Configuring ASA Site-To-Site VPN
Contents
Purpose
Background
  Outside
  Inside
  DMZ
VPN
ASA VPN Types
  Clientless VPN
  AnyConnect VPN
  Site-to-Site VPN
    There are two types of site-to-site VPNs
ASDM
Learning Objectives
Network Diagram
Lab
  Task 1: Configure all other devices except the ASA
    PCs and servers
    ISP
    R1
    R2
  Task 2: Create an MS Loopback interface
  Task 3: Add the ASA device to GNS3
Local Site
  Task 4: Install ASDM on the ASA device
  Task 5: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
    Step 3: Configure the dmz
    Step 4: Create an Access Rule
  Task 6: Verifying the Local configuration
Remote Site
  Task 7: Install ASDM on the ASA device
  Task 8: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
  Task 9: Verifying the Remote configuration
Configure the Site-To-Site VPN
  Local site
  Remote site
  Verifying the VPN configuration
Purpose:
The purpose of this lab is to provide a more advanced understanding of Cisco's ASA 5520
Adaptive Security Appliance. The Cisco ASA is a security device that combines firewall, antivirus,
intrusion prevention, and virtual private network (VPN) capabilities. In this lab we will use GNS3
to learn how to configure the ASA as a basic firewall with the addition of a third zone, referred
to as a DMZ, and finally we will create a site-to-site VPN between the sites. This knowledge is
essential to passing the CCNP Security exam and will be used daily in your position as a Cisco
network engineer.
Background:
In this lab we will be using GNS3 and ASDM to model a network with a LOCAL and a REMOTE site.
Each of these sites will have access to the internet. The local site will also have a DMZ zone that
can be accessed by any outside device as well as by inside devices, but devices in the DMZ will not
be able to connect to any inside device. In addition, we will create a site-to-site VPN between the
local site and the remote site. Before we continue with our lab, let's take a look at the basic
interfaces being used in this lab.
Outside:
The outside interface is a public, untrusted zone commonly used to connect to public addresses
on the internet. Devices within this zone cannot access devices in the inside or DMZ zones without
explicit permission.
Inside:
The inside interface is a private, trusted interface generally used for local devices using a private
address space. To reach public addresses on the outside, the private addresses need to be
translated using NAT or PAT. Inside devices can access devices on the outside or in the DMZ unless
restricted.
DMZ:
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter
network) is a physical or logical subnetwork that contains and exposes an organization's
external-facing services to a larger, untrusted network, usually the Internet. The purpose of
a DMZ is to add an additional layer of security to an organization's local area network (LAN): an
external attacker only has direct access to equipment in the DMZ, rather than to any other part of
the network.
VPN:
VPNs allow employees to securely access their company's intranet while traveling outside the
office. Similarly, VPNs securely connect geographically separated offices of an organization,
creating one cohesive network. VPN technology is also used by individual Internet users to
secure their wireless transactions, to circumvent geo restrictions and censorship, and to
connect to proxy servers for the purpose of protecting personal identity and location.
ASA VPN Types:
There are basically three types of VPN available on the Cisco ASA product line. They are as
follows:
Clientless VPN:
Clientless SSL VPN enables end users to securely access resources on the corporate network
from anywhere using an SSL-enabled Web browser. The user first authenticates with a
Clientless SSL VPN gateway, which then allows the user to access pre-configured network
resources.
Clientless SSL VPN creates a secure, remote-access VPN tunnel to an ASA using a Web browser
without requiring a software or hardware client. It provides secure and easy access to a broad
range of Web resources and both web-enabled and legacy applications from almost any device
that can connect to the Internet via HTTP. They include:
• Internal websites.
• Web-enabled applications.
• NT/Active Directory file shares.
• email proxies, including POP3S, IMAP4S, and SMTPS.
• Microsoft Outlook Web Access Exchange Server 2000, 2003, and 2007.
• Microsoft Web App to Exchange Server 2010 in 8.4(2) and later.
• Application Access (smart tunnel or port forwarding access to other TCP-based
applications)
Clientless SSL VPN uses the Secure Sockets Layer protocol and its successor, Transport Layer
Security (SSL/TLS), to provide the secure connection between remote users and specific,
supported internal resources that you configure on an internal server. The ASA recognizes
connections that must be proxied, and the HTTP server interacts with the authentication
subsystem to authenticate users.
The network administrator provides access to resources by users of Clientless SSL VPN sessions
on a group basis. Users have no direct access to resources on the internal network.
AnyConnect VPN:
Cisco AnyConnect is an app designed to let you connect securely to VPNs. It is intended for
enterprise users who need a secure way to connect to the VPN at their place of work. Coming
from a trusted name like Cisco, the app provides a level of safety and security that should be
welcomed by those who need such an app.
Site-to-Site VPN:
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with
each other over a public network such as the Internet. Site-to-site VPN extends the company's
network, making computer resources from one location available to employees at other
locations. An example of a company that needs a site-to-site VPN is a growing corporation with
dozens of branch offices around the world.
There are two types of site-to-site VPNs:
• Intranet-based -- If a company has one or more remote locations that they wish to join
in a single private network, they can create an intranet VPN to connect each separate
LAN to a single WAN.
• Extranet-based -- When a company has a close relationship with another company (such
as a partner, supplier or customer), it can build an extranet VPN that connects those
companies' LANs. This extranet VPN allows the companies to work together in a secure,
shared network environment while preventing access to their separate intranets.
Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it
can use some of the same software and equipment. Ideally, though, a site-to-site VPN should
eliminate the need for each computer to run VPN client software as if it were on a remote-
access VPN. Dedicated VPN equipment at each site, such as the ASA used in this lab, can accomplish
this goal in a site-to-site VPN.
ASDM:
Cisco's ASDM is a simple, GUI-based firewall appliance management tool that is user friendly
and allows the user to configure, monitor, and troubleshoot Cisco firewall appliances and
firewall service modules. Ideal for small or simple deployments, the Cisco Adaptive Security
Device Manager provides the following:
• Setup wizards that help you configure and manage Cisco firewall devices, including the
Cisco ASA Adaptive Security Appliances, Cisco PIX appliances, and Cisco Catalyst 6500
Series Firewall Services Modules, without cumbersome command-line scripts.
• A powerful real-time log viewer and monitoring dashboards that provide an at-a-glance
view of firewall appliance status and health.
• Handy troubleshooting features and powerful debugging tools such as packet trace and
packet capture.
Learning Objectives:
• Add the ASA to GNS3.
• Configure the MS Loopback interface.
• Install and configure ASDM.
• Use ASDM to configure the ASA.
• Configure a DMZ.
• Configure a site-to-site VPN.
Network Diagram:
Lab:
Task 1: Configure all other devices except the ASA.
In this part of our lab we will configure the routers, PCs and servers as shown in the network
diagram.
Note: In this lab, routers are used to simulate the INTERNET, DMZ and LOCAL servers and
the REMOTE and LOCAL PCs.
PC’s and servers:
1. Configure the INTERNET, DMZ, and LOCAL servers and the REMOTE and LOCAL PCs
devices as shown in the network diagram.
2. Configure a default route on the above devices.
ISP:
1. Configure the ISP as follows:
ISP# configure terminal
ISP(config)# interface FastEthernet0/0
ISP(config-if)# ip address 209.165.200.9 255.255.255.248
ISP(config-if)# no shutdown
ISP(config-if)# exit
!
ISP(config)# interface Serial1/0
ISP(config-if)# ip address 10.1.1.2 255.255.255.252
ISP(config-if)# no shutdown
ISP(config-if)# exit
!
! Serial1/1 faces R2 (10.2.2.1, which uses 10.2.2.2 as its default gateway).
! The original listing repeated 10.1.1.2 here, which IOS rejects as
! overlapping Serial1/0.
ISP(config)# interface Serial1/1
ISP(config-if)# ip address 10.2.2.2 255.255.255.252
ISP(config-if)# no shutdown
ISP(config-if)# exit
!
ISP(config)# ip route 209.165.200.224 255.255.255.248 10.1.1.1
ISP(config)# ip route 209.165.200.232 255.255.255.248 10.2.2.1
ISP(config)# exit
ISP# wr
R1:
1. Configure R1 as follows:
R1# configure terminal
R1(config)# interface FastEthernet0/0
R1(config-if)# ip address 209.165.200.226 255.255.255.248
R1(config-if)# no shutdown
R1(config-if)# exit
!
R1(config)# interface Serial1/0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# no shutdown
R1(config-if)# exit
!
R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1(config)# exit
R1# wr
R2:
1. Configure R2 as follows:
R2# configure terminal
R2(config)# interface FastEthernet0/0
R2(config-if)# ip address 209.165.200.233 255.255.255.248
R2(config-if)# no shutdown
R2(config-if)# exit
!
R2(config)# interface Serial1/1
R2(config-if)# ip address 10.2.2.1 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)# exit
!
R2(config)# ip route 0.0.0.0 0.0.0.0 10.2.2.2
R2(config)# exit
R2# wr
Task 2: Create an MS Loopback interface.
The Microsoft Loopback Adapter is a dummy network card; no hardware is involved. It is used as a
testing tool for a virtual network environment where network access is not available. You can
bind network clients, protocols, and other network configuration items to the Loopback
adapter.
1. In the host operating system, right-click My Computer, and then select Properties.
Depending on the style of the start menu, My Computer may be located in the Start
menu.
2. In the System Properties dialog box, on the Hardware tab, click Add Hardware Wizard.
3. In the Add Hardware dialog box, click Next.
4. When the Is the hardware connected? dialog box appears, click Yes, I have already
connected the hardware, and then click Next.
5. In the Installed hardware list, click Add a new hardware device, and then click Next.
6. In the What do you want the wizard to do? list, click Install the hardware that I manually
select from a list (Advanced), and then click Next.
7. In the Common hardware types list, click Network adapters, and then click Next.
8. In the Manufacturer list, click Microsoft.
9. In the Network Adapter list, click Microsoft Loopback Adapter, and then click Next twice.
10. If a message about driver signing appears, click Continue Anyway.
11. In the Completing the Add Hardware Wizard dialog box, click Finish, and then click OK.
12. Reboot the computer.
13. On the host operating system, open Network Connections, right-click the local area
connection for Microsoft Loopback Adapter, and then select Properties.
14. In the Microsoft Loopback Adapter Properties dialog box, verify that the Virtual Machine
Network services check box is selected.
15. Click Internet Protocol (TCP/IP), and then click Properties.
16. On the General tab, click Use the following IP address, and then type the IP address and
subnet mask 192.168.2.10 and 255.255.255.0.
17. Click OK, and then click Close.
Task 3: Add the ASA device to GNS3.
1. Copy the ASA842.zip file included with this lab into the GNS3 image directory.
2. Unzip the ASA842.zip file.
3. Open Edit -> Preferences -> Qemu and click the ASA tab
4. Enter an Identifier name – I used “ASA-5520″
5. Enter 1024 in RAM
6. Enter the following for Qemu Options:
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
7. Enter the paths where you placed the files from step 1 into the designated boxes for
Initrd and Kernel
8. Enter the following for Kernel cmd line:
-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb
console=ttyS0,9600 bigphysarea=65536
9. Leave all other options at defaults
10. Click the Save button then click OK.
11. Copy the ASDM lab.zip file to the GNS3 project directory.
12. Extract the ASDM lab.zip file.
13. Open the lab topology.
14. Once the ASA is up, enter enable and then enter one of the following to activate
features:
activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Local Site.
Task 4: Install ASDM on the ASA device.
1. If you don’t already have a TFTP server installed, then you can download and install the
Cisco TFTP server available with this lab.
2. In the ASA console enter the following:
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA1
ASA1(config)# interface GigabitEthernet5
ASA1(config-if)# ip address 192.168.2.1 255.255.255.0
ASA1(config-if)# nameif management
ASA1(config-if)# no shutdown
3. Ping the Windows loopback adapter from the ASA firewall to test connectivity.
4. If you don’t already have the ASDM, then download the ASDM647 included with this
lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:
ASA1# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM image during the next boot:
ASA1# config t
ASA1(config)# asdm image flash:asdm-647.bin
ASA1(config)# http server enable
ASA1(config)# http 192.168.2.10 255.255.255.255 management
ASA1(config)# username admin password cisco privilege 15
7. When the copy is complete, save your configuration using the 'wr' command and then
reload the firewall using the 'reload' command.
Note: To complete the next step, you will need to disable or configure your PC firewall.
You may also need to disable the pop-up blocker in your browser and in the Java configuration.
Lastly, you may need to add https://192.168.2.1 to the trusted sites under the internet security
options. You may also need to install the ASA's certificate in your browser.
8. Open your browser and browse to https://192.168.2.1 and click the Install ASDM
Launcher button to download and install the ASDM app from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, login to it with the name admin and
password cisco.
Task 5: Configure the ASA using ASDM.
Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter the hostname ASA1 and the domain name Local, then click Next.
5. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet0
   Interface name: outside
   Security level: 0
   IP address: 209.165.200.226
   Subnet mask: 255.255.255.248
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet1
   Interface name: inside
   Security level: 0
   IP address: 192.168.20.1
   Subnet mask: 255.255.255.0
9. Click OK.
10. Highlight GigabitEthernet2 and click Edit.
11. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet2
   Interface name: dmz
   Security level: 0
   IP address: 172.16.1.1
   Subnet mask: 255.255.255.0
12. Click OK.
13. Click Next.
14. Click Add and enter the following:
   Interface: inside
   Network: any
   Gateway IP: 209.165.200.225
15. Click OK.
16. Click Next.
17. Enable the DHCP server on the inside interface.
18. Enter the starting IP address 192.168.10.10 and the ending IP address 192.168.10.100.
19. Click Next.
20. Select Use the IP address on GigabitEthernet0 interface.
21. Click Next.
22. Click Next.
23. Click Next.
24. Select Do not enable Smart Call Home and click Next.
25. Verify the configuration.
26. Click Finish.
27. Select Send.
Step 2: Create a global service policy.
1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global, set the policy name to global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules:
• DNS
• ESMTP
• FTP
• H.323 H.225
• HTTP
• ICMP
• IP-OPTIONS
• NETBIOS
8. Click Finish.
9. Click Apply.
10. Click Send.
Step 3: Configure the dmz.
1. From the Firewall tree select Network Objects/Groups.
2. Click Add and select Network Object.
3. In the Add Network Object window enter the following:
   Name: inside-subnet
   Type: Network
   IP Address: 192.168.1.0
   Netmask: 255.255.255.0
4. Expand NAT and check Add Automatic Address Translation Rules.
5. Select the Type Dynamic.
6. Select outside as the Translated Address.
7. Click Advanced.
8. Select inside as the Source Interface and outside as the Destination Interface.
9. Click OK.
10. From the Firewall tree select Network Objects/Groups.
11. Click Add and select Network Object.
12. In the Add Network Object window enter the following:
   Name: dmz-subnet
   Type: Network
   IP Address: 172.16.1.0
   Netmask: 255.255.255.0
13. Expand NAT and check Add Automatic Address Translation Rules.
14. Select the Type Dynamic.
15. Select outside as the Translated Address.
16. Click Advanced.
17. Select dmz as the Source Interface and outside as the Destination Interface.
18. Click OK.
19. Click OK.
20. Click Add and select Network Object.
21. In the Add Network Object window enter the following:
   Name: dmz-host-ext
   Type: Host
   IP Address: 209.165.200.229
22. Click OK.
23. Click Add and select Network Object.
24. In the Add Network Object window enter the following:
   Name: dmz-host-int
   Type: Host
   IP Address: 172.16.1.200
25. Expand NAT and check Add Automatic Address Translation Rules.
26. Select the Type Static.
27. Select dmz-host-ext as the Translated Address.
28. Click Advanced.
29. Select dmz as the Source Interface and outside as the Destination Interface.
30. Click OK.
31. Click OK.
32. Click Apply.
33. Click Send.
Step 4: Create an Access Rule.
1. From the Firewall tree select Access Rules.
2. Highlight outside (0 implicit incoming rules).
3. Click Add, select Add Access Rule and enter the following:
• Interface: outside
• Action: Permit
• Source: any
• Destination: dmz-host-int
• Services: tcp/ftp, tcp/ftp-data, tcp/http, tcp/https, tcp/ssh, tcp/telnet
4. Click OK.
5. Click Apply.
6. Click Send.
7. From the menu bar click Save.
8. Click Send.
Task 6: Verifying the Local configuration.
1. From LOCAL-PC, Telnet to the INTERNET server using the username admin and the password
cisco.
2. Enter exit.
3. From LOCAL-PC, Telnet to the DMZ server using the username admin and the password
cisco.
4. Enter exit.
5. From the DMZ server, Telnet to the INTERNET server using the username admin and the
password cisco.
6. Enter exit.
7. Ensure you cannot Telnet to LOCAL-PC or the LOCAL server from the DMZ.
Remote Site.
Task 7: Install ASDM on the ASA device.
1. If you don’t already have a TFTP server installed, then you can download and install the
Cisco TFTP server available with this lab.
2. In the ASA console enter the following:
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA2
ASA2(config)# interface GigabitEthernet5
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# nameif management
ASA2(config-if)# no shutdown
3. Ping the Windows loopback adapter from the ASA firewall to test connectivity.
4. If you don’t already have the ASDM, then download the ASDM647 included with this
lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:
ASA2# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM image during the next boot:
ASA2# config t
ASA2(config)# asdm image flash:asdm-647.bin
ASA2(config)# http server enable
ASA2(config)# http 192.168.2.10 255.255.255.255 management
ASA2(config)# username admin password cisco privilege 15
7. When the copy is complete, save your configuration using the 'wr' command and then
reload the firewall using the 'reload' command.
Note: To complete the next step, you will need to disable or configure your PC firewall.
You may also need to disable the pop-up blocker in your browser and in the Java configuration.
Lastly, you may need to add https://192.168.2.2 to the trusted sites under the internet security
options. You may also need to install the ASA's certificate in your browser.
8. Open your browser and browse to https://192.168.2.2 and click the Install ASDM
Launcher button to download and install the ASDM app from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, login to it with the name admin and
password cisco.
Task 8: Configure the ASA using ASDM.
Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter the hostname ASA1 and the domain name Local, then click Next.
5. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet0
   Interface name: outside
   Security level: 0
   IP address: 209.165.200.226
   Subnet mask: 255.255.255.248
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
   Interface: GigabitEthernet1
   Interface name: inside
   Security level: 0
   IP address: 192.168.20.1
   Subnet mask: 255.255.255.0
9. Click OK.
10. Click Next.
11. Click Add and enter the following:
   Interface: inside
   Network: any
   Gateway IP: 209.165.200.225
12. Click OK.
13. Click Next.
14. Enable the DHCP server on the inside interface.
15. Enter the starting IP address 192.168.0.10 and the ending IP address 192.168.10.100.
16. Click Next.
17. Select Use the IP address on GigabitEthernet0 interface.
18. Click Next.
19. Click Next.
20. Click Next.
21. Select Do not enable Smart Call Home and click Next.
22. Verify the configuration.
23. Click Finish.
24. Select Send.
Step 2: Create a global service policy.
1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global, set the policy name to global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules:
• DNS
• ESMTP
• FTP
• H.323 H.225
• HTTP
• ICMP
• IP-OPTIONS
• NETBIOS
8. Click Finish.
9. Click Apply.
10. Click Send.
Task 9: Verifying the Remote configuration.
1. From REMOTE-PC, Telnet to the INTERNET server using the username admin and the
password cisco.
2. Enter exit.
3. From REMOTE-PC, Telnet to the DMZ server's outside address 209.165.200.229 using the
username admin and the password cisco.
4. Enter exit.
5. Ensure you cannot Telnet to LOCAL-PC or the LOCAL server from REMOTE-PC.
Configure the Site-To-Site VPN
For this part of our lab we will be using ASDM to configure the Local and Remote side of our
Site-To-Site VPN.
Local site.
1. Open your browser, browse to https://192.168.2.1 and click the Install ASDM
Launcher button to download and install the ASDM app from the ASA.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the name admin and
the password cisco.
3. From the menu bar select Wizards.
4. From the drop-down select VPN Wizards and then Site-to-Site VPN Wizard.
5. Click Next.
6. Enter the outside address of ASA2 as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click Next.
11. From the Local Network drop-down select inside-subnet as the Local Network.
12. Select the Remote Network drop-down.
13. Click Add, select Network Object and enter the following:
   Name: remote-subnet
   Type: Network
   IP Address: 192.168.20.0
   Netmask: 255.255.255.0
14. Click OK.
15. Select remote-subnet as the Remote Network.
16. Click Next.
17. Enter cisco as the Pre-shared Key.
18. Click Next.
19. Take the defaults for the IKE policy and IPsec proposal.
20. Click Next.
21. Check the remaining two boxes.
22. Click Next.
23. Ensure the configuration is correct and click Finish.
24. Click Send.
This completes the site-to-site VPN configuration on the Local site.
Remote site.
1. Open your browser, browse to https://192.168.2.2 and click the Install ASDM
Launcher button to download and install the ASDM app from the ASA.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the name admin and
the password cisco.
3. From the menu bar select Wizards.
4. From the drop-down select VPN Wizards and then Site-to-Site VPN Wizard.
5. Click Next.
6. Enter the outside address of ASA1 as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click Next.
11. From the Local Network drop-down select inside-subnet as the Local Network.
12. Select the Remote Network drop-down.
13. Click Add, select Network Object and enter the following:
   Name: remote-subnet
   Type: Network
   IP Address: 192.168.10.0
   Netmask: 255.255.255.0
14. Click OK.
15. Select remote-subnet as the Remote Network.
16. Click Next.
17. Enter cisco as the Pre-shared Key.
18. Click Next.
19. Take the defaults for the IKE policy and IPsec proposal.
20. Click Next.
21. Check the remaining two boxes.
22. Click Next.
23. Ensure the configuration is correct and click Finish.
24. Click Send.
This completes the site-to-site VPN configuration on the Remote site.
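What the Site-to-Site VPN Wizard configures on ASA1 for the Local site procedure above (and, mirrored, on ASA2 for the Remote site procedure), shown as an added CLI example rather than the wizard's actual output. It assumes the wizard's default IKEv1 policy (pre-shared key, AES, SHA, DH group 2), the IPsec proposal the verification output on ASA2 reports (esp-aes esp-sha-hmac with PFS group 2), ASA2's outside address 209.165.200.234 taken from that same output, and an inside-subnet object of 192.168.10.0/24.

```cisco
! Added example (not the wizard's own output): the configuration the
! Site-to-Site VPN Wizard produces on ASA1. ASA2 is the mirror image: use
! 209.165.200.226 as the peer and swap the two networks in the crypto ACL
! and in the NAT exemption.
!
! IKEv1 phase 1: enable on the outside interface and define the policy.
! Assumption: wizard defaults of pre-shared key, AES, SHA and DH group 2.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Local and remote networks (inside-subnet assumed to be 192.168.10.0/24)
object network inside-subnet
 subnet 192.168.10.0 255.255.255.0
object network remote-subnet
 subnet 192.168.20.0 255.255.255.0
!
! Interesting traffic: only packets matching this ACL enter the tunnel
access-list outside_cryptomap extended permit ip object inside-subnet object remote-subnet
!
! NAT exemption (the wizard's "exempt from address translation" check box).
! Without it the inside hosts would be PATed to the outside address before
! the crypto map is evaluated and would never match outside_cryptomap.
nat (inside,outside) source static inside-subnet inside-subnet destination static remote-subnet remote-subnet no-proxy-arp route-lookup
!
! IKEv1 phase 2 proposal and the crypto map bound to outside
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 209.165.200.234
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set pfs group2
crypto map outside_map interface outside
!
! Peer definition and pre-shared key. The lab uses "cisco"; a production
! tunnel needs a long random key that is unique to this peer.
tunnel-group 209.165.200.234 type ipsec-l2l
tunnel-group 209.165.200.234 ipsec-attributes
 ikev1 pre-shared-key cisco
```

After the wizard finishes, `show running-config crypto` and `show nat` on each ASA should show the equivalent of this listing, with the two ends' addresses and networks reversed.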
Verifying the VPN configuration
1. From REMOTE-PC, Telnet to the LOCAL server 192.168.10.200 using the username
admin and the password cisco.
2. Type exit.
3. From REMOTE-PC, Telnet to the INTERNET server 209.165.200.11 using the username
admin and the password cisco.
4. Type exit.
5. From REMOTE-PC, Telnet to the DMZ server 209.165.200.229 using the username
admin and the password cisco.
6. Type exit.
7. From the INTERNET server, ensure you cannot access the inside of the LOCAL or REMOTE
site.
8. From the command prompt of ASA2, issue the following commands and observe the
output.
ASA2# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 209.165.200.226
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234
access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 209.165.200.226
#pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
#pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 201, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.165.200.234/0, remote crypto endpt.: 209.165.200.226/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 36C6AFF0
current inbound spi : DCCD0B9F
inbound esp sas:
spi: 0xDCCD0B9F (3704425375)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373992/28356)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x36C6AFF0 (918990832)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373991/28356)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object inside-subnet object remote-subnet (hitcnt=3) 0x6742cde6
access-list outside_cryptomap line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=5) 0x6742cde6
ASA2# sh vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
Site-to-Site VPN : 1 : 1 : 1
IKEv1 IPsec : 1 : 1 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 1
Device Total VPN Capacity : 0
Device Load : 0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
IKEv1 : 1 : 1 : 1
IPsec : 1 : 1 : 1
---------------------------------------------------------------------------
Totals : 2 : 2
---------------------------------------------------------------------------
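The checks above are done by eye. As an added example that is not part of the lab, the Python below parses the same two show outputs and flags what a practitioner looks for when a tunnel misbehaves: an IKE SA not in MM_ACTIVE, proxy identities that do not match the intended subnets, packets encapsulated but none decapsulated (traffic leaves but nothing comes back), a missing inbound or outbound ESP SA, or a transform/PFS group other than the one negotiated. The sample text is copied from the ASA2 output above; EXPECTED_ASA2 holds the values this lab intends for ASA2 and is an assumption of the example.

```python
import re

# Constructed sample input: 'show crypto isakmp sa' as captured on ASA2 above.
ISAKMP_SAMPLE = """\
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 209.165.200.226
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
"""

# Constructed sample input: the lines of 'show crypto ipsec sa' the check needs.
IPSEC_SAMPLE = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 209.165.200.226
#pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
#pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
#send errors: 0, #recv errors: 0
inbound esp sas:
spi: 0xDCCD0B9F (3704425375)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
outbound esp sas:
spi: 0x36C6AFF0 (918990832)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
"""

# Intended values for ASA2 in this lab (assumption of this example, taken from the output).
EXPECTED_ASA2 = {"peer": "209.165.200.226",
                 "local": "192.168.20.0/255.255.255.0",
                 "remote": "192.168.10.0/255.255.255.0",
                 "transform": "esp-aes esp-sha-hmac no compression", "pfs": 2}


def parse_isakmp_sa(text):
    """Return one dict per IKEv1 peer: peer, type, role, rekey, state."""
    peers = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if not m:
            continue
        # Type/Role and Rekey/State are printed on the two lines after the peer line.
        block = " ".join(lines[i:i + 3])
        fields = re.findall(r"\b(Type|Role|Rekey|State)\s*:\s*(\S+)", block)
        peers.append({"peer": m.group(1), **{k.lower(): v for k, v in fields}})
    return peers


def parse_ipsec_sa(text):
    """Extract proxy identities, peer, packet counters and per-direction ESP SAs."""
    sa = {"local_ident": None, "remote_ident": None, "peer": None,
          "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0, "esp_sas": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(local|remote) ident.*?:\s*\(([\d.]+)/([\d.]+)/", line):
            sa[f"{m.group(1)}_ident"] = f"{m.group(2)}/{m.group(3)}"
        elif m := re.match(r"current_peer:\s*(\S+)", line):
            sa["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps:\s*(\d+)", line):
            sa["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps:\s*(\d+)", line):
            sa["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors:\s*(\d+),\s*#recv errors:\s*(\d+)", line):
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) esp sas:", line):
            sa["esp_sas"].append({"direction": m.group(1), "transform": None, "pfs": None})
        elif (m := re.match(r"transform:\s*(.+)", line)) and sa["esp_sas"]:
            sa["esp_sas"][-1]["transform"] = m.group(1)
        elif (m := re.search(r"PFS Group (\d+)", line)) and sa["esp_sas"]:
            sa["esp_sas"][-1]["pfs"] = int(m.group(1))
    return sa


def check_tunnel(peers, ipsec, expected):
    """Compare the parsed state with the intended tunnel; return a list of problems."""
    problems = []
    ike = next((p for p in peers if p["peer"] == expected["peer"]), None)
    if ike is None:
        problems.append(f"no IKEv1 SA with peer {expected['peer']}")
    elif ike.get("state") != "MM_ACTIVE":
        problems.append(f"IKE SA state is {ike.get('state')}, not MM_ACTIVE")
    if (ipsec["local_ident"], ipsec["remote_ident"]) != (expected["local"], expected["remote"]):
        problems.append("proxy identities differ from the intended inside/remote subnets")
    if ipsec["encaps"] and not ipsec["decaps"]:
        problems.append("packets encrypted but none decrypted: the far end is not returning traffic")
    elif not ipsec["encaps"] and not ipsec["decaps"]:
        problems.append("no packets have passed through the tunnel yet")
    if ipsec["send_errors"] or ipsec["recv_errors"]:
        problems.append("ESP send/recv errors present")
    if {s["direction"] for s in ipsec["esp_sas"]} != {"inbound", "outbound"}:
        problems.append("inbound or outbound ESP SA missing")
    for s in ipsec["esp_sas"]:
        if s["transform"] != expected["transform"] or s["pfs"] != expected["pfs"]:
            problems.append(f"{s['direction']} SA uses '{s['transform']}' with PFS {s['pfs']}")
    return problems


if __name__ == "__main__":
    found = check_tunnel(parse_isakmp_sa(ISAKMP_SAMPLE), parse_ipsec_sa(IPSEC_SAMPLE), EXPECTED_ASA2)
    print("tunnel OK" if not found else "\n".join(found))
```

On a live box the same functions can be fed the output of the two show commands captured over SSH; an encaps-only counter pattern is the usual first sign that the interesting-traffic ACL or the peer's crypto map does not mirror this side.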

Contenu connexe

Tendances

All about routers
All about routersAll about routers
All about routers
agwanna
 
The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data Hub
DataWorks Summit
 

Tendances (20)

WPA-3: SEA and Dragonfly
WPA-3: SEA and DragonflyWPA-3: SEA and Dragonfly
WPA-3: SEA and Dragonfly
 
Wpa3
Wpa3Wpa3
Wpa3
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
 
Who needs iot security?
Who needs iot security?Who needs iot security?
Who needs iot security?
 
All about routers
All about routersAll about routers
All about routers
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
WPA 3
WPA 3WPA 3
WPA 3
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kali
 
DTS Solution - Wireless Security Protocols / PenTesting
DTS Solution - Wireless Security Protocols / PenTesting DTS Solution - Wireless Security Protocols / PenTesting
DTS Solution - Wireless Security Protocols / PenTesting
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data Hub
 
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
 
Aws cloud hms service
Aws cloud hms serviceAws cloud hms service
Aws cloud hms service
 
Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2Implementing a Secure and Effective PKI on Windows Server 2012 R2
Implementing a Secure and Effective PKI on Windows Server 2012 R2
 
FortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZFortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZ
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
Towards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization InfrastructuresTowards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization Infrastructures
 

En vedette

Workshop Proceedings (Full Document)
Workshop Proceedings (Full Document)Workshop Proceedings (Full Document)
Workshop Proceedings (Full Document)
Nawsheen Hosenally
 
Powerpoint animales carnívoros, herbívoros y omnívoros
Powerpoint animales carnívoros, herbívoros y omnívoros Powerpoint animales carnívoros, herbívoros y omnívoros
Powerpoint animales carnívoros, herbívoros y omnívoros
Jorge Cardiel
 
Diapo sena
Diapo senaDiapo sena
Diapo sena
feerika
 
Tema 5. sinapsis
Tema 5. sinapsisTema 5. sinapsis
Tema 5. sinapsis
SalvadorGH
 

En vedette (20)

Øget produktivitet med Skype for Business og Office 365, Jakob Østergaard Nie...
Øget produktivitet med Skype for Business og Office 365, Jakob Østergaard Nie...Øget produktivitet med Skype for Business og Office 365, Jakob Østergaard Nie...
Øget produktivitet med Skype for Business og Office 365, Jakob Østergaard Nie...
 
Desafíos en la enseñanza del Markerting
Desafíos en la enseñanza del MarkertingDesafíos en la enseñanza del Markerting
Desafíos en la enseñanza del Markerting
 
Fq8 x000f0 astra led, dig y pantalla mini - Servicio Tecnico Fagor
Fq8 x000f0 astra led, dig y pantalla mini - Servicio Tecnico FagorFq8 x000f0 astra led, dig y pantalla mini - Servicio Tecnico Fagor
Fq8 x000f0 astra led, dig y pantalla mini - Servicio Tecnico Fagor
 
Mobile CI
Mobile CIMobile CI
Mobile CI
 
Workshop Proceedings (Full Document)
Workshop Proceedings (Full Document)Workshop Proceedings (Full Document)
Workshop Proceedings (Full Document)
 
Hosting Personalizado SMweb
Hosting Personalizado SMwebHosting Personalizado SMweb
Hosting Personalizado SMweb
 
Verano deportivo 2016
Verano deportivo 2016Verano deportivo 2016
Verano deportivo 2016
 
Water painting-techniques
Water painting-techniquesWater painting-techniques
Water painting-techniques
 
Seminario ISO 19600
Seminario ISO 19600Seminario ISO 19600
Seminario ISO 19600
 
Salud 2.0 : Una oportunidad para la EPS en la escuela.
Salud 2.0 :  Una oportunidad para la EPS en la escuela.Salud 2.0 :  Una oportunidad para la EPS en la escuela.
Salud 2.0 : Una oportunidad para la EPS en la escuela.
 
Being Pavan Kota
Being Pavan KotaBeing Pavan Kota
Being Pavan Kota
 
Actividades plan de septiembre 2012
Actividades plan de septiembre 2012Actividades plan de septiembre 2012
Actividades plan de septiembre 2012
 
Knowledge Management: Introducción
Knowledge Management: IntroducciónKnowledge Management: Introducción
Knowledge Management: Introducción
 
Powerpoint animales carnívoros, herbívoros y omnívoros
Powerpoint animales carnívoros, herbívoros y omnívoros Powerpoint animales carnívoros, herbívoros y omnívoros
Powerpoint animales carnívoros, herbívoros y omnívoros
 
Fraude cibernético
Fraude cibernéticoFraude cibernético
Fraude cibernético
 
Diapo sena
Diapo senaDiapo sena
Diapo sena
 
Currículum vitae raul
Currículum vitae raulCurrículum vitae raul
Currículum vitae raul
 
El poder de la Mancha. Quijote News
El poder de la Mancha. Quijote NewsEl poder de la Mancha. Quijote News
El poder de la Mancha. Quijote News
 
Radiographic assessment in paediatric dentistry
Radiographic assessment in paediatric dentistryRadiographic assessment in paediatric dentistry
Radiographic assessment in paediatric dentistry
 
Tema 5. sinapsis
Tema 5. sinapsisTema 5. sinapsis
Tema 5. sinapsis
 

Similaire à Configuring asa site to-site vp ns

Public key authentication is the most secure colution and utilizes a.pdf
Public key authentication is the most secure colution and utilizes a.pdfPublic key authentication is the most secure colution and utilizes a.pdf
Public key authentication is the most secure colution and utilizes a.pdf
mohammadirfan136964
 
Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)
maunicmer
 
Virtual Private Network (VPN).
Virtual Private Network (VPN).Virtual Private Network (VPN).
Virtual Private Network (VPN).
Debasis Chowdhury
 

Similaire à Configuring asa site to-site vp ns (20)

Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
 
Insights of vpn
Insights of vpnInsights of vpn
Insights of vpn
 
Public key authentication is the most secure colution and utilizes a.pdf
Public key authentication is the most secure colution and utilizes a.pdfPublic key authentication is the most secure colution and utilizes a.pdf
Public key authentication is the most secure colution and utilizes a.pdf
 
Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)Open vpn feature_on_yealink_ip_phones_v80_60(1)
Open vpn feature_on_yealink_ip_phones_v80_60(1)
 
Virtual Private Network (VPN).
Virtual Private Network (VPN).Virtual Private Network (VPN).
Virtual Private Network (VPN).
 
Virtual private network feature and benefits
Virtual private network feature and benefitsVirtual private network feature and benefits
Virtual private network feature and benefits
 
Firewall vpn proxy
Firewall vpn proxyFirewall vpn proxy
Firewall vpn proxy
 
Squid server
Squid serverSquid server
Squid server
 
Firewalls
FirewallsFirewalls
Firewalls
 
Azure Networking (1).pptx
Azure Networking (1).pptxAzure Networking (1).pptx
Azure Networking (1).pptx
 
Husky VPN.pdf
Husky VPN.pdfHusky VPN.pdf
Husky VPN.pdf
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
Network security
Network securityNetwork security
Network security
 
online-module-guide.pdf
online-module-guide.pdfonline-module-guide.pdf
online-module-guide.pdf
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Network
 
10052016115136.pptx
10052016115136.pptx10052016115136.pptx
10052016115136.pptx
 
Azure vnet
Azure vnetAzure vnet
Azure vnet
 
SECURITY PROTOCOLS.ppt
SECURITY PROTOCOLS.pptSECURITY PROTOCOLS.ppt
SECURITY PROTOCOLS.ppt
 
Io t security and azure sphere
Io t security and azure sphereIo t security and azure sphere
Io t security and azure sphere
 
Virtual private network
Virtual private network Virtual private network
Virtual private network
 

Plus de chiensy

Vostro 14-5468-laptop owner's manual-en-us
Vostro 14-5468-laptop owner's manual-en-usVostro 14-5468-laptop owner's manual-en-us
Vostro 14-5468-laptop owner's manual-en-us
chiensy
 
Zimbra guide admin_anglais_uniquement
Zimbra guide admin_anglais_uniquementZimbra guide admin_anglais_uniquement
Zimbra guide admin_anglais_uniquement
chiensy
 
Lab linux phan iv
Lab linux phan ivLab linux phan iv
Lab linux phan iv
chiensy
 
Lab linux phan iii
Lab linux phan iiiLab linux phan iii
Lab linux phan iii
chiensy
 
Lab linux phan i, ii.doc
Lab linux phan i, ii.docLab linux phan i, ii.doc
Lab linux phan i, ii.doc
chiensy
 
Xen server quick_installation_guide
Xen server quick_installation_guideXen server quick_installation_guide
Xen server quick_installation_guide
chiensy
 

Plus de chiensy (6)

Vostro 14-5468-laptop owner's manual-en-us
Vostro 14-5468-laptop owner's manual-en-usVostro 14-5468-laptop owner's manual-en-us
Vostro 14-5468-laptop owner's manual-en-us
 
Zimbra guide admin_anglais_uniquement
Zimbra guide admin_anglais_uniquementZimbra guide admin_anglais_uniquement
Zimbra guide admin_anglais_uniquement
 
Lab linux phan iv
Lab linux phan ivLab linux phan iv
Lab linux phan iv
 
Lab linux phan iii
Lab linux phan iiiLab linux phan iii
Lab linux phan iii
 
Lab linux phan i, ii.doc
Lab linux phan i, ii.docLab linux phan i, ii.doc
Lab linux phan i, ii.doc
 
Xen server quick_installation_guide
Xen server quick_installation_guideXen server quick_installation_guide
Xen server quick_installation_guide
 

Dernier

Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Christo Ananth
 

Dernier (20)

The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and Properties
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 

Configuring asa site to-site vp ns

  • 1. Configuring ASA Site-To-Site VPN Contents Purpose:............................................................................................................................................2 Background: ......................................................................................................................................2 Outside:.....................................................................................................................................................2 Inside:........................................................................................................................................................3 DMZ:..........................................................................................................................................................3 VPN:..................................................................................................................................................3 ASA VPN Types: .................................................................................................................................3 Clientless VPN: ..........................................................................................................................................3 Any Connect VPN:.....................................................................................................................................4 Site-to-Site VPN:........................................................................................................................................4 There are two types of site-to-site VPNs:.............................................................................................4 ASDM:...............................................................................................................................................4 Learning 
Objectives:...........................................................................................................................5 Network Diagram:..............................................................................................................................6 Lab: ...................................................................................................................................................6 Task 1: Configure all other devices except the ASA..................................................................................6 PC’s and servers:...................................................................................................................................6 ISP:.........................................................................................................................................................6 R1: .........................................................................................................................................................7 R2: .........................................................................................................................................................7 Task 2: Create an MS Loopback interface.................................................................................................8 Task 3: Add the ASA device to GNS3.........................................................................................................9 Local Site. ..........................................................................................................................................9 Task 4: Install ASDM on the ASA device....................................................................................................9 Task 5: Configure the ASA using ASDM...................................................................................................11 Step 1: Basic configuration. 
................................................................................................................11 Step 2: Create a global service policy. ................................................................................................17 Step 3: Configure the dmz. .................................................................................................................19 Step 4: Create an Access Rule.............................................................................................................22
  • 2. Task 6: Verifying the Local configuration................................................................................................24 Remote Site.....................................................................................................................................25 Task 7: Install ASDM on the ASA device..................................................................................................25 Task 8: Configure the ASA using ASDM.................................................................................................26 Step 1: Basic configuration.................................................................................................................26 Step 2: Create a global service policy. ...............................................................................................31 Task 9: Verifying the Remote configuration..........................................................................................33 Configure the Site-To-Site VPN .........................................................................................................33 Local site. ........................................................................................................................................34 Remote site. ....................................................................................................................................40 Verifying the VPN configuration .......................................................................................................47 Purpose: The purpose of this lab is to provide a more advanced understanding of Cisco’s ASA 5520 Adaptive Security Appliance; The Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. 
In this lab we will use GNS3 to learn how to configure the ASA as a basic Firewall with the addition of a third zone referred to as a DMZ and finally we will create a site-to-site VPN between the sites. This knowledge is essential to passing the CCNP Security exam and will be used in daily in your position as a Cisco network engineer. Background: In this lab we will be using GNS3 and ASDM to model a network with LOCAL and REMOTE site. Each of these sites will have access to the internet. The local site will also have a DMZ zone that can be access by any outside device as well as inside devices, but will not be able to connect to any inside device. In addition to this we will create a site-to-site VPN between the local site and remote site. Before we continue with our lab let’s take a look at some basic interface being used in this lab. Outside: The outside interface is a public untrusted zone commonly used to connect to public address within the internet. Devices within this zone cannot access devices in the inside or DMZ without permission.
  • 3. Inside: The inside interface is a private trusted interface generally used for local devices using a private address space. To access public address in the outside the private address will need to be translated using NAT or PAT. Device can access devices in the outside or DMZ unless restricted. DMZ: In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical sub network that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network. VPN: VPNs allow employees to securely access their company's intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo restrictions and censorship, and to connect to proxy servers for the purpose of protecting personal identity and location. ASA VPN Types: There are basically three types of VPN available to the Cisco ASA product line they are as follows: Clientless VPN: Clientless SSL VPN enables end users to securely access resources on the corporate network from anywhere using an SSL-enabled Web browser. The user first authenticates with a Clientless SSL VPN gateway, which then allows the user to access pre-configured network resources. Clientless SSL VPN creates a secure, remote-access VPN tunnel to an ASA using a Web browser without requiring a software or hardware client. It provides secure and easy access to a broad range of Web resources and both web-enabled and legacy applications from almost any device that can connect to the Internet via HTTP. 
They include: • Internal websites. • Web-enabled applications. • NT/Active Directory file shares. • email proxies, including POP3S, IMAP4S, and SMTPS. • Microsoft Outlook Web Access Exchange Server 2000, 2003, and 2007. • Microsoft Web App to Exchange Server 2010 in 8.4(2) and later.
  • 4. • Application Access (smart tunnel or port forwarding access to other TCP-based applications) Clientless SSL VPN uses Secure Sockets Layer Protocol and its successor, Transport Layer Security (SSL/TLS1) to provide the secure connection between remote users and specific, supported internal resources that you configure at an internal server. The ASA recognizes connections that must be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. The network administrator provides access to resources by users of Clientless SSL VPN sessions on a group basis. Users have no direct access to resources on the internal network. Any Connect VPN: Cisco AnyConnect is an app designed to let you connect securely to VPNs. This is an app for enterprise users who need a secure way to connect to a VPN at their place of work. Coming from a trusted name like Cisco, the app provides a level of safety and security that should be welcome by those who have need of such an app. Site-to-Site VPN: A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world. There are two types of site-to-site VPNs: • Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN. • Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. 
This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets. Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it could use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote- access VPN. Dedicated VPN client equipment, described later in this article, can accomplish this goal in a site-to-site VPN. ASDM: Cisco’s ASDM is a simple, GUI-Based Firewall Appliance Management tool that is user friendly and allows the user to configure, monitor, and troubleshoot Cisco firewall appliances and
  • 5. firewall service modules. Ideal for small or simple deployments, the Cisco Adaptive Security Device Manager provides the following:  Setup wizards that help you configure and manage Cisco firewall devices, including the Cisco ASA Adaptive Security Appliances, Cisco PIX appliances, and Cisco Catalyst 6500 Series Firewall Services Modules without cumbersome command-line scripts  Powerful real-time log viewer and monitoring dashboards that provides an at-a-glance view of firewall appliance status and health  Handy troubleshooting features and powerful debugging tools such as packet trace and packet capture. Learning Objectives:  Add the ASA to GNS3.  Configure MS Loopback Interface.  Install and configure ASDM.  Use ASDM to configure the ASA.  Configure a DMZ  Configure a Site-to-Site VPN
Network Diagram:

Lab:

Task 1: Configure all other devices except the ASA.
In this part of our lab we will configure the routers, PCs and servers as shown in the network diagram.
Note: In this lab, routers are used to simulate the INTERNET, DMZ, and LOCAL servers and the REMOTE and LOCAL PCs.

PCs and servers:
1. Configure the INTERNET, DMZ, and LOCAL servers and the REMOTE and LOCAL PCs as shown in the network diagram.
2. Configure a default route on the above devices.

ISP:
1. Configure the ISP as follows:
ISP#config t
ISP(config)#interface FastEthernet0/0
ISP(config-if)#ip address 209.165.200.9 255.255.255.248
ISP(config-if)#no shutdown
ISP(config-if)#exit
!
! Serial1/0 is the link to R1 (10.1.1.0/30)
ISP(config)#interface serial1/0
ISP(config-if)#ip address 10.1.1.2 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
!
! Serial1/1 is the link to R2 (10.2.2.0/30); R2's default route points at 10.2.2.2
ISP(config)#interface serial1/1
ISP(config-if)#ip address 10.2.2.2 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
!
ISP(config)#ip route 209.165.200.224 255.255.255.248 10.1.1.1
ISP(config)#ip route 209.165.200.232 255.255.255.248 10.2.2.1
ISP(config)#exit
ISP#wr

R1:
1. Configure R1 as follows:
R1#config t
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 209.165.200.226 255.255.255.248
R1(config-if)#no shutdown
R1(config-if)#exit
!
R1(config)#interface serial1/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
!
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1(config)#exit
R1#wr

R2:
1. Configure R2 as follows:
R2#config t
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 209.165.200.233 255.255.255.248
R2(config-if)#no shutdown
R2(config-if)#exit
!
R2(config)#interface serial1/1
R2(config-if)#ip address 10.2.2.1 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
!
R2(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R2(config)#exit
R2#wr

Task 2: Create an MS Loopback interface.
The Microsoft Loopback Adapter is a dummy network card; no hardware is involved. It is used as a testing tool for a virtual network environment where network access is not available. You can bind network clients, protocols, and other network configuration items to the Loopback adapter.
1. In the host operating system, right-click My Computer, and then select Properties. Depending on the style of the Start menu, My Computer may be located in the Start menu.
2. In the System Properties dialog box, on the Hardware tab, click Add Hardware Wizard.
3. In the Add Hardware dialog box, click Next.
4. When the Is the hardware connected? dialog box appears, click Yes, I have already connected the hardware, and then click Next.
5. In the Installed hardware list, click Add a new hardware device, and then click Next.
6. In the What do you want the wizard to do? list, click Install the hardware that I manually select from a list (Advanced), and then click Next.
7. In the Common hardware types list, click Network adapters, and then click Next.
8. In the Manufacturer list, click Microsoft.
9. In the Network Adapter list, click Microsoft Loopback Adapter, and then click Next twice.
10. If a message about driver signing appears, click Continue Anyway.
11. In the Completing the Add Hardware Wizard dialog box, click Finish, and then click OK.
12. Reboot the computer.
13. On the host operating system, open Network Connections, right-click the local area connection for Microsoft Loopback Adapter, and then select Properties.
14. In the Microsoft Loopback Adapter Properties dialog box, verify that the Virtual Machine Network Services check box is selected.
15. Click Internet Protocol (TCP/IP), and then click Properties.
16. On the General tab, click Use the following IP address, and then type the IP address 192.168.2.10 and subnet mask 255.255.255.0.
17. Click OK, and then click Close.
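The router addressing in Task 1 is easy to mistype, and a wrong address on a point-to-point link fails silently in GNS3 (the interface comes up, but pings never return). The following Python script is an added example, not part of the lab: it encodes the ISP, R1 and R2 interfaces and static routes from the configs above (with the ISP's Serial1/1 taken as 10.2.2.2, the far end of R2's default route, which is an assumption) and checks the plan for duplicate addresses, static routes whose next hop is not on a connected subnet, and next hops that no device in the lab owns. The with_mistyped_serial function builds a constructed variant in which Serial1/1 repeats the Serial1/0 address, to show what each check catches.

```python
"""Sanity check for the Task 1 addressing plan (added example, not part of the lab).

The interface addresses and static routes below are constructed from the
ISP, R1 and R2 configs above. Three checks cover the mistakes that make a
GNS3 lab fail silently: an address configured on two interfaces, a static
route whose next hop is not on a connected subnet, and a next hop that no
router in the lab actually owns.
"""
from copy import deepcopy
from ipaddress import ip_address, ip_interface, ip_network

# Constructed from the Task 1 configs; ISP Serial1/1 = 10.2.2.2 is an assumption.
LAB = {
    "ISP": {
        "interfaces": {"FastEthernet0/0": "209.165.200.9/29",
                       "Serial1/0": "10.1.1.2/30",
                       "Serial1/1": "10.2.2.2/30"},
        "routes": [("209.165.200.224/29", "10.1.1.1"),
                   ("209.165.200.232/29", "10.2.2.1")],
    },
    "R1": {
        "interfaces": {"FastEthernet0/0": "209.165.200.226/29",
                       "Serial1/0": "10.1.1.1/30"},
        "routes": [("0.0.0.0/0", "10.1.1.2")],
    },
    "R2": {
        "interfaces": {"FastEthernet0/0": "209.165.200.233/29",
                       "Serial1/1": "10.2.2.1/30"},
        "routes": [("0.0.0.0/0", "10.2.2.2")],
    },
}


def duplicate_addresses(lab):
    """Addresses configured on more than one interface anywhere in the lab."""
    owners = {}
    for router, cfg in lab.items():
        for ifname, addr in cfg["interfaces"].items():
            owners.setdefault(ip_interface(addr).ip, []).append(f"{router}:{ifname}")
    return sorted(str(ip) for ip, where in owners.items() if len(where) > 1)


def unreachable_next_hops(lab):
    """Static routes whose next hop is not on one of the router's own connected subnets."""
    bad = []
    for router, cfg in lab.items():
        connected = [ip_interface(a).network for a in cfg["interfaces"].values()]
        for prefix, nh in cfg["routes"]:
            ip_network(prefix)  # raises ValueError on a malformed prefix
            if not any(ip_address(nh) in net for net in connected):
                bad.append((router, prefix, nh))
    return bad


def unowned_next_hops(lab):
    """Static routes pointing at an address that no device in the lab has configured."""
    owned = {ip_interface(a).ip for cfg in lab.values() for a in cfg["interfaces"].values()}
    return [(router, prefix, nh) for router, cfg in lab.items()
            for prefix, nh in cfg["routes"] if ip_address(nh) not in owned]


def with_mistyped_serial(lab):
    """Constructed variant: ISP Serial1/1 given the same address as Serial1/0."""
    broken = deepcopy(lab)
    broken["ISP"]["interfaces"]["Serial1/1"] = "10.1.1.2/30"
    return broken


if __name__ == "__main__":
    for name, plan in (("lab", LAB), ("mistyped", with_mistyped_serial(LAB))):
        print(name, duplicate_addresses(plan), unreachable_next_hops(plan), unowned_next_hops(plan))
```

Run it before bringing the topology up; the mistyped variant reports the duplicate 10.1.1.2, the ISP route to R2 with no connected path, and R2's default route pointing at an address nobody owns, which is exactly the combination that leaves one site unreachable from the other.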
Task 3: Add the ASA device to GNS3.
1. Copy the ASA842.zip file included with this lab into the GNS3 image directory.
2. Unzip the ASA842.zip file.
3. Open Edit -> Preferences -> Qemu and click the ASA tab.
4. Enter an Identifier name; I used "ASA-5520".
5. Enter 1024 in RAM.
6. Enter the following for Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
7. Enter the paths where you placed the files from step 1 into the designated boxes for Initrd and Kernel.
8. Enter the following for Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
9. Leave all other options at their defaults.
10. Click the Save button, then click OK.
11. Copy the ASDM lab.zip file to the GNS3 project directory.
12. Extract the ASDM lab.zip file.
13. Open the lab topology.
14. Once the ASA is up, enter enable and then enter one of the following to activate features:
activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Local Site.

Task 4: Install ASDM on the ASA device.
1. If you don't already have a TFTP server installed, you can download and install the Cisco TFTP server available with this lab.
2. In the ASA console enter the following:
ciscoasa# config t
ciscoasa(config)# hostname ASA1
ASA1(config)# int gi 5
ASA1(config-if)# ip address 192.168.2.1 255.255.255.0
ASA1(config-if)# nameif management
ASA1(config-if)# no shut
3. Ping the Windows loopback adapter from the ASA firewall to test connectivity.
4. If you don't already have the ASDM, download the ASDM647 included with this lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:
ASA1# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM during the next boot:
ASA1# config t
ASA1(config)# asdm image flash:asdm-647.bin
ASA1(config)# http server enable
ASA1(config)# http 192.168.2.10 255.255.255.255 management
ASA1(config)# username admin password cisco privilege 15
7. When the copy is complete, save your configuration using the 'wr' command and then reload the firewall using the 'reload' command.
Note: to complete the next step, you will need to disable or configure your PC firewall. You may also need to disable the popup blocker in your browser and in the Java configuration. Lastly, you may need to add https://192.168.2.1 to the trusted sites under the Internet security options. You may also need to install the certificate in your browser.
8. Open your browser, browse to https://192.168.2.1 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the name admin and password cisco.
Task 5: Configure the ASA using ASDM.

Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter the hostname ASA1 and the domain name Local, and click Next.
5. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet0
Interface name: outside
Security level: 0
IP address: 209.165.200.226
Subnet mask: 255.255.255.248
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet1
Interface name: inside
Security level: 0
IP address: 192.168.20.1
Subnet mask: 255.255.255.0
9. Click OK.
10. Highlight GigabitEthernet2 and click Edit.
11. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet2
Interface name: dmz
Security level: 0
IP address: 172.16.1.1
Subnet mask: 255.255.255.0
12. Click OK.
13. Click Next.
14. Click Add and enter the following:
Interface: inside
Network: any
Gateway IP: 209.165.200.225
15. Click OK.
16. Click Next.
17. Enable the DHCP server on the inside interface.
18. Enter the starting IP address 192.168.10.10 and the ending IP address 192.168.10.100.
19. Click Next.
20. Select Use the IP address on GigabitEthernet0 interface.
21. Click Next.
22. Click Next.
23. Click Next.
24. Select Do not enable Smart Call Home and click Next.
25. Verify the configuration.
26. Click Finish.
27. Select Send.

Step 2: Create a global service policy.
1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global, make the policy name global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules:
• DNS
• ESMTP
• FTP
• H.323 H.225
• HTTP
• ICMP
• IP-OPTIONS
• NETBIOS
8. Click Finish.
9. Click Apply.
10. Click Send.

Step 3: Configure the DMZ.
1. From the Firewall drop-down select Network Object/Group.
2. Click Add and select Network Object.
3. In the Network Object window enter the following:
Name: inside-subnet
Type: Network
IP Address: 192.168.1.0
Netmask: 255.255.255.0
4. Click NAT and select Add Automatic Address Translation Rule.
5. Select the Type Dynamic.
6. Select the Translation Address outside.
7. Click Advanced.
8. Select the Source Interface inside and the Destination Interface outside.
9. Click OK.
10. From the Firewall drop-down select Network Object/Group.
11. Click Add and select Network Object.
12. In the Network Object window enter the following:
Name: dmz-subnet
Type: Network
IP Address: 172.16.1.0
Netmask: 255.255.255.0
13. Click NAT and select Add Automatic Address Translation Rule.
14. Select the Type Dynamic.
15. Select the Translation Address outside.
16. Click Advanced.
17. Select the Source Interface dmz and the Destination Interface outside.
18. Click OK.
19. Click OK.
20. Click Add and select Network Object.
21. In the Network Object window enter the following:
Name: dmz-host-ext
Type: Host
IP Address: 209.165.200.229
22. Click OK.
23. Click Add and select Network Object.
24. In the Network Object window enter the following:
Name: dmz-host-int
Type: Host
IP Address: 172.16.1.200
25. Click NAT and select Add Automatic Address Translation Rule.
26. Select the Type Static.
27. Select the Translation Address dmz-host-ext.
28. Click Advanced.
29. Select the Source Interface dmz and the Destination Interface outside.
30. Click OK.
31. Click OK.
32. Click Apply.
33. Click Send.

Step 4: Create an Access Rule.
1. From Firewall select Access Rules.
2. Highlight outside (0 implicit incoming rules).
3. Click Add, select Add Access Rule and enter the following:
• Interface: outside
• Action: Permit
• Source: any
• Destination: dmz-host-int
• Services: tcp/ftp, tcp/ftp-data, tcp/http, tcp/https, tcp/ssh, tcp/telnet
4. Click OK.
5. Click Apply.
6. Click Send.
7. From the menu bar click Save.
8. Click Send.

Task 6: Verifying the Local configuration.
1. From LOCAL-PC, Telnet to the INTERNET server using the username admin and the password cisco.
2. Enter exit.
3. From LOCAL-PC, Telnet to the DMZ server using the username admin and the password cisco.
4. Enter exit.
5. From the DMZ server, Telnet to the INTERNET server using the username admin and the password cisco.
6. Enter exit.
7. Ensure you cannot Telnet to LOCAL-PC or the LOCAL server from the DMZ.
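The Telnet checks in Task 6 (and the remote-side checks in Task 9) exercise three ASA behaviours: with no access list on the ingress interface, traffic is allowed only from a higher security level to a lower one; once an access list is applied inbound (Step 4 above), that list decides, with an implicit deny at its end; and on ASA 8.3 and later the access list is matched against real, untranslated addresses, which is why the rule's destination is dmz-host-int rather than the public address. The following Python model is an added example, not part of the lab and not ASA code. The security levels it uses (inside 100, dmz 50, outside 0) and the inside subnet 192.168.10.0/24 (taken from the DHCP range and the LOCAL server address used in the verification steps) are assumptions of the model, as is the REMOTE-PC source address, which is written as ASA2's outside address because ASA2 translates it before it reaches ASA1.

```python
"""Model of the ASA forwarding decisions behind the Task 6 / Task 9 checks.

Added example, not the lab's own code. Security levels, the inside subnet and
the translated REMOTE-PC source are assumptions noted in the comments.
"""
from ipaddress import ip_address, ip_network

SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # assumed conventional values

# Interface lookup by real (untranslated) address; anything not listed is reached via outside.
ZONES = [("inside", ip_network("192.168.10.0/24")),   # assumption, see lead-in
         ("dmz", ip_network("172.16.1.0/24"))]

# Static NAT from Task 5, Step 3: dmz-host-ext <-> dmz-host-int.
STATIC_NAT = {ip_address("209.165.200.229"): ip_address("172.16.1.200")}

# Access rule from Task 5, Step 4, applied inbound on outside (ports of the listed services).
ACCESS_RULES = {
    "outside": [
        {"action": "permit", "src": ip_network("0.0.0.0/0"),
         "dst": ip_network("172.16.1.200/32"), "proto": "tcp",
         "ports": {20, 21, 22, 23, 80, 443}},
    ],
}


def zone_of(ip):
    """Interface a real address lives behind."""
    for name, net in ZONES:
        if ip in net:
            return name
    return "outside"


def is_allowed(src, dst, proto="tcp", dport=23):
    """Decide the initiating packet of a flow; return traffic rides the connection table."""
    src = ip_address(src)
    dst = STATIC_NAT.get(ip_address(dst), ip_address(dst))  # un-NAT before the ACL lookup
    ingress, egress = zone_of(src), zone_of(dst)
    if ingress == egress:
        return True  # same segment: the ASA is not in the path
    acl = ACCESS_RULES.get(ingress)
    if acl is not None:
        for rule in acl:
            if (src in rule["src"] and dst in rule["dst"]
                    and proto == rule["proto"] and dport in rule["ports"]):
                return rule["action"] == "permit"
        return False  # implicit deny at the end of an applied access list
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


def verification_matrix():
    """The Telnet checks of Task 6 and Task 9; REMOTE-PC appears as ASA2's outside address (assumed)."""
    remote_pc = "209.165.200.234"
    return {
        "LOCAL-PC -> INTERNET server": is_allowed("192.168.10.10", "209.165.200.11"),
        "LOCAL-PC -> DMZ server": is_allowed("192.168.10.10", "172.16.1.200"),
        "DMZ server -> INTERNET server": is_allowed("172.16.1.200", "209.165.200.11"),
        "DMZ server -> LOCAL-PC": is_allowed("172.16.1.200", "192.168.10.10"),
        "REMOTE-PC -> DMZ server public address": is_allowed(remote_pc, "209.165.200.229"),
        "REMOTE-PC -> LOCAL-PC": is_allowed(remote_pc, "192.168.10.10"),
        "REMOTE-PC -> DMZ server SMTP (not in the rule)": is_allowed(remote_pc, "209.165.200.229", dport=25),
    }


if __name__ == "__main__":
    for flow, allowed in verification_matrix().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {flow}")
```

The model covers the firewall policy before the VPN exists; once the tunnel is up, the VPN traffic is handled by the crypto map and the wizard's bypass options rather than by this matrix. Its value is in the negative cases: the DMZ cannot open a connection to the inside, and an outside host reaches the DMZ server only on the ports the rule lists.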
Remote Site.

Task 7: Install ASDM on the ASA device.
1. If you don't already have a TFTP server installed, you can download and install the Cisco TFTP server available with this lab.
2. In the ASA console enter the following:
ciscoasa# config t
ciscoasa(config)# hostname ASA2
ASA2(config)# int gi 5
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# nameif management
ASA2(config-if)# no shut
3. Ping the Windows loopback adapter from the ASA firewall to test connectivity.
4. If you don't already have the ASDM, download the ASDM647 included with this lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:
ASA2# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM during the next boot:
ASA2# config t
ASA2(config)# asdm image flash:asdm-647.bin
ASA2(config)# http server enable
ASA2(config)# http 192.168.2.10 255.255.255.255 management
ASA2(config)# username admin password cisco privilege 15
7. When the copy is complete, save your configuration using the 'wr' command and then reload the firewall using the 'reload' command.
Note: to complete the next step, you will need to disable or configure your PC firewall. You may also need to disable the popup blocker in your browser and in the Java configuration. Lastly, you may need to add https://192.168.2.2 to the trusted sites under the Internet security options. You may also need to install the certificate in your browser.
8. Open your browser, browse to https://192.168.2.2 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the name admin and password cisco.
Task 8: Configure the ASA using ASDM.

Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter the hostname ASA1 and the domain name Local, and click Next.
5. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet0
Interface name: outside
Security level: 0
IP address: 209.165.200.226
Subnet mask: 255.255.255.248
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet1
Interface name: inside
Security level: 0
IP address: 192.168.20.1
Subnet mask: 255.255.255.0
9. Click OK.
10. Click Next.
11. Click Add and enter the following:
Interface: inside
Network: any
Gateway IP: 209.165.200.225
12. Click OK.
13. Click Next.
14. Enable the DHCP server on the inside interface.
15. Enter the starting IP address 192.168.0.10 and the ending IP address 192.168.10.100.
16. Click Next.
17. Select Use the IP address on GigabitEthernet0 interface.
18. Click Next.
19. Click Next.
20. Click Next.
21. Select Do not enable Smart Call Home and click Next.
22. Verify the configuration.
23. Click Finish.
24. Select Send.

Step 2: Create a global service policy.
1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global, make the policy name global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules:
• DNS
• ESMTP
• FTP
• H.323 H.225
• HTTP
• ICMP
• IP-OPTIONS
• NETBIOS
8. Click Finish.
9. Click Apply.
10. Click Send.

Task 9: Verifying the Remote configuration.
1. From REMOTE-PC, Telnet to the INTERNET server using the username admin and the password cisco.
2. Enter exit.
3. From REMOTE-PC, Telnet to the DMZ server's outside address 209.165.200.229 using the username admin and the password cisco.
4. Enter exit.
5. Ensure you cannot Telnet to LOCAL-PC or the LOCAL server from REMOTE-PC.

Configure the Site-To-Site VPN
For this part of our lab we will be using ASDM to configure the Local and Remote sides of our Site-To-Site VPN.
Local site.
1. Open your browser, browse to https://192.168.2.1 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the name admin and password cisco.
3. From the menu bar select Wizards.
4. From the drop-down select VPN Wizards and select Site-to-Site VPN Wizard.
5. Click Next.
6. Enter the outside address of ASA2 as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click Next.
11. From the Local Network drop-down select inside-subnet as the Local Network.
12. Select the Remote Network drop-down.
13. Click Add, select Network Object and enter the following:
Name: remote-subnet
Type: Network
IP Address: 192.168.20.0
Netmask: 255.255.255.0
14. Click OK.
15. Select remote-subnet as the Remote Network.
16. Click Next.
17. Enter cisco as the Pre-shared Key.
18. Click Next.
19. Take the defaults for the IKE policy and IPsec Proposal.
20. Click Next.
21. Check the remaining 2 boxes.
22. Click Next.
23. Ensure the configuration is OK and click Finish.
24. Click Send.
This completes the site-to-site VPN configuration on the Local site.

Remote site.
1. Open your browser, browse to https://192.168.2.2 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the name admin and password cisco.
3. From the menu bar select Wizards.
4. From the drop-down select VPN Wizards and select Site-to-Site VPN Wizard.
5. Enter the outside address of ASA1 as the Peer IP Address.
6. Ensure the VPN Access Interface is outside.
7. Click Next.
8. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
9. Click Next.
10. From the Local Network drop-down select inside-subnet as the Local Network.
11. Select the Remote Network drop-down.
12. Click Add, select Network Object and enter the following:
Name: remote-subnet
Type: Network
IP Address: 192.168.10.0
Netmask: 255.255.255.0
13. Click OK.
14. Select remote-subnet as the Remote Network.
15. Click Next.
16. Enter cisco as the Pre-shared Key.
17. Click Next.
18. Take the defaults for the IKE policy and IPsec Proposal.
19. Click Next.
20. Check the remaining 2 boxes.
21. Click Next.
22. Ensure the configuration is OK and click Finish.
This completes the site-to-site VPN configuration on the Remote site.

Verifying the VPN configuration
1. From REMOTE-PC, telnet to the LOCAL server 192.168.10.200 using the username admin and password cisco.
2. Type exit.
3. From REMOTE-PC, telnet to the INTERNET server 209.165.200.11 using the username admin and password cisco.
4. Type exit.
5. From REMOTE-PC, telnet to the DMZ server 209.165.200.229 using the username admin and password cisco.
6. Type exit.
7. From the INTERNET server, ensure you cannot access the inside of the LOCAL or REMOTE site.
8. From the command prompt of ASA2, issue the following commands and observe the outputs.

ASA2# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.165.200.226
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

ASA2# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234

      access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 209.165.200.226

      #pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
      #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 201, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 209.165.200.234/0, remote crypto endpt.: 209.165.200.226/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 36C6AFF0
      current inbound spi : DCCD0B9F

    inbound esp sas:
      spi: 0xDCCD0B9F (3704425375)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373992/28356)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x36C6AFF0 (918990832)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373991/28356)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object inside-subnet object remote-subnet (hitcnt=3) 0x6742cde6
  access-list outside_cryptomap line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=5) 0x6742cde6

ASA2# sh vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
Site-to-Site VPN               :      1 :          1 :           1
  IKEv1 IPsec                  :      1 :          1 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :      0
Device Load                  :     0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
IKEv1                          :      1 :          1 :           1
IPsec                          :      1 :          1 :           1
---------------------------------------------------------------------------
Totals                         :      2 :          2
---------------------------------------------------------------------------
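Reading these outputs by eye works for one tunnel; the following Python script is an added example, not part of the lab, that turns the checks into code. It embeds a trimmed copy of the ASA2 output above as constructed sample input, parses the IKEv1 SA and the IPsec SA, and reports the conditions a practitioner looks at first: an IKE SA in state MM_ACTIVE with the configured peer, local and remote identities that match the wizard's network objects, packets both encapsulated and decapsulated, and the expected transform. The mirror_ok function checks the rule that each ASA's local/remote network pair must be the reverse of its peer's; the expected networks and peer passed to tunnel_findings are taken from ASA2's crypto ACL above, and the finding texts are this example's own wording.

```python
"""Checks over 'show crypto' output (added example, not part of the lab).

Samples are constructed from the ASA2 output above, trimmed to the lines
the checks use. Expected values come from the site-to-site wizard entries.
"""
import re
from ipaddress import ip_network

ISAKMP_SAMPLE = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.165.200.226
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
"""

IPSEC_SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234

      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 209.165.200.226

      #pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
      #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151

      current outbound spi: 36C6AFF0
      current inbound spi : DCCD0B9F

    inbound esp sas:
      spi: 0xDCCD0B9F (3704425375)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
    outbound esp sas:
      spi: 0x36C6AFF0 (918990832)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
"""


def parse_isakmp(text):
    """One dict per IKEv1 peer block of 'show crypto isakmp sa'."""
    pattern = (r"IKE Peer:\s*(\S+)\s+Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)"
               r"\s+Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")
    return [dict(zip(("peer", "type", "role", "rekey", "state"), m.groups()))
            for m in re.finditer(pattern, text)]


def parse_ipsec(text):
    """Identities, counters and SA parameters from 'show crypto ipsec sa'."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    ident = r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+\)"
    local = re.search(r"local ident[^:]*:\s*" + ident, text)
    remote = re.search(r"remote ident[^:]*:\s*" + ident, text)
    return {
        "peer": grab(r"current_peer:\s*(\S+)"),
        "local_net": ip_network(f"{local.group(1)}/{local.group(2)}"),
        "remote_net": ip_network(f"{remote.group(1)}/{remote.group(2)}"),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "transforms": set(re.findall(r"transform:\s*(.+?)\s+no compression", text)),
        "pfs_group": grab(r"PFS Group (\d+)", int),
        "inbound_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)"),
        "outbound_spi": grab(r"current outbound spi\s*:\s*([0-9A-Fa-f]+)"),
    }


def mirror_ok(asa1_networks, asa2_networks):
    """Each side's (local, remote) pair must be the reverse of the other's."""
    a_local, a_remote = map(ip_network, asa1_networks)
    b_local, b_remote = map(ip_network, asa2_networks)
    return a_local == b_remote and a_remote == b_local


def tunnel_findings(isakmp_text, ipsec_text, expected_peer, expected_local, expected_remote):
    """Return a list of problems; an empty list means the tunnel looks healthy."""
    findings = []
    ike = [p for p in parse_isakmp(isakmp_text) if p["peer"] == expected_peer]
    if not ike:
        findings.append(f"no IKEv1 SA with peer {expected_peer}: check the peer address and pre-shared key")
    elif ike[0]["state"] != "MM_ACTIVE":
        findings.append(f"IKE SA with {expected_peer} stuck in {ike[0]['state']}")
    sa = parse_ipsec(ipsec_text)
    if sa["peer"] != expected_peer:
        findings.append(f"IPsec SA peer {sa['peer']} differs from configured peer {expected_peer}")
    if (sa["local_net"], sa["remote_net"]) != (ip_network(expected_local), ip_network(expected_remote)):
        findings.append("crypto ACL identities do not match the wizard's local/remote network objects")
    if not sa["encaps"]:
        findings.append("no packets encapsulated: traffic never matched the crypto ACL")
    elif not sa["decaps"]:
        findings.append("packets sent but none received: peer's crypto ACL or NAT exemption is probably not a mirror image")
    if sa["transforms"] != {"esp-aes esp-sha-hmac"}:
        findings.append(f"unexpected transform set(s): {sorted(sa['transforms'])}")
    return findings
```

The encaps/decaps split is the most useful single signal: a counter pair where encaps climbs while decaps stays at zero means the local side is sending but nothing comes back, which points at the peer's crypto ACL, NAT exemption or routing rather than at the local configuration.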