ASA 8.4 Activation in GNS3: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

This document provides configuration instructions for setting up different security zones, interfaces, and policies on an ASA firewall running in GNS3. It covers an outside interface connected to the Internet, an inside interface connected to an internal LAN, a DMZ interface, NAT, ICMP inspection, activation keys, a site-to-site VPN between two networks, and a remote-access VPN for clients.

ASA 8.4 ACTIVATION IN GNS3

QEMU options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=655

http://www.filedropper.com/asa842-initrd
http://www.filedropper.com/asa842-vmlinuz

LAB NETWORK

(Diagram: the ASA joins three zones)
  DMZ (de-militarized zone)
  OUTSIDE (Internet)
  INSIDE (LAN)

ZONES

interface GigabitEthernet0
 nameif outside
 ip address 200.54.0.2 255.255.255.248
!
interface GigabitEthernet1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 200.54.0.1

(The slide sets no explicit security-level on these two interfaces: nameif outside and nameif inside assign levels 0 and 100 by default.)

NAT

object network inside
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

Verification
# show xlate
# show conn
# debug icmp trace

SERVICE POLICY

ICMP inspection, so that echo replies from outside are matched to the outbound echo requests and let back in:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

# ping 4.2.2.2 repeat 1000

DMZ

interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
object network DMZ
 subnet 10.10.10.0 255.255.255.0
 nat (dmz,outside) dynamic 200.54.0.3

# ping 4.2.2.2 repeat 1000

PUBLIC DMZ SERVER

object network server_dmz
 host 10.10.10.5
 nat (dmz,outside) static 200.54.0.4
access-list desde_outside permit tcp any host 10.10.10.5 eq telnet
!
access-group desde_outside in interface outside

In ASA 8.3 and later the ACL references the real address (10.10.10.5), not the mapped one (200.54.0.4). Note that this rule exposes Telnet to any source on the Internet; Telnet is cleartext, so outside a lab restrict the source and use SSH instead.

VERIFYING ZONES WITH DIFFERENT SECURITY LEVELS

ciscoasa# packet-tracer input dmz icmp 10.10.10.5 8 0 192.168.0.5 detailed
(an echo request is ICMP type 8, code 0)

R1#ping 10.10.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 seconds:
!!!!!

R4#ping 192.168.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.5, timeout is 2 seconds:
.....

The ping from inside (level 100) to the DMZ server (level 50) succeeds through the default higher-to-lower permit; the ping from the DMZ (level 50) towards inside (level 100) is dropped until an ACL applied inbound on dmz permits it:

access-list desde_dmz extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group desde_dmz in interface dmz

Caveat: binding an access-group inbound on dmz replaces the implicit level-based permit for that interface with the ACL's implicit deny at the end, so DMZ hosts lose the Internet reachability tested earlier (ping 4.2.2.2) unless desde_dmz also permits that traffic.
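To make the rule behind these results explicit, here is an added Python model of the ASA forwarding decision (example code written for this page, not code from the slides or from Cisco). It takes the three interfaces, their security levels and the desde_dmz ACL from the slides; the simplified ACE structure, the packet_tracer name, the default-route fallback and the test flows are assumptions of the example. It reproduces the two pings above and the caveat: once the ACL is bound on dmz, dmz-to-outside traffic is denied too.

```python
"""Model of how an ASA decides whether to forward a flow between interfaces.

Added example; not code from the original slides. It encodes two ASA rules:
  1. With no inbound access-group on the ingress interface, a flow is allowed
     only from a higher security level to a lower one (equal levels are
     denied unless same-security-traffic is permitted, which it is not here).
  2. Once an access-group is bound inbound on the ingress interface, that ACL
     alone decides, with an implicit deny at its end.
Interface names, levels and addresses come from the slides; the ACE
representation and the flows are constructed for this example.
Stateful return traffic and NAT are out of scope.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    security_level: int
    network: ipaddress.IPv4Network   # directly connected subnet


@dataclass
class Ace:
    """One access-list entry; proto 'ip' matches every protocol."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, src_ip, dst_ip):
        return (self.proto in ("ip", proto)
                and src_ip in self.src and dst_ip in self.dst)


@dataclass
class Asa:
    interfaces: dict                                    # name -> Interface
    access_groups: dict = field(default_factory=dict)   # ingress name -> [Ace]
    default_route: str = "outside"                      # route outside 0.0.0.0 0.0.0.0 ...

    def _interface_for(self, ip):
        for itf in self.interfaces.values():
            if ip in itf.network:
                return itf
        return None

    def packet_tracer(self, proto, src, dst):
        """Return (allowed, reason) for a flow src -> dst of protocol proto."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ingress = self._interface_for(src_ip)
        if ingress is None:
            raise ValueError(f"{src} is not on a connected network")
        # Destinations off any connected subnet follow the default route.
        egress = self._interface_for(dst_ip) or self.interfaces[self.default_route]
        acl = self.access_groups.get(ingress.name)
        if acl is None:
            allowed = ingress.security_level > egress.security_level
            reason = (f"no ACL on {ingress.name}: level {ingress.security_level} "
                      f"-> {egress.security_level} {'permit' if allowed else 'deny'}")
        else:
            allowed, reason = False, f"implicit deny at end of ACL on {ingress.name}"
            for ace in acl:
                if ace.matches(proto, src_ip, dst_ip):
                    allowed = ace.action == "permit"
                    reason = f"ACE: {ace.action} {ace.proto} {ace.src} {ace.dst}"
                    break
        return allowed, f"{ingress.name} -> {egress.name}: {reason}"


def build_asa():
    """The three zones from the slides (outside 0, inside 100, dmz 50)."""
    net = ipaddress.ip_network
    return Asa(interfaces={
        "outside": Interface("outside", 0, net("200.54.0.0/29")),
        "inside": Interface("inside", 100, net("192.168.0.0/24")),
        "dmz": Interface("dmz", 50, net("10.10.10.0/24")),
    })


def apply_desde_dmz(asa):
    """access-list desde_dmz ... / access-group desde_dmz in interface dmz"""
    net = ipaddress.ip_network
    asa.access_groups["dmz"] = [
        Ace("permit", "ip", net("10.10.10.0/24"), net("192.168.0.0/24")),
    ]
    return asa


if __name__ == "__main__":
    asa = build_asa()
    for flow in [("192.168.0.5", "10.10.10.5"), ("10.10.10.5", "192.168.0.5"),
                 ("10.10.10.5", "4.2.2.2")]:
        print(asa.packet_tracer("icmp", *flow))
    apply_desde_dmz(asa)
    for flow in [("10.10.10.5", "192.168.0.5"), ("10.10.10.5", "4.2.2.2")]:
        print(asa.packet_tracer("icmp", *flow))
```

Run it and compare with the real packet-tracer output: the model answers the same three questions the ASA does (which interface the packet enters, whether an ACL is bound there, and otherwise which side has the higher level), which is enough to predict the R1 and R4 results and the loss of DMZ Internet access after desde_dmz is applied.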

ACTIVATION KEY FOR SECURITY FEATURES

(Option 1) ciscoasa(config)# activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5

(Option 2) ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
ciscoasa(config)# wr        (write memory: save the configuration)
ciscoasa(config)# exit

VPN SITE TO SITE

object network local_192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 description For NAT exempt
!
object network remote_192.168.100.0
 subnet 192.168.100.0 255.255.255.0
 description remote subnet for Site2
!
access-list crypto-access permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

Identity NAT so that traffic for the tunnel is not translated by the dynamic PAT before it reaches the crypto map (twice NAT is evaluated before the object NAT defined earlier):

nat (inside,outside) source static local_192.168.0.0 local_192.168.0.0 destination static remote_192.168.100.0 remote_192.168.100.0 no-proxy-arp

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address crypto-access
crypto map outside_map 1 set peer 190.208.0.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 (the remaining attributes of policy 10 are not shown on the slide)
tunnel-group 190.208.0.2 type ipsec-l2l
tunnel-group 190.208.0.2 ipsec-attributes
 ikev1 pre-shared-key cisco123

The pre-shared key cisco123 and the 3DES/SHA-1 transform set are lab values; for anything beyond the lab use a long random key and AES with SHA-2.
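The most common reason a tunnel like this never comes up is that the identity NAT rule does not cover the crypto ACL, so the dynamic PAT rewrites the source first and nothing matches outside_map. Here is an added Python check for that condition (example code written for this page, not code from the slides or from Cisco). It parses the object, object-group, access-list and twice-NAT lines shown on the slide; the parser, the function names, and the deliberately broken second configuration are assumptions of the example.

```python
"""Check that a site-to-site crypto ACL is fully covered by identity
(NAT-exempt) twice-NAT rules.

Added example; not code from the original slides. If an ACE of the crypto
ACL is not matched by a 'source static X X destination static Y Y' rule,
the dynamic PAT from the earlier slide rewrites the source address first and
the packet never matches the crypto map. The parser below handles only the
object / object-group / access-list / nat lines used on the page.
SITE_CONFIG is the slide's own configuration; BROKEN_CONFIG is constructed
for the example by leaving the exemption out.
"""
import ipaddress
import re

NAT_EXEMPT_RE = re.compile(
    r"nat \((\w+),(\w+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
ACE_RE = re.compile(
    r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")


def _net(addr, mask):
    # ipaddress accepts dotted netmasks ("192.168.0.0/255.255.255.0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (objects, exemptions, acls).

    objects:    name -> [IPv4Network]      (object network / object-group network)
    exemptions: [(src_object, dst_object)] identity twice-NAT rules only
    acls:       name -> [(src_net, dst_net)] permit-ip entries only
    """
    objects, exemptions, acls = {}, [], {}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] in ("object", "object-group") and words[1] == "network":
            current = words[2]
            objects.setdefault(current, [])
        elif words[0] in ("subnet", "network-object") and current:
            objects[current].append(_net(words[1], words[2]))
        elif words[0] == "host" and current:
            objects[current].append(ipaddress.ip_network(words[1]))
        elif words[0] == "nat":
            m = NAT_EXEMPT_RE.match(raw.strip())
            # identity rule: real and mapped objects are the same on both sides
            if m and m.group(3) == m.group(4) and m.group(5) == m.group(6):
                exemptions.append((m.group(3), m.group(5)))
        elif words[0] == "access-list":
            m = ACE_RE.match(raw.strip())
            if m:
                acls.setdefault(m.group(1), []).append(
                    (_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
    return objects, exemptions, acls


def uncovered_aces(text, acl_name):
    """ACEs of acl_name ('src -> dst' strings) that no identity NAT rule covers."""
    objects, exemptions, acls = parse_config(text)
    missing = []
    for src, dst in acls[acl_name]:
        covered = any(
            any(n.supernet_of(src) for n in objects.get(s_obj, []))
            and any(n.supernet_of(dst) for n in objects.get(d_obj, []))
            for s_obj, d_obj in exemptions)
        if not covered:
            missing.append(f"{src} -> {dst}")
    return missing


# Copied from the site-to-site slide.
SITE_CONFIG = """\
object network local_192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 description For NAT exempt
object network remote_192.168.100.0
 subnet 192.168.100.0 255.255.255.0
 description remote subnet for Site2
access-list crypto-access permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside,outside) source static local_192.168.0.0 local_192.168.0.0 destination static remote_192.168.100.0 remote_192.168.100.0 no-proxy-arp
"""

# Constructed for the example: same objects and crypto ACL, exemption left out.
BROKEN_CONFIG = "\n".join(
    line for line in SITE_CONFIG.splitlines() if not line.startswith("nat "))

if __name__ == "__main__":
    print("site config, uncovered:", uncovered_aces(SITE_CONFIG, "crypto-access"))
    print("broken config, uncovered:", uncovered_aces(BROKEN_CONFIG, "crypto-access"))
```

On the ASA itself the equivalent check is show nat detail (the identity rule must appear in section 1, before the dynamic interface PAT) together with packet-tracer from an inside host to the remote subnet, which should end in the VPN encrypt phase rather than a translated source address.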

VPN CLIENT (IPsec remote access with IKEv1)

crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
ip local pool client_pool 192.168.1.1-192.168.1.5 mask 255.255.255.248
access-list split_tunnel_acl standard permit 192.168.100.0 255.255.255.0
!
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
tunnel-group ipsec_ra_tunnel type remote-access
tunnel-group ipsec_ra_tunnel general-attributes
 address-pool client_pool
 default-group-policy ipsec_ra_policy
 authentication-server-group LOCAL
tunnel-group ipsec_ra_tunnel ipsec-attributes
 ikev1 pre-shared-key cisco
crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside

username operador password ultra_10

NAT exemption between the client pool and the protected network:

object-group network obj_192.168.1.1_248
 network-object 192.168.1.0 255.255.255.248
object-group network obj_192.168.100.0_24
 network-object 192.168.100.0 255.255.255.0
nat (inside,outside) source static obj_192.168.100.0_24 obj_192.168.100.0_24 destination static obj_192.168.1.1_248 obj_192.168.1.1_248 no-proxy-arp route-lookup

Two things to check before reusing this slide. First, the dynamic map is attached at sequence 65535 so that the static site-to-site entry (sequence 1) in outside_map is evaluated first; keep it the highest sequence. Second, the split-tunnel ACL and the NAT exemption both name 192.168.100.0/24 as the protected network, which is the inside network of the second site, not the 192.168.0.0/24 configured on the ASA above; on that ASA substitute 192.168.0.0/24 in both places. The pre-shared key cisco and the password ultra_10 are lab values only.