Lab 19 - ASA 5505 interfaces configuration and security levels

Lab Solution

The default ASA 5505 firewall behavior is to allow traffic to flow from interfaces with higher security levels ("inside" interfaces) to interfaces with lower security levels ("outside" interfaces), but to deny traffic in the other direction. Access-lists must be configured to allow traffic to flow from lower security levels to higher security levels.

Default ASA 5505 security levels:

  • Inside VLAN: security level 100
  • Outside VLAN: security level 0

Even with this default behavior, the simulated ASA 5505 available in Packet Tracer 6.1 does not allow the laptop to establish a working TCP connection with the HTTP server located in the outside network. The TCP SYN is allowed to flow from the laptop to the server, but the TCP ACK is blocked by the firewall.

The following configuration has to be applied to the firewall to establish a working TCP session between the laptop and the HTTP server. It uses the Modular Policy Framework (MPF) available on Cisco PIX/ASA products:

  • Configure a class-map that selects the traffic flow to be inspected
  • Define a policy-map that specifies the action (here, HTTP inspection) to apply to that traffic class
  • Activate the policy on a specific interface with a service-policy (the inside interface in this lab)

! Class-map: select the traffic to inspect (default-inspection-traffic covers the
! standard application ports, including TCP/80 for HTTP)
class-map HTTP
 match default-inspection-traffic
!
! Policy-map: apply HTTP application inspection to the HTTP class
policy-map TestPolicy
 class HTTP
  inspect http
!
! Service-policy: activate the policy on the inside interface
service-policy TestPolicy interface inside
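As an added example (not part of the original lab), the Python script below parses a small ASA-style configuration and checks the two points made above: which flows the default security-level rule permits, and whether the class-map / policy-map / service-policy chain is consistent (every service-policy names a defined policy-map, every class in a policy-map names a defined class-map and carries an action). The interface section of the sample configuration (Vlan1/Vlan2 names, IP addresses) is constructed for the example; the MPF part is the lab configuration above.

```python
"""Parse a minimal ASA configuration and check security levels and the MPF chain.

Constructed sample: the interface lines are assumptions for this example,
the class-map / policy-map / service-policy lines are the lab configuration.
"""

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.248
!
class-map HTTP
 match default-inspection-traffic
!
policy-map TestPolicy
 class HTTP
  inspect http
!
service-policy TestPolicy interface inside
"""


def parse_asa(text):
    """Return (levels, class_maps, policy_maps, service_policies).

    levels:           nameif -> security level
    class_maps:       name -> list of 'match ...' lines
    policy_maps:      name -> {class name: [action lines]}
    service_policies: list of (policy-map name, interface name or 'global')
    """
    ifaces = {}           # interface id -> {'nameif': ..., 'security_level': ...}
    class_maps, policy_maps, service_policies = {}, {}, []
    section, current_class = None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and '!' separators
        indent = len(raw) - len(raw.lstrip(" "))
        words = raw.split()
        if indent == 0:                   # top-level command opens a new section
            current_class = None
            if words[0] == "interface":
                section = ("interface", words[1])
                ifaces[words[1]] = {}
            elif words[0] == "class-map":
                section = ("class-map", words[1])
                class_maps[words[1]] = []
            elif words[0] == "policy-map":
                section = ("policy-map", words[1])
                policy_maps[words[1]] = {}
            elif words[0] == "service-policy":
                # 'service-policy NAME interface IF' or 'service-policy NAME global'
                scope = words[3] if len(words) > 3 else words[2]
                service_policies.append((words[1], scope))
                section = None
            else:
                section = None
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "interface":
            if words[0] == "nameif":
                ifaces[name]["nameif"] = words[1]
            elif words[0] == "security-level":
                ifaces[name]["security_level"] = int(words[1])
        elif kind == "class-map":
            class_maps[name].append(" ".join(words))
        elif kind == "policy-map":
            if indent == 1 and words[0] == "class":
                current_class = words[1]
                policy_maps[name][current_class] = []
            elif indent >= 2 and current_class is not None:
                policy_maps[name][current_class].append(" ".join(words))
    levels = {v["nameif"]: v["security_level"] for v in ifaces.values()
              if "nameif" in v and "security_level" in v}
    return levels, class_maps, policy_maps, service_policies


def default_flow_permitted(levels, src, dst):
    """Default ASA rule: a new connection may be initiated only from a strictly
    higher security level to a lower one. Lower-to-higher needs an access-list;
    equal levels need 'same-security-traffic permit inter-interface'."""
    return levels[src] > levels[dst]


def check_mpf(levels, class_maps, policy_maps, service_policies):
    """Return a list of problems found in the class-map/policy-map/service-policy chain."""
    problems = []
    for pname, scope in service_policies:
        if pname not in policy_maps:
            problems.append(f"service-policy references undefined policy-map {pname}")
        if scope != "global" and scope not in levels:
            problems.append(f"service-policy applied to unknown interface {scope}")
    for pname, classes in policy_maps.items():
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in class_maps:
                problems.append(f"policy-map {pname} references undefined class-map {cname}")
            if not actions:
                problems.append(f"policy-map {pname} class {cname} has no action")
    return problems


if __name__ == "__main__":
    levels, cms, pms, sps = parse_asa(SAMPLE_CONFIG)
    print("security levels:", levels)
    print("inside -> outside allowed by default:", default_flow_permitted(levels, "inside", "outside"))
    print("outside -> inside allowed by default:", default_flow_permitted(levels, "outside", "inside"))
    print("MPF problems:", check_mpf(levels, cms, pms, sps) or "none")
```

Feeding the script a configuration in which the policy-map refers to a class name that was never defined (for example `class WEB` instead of `class HTTP`) makes `check_mpf` report the dangling reference, which is the kind of mistake that leaves a service-policy applied but inspecting nothing.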