Using Firewall Builder To Configure Cisco ASA & PIX


Firewall Builder is a firewall configuration and management GUI that supports configuring a wide range of firewalls from a single application. Supported firewalls include Linux iptables, BSD pf, Cisco ASA/PIX, Cisco router access lists and many more. The complete list of supported platforms, along with downloadable binary packages and source code, can be found at http://www.fwbuilder.org.

This tutorial is the second in a series of articles that walk through the basic steps of using Firewall Builder to configure each of the supported firewall platforms. In this tutorial we will configure Access Control Lists (ACL) on a Cisco ASA firewall.

The diagram below shows a simple 2 interface firewall configuration based on a Cisco ASA 5505 with the firewall acting as a gateway to the Internet for a private LAN network.

[Image: example_asa]

We will use Firewall Builder to implement the following basic rules as access lists on the firewall.

  • Allow inside traffic (10.0.0.0/24) through the firewall to any Internet address for the HTTP and HTTPS protocols
  • Allow inside traffic from Email Server (10.0.0.25) through the firewall to a specific IP address (198.51.100.25) for the SMTP protocol. This external server is acting as an external mail relay.
  • Allow inbound SMTP from external IP address (198.51.100.25) to the internal Email Server (10.0.0.25).
  • Allow inside traffic (10.0.0.0/24) to the firewall’s inside interface (Ethernet0/1) for the SSH protocol.

Note that Cisco ASA and PIX access lists have an implicit deny all at the end of every access list, so anything that we do not set up a rule to explicitly permit will be denied.

We will also use Firewall Builder to implement the NAT configuration on the firewall.

  • Source NAT all inside traffic (10.0.0.0/24) through the firewall destined to any Internet address changing the source IP to the IP address of the outside interface (Ethernet0/0).
  • Destination NAT traffic from external IP address (198.51.100.25), the external SMTP relay server, coming to the outside interface with TCP destination port of 25 (SMTP) and forward that to an internal Email Server (10.0.0.25).


NOTE

In this how-to we use an ASA 5505 running ASA OS v8.3. Some of the command syntax, especially for NAT, is different for earlier versions of ASA OS, but you don’t have to worry about this since Firewall Builder automatically generates the right configuration commands based on the version set for the firewall.


Step 1: Create Network Objects

We are going to start by creating the objects that will be used in the rules. Firewall Builder includes hundreds of predefined objects, including most standard protocols, so to implement the rules above we will only need to create the objects that are specific to our network. For our rules this means we need to create objects for the internal 10.0.0.0/24 network, for the internal Email Server (10.0.0.25) and for the external SMTP relay server with an IP address of 198.51.100.25.


Create a New IP Network Object

To create the object that will represent our internal 10.0.0.0/24 network, double-click the folder labeled Objects in the left-hand tree to expand it. Right-click the folder called Networks and select “New Network”. This creates a new network object. In the lower portion of your screen, called the Editor Panel, you can modify the properties of this object.

Change the object name to something that matches its function; in this example we are going to call it “Internal Network” to represent the local LAN IP addresses. Set the address to 10.0.0.0 and the netmask to 255.255.255.0.

[Image: new_network]

NOTE: When editing the attributes of an object there is no Apply or Submit button. As soon as you move away from the field you were editing, the change takes effect immediately.


Create a New IP Address Object

Repeat this process to create an object that will represent the SMTP Relay server that will be used in rule #2. Go to the object tree and right-click on the Addresses folder and select New Address. In the Editor Panel change the name of the object to “SMTP Relay” and set the IP address to 198.51.100.25.

[Image: new_address_steps]

Repeat the steps above to create a new Address object to represent the internal Email Server (10.0.0.25). After you are done you should see two objects in the Addresses system folder in the object tree.

[Image: address_objects]

Step 2: Define The Firewall

To create a firewall object to represent your Cisco ASA, click on the “Create new firewall” icon on the main window of Firewall Builder. This will launch a wizard that walks you through creating your firewall object.

Enter a name for the firewall object; in this example we will use asa-1. Change the drop-down menu for the software that is running on the firewall to “Cisco ASA (PIX)”.

[Image: create_asa]

Click the Next > button to continue the wizard.

When creating a firewall in Firewall Builder you have a choice of configuring interfaces manually, or you can use SNMP discovery if you have SNMP enabled on your firewall and you have access to a Read-Only or Read-Write community string. For this example we are going to configure the interfaces manually.

[Image: interface_discovery]

Click the Next > button to continue to the next step.

The firewall that you create in Firewall Builder needs to match the Cisco ASA or PIX firewall that you want to deploy the access lists on. This means that the interface names and IP addresses in the firewall object you are creating must exactly match what is configured on the ASA or PIX.

Click the green icon to add a new interface to the firewall. Enter the name of the interface exactly as it is shown on the ASA or PIX command line when you run the “show interface” command. In our example the interfaces are Ethernet0/0 through Ethernet0/7, but we are only going to use interfaces Ethernet0/0 and Ethernet0/1.

Set the interface name as Ethernet0/0 and set the label to outside. Click on the Add address button and set the IP address to 192.0.2.1 with a netmask of 255.255.255.240.

[Image: asa_interface_address]

Click the green icon to add another interface to the firewall. Enter the information into the wizard to match the second interface as follows:

[Image: asa_interface_address2]

Click on the Next > button.

Firewall Builder will automatically set the security level of the interface based on the interface label and IP address. The outside interface is set to security level 0 and the inside interface is set to security level 100.

[Image: asa_interface_sec_level]

Click on the Finish button to create the firewall object.

After you create the firewall object representing the ASA or PIX the firewall object will be displayed in the object tree on the left side. The Policy object, which is where the access list rules are configured, is automatically opened in the main window.

[Image: asa_firewall_object_tree]

Firewall Builder uses the concept of Network Zones to determine network topology in order to correctly create rules. Each firewall interface has a corresponding Network Zone that must be set. The Network Zone represents the set of IP networks that would be the source of traffic coming inbound to an interface.

For example, if you use 10.0.0.0/8 for your internal network, the “inside” interface should have its Network Zone set to an object that represents 10.0.0.0/8. A Network Zone can be a Network object or a Group object that includes multiple Network objects. An example of when you would use a Group object is if your internal network used both 10.0.0.0/8 and 172.16.0.0/16. In this case you would create a Group object that included network objects for both of these IP networks and use that Group object as your “inside” interface’s Network Zone.

For the “outside” interface you will typically set its Network Zone to “Any”, which means all IP networks that aren’t associated with any other interface. Set the Network Zone by double-clicking the interface object of the firewall and selecting the Network Zone from the drop-down list.

In this example we are going to set the Network Zone for the Ethernet0/0 “outside” interface to “Any” and the Network Zone for the Ethernet0/1 “inside” interface to “net-10.0.0.0” as shown below.

[Image: asa_setting_network_zone]

NOTE: The Network Zones used above are specifically for this example. If you have different IP addresses and networks in use in your network environment you may need to select different Network Zone values.

Now that the ASA firewall is ready for configuration, before moving on we should save our data file that contains the new firewall object that we just created. Do this by going to the File -> Save As menu item. Choose a name and location to save this file to.

Getting Started: Configuring Cisco ASA & PIX

Reminder – In this tutorial we are configuring a Cisco ASA 5505 firewall that has the following interface configuration.

[Image: example_asa]

Access Lists

Our goal is to implement the following access list rules on the firewall.

  • Allow inside traffic (10.0.0.0/24) through the firewall to any Internet address for the HTTP and HTTPS protocols
  • Allow inside traffic from Email Server (10.0.0.25) through the firewall to a specific IP address (198.51.100.25) for the SMTP protocol. This outside server is acting as an external mail relay.
  • Allow inbound SMTP from external IP address (198.51.100.25) to the internal Email Server (10.0.0.25).
  • Allow inside traffic (10.0.0.0/24) to the firewall’s inside interface (Ethernet0/1) for the SSH protocol.

NAT

And our goal is to implement the following NAT rules on the firewall.

  • Source NAT all inside traffic (10.0.0.0/24) through the firewall destined to any Internet address changing the source IP to the IP address of the outside interface (Ethernet0/0).
  • Destination NAT traffic from external IP address (198.51.100.25), the external SMTP relay server, coming to the outside interface with TCP destination port of 25 (SMTP) and forward that to an internal Email Server (10.0.0.25).


Step 3: Configure Access Lists

After we created the firewall object asa-1 it was automatically opened in the object tree and its Policy object was opened in the main window for editing. The Policy object is where access list rules are configured.

To add a new rule to the Policy, click on the green plus icon at the top left of the main window. This creates a new rule with default values set to deny all.

[Image: default_rule]

In Firewall Builder everything is based on the concept of objects. To configure rules that will be converted into access lists, you simply find the object you want in the tree and drag-and-drop it to the correct section of the rule.

The first rule in our example is to allow internal network traffic to use the HTTP and HTTPS protocols to access the Internet. Starting in Cisco ASA v8.3 access lists use the real IP address for traffic that is NAT’ed so we will use the “Internal Network” object as the Source for the rule. After you drag-and-drop the object the rule Source will be updated as shown below.

[Image: asa_new_rule_source]

Since we want this rule to allow traffic to the Internet we will leave the Destination object set to Any. The Any object in Firewall Builder is the same as the “any” parameter in Cisco CLI commands for access lists.

Next we want to define the protocols or services this rule will allow. The example calls for the HTTP and HTTPS services to be allowed out to the Internet.

Firewall Builder comes with hundreds of predefined objects including almost all standard protocols. To access these objects switch to the Standard library by selecting it from the drop down at the top of the Object tree window.

[Image: switch_library]

After you have switched to the Standard library you can navigate to the HTTP service by opening the Services folder, then opening the TCP folder and scrolling down until you find the http object.

Once you find the http object, drag-and-drop it from the tree on the left into the Service section of the rule in the Rules window.

[Image: asa_new_rule_service]

Repeat this process to add the HTTPS service to the rule. Drag-and-drop the https object from the tree on the left to the Service section of the rule in the Rules window.

NOTE: Notice that you can have more than one service in a single rule. Firewall Builder will automatically expand this rule into multiple rules in the Cisco command syntax if necessary.

IMPORTANT! To access the objects you previously created, including the firewall, you need to switch back to the User library. Do this by going to the drop-down menu at the top of the object tree panel and switching the selected library from Standard to User.

Set the interface for this rule by dragging-and-dropping the “outside” Ethernet0/0 interface of the firewall from the object tree to the Interface column of the rule.

[Image: asa_new_rule_interface]

Traffic will be flowing outbound on this interface, so right-click in the Direction section and select Outbound. We want this traffic to be allowed, so we need to change the Action associated with this rule from Deny to Accept. Do this by right-clicking on the Action section of the rule and selecting Accept. Finally, since this is a rule that we expect to match a lot of traffic, disable logging by right-clicking in the Options section and selecting Logging Off. You should now see a rule that looks like:

[Image: asa_new_rule_complete]

The next rule in our example allows an internal server called “Email Server” to access an external SMTP Server called “SMTP Relay”. Click on the rule you just created and then right-click in the rule number section and select “Add New Rule Below”.

[Image: asa_add_new_rule_below]

To access the objects that we created earlier we need to switch back to the User library. Click on the drop down menu that says Standard and select User from the list.

Drag-and-drop the IP address object you created earlier named “Email Server” to the Source column of the new rule. Next, drag-and-drop the IP address object named “SMTP Relay” to the Destination column of the new rule.

The SMTP protocol object is located in the Standard library, so select it from the drop-down menu at the top of the Object Window. To find the SMTP object you can scroll down through the object tree, or you can simply type smtp into the filter field. This will display all objects in the current library whose names contain smtp.

[Image: smtp_filter]

Drag-and-drop the filtered smtp object from the tree to the Service column of the rule you are currently editing. Clear the filter field by clicking the X to the right of the input box and then switch back to the User library by selecting it in the drop-down menu at the top of the object panel.

To set the interface the rule should be applied to drag-and-drop the “outside” interface Ethernet0/0 to the Interface column of the rule.

Right-click in the Direction column of the new rule and set the Direction to Outbound.

To change the Action to Accept right-click in the Action section of the rule and select Accept. To disable logging for this rule, right-click on the Options section and select Logging Off.

You should now have 2 rules that look like this:

[Image: asa_two_rules]

The third rule will be identical to the second rule except that it allows traffic initiated from the outside SMTP Relay server using the SMTP protocol to reach the inside Email Server. To create this rule, right-click on the previous rule and select Copy Rule.

[Image: asa_copy_rule]

Paste the copied rule by right-clicking on the previous rule and selecting Paste Rule Below. Follow the steps below to modify the copied rule to match incoming traffic from the external SMTP Relay server to the internal Email Server.

  • Right-click on the SMTP Relay object in the Destination column of the 3rd rule that you just pasted and select Cut from the context menu.
  • Right-click in the Source column of the rule and select Paste.
  • Right-click on the Email Server object in the Source column of the rule and select Cut.
  • Right-click in the Destination column of the rule and select Paste.
  • Right-click on the Direction column and select Inbound.

Your rules should now look like this:

[Image: asa_three_rules]

Create a new rule below the last rule by selecting the last rule and right-clicking and selecting Add New Rule Below from the menu. This will create a new rule configured with the default values to deny all.

Modify this rule by dragging-and-dropping the Internal Network object from the tree to the Source section of the newly created rule. To restrict the rule to only allow traffic destined to the IP address of the ASA’s Ethernet0/1 interface, double-click on the firewall object’s Ethernet0/1 interface to expand it. Drag-and-drop the IP address of the interface to the Destination section of the rule.

To set the service to SSH switch to the Standard library by selecting it from the dropdown menu above the object tree and then type in “ssh” in the filter box. Drag-and-drop the ssh object from the tree to the Service section. Clear the filter by clicking on the X next to the filter input text box.

Switch back to the User library by selecting it from the dropdown menu above the object tree. Double click the asa-1 object to expand it and drag-and-drop the Ethernet0/1 interface to the Interface section of the rule.

Since this rule only applies to inbound traffic on this interface, set the direction to Inbound by right-clicking in the Direction section and selecting Inbound. Finally, change the action for the rule by right-clicking on the Action section and selecting Accept. Since this rule defines access to the firewall via SSH we will leave logging enabled for this rule.

You should now have 4 rules that look like:

[Image: asa_four_rules]

In the next section we will go through the process of configuring the NAT rules.


Step 4: Configure NAT Rules

Now that we have configured the Access Lists, the next step is to configure the NAT rules. Here are the NAT rules that we need to create:

  • Source NAT all inside traffic (10.0.0.0/24) through the firewall destined to any Internet address changing the source IP to the IP address of the outside interface (Ethernet0/0).
  • Destination NAT traffic from external IP address (198.51.100.25), the external SMTP relay server, coming to the outside interface with TCP destination port of 25 (SMTP) and forward that to an internal Email Server (10.0.0.25).

To open the NAT rules for editing, double-click on the “NAT” object located under the asa-1 firewall object in the tree. To add a new rule to the Policy, click on the green icon at the top left of the main window.

[Image: asa_nat_rule]

To create the first NAT rule, drag-and-drop the Internal Network object from the tree to the Original Src column of the NAT rule. Next, drag-and-drop the firewall object’s outside interface (Ethernet0/0) to the Translated Src column of the rule.

That’s it. You should now have a NAT rule that looks like:

[Image: asa_nat_rule_one]

Right-click on the NAT rule you just created and select Add New Rule Below. The next NAT rule should translate traffic coming from the external SMTP Relay server to the internal Email Server. Follow the steps below to create the NAT rule.

  • Drag-and-drop the SMTP Relay object from the object tree to the Original Src column of the new NAT rule.
  • Drag-and-drop the Ethernet0/0 interface object from the asa-1 firewall object to the Original Dst column of the rule.
  • Switch to the Standard library and filter for the smtp object. Drag-and-drop it to the Service column of the rule.
  • Clear the filter, switch back to the User library and drag-and-drop the Email Server object from the object tree to the Translated Dst column of the rule.

You should now have two NAT rules that look like:


In the next section we will go through the process of compiling and installing the Access List and NAT rules on the firewall.

For the following sections we are going to assume that the following Policy rules have been configured for the firewall configuration shown in the diagram above.

[Image: asa_four_rules]

And that the following two NAT rules have been configured for the firewall shown in the diagram above.

[Image: asa_nat_two_rules]

Step 5: Compile and Install

In Firewall Builder the process of converting the rules from the Firewall Builder GUI syntax to the target device commands is called compiling the configuration.

To compile, click on the Compile icon, which looks like a hammer. If you haven’t saved your configuration file yet you will be asked to do so. After you save your file a wizard will be displayed that lets you select which firewall(s) you want to compile. In this example we are going to compile the firewall called asa-1 configured with the rules above.

If there aren’t any errors, you should see some messages scroll by in the main window and a message at the top left stating Success.

To view the output of the compile, click on the button that says Inspect Generated Files. This will open the file that contains the commands in Cisco command format. Note that any line that starts with “!” is a comment.

[Image: asa_compiler_output2]

The output from the compiler is automatically saved in a file in the same directory as the data file that was used to create it. The generated files are named with the firewall name and a .fw extension. In our example the generated configuration file is called asa-1.fw. You can copy and paste the commands from this file to your firewall, or you can use the built-in Firewall Builder installer.


Installing

Firewall Builder can install the generated configuration file for you using SSH. To use the installer we need to identify one of the firewall interfaces as the “Management Interface”. This tells Firewall Builder which IP address to use to connect to the firewall.

Do this by double-clicking the firewall object to expand it, and then double-clicking on the interface name that you want to assign as the management interface. In our case this is interface Ethernet0/1 which is the interface connected to the internal network.


CAUTION! Any time you are changing access lists on your firewall you face the risk of locking yourself out of the device. Please be careful to always inspect your access lists closely and make sure that you will be able to access the firewall after the access list is installed.
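One way to do that inspection before installing is to trace the flows you care about through the access lists and see which ones fall through to the implicit deny. The script below is an added example, not code from the page or from Firewall Builder: the ACL text is a constructed sample in ASA extended access-list syntax, hand-written to mirror the tutorial's first three Policy rules (it is not the contents of the generated asa-1.fw), and the evaluator models through-traffic on an interface that has an access-group bound, nothing else.

```python
import ipaddress

# Constructed sample modelled on the tutorial's outside-interface rules.
# Hand-written ASA extended ACL syntax, NOT Firewall Builder's generated output.
ASA_CONFIG = """
! rules 1 and 2: outbound on the outside interface
access-list outside_out extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list outside_out extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list outside_out extended permit tcp host 10.0.0.25 host 198.51.100.25 eq 25
access-group outside_out out interface outside
! rule 3: inbound on the outside interface (ASA 8.3 ACLs use the real inside IP)
access-list outside_in extended permit tcp host 198.51.100.25 host 10.0.0.25 eq 25
access-group outside_in in interface outside
"""


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [(action, proto, src_net, dst_net, dport)]},
               {(interface, direction): acl_name}). Lines starting with '!' are comments."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list" and t[2] == "extended":
            name, action, proto = t[1], t[3], t[4]
            src, i = _parse_addr(t, 5)
            dst, i = _parse_addr(t, i)
            # only a destination "eq PORT" is modelled; no operator means any port
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append((action, proto, src, dst, dport))
        elif t[0] == "access-group":
            # access-group NAME {in|out} interface IFNAME
            bindings[(t[4], t[2])] = t[1]
    return acls, bindings


def evaluate(acls, bindings, ifname, direction, proto, src, dst, dport):
    """First-match decision for one flow: 'permit', 'deny', 'deny (implicit)' when the
    bound ACL is exhausted, or 'no-acl' when nothing is bound in that direction."""
    name = bindings.get((ifname, direction))
    if name is None:
        return "no-acl"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acls[name]:
        if p in (proto, "ip") and s in snet and d in dnet and port in (None, dport):
            return action
    return "deny (implicit)"  # every ASA/PIX access list ends with an implicit deny


if __name__ == "__main__":
    acls, bindings = parse_config(ASA_CONFIG)
    # a workstation browsing HTTPS is permitted; the same host relaying SMTP is not
    print(evaluate(acls, bindings, "outside", "out", "tcp", "10.0.0.50", "203.0.113.10", 443))
    print(evaluate(acls, bindings, "outside", "out", "tcp", "10.0.0.50", "198.51.100.25", 25))
```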

To install your access lists on the firewall, click on the install icon. This will bring up a wizard where you will select the firewall to install. Click Next > to install the selected firewall.


Firewall Builder will compile your rules converting them in to Cisco access list command line format. After the compile completes successfully click Next >. Enter your username, password and enable password.


After the access list configuration is installed you see a message at the bottom of the main window and the status indicator in the upper left corner of the wizard will indicate if the installation was successful.

[Image: asa_install_success]

By default Firewall Builder will use SCP to copy the generated config file to the firewall. Once the file is copied to the firewall, Firewall Builder will connect using SSH and load the transferred config file from memory using the “copy” command, merging the Firewall Builder generated commands with the current running configuration.

Firewall Builder requires SSH version 2 to be enabled on the firewall.

You can find more information about Firewall Builder, including the complete Users Guide, at http://www.fwbuilder.org/.
