ASA Configuration

Uploaded by noni nabila

Addressing:

Router-INET(config)#int loopback 0
Router-INET(config-if)#ip add 8.8.8.8 255.255.255.0
Router-INET(config-if)#int gig0/0/0
Router-INET(config-if)#no shut
Router-INET(config-if)#ip add 10.10.10.1 255.255.255.252

Ro-LAN(config)#int gig0/1
Ro-LAN(config-if)#ip add 10.10.10.2 255.255.255.252
Ro-LAN(config-if)#no shut
Ro-LAN(config-if)#int gig0/2
Ro-LAN(config-if)#ip add 20.20.20.2 255.255.255.252
Ro-LAN(config-if)#no shut
Ro-LAN(config-if)#int gig0/0
Ro-LAN(config-if)#ip add 192.168.10.1 255.255.255.252
Ro-LAN(config-if)#no shut

Ro-Server(config)#int gig0/0/0
Ro-Server(config-if)#no shut
Ro-Server(config-if)#ip add 20.20.20.1 255.255.255.252
Ro-Server(config-if)#int gig0/0/1
Ro-Server(config-if)#no shut
Ro-Server(config-if)#ip add 172.168.16.1 255.255.255.0

ciscoasa(config)#int gig1/1
ciscoasa(config-if)#no shut
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#ip add 192.168.10.2 255.255.255.252
ciscoasa(config-if)#int gig1/2
ciscoasa(config-if)#no shut
ciscoasa(config-if)#nameif inside-100
ciscoasa(config-if)#ip add 192.168.100.1 255.255.255.0
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#int gig1/3
ciscoasa(config-if)#no shut
ciscoasa(config-if)#nameif inside-200
ciscoasa(config-if)#ip add 192.168.200.1 255.255.255.0
ciscoasa(config-if)#security-level 100

On the Cisco ASA we must define an inside (LAN) interface and an outside (Internet) interface. The inside zone is the trusted zone and is given security level 100 by default. The outside zone is the untrusted zone and is given security level 0 by default.

Addressing the end devices.
For the client PCs we will configure DHCP clients. In this scenario the Cisco ASA acts as the DHCP server.

ciscoasa(config)#dhcpd address 192.168.100.2-192.168.100.254 inside-100
ciscoasa(config)#dhcpd dns 192.168.100.1 interface inside-100
ciscoasa(config)#dhcpd enable inside-100
ciscoasa(config)#dhcpd address 192.168.200.2-192.168.200.254 inside-200
ciscoasa(config)#dhcpd dns 192.168.200.1 interface inside-200
ciscoasa(config)#dhcpd enable inside-200

Then enable the DHCP client on each PC.


Routing:
So that the clients can reach the server and also Google's DNS, we need to add routing. The routing we will add is static routing.

Ro-LAN(config)#ip route 8.8.8.8 255.255.255.255 10.10.10.1
Ro-LAN(config)#ip route 172.168.16.0 255.255.255.0 20.20.20.1

Ro-Server(config)#ip route 10.10.10.0 255.255.255.252 20.20.20.2
Ro-Server(config)#ip route 192.168.10.0 255.255.255.252 20.20.20.2

Router-INET(config)#ip route 20.20.20.0 255.255.255.252 10.10.10.2
Router-INET(config)#ip route 192.168.10.0 255.255.255.252 10.10.10.2
Router-INET(config)#ip route 172.168.16.0 255.255.255.0 10.10.10.2

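The address plan and the static routes above can be checked offline before anything is pinged. The Python script below is an added example, not part of the original document: it transcribes the interface addresses and static routes from the listings above, resolves each hop by longest-prefix match so you can trace a destination from any device, reports /30 links whose peer address is configured nowhere, and lists subnets that lie outside RFC 1918 space (172.168.16.0/24 is public address space, not part of 172.16.0.0/12; 8.8.8.0/24 on the loopback deliberately stands in for Google's DNS). The page lists no route command on the ASA itself, so its route table is left empty here and a trace from it ends with "no route"; the device names are taken from the page, everything else is the example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Interface addresses transcribed from the addressing section
# (device -> [(interface, "address/prefix")]).
INTERFACES: Dict[str, List[Tuple[str, str]]] = {
    "Router-INET": [("loopback0", "8.8.8.8/24"), ("gig0/0/0", "10.10.10.1/30")],
    "Ro-LAN": [("gig0/1", "10.10.10.2/30"), ("gig0/2", "20.20.20.2/30"),
               ("gig0/0", "192.168.10.1/30")],
    "Ro-Server": [("gig0/0/0", "20.20.20.1/30"), ("gig0/0/1", "172.168.16.1/24")],
    "ciscoasa": [("gig1/1", "192.168.10.2/30"), ("gig1/2", "192.168.100.1/24"),
                 ("gig1/3", "192.168.200.1/24")],
}

# Static routes transcribed from the routing section (device -> [(prefix, next hop)]).
# The page shows no route command for the ASA, so its table is empty in this model.
STATIC_ROUTES: Dict[str, List[Tuple[str, str]]] = {
    "Ro-LAN": [("8.8.8.8/32", "10.10.10.1"), ("172.168.16.0/24", "20.20.20.1")],
    "Ro-Server": [("10.10.10.0/30", "20.20.20.2"), ("192.168.10.0/30", "20.20.20.2")],
    "Router-INET": [("20.20.20.0/30", "10.10.10.2"), ("192.168.10.0/30", "10.10.10.2"),
                    ("172.168.16.0/24", "10.10.10.2")],
    "ciscoasa": [],
}


def owner_of(ip: str) -> Optional[str]:
    """Return the device that has `ip` configured on one of its interfaces."""
    addr = ipaddress.ip_address(ip)
    for device, ifaces in INTERFACES.items():
        for _name, cidr in ifaces:
            if ipaddress.ip_interface(cidr).ip == addr:
                return device
    return None


def next_hop(device: str, dst: str) -> Tuple[str, Optional[str]]:
    """Connected interfaces win; otherwise longest-prefix match over the static routes."""
    addr = ipaddress.ip_address(dst)
    for _name, cidr in INTERFACES[device]:
        if addr in ipaddress.ip_interface(cidr).network:
            return "connected", None
    best = None
    for prefix, hop in STATIC_ROUTES.get(device, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return ("via", best[1]) if best else ("none", None)


def trace(device: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow the static routes hop by hop; the last element says how the trace ended."""
    path = [device]
    for _ in range(max_hops):
        kind, hop = next_hop(device, dst)
        if kind == "connected":
            path.append("delivered")
            return path
        if kind == "none":
            path.append("no route")
            return path
        device = owner_of(hop)
        if device is None:
            path.append(f"next hop {hop} unknown")
            return path
        path.append(device)
    path.append("loop?")
    return path


def check_links() -> List[str]:
    """Flag every /30 whose other host address is not configured on any device."""
    problems = []
    for device, ifaces in INTERFACES.items():
        for name, cidr in ifaces:
            iface = ipaddress.ip_interface(cidr)
            if iface.network.prefixlen == 30:
                peer = [h for h in iface.network.hosts() if h != iface.ip][0]
                if owner_of(str(peer)) is None:
                    problems.append(f"{device} {name}: peer {peer} not configured")
    return problems


def public_networks() -> List[str]:
    """List interfaces whose subnet is outside private (RFC 1918 and similar) space."""
    found = []
    for device, ifaces in INTERFACES.items():
        for name, cidr in ifaces:
            net = ipaddress.ip_interface(cidr).network
            if not net.is_private:
                found.append(f"{device} {name} {net}")
    return found


if __name__ == "__main__":
    for src, dst in [("Ro-LAN", "8.8.8.8"), ("Ro-LAN", "172.168.16.2"),
                     ("Ro-Server", "192.168.10.2"), ("ciscoasa", "8.8.8.8")]:
        print(f"{src} -> {dst}: {' -> '.join(trace(src, dst))}")
    print("link problems:", check_links() or "none")
    print("public address space:", public_networks())
```

The trace from Ro-Server to 192.168.10.2 matters because that is the address the ASA will later present to the outside after PAT; without the 192.168.10.0/30 route on Ro-Server and Router-INET the replies would have no way back.
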
Make sure that pings from Ro-LAN toward Google and toward the server get replies.

Ro-LAN(config)#do ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

Ro-LAN(config)#do ping 172.168.16.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.168.16.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

Try pinging from a PC in the inside area.


The result is a request timeout (RTO), because we have not configured NAT yet. Next we will add network objects that are translated by port, commonly called PAT.

Dynamic NAT Configuration:

ciscoasa(config)#object network LAN1
ciscoasa(config-network-object)#subnet 192.168.100.0 255.255.255.0
ciscoasa(config-network-object)#nat (inside-100,outside) dynamic interface
ciscoasa(config)#object network LAN2
ciscoasa(config-network-object)#subnet 192.168.200.0 255.255.255.0
ciscoasa(config-network-object)#nat (inside-200,outside) dynamic interface

Then try pinging again from each PC.

Each PC can now ping; if it cannot, we probably have to create a rule that allows ICMP connections. Since we will also access the server, we will create a rule to permit TCP.

ciscoasa(config)#access-list Permit-lan permit icmp any any echo-reply
ciscoasa(config)#access-list Permit-lan permit tcp any any gt 1000
ciscoasa(config)#access-group Permit-lan in interface outside

This rule allows ping and HTTP. Why not port 80 or 443? Simply put, the inside area is always permitted by the ASA wherever its traffic goes out. But when traffic from outside wants to come back in (to the inside area), some unspecified ports and protocols are dropped by the ASA. That is why we only permit traffic from outside to inside.
So why is there a gt 1000 on the command line? Here is the explanation.

The image above shows the reply packet from the server; that packet is not allowed by the ASA. Therefore we have to create a rule that permits it. The command line gt 1000 allows destination ports above 1000, because when the inside area accesses an HTTP service it usually uses the TCP port range 1000-2000.
There are also cases that require us to configure dns-lookup on the Cisco ASA, when the clients use the gateway IP as their DNS.

ciscoasa(config)#domain-name google.com
ciscoasa(config)#dns domain-lookup outside
ciscoasa(config)#dns server-group DNS
ciscoasa(config-dns-server-group)#name-server 8.8.8.8
