Blue Team Tech: 8 - Building a DMZ for the ASAv and Enabling ICMP Inspection

This post will serve as a basic guide to creating a DMZ for a web server. Additionally, ICMP inspection will be enabled to allow the intern PC to ping outside.

To begin, ASDM will be used to configure static NAT 192.168.14.55 (Faux Public IP Used for Lab) and associate it with web server (which will be built) IP 10.2.0.55. Port 80 will then be opened for web server traffic with the ACL on ASDM. Lastly, ICMP will be enabled for packet inspection - like some protocols this is disabled for packet inspect by default.

Like every other post, this post will serve as an expansion of previous; but can also serve as a standalone. For background, below is the summary of the current setup:

To recap, here is the summary of the lab configuration so far:

Cloud1 represents the WAN.
ASAv has an outside interface of 192.168.14.130 (pretending this is our public IP)
ASAv has an inside interface of 10.1.0.250
ASDM is successfully built with reachability using the outside interface 192.168.14.130
The network behind the ASAv is designed with 10.0.0.0/24
The router is configured to route traffic with a default gateway to the ASAv
The virtual PC is configured with the router as the default gateway
The virtual PC can successfully the ASAv's inside IP 10.1.0.250.
The virtual PC is configured with 8.8.8.8 DNS Server
The ASAv is configured with dynamic PAT to allow internal IP address to translate to a public IP for communication
SSH is configured for outside traffic to manage the router.

STEP 1 - Creating a Router as the Web Server

Router, Web_Server, will be created to sit at the DMZ. It's configurations will allow it to be an http server. Web_Server will communicate from it's IP of 10.2.0.55 and route to the ASAv to be configured DMZ IP 10.2.0.66.

The router node is first added, named, connected and started before configuration. As noted in Post 2, the VIRL based nodes don't exactly match up with the GNS3 interface names. In this case the Gi0/0 matches the CLI.

enable

configure terminal

hostname Web_Server

interface gig0/0

ip address 10.2.0.55 255.255.255.0

no shutdown

exit

ip route 0.0.0.0 0.0.0.0 10.2.0.66

ip http server

ip http authentication local

username admin privilege 15 secret toor

end

write

As an added touch, right click Web_Server and select 'change symbol.' Search 'server' and click okay.

Step 2 - Using ASDM to configure the ASAv DMZ

Post 2 shows the configuration of the ASAv using the command line. Alternatively, this post will show the ASAv configuration using the Application Specific Device Manager. To get the planned setup interface gig0/2 going out will be configured with the 10.2.0.66 IP, and security level 50. After which NAT will associate public IP 192.168.14.55 with the Web_Server. The Access Control List will then allow for the outside world to reach Web_Server.

Navigate to Configuration to Device Setup to Interface Settings to Interfaces. Double click GigabitEthernet0/2 to edit.

Edit Interface will open. Change the following settings:

Interface Name: DMZ

Security Level: 50

Enable Interface: Check

IP Address: 10.2.0.66

Subnet Mask: 255.255.255.0

Click OK twice and Apply

To check connection to Web_Server, navigate to Tools to Ping. Fill out ip 10.2.0.55 and click ping. The output should show success.

Now to the NAT configuration!

Navigate to Configuration to Firewall to Objects to Network/Objects/Groups. From the Add drop down, select Add Network Object. Fill out the information as shown:

Name: Web_Server

IP Address: 10.2.0.55

Click OK and Apply