Cisco ASA in CCIE Security Version 3 Lab

11:58:00 AM    No comments

Basic Initialization

hostname ASA1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0

logging console warnings
logging trap debugging
logging host inside 10.1.1.100
logging enable

Access Management

telnet 10.1.1.100 255.255.255.255 inside

ssh 10.1.1.0 255.255.255.0 outside
ssh timeout 5

Address Translation

access-list NONAT extended permit ip host 8.8.8.8 host 4.4.4.4

global (outside) 1 65.1.200.21-65.1.200.25 netmask 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 65.1.15.251 10.1.1.251 netmask 255.255.255.255 (Access from outside to inside server)
static (outside,inside) 10.1.1.5 65.1.15.5 netmask 255.255.255.255 (Access from inside to outside server)

ACLs

Firewall transparent (transparent firewall mode)

access-list OUTSIDE extended permit eigrp host 150.100.3.4 any
access-list OUTSIDE extended permit icmp any any
access-list INSIDE extended permit tcp 150.100.3.0 255.255.255.0 any eq www
access-list INSIDE extended permit tcp 150.100.3.0 255.255.255.0 any eq https
access-list INSIDE extended permit tcp 150.100.3.0 255.255.255.0 any eq telnet
access-list INSIDE extended permit eigrp host 150.100.3.254 any
access-list INSIDE extended permit icmp any any
access-list INSIDE extended permit udp 150.100.3.0 255.255.255.0 any eq domain

access-group OUTSIDE in interface outside
access-group INSIDE in interface inside

IP Routing

route outside 0.0.0.0 0.0.0.0 192.1.12.2 1
route inside 10.3.3.0 255.255.255.0 10.2.2.5 1

router rip
network 65.0.0.0
network 192.168.6.0
passive-interface default
no passive-interface outside
no passive-interface inside
version 2

router ospf 1
network 65.1.15.101 255.255.255.255 area 2
router-id 11.11.11.11
log-adj-changes
default-information originate always

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.1.15.101 255.255.255.0
ospf message-digest-key 1 md5
ospf authentication message-digest


Object Groups

object-group protocol PROTOS
protocol-object gre
object-group icmp-type ICMP_ECHO
icmp-object echo
icmp-object echo-reply
object-group service MGMT_PORTS tcp
port-object eq telnet
port-object eq ssh

access-list OUTSIDE extended permit icmp any any object-group ICMP_ECHO
access-list OUTSIDE extended permit tcp any any object-group MGMT_PORTS
access-list OUTSIDE extended permit object-group PROTOS any any
!

access-group OUTSIDE in interface outside
VLANs

interface Ethernet0/0.55
vlan 55
nameif DMZ55
security-level 50
ip address 192.168.5.10 255.255.255.0 standby 192.168.5.11
!
interface Ethernet0/2
!
interface Ethernet0/2.10
description LAN Failover Interface
vlan 550
!
interface Ethernet0/2.20
description STATE Failover Interface
vlan 560

AAA

aaa-server TAC protocol tacacs+
aaa-server TAC host 10.1.1.100
key ipexpert
aaa authentication telnet console TAC

aaa authentication include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TAC
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TAC
aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TAC
aaa authentication include tcp/4515 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TAC

aaa-server RAD protocol radius
aaa-server RAD (dmz) host 10.1.200.251
key cisco

aaa authentication telnet console RAD LOCAL
aaa accounting telnet console RAD

telnet 10.1.33.3 255.255.255.255 inside


VPNs

crypto ipsec transform-set MYTRANS esp-3des esp-sha-hmac
crypto map MYMAP 10 match address L2L
crypto map MYMAP 10 set connection-type answer-only
crypto map MYMAP 10 set peer 192.1.12.15
crypto map MYMAP 10 set transform-set MYTRANS
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.1.12.15 type ipsec-l2l
tunnel-group 192.1.12.15 ipsec-attributes
pre-shared-key *

access-list L2L extended permit ip host 192.1.49.55 10.1.1.0 255.255.255.0

EZVPN

group-policy EZGroup internal
group-policy EZGroup attributes
wins-server value 10.2.2.175
dns-server value 10.2.2.175
vpn-idle-timeout 30
default-domain value ipexpert.net
username cisco password 3USUcOPFUiMCO4Jk encrypted

crypto ipsec transform-set MYTRANSFORM esp-des esp-md5-hmac
crypto dynamic-map MYDYN 5 set transform-set MYTRANSFORM
crypto map MYMAP 50 ipsec-isakmp dynamic MYDYN
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group EZGroup type ipsec-ra
tunnel-group EZGroup general-attributes
address-pool MYpool
default-group-policy EZGroup
tunnel-group EZGroup ipsec-attributes
pre-shared-key *

WebVPN

http server enable
http redirect outside 80

webvpn
enable outside

username lab2 password cisco encrypted

Filtering

filter java 80 10.1.11.0 255.255.255.0 10.1.5.0 255.255.255.0
filter java 8080 10.1.11.0 255.255.255.0 10.1.5.0 255.255.255.0
filter activex 80 10.1.11.0 255.255.255.0 10.1.5.0 255.255.255.0
filter activex 8080 10.1.11.0 255.255.255.0 10.1.5.0 255.255.255.0
Failover

