Here are some values users can add to their Cisco configuration file. Information on configuring these settings can be found here TCP session timer (TLS connections only, port 5443): 300 - 700 seconds.
#How to configure security on a asa 5505 cisco series#
Next step is to test some traffic between devices in different security zones.Session Timers, Ports, Subnets, and DSCP Values for Cisco RoutersĬonfigure the UDP and TCP time out values per the X Series documentation This makes sense since these devices are also using the ASA as their default gateway. Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 msĪs you can see the ASA can reach any device in each of the different security zones. Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds: Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds: Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: The ASA can reach any device on any interface: ASA1# ping 192.168.1.1 Let’s see what traffic patterns are allowed now shall we? First we’ll send some pings from the ASA… Traffic from the ASA I manually changed the security level of the DMZ interface to 50. It uses a default security level of 100 for INSIDE and 0 for OUTSIDE/DMZ. As you can see the ASA recognizes INSIDE, OUTSIDE and DMZ names. The nameif command is used to specify a name for the interface, unlike the description command the name of your interface is actually used in many commands so pick something useful. Let’s configure the ASA with these interfaces: ASA1(config)# interface E0/0ĪSA1(config-if)# nameif INSIDE INFO: Security level for "INSIDE" set to 100 by default.ĪSA1(config-if)# ip address 192.168.1.254 255.255.255.0ĪSA1(config-if)# no shutdown ASA1(config)# interface E0/1ĪSA1(config-if)# nameif OUTSIDE INFO: Security level for "OUTSIDE" set to 0 by default.ĪSA1(config-if)# ip address 192.168.2.254 255.255.255.0ĪSA1(config-if)# no shutdown ASA1(config)# interface E0/2ĪSA1(config-if)# nameif DMZ INFO: Security level for "DMZ" set to 0 by default.ĪSA1(config-if)# ip address 192.168.3.254 255.255.255.0
I will use the routers so we can generate some traffic between the different security levels. Let’s take a look at a Cisco ASA firewall with three interfaces so you can see this behavior in action, here’s the topology I will use:Ībove you see the Cisco ASA in the middle with three interfaces: You can create as many security levels as you want… Traffic from the DMZ however can’t go to the inside (without an access-list) because traffic from security level 50 is not allowed to reach security level 100. This means that traffic is allowed from our inside network to the DMZ (security level 100 -> 50) and also from the DMZ to the outside (security level 50 -> 0).
Since this is the highest security level, by default it can reach all the other interfaces. Security level 100: This is the highest security level on our ASA and by default this is assigned to the “inside” interface.Since there is no lower security level this means that traffic from the outside is unable to reach any of our interfaces unless we permit it within an access-list. Security level 0: This is the lowest security level there is on the ASA and by default it is assigned to the “outside” interface.
Here are a couple of examples of security levels: Each interface on the ASA is a security zone so by using these security levels we have different trust levels for our security zones.Īn interface with a high security level can access an interface with a low security level but the other way around is not possible unless we configure an access-list that permits this traffic. The higher the security level, the more trusted the interface is. The Cisco ASA Firewall uses so called “security levels” that indicate how trusted an interface is compared to another interface.
0 kommentar(er)
