SNAF
Securing Networks with ASA
Fundamentals
Lab Manual
Developed by
M. Irfan Ghauri
M. Tanzeel Nasir
Nat Control
Static NAT
Dynamic NAT
PAT
STATIC PAT
POLICY NAT
NAT 0
4 Transparent Firewall 18
5 Syslog server 20
7 Downloadable ACL 24
10 Routing 32
a.Static Routing
b.Dynamic Routing
ASA Lab Manual
12 Demilitarized Zone 37
Lab # 1
ASA Basic
Configuration
Assign IP
ciscoasa(config-if)# ip address 20.0.0.10
Bring the Interface Up
ciscoasa(config-if)# no shutdown
Set Speed
ciscoasa(config-if)# speed auto
Give Label
ciscoasa(config-if)# nameif outside
Configuration
At Machine 10.0.0.1:
Verification Commands:
ciscoasa(config)# show ssh
ciscoasa(config)# show ssh session
ciscoasa(config)# ssh disconnect session_id
ciscoasa(config)# show crypto key mypubkey rsa
Lab # 2
NETWORK ADDRESS TRANSLATION
Network Address Translation translates private addresses into public addresses.
Nat Control
Static NAT
Dynamic NAT
PAT
STATIC PAT
POLICY NAT
NAT 0
Configuration
Assigning Speed & IP Address on Inside & Outside Interfaces.
ciscoasa(config)# nat-control
Configuration
Establish Static NAT & ACLs.
Configuration
Establish Dynamic NAT, POOL & ACLs on Inside Interfaces.
Configuration
Establish Dynamic PAT, POOL & ACLs
OR
STATIC PAT
Configuration
Establish Port Redirection & ACLs
POLICY NAT
Configuration
Apply ACLs & NAT POLICY
NAT CONTROL
AND
NAT 0
[Topology diagram: inside hosts 10.0.0.1 and 10.0.0.2 (Atif, using the NAT 0 policy); ASA E1 10.0.0.10 / E0 20.0.0.10; outside hosts 20.0.0.1 and 20.0.0.2]
Configuration
Enable Nat control.
ciscoasa(config)# nat-control
Lab # 3
Configuration
Apply Filters.
Lab # 4
TRANSPARENT FIREWALL
[Topology diagram: hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3]
Configuration
Assigning Speed & no shutdown on Inside & Outside Interfaces.
Lab # 5
SYSLOG SERVER
[Topology diagram: inside host 10.0.0.1 and syslog server 10.0.0.2; ASA E1 10.0.0.10 / E0 20.0.0.10; outside hosts 20.0.0.1 and 20.0.0.2]
Configuration:
ciscoasa(config)# logging on
ciscoasa(config)# logging host inside 10.0.0.2
ciscoasa(config)# logging trap 7
Verification Commands:
Lab # 6
Cut-through Proxy using the LOCAL Database & an AAA Server
[Topology diagram: AAA server 10.0.0.1 and inside hosts 10.0.0.2 and 10.0.0.3; ASA E1 10.0.0.10 / E0 20.0.0.10; outside hosts 20.0.0.1 and 20.0.0.2]
Configuration
Verification Commands:
Lab # 7
Downloadable ACL
[Topology diagram: AAA server 10.0.0.1, inside hosts Ali (10.0.0.2) and Atif (10.0.0.3); ASA E1 10.0.0.10 / E0 20.0.0.10; outside hosts 20.0.0.1 and 20.0.0.2]
Step 3: Add user Ali and apply the downloadable ACL to the user's profile.