Active/Standby

ASA1

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.1.15.101 255.255.255.0 standby 65.1.15.102
no shut
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 150.100.1.101 255.255.255.0 standby 150.100.1.102
no shut
!
interface GigabitEthernet0/3
description STATE Failover Interface
no shut
!
interface Management0/0
description LAN Failover Interface
no shut

failover lan unit primary
failover lan interface FAILOVER_LAN Management0/0
failover key luan
failover replication http
failover link STATEFUL_LAN GigabitEthernet0/3
failover interface ip FAILOVER_LAN 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL_LAN 1.1.1.5 255.255.255.252 standby 1.1.1.6
failover

ASA2:

failover
failover lan unit secondary
failover lan interface FAILOVER_LAN Management0/0
failover key luan
failover interface ip FAILOVER_LAN 1.1.1.1 255.255.255.252 standby 1.1.1.2

Layer 2 Transparent Firewall

firewall transparent
interface GigabitEthernet0/0.3
vlan 31
!
interface GigabitEthernet0/0.33
vlan 32
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/1.3
vlan 311
!
interface GigabitEthernet0/1.33
vlan 321

context custa
allocate-interface GigabitEthernet0/0.3
allocate-interface GigabitEthernet0/1.3
config-url disk0:/custa.cfg
!
context custb
allocate-interface GigabitEthernet0/0.33
allocate-interface GigabitEthernet0/1.33
config-url disk0:/custb.cfg

ip address 65.1.201.103 255.255.255.0 - Need IP address for L2 Transparent Firewall to work

Security Contexts (Virtual Firewall)

context custa
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/2
config-url disk0:/custa.cfg
!
context custb
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/3
config-url disk0:/custb.cfg

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.1.99.101 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 10.1.1.101 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.1.101.101 255.255.255.0

custa-context

global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 access-list DMZ outside
static (dmz,outside) 65.1.99.253 10.1.1.253 netmask 255.255.255.255
static (dmz,outside) 65.1.99.251 10.1.1.251 netmask 255.255.255.255

access-list DMZ extended permit ip any host 65.1.99.253
access-list DMZ extended permit ip any host 65.1.99.251

route outside 0.0.0.0 0.0.0.0 65.1.99.6 1

access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended permit tcp any host 65.1.99.253 eq www
access-list OUTSIDE extended permit udp any host 65.1.99.253 eq ntp
access-list OUTSIDE extended permit tcp any host 65.1.99.251 eq tacacs
access-list OUTSIDE extended permit udp any host 65.1.99.251 eq radius
access-list OUTSIDE extended permit udp any host 65.1.99.251 eq radius-acct

access-group OUTSIDE in interface outside

custb-context

access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended deny ip any any log

access-list INSIDE extended permit tcp 10.1.101.0 255.255.255.0 host 6.6.6.6 eq www
access-list INSIDE extended permit icmp any any

access-group OUTSIDE in interface outside

access-group INSIDE in interface inside

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 65.1.99.6 1

Modular Policy Framework

class-map FTP
match port tcp eq ftp
class-map inspection_default
match default-inspection-traffic
class-map VOIP-SIG
match dscp af31
class-map VOIP-DATA
match dscp ef

policy-map VOIP-FTP
class VOIP-DATA
priority
class VOIP-SIG
priority
class FTP
police input 1000000 32000

service-policy VOIP-FTP interface outside

priority-queue outside
Application-Aware Inspection
High Availability Scenarios
QoS Policies

class-map class_ftp
match port tcp eq 2021
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
class class_ftp
inspect ftp
!
service-policy global_policy global
Other Advanced Features

arp outside 10.5.5.5 0012.8031.e118
arp inside 10.5.5.100 0003.6beb.1360
arp timeout 14400

MAC Aging

mac-address-table static outside 0012.8031.e118
mac-address-table static inside 0003.6beb.1360

ARP Spoofing

arp-inspection outside enable no-flood
arp-inspection inside enable no-flood

BGP passthrough

access-list OUTSIDE extended permit tcp host 10.1.11.1 host 10.1.11.254 eq bgp

static (inside,outside) 10.1.11.254 150.100.1.254 netmask 255.255.255.255
static (outside,inside) 150.100.1.1 10.1.11.1 netmask 255.255.255.255
access-group OUTSIDE in interface outside

Deny/Inspect SNMP

snmp-map NO_SNMP_V1
deny version 1

policy-map global_policy
inspect snmp NO_SNMP_V1

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

About US

Network Bulls is Best Institute for Cisco CCNA, CCNA Security, CCNA Voice, CCNP, CCNP Security, CCNP Voice, CCIP, CCIE RS, CCIE Security Version 4 and CCIE Voice Certification courses in India. Network Bulls is a complete Cisco Certification Training and Course Coaching Institute in Gurgaon/Delhi NCR region in India. Network Bulls has Biggest Cisco Training labs in India. Network Bulls offers all Cisco courses on Real Cisco Devices. Network Bulls has Biggest Team of CCIE Trainers in North India, with more than 90% of passing rate in First Attempt for CCIE Security Version 4 candidates.
  • Biggest Cisco Training Labs in India
  • More than 90% Passing Rate in First Attempt
  • CCIE Certified Trainers for All courses
  • 24x7 Lab Facility
  • 100% Job Guaranteed Courses
  • Awarded as Best Network Security Institute in 2011 by Times
  • Only Institute in India, to provide CCIE Security Version 4.0 Training
  • CCIE Security Version 4 Training available
  • Latest equipments available for CCIE Security Version 4

