
Cisco ASA LAB

Submitted to: Sir Ismail


Submitted by: Muhammad Furqan Elahi
Designation: TAC Engineer Level-1
Table of Contents
Introduction (p. 3)
Network Topology (p. 3)
DMZ (p. 4)
WHY DMZ (p. 4)
Security Levels in Cisco ASA Firewall (p. 4)
Cisco ASA: Security Level 100 (p. 4)
Cisco ASA: Security Level 0 (p. 5)
Configuration (p. 5)
Cisco Asa (p. 5)
R1 Running Config (p. 6)
R2 Running Configuration (p. 7)
Introduction:
In this lab we implemented a scenario with a Cisco ASA firewall, created three zones (inside,
outside and DMZ), and applied a policy under which the inside network, which has a high security
level, can reach the outside (internet) but not the other way around. A server is also placed in the
DMZ so that it can be accessed publicly while being kept away from the organization's private
internal network.

Network Topology:
DMZ:

It is known as the demilitarized zone and is used to improve the security of an organization's
network by placing devices such as publicly reachable servers on the opposite side of a firewall
from the internal network.

WHY DMZ:
Consider the topology above and suppose server 7 had been placed in our inside zone. Server 7
needs to be accessed publicly; it could be an email server or a web server. That would mean the
public is reaching into the company's private network, i.e. the company is letting people from an
untrusted network into its internal network, which is a security concern. So we created a DMZ,
placed server 7 in it, and kept it on the opposite side of the firewall from the internal network.

The DMZ is thus the zone that sits outside the protection the firewall gives to the internal
network. Hence server 7 has been kept in the DMZ based on this requirement.

Security Levels in Cisco ASA Firewall:


A security level is simply a number between 0 and 100. A high security level means we place
higher trust in that zone and a low security level means lower trust. The Cisco ASA firewall in
this lab has three interfaces configured. Interface Gig0/0 is configured with IP address
192.168.1.2/30 and is connected to the ISP; it is the outside security zone with security level 0.
Interface Gig0/2 is configured with IP address 192.168.3.0/24 and is connected to the internal
core; it is the inside security zone with security level 100. Interface Gig0/1 is configured with IP
address 192.168.2.0/30 and is connected to the DMZ network; it is the DMZ security zone with
security level 70. By default, all traffic from a higher security level to a lower security level is
allowed, so we usually assign the highest security level to the LAN or inside interface.

Cisco ASA: Security Level 100:

This is the highest security level and is assigned to the most trusted interface/zone. Usually we
assign the highest security level to the LAN / corporate interface. Traffic from a high security
level to a low security level is allowed by default. An interface named inside receives security
level 100 by default, but an interface with any other name, e.g. outside or DMZ, defaults to
security level 0.
Cisco ASA: Security Level 0:

This is the lowest security level and is assigned to the most untrusted interface/zone. Usually we
assign the lowest security level to the ISP or internet interface. Traffic from a low security level
to a high security level is denied by default.

Accordingly, we need to configure Access Control Lists (ACLs) to allow this traffic from outside
to inside or DMZ.

Configuration:

Cisco Asa:
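The ASA configuration below is an added reconstruction from the interface facts given in the text (security levels 0/100/70, Gig0/0 192.168.1.2/30 toward the ISP, Gig0/2 in 192.168.3.0/24, Gig0/1 in 192.168.2.0/30); it is not the author's running config, which was not reproduced on this page. The inside and DMZ host addresses, the ISP next hop, the server 7 address and the exposed service (HTTP) are assumptions, marked as such in the comments.

```text
! Added example, not the lab's own running config. Lines marked (assumed)
! use addresses the report does not state.
hostname ASA-LAB
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ! host address (assumed) inside 192.168.3.0/24
 ip address 192.168.3.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 70
 ! host address (assumed) inside 192.168.2.0/30
 ip address 192.168.2.1 255.255.255.252
 no shutdown
!
! Default route toward the ISP; its side of the /30 is assumed to be 192.168.1.1
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! Server 7 in the DMZ (address assumed). Only this host and only HTTP is opened
! from security level 0 toward 70; everything else stays denied by default and
! the explicit deny logs what was blocked.
object network SERVER7
 host 192.168.2.2
access-list OUTSIDE_IN extended permit tcp any object SERVER7 eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! ICMP is not tracked statefully unless inspected: without this, the echo-replies
! to pings sent from inside or the DMZ are dropped on the way back in. Inspecting
! ICMP lets those replies through without permitting inbound pings from outside.
policy-map global_policy
 class inspection_default
  inspect icmp
```

With this in place the results in the next section follow directly: inside and DMZ pings to the ISP succeed (higher to lower level plus ICMP inspection), ISP pings toward inside are dropped (lower to higher level with no permitting ACL), and only HTTP to server 7 is accepted on the outside interface.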
R1 Running Config:
R2 Running Configuration:

Results:

High Security level to low security level:

Now the inside network can ping the internet, since traffic is going from a high security level to
a low one; for the inside network the level is 100.

Similarly, the DMZ server can also ping the internet, since it has security level 70 and is again
going from a higher level to a lower one.
Low security level to High security level:

Below, the ISP router cannot ping the inside network, since the traffic is coming from a lower
security level, which is 0 for the outside interface.
