Here you will find out how to setup your Cisco ASA product to access the internet and setup NAT/PAT and Access Lists to secure your router and control what you want to pass through and block. Follow these steps to setup your ASA for most situations. This setup will be for a Cisco ASA 5520 or 5505 appliances.
This setup will be for a “static address” from your ISP
1. Console into your router. (Remember, you don’t use the quotes)
ciscoasa>en
ciscoasa#config t
ciscoasa(config)# int vlan 2
ciscoasa(config-if)# ip address “public ip from isp” “subnet mask”
ciscoasa(config)# route ouside 0.0.0.0 0.0.0.0 “ISP gateway” 1
ciscoasa(config)# dhcpd dns “ISP dns 1” “ISP dns 2”
You should now be able to access the internet through your Cisco ASA product.
Okay, say you want to have port forwarding to specific workstatsions or servers through the ASA.
1. Setup your NAT/PAT rules, we will use FTP for this example to forward FTP traffic to a specific host.
ciscoasa(config )# static (inside,outside) tcp interface ftp “Server IP” ftp netmask 255.255.255.255
eg: static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 – as 192.168.1.2 is your server
2. Setup your access list to allow traffic to this Server.
ciscoasa(config)# access-list outside_in extended permit tcp host “remote IP” host “outside interface IP” eq FTP
The above command “remote IP” will only allow that IP address to connect to your server.
eg: access-list outside_in extended permit tcp any host “outside interface” eq ftp – this will allow the world to access your server
ciscoasa(config)# access-group outside_in in interface outside
This is a basic setup, if you have a more complicated setup or are having problems, register with the site and post it in the Cisco Forum. It is absolutely free.
Now FTP traffic from the “Remote IP” will be directed to the specific server or workstation hosting the FTP service. If you want to allow access from ANY IP, use ANY instead of the “remote IP”. This will allow any IP from the outside world to access the FTP server. This isn’t that secure. For the most part you would want to get the IP from the company accessing your server and put in it where it says “Remote IP”. This will only allow access to the FTP server from that IP address and block any other IP from accessing it.
Do this for any Service you want to forward to specific workstations or servers. Follow steps 1 and 2 and change the “EQ FTP” to another service such as HTTPS. Same with the NAT/PAT rules, just replace “tcp interface HTTPS “Server IP” HTTPS.
Static NAT rules can be confusing. If you have any problems register with the site and post your specific issues that you are having with you Cisco ASA product in the Cisco Forum. You can post your entire config if you want. That will help with diagnosing the problem.