Differences

This shows you the differences between two versions of the page.

--- wiki:site:cisco:asa [2018/01/18 08:55]
root
+++ wiki:site:cisco:asa [2018/01/24 21:27] (current)
root
@@ Line 1: / Line 1: @@
+====== Cisco ASA5505 ======
+  * Lze konfigurovat aplikací ASDM nebo přes CLI
+  * CLI není tak intuitivní, zato je v něm pak čitelnější konfigurace
+WAN / LAN:
 <code bash>
 interface GigabitEthernet1/1                           # Popis
@@ Line 4: / Line 9: @@
  nameif outside
  security-level 0
- ip address 213.168.183.16 255.255.255.192
+ ip address 213.168.x.x 255.255.255.192
 !
 interface GigabitEthernet1/2
@@ Line 13: / Line 18: @@
 </code>
-<code>
+NAT maškaráda:
-: Saved
+<code bash>
+nat (inside,outside) after-auto source dynamic any interface
+</code>
-:
+NAT portforward:
-: Serial Number: *****************
+<code bash>
-: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
+object network SERVER
-:
-ASA Version 9.6(1)
-!
-hostname firewall
-enable password ************** encrypted
-names
-ip local pool VPNpool 192.168.5.1-192.168.5.50 mask 255.255.255.0
-!
-interface GigabitEthernet1/1
- description WAN
- nameif outside
- security-level 0
- ip address x.x.x.x y.y.y.y
-!
-interface GigabitEthernet1/2
- description LAN
- nameif inside
- security-level 100
- ip address 192.168.1.1 255.255.255.0
-!
-interface GigabitEthernet1/3
- shutdown
- no nameif
- no security-level
- no ip address
-!
-interface GigabitEthernet1/4
- shutdown
- no nameif
- no security-level
- no ip address
-!
-interface GigabitEthernet1/5
- shutdown
- no nameif
- no security-level
- no ip address
-!
-interface GigabitEthernet1/6
- shutdown
- no nameif
- no security-level
- no ip address
-!
-interface GigabitEthernet1/7
- shutdown
- no nameif
- no security-level
- no ip address
-!
-interface GigabitEthernet1/8
- shutdown
- no nameif
- no security-level
- no ip address
-!
-interface Management1/1
- management-only
- no nameif
- no security-level
- no ip address
-!
-ftp mode passive
-clock timezone CET 1
-clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
-dns domain-lookup outside
-dns domain-lookup inside
-dns server-group DefaultDNS
- name-server 192.168.1.2
- name-server 8.8.8.8
-object network obj_any
- subnet 0.0.0.0 0.0.0.0
-object network Server-AD
  host 192.168.1.2
 object service SRC-HTTP
@@ Line 98: / Line 31: @@
 object service SRC-HTTPS
  service tcp source eq https
-object service SRC-RDP
- service tcp source eq 3389
+# dst-nat
-object service SRC-SMTP
+access-list OUTSIDE extended permit tcp any object SERVER eq www
- service tcp source eq smtp
+access-list OUTSIDE extended permit tcp any object SERVER eq https
-object service SRC-SMTPS
- service tcp source eq 465
+# src-nat (zachování portu služby)
-object service SRC-IMAPV4
+nat (inside,outside) source static SERVER interface service SRC-HTTP SRC-HTTP
- service tcp source eq imap4
+nat (inside,outside) source static SERVER interface service SRC-HTTPS SRC-HTTPS
-object service SRC-IMAPV4S
- service tcp source eq 993
+access-group OUTSIDE in interface outside
-object network VPNCLA
+</code>
- subnet 192.168.20.0 255.255.255.0
-object network LAN
+DNS client:
- subnet 192.168.1.0 255.255.255.0
+<code bash>
-object network WAN-IP-16
+dns domain-lookup outside     # povoleni DNS dotazu na public servery
- host x.x.x.16
+dns domain-lookup inside      # povoleni DNS dotazu na vnitrni server
-object network WAN-IP-17
+dns server-group DefaultDNS
- host x.x.x.17
+ name-server 192.168.1.2      # Active Directory
-object network AnyVPN
+ name-server 8.8.8.8
- subnet 192.168.5.0 255.255.255.0
