
Section 1.1a - ASA1_V ASA11_V Act/stb Failover

ASA1_V (always save all config before and after)

show mode
show firewall
configure terminal
interface gi 0/0
no shutdown
nameif Outside
security-level 0
ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2
interface gi 0/1
no shutdown
nameif Inside
security-level 100
ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
authentication key eigrp 12 cisco key-id 1
authentication mode eigrp 12 md5
interface gi 0/2
no shutdown
interface Management0/0
no shutdown
nameif Management
security-level 100
management-only
ip address 150.1.7.53 255.255.255.0 standby 150.1.7.54
!
router eigrp 12
no auto-summary
eigrp router-id 10.1.11.1
network 10.1.11.0 255.255.255.0
!
failover lan unit primary
failover lan interface FO gigabitethernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
failover link FO gigabitethernet0/2
failover
monitor-interface Outside
monitor-interface Inside
monitor-interface Management

ASA11_V

configure terminal
interface gi 0/2
no shutdown
!
failover lan unit secondary
failover lan interface FO gigabitethernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
failover link FO gigabitethernet0/2
failover

Section 1.1b - ASA2_V ASA22_V Act/stb Failover

ASA2_V (always save all config before and after)

configure terminal
interface gi 0/0
no shutdown
nameif Outside
security-level 0
ip address 20.1.2.1 255.255.255.0 standby 20.1.2.2
interface gi 0/1
no shutdown
nameif Inside
security-level 100
ip address 10.1.22.1 255.255.255.0 standby 10.1.22.2
authentication key eigrp 12 cisco key-id 1
authentication mode eigrp 12 md5
interface gi 0/2
no shutdown
interface Management0/0
no shutdown
nameif Management
security-level 100
management-only
ip address 150.1.7.55 255.255.255.0 standby 150.1.7.56
!
router eigrp 12
no auto-summary
eigrp router-id 10.1.22.1
network 10.1.22.0 255.255.255.0
!
failover lan unit primary
failover lan interface FO gigabitethernet0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.2
failover link FO gigabitethernet0/2
failover
monitor-interface Outside
monitor-interface Inside
monitor-interface Management

ASA22_V

configure terminal
interface gi 0/2
no shutdown
!
failover lan unit secondary
failover lan interface FO gigabitethernet0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.2
failover link FO gigabitethernet0/2
failover

Section 1.2 - ASA1 ASA2 Act/Act Failover

ASA1

configure terminal
mode multiple
interface gi0/0
no shutdown
interface gi0/0.1
vlan 2
no shutdown
interface gi0/0.2
vlan 3
no shutdown
interface gi0/1
no shutdown
interface gi 0/1.1
vlan 4
no shutdown
interface gi 0/1.2
vlan 5
no shutdown
interface gi0/2
no shutdown
interface gi 0/2.1
vlan 6
no shutdown
interface gi 0/2.2
vlan 7
no shutdown
interface gi 0/3
no shutdown
interface gi 0/4
no shutdown
interface management0/0
no shutdown
!
failover lan unit primary
failover lan interface LAN gigabitethernet0/3
failover interface ip LAN 10.100.201.1 255.255.255.0 standby 10.100.201.2
failover link LINK gigabitethernet0/4
failover interface ip LINK 10.100.202.1 255.255.255.0 standby 10.100.202.2
failover
failover group 1
polltime interface msec 500 holdtime 5
primary
preempt 100
failover group 2
polltime interface msec 500 holdtime 5
secondary
preempt 200
prompt hostname context priority state
admin-context Admin
!
context Admin
allocate-interface management0/0
config-url disk0:/admin.cfg
!
context C1
! allocate interfaces before config-url, so the context config loaded from disk can reference them
allocate-interface gigabitethernet 0/0.1
allocate-interface gigabitethernet 0/1.1
allocate-interface gigabitethernet 0/2.1
config-url disk0:/C1.cfg
join-failover-group 1
!
context C2
allocate-interface gigabitethernet 0/0.2
allocate-interface gigabitethernet 0/1.2
allocate-interface gigabitethernet 0/2.2
config-url disk0:/C2.cfg
join-failover-group 2
!
changeto context C1
hostname C1
interface gi0/0.1
nameif Inside
security-level 100
ip address 10.100.2.1 255.255.255.0 standby 10.100.2.2
interface gi0/1.1
nameif DMZ
security-level 50
ip address 10.100.4.1 255.255.255.0 standby 10.100.4.2
interface gi0/2.1
nameif Outside
security-level 0
ip address 10.100.6.1 255.255.255.0 standby 10.100.6.2
!
object network SRV-5-Internal
host x.x.x.x
nat (Inside,Outside) static interface service tcp 80 80
nat (Inside,Outside) static interface service icmp
!
access-list outside-in permit tcp 192.168.10.0 255.255.255.0 object SRV-5-Internal eq 80
access-list outside-in permit icmp 192.168.10.0 255.255.255.0 object SRV-5-Internal
access-group outside-in in interface Outside
!
changeto context C2
hostname C2
interface gi0/0.2
nameif Inside
security-level 100
ip address 10.100.3.1 255.255.255.0 standby 10.100.3.2
interface gi0/1.2
nameif DMZ
security-level 50
ip address 10.100.5.1 255.255.255.0 standby 10.100.5.2
interface gi0/2.2
nameif Outside
security-level 0
ip address 10.100.7.1 255.255.255.0 standby 10.100.7.2
!
object network SRV-6-Internal
host x.x.x.x
nat (Inside,Outside) static interface service tcp 80 80
nat (Inside,Outside) static interface service icmp
!
access-list outside-in permit tcp 192.168.11.0 255.255.255.0 object SRV-6-Internal eq 80
access-list outside-in permit icmp 192.168.11.0 255.255.255.0 object SRV-6-Internal
access-group outside-in in interface Outside

ASA2

configure terminal
! both failover peers must run the same context mode before failover is enabled
mode multiple
interface gi 0/3
no shutdown
interface gi 0/4
no shutdown
!
failover lan unit secondary
failover lan interface LAN gigabitethernet0/3
failover interface ip LAN 10.100.201.1 255.255.255.0 standby 10.100.201.2
failover link LINK gigabitethernet0/4
failover interface ip LINK 10.100.202.1 255.255.255.0 standby 10.100.202.2
failover

Section 1.3 - ASA3 ASA4 Clustering

ASA3

configure terminal
cluster interface-mode spanned
ip local pool MGMT 150.1.7.60-150.1.7.61
interface management 0/0
ip address 150.1.7.59 255.255.255.0 cluster-pool MGMT
nameif management
no shutdown
interface port-channel 1
port-channel span-cluster
no shutdown
interface gi 0/0
no shutdown
channel-group 1 mode active
interface gi 0/1
no shutdown
channel-group 1 mode active
interface port-channel 1.8
vlan 8
nameif Inside
security-level 100
ip address 10.100.8.1 255.255.255.0
interface port-channel 1.9
vlan 9
nameif OUTSIDE
security-level 0
ip address 10.100.9.1 255.255.255.0
interface port-channel 1.10
vlan 10
nameif DMZ
security-level 50
ip address 10.100.10.1 255.255.255.0
interface gi 0/2
no shutdown
cluster group ccie
local-unit ASA3
cluster-interface gigabitethernet 0/2 ip 10.100.203.1 255.255.255.0
priority 1
enable
!
object network SRV-6-Internal
host x.x.x.x
nat (Inside,Outside) static interface service tcp 80 80
nat (Inside,Outside) static interface service icmp
!
access-list outside-in permit tcp 192.168.11.0 255.255.255.0 object SRV-6-Internal eq 80
access-list outside-in permit icmp 192.168.11.0 255.255.255.0 object SRV-6-Internal
access-group outside-in in interface OUTSIDE

ASA4

configure terminal
! the interface mode is not replicated; every unit must set it before joining the cluster
cluster interface-mode spanned
interface gi 0/2
no shutdown
cluster group ccie
local-unit ASA4
! each unit needs its own address on the cluster control link (ASA3 uses 10.100.203.1)
cluster-interface gigabitethernet 0/2 ip 10.100.203.2 255.255.255.0
priority 50
enable
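
The configs in Sections 1.2 and 1.3 are typed on two units by hand, which is where mismatches creep in: an access-group that names an ACL that was never defined, a nat rule that names a nameif that does not exist, or two cluster units bootstrapped with the same cluster control link address. The following checker is an added example, not part of the original notes; it reads ASA config text and flags exactly those three mistakes. The sample configs inside it are constructed from the Section 1.3 bootstrap and deliberately contain a mistyped access-group name and a reused cluster-interface address so that the checks have something to report.

```python
import re

# Constructed sample input, modelled on the Section 1.3 cluster bootstrap configs and
# deliberately left with a mistyped ACL name and a cluster-interface address reused by both units.
UNIT_CONFIGS = {
    "ASA3": """\
 nameif Inside
 nameif OUTSIDE
cluster group ccie
 local-unit ASA3
 cluster-interface gigabitethernet 0/2 ip 10.100.203.1 255.255.255.0
nat (Inside,Outside) static interface service tcp 80 80
access-list outside-in permit tcp 192.168.11.0 255.255.255.0 object SRV-6-Internal eq 80
access-group outsite-in in interface OUTSIDE
""",
    "ASA4": """\
cluster group ccie
 local-unit ASA4
 cluster-interface gigabitethernet 0/2 ip 10.100.203.1 255.255.255.0
""",
}

def lint_unit(cfg):
    """Per-unit checks: access-group must name a defined ACL and nameif; nat pairs must use defined nameifs."""
    findings = []
    names = {m.group(1).lower() for m in re.finditer(r"^\s*nameif\s+(\S+)", cfg, re.M)}
    acls = {m.group(1) for m in re.finditer(r"^\s*access-list\s+(\S+)", cfg, re.M)}
    for m in re.finditer(r"^\s*access-group\s+(\S+)\s+\w+\s+interface\s+(\S+)", cfg, re.M):
        if m.group(1) not in acls:
            findings.append(f"access-group references undefined ACL {m.group(1)}")
        if m.group(2).lower() not in names:
            findings.append(f"access-group bound to unknown interface {m.group(2)}")
    for m in re.finditer(r"^\s*nat\s+\((\w+),(\w+)\)", cfg, re.M):
        findings += [f"nat references unknown interface {n}" for n in m.groups()
                     if n.lower() not in names]
    return findings

def lint_cluster(units):
    """Cross-unit check: the cluster control link address must be unique per unit."""
    owners = {}
    for unit, cfg in units.items():
        m = re.search(r"cluster-interface\s.*?\sip\s+(\d+(?:\.\d+){3})", cfg)
        if m:
            owners.setdefault(m.group(1), []).append(unit)
    return [f"cluster-interface ip {ip} shared by {', '.join(u)}"
            for ip, u in owners.items() if len(u) > 1]

if __name__ == "__main__":
    print({u: lint_unit(c) for u, c in UNIT_CONFIGS.items()}, lint_cluster(UNIT_CONFIGS))
```

Nameif comparison is case-insensitive, matching how the ASA treats interface names, so `nat (Inside,Outside)` against a `nameif OUTSIDE` is accepted while a mistyped ACL name is not.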

Section 1.4 - Access Policy NGIPS

Device - Device Management - Interfaces

(select interfaces to work with) - edit

mode: none
name: External-Zone - enable
security zone: External-Zone
mode: none
name: Internal-Zone - enable
security zone: Internal-Zone

Save

Device - Device Management - Inline Sets

add inline set
name: Inline-x-y
failsafe: enable
Selected interface pair: External-Zone <--> Internal-Zone

save - deploy

Policies - Access Control - (access-policy-1 edit)

add rule

1-
name: EIGRP
enable: check
action: allow
source zone: External-Zone, Internal-Zone | destination zone: External-Zone, Internal-Zone
Applications: eigrp
inspection
intrusion policy: balanced security and connectivity
logging
log at beginning of connection

2-
name: FROM-172
enable: check
action: allow
source zone: External-Zone | destination zone: Internal-Zone
network: 172.16.1.0/24
Applications: http 8080
inspection
intrusion policy: balanced security and connectivity
logging
log at beginning of connection

3-
name: FROM-10
enable: check
action: allow
source zone: External-Zone | destination zone: Internal-Zone
network: 10.1.22.0/24
Applications: http 8080
inspection
intrusion policy: balanced security and connectivity
logging
log at beginning of connection

save deploy
