Contents
Purpose
Background
  Outside
  Inside
  DMZ
VPN
  ASA VPN Types
    Clientless VPN
    Any Connect VPN
    Site-to-Site VPN
      There are two types of site-to-site VPNs
ASDM
Learning Objectives
Network Diagram
Lab
  Task 1: Configure all other devices except the ASA
    PCs and servers
    ISP
    R1
    R2
  Task 2: Create an MS Loopback interface
  Task 3: Add the ASA device to GNS3
Local Site
  Task 4: Install ASDM on the ASA device
  Task 5: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
    Step 3: Configure the dmz
    Step 4: Create an Access Rule
  Task 6: Verifying the Local configuration
Remote Site
  Task 7: Install ASDM on the ASA device
  Task 8: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
  Task 9: Verifying the Remote configuration
Configure the Site-To-Site VPN
  Local site
  Remote site
  Verifying the VPN configuration
Purpose:
The purpose of this lab is to provide a more advanced understanding of Cisco's ASA 5520 Adaptive Security Appliance. The Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. In this lab we will use GNS3 to learn how to configure the ASA as a basic firewall with the addition of a third zone referred to as a DMZ, and finally we will create a site-to-site VPN between the sites. This knowledge is essential to passing the CCNP Security exam and will be used daily in your position as a Cisco network engineer.
Background:
In this lab we will be using GNS3 and ASDM to model a network with a LOCAL and a REMOTE site. Each of these sites will have access to the Internet. The local site will also have a DMZ zone that can be accessed by any outside device as well as by inside devices, but whose hosts will not be able to connect to any inside device. In addition to this we will create a site-to-site VPN between the local site and the remote site. Before we continue with our lab, let's take a look at the basic interfaces used in this lab.
Outside:
The outside interface is a public, untrusted zone commonly used to connect to public addresses on the Internet. Devices in this zone cannot access devices in the inside or DMZ without permission.
Inside:
The inside interface is a private, trusted interface generally used for local devices with a private address space. To access public addresses on the outside, the private addresses will need to be translated using NAT or PAT. Devices here can access devices in the outside or DMZ unless restricted.
DMZ:
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network.
VPN:
VPNs allow employees to securely access their company's intranet while
traveling outside the office. Similarly, VPNs securely connect geographically
separated offices of an organization, creating one cohesive network. VPN
technology is also used by individual Internet users to secure their wireless
transactions, to circumvent geo-restrictions and censorship, and to connect
to proxy servers for the purpose of protecting personal identity and location.
ASA VPN Types:
There are basically three types of VPN available to the Cisco ASA product line. They are as follows:
Clientless VPN:
Clientless SSL VPN enables end users to securely access resources on the
corporate network from anywhere using an SSL-enabled Web browser. The
user first authenticates with a Clientless SSL VPN gateway, which then allows
the user to access pre-configured network resources.
Clientless SSL VPN creates a secure, remote-access VPN tunnel to an ASA
using a Web browser without requiring a software or hardware client. It
provides secure and easy access to a broad range of Web resources and both
web-enabled and legacy applications from almost any device that can
connect to the Internet via HTTP. They include:
Internal websites.
Web-enabled applications.
NT/Active Directory file shares.
Email proxies, including POP3S, IMAP4S, and SMTPS.
Microsoft Outlook Web Access Exchange Server 2000, 2003, and 2007.
Microsoft Web App to Exchange Server 2010 in 8.4(2) and later.
ASDM:
Cisco's ASDM is a simple, GUI-based firewall appliance management tool that is user friendly and allows the user to configure, monitor, and troubleshoot Cisco firewall appliances and firewall service modules. Ideal for small or simple deployments, the Cisco Adaptive Security Device Manager provides the following:
Setup wizards that help you configure and manage Cisco firewall devices, including the Cisco ASA Adaptive Security Appliances, Cisco PIX appliances, and Cisco Catalyst 6500 Series Firewall Services Modules, without cumbersome command-line scripts.
A powerful real-time log viewer and monitoring dashboards that provide an at-a-glance view of firewall appliance status and health.
Handy troubleshooting features and powerful debugging tools such as packet trace and packet capture.
Learning Objectives:
Add the ASA to GNS3.
Configure MS Loopback Interface.
Install and configure ASDM.
Use ASDM to configure the ASA.
Configure a DMZ.
Configure a Site-to-Site VPN.
Network Diagram:
Lab:
Task 1: Configure all other devices except the ASA.
In this part of our lab we will configure the routers, PCs and servers as shown in the network diagram.
Note: In this lab, routers are used to simulate the INTERNET, DMZ, and LOCAL servers and the REMOTE and LOCAL PCs.
PCs and servers:
1. Configure the INTERNET, DMZ, and LOCAL servers and the REMOTE and LOCAL PC devices as shown in the network diagram.
2. Configure a default route on the above devices.
ISP:
1. Configure the ISP as follows:
ISP#config t
ISP(config)#interface FastEthernet0/0
ISP(config-if)#ip address 209.165.200.9 255.255.255.248
ISP(config-if)#no shutdown
ISP(config-if)#exit
!
ISP(config)#interface serial1/0
ISP(config-if)#ip address 10.1.1.2 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
!
! serial1/1 faces R2 on 10.2.2.0/30, the next hop of the 209.165.200.232/29 route below;
! it cannot reuse 10.1.1.2/30, which is already assigned to serial1/0
ISP(config)#interface serial1/1
ISP(config-if)#ip address 10.2.2.2 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
!
ISP(config)#ip route 209.165.200.224 255.255.255.248 10.1.1.1
ISP(config)#ip route 209.165.200.232 255.255.255.248 10.2.2.1
ISP(config)#exit
ISP#wr
R1:
1. Configure R1 as follows:
R1#config t
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 209.165.200.226 255.255.255.248
R1(config-if)#no shutdown
R1(config-if)#exit
!
R1(config)#interface serial1/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
!
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1(config)#exit
R1#wr
R2:
1. Configure R2 as follows:
R2#config t
R2(config)#interface FastEthernet0/0
14. In the Microsoft Loopback Adapter Properties dialog box, verify that the Virtual Machine Network services check box is selected.
15. Click Internet Protocol (TCP/IP), and then click Properties.
16. On the General tab, click Use the following IP address, and then type the IP address 192.168.2.10 and the subnet mask 255.255.255.0.
17. Click OK, and then click Close.
Task 3: Add the ASA device to GNS3.
1. Copy the ASA842.zip included with this lab into the GNS3 image directory.
2. Unzip the ASA842.zip file.
3. Open Edit -> Preferences -> Qemu and click the ASA tab.
4. Enter an identifier name (I used ASA-5520).
5. Enter 1024 for RAM.
6. Enter the following for Qemu Options:
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
7. Enter the paths where you placed the files from step 1 into the designated boxes for Initrd and Kernel.
8. Enter the following for Kernel cmd line:
-append ide_generic.probe_mask=001 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
9. Leave all other options at their defaults.
10.
11.
12.
13.
14. Once the ASA is up, enter enable and then enter one of the following to activate features:
Note: to complete the next step, you will need to disable or configure your PC firewall. You may also need to disable pop-up blocking in your browser and in the Java configuration. Lastly, you may need to add https://192.168.2.1 to the trusted sites under the Internet security options. You may also need to install the certificate in your browser.
8. Open your browser, browse to https://192.168.2.1 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the name admin and password cisco.
2.
3.
4.
5.
6. Click next.
7. Highlight GigabitEthernet1 and click edit.
8. Select enable interface and configure the interface with the following:
    Interface: GigabitEthernet1
    Interface Name: inside
    Security Level: 0
    IP Address: 192.168.20.1
    Subnet Mask: 255.255.255.0
9. Click OK.
10.
11. Highlight GigabitEthernet2 and click edit.
12. Select enable interface and configure the interface with the following:
    Interface: GigabitEthernet2
    Interface Name: dmz
    Security Level: 0
    IP Address: 172.16.1.1
    Subnet Mask: 255.255.255.0
13. Click OK.
14. Click next.
15. Click Add and enter the following:
    Interface: inside
    Network: any
    Gateway IP: 209.165.200.225
16. Click OK.
17. Click next.
18. Enable DHCP server on the inside interface.
19. Enter the starting IP address 192.168.10.10 and an ending IP address 192.168.10.100.
16. Click next.
17. Select use the IP address on GigabitEthernet0 interface.
17. Click next.
18. Click next.
19. Click next.
20. Select do not enable smart call home and click next.
21. Verify the configuration.
18. Click finish.
19. Select send.
Step 2: Create a global service policy.
    DNS
    ESMTP
    FTP
    H.323 H.225
    HTTP
    ICMP
    IP-OPTIONS
    NETBIOS
8. Click finish.
9. Click Apply.
10. Click send.
Step 3: Configure the dmz.
Click the NAT and select Add Automatic Address Translation Rule.
Select the Type of Dynamic.
Select the Translation Address as outside.
Click Advanced.
Select the Source Interface as inside and Destination Interface outside.
Click OK.
10.
11.
12.
    Name: dmz-subnet
    Type: Network
    IP Address: 172.16.1.0
    Netmask: 255.255.255.0
13. Click the NAT and select Add Automatic Address Translation Rule.
14. Select the Type of Dynamic.
15. Select the Translation Address as outside.
16. Click Advanced.
17. Select the Source Interface as dmz and Destination Interface outside.
18. Click OK.
19. Click OK.
20. Click Add and select Network Object.
21. In the Network Object window enter the following:
    Name: dmz-host-ext
    Type: host
    IP Address: 209.165.200.229
22. Click OK.
23. Click Add and select Network Object.
24. In the Network Object window enter the following:
    Name: dmz-host-int
    Type: host
    IP Address: 172.16.1.200
25. Click the NAT and select Add Automatic Address Translation Rule.
26. Select the Type of Static.
27. Select the Translation Address as dmz-host-ext.
28. Click Advanced.
29. Select the Source Interface as dmz and Destination Interface outside.
30. Click OK.
31. Click OK.
32. Click Apply.
33. Click Send.
Step 4: Create an Access Rule.
    Interface: outside
    Action: Permit
    Source: any
    Destination: dmz-host-int
    Services: tcp/ftp, tcp/ftp-data, tcp/http, tcp/https, tcp/ssh, tcp/telnet
4. Click OK.
5. Click Apply.
6. Click send.
7. From the menu bar click Save.
8. Click send.
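The CLI equivalent of the Task 5 ASDM steps above, as an added example (not the lab's own configuration and not what ASDM generates verbatim). Values taken from the lab steps are used as given; the outside address, the inside address and the security levels are marked as assumptions, since the lab text shows security level 0 for every interface and does not state ASA1's outside address.

```text
! ASA1 (local site), ASA 8.4 CLI. Added example, not the lab's own config
! and not ASDM's verbatim output; lines marked "assumed" are not in the lab.
interface GigabitEthernet0
 nameif outside
 security-level 0
! assumed: .226 is the "IKE Peer" ASA2 reports in the verification output
 ip address 209.165.200.226 255.255.255.248
interface GigabitEthernet1
 nameif inside
! assumed: the lab shows level 0, but two interfaces at the same level do
! not pass traffic without "same-security-traffic permit inter-interface"
 security-level 100
! assumed: matches the DHCP pool and ASA2's remote-subnet 192.168.10.0/24
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet2
 nameif dmz
! assumed: 50 places the dmz between outside (0) and inside (100)
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
dhcpd address 192.168.10.10-192.168.10.100 inside
dhcpd enable inside
!
! Step 2: the inspections selected in the service policy wizard
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect http
  inspect icmp
  inspect ip-options
  inspect netbios
service-policy global_policy global
!
! Step 3: PAT to the outside address for inside and dmz; static NAT for the DMZ host
object network inside-subnet
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz-subnet
 subnet 172.16.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
object network dmz-host-ext
 host 209.165.200.229
object network dmz-host-int
 host 172.16.1.200
 nat (dmz,outside) static dmz-host-ext
!
! Step 4: ASA 8.3+ access lists match the real (pre-NAT) address, so the rule
! names dmz-host-int even though the Internet reaches 209.165.200.229
object-group service DMZ-HOST-SVCS tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq telnet
access-list outside_access_in extended permit tcp any object dmz-host-int object-group DMZ-HOST-SVCS
access-group outside_access_in in interface outside
```

With this in place, `show nat` and `show access-list outside_access_in` on the ASA show the same translations and hit counts that ASDM displays under Task 6.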
Remote Site.
Task 7: Install ASDM on the ASA device.
1. If you don't already have a TFTP server installed, then you can download and install the Cisco TFTP server available with this lab.
2. In the ASA console enter the following:
ciscoasa# config t
ciscoasa(config)# hostname ASA2
ASA2(config)# int gi 5
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# nameif management
ASA2(config-if)# no shut
3. Ping the Windows loopback adapter from the ASA firewall to test connectivity.
4. If you don't already have the ASDM, then download the ASDM647 included with this lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:
ASA2# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM during the next boot.
ASA2# config t
ASA2(config)#
ASA2(config)#
ASA2(config)#
management
ASA2(config)#
2.
3.
4.
5.
6. Click next.
7. Highlight GigabitEthernet1 and click edit.
8. Select enable interface and configure the interface with the following:
    Interface: GigabitEthernet1
    Interface Name: inside
    Security Level: 0
    IP Address: 192.168.20.1
    Subnet Mask: 255.255.255.0
9. Click OK.
10. Click next.
11. Click Add and enter the following:
    Interface: inside
    Network: any
    Gateway IP: 209.165.200.225
12. Click OK.
13. Click next.
14. Enable DHCP server on the inside interface.
15. Enter the starting IP address 192.168.0.10 and an ending IP address 192.168.10.100.
16. Click next.
17. Select use the IP address on GigabitEthernet0 interface.
18. Click next.
19. Click next.
20. Click next.
21. Select do not enable smart call home and click next.
22. Verify the configuration.
23. Click finish.
24. Select send.
Step 2: Create a global service policy.
    DNS
    ESMTP
    FTP
    H.323 H.225
    HTTP
    ICMP
    IP-OPTIONS
    NETBIOS
8. Click finish.
9. Click Apply.
10. Click send.
Configure the Site-To-Site VPN.
Local site.
1. Open your browser and browse to https://192.168.2.1 and click the
Install ASDM Launcher button to download and install the ASDM app
from the ASA.
2. Once the Cisco ASDM-IDM Launcher has loaded, login to it with the
name admin and password cisco.
3. From the menu bar select wizards.
4. From the dropdown select VPN Wizards and select Site-to-Site VPN
Wizard.
5. Click Next.
6. Enter the outside address of ASA2 as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click next.
11. From the Local Network dropdown select the inside-subnet as the Local Network.
12. Select the Remote Network dropdown.
13. Click add and select network object, and enter the following:
    Name: remote-subnet
    Type: Network
    IP Address: 192.168.20.0
    NetMask: 255.255.255.0
13. Click OK.
14. Select remote-subnet as the Remote Network.
15. Click Next.
16. Enter cisco as the Pre-shared key.
17. Click next.
18. Take the defaults for the IKE policy and IPsec Proposal.
19. Click Next.
20. Check the remaining 2 boxes.
21. Click Next.
22.
23. Click send.
Remote site.
17. From the dropdown select VPN Wizards and select Site-to-Site VPN Wizard.
18. Click Next.
19.
20.
21. Click Next.
22. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
23. Click next.
24. From the Local Network dropdown select the inside-subnet as the Local Network.
25. Select the Remote Network dropdown.
26. Click add and select network object, and enter the following:
    Name: remote-subnet
    Type: Network
    IP Address: 192.168.10.0
    NetMask: 255.255.255.0
24. Click OK.
25. Select remote-subnet as the Remote Network.
26. Click Next.
27. Enter cisco as the Pre-shared key.
28. Click next.
29. Take the defaults for the IKE policy and IPsec Proposal.
30. Click Next.
31. Check the remaining 2 boxes.
32. Click Next.
33.
34. Click send.
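The CLI equivalent of the Site-to-Site VPN wizard steps on ASA2, as an added example (not the lab's own configuration and not the wizard's generated output). The object names, peer address, crypto map and ACL names, transform set and PFS group are the ones visible in the lab steps and in the verification output that follows; the IKEv1 policy values are an assumption, since the lab takes the wizard defaults without listing them.

```text
! ASA2 (remote site), ASA 8.4 CLI. Added example, the CLI equivalent of the
! wizard steps above, not what the lab or ASDM produced. Names and addresses
! are from the lab steps and the verification output; the IKEv1 policy
! values are assumed (the lab takes the wizard defaults).
object network inside-subnet
 subnet 192.168.20.0 255.255.255.0
object network remote-subnet
 subnet 192.168.10.0 255.255.255.0
!
! Phase 1: IKEv1 on outside with pre-shared-key authentication (values assumed)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Phase 2: interesting-traffic ACL and proposal matching "sh crypto ipsec sa"
! (esp-aes esp-sha-hmac, PFS Group 2, crypto map outside_map seq 1)
access-list outside_cryptomap extended permit ip object inside-subnet object remote-subnet
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 209.165.200.226
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map interface outside
!
! Peer and key. "cisco" is the lab value; a production tunnel needs a long
! random key that is unique to this peer.
group-policy GroupPolicy_209.165.200.226 internal
group-policy GroupPolicy_209.165.200.226 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 209.165.200.226 type ipsec-l2l
tunnel-group 209.165.200.226 general-attributes
 default-group-policy GroupPolicy_209.165.200.226
tunnel-group 209.165.200.226 ipsec-attributes
 ikev1 pre-shared-key cisco
!
! NAT exemption for the tunnel traffic, placed ahead of the dynamic PAT rules
! so inside-to-remote packets keep their real addresses and match the ACL
nat (inside,outside) 1 source static inside-subnet inside-subnet destination static remote-subnet remote-subnet no-proxy-arp route-lookup
! ASA default: inbound IPsec sessions bypass the interface access list
sysopt connection permit-vpn
```

The mirror configuration on ASA1 swaps the two subnets and uses ASA2's outside address (209.165.200.234 in the verification output) as the peer; the ACL on each side must be the exact mirror of the other or Phase 2 fails with a proxy-identity mismatch.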
Verifying the VPN configuration.
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 209.165.200.226
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
There are no IKEv2 SAs
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234
access-list outside_cryptomap extended permit ip 192.168.20.0
255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 209.165.200.226
#pkts
#pkts
#pkts
#pkts
0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.165.200.234/0, remote crypto endpt.: 209.165.200.226/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 36C6AFF0
current inbound spi : DCCD0B9F
inbound esp sas:
spi: 0xDCCD0B9F (3704425375)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373992/28356)
IV size: 16 bytes
replay detection support: Y
ASA2# sh vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
Site-to-Site VPN             :      1 :          1 :           1
  IKEv1 IPsec                :      1 :          1 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :      0
Device Load                  :     0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             --------------------------------------------
IKEv1                        :      1 :          1 :               1
IPsec                        :      1 :          1 :               1
---------------------------------------------------------------------------
Totals                       :      2 :          2
---------------------------------------------------------------------------