+</code>
-access-list OUTSIDE extended permit tcp any object Server-AD eq www
-access-list OUTSIDE extended permit tcp any object Server-AD eq https
+Český čas:
-access-list OUTSIDE extended permit tcp any object Server-AD eq 3389
+<code bash>
-access-list OUTSIDE extended permit tcp any object Server-AD eq smtp
+clock timezone CET 1
-access-list OUTSIDE extended permit tcp any object Server-AD eq 465
+clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
-access-list OUTSIDE extended permit tcp any object Server-AD eq 993
-access-list OUTSIDE extended permit tcp any object Server-AD eq imap4
+ntp server x.x.x.x
-access-list outside_cryptomap_20 extended permit ip object LAN object VPNCLA
+</code>
-access-list no_nat extended permit ip object LAN object VPNCLA
-access-list SPLIT standard permit 192.168.1.0 255.255.255.0
+Logování:
-pager lines 24
+<code bash>
 logging enable
 logging timestamp
 logging buffer-size 512000
 logging buffered informational
 logging asdm informational
-mtu outside 1500
+</code>
-mtu inside 1500
-icmp unreachable rate-limit 1 burst-size 1
+Povolení ICMP:
-no asdm history enable
+<code bash>
-arp timeout 14400
+policy-map global_policy
-no arp permit-nonconnected
+ class inspection_default
-nat (inside,outside) source static LAN LAN destination static VPNCLA VPNCLA no-proxy-arp route-lookup
+  inspect icmp
-nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-HTTP SRC-HTTP
+</code>
-nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-HTTPS SRC-HTTPS
-nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-RDP SRC-RDP
+Management:
-nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-SMTP SRC-SMTP
+<code bash>
-nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-SMTPS SRC-SMTPS
+enable password ***********
-nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-IMAPV4 SRC-IMAPV4
+username admin password ********* privilege 15
-nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-IMAPV4S SRC-IMAPV4S
-nat (inside,outside) source static LAN LAN destination static AnyVPN AnyVPN no-proxy-arp route-lookup
-!
-object network obj_any
- nat (any,outside) dynamic interface
-!
-nat (inside,outside) after-auto source dynamic any interface
-access-group OUTSIDE in interface outside
-route outside 0.0.0.0 0.0.0.0 213.168.183.1 1
-route inside 172.27.12.0 255.255.255.0 192.168.1.95 1
-route inside 192.168.30.0 255.255.255.0 192.168.1.95 1
-timeout xlate 3:00:00
-timeout pat-xlate 0:00:30
-timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
-timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
-timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
-timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
-timeout tcp-proxy-reassembly 0:01:00
-timeout floating-conn 0:00:00
-ldap attribute-map MAP-ANYCONNECT-LOGIN
-  map-name  memberOf Group-Policy
-  map-value memberOf CN=vpn_users,OU=skupiny,DC=DOMAIN,DC=local ANYCONNECT
-aaa-server LDAP protocol ldap
-aaa-server LDAP (inside) host 192.168.1.2
- ldap-base-dn DC=DOMAIN,DC=local
- ldap-scope subtree
- ldap-naming-attribute sAMAccountName
- ldap-login-password ***********
- ldap-login-dn DOMAIN\ciscoasa
- ldap-over-ssl enable
- server-type microsoft
- ldap-attribute-map MAP-ANYCONNECT-LOGIN
-user-identity default-domain LOCAL
 aaa authentication ssh console LOCAL
+http server enable
 http 192.168.1.0 255.255.255.0 inside
-http 213.168.186.2 255.255.255.255 outside
+http 213.168.x.x 255.255.255.255 outside   # povoleni pristupu z konkretni adresy
-no snmp-server location
-no snmp-server contact
+ssh 213.168.x.x 255.255.255.255 outside    # povoleni pristupu z konkretni adresy
