Cisco ASA5505

WAN / LAN:

# Note: GigabitEthernet1/x interface names belong to the ASA 5506-X family; an ASA 5505 instead
# uses switchports Ethernet0/0-0/7 with routed interfaces Vlan1 (inside) and Vlan2 (outside).
interface GigabitEthernet1/1                           # Description
 description WAN
 nameif outside
 security-level 0                                      # 0 = untrusted: nothing reaches inside without an ACL
 ip address 213.168.x.x 255.255.255.192
!
interface GigabitEthernet1/2
 description LAN
 nameif inside
 security-level 100                                    # 100 = most trusted: inside->outside is permitted by default
 ip address 192.168.1.1 255.255.255.0

NAT masquerade (dynamic PAT to the outside interface address):

nat (inside,outside) after-auto source dynamic any interface   # section 3 rule: the manual NAT rules below (port forwards, VPN exemption) are matched first

NAT port forwarding (twice NAT, 8.3+ style):

object network SERVER
 host 192.168.1.2
object service SRC-HTTP
 service tcp source eq www
object service SRC-HTTPS
 service tcp source eq https

# dst-nat: on 8.3+ the ACL matches the real (untranslated) address, so reference the SERVER object, not the outside IP
access-list OUTSIDE extended permit tcp any object SERVER eq www
access-list OUTSIDE extended permit tcp any object SERVER eq https

# src-nat (keeps the service port unchanged): the service objects say "source" because in the
# (inside,outside) direction SERVER is the source; the same rule is applied in reverse to inbound traffic
nat (inside,outside) source static SERVER interface service SRC-HTTP SRC-HTTP
nat (inside,outside) source static SERVER interface service SRC-HTTPS SRC-HTTPS

access-group OUTSIDE in interface outside   # only these two ports are exposed; any other traffic from outside is dropped

DNS client:

dns domain-lookup outside     # allow DNS queries out of the outside interface (public servers)
dns domain-lookup inside      # allow DNS queries out of the inside interface (internal server)
dns server-group DefaultDNS
 name-server 192.168.1.2      # Active Directory, queried first
 name-server 8.8.8.8          # fallback

Czech local time (CET/CEST):

clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

ntp server x.x.x.x            # accurate time matters for log timestamps and certificate validation

Logging:

logging enable
logging timestamp
logging buffer-size 512000
logging buffered informational   # in-memory buffer only: it is lost on reload, so ship logs to a syslog host for incident work
logging asdm informational

Allowing ICMP (stateful inspection):

policy-map global_policy
 class inspection_default
  inspect icmp                   # tracks echo requests so replies to inside hosts return without an outside ACL entry

Management:

enable password ***********
username admin password ********* privilege 15
aaa authentication ssh console LOCAL        # SSH logins use the local user database; without a matching
                                            # "aaa authentication http console LOCAL" ASDM falls back to the enable password

http server enable
http 192.168.1.0 255.255.255.0 inside
http 213.168.x.x 255.255.255.255 outside   # allow ASDM access from one specific address only

ssh 213.168.x.x 255.255.255.255 outside    # allow SSH access from one specific address only
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30                             # idle timeout in minutes
ssh version 2
ssh key-exchange group dh-group1-sha1      # 1024-bit DH group 1 is weak; prefer dh-group14-sha1 (2048-bit) where the software supports it

no call-home reporting anonymous            # disable anonymous usage reporting to Cisco

IPsec site-to-site VPN (IKEv1):

object network VPNCLA
 subnet 192.168.20.0 255.255.255.0
object network LAN
 subnet 192.168.1.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip object LAN object VPNCLA   # interesting traffic for the tunnel

access-list no_nat extended permit ip object LAN object VPNCLA   # pre-8.3 style NAT exemption; not referenced on 8.3+, the identity NAT rule below does the job

nat (inside,outside) source static LAN LAN destination static VPNCLA VPNCLA no-proxy-arp route-lookup   # NAT exemption for VPN traffic; a manual (section 1) rule, so it wins over the after-auto PAT

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac   # 3DES/SHA-1 is legacy; use esp-aes-256 esp-sha-hmac (or IKEv2 with sha-256 integrity) if the peer supports it

crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 213.168.x.x
crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpool policy                 # default line, harmless
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des                           # legacy; aes-256 preferred
 hash sha                                  # SHA-1; IKEv1 offers nothing stronger here, IKEv2 policies allow sha256
 group 2                                   # 1024-bit DH; use group 14 (or an ECDH group with IKEv2)
 lifetime 86400

tunnel-group 213.168.x.x type ipsec-l2l
tunnel-group 213.168.x.x ipsec-attributes
 ikev1 pre-shared-key *****                # use a long random PSK; it is the only authentication for this tunnel