Topcerts 642-617 Exam - Deploying Cisco ASA Firewall Solutions
Cisco ASA Firewall Lab WorkBook
Transcript of Cisco ASA Firewall Lab WorkBook
©2016 RHC Technologies
R H C TECHNOLOGIES
#LIKE #FOLLOW #WATCH
Cisco ASA Firewall LAB WORKBOOK
Prepared By Sai Linn Thu
Security Policy ( Allow / Deny )
| Source \ Destination | Employee | E-mail | Finance ( $ ) | Internet |
| --- | --- | --- | --- | --- |
| Employee | Deny | Permit | Deny | Permit |
| Executive | Deny | Deny | Permit | Permit |
| BYOD | Deny | Permit | Deny | Permit |
| Guest | Permit | Deny | Deny | Permit |
Security Level : from 0 ( lowest ) to 100 ( highest )
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
With several DMZ zones, each zone gets its own security level between outside and inside :
Internet
outside ( 0 )
inside ( 100 )
dmz zone 1 ( 50 )
dmz zone 2 ( 60 )
dmz zone 3 ( 70 )
Incoming traffic / Outgoing traffic
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
Incoming traffic ( Low-to-High ) : Blocked by default, must be explicitly allowed
Outgoing traffic ( High-to-Low ) : Allowed by default, but inspected
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
150.1.1.0/24
10.1.1.0/24
192.168.1.0/24
Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
192.168.5.5/24
10.10.10.10/24
ASA
int g0
 nameif inside
 security-level 100
 ip add 10.1.1.100 255.255.255.0
 no shutdown
!
int g1
 nameif outside
 security-level 0
 ip add 150.1.1.100 255.255.255.0
 no shutdown
!
int g2
 nameif dmz
 security-level 50
 ip add 192.168.1.100 255.255.255.0
 no shutdown
!
#show int ip brief
Verify ping test on ASA !
ASA#ping 173.252.74.68
ASA#ping 10.10.10.10
ASA#ping 192.168.5.5
SUCCESS [or] FAIL ?
ASA
route outside 0 0 150.1.1.1
route inside 10.10.10.0 255.255.255.0 10.1.1.1
route dmz 192.168.5.0 255.255.255.0 192.168.1.1
#show route
Verify ping test on ASA again ( after adding the routes ) !
ASA#ping 173.252.74.68
ASA#ping 10.10.10.10
ASA#ping 192.168.5.5
SUCCESS [or] FAIL ?
Configure default routes from LAN , DMZ and INTERNET !
LAN#ip route 0.0.0.0 0.0.0.0 10.1.1.100
DMZ#ip route 0.0.0.0 0.0.0.0 192.168.1.100
INTERNET#ip route 0.0.0.0 0.0.0.0 150.1.1.100
Verify ping test from LAN to INTERNET !
LAN#ping 173.252.74.68
LAN#ping 173.252.74.68 source lo0
SUCCESS [or] FAIL ?
Outbound traffic ( High-to-Low ) is OK ( inspected ). Inbound traffic ( Low-to-High ) is DROPPED ( requires an ACL ).
Configure vty password & enable password on LAN , DMZ and INTERNET !
LAN
line vty 0 4
 password testlan
!
enable password testlan
!
DMZ
line vty 0 4
 password testdmz
!
enable password testdmz
!
INTERNET
line vty 0 4
 password testout
!
enable password testout
!
Verify telnet test from LAN < > INTERNET // LAN < > DMZ // DMZ < > INTERNET
LAN
LAN#telnet 173.252.74.68
LAN#telnet 173.252.74.68 /source-interface lo0
INTERNET
INTERNET#telnet 10.10.10.10
INTERNET#telnet 10.10.10.10 /source-interface lo0
Please also test LAN < > DMZ // DMZ < > INTERNET.
SUCCESS [or] FAIL ?
Configure ACL to allow telnet traffic from INTERNET to LAN!
ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
access-group INTERNET_LAN in interface outside
!
Verify telnet test from INTERNET to LAN
INTERNET
INTERNET#telnet 10.10.10.10
INTERNET#telnet 10.10.10.10 /source-interface lo0
INTERNET#telnet 10.10.10.10 /source-interface lo1
SUCCESS [or] FAIL ?
Configure ACL to allow telnet traffic from DMZ to LAN!
ASA
access-list DMZ_LAN permit tcp any any eq telnet
!
access-group DMZ_LAN in interface dmz
!
Verify telnet test from DMZ to LAN
DMZ
DMZ#telnet 10.10.10.10
DMZ#telnet 10.10.10.10 /source-interface lo0
SUCCESS [or] FAIL ?
Verify telnet test from INTERNET to DMZ !
INTERNET
INTERNET#telnet 192.168.5.5
INTERNET#telnet 192.168.5.5 /source-interface lo0
INTERNET#telnet 192.168.5.5 /source-interface lo1
Why SUCCESS ? Because of the config below, which we configured in the previous step : "permit tcp any any eq telnet" applied inbound on the outside interface matches telnet to any destination, so it opens the DMZ as well as the LAN.
ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
access-group INTERNET_LAN in interface outside
!
Delete the below config
ASA
no access-list INTERNET_LAN permit tcp any any eq telnet
!
no access-group INTERNET_LAN in interface outside
!
After deleting the config, we can no longer telnet from INTERNET to LAN, nor from INTERNET to DMZ.
But we can still telnet from DMZ to LAN.
Configure the policy as below :
1) ONLY Allow TELNET from 173.252.74.68 to LAN.
2) ONLY Allow TELNET from 172.217.25.174 to DMZ.
ASA
access-list INTERNET_LAN permit tcp host 173.252.74.68 10.10.10.0 255.255.255.0 eq telnet
!
access-list INTERNET_LAN permit tcp host 172.217.25.174 192.168.5.0 255.255.255.0 eq telnet
!
access-group INTERNET_LAN in interface outside
!
Verify telnet test from INTERNET to LAN !
INTERNET
INTERNET#telnet 10.10.10.10 > {success/fail}
INTERNET#telnet 10.10.10.10 /source-interface lo0 > {success/fail}
INTERNET#telnet 10.10.10.10 /source-interface lo1 > {success/fail}
Verify telnet test from INTERNET to DMZ !
INTERNET#telnet 192.168.5.5 > {success/fail}
INTERNET#telnet 192.168.5.5 /source-interface lo0 > {success/fail}
INTERNET#telnet 192.168.5.5 /source-interface lo1 > {success/fail}
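To make the two rules these telnet labs keep exercising explicit (an access-group bound to the ingress interface decides alone, ending in an implicit deny; without one, only higher-to-lower security-level traffic passes), here is an added Python model that replays the policies above. It is not part of the workbook: interface names, levels, addresses and ACEs are the lab's, and the decision logic is a deliberate simplification of ASA behaviour.

```python
# Added example, not from the workbook: a small model of how the ASA decides
# whether a new connection is forwarded, replaying the lab's telnet policies.
# Names, levels, addresses and ACEs are the lab's; the two decision rules are a
# deliberate simplification of ASA behaviour.
from ipaddress import ip_address, ip_network

# Interface -> (security level, connected network), from the lab topology.
INTERFACES = {"outside": (0, ip_network("150.1.1.0/24")),
              "inside": (100, ip_network("10.1.1.0/24")),
              "dmz": (50, ip_network("192.168.1.0/24"))}
LEVEL = {name: level for name, (level, _) in INTERFACES.items()}
# Static routes from the lab: destination network -> egress interface.
ROUTES = {ip_network("10.10.10.0/24"): "inside",
          ip_network("192.168.5.0/24"): "dmz",
          ip_network("0.0.0.0/0"): "outside"}

def egress_interface(dst):
    """Longest-prefix match over connected networks and static routes."""
    hits = [(net.prefixlen, name) for name, (_, net) in INTERFACES.items() if dst in net]
    hits += [(net.prefixlen, name) for net, name in ROUTES.items() if dst in net]
    return max(hits)[1]

def ace(proto, src, dst, port=None):
    """One access-list entry; 'any' is written as 0.0.0.0/0."""
    return {"proto": proto, "src": ip_network(src), "dst": ip_network(dst), "port": port}

def decide(ingress, access_groups, proto, src, dst, port=None):
    """Return 'permit' or 'deny' for a new flow arriving on `ingress`.
    1. An access-group bound to the ingress interface decides alone; it ends
       with an implicit deny, so the level-based default is then ignored.
    2. Without one, traffic may only go from a higher to a lower security
       level (inside -> dmz -> outside)."""
    src, dst = ip_address(src), ip_address(dst)
    if ingress in access_groups:
        for a in access_groups[ingress]:
            if (a["proto"] == proto and src in a["src"] and dst in a["dst"]
                    and a["port"] in (None, port)):
                return "permit"
        return "deny"
    return "permit" if LEVEL[ingress] > LEVEL[egress_interface(dst)] else "deny"

# Bindings after the policy above: INTERNET_LAN on outside, DMZ_LAN on dmz.
POLICY = {"outside": [ace("tcp", "173.252.74.68/32", "10.10.10.0/24", 23),
                      ace("tcp", "172.217.25.174/32", "192.168.5.0/24", 23)],
          "dmz": [ace("tcp", "0.0.0.0/0", "0.0.0.0/0", 23)]}
# The earlier "permit tcp any any eq telnet" on outside, which also opened the DMZ.
ANY_TELNET = {"outside": [ace("tcp", "0.0.0.0/0", "0.0.0.0/0", 23)]}
```

Running `decide("outside", ANY_TELNET, "tcp", "8.8.8.8", "192.168.5.5", 23)` reproduces the "Why SUCCESS ?" result, while the same source against `POLICY` is denied.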
Configure the policy as below :
1) Allow ping ( ICMP ) from LAN to DMZ.
2) Allow ping ( ICMP ) from LAN to INTERNET.
Only echo-reply needs to be permitted here : the echo requests leave from the higher security level ( LAN ) and pass by default, but the replies come back inbound ( Low-to-High ) and are dropped without an ACL.
ASA
access-list INTERNET_LAN permit icmp any any echo-reply
!
access-list DMZ_LAN permit icmp any any echo-reply
!
access-group INTERNET_LAN in interface outside
!
access-group DMZ_LAN in interface dmz
Verify ping test from LAN to INTERNET & DMZ !
LAN
LAN#ping 173.252.74.68 source lo0
LAN#ping 192.168.5.5 source lo0
SUCCESS [or] FAIL ?
Outbound traffic ( High-to-Low ) is OK ( inspected ). Inbound traffic ( Low-to-High ) is OK ( the required ACL is configured ).
Configure the policy as below :
1) Allow ping ( ICMP ) from INTERNET to LAN.
2) Allow ping ( ICMP ) from DMZ to LAN.
ASA
access-list INTERNET_LAN permit icmp any any echo
access-list INTERNET_LAN permit icmp any any echo-reply
!
access-group INTERNET_LAN in interface outside
!
access-list DMZ_LAN permit icmp any any echo
access-list DMZ_LAN permit icmp any any echo-reply
!
access-group DMZ_LAN in interface dmz
Verify ping test from INTERNET to LAN & DMZ to LAN!
ping test
INTERNET#ping 10.10.10.10 source lo0
INTERNET#ping 10.10.10.10 source lo1
INTERNET#ping 192.168.5.5 source lo0
INTERNET#ping 192.168.5.5 source lo1
DMZ#ping 10.10.10.10 source lo0
DMZ#ping 10.10.10.10 source lo1
SUCCESS [or] FAIL ?
Additional hosts in the topology for the next labs ( behind the INTERNET router ) :
Google DNS : 8.8.8.8/32 , 8.8.4.4/32
ASA
route outside 0 0 150.1.1.1
route inside 10.10.10.0 255.255.255.0 10.1.1.1
route inside 11.11.11.0 255.255.255.0 10.1.1.1
route inside 12.12.12.0 255.255.255.0 10.1.1.1
route dmz 192.168.5.0 255.255.255.0 192.168.1.1
#show route
Configure the policy using object-group as below :
ASA
object-group network GoogleDNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4
!
object-group network LAN
 network-object 10.10.10.0 255.255.255.0
 network-object 11.11.11.0 255.255.255.0
 network-object 12.12.12.0 255.255.255.0
!
object-group service PING
 service-object icmp echo
 service-object icmp echo-reply
!
access-list INTERNET_LAN permit object-group PING object-group GoogleDNS object-group LAN
!
access-group INTERNET_LAN in interface outside
Verify ping test from INTERNET to LAN!
ping test
INTERNET#ping 10.10.10.10 source lo0
INTERNET#ping 10.10.10.10 source lo1
INTERNET#ping 10.10.10.10 source lo2
INTERNET#ping 10.10.10.10 source lo3
INTERNET#ping 11.11.11.11 source lo0
INTERNET#ping 11.11.11.11 source lo1
INTERNET#ping 11.11.11.11 source lo2
INTERNET#ping 11.11.11.11 source lo3
INTERNET#ping 12.12.12.12 source lo0
INTERNET#ping 12.12.12.12 source lo1
INTERNET#ping 12.12.12.12 source lo2
INTERNET#ping 12.12.12.12 source lo3
Static NAT for the DMZ host : the private address 192.168.5.5/24 is published towards the outside interface as the public address 150.1.1.5/32.
ASA
object network DMZ-Private
 host 192.168.5.5
!
object network DMZ-Public
 host 150.1.1.5
!
nat (dmz,outside) source static DMZ-Private DMZ-Public
!
access-list INTERNET_LAN permit tcp any any eq telnet
Verify telnet from INTERNET to DMZ Public IP!
telnet test
INTERNET#telnet 150.1.1.5 /source-interface lo0
INTERNET#telnet 150.1.1.5 /source-interface lo1
INTERNET#telnet 150.1.1.5 /source-interface lo2
INTERNET#telnet 150.1.1.5 /source-interface lo3
© www.rhctechnologies.com
RHC Technologies