Lab Manual
Developed by
1
ASA Lab Manual
LAB.   LABS DESCRIPTION                                                               PAGE NO.
1                                                                                      3
2      Network Address Translation: NAT Control, Static NAT, Dynamic NAT, PAT,         8
       Static PAT, Policy NAT, NAT 0
3                                                                                      17
4      Transparent Firewall                                                            18
5      Syslog server                                                                   20
6      Cut through proxy through LOCAL database & AAA server                           21
7      Downloadable ACL                                                                24
8      TCP intercept, Max connection                                                   29
9      Object Grouping and Time-based ACL                                              30
10     Routing: a. Static Routing, b. Dynamic Routing                                  32
11     DHCP Server, DHCP Client                                                        34
12     Demilitarized Zone                                                              37
13                                                                                     39
14                                                                                     41
15     Virtual Private Network: Site to Site VPN, Web VPN, Remote Access VPN           42
Lab # 1
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
How to Telnet to the Adaptive Security Appliance
ciscoasa(config)# telnet 10.0.0.4 255.255.255.255 inside
ciscoasa(config)# passwd cisco
ciscoasa(config)# enable password cisco
(Telnet is only allowed from the inside interface: the ASA does not accept Telnet on its lowest-security-level interface.)
How to HTTP to the Adaptive Security Appliance
ciscoasa(config)# http server enable
ciscoasa(config)# http 10.0.0.1 255.255.255.255 inside
How to SSH to the Adaptive Security Appliance
ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa(config)# ssh 10.0.0.1 255.255.255.255 inside
ciscoasa(config)# ssh 20.0.0.4 255.255.255.255 outside
Authentication with the local database
ciscoasa(config)# username tanzeel password cisco123
ciscoasa(config)# aaa authentication ssh console LOCAL
At Machine 10.0.0.1:
Verification Commands:
ciscoasa(config)# show ssh
ciscoasa(config)# show ssh session
ciscoasa(config)# ssh disconnect session_id
ciscoasa(config)# show crypto key mypubkey rsa
Lab # 2 Network Address Translation
NAT CONTROL
Configuration
Assigning Speed & IP Address on Inside & Outside Interfaces.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
ciscoasa(config)# nat-control
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside
STATIC NAT
Configuration
Establish Static NAT & ACLs.
ciscoasa(config)# static (inside,outside) 20.0.0.51 10.0.0.1
ciscoasa(config)# static (inside,outside) 20.0.0.52 10.0.0.2
Verify the configuration with the following commands.
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1
DYNAMIC NAT
Configuration
Establish Dynamic NAT, POOL & ACLs on Inside Interfaces.
Verify the configuration with the following commands.
ciscoasa(config)# show running-config global
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1
DYNAMIC PAT
Configuration
Establish Dynamic PAT, POOL & ACLs
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside
Verify the configuration with the following commands.
ciscoasa(config)# show running-config global
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1
STATIC PAT
Configuration
Establish Port Redirection & ACLs
Verify the configuration with the following commands.
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
POLICY NAT
Configuration
Apply ACLs & NAT POLICY
ciscoasa(config)# nat (inside) 1 access-list 101
ciscoasa(config)# global (outside) 1 20.0.0.51
ciscoasa(config)# nat (inside) 2 access-list 102
ciscoasa(config)# global (outside) 2 20.0.0.52
Verify the configuration with the following commands.
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show running-config global
NAT 0
(Topology diagram: ASA inside 10.0.0.10, outside 20.0.0.10; inside host 10.0.0.2; outside hosts 20.0.0.1 and 20.0.0.2)
Configuration
Enable NAT control.
ciscoasa(config)# nat-control
Apply the NAT 0 policy for ATIF (10.0.0.2).
ciscoasa(config)# nat (inside) 0 10.0.0.2 255.255.255.255
Verify the configuration with the following commands.
ciscoasa(config)# show xlate
ciscoasa(config)# show running-config global
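The NAT sections above each show one rule type in isolation. The order in which a pre-8.3 ASA evaluates them when several apply to the same packet is NAT exemption (nat 0), then static NAT, then policy NAT, then regular dynamic NAT/PAT. The following Python model is an added example, not part of the lab manual, that reproduces that order for an inside-to-outside flow using the manual's own rules; the access-list 101/102 contents for the policy NAT lab are not given in the manual, so the source/destination pairs and the policy globals 20.0.0.61 and 20.0.0.62 below are constructed.

```python
"""Model of the pre-8.3 ASA NAT order of operations for outbound traffic.

Added example (not from the lab manual). Rules mirror the manual's commands;
the policy-NAT ACL contents and globals 20.0.0.61/62 are constructed.
"""
import itertools
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AsaNat:
    exempt: list = field(default_factory=list)    # nat (inside) 0 <host> <mask>
    static: dict = field(default_factory=dict)    # static (inside,outside) <mapped> <real>: real -> mapped
    policy: list = field(default_factory=list)    # nat (inside) N access-list X + global (outside) N <ip>
    pat_ip: str = "20.0.0.10"                      # global (outside) 1 interface -> outside address
    _ports: itertools.count = field(default_factory=lambda: itertools.count(1024))
    xlate: dict = field(default_factory=dict)     # (real_ip, real_port) -> (mapped_ip, mapped_port)

    def translate(self, src_ip, src_port, dst_ip):
        """Return (mapped_ip, mapped_port, rule) for an inside -> outside flow."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        # 1. NAT exemption: the real address is kept (what 'nat (inside) 0 ...' does).
        if any(src in net for net in self.exempt):
            return src_ip, src_port, "nat 0"
        # 2. Static NAT: one-to-one, port preserved, also initiable from outside.
        if src_ip in self.static:
            return self.static[src_ip], src_port, "static"
        # 3. Policy NAT: translation chosen by source AND destination.
        for src_net, dst_net, mapped in self.policy:
            if src in src_net and dst in dst_net:
                return mapped, src_port, "policy nat"
        # 4. Regular dynamic PAT: overload the interface address, one port per flow,
        #    reusing an existing xlate entry for the same real ip/port.
        key = (src_ip, src_port)
        if key not in self.xlate:
            self.xlate[key] = (self.pat_ip, next(self._ports))
        mapped_ip, mapped_port = self.xlate[key]
        return mapped_ip, mapped_port, "pat"

    def untranslate(self, mapped_ip):
        """Real inside address an outside host can reach at mapped_ip without a
        prior outbound flow: only static (and exempt) addresses qualify."""
        for real, mapped in self.static.items():
            if mapped == mapped_ip:
                return real
        if any(ip_address(mapped_ip) in net for net in self.exempt):
            return mapped_ip
        return None


def lab_nat():
    """NAT rules from the lab plus constructed policy-NAT entries."""
    return AsaNat(
        exempt=[ip_network("10.0.0.2/32")],        # nat (inside) 0 10.0.0.2 255.255.255.255
        static={"10.0.0.1": "20.0.0.51"},          # static (inside,outside) 20.0.0.51 10.0.0.1
        policy=[  # constructed: ACL 101 = 10.0.0.0/24 -> 20.0.0.1, ACL 102 = 10.0.0.0/24 -> 20.0.0.2
            (ip_network("10.0.0.0/24"), ip_network("20.0.0.1/32"), "20.0.0.61"),
            (ip_network("10.0.0.0/24"), ip_network("20.0.0.2/32"), "20.0.0.62"),
        ],
    )


if __name__ == "__main__":
    nat = lab_nat()
    for src, dst in (("10.0.0.2", "20.0.0.9"), ("10.0.0.1", "20.0.0.1"),
                     ("10.0.0.3", "20.0.0.1"), ("10.0.0.3", "20.0.0.9")):
        print(src, "->", dst, "translates via", nat.translate(src, 5000, dst))
```

Note that 10.0.0.1 falls inside the constructed policy-NAT source range, yet is translated by the static entry: the static rule is evaluated first. Conversely, `untranslate` returns nothing for the PAT address 20.0.0.10, which is why the dynamic PAT lab needs no inbound ACL entry for inside hosts while the static NAT lab does.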
Lab # 3
Configuration
Apply Filters.
Lab # 4 Transparent Firewall
(Topology diagram: hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3)
Configuration
Assign the speed and no shutdown on the inside and outside interfaces.
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside
ciscoasa(config)# ip address 10.0.0.10 255.255.255.0
(In transparent mode the ASA has a single management IP address, which is set in global configuration rather than on an interface.)
Verify results by IOS commands.
Lab # 5 Syslog server
(Topology diagram: host 10.0.0.1 behind ASA E1 (inside, 10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 beyond E0 (outside, 20.0.0.10))
Configuration:
ciscoasa(config)# logging on
ciscoasa(config)# logging host inside 10.0.0.2
ciscoasa(config)# logging trap 7
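What the syslog host at 10.0.0.2 receives after this configuration is a stream of %ASA-<severity>-<message id> messages, and `logging trap 7` sends everything up to debugging level. The following Python parser is an added example, not part of the lab manual: it decodes two message types a collector sees constantly, 106023 (packet denied by an ACL) and 302013 (TCP connection built), counts denies per source and recovers the real-to-mapped address pairs that the NAT labs create. The sample lines are constructed to the documented message formats using the lab's addresses.

```python
"""Parse Cisco ASA syslog messages as sent by 'logging host inside 10.0.0.2'.

Added example (not from the lab manual); SAMPLE is constructed.
"""
import re
from collections import Counter

# Every ASA message starts with %ASA-<severity 0-7>-<6-digit id>: <text>
HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)")

# 106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>" ...
DENY = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# 302013: Built <dir> TCP connection <id> for <ifc>:<real>/<port> (<mapped>/<port>) to <ifc>:<real>/<port> (<mapped>/<port>)
BUILT = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for (?P<src_ifc>\w+):(?P<src_real>[\d.]+)/(?P<sport>\d+) \((?P<src_mapped>[\d.]+)/\d+\) "
    r"to (?P<dst_ifc>\w+):(?P<dst_real>[\d.]+)/(?P<dport>\d+) \((?P<dst_mapped>[\d.]+)/\d+\)"
)

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}


def parse_line(line):
    """Return a dict describing one ASA syslog line, or None if it is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    sev = int(m["sev"])
    event = {"severity": sev, "level": SEVERITY[sev], "msgid": m["msgid"], "kind": "other"}
    body = m["body"]
    if m["msgid"] == "106023":
        d = DENY.match(body)
        if d:
            event.update(kind="deny", **d.groupdict())
    elif m["msgid"] == "302013":
        b = BUILT.match(body)
        if b:
            event.update(kind="built", **b.groupdict())
    return event


def summarize(lines):
    """Count ACL denies per source address and collect the (real, mapped)
    address pairs visible in connection-built messages."""
    denies = Counter()
    translations = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "deny":
            denies[ev["src"]] += 1
        elif ev["kind"] == "built":
            for real, mapped in ((ev["src_real"], ev["src_mapped"]),
                                 (ev["dst_real"], ev["dst_mapped"])):
                if real != mapped:          # identical means no translation applied
                    translations.add((real, mapped))
    return denies, translations


# Constructed sample of what the syslog host would receive from the lab ASA.
SAMPLE = [
    'Jan  1 00:00:01 10.0.0.10 %ASA-6-302013: Built inbound TCP connection 17 for outside:20.0.0.1/40001 (20.0.0.1/40001) to inside:10.0.0.1/80 (20.0.0.51/80)',
    'Jan  1 00:00:02 10.0.0.10 %ASA-4-106023: Deny tcp src outside:20.0.0.2/4444 dst inside:10.0.0.1/23 by access-group "1" [0x0, 0x0]',
    'Jan  1 00:00:03 10.0.0.10 %ASA-4-106023: Deny tcp src outside:20.0.0.2/4445 dst inside:10.0.0.2/23 by access-group "1" [0x0, 0x0]',
    'Jan  1 00:00:04 10.0.0.10 %ASA-6-302013: Built outbound TCP connection 18 for inside:10.0.0.3/51000 (20.0.0.10/51000) to outside:20.0.0.1/80 (20.0.0.1/80)',
    'Jan  1 00:00:05 10.0.0.10 %ASA-7-609001: Built local-host inside:10.0.0.3',
]

if __name__ == "__main__":
    denies, xlates = summarize(SAMPLE)
    print("denies per source:", dict(denies))
    print("translations seen:", sorted(xlates))
```

The last sample line is a level-7 message; with `logging trap 7` the ASA emits one of these for every new host and flow, so in practice a collector is usually fed at level 6 and level 7 is reserved for short troubleshooting sessions.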
Lab # 6 Cut through proxy through LOCAL database & AAA server
(Topology diagram: host 10.0.0.2 behind ASA E1 (inside); host 20.0.0.1 beyond E0 (outside, 20.0.0.10))
Configuration
Cut through proxy through the local database
ciscoasa(config)# username admin password admin
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 LOCAL
Cut through proxy with an AAA server
ciscoasa(config)# aaa-server esp protocol tacacs+
ciscoasa(config-aaa-server-group)# aaa-server esp host 10.0.0.1 cisco123
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 esp
Lab # 7 Downloadable ACL
(Topology diagram: inside users ALI and ATIF; host 10.0.0.2 behind ASA E1 (inside); host 20.0.0.1 beyond E0 (outside, 20.0.0.10))
Cisco Secure ACS allows downloadable ACLs to be created, so different ACLs can be defined for different users. A downloadable ACL is applied only once the particular user signs in.
Step 1: Configure the AAA server using the RADIUS protocol.
ciscoasa(config)# aaa-server esp protocol radius
ciscoasa(config-aaa-server-group)# aaa-server esp host 10.0.0.4 cisco
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 esp
Step 2: Create the downloadable ACL under Shared Profile Components (if the Downloadable ACL option is not shown, enable it under Interface Configuration).
Step 3: Add user Ali and apply the downloadable ACL to the user's profile.
Step 4: Verify results. (Atif can browse and FTP to the outside network, but Ali can only FTP to the outside network.)
Verification Commands:
ciscoasa(config)# show uauth
ciscoasa(config)# clear uauth
ciscoasa(config)# show conn
Lab # 8 TCP intercept & Max connection
(Topology diagram: host 10.0.0.1 behind ASA E1 (inside, 10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 beyond E0 (outside, 20.0.0.10))
Configuration:
ciscoasa(config)# static (inside,outside) 20.0.0.50 10.0.0.1 1 0
(The trailing "1 0" sets the maximum TCP connections to 1 and the embryonic connection limit to 0, i.e. unlimited.)
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside
Verification Commands:
ciscoasa(config)# show running-config static
ciscoasa(config)# show local-host
ciscoasa(config)# show xlate
ciscoasa(config)# show conn
Lab # 9 Object Grouping and Time-based ACL
(Topology diagram: host 10.0.0.1 behind ASA E1 (inside, 10.0.0.10); hosts 20.0.0.1 and 20.0.0.2 beyond E0 (outside, 20.0.0.10))
Configuration:
Create a network object group
ciscoasa(config)# object-group network esp
ciscoasa(config-network)# network-object host 20.0.0.1
ciscoasa(config-network)# network-object host 20.0.0.2
ciscoasa(config-network)# network-object host 20.0.0.3
ciscoasa(config-network)# exit
Create a service object group
ciscoasa(config)# object-group service httpftp tcp
ciscoasa(config-service)# port-object eq 80
ciscoasa(config-service)# port-object eq 21
ciscoasa(config-service)# exit
Referencing the object groups in an ACL
ciscoasa(config)# access-list 101 extended permit tcp object-group esp host 10.0.0.1 object-group httpftp
ciscoasa(config)# access-group 101 in interface outside
Time-based Acl
Configuration:
ciscoasa(config)# time-range test
ciscoasa(config-time-range)# periodic daily 15:00 to 15:30
ciscoasa(config-time-range)# exit
ciscoasa(config)# access-list 101 permit ip any any time-range test
ciscoasa(config)# access-group 101 in interface outside
Verifying commands
ciscoasa(config)# show access-list
ciscoasa(config)# show run object-group
Lab # 10 Routing
(Topology diagram: ASA E0 15.0.0.1 to router Fa0/0 15.0.0.2; behind the router, WEB server 20.0.0.1 and FTP server 20.0.0.2)
Configuration :
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 15.0.0.1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
Static route commands on the ASA
ciscoasa(config)# route outside 20.0.0.0 255.0.0.0 15.0.0.2
RIP commands on the ASA
ciscoasa(config)# router rip
ciscoasa(config-router)# network 15.0.0.0
ciscoasa(config-router)# network 10.0.0.0
OSPF commands on the ASA
ciscoasa(config)# router ospf 64
ciscoasa(config-router)# network 15.0.0.0 255.0.0.0 area 0
ciscoasa(config-router)# network 10.0.0.0 255.0.0.0 area 0
EIGRP commands on the ASA
ciscoasa(config)# router eigrp 10
ciscoasa(config-router)# network 15.0.0.0
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# exit
Verifying commands
ciscoasa(config)# show route
ciscoasa(config)# show rip database
ciscoasa(config)# show ospf interface
ciscoasa(config)# show ospf neighbor
ciscoasa(config)# show eigrp interfaces
ciscoasa(config)# show eigrp neighbors
Lab # 11 DHCP
DHCP SERVER
Configuration
Create a pool for inside hosts.
ciscoasa(config)# dhcpd address 10.0.0.51-10.0.0.61 inside
Enable DHCP on the ASA firewall.
ciscoasa(config)# dhcpd enable inside
Verify the configuration with the following commands.
ciscoasa(config)# show dhcpd binding
ciscoasa(config)# show dhcpd state
ciscoasa(config)# clear dhcpd binding
ciscoasa(config)# debug dhcpd event
ciscoasa(config)# debug dhcpd packet
DHCP CLIENT
Configuration
Step 1: Enable the DHCP client on the outside interface.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address dhcp
Step 3: Verify the configuration with the following commands.
ciscoasa(config)# debug dhcpd event
ciscoasa(config)# debug dhcpd packet
Lab # 12 Demilitarized Zone
Configuration
Step 1: Assign IPs and define security levels.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# ip address 30.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif dmz
Apply PAT for inside users and static NAT for the servers on the DMZ interface.
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# static (dmz,outside) 40.0.0.51 30.0.0.1
ciscoasa(config)# static (dmz,outside) 40.0.0.52 30.0.0.2
Establish an ACL to allow traffic from the lower security level to the servers.
ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.51 eq www
ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.52 eq ftp
ciscoasa(config)# access-group 101 in interface outside
Lab # 13
(Topology diagram: host 10.0.0.1 (inside) and host 20.0.0.1 (outside); Catalyst 2950 switch with Fa0/3 in VLAN 30 and Fa0/4 in VLAN 40)
Configuration
ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# no ip address
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet 0/2.30
ciscoasa(config-if)# vlan 30
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif www
ciscoasa(config-if)# security-level 30
ciscoasa(config-if)# ip address 30.0.0.10 255.0.0.0
ciscoasa(config)# interface ethernet 0/2.40
ciscoasa(config-if)# vlan 40
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif ftp
ciscoasa(config-if)# security-level 40
ciscoasa(config-if)# ip address 40.0.0.10 255.0.0.0
After this configuration, inside users (security level 100) can reach the ftp (40) and www (30) interfaces. To let outside users reach the FTP and web services as well, create an access-list that permits them:
ciscoasa(config)# access-list 101 permit tcp any host 30.0.0.1 eq ftp
ciscoasa(config)# access-group 101 in interface outside
Switch configuration
Switch(config)# vlan 30
Switch(config-vlan)# name www
Switch(config)# vlan 40
Switch(config-vlan)# name ftp
Switch(config)# interface fa0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config)# interface fa0/4
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 40
Switch(config)# interface fa0/24
Switch(config-if)# switchport mode trunk
Verifying commands
ciscoasa(config)# show run access-list
ciscoasa(config)# show run interface
Lab # 14
Configuration
Step 1: Enable the priority queue on the interface and define the class.
ASA(config)# priority-queue inside
ASA(config)# class-map http
ASA(config-cmap)# match port tcp eq 80
Step 2: Assign the class to the policy map and apply the policy.
ASA(config)# policy-map esp
ASA(config-pmap)# class http
ASA(config-pmap-c)# priority
ASA(config)# service-policy esp interface inside
Step 3: Verify results by IOS commands.
ASA# show service-policy
Lab # 15 Virtual Private Network
(Topology diagram: ASA E0 15.0.0.1 to the WAN; remote router RmtRouter with Fa0/1 20.0.0.10, remote users, WEB server 20.0.0.1 and FTP server 20.0.0.2 behind it; local Host A 10.0.0.1 and Host B 10.0.0.2)
Configuration
Site-to-Site VPN configuration on the ASA
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# encryption des
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config)# tunnel-group 15.0.0.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 15.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco123
ciscoasa(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0
ciscoasa(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac
ciscoasa(config)# crypto map outside_map 1 set peer 15.0.0.2
ciscoasa(config)# crypto map outside_map 1 set transform-set aset
ciscoasa(config)# crypto map outside_map 1 match address 101
ciscoasa(config)# crypto map outside_map interface outside
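Several of the lab configurations trade security for simplicity: Lab 1 enables Telnet and uses the password cisco with a 1024-bit SSH host key, the NAT labs bind an `access-list 1 permit ip any any` inbound on the outside interface, the syslog lab logs at debugging level, and the IKE policy above negotiates DES, MD5 and DH group 2. The following Python audit script is an added example, not part of the manual, that reads either a running-config or a lab transcript with prompts and reports those settings so they can be tightened before a config leaves the lab. The sample transcript is constructed from the manual's own commands; the finding codes and the ASA-version-independent checks are this example's.

```python
"""Audit an ASA configuration (or CLI transcript) for the weak settings used in the lab manual.

Added example, not part of the manual. SAMPLE_TRANSCRIPT is constructed from
the manual's commands; finding codes are this script's own.
"""
import re

# ISAKMP policy parameters we care about; the ASA accepts both keyword spellings.
PARAM = {"encryption": "cipher", "encrypt": "cipher", "hash": "hash", "group": "group"}
POLICY_KEYWORDS = ("authentication", "authen", "lifetime")


def _strip_prompt(line):
    """Remove a 'ciscoasa(config-if)# ' style prompt so transcripts audit like configs."""
    return re.sub(r"^[\w-]+\s?(?:\([^)]*\))?#\s*", "", line.strip())


def audit_asa_config(text):
    """Return a list of (code, detail) findings for the configuration text."""
    lines = [_strip_prompt(l) for l in text.splitlines() if l.strip()]
    findings = []
    any_any_acls = set()        # ACL names that contain 'permit ip any any'
    isakmp = {}                 # policy number -> {cipher/hash/group: value}
    current_policy = None
    for line in lines:
        words = line.split()
        # --- management plane ---
        if words[0] == "telnet" and len(words) >= 4:
            findings.append(("TELNET_ENABLED", f"cleartext Telnet allowed from {words[1]} on {words[3]}"))
        if (words[0] == "passwd" or words[:2] == ["enable", "password"]) and words[-1].lower() == "cisco":
            findings.append(("DEFAULT_PASSWORD", line))
        m = re.match(r"crypto key generate rsa modulus (\d+)", line)
        if m and int(m.group(1)) < 2048:
            findings.append(("WEAK_RSA_KEY", f"{m.group(1)}-bit SSH host key"))
        # --- data plane ---
        m = re.match(r"access-list (\S+) (?:extended )?permit ip any any$", line)
        if m:
            any_any_acls.add(m.group(1))
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m and m.group(1) in any_any_acls and m.group(2) == "outside":
            findings.append(("OPEN_INBOUND_ACL", f"ACL {m.group(1)} permits any->any inbound on outside"))
        if re.match(r"logging trap (7|debugging)$", line):
            findings.append(("DEBUG_SYSLOG", "syslog at debugging level floods the collector"))
        # --- IKE phase 1 policy: track the block that follows 'crypto isakmp policy N' ---
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current_policy = m.group(1)
            isakmp[current_policy] = {}
            continue
        if current_policy and words[0] in PARAM:
            isakmp[current_policy][PARAM[words[0]]] = words[1]
        elif current_policy and words[0] not in POLICY_KEYWORDS:
            current_policy = None   # any other command ends the policy block
    for num, p in isakmp.items():
        if p.get("cipher") in ("des", "3des"):
            findings.append(("WEAK_IKE_CIPHER", f"policy {num} uses {p['cipher']}"))
        if p.get("hash") == "md5":
            findings.append(("WEAK_IKE_HASH", f"policy {num} uses md5"))
        if p.get("group") in ("1", "2", "5"):
            findings.append(("WEAK_IKE_DH_GROUP", f"policy {num} uses DH group {p['group']}"))
    return findings


# Constructed from the manual's lab commands (prompts kept to show transcript handling).
SAMPLE_TRANSCRIPT = """
ciscoasa(config)# telnet 10.0.0.4 255.255.255.255 inside
ciscoasa(config)# passwd cisco
ciscoasa(config)# enable password cisco
ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa(config)# ssh 10.0.0.1 255.255.255.255 inside
ciscoasa (config)# access-list 1 permit ip any any
ciscoasa (config)# access-group 1 in interface outside
ciscoasa(config)# logging trap 7
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authen pre-share
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# encrypt des
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config)# tunnel-group 15.0.0.2 type ipsec-l2l
"""

if __name__ == "__main__":
    for code, detail in audit_asa_config(SAMPLE_TRANSCRIPT):
        print(f"{code:20} {detail}")
```

A config that replaces the any/any ACL with per-service entries, such as the `access-list 101 ... eq www` lines of the DMZ lab, and uses an AES/SHA/group 14 ISAKMP policy produces no findings, which is the quickest way to confirm a lab build has been hardened.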
WEB VPN
(Topology diagram: ASA E0 20.0.0.10 to the WAN and Ethernet 1 10.0.0.10 inside; remote host 20.0.0.1 with no VPN client; local FTP server 10.0.0.3, Host A 10.0.0.1 and local web server 10.0.0.2)
Configuration
SSL VPN Wizard
Step 3(A): Verify results by IOS commands.
ciscoasa# show running-config webvpn
REMOTE-ACCESS VPN
Remote-access VPN provides secure communication with remote users who work from home and connect over a modem or mobile link; they need the client hardware and client software running on their computers.
(Topology diagram: ASA E0 20.0.0.10 to the WAN and Ethernet 1 10.0.0.10 inside; remote host 20.0.0.1 with the VPN client; local FTP server 10.0.0.3, Host A 10.0.0.1 and local web server 10.0.0.2)
Configuration
IPsec(Remote-access) VPN Wizard