1. How Firewall Builder works with Cisco ASA Firewalls
2. Firewall Builder GUI Layout
3. Example Cisco ASA Deployment
4. Creating a Cisco ASA or PIX Firewall
4.1. Network Zones
5. Working With Objects
6. Configuring Policy Rules (Access Lists)
6.1. Additional Tips For Working with Rules
7. Configuring NAT Rules
8. Compile and Install
Firewall Builder is a configuration management application used to
configure and manage firewall rules for multiple types of firewalls.
This guide goes through the steps necessary to create a Cisco ASA
firewall object in Firewall Builder, and then install rules created in
Firewall Builder onto the firewall.
1. How Firewall Builder works with Cisco ASA Firewalls
The goal of this Getting Started Guide is to familiarize users with the
basic Firewall Builder steps needed to configure a Cisco ASA or PIX
firewall object. Many advanced features are not covered here; please
refer to the Users Guide for a complete listing of all Firewall Builder
features.
Click the "Next >" button to continue to the next step in the wizard.
When creating a firewall object in Firewall Builder you have a choice
Note
Warning! If you do not set the Network Zone, Firewall Builder will
generate an error when you try to compile the firewall object to
generate the configuration file.
Outside Interface
For the "outside" interface, Ethernet0/0 in this example, you will
typically set the Network Zone to "Any". "Any" is defined to be all IP
networks that aren't associated with any other interfaces. To set the
Network Zone double-click the Ethernet0/0 interface object of the
firewall object and select the Network Zone "Any" from the
dropdown list.
Figure 11. Setting Network Zone For The "outside" Interface
Inside Interface
For the "inside" interface, and all other interfaces on the firewall
object, you need to select a Network Zone based on your network
topology. In our example firewall object the "inside" interface is
attached to the 10.10.10.0/24 network. Firewall Builder comes with a
predefined object called net-10.0.0.0 which represents the 10.0.0.0
network. We will use this network for the "inside" interface Network
Zone.
Note
A Network Zone can be an individual Network object or a Group
object that includes multiple Network objects. For example, you
must set the Network Zone to a Group object if your internal
network uses the 10.0.0.0/8 and 172.16.0.0/16 networks. In this
case you create a Group object, include network objects for both of
these IP networks, and use this Group object as your "inside"
interface's Network Zone.
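As an added illustration (not Firewall Builder's own code) of what the Network Zone setting means, the following Python models the page's two-interface firewall: Ethernet0/0 "outside" with zone "Any" and Ethernet0/1 "inside" with zone net-10.0.0.0, plus the Note's case of a Group zone made of two networks. It shows how an address is mapped to an interface, that "Any" only catches addresses no other zone claims, and that an interface with no zone set is reported the way the compile step would reject it. The host addresses and the Group-zone topology are constructed for the example.

```python
"""Added example (not Firewall Builder's code): how the Network Zone set on
each interface decides which interface an address sits behind. Mirrors the
page's example: Ethernet0/0 "outside" with zone Any, Ethernet0/1 "inside"
with zone net-10.0.0.0. Host addresses and the Group-zone topology below
are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

ANY = "Any"  # the zone meaning "every network not claimed by another interface"


@dataclass
class Interface:
    name: str            # e.g. Ethernet0/1
    label: str           # e.g. inside
    zone: object = None  # None = unset, ANY, a network string, or a list of
                         # network strings (a Group object)


def zone_networks(zone):
    """Expand a Network object or a Group of Network objects to ip_network values."""
    members = [zone] if isinstance(zone, str) else list(zone)
    return [ipaddress.ip_network(m) for m in members]


def unset_zones(interfaces):
    """Interfaces that would make the compile step fail because no zone is set."""
    return [i.name for i in interfaces if i.zone is None]


def interface_for(interfaces, address):
    """Return the interface whose zone contains address; the Any zone is the fallback."""
    missing = unset_zones(interfaces)
    if missing:
        raise ValueError(f"Network Zone not set on: {', '.join(missing)}")
    addr = ipaddress.ip_address(address)
    fallback = None
    for iface in interfaces:
        if iface.zone == ANY:
            fallback = iface
            continue
        if any(addr in net for net in zone_networks(iface.zone)):
            return iface
    if fallback is None:
        raise ValueError(f"{address} is in no zone and no interface has zone Any")
    return fallback


# The page's two-interface firewall.
ASA_1 = [
    Interface("Ethernet0/0", "outside", ANY),
    Interface("Ethernet0/1", "inside", "10.0.0.0/8"),  # the predefined net-10.0.0.0
]

# The Note's case: an inside network made of two ranges needs a Group zone.
ASA_GROUP_ZONE = [
    Interface("Ethernet0/0", "outside", ANY),
    Interface("Ethernet0/1", "inside", ["10.0.0.0/8", "172.16.0.0/16"]),
]

if __name__ == "__main__":
    for fw, host in ((ASA_1, "10.10.10.25"), (ASA_1, "203.0.113.9"),
                     (ASA_GROUP_ZONE, "172.16.4.2")):
        print(host, "->", interface_for(fw, host).label)
```

Running the block maps 10.10.10.25 to "inside", the public address 203.0.113.9 to "outside" through the Any fallback, and 172.16.4.2 to "inside" only in the topology whose zone is a Group; with a single net-10.0.0.0 zone that address would fall through to "outside", which is exactly the misclassification the Note is warning about.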
Before moving on you should save the data file containing the new
firewall object just created. Do this by going to the "File -> Save As"
menu item. Choose a name and location to save the file.
Note
When editing the attributes of an object there is no Apply or Submit
button. A change to an attribute takes effect as soon as you move away
from the field you were editing.
Address Objects
To create an object representing a single IP address, similar to the
host parameter in a Cisco access list, go to the object tree, right-click
on the Addresses folder, and select "New Address". In the Editor Panel
change the name of the new address object to something that reflects its
function, for example POP3 Server. Also set the IP address.
Figure 14. New Address Object
You may have noticed that we did not create any objects for the TCP
services like HTTP and SSH needed for the firewall object rules
shown in the example. This is because Firewall Builder comes with
firewall itself.
Figure 16. Scenario Rules
After you drop the network object into the rule the Source field will
change from Any to Internal Network.
Figure 18. After Source is Set
Note
You can have more than one IP object in the Source and Destination
fields. When Firewall Builder generates the Cisco command line
access lists it will automatically split the rule into multiple lines if
necessary.
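To make the splitting behaviour in the Note concrete, here is an added Python illustration (not Firewall Builder's compiler) that expands one rule holding several Source, Destination and Service objects into the individual access-list lines an ASA accepts, one per combination, followed by the access-group binding. The ACL name inside_acl, the inside interface address 10.10.10.1 and the contents of the second rule are constructed for the example; the first rule is the page's Internal Network to "inside" interface rule.

```python
"""Added example (not Firewall Builder's compiler): one policy rule can hold
several objects in Source, Destination and Service; the ASA needs one
access-list line per combination. The ACL name inside_acl, the inside
interface address 10.10.10.1 and the second rule are constructed."""
import ipaddress
from itertools import product


def render_address(obj):
    """Address object -> ASA access-list address syntax (any / host x / net mask)."""
    if obj == "any":
        return "any"
    net = ipaddress.ip_network(obj, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def compile_rule(acl, action, sources, destinations, services):
    """Expand one rule into access-list lines, one per source x destination x service."""
    lines = []
    for src, dst, (proto, port) in product(sources, destinations, services):
        line = (f"access-list {acl} extended {action} {proto} "
                f"{render_address(src)} {render_address(dst)}")
        if port is not None:
            line += f" eq {port}"
        lines.append(line)
    return lines


INTERNAL_NETWORK = ["10.10.10.0/24"]   # the page's "Internal Network" object
INSIDE_INTERFACE = ["10.10.10.1/32"]   # constructed address of Ethernet0/1 "inside"
SSH, HTTP, HTTPS = ("tcp", 22), ("tcp", 80), ("tcp", 443)


def example_policy():
    """Rule 1 (page): Internal Network -> inside interface, ssh and http.
    Rule 2 (constructed): two internal networks -> any, http and https."""
    lines = compile_rule("inside_acl", "permit", INTERNAL_NETWORK,
                         INSIDE_INTERFACE, [SSH, HTTP])
    lines += compile_rule("inside_acl", "permit",
                          INTERNAL_NETWORK + ["10.10.20.0/24"], ["any"],
                          [HTTP, HTTPS])
    # Setting the rule's Interface column is what produces this binding.
    lines.append("access-group inside_acl in interface inside")
    return lines


if __name__ == "__main__":
    print("\n".join(example_policy()))
```

The second rule, with two Source objects and two Service objects, becomes four lines; this is why a rule that looks compact in the GUI can grow a long access list on the device, and why reviewing the generated configuration before installing is worthwhile.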
Setting the Destination
Setting the Destination is exactly the same as setting the Source,
except you drag-and-drop IP objects into the Destination field of the
rule. For our first example rule we want the Destination to be the
"inside" interface of the firewall object. Drag-and-drop the
Ethernet0/1 object from the object tree to the Destination column.
Figure 19. Setting the Destination
After you drop the interface object into the rule the Destination field
will change from Any to "inside", the label of the Ethernet0/1
interface.
Figure 20. After Destination is Set
Note
To switch back to the User library, which contains objects you have
created, click on the drop down menu that says Standard and select
User from the list of libraries.
Setting the Interface
If desired, set the Interface for the rule by dragging-and-dropping an
interface object from the firewall (router) object to the Interface
section of the rule. This explicitly defines which interface on the
router the access list will be applied to as an "access-group".
Figure 23. Setting the Interface
Copy-and-Paste
In addition to drag-and-drop you can also copy-and-paste objects.
For example, you can right-click on the Internal Network object in
the first rule and select Copy. Navigate to the Source section of the
new rule you just created and right-click and select Paste.
Using Filters to Find Objects
Filters provide a way to quickly find objects in the tree without
having to open multiple folders and scroll. For example, if you
wanted to use the POP3 protocol in a rule you could use the filter to
find it.
The POP3 protocol object is located in the Standard library, so select
it from the dropdown menu at the top of the Object Window. Type
pop3 into the filter field. This will display all objects in the current
library that contain pop3.
Figure 26. Using Filter to Find Objects
Note
After you are done with the filtered object, clear the filter field by
clicking the X to the right of the input box and then switch back to
the User library by selecting it in the dropdown menu at the top of
the object panel.
Example of Completed Rules
For our example we needed to create two firewall rules. The
completed firewall rules are shown in the diagram below.
Figure 27. Two Rules
Now that the basic firewall rules are configured we need to define
our NAT policy. Open the NAT object for editing by double-clicking on
it in the object tree as shown in the diagram below.
Figure 28. Open the NAT Object for Editing
For this example we will create a single NAT rule that translates the
source IP address of any traffic coming from the inside
10.10.10.0/24 network going to the Internet. The source IP should
be translated to the IP address of the "outside" interface of the
firewall.
To edit NAT rules we use the same concepts used to edit the firewall
Policy rules. Start by clicking the green icon at the top of the
Rules panel to add a new NAT rule.
Drag-and-drop the "Internal Network" object you created earlier to
the Original Src column of the NAT rule. This identifies the traffic
that will have its source IP address translated. Now, drag-and-drop
the "outside" interface from the asa-1 firewall object to the
Translated Src column of the rule. This field identifies the IP address
that the traffic will be translated to. After you are done the NAT rule
should look like the diagram below.
Figure 29. Completed NAT Rule
That's it! Now we are ready to generate the configuration file and
use the built-in installer to deploy it to the firewall.
Note
Any time you change access lists on your router you face the risk of
locking yourself out of the device. Please be careful to always
inspect your access lists closely and make sure that you will be able
to access the ASA / PIX after the access list is installed.
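One way to act on this Note before clicking install is to evaluate the access list the way the device does, first match wins with an implicit deny at the end, for the management session you rely on. The Python below is an added illustration, not part of Firewall Builder's installer; the policy, the admin host 10.10.10.50 and the inside interface address 10.10.10.1 are constructed. The policy deliberately places a "deny everything else to the firewall" entry ahead of a broad permit so the ordering problem is visible. On an ASA, sessions to the firewall itself are additionally gated by its own ssh and http commands, so this check covers the access list only.

```python
"""Added example (not Firewall Builder's installer): a pre-install check that
walks the access list the way the ASA evaluates it (first match wins,
implicit deny at the end) for the management session you depend on. The
policy, admin host and firewall address are constructed."""
import ipaddress

# (action, protocol, source, destination, destination port or None)
POLICY = [
    ("permit", "tcp", "10.10.10.0/24", "10.10.10.1/32", 22),
    ("deny",   "ip",  "10.10.10.0/24", "10.10.10.1/32", None),  # nothing else to the box
    ("permit", "tcp", "10.10.10.0/24", "0.0.0.0/0",     80),
    ("permit", "tcp", "10.10.10.0/24", "0.0.0.0/0",     443),
]


def entry_matches(entry, proto, src, dst, dport):
    """True if one access-list entry covers the given packet."""
    action, e_proto, e_src, e_dst, e_port = entry
    if e_proto != "ip" and e_proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(e_src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(e_dst):
        return False
    return e_port is None or e_port == dport


def evaluate(policy, proto, src, dst, dport):
    """Return (action, index) of the first matching entry; ("deny", None) if none."""
    for index, entry in enumerate(policy):
        if entry_matches(entry, proto, src, dst, dport):
            return entry[0], index
    return "deny", None  # the implicit deny at the end of every ASA access list


def blocked_management_ports(policy, admin_host, firewall_addr, ports=(22, 443)):
    """Ports on which admin_host could no longer reach firewall_addr after install."""
    return [p for p in ports
            if evaluate(policy, "tcp", admin_host, firewall_addr, p)[0] != "permit"]


if __name__ == "__main__":
    blocked = blocked_management_ports(POLICY, "10.10.10.50", "10.10.10.1")
    print("blocked management ports:", blocked or "none")
```

For the constructed policy the check reports port 443 as blocked: the https permit in the last entry never gets a chance because the deny in the second entry matches first. Catching that before install is what the Note asks for.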
To install your access lists on the firewall, click on the install icon.
This will bring up a wizard where you will select the firewall to
install. Click Next > to install the selected firewall.
Figure 32. Setting Compile and Install Actions
After the access list configuration is installed you will see a message
at the bottom of the main window, and the status indicator in the
upper left corner of the wizard will show whether the installation was
successful.
Figure 34. Successful Install