Tuesday, November 20, 2012

Installing a new Cisco ASA-5520 & Creating Secure Networks

I decided to add a Cisco ASA 5520 to my lab. We will use figure 1 to visualize this. I am going to guide you on how to do this and actually route some packets through it. I had only done minor configurations on an ASA beforehand, never to this extent. I created two networks, 10.50.51.0/24 and 10.50.52.0/24, for this lab. These are what I will call secure networks. All communication between these two networks must traverse the firewall.

Figure 1
On 4948_01 I created VLAN 51 (10.50.51.0/24) and on 4948_02 I created VLAN 52 (10.50.52.0/24). All communication between these two networks must traverse the firewall. I have seen this used in networks where it was a security requirement from the infosec team. I could also have created both VLANs on one switch and still routed the traffic via the firewall. Some people might use VLAN ACLs to secure communications between two VLANs, but let's say that for this lab we had a requirement to use a firewall. Additionally, the networks had to live on two separate switches.

Let's create the VLANs and SVIs on the switches and assign IP addresses.

Cisco_4948E_01#

vlan 51
 name secure_network_10.50.51.0
!
interface Vlan51
 ip address 10.50.51.254 255.255.255.0
 no shut

Cisco_4948E_02#

vlan 52
 name secure_network_10.50.52.0
!
interface Vlan52
 ip address 10.50.52.254 255.255.255.0
 no shut

Now we need to add the firewall into the mix. For this I connected one cable from each 4948 (Gi1/46) to the ASA 5520. I made the Gi1/46 interfaces on the 4948s routed (Layer 3) and defined a static route on each switch pointing to the opposite network through the ASA. By the way, I used named static routes: a few weeks or months from now you might not remember why you put in that static route. When possible, use them.

Cisco_4948E_01

interface GigabitEthernet1/46
 description ASA_GigabitEthernet0/3
 no switchport
 ip address 192.168.1.1 255.255.255.252
 exit
!
ip route 10.50.52.0 255.255.255.0 GigabitEthernet1/46 192.168.1.2 name secure_network
!

Cisco_4948E_02

interface GigabitEthernet1/46
 description ASA_GigabitEthernet0/2
 no switchport
 ip address 192.168.1.5 255.255.255.252
!
ip route 10.50.51.0 255.255.255.0 GigabitEthernet1/46 192.168.1.6 name secure_network
!

This takes care of the switching end of things. Now onto the firewall configuration. First you need to configure your interfaces, because the static routes and ACLs will tie into them later. Under each interface you assign it a name (nameif) and an IP address, then a security level. I chose 50 and 100 at random; what matters is which one is higher. Security levels are exactly that: traffic initiated from a higher-level interface to a lower-level interface is allowed by default, but traffic from a lower-level interface to a higher-level interface is blocked unless an ACL is defined to permit it.

Cisco-ASA5520-01#

interface GigabitEthernet0/2
 description Cisco_4948E_02 Gi1/46
 nameif Cisco_4948E_02
 security-level 50
 ip address 192.168.1.6 255.255.255.252
!
interface GigabitEthernet0/3
 description Cisco_4948E_01 Gi1/46
 nameif Cisco_4948E_01
 security-level 100
 ip address 192.168.1.2 255.255.255.252

Now we need to create an ACL. In this case I created an ACL that permits anything and applied it inbound on the lower security-level interface, since that is the direction the ASA blocks by default. The permit any is just for this example; I will harden it later.

Cisco-ASA5520-01#

access-list any extended permit ip any any
!
access-group any in interface Cisco_4948E_02

Now we need to tell the ASA how to route the traffic. For this I created static routes on the ASA, one per secure network, with the next hop being the switch's routed Gi1/46 interface. Now let's test.

Cisco-ASA5520-01#

route Cisco_4948E_01 10.50.51.0 255.255.255.0 192.168.1.1 1
route Cisco_4948E_02 10.50.52.0 255.255.255.0 192.168.1.5 1

Success!!!!!

Cisco_4948E_02#ping 10.50.51.254 source 10.50.52.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.51.254, timeout is 2 seconds:
Packet sent with a source address of 10.50.52.254
!!!!!


Cisco_4948E_01#ping 10.50.52.254 source 10.50.51.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.52.254, timeout is 2 seconds:
Packet sent with a source address of 10.50.51.254
!!!!!
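Now that both pings pass, here is one way to harden the permit-any ACL. This is an added example, not config from the original post: only ICMP echo from 10.50.52.0/24 toward 10.50.51.0/24 is permitted inbound on the lower-level interface, everything else is denied and logged, and ICMP inspection is enabled so the echo-replies for pings started from the 4948_01 side are tracked statefully instead of needing their own entry. The ACL name secure52_in is my choice; the policy-map lines assume the stock global_policy and inspection_default names an ASA ships with.

```cisco
! Remove the temporary permit-any ACL from the lower-level interface
no access-group any in interface Cisco_4948E_02
clear configure access-list any
!
! Allow only ICMP echo from the 10.50.52.0/24 side to the 10.50.51.0/24 side
access-list secure52_in extended permit icmp 10.50.52.0 255.255.255.0 10.50.51.0 255.255.255.0 echo
! Explicit deny with logging so blocked flows show up in syslog for review
access-list secure52_in extended deny ip any any log
!
access-group secure52_in in interface Cisco_4948E_02
!
! Track ICMP statefully so replies to pings sourced from the level-100 side
! are allowed back in through Cisco_4948E_02 without a separate echo-reply entry
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying this, rerun both pings from the post; the 10.50.52.254 to 10.50.51.254 ping succeeds because of the echo entry, and the reverse ping succeeds because of ICMP inspection, while any other protocol from the 52 side is logged and dropped.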