====== Cisco ASA5505 ======
* Can be configured with the ASDM application or over the CLI
* The CLI is less intuitive, but the resulting configuration is more readable
WAN / LAN:
<code>
interface GigabitEthernet1/1 # description
 description WAN
 nameif outside
 security-level 0
 ip address 213.168.x.x 255.255.255.192
!
interface GigabitEthernet1/2
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
</code>
NAT masquerade (PAT on the outside interface):
<code>
nat (inside,outside) after-auto source dynamic any interface
</code>
NAT port forward:
<code>
object network SERVER
 host 192.168.1.2
object service SRC-HTTP
 service tcp source eq www
object service SRC-HTTPS
 service tcp source eq https
# dst-nat
access-list OUTSIDE extended permit tcp any object SERVER eq www
access-list OUTSIDE extended permit tcp any object SERVER eq https
# src-nat (keeps the service port)
nat (inside,outside) source static SERVER interface service SRC-HTTP SRC-HTTP
nat (inside,outside) source static SERVER interface service SRC-HTTPS SRC-HTTPS
access-group OUTSIDE in interface outside
</code>
DNS client:
<code>
dns domain-lookup outside # allow DNS lookups to public servers
dns domain-lookup inside # allow DNS lookups to the internal server
dns server-group DefaultDNS
 name-server 192.168.1.2 # Active Directory
 name-server 8.8.8.8
</code>
Czech time (CET/CEST):
<code>
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ntp server x.x.x.x
</code>
Logging:
<code>
logging enable
logging timestamp
logging buffer-size 512000
logging buffered informational
logging asdm informational
</code>
Allowing ICMP (stateful ICMP inspection, so replies to outbound pings are let back in):
<code>
policy-map global_policy
 class inspection_default
  inspect icmp
</code>
Management:
<code>
enable password ***********
username admin password ********* privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 213.168.x.x 255.255.255.255 outside # allow access from one specific address
ssh 213.168.x.x 255.255.255.255 outside # allow access from one specific address
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
no call-home reporting anonymous # disable anonymous statistics reporting to Cisco
</code>
IPsec site-to-site VPN:
<code>
object network VPNCLA
 subnet 192.168.20.0 255.255.255.0
object network LAN
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip object LAN object VPNCLA
access-list no_nat extended permit ip object LAN object VPNCLA
nat (inside,outside) source static LAN LAN destination static VPNCLA VPNCLA no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 213.168.x.x
crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 213.168.x.x type ipsec-l2l
tunnel-group 213.168.x.x ipsec-attributes
 ikev1 pre-shared-key *****
</code>
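The management and VPN sections above use settings that are now considered weak (3DES and SHA-1 in the IKEv1 policy and transform set, DH group 2, the 768-bit dh-group1-sha1 SSH key exchange) and expose SSH/ASDM on the outside interface. The Python audit script below is an added example, not part of this page's configuration and not a Cisco tool; it scans a saved ASA config for exactly those lines, and the embedded sample is constructed from the page's own snippets.

```python
import re

# Constructed sample in the layout of the page's config (addresses masked as on the page).
SAMPLE_CONFIG = """\
ssh 213.168.x.x 255.255.255.255 outside
ssh version 2
ssh key-exchange group dh-group1-sha1
http server enable
http 213.168.x.x 255.255.255.255 outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

# Per-line checks: (pattern, severity, finding); matched case-insensitively at line start.
LINE_CHECKS = [
    (r"^\s*encryption\s+3des\b", "high", "IKEv1 policy uses 3DES; prefer AES"),
    (r"^\s*crypto ipsec ikev1 transform-set\b.*\besp-3des\b", "high", "transform set uses 3DES; prefer AES"),
    (r"^\s*hash\s+sha\s*$", "medium", "IKEv1 policy uses SHA-1; prefer SHA-2"),
    (r"^\s*group\s+[125]\s*$", "medium", "IKEv1 DH group 1/2/5 (<=1536-bit); prefer group 14 or higher"),
    (r"^\s*ssh key-exchange group dh-group1-sha1\b", "high", "SSH KEX is 768-bit DH group 1; prefer dh-group14-sha1"),
    (r"^\s*(ssh|http)\s+\S+\s+\S+\s+outside\s*$", "info", "management access permitted from the outside interface"),
]

# Lines that should be present: (pattern, severity, finding reported when the line is missing).
REQUIRED = [
    (r"^\s*ssh version 2\s*$", "high", "'ssh version 2' is not set"),
    (r"^\s*logging enable\s*$", "low", "'logging enable' is not set"),
]


def audit_asa_config(text):
    """Return findings as (severity, line_number, message); line_number 0 marks a missing line."""
    findings = []
    lines = text.splitlines()
    for number, line in enumerate(lines, 1):
        for pattern, severity, message in LINE_CHECKS:
            if re.match(pattern, line, re.IGNORECASE):
                findings.append((severity, number, message))
    for pattern, severity, message in REQUIRED:
        if not any(re.match(pattern, line, re.IGNORECASE) for line in lines):
            findings.append((severity, 0, message))
    return findings


if __name__ == "__main__":
    for severity, number, message in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{severity}] line {number}: {message}")
```

Run it against the output of `show running-config` saved to a file; the sample yields three high, two medium, two info and one low finding (the missing `logging enable`).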