-service sw-reset-button
+ssh 192.168.1.0 255.255.255.0 inside
-crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
+ssh timeout 30
+ssh version 2
+ssh key-exchange group dh-group1-sha1
+no call-home reporting anonymous                     # zákaz reportování statistik do cisca
+</code>
+IPSec Site-to-Site VPN:
+<code bash>
+object network VPNCLA
+ subnet 192.168.20.0 255.255.255.0
+object network LAN
+ subnet 192.168.1.0 255.255.255.0
+access-list outside_cryptomap_20 extended permit ip object LAN object VPNCLA
+access-list no_nat extended permit ip object LAN object VPNCLA
+nat (inside,outside) source static LAN LAN destination static VPNCLA VPNCLA no-proxy-arp route-lookup
 crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
-crypto ipsec security-association pmtu-aging infinite
 crypto map outside_map 20 match address outside_cryptomap_20
-crypto map outside_map 20 set peer r.r.r.r
+crypto map outside_map 20 set peer 213.168.x.x
 crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA
 crypto map outside_map interface outside
@@ Line 201: / Line 122: @@
  group 2
  lifetime 86400
-telnet timeout 5
-ssh stricthostkeycheck
-ssh s.s.s.s 255.255.255.255 outside
-ssh 192.168.1.0 255.255.255.0 inside
-ssh timeout 30
-ssh version 2
-ssh key-exchange group dh-group1-sha1
-console timeout 0
-dhcpd auto_config outside
+tunnel-group 213.168.x.x type ipsec-l2l
-!
+tunnel-group 213.168.x.x ipsec-attributes
-dhcpd address 192.168.1.5-192.168.1.254 inside
+ ikev1 pre-shared-key *****
-!
+</code>
-ntp server t.t.t.t
-webvpn
- enable outside
- anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
- anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2
- anyconnect image disk0:/anyconnect-linux-64-3.1.14018-k9.pkg 3
- anyconnect enable
- tunnel-group-list enable
- cache
-  disable
- error-recovery disable
-group-policy ANYCONNECT_NO_ACCESS internal
-group-policy ANYCONNECT_NO_ACCESS attributes
- vpn-simultaneous-logins 0
-group-policy ANYCONNECT internal
-group-policy ANYCONNECT attributes
- wins-server value 192.168.1.2
- dns-server value 192.168.1.2 8.8.8.8
- vpn-simultaneous-logins 25
- vpn-tunnel-protocol ssl-client ssl-clientless
- split-tunnel-policy tunnelspecified
- split-tunnel-network-list value SPLIT
- default-domain value DOMAIN.local
-dynamic-access-policy-record DfltAccessPolicy
-username admin password *************** encrypted privilege 15
-tunnel-group r.r.r.r type ipsec-l2l
-tunnel-group r.r.r.r ipsec-attributes
- ikev1 pre-shared-key ************
-tunnel-group ANYCONNECT_VPN type remote-access
-tunnel-group ANYCONNECT_VPN general-attributes
- address-pool VPNpool
- authentication-server-group LDAP
- default-group-policy ANYCONNECT_NO_ACCESS
-tunnel-group ANYCONNECT_VPN webvpn-attributes
- group-alias ANYCONNECT enable
-!
-class-map inspection_default
- match default-inspection-traffic
-!
-!
-policy-map type inspect dns preset_dns_map
- parameters
-  message-length maximum client auto
-  message-length maximum 512
-policy-map global_policy
- class inspection_default
-  inspect dns preset_dns_map
-  inspect ftp
-  inspect h323 h225
-  inspect h323 ras
-  inspect rsh
-  inspect rtsp
-  inspect esmtp
-  inspect sqlnet
-  inspect skinny
-  inspect sunrpc
-  inspect xdmcp
-  inspect sip
-  inspect netbios
-  inspect tftp
-  inspect ip-options
-  inspect icmp
-!
-service-policy global_policy global
-prompt hostname context
-no call-home reporting anonymous
-Cryptochecksum:2cf8158ddc1e00d83e2668756a68b974
-: end
-</code>

wiki.lkaplan.cz

User Tools

Site Tools

Differences

Page Tools