Case Study 1
This section demonstrates how Cisco ASA appliances are deployed in SecureMe's branch offices, as well
as how a business partner company uses Cisco ASA to provide firewall and site-to-site VPN connectivity
to SecureMe.
Branch Offices
SecureMe has several small branch offices around the world. There are 20 to 25 users at each branch
office. A Cisco ASA 5510 is deployed at each of the three branch offices (New York, Los Angeles, and
Atlanta), as shown in Figure 22-1.
The Cisco ASA 5510 at each location is connected to a Cisco IOS router providing Internet connectivity.
The Cisco ASAs are also connected to Cisco Catalyst switches (not shown in Figure 22-1) to provide
connectivity to internal users.
SecureMe's security policies restrict all of its branch office users from communicating to the Internet on
any port other than TCP port 80 (www) and TCP port 443 (SSL). Its business model requires the
following:
The use of a third-party application that uses TCP ports 8912 and 8913. Client machines from users at
remote locations will access this third-party application server over the site-to-site VPN tunnel to
SecureMe's regional site in Washington.
Users access their e-mail (Simple Mail Transfer Protocol [SMTP], Post Office Protocol [POP], and Internet
Message Access Protocol [IMAP]) from an e-mail server in Washington over the VPN tunnel.
The IT staff in Washington developed an application to provide the capability to remotely control user
workstations at remote branch offices from the Washington regional site network. This application is
also used to remotely install software (that is, operating system patches and antivirus updates) and it
communicates over TCP port 7788. Figure 22-2 is a diagram of the New York branch office network with
all the assigned IP addresses.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
hostname NewYork
!The following access control list entries restrict internal users to only be able to
!send TCP port 8912 and 8913 traffic to the 10.20.1.60 server in Washington, which hosts
eq 8912
eq 8913
!The following access control list entries restrict internal users to only be able to
!send SMTP, POP3, and IMAP4 traffic to the 10.20.4.50 mail server in Washington.
eq smtp
eq pop3
!The following access control list entry allows the 10.10.220.0/24 management segment in
!Washington to send TCP port 7788 traffic to user workstations in NY.
255.255.255.0 eq 7788
!The following access control list entries are used to define what traffic should be
255.255.255.0
255.255.255.0
!The following access control list entries allow the ASA to bypass NAT for the IPSec
!tunnel traffic.
255.255.255.0
255.255.255.0
access-list nonat extended permit ip 10.165.200.0 255.255.255.0 10.10.220.0 255.255.255.0
!The following NAT configuration allows all the internal devices within the
address
!The following is the IPSec site-to-site tunnel configuration to the Washington ASA
!209.165.201.1.
pre-shared-key 1qaz@WSX
Note that the sysopt connection permit-ipsec command is not used in the configuration in Example 22-1.
This is done on purpose: without it, decrypted VPN traffic is still evaluated against the interface ACL
applied to the outside interface instead of bypassing it.
Partner-A is a small company that buys supplies from SecureMe on a regular basis. There is a specific
e-commerce application that SecureMe and Partner-A use to do all of their business transactions.
Partner-A deploys the Cisco ASA 5510 to provide site-to-site extranet VPN services and to secure its
infrastructure, as shown in Figure 22-3.
The e-commerce application used by Partner-A to buy its materials is a web-based application over
Secure HTTP (HTTPS). SecureMe and Partner-A policies dictate that only TCP port 443 (HTTPS) traffic
should be allowed over their site-to-site VPN connection to the e-commerce server in Washington
(10.20.2.70). Traffic destined to the rest of 10.x.x.x networks in Washington is not allowed. All other
traffic is allowed to leave the security appliance. Example 22-2 shows the configuration for Partner-A's
Cisco ASA to achieve this goal.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
hostname Partner-A
dropping all
10.20.2.70 eq https
access-list Part_in_ACL extended deny ip 192.168.144.0 255.255.255.0 10.0.0.0 255.0.0.0
! Access-lists to bypass NAT and classify what packets will be encrypted over the tunnel
10.20.2.70
! NAT configuration
pre-shared-key 3edc$RFV
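The access policies of Example 22-1 (the New York inside ACL and the outside ACL that decrypted tunnel traffic hits because sysopt connection permit-ipsec is absent) and of Example 22-2 (the Partner-A inside ACL), expressed as a first-match ACL model that can be checked against sample flows. This is an added example, not code from the book or from either appliance; the ACL names are assumptions, the 10.165.200.0/24 New York inside network is taken from the nonat entry, and the sample flow addresses are constructed.

```python
import ipaddress

# Added example, not from the book: a first-match model of Cisco ASA extended-ACL
# evaluation, used to check the case-study policies against sample flows.
# Rule = (action, protocol, source net, destination net, destination port);
# port None matches any port and protocol "ip" matches any protocol.
N = ipaddress.ip_network
ANY = N("0.0.0.0/0")

def evaluate(acl, proto, src, dst, dport):
    """Return True if the flow is permitted. Like an ASA ACL, the first matching
    entry decides and an unmatched flow hits the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in acl:
        proto_ok = rproto in ("ip", proto)
        port_ok = rport is None or rport == dport
        if proto_ok and port_ok and src in rsrc and dst in rdst:
            return action == "permit"
    return False

# New York inside ACL (Example 22-1): tunnel traffic only to the named Washington
# servers, plus www/https to anywhere. The 10.165.200.0/24 inside network is taken
# from the nonat entry; the ACL names in this file are assumptions.
NY_INSIDE = N("10.165.200.0/24")
NY_INSIDE_ACL = [
    ("permit", "tcp", NY_INSIDE, N("10.20.1.60/32"), 8912),
    ("permit", "tcp", NY_INSIDE, N("10.20.1.60/32"), 8913),
    ("permit", "tcp", NY_INSIDE, N("10.20.4.50/32"), 25),   # smtp
    ("permit", "tcp", NY_INSIDE, N("10.20.4.50/32"), 110),  # pop3
    ("permit", "tcp", NY_INSIDE, N("10.20.4.50/32"), 143),  # imap4
    ("permit", "tcp", NY_INSIDE, ANY, 80),
    ("permit", "tcp", NY_INSIDE, ANY, 443),
]
# New York outside ACL: with sysopt connection permit-ipsec absent, decrypted
# tunnel traffic is checked here, so only the Washington management segment
# reaches the TCP 7788 remote-control service on NY workstations.
NY_OUTSIDE_ACL = [
    ("permit", "tcp", N("10.10.220.0/24"), NY_INSIDE, 7788),
]
# Partner-A inside ACL (Example 22-2): HTTPS to the e-commerce server, nothing
# else into 10.0.0.0/8, everything else out to the Internet.
PARTNER_INSIDE = N("192.168.144.0/24")
PARTNER_ACL = [
    ("permit", "tcp", PARTNER_INSIDE, N("10.20.2.70/32"), 443),
    ("deny", "ip", PARTNER_INSIDE, N("10.0.0.0/8"), None),
    ("permit", "ip", PARTNER_INSIDE, ANY, None),
]
```

Re-running the same flow checks after each policy change shows whether a flow slipped through, for example an Internet-sourced connection to TCP 7788 on a New York workstation.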
Partner-A has a total of 75 users. Its Network Address Translation (NAT) configuration is designed so
that all of its users are translated with Port Address Translation (PAT) to the address of the ASA's
public (outside) interface.
The network security administrator at Partner-A receives a call from Partner-A's Chief Information
Officer (CIO) mentioning that the security policy has been changed such that ActiveX and Java should be
blocked for all of Partner-A's user web traffic to the Internet. The commands shown in Example 22-3 are
appended to SecureMe's Cisco ASA configuration to fulfill this requirement.
ActiveX and Java are filtered for all sources and destinations on port 80.