Verification Commands:
Lab # 8
TCP Intercept Maximum Connection
[Topology diagram: inside host 10.0.0.1; ASA E1 10.0.0.10 / E0 20.0.0.10; outside host 20.0.0.1]
Configuration:
ciscoasa(config)# static (inside,outside) 20.0.0.50 10.0.0.1 1 0
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside
Verification Commands:
Lab # 9
Object Grouping
[Topology diagram: inside host 10.0.0.1; ASA E1 10.0.0.10 / E0 20.0.0.10; outside host 20.0.0.1]
Configuration:
Time-based ACL
Configuration:
ciscoasa(config)#time-range test
ciscoasa(config-time-range)#periodic daily 15:00 to 15:30
ciscoasa(config-time-range)#exit
Verifying commands
ciscoasa(config)# show access-list
ciscoasa(config)# show run object-group
Lab # 10
Routing
[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on the inside; ASA Ethernet 1 10.0.0.10 / 20.0.0.10 toward router R2 (Fa0/1); WEB Server 20.0.0.1 and FTP Server 20.0.0.2]
Configuration :
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 15.0.0.1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
Static Routing
Dynamic Routing
RIP
OSPF
EIGRP
ciscoasa(config)#router rip
ciscoasa(config-router)#network 15.0.0.0
ciscoasa(config-router)#network 10.0.0.0
ciscoasa(config)#router ospf 64
ciscoasa(config-router)#network 15.0.0.0 255.0.0.0 area 0
ciscoasa(config-router)#network 10.0.0.0 255.0.0.0 area 0
ciscoasa(config)#router eigrp 10
ciscoasa(config-router)#network 15.0.0.0
ciscoasa(config-router)#network 10.0.0.0
ciscoasa(config-router)#exit
Verifying Commands
ciscoasa(config)#sh route
ciscoasa(config)#sh rip database
ciscoasa(config)#sh ospf interface
ciscoasa(config)#sh ospf neighbor
ciscoasa(config)# sh eigrp interfaces
ciscoasa(config)# sh eigrp neighbors
Lab # 11
Configuration
Create POOL for Inside Hosts.
DHCP CLIENT
Configuration
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address dhcp
Lab # 12
Demilitarized Zone
Configuration
Step 1: Assign IPs and define security levels.
Apply PAT for inside users and static NAT for the server on the DMZ interface.
Verifying Commands
Lab # 13
INTER-VLAN ROUTING WITH ASA
[Topology diagram: host 10.0.0.1 on ASA Ethernet 0/1 (10.0.0.10), host 20.0.0.1 on Ethernet 0/0 (20.0.0.10); subinterfaces E0/2.30 30.0.0.10/8 (security-level 30) and E0/2.40 40.0.0.10/8 (security-level 40) trunked to a 2950 switch on Fa0/24, with Fa0/3 in VLAN 30 and Fa0/4 in VLAN 40]
Configuration
ciscoasa(config)#Interface Ethernet0/2
ciscoasa(config-if)#no shut
ciscoasa(config-if)#no ip add
ciscoasa(config-if)#exit
ciscoasa(config)#Interface Ethernet0/2.30
ciscoasa(config-if)#vlan 30
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif www
ciscoasa(config-if)#security-level 30
ciscoasa(config-if)#ip address 30.0.0.10 255.0.0.0
ciscoasa(config)#Interface Ethernet0/2.40
ciscoasa(config-if)#vlan 40
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif ftp
ciscoasa(config-if)#security-level 40
ciscoasa(config-if)#ip address 40.0.0.10 255.0.0.0
Switch configuration
Switch(config)#vlan 30
Switch(config-vlan)#name www
Switch(config)#vlan 40
Switch(config-vlan)#name ftp
Switch(config)#interface fa0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30
Switch(config)#interface fa0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 40
Switch(config)#interface fa0/24
Switch(config-if)#switchport mode trunk
Verifying Commands
Lab # 14
MODULAR POLICY FRAMEWORK
Configuration
Step 1: Define Class Name.
Lab # 15
SITE TO SITE VPN
[Topology diagram: Host A 10.0.0.1 and Host B 10.0.0.2 on the inside; ASA Ethernet 1 10.0.0.10 / 20.0.0.10 toward a router (Fa0/1) serving remote users; WEB Server 20.0.0.1 and FTP Server 20.0.0.2]
Configuration
Site-to-Site VPN Configuration on ASA
[Topology diagram: Host A 10.0.0.1 and local web server 10.0.0.2 behind ASA Ethernet 1 (10.0.0.10); ASA E0 20.0.0.10 to the WAN (20.0.0.1); remote host 20.0.0.5 with no VPN client]
Configuration
REMOTE-ACCESS VPN
Remote-access VPN provides secure communication with remote users who work from home and connect through a modem or mobile link; they must have the client hardware and client software running on their computers.
[Topology diagram: Host A 10.0.0.1 and local web server 10.0.0.2 behind ASA Ethernet 1 (10.0.0.10); ASA E0 20.0.0.10 to the WAN (20.0.0.1); remote host 20.0.0.5 with the VPN client]
Configuration