ASA Firewall Lab Manual

Cisco Certified Security Professional
SNAF: Securing Networks with ASA Fundamentals
Lab Manual
Developed by M. Irfan Ghauri and M. Tanzeel Nasir
C-32/1 Block-5 Gulshan-e-Iqbal, Karachi. ESP Press, Ph #021-6034003. Copyright 2011


Cisco Security Appliance Command Line Configuration Guide. The purpose of this guide is to help you configure the security appliance using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios. You can also configure and monitor the security appliance by using ASDM, a GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios.

Transcript of ASA Firewall Lab Manual


  • ASA Lab Manual

    1

LAB NO.  LAB DESCRIPTION                                                        PAGE
1        ASA Basic & Accessing ASA through Telnet/SSH/HTTP                      3
2        Network Address Translation: NAT Control, Static NAT, Dynamic NAT,     8
         PAT, Static PAT, Policy NAT, NAT 0
3        Filtering ActiveX Objects and Java Applets                             17
4        Transparent Firewall                                                   18
5        Syslog Server                                                          20
6        Cut-through Proxy through LOCAL database & AAA server                  21
7        Downloadable ACL                                                       24
8        TCP Intercept / Max Connection                                         29
9        Object Grouping and Time-based ACL                                     30
10       Routing: a. Static Routing, b. Dynamic Routing                         32
11       Dynamic Host Configuration Protocol                                    34
12       Demilitarized Zone                                                     37
13       Inter-VLAN Routing with ASA                                            39
14       Modular Policy Framework                                               41
15       Virtual Private Network: Site-to-Site VPN, Web VPN, Remote Access VPN  42


Lab # 1

ASA Basic Configuration

How to verify the version
ciscoasa(config)# sh version

How to set the hostname
ciscoasa(config)# hostname ESP

How to set time & date
ciscoasa# clock set 03:40:50 29 december 2010

How to set a banner
ciscoasa(config)# banner exec "you are off"

How to configure a particular interface
ciscoasa(config)# interface ethernet 0/0
Assign the IP address (no mask is given, so the ASA applies the default mask for the address class, here /8)
ciscoasa(config-if)# ip address 20.0.0.10
Bring the interface up
ciscoasa(config-if)# no shutdown
Set the speed
ciscoasa(config-if)# speed auto
Give the interface a label
ciscoasa(config-if)# nameif outside
Set the security level (0 = least trusted)
ciscoasa(config-if)# security-level 0
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto


ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100

How to check a particular interface
ciscoasa# sh interface ethernet 0/0
ciscoasa# sh interface ethernet 0/1
How to check the IP addresses applied on the device
ciscoasa# sh ip address
How to check interface labels & security levels
ciscoasa# sh nameif
How to check the interface summary
ciscoasa(config)# sh interface ip brief
How to save the configuration
ciscoasa(config)# copy running-config startup-config
How to check the state (connection) table
ciscoasa(config)# sh conn
How to check memory status
ciscoasa# sh memory
How to restrict access to privileged mode
ciscoasa(config)# enable password cisco
How to check the running configuration
ciscoasa(config)# sh run
How to check the CLI history
ciscoasa# sh history


Accessing ASA through Telnet/HTTP/SSH

Configuration

Assign speed & IP address on the inside & outside interfaces.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside

How to Telnet to the Adaptive Security Appliance
ciscoasa(config)# telnet 10.0.0.4 255.255.255.255 inside
ciscoasa(config)# passwd cisco
ciscoasa(config)# enable password cisco
(Telnet is allowed only from the inside: the ASA refuses Telnet on its lowest-security interface, so management from the outside has to use SSH.)

How to enable HTTP (ASDM) access to the Adaptive Security Appliance
ciscoasa(config)# http server enable
ciscoasa(config)# http 10.0.0.1 255.255.255.255 inside

How to SSH to the Adaptive Security Appliance
ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa(config)# ssh 10.0.0.1 255.255.255.255 inside
ciscoasa(config)# ssh 20.0.0.4 255.255.255.255 outside

Authentication with the local database
ciscoasa(config)# username tanzeel password cisco123
ciscoasa(config)# aaa authentication ssh console LOCAL


At machine 10.0.0.1: (screenshot of the SSH client session)


Verification commands:
ciscoasa(config)# show ssh
ciscoasa(config)# show ssh sessions
ciscoasa(config)# ssh disconnect session_id
ciscoasa(config)# show crypto key mypubkey rsa


Lab # 2

NETWORK ADDRESS TRANSLATION

Network Address Translation allows private addresses to be translated into public addresses.

NAT Control, Static NAT, Dynamic NAT, PAT, Static PAT, Policy NAT, NAT 0

Configuration

Assign speed & IP address on the inside & outside interfaces.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
ciscoasa(config)# nat-control
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside


STATIC NETWORK ADDRESS TRANSLATION

Configuration

Establish static NAT & ACLs.
ciscoasa(config)# static (inside,outside) 20.0.0.51 10.0.0.1
ciscoasa(config)# static (inside,outside) 20.0.0.52 10.0.0.2

Verify the configuration with the following commands.
ciscoasa(config)# show running-config static
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1


DYNAMIC NETWORK ADDRESS TRANSLATION

Configuration

Establish dynamic NAT, the global pool & ACLs on the inside interface.
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 20.0.0.51-20.0.0.60
(nat (inside) 1 0 0 is shorthand for nat (inside) 1 0.0.0.0 0.0.0.0: every inside host belongs to NAT ID 1.)

Verify the configuration with the following commands.
ciscoasa(config)# show running-config global
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1


DYNAMIC PORT ADDRESS TRANSLATION

Configuration

Establish dynamic PAT with a single global address & ACLs.
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 20.0.0.51

OR establish dynamic PAT using the outside interface IP address as the global address.
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside


Verify the configuration with the following commands.
ciscoasa(config)# show running-config global
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1


STATIC PAT

Configuration

Establish port redirection & ACLs.
ciscoasa(config)# static (inside,outside) tcp 20.0.0.50 http 10.0.0.1 80
Verify the result by browsing to 20.0.0.50 from the outside machine.
(The outside machine will successfully reach the local web server.)

Verify the configuration with the following commands.
ciscoasa(config)# show running-config static
ciscoasa(config)# show xlate


POLICY NAT

Configuration

Apply the ACLs & the NAT policy (the translation chosen depends on the destination matched by each ACL).
ciscoasa(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 host 20.0.0.1
ciscoasa(config)# access-list 102 permit ip 10.0.0.0 255.0.0.0 host 20.0.0.2
ciscoasa(config)# nat (inside) 1 access-list 101
ciscoasa(config)# global (outside) 1 20.0.0.51
ciscoasa(config)# nat (inside) 2 access-list 102
ciscoasa(config)# global (outside) 2 20.0.0.52


Verify the configuration with the following commands.
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show running-config global


NAT CONTROL AND NAT 0

Configuration

Enable NAT control (with nat-control, an inside host that matches no NAT rule cannot pass through the ASA).
ciscoasa(config)# nat-control
Apply the NAT 0 (identity NAT) policy for ATIF, so that 10.0.0.2 passes without translation.
ciscoasa(config)# nat (inside) 0 10.0.0.2 255.255.255.255
Verify the configuration with the following commands.
ciscoasa(config)# show xlate
ciscoasa(config)# show running-config global

[Topology diagram: ASA E1 (inside) 10.0.0.10, E0 (outside) 20.0.0.10; inside hosts 10.0.0.1 (ALI, requires a NAT rule) and 10.0.0.2 (ATIF, using the NAT 0 policy); outside hosts 20.0.0.1 and 20.0.0.2.]
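The NAT variants of this lab (static, dynamic, PAT, policy NAT and NAT 0 under nat-control) can be traced host by host with the following Python model of the pre-8.3 ASA outbound NAT lookup. It is an added example, not code from the manual: the AsaNat class and the lab_* functions are my own names, ACLs are simplified to lists of (source, destination) permit pairs, and an exhausted pool is reported instead of falling back to a PAT global.

```python
import ipaddress

IP = ipaddress.ip_address
def NET(s):                      # "10.0.0.0 255.0.0.0" or "20.0.0.1/32" -> network object
    return ipaddress.ip_network(s.replace(" ", "/"), strict=False)

class AsaNat:
    """Pre-8.3 inside->outside NAT lookup: static first, then policy NAT, then regular
    dynamic NAT (most specific 'nat' wins); 'nat-control' decides the fate of the rest."""
    def __init__(self, nat_control=False):
        self.nat_control = nat_control   # 'nat-control'
        self.statics = {}                # real -> mapped          'static (inside,outside) M R'
        self.policy = []                 # (acl, nat_id)           'nat (inside) ID access-list N'
        self.dynamic = []                # (real net, nat_id)      'nat (inside) ID ip mask'; ID 0 = identity
        self.pools = {}                  # nat_id -> [mapped ips]  'global (outside) ID a[-b]'
        self.xlate = {}                  # (real, nat_id) -> mapped, i.e. the 'show xlate' table

    def static(self, mapped, real):
        self.statics[IP(real)] = IP(mapped)

    def nat(self, nat_id, real="0.0.0.0 0.0.0.0", acl=None):
        if acl:                          # policy NAT: acl is a list of (src, dst) permit entries
            self.policy.append((acl, nat_id))
        else:                            # regular dynamic NAT ('0 0' = every inside host)
            self.dynamic.append((NET(real), nat_id))

    def global_(self, nat_id, first, last=None):
        lo, hi = int(IP(first)), int(IP(last or first))
        self.pools[nat_id] = [IP(i) for i in range(lo, hi + 1)]

    def _allocate(self, real, nat_id):
        if (real, nat_id) not in self.xlate:
            pool = self.pools.get(nat_id, [])
            # a single global address is PAT and is shared; a range hands out one free address per host
            free = pool if len(pool) == 1 else [m for m in pool if m not in self.xlate.values()]
            if not free:                 # exhausted pool; a real ASA would try a PAT global next
                return "dropped: pool exhausted"
            self.xlate[(real, nat_id)] = free[0]
        return str(self.xlate[(real, nat_id)])

    def translate(self, src, dst):
        src, dst = IP(src), IP(dst)
        if src in self.statics:                                  # 1. static NAT / static PAT
            return str(self.statics[src])
        for acl, nat_id in self.policy:                          # 2. policy dynamic NAT
            if any(src in NET(s) and dst in NET(d) for s, d in acl):
                return self._allocate(src, nat_id)
        hits = [(n, i) for n, i in self.dynamic if src in n]     # 3. regular dynamic NAT, best match
        if hits:
            _, nat_id = max(hits, key=lambda h: h[0].prefixlen)
            return str(src) if nat_id == 0 else self._allocate(src, nat_id)   # nat 0 = identity NAT
        return "dropped: nat-control" if self.nat_control else str(src)

def lab_dynamic_vs_pat():
    """'nat (inside) 1 0 0' with the 20.0.0.51-20.0.0.60 pool versus a single PAT address."""
    pool, pat = AsaNat(nat_control=True), AsaNat(nat_control=True)
    pool.nat(1); pool.global_(1, "20.0.0.51", "20.0.0.60")
    pat.nat(1);  pat.global_(1, "20.0.0.51")
    hosts = ("10.0.0.1", "10.0.0.2", "10.0.0.1")
    return [pool.translate(h, "20.0.0.1") for h in hosts], [pat.translate(h, "20.0.0.1") for h in hosts]

def lab_policy_and_nat0():
    """Policy NAT with access-lists 101/102, then the NAT 0 rule for ATIF (10.0.0.2) under nat-control."""
    pol = AsaNat(nat_control=True)
    pol.nat(1, acl=[("10.0.0.0 255.0.0.0", "20.0.0.1/32")]); pol.global_(1, "20.0.0.51")
    pol.nat(2, acl=[("10.0.0.0 255.0.0.0", "20.0.0.2/32")]); pol.global_(2, "20.0.0.52")
    nat0 = AsaNat(nat_control=True)
    nat0.nat(0, "10.0.0.2 255.255.255.255")    # ATIF passes untranslated; ALI (10.0.0.1) has no rule
    return ([pol.translate("10.0.0.1", d) for d in ("20.0.0.1", "20.0.0.2", "20.0.0.3")],
            [nat0.translate(h, "20.0.0.1") for h in ("10.0.0.2", "10.0.0.1")])
```

The second host of the pool pair gets the next free pool address while the PAT pair shares 20.0.0.51, and under nat-control a destination that no policy ACL covers is dropped rather than passed.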


Lab # 3

FILTERING ACTIVEX OBJECTS AND JAVA APPLETS

Configuration

Apply the filters (port 80, any source, any destination).
ciscoasa(config)# filter java 80 0 0 0 0
ciscoasa(config)# filter activex 80 0 0 0 0
Verify the result by browsing to the outside machine from any inside machine.
(The host will still load the HTML page; the Java applets and ActiveX objects embedded in it are filtered out by the ASA.)


Lab # 4 TRANSPARENT FIREWALL

Configuration

Switch to transparent mode, then assign speed & no shutdown on the inside & outside interfaces (in transparent mode the interfaces themselves carry no IP address).
ciscoasa(config)# firewall transparent
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside

[Topology diagram: hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 on one subnet, bridged through the transparent ASA.]


ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside
Assign the management IP address (set globally, not per interface, in transparent mode).
ciscoasa(config)# ip address 10.0.0.10 255.255.255.0
Verify the result with show commands.
ciscoasa(config)# show firewall
ciscoasa(config)# show mac-address-table


Lab # 5

SYSLOG SERVER

Configuration:
ciscoasa(config)# logging on
ciscoasa(config)# logging host inside 10.0.0.2
ciscoasa(config)# logging trap 7
(Trap level 7 = debugging, so every message from severity 0 to 7 is sent to the syslog host.)
Verification commands:
ciscoasa(config)# show logging

[Topology diagram: ASA E1 (inside) 10.0.0.10, E0 (outside) 20.0.0.10; inside host 10.0.0.1 and syslog server 10.0.0.2; outside hosts 20.0.0.1 and 20.0.0.2.]
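On the receiving side, the messages sent by "logging trap 7" carry a "%ASA-severity-id:" header, and the trap level is simply a severity cut-off. The following Python parser, an added example that is not from the manual, applies the same cut-off to sample lines and pulls out the ACL-deny messages (ID 106023) a defender would review; the sample lines are constructed, and the function names are my own.

```python
import re
from collections import Counter

# ASA syslog header format: %ASA-<severity>-<message-id>: <text>.  'logging trap 7' forwards
# severities 0 (emergencies) to 7 (debugging) to the host set with 'logging host inside 10.0.0.2'.
HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)")
SEVERITY = ["emergencies", "alerts", "critical", "errors", "warnings",
            "notifications", "informational", "debugging"]

def parse(line):
    """Return {'severity', 'name', 'id', 'text'} for an ASA message, or None for anything else."""
    m = HEADER.search(line)
    if m is None:
        return None
    sev = int(m["sev"])
    return {"severity": sev, "name": SEVERITY[sev], "id": m["msg_id"], "text": m["text"]}

def trap_filter(lines, trap_level):
    """Keep the messages the ASA would forward under 'logging trap <trap_level>'."""
    parsed = (parse(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity"] <= trap_level]

def summarize(lines, trap_level=7):
    """Count forwarded messages per message ID and collect ACL denies (ID 106023) for review."""
    msgs = trap_filter(lines, trap_level)
    return {"forwarded": len(msgs),
            "by_id": dict(Counter(p["id"] for p in msgs)),
            "acl_denies": [p["text"] for p in msgs if p["id"] == "106023"]}

# Constructed sample lines in the ASA format (facility local4 in the <PRI> field), not real captures.
SAMPLE = [
    "<166>Dec 29 2010 03:41:10 ESP : %ASA-6-302013: Built outbound TCP connection 12 for "
    "outside:20.0.0.1/80 (20.0.0.1/80) to inside:10.0.0.1/1044 (20.0.0.51/1044)",
    '<164>Dec 29 2010 03:41:12 ESP : %ASA-4-106023: Deny tcp src outside:20.0.0.2/3456 dst '
    'inside:10.0.0.1/23 by access-group "101" [0x0, 0x0]',
    "<165>Dec 29 2010 03:41:20 ESP : %ASA-5-111008: User 'tanzeel' executed the 'logging trap 7' command.",
    "<167>Dec 29 2010 03:41:21 ESP : %ASA-7-609001: Built local-host inside:10.0.0.1",
    "Dec 29 2010 03:41:22 ESP : not an ASA message, ignored by the parser",
]

if __name__ == "__main__":
    print(summarize(SAMPLE, trap_level=7))
```

Lowering the trap level to 5 (notifications) drops the connection-built and local-host messages while the ACL deny and the command audit record still arrive.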


Lab # 6 Cut-through Proxy through LOCAL database & AAA server

Configuration

Cut-through proxy through the local database
ciscoasa(config)# username admin password admin
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 LOCAL

Cut-through proxy with an AAA server
ciscoasa(config)# aaa-server esp protocol tacacs+
ciscoasa(config-aaa-server-group)# aaa-server esp host 10.0.0.1 cisco123
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 esp

[Topology diagram: ASA E1 (inside) 10.0.0.10, E0 (outside) 20.0.0.10; inside hosts 10.0.0.2 and 10.0.0.3 and AAA server 10.0.0.1; outside hosts 20.0.0.1 and 20.0.0.2.]


Configuration on the ACS server (screenshots)


User accounts on the AAA server (screenshot)

Verification commands:
ciscoasa(config)# show uauth
ciscoasa(config)# clear uauth


Lab # 7 Downloadable ACL

Cisco Secure ACS allows downloadable ACLs to be created, so that different ACLs can be defined for different users. A downloadable ACL is activated only when that particular user signs in.

Step 1: Configure the AAA server using the RADIUS protocol.
ciscoasa(config)# aaa-server esp protocol radius
ciscoasa(config-aaa-server-group)# aaa-server esp host 10.0.0.4 cisco
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 esp

[Topology diagram: ASA E1 (inside) 10.0.0.10, E0 (outside) 20.0.0.10; inside hosts 10.0.0.2 (ATIF) and 10.0.0.3 (ALI) and AAA server 10.0.0.1; outside hosts 20.0.0.1 and 20.0.0.2.]


Configuration on the ACS server (screenshots)

Step 2: Create the downloadable ACL under Shared Profile Components (if the Downloadable ACL option is not shown there, enable it first under Interface Configuration).


The option is now available under Shared Profile Components.


Step 3: Add user Ali and apply the downloadable ACL to the user's profile.

Step 4: Verify the results.
(Atif can successfully browse & FTP to the outside network)
BUT
(Ali can only FTP to the outside network)
Verification commands:
ciscoasa(config)# show uauth
ciscoasa(config)# clear uauth
ciscoasa(config)# show conn


Lab # 8 TCP Intercept / Maximum Connection

Configuration:
ciscoasa(config)# static (inside,outside) 20.0.0.50 10.0.0.1 1 0
(The trailing "1 0" are the TCP max_conns and emb_limit values: at most 1 connection to the server, and an embryonic limit of 0, which means no limit on half-open connections, so TCP intercept is not triggered by this rule.)
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside
Verification commands:
ciscoasa(config)# show running-config static
ciscoasa(config)# show local-host
ciscoasa(config)# show xlate
ciscoasa(config)# show conn

[Topology diagram: ASA E1 (inside) 10.0.0.10, E0 (outside) 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (FTP & web server); outside hosts 20.0.0.1 and 20.0.0.2.]


Lab # 9

Object Grouping

Configuration:
Create a network object-group
ciscoasa(config)# object-group network esp
ciscoasa(config-network)# network-object host 20.0.0.1
ciscoasa(config-network)# network-object host 20.0.0.2
ciscoasa(config-network)# network-object host 20.0.0.3
ciscoasa(config-network)# exit
Create a service object-group
ciscoasa(config)# object-group service httpftp tcp
ciscoasa(config-service)# port-object eq 80
ciscoasa(config-service)# port-object eq 21
ciscoasa(config-service)# exit

[Topology diagram: ASA E1 (inside) 10.0.0.10, E0 (outside) 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (FTP & web server); outside hosts 20.0.0.1 and 20.0.0.2.]


Call the object-groups in an ACL
ciscoasa(config)# access-list 101 extended permit tcp object-group esp host 10.0.0.1 object-group httpftp
ciscoasa(config)# access-group 101 in interface outside

Time-based ACL

Configuration:
ciscoasa(config)# time-range test
ciscoasa(config-time-range)# periodic daily 15:00 to 15:30
ciscoasa(config-time-range)# exit
ciscoasa(config)# access-list 101 permit ip any any time-range test
ciscoasa(config)# access-group 101 in interface outside

Verifying commands
ciscoasa(config)# show access-list
ciscoasa(config)# show run object-group
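To see which flows the Lab 9 object-group ACL and time-range actually permit, here is an added Python model (not from the manual) of ASA inbound access-list evaluation: object-groups are expanded, the time-range is compared with the ASA clock, the first matching entry wins with an implicit deny at the end, and an interface with no access-group falls back to the ASA default of allowing only higher-to-lower security-level traffic, the rule the later DMZ and inter-VLAN labs rely on. The AsaAcl class and the lab9 function are my own names.

```python
import ipaddress
from datetime import time

def NET(s):                                  # "10.0.0.0 255.0.0.0" or "20.0.0.1/32" -> network object
    return ipaddress.ip_network(s.replace(" ", "/"), strict=False)

class AsaAcl:
    """Object-groups, time-ranges and inbound access-groups as configured in Lab 9."""
    def __init__(self, **levels):            # e.g. outside=0, inside=100 ('security-level')
        self.levels, self.net_groups, self.svc_groups = levels, {}, {}
        self.time_ranges, self.acls, self.access_groups = {}, {}, {}

    def object_group_network(self, name, *hosts):        # 'network-object host H' entries
        self.net_groups[name] = [NET(h + "/32") for h in hosts]

    def object_group_service(self, name, proto, *ports): # 'object-group service NAME tcp' + 'port-object eq P'
        self.svc_groups[name] = (proto, set(ports))

    def time_range(self, name, start, end):              # 'periodic daily HH:MM to HH:MM'
        self.time_ranges[name] = (time.fromisoformat(start), time.fromisoformat(end))

    def access_list(self, name, action, proto, src, dst, ports=None, time_range=None):
        self.acls.setdefault(name, []).append((action, proto, src, dst, ports, time_range))

    def access_group(self, acl, ifc):                    # 'access-group ACL in interface IFC'
        self.access_groups[ifc] = acl

    def _addr(self, spec, ip):                           # any | host H | object-group G | net mask
        if spec == "any":
            return True
        if spec.startswith("object-group "):
            return any(ip in n for n in self.net_groups[spec.split()[1]])
        if spec.startswith("host "):
            spec = spec.split()[1] + "/32"
        return ip in NET(spec)
    def _port(self, spec, proto, port):                  # None | 'eq P' | object-group G
        if spec is None:
            return True
        if spec.startswith("object-group "):
            gproto, gports = self.svc_groups[spec.split()[1]]
            return proto == gproto and port in gports
        return port == int(spec.split()[-1])
    def _active(self, name, now):                        # no time-range, or the clock is inside its window
        return name is None or self.time_ranges[name][0] <= now <= self.time_ranges[name][1]

    def permits(self, ifc_in, ifc_out, src, dst, proto, dport, now):
        """Inbound access-group on the ingress interface decides (first match wins, implicit deny);
        without one the ASA default applies: a higher security level may reach a lower one only."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        acl = self.access_groups.get(ifc_in)
        if acl is None:
            return self.levels[ifc_in] > self.levels[ifc_out]
        for action, p, s, d, ports, tr in self.acls[acl]:
            if p in (proto, "ip") and self._addr(s, src) and self._addr(d, dst) \
                    and self._port(ports, proto, dport) and self._active(tr, now):
                return action == "permit"
        return False

def lab9(clock):
    """Lab 9 rules; 'clock' is the ASA time as 'HH:MM'.  Returns the verdicts for four flows."""
    asa = AsaAcl(outside=0, inside=100)
    asa.object_group_network("esp", "20.0.0.1", "20.0.0.2", "20.0.0.3")
    asa.object_group_service("httpftp", "tcp", 80, 21)
    asa.time_range("test", "15:00", "15:30")
    asa.access_list("101", "permit", "tcp", "object-group esp", "host 10.0.0.1", "object-group httpftp")
    asa.access_list("101", "permit", "ip", "any", "any", time_range="test")
    asa.access_group("101", "outside")
    now = time.fromisoformat(clock)
    return (asa.permits("outside", "inside", "20.0.0.2", "10.0.0.1", "tcp", 80, now),  # group member, http
            asa.permits("outside", "inside", "20.0.0.2", "10.0.0.1", "tcp", 22, now),  # ssh: only via time-range
            asa.permits("outside", "inside", "20.0.0.9", "10.0.0.2", "tcp", 80, now),  # host outside the group
            asa.permits("inside", "outside", "10.0.0.1", "20.0.0.9", "tcp", 80, now))  # no ACL: 100 -> 0 allowed
```

Between 15:00 and 15:30 the "permit ip any any" entry opens the outside interface completely, which is worth remembering when a time-based entry is appended to an otherwise tight ACL.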


Lab # 10 Routing

Configuration:
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 15.0.0.1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto

[Topology diagram: ASA E0 (outside) 15.0.0.1 connected to R2 Fa0/0 15.0.0.2; ASA Ethernet 1 (inside) 10.0.0.10 with Host A 10.0.0.1 and Host B 10.0.0.2 (FTP server); behind R2 Fa0/1 20.0.0.10, the web server 20.0.0.1 and host 20.0.0.2.]


ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100

Static Routing / Dynamic Routing (RIP, OSPF, EIGRP)

Static route commands on the ASA
ciscoasa(config)# route outside 20.0.0.0 255.0.0.0 15.0.0.2

RIP commands on the ASA
ciscoasa(config)# router rip
ciscoasa(config-router)# network 15.0.0.0
ciscoasa(config-router)# network 10.0.0.0
OSPF commands on the ASA
ciscoasa(config)# router ospf 64
ciscoasa(config-router)# network 15.0.0.0 255.0.0.0 area 0
ciscoasa(config-router)# network 10.0.0.0 255.0.0.0 area 0
EIGRP commands on the ASA
ciscoasa(config)# router eigrp 10
ciscoasa(config-router)# network 15.0.0.0
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# exit
Verifying commands
ciscoasa(config)# sh route
ciscoasa(config)# sh rip database
ciscoasa(config)# sh ospf interface
ciscoasa(config)# sh ospf neighbor
ciscoasa(config)# sh eigrp interfaces
ciscoasa(config)# sh eigrp neighbors


Lab # 11 DYNAMIC HOST CONFIGURATION PROTOCOL

The ASA firewall can be configured as a DHCP server or as a DHCP client.

DHCP SERVER

Configuration
Create the address pool for the inside hosts.
ciscoasa(config)# dhcpd address 10.0.0.51-10.0.0.61 inside
Enable the DHCP server on the inside interface of the ASA firewall.
ciscoasa(config)# dhcpd enable inside


Verify the configuration with the following commands.
ciscoasa(config)# show dhcpd binding
ciscoasa(config)# show dhcpd state
ciscoasa(config)# clear dhcpd bindings
ciscoasa(config)# debug dhcpd events
ciscoasa(config)# debug dhcpd packet

DHCP CLIENT

Configuration
Step 1: Enable the DHCP client on the outside interface.
ciscoasa(config)# int e0/0
ciscoasa(config-if)# ip address dhcp


    Step 2: Define new scope for IP addresses range.

    Step 3: Verify Configuration by using following commands. ciscoasa(config)#debug dhcpd events ciscoasa(config)#debug dhcpd packet


Lab # 12

Demilitarized Zone

Configuration
Step 1: Assign IP addresses and define security levels.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside


ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# ip address 30.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50
(nameif outside and inside default to security levels 0 and 100; any other name defaults to 0, so the DMZ needs an explicit level between the two.)
Apply PAT for the inside users & static NAT for the servers on the DMZ interface.
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# static (dmz,outside) 40.0.0.51 30.0.0.1
ciscoasa(config)# static (dmz,outside) 40.0.0.52 30.0.0.2
Establish an ACL to allow traffic from the lower security level (outside) to the servers, and apply it to the outside interface.
ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.51 eq www
ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.52 eq ftp
ciscoasa(config)# access-group 101 in interface outside
Verifying commands
ciscoasa(config)# sh run access-list
ciscoasa(config)# sh run interface


Lab # 13 INTER-VLAN ROUTING WITH ASA

Configuration
ciscoasa(config)# interface Ethernet0/2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# no ip address
ciscoasa(config-if)# exit

[Topology diagram: ASA Ethernet 0/0 (outside) 20.0.0.10 with host 20.0.0.1; Ethernet 0/1 (inside) 10.0.0.10 with host 10.0.0.1; Ethernet 0/2 trunked to switch 2950 Fa0/24, carrying subinterface E0/2.30 30.0.0.10/8 (security-level 30, VLAN 30, web server 30.0.0.1/8 on Fa0/3) and subinterface E0/2.40 40.0.0.10/8 (security-level 40, VLAN 40, FTP server 40.0.0.1/8 on Fa0/4).]


ciscoasa(config)# interface Ethernet0/2.30
ciscoasa(config-if)# vlan 30
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif www
ciscoasa(config-if)# security-level 30
ciscoasa(config-if)# ip address 30.0.0.10 255.0.0.0
ciscoasa(config)# interface Ethernet0/2.40
ciscoasa(config-if)# vlan 40
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif ftp
ciscoasa(config-if)# security-level 40
ciscoasa(config-if)# ip address 40.0.0.10 255.0.0.0
After this configuration, inside (100) users can reach the ftp (40) and www (30) services. To allow outside users to reach the web and FTP services as well, create an access-list permitting them and apply it to the outside interface (the web server 30.0.0.1 sits on VLAN 30 and the FTP server 40.0.0.1 on VLAN 40).
ciscoasa(config)# access-list 101 permit tcp any host 30.0.0.1 eq www
ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.1 eq ftp
ciscoasa(config)# access-group 101 in interface outside
Switch configuration
Switch(config)# vlan 30
Switch(config-vlan)# name www
Switch(config)# vlan 40
Switch(config-vlan)# name ftp
Switch(config)# interface fa0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config)# interface fa0/4
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 40
Switch(config)# interface fa0/24
Switch(config-if)# switchport mode trunk
Verifying commands
ciscoasa(config)# sh run access-list
ciscoasa(config)# sh run interface


Lab # 14 MODULAR POLICY FRAMEWORK

Configuration
Step 1: Define the class (traffic to match).
ASA(config)# class-map http
ASA(config-cmap)# match port tcp eq 80
Step 2: Enable the priority queue on the interface, attach the class to a policy map with the priority action, and apply the policy to the interface.
ASA(config)# priority-queue inside
ASA(config)# policy-map esp
ASA(config-pmap)# class http
ASA(config-pmap-c)# priority
ASA(config)# service-policy esp interface inside
Step 3: Verify the results with show commands.
ASA# show service-policy


Lab # 15 SITE-TO-SITE VPN

Configuration

Site-to-Site VPN configuration on the ASA
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# encryption des
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config)# tunnel-group 15.0.0.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 15.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco123
(DES, MD5 and DH group 2 match the lab peer; they are weak by current standards, and a production tunnel would use AES, SHA-2 and a stronger DH group on both sides.)

[Topology diagram: ASA Ethernet 1 (inside) 10.0.0.10 with Host A 10.0.0.1 (FTP server) and Host B 10.0.0.2 (web server); ASA E0 15.0.0.1 across the WAN to the remote router Fa0/0 15.0.0.2; remote LAN on Fa0/1 20.0.0.10 with remote users 20.0.0.1 and 20.0.0.2.]


Define the interesting traffic, the IPsec transform set and the crypto map, then bind the map to the outside interface.
ciscoasa(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0
ciscoasa(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac
ciscoasa(config)# crypto map outside_map 1 set peer 15.0.0.2
ciscoasa(config)# crypto map outside_map 1 set transform-set aset
ciscoasa(config)# crypto map outside_map 1 match address 101
ciscoasa(config)# crypto map outside_map interface outside


IPsec (Site-to-Site) VPN Wizard (ASDM screenshots)


CLIENTLESS WEB VPN

Unlike a standard IPsec VPN, which requires specific client software, Web VPN is a clientless remote-access VPN that uses a web browser to access the corporate network.

Configuration: SSL VPN Wizard (ASDM screenshots)

[Topology diagram: ASA E0 (WAN) 20.0.0.10, Ethernet 1 (inside) 10.0.0.10; inside Host A 10.0.0.1, local web server 10.0.0.2 and local FTP server 10.0.0.3; remote users 20.0.0.1 and 20.0.0.5 with no VPN client.]


Verify the results by accessing the corporate network: type the username and password (screenshot).


Step 3(A): Verify the results with show commands.
ciscoasa# show running-config webvpn


REMOTE-ACCESS VPN

Remote-access VPN provides secure communication with remote users who work from home and connect through a modem or mobile link; they must have the client hardware & client software running on their computers.

Configuration: IPsec (Remote-access) VPN Wizard (ASDM screenshots)

[Topology diagram: ASA E0 (WAN) 20.0.0.10, Ethernet 1 (inside) 10.0.0.10; inside Host A 10.0.0.1, local web server 10.0.0.2 and local FTP server 10.0.0.3; remote users 20.0.0.1 and 20.0.0.5 running the VPN client.]