Network Bulls Institute Gurgaon

Network Bulls Institute in Gurgaon is one of the best Cisco Certifications Training Centers in India. Network Bulls has Biggest Networking Training and Networking courses labs in North India. Network Bulls is offering Cisco Training courses on real Cisco Routers and Switches. Labs of Network Bulls Institute are 24x7 Available. There are many coaching Centers in Delhi, Gurgaon, Chandigarh, Jaipur, Surat, Mumbai, Bangalore, Hyderabad and Chennai, who are offering Cisco courses, but very few institutes out of that big list are offering Cisco Networking Training on real Cisco devices, with Live Projects. Network Bulls is not just an institute. Network Bulls is a Networking and Network Security Training and consultancy company, which is offering Cisco certifications Training as well support too. NB is awarded in January 2012, by Times, as Best Network Security and Cisco Training Institute for the year 2011. Network Bulls is also offering Summer Training in Gurgaon and Delhi. Network Bulls has collaboration with IT companies, from which Network Bulls is offering Networking courses in Summer Training and Industrial Training of Btech BE BCA MCA students on real Live projects. Job Oriented Training and Industrial Training on Live projects is also offered by network bulls in Gurgaon and Delhi NCR region. Network Bulls is also providing Cisco Networking Trainings to Corporates of Delhi, Gurgaon, bangalore, Jaipur, Nigeria, Chandigarh, Mohali, Haryana, Punjab, Bhiwani, Ambala, Chennai, Hyderabad.
Cisco Certification Exams are also conducted by Network Bulls in its Gurgaon Branch.
Network Bulls don't provide any Cisco CCNA, CCNP simulations for practice. They Provide High End Trainings on Real topologies for high tech troubleshooting on real Networks. There is a list of Top and best Training Institutes in India, which are providing CCNA and CCNP courses, but NB has a different image from market. Many students has given me their feedbacks and reviews about Network bulls Institute, but there were no complaints about any fraud from this institute. Network Bulls is such a wonderful place to get trained from Industry expert Trainers, under guidance of CCIE Certified Engineers.

About Blog

This Blog Contains Links shared by sites: Cisco Guides, Dumps collection, Exam collection, Career Cert, Ketam Mehta, GodsComp.co.cc.

NB

NB
Cisco Networking Certifications Training

Cisco Training in Delhi

ccna training in gurgaon. ccnp course institute in gurgaon, ccie coaching and bootcamp training near gurgaon and delhi. best institute of ccna course in delhi gurgaon india. network bulls provides ccna,ccnp,ccsp,ccie course training in gurgaon, new delhi and india. ccsp training new delhi, ccie security bootcamp in delhi.

Testimonials : Network Bulls

My Name is Rohit Sharma and i Have done CCNA and CCNP Training in Gurgaon Center of Network Bulls and it was a great experience for me to study in Network Bulls.

Cisco Networking Certifications

Myself Komal Verma and i took CCSP Training from Network Bulls in Gurgaon. The day i joined Network Bulls, the day i get addicted with Networking Technologies and I thank Mr. Vikas Sheokand for this wonderful session of Networking. :)
I must say that Network Bulls is Best Institute of CCNA CCNP CCSP CCIE Course Training in Gurgaon, New Delhi and in India too.
Komal Verma

About a wonderfull CCIE Training Institute in Gurgaon

I am Kiran shah from New Delhi. I have recently completed my CCNA CCNP & CCIE Training in Gurgaon from Network Bulls and i recommend Network Bulls for Cisco Training in India.

Kiran Shah

Cisco Coaching and Learning Center

Disclaimer: This site does not store any files on its server. I only index and link to content provided by other sites. If you see any file on server that is against copy right you can inform me at (sidd12341 [at] gmail.com). I will delete that materials within two days. This Website is not official Website of any Institute like INE, Network Bulls, IP Expert. Thanks

CCIE Security Version 4

Cisco Finally updated CCIE Security Lab exam blueprint. WSA Ironport and ISE devices are added in CCIE Security Version 4 Lab Exam Syllabus Blueprint. In Updated CCIE Security Version 4 Syllabus blueprint, new technologies like Mobile Security, VoIP Security and IPV6 Security along with Network Security, are added. As in CCIE Security Version 3 blueprint, Cisco had focused on Network Security only, but now as per market demand, Cisco is looking forward to produce Internet gear Security Engineer, not only Network Security engineers.
In CCIE Security Version 4 Bluerpint, Lab Exam is going to be more interested than before. What is Difference in CCIE Security Version 3 and Version 4? Just go through the CCIE Security Version 4 Lab Equipment and Lab Exam Syllabus Blueprints and find out!