In today’s Practice Lab, I will configure the following:

- Configure basic ASA device and secure network management.

- Configure DHCP and NAT on the ASA device
- Configure the ASA firewall to implement security policies
- Configure a site-to-site IPsec VPN.
I have already configured the interfaces on the routers, and
configured static and default route.
On the description of this video, you will find two files, one for the
Packet Tracer’s source files, and the walk through documents.
If you want to know what had been configured on the device, just run
the command : show run, and scroll through the configurations.
if you like my videos, please subscribe to my channel, and share it on
your facebook page, and give me the thumbs up, and please let me
know if you have any suggestions, comments or questions, I will
gladly answer you back.
I will create new videos covering the changes to the CISCO exam with
practice labs. These videos should help students pass the exam. Let
me know if there are subjects you want me to cover.

I will configure the ASA device.

On the HQ-ASA:
# enable
# enter, no password is configured yet on the device.
# conf t
# username Admin1 password Admin1
# hostname HQ-ASA
# enable password cisco
I will configure the domain name as theccna.com, then I will configure
the inside, outside and dmz interfaces .
I will configure the domain name on the ASA device
# domain-name theccna.com
I will configure the inside with the following information
 VLAN 1 – IP address 192.168.10.1/24, nameif inside, security
level 100, and I will assign to E0/1
On the HQ-ASA:
# int vlan 1
# ip address 192.168.10.1 255.255.255.0
# no shut
# nameif inside
# security-level 100
# int e0/1
# switchport access vlan 1
# no shut
 VLAN 2 – IP address 209.165.200.253/28, nameif outside,
security-level 0 , assign to E0/0
# int vlan 2
# ip address 209.165.200.253 255.255.255.240
# no shut
# nameif outside
# security-level 0
# int e0/0
# switchport access vlan 2
# no shut
 VLAN 3 – IP Address 192.168.20.1/24, nameif dmz, security-level
70, assign to E0/2
# int vlan 3
# ip address 192.168.20.1 255.255.255.0
# no forward interface vlan 1
# nameif dmz
# security-level 70
# int e0/2
# switchport access vlan 3
# no shut
# exit

NEXT:
I will configure DHCP service on the ASA device for internal network.
On the HQ-ASA:
# dhcpd address 192.168.10.25-192.168.10.35 inside
DHCP service should provide DNS server (AAA/NTP/Syslog Svr)
information
# dhcpd dns 192.168.10.10
# dhcpd option 3 ip 192.168.10.1
# dhcpd enable inside
I will verify that the internal PCs, PC0 and PC1 received their IP
addresses from the DHCP server.

NEXT:
I will configure Secure Network Management for the ASA device.
I will enable the ASA device as an NTP client to the AAA/NTP/Syslog
server, and I will enable the authentication to the NTP server, and use
the authentication key 1 with the password (corpkey).
On the HQ-ASA:
# ntp authenticate
# ntp authentication-key 1 md5 corpkey
# ntp server 192.168.10.10 key 1

NEXT:
I will configure the ASA device with AAA authentication and verify its
functionality.

I will configure AAA to use the local database for SSH connections to
the console port
On HQ-ASA:
# aaa authentication ssh console LOCAL
Now, I will generate a RSA key pair to support with modulus size of
1024 bit.
# crypto key generate rsa modulus 1024
# yes
Then, I will configure HQ-ASA to accept SSH connections only from the
Net Admin workstation.
# ssh 192.168.10.5 255.255.255.255 inside
Then, I will configure SSH session timed out to be 20 minutes
# ssh timeout 20

NEXT:
I will configure NAT Service for the HQ-ASA device for both inside and
DMZ networks.
I will create an object (inside-nat) with subnet 192.168.10.0/24 and
enable the IP addresses of the hosts in the internal network to be
dynamically translated to access the external network via the outside
interface.
# object network inside-nat
# subnet 192.168.10.0 255.255.255.0
# nat (inside,outside) dynamic interface
Then, I will create an object( dmz-dns-server) to statically translate
the DNS server in the DMZ to the public IP address.
# object network dmz-dns-server
# host 192.168.20.5
# nat (dmz,outside) static 209.165.200.242
Next, I will create an object (dmz-web-server) to statically translate
the web server to the public IP address.
# object network dmz-web-server
# host 192.168.20.2
# nat (dmz,outside) static 209.165.200.241
Run this show command on the HQ-ASA
# end
# show nat
Nothing has been translated yet.

NEXT:
I will configure ACL and Firewall on the ASA device to implement the
security policy.
I will modify the default MPF ( Modular Policy Framework) application
inspection global service policy to enable hosts in the internal
network to access the web server on the internet.
First,
I will create a class ( inspection_default) that matches ( default-
inspection-traffic).
On the HQ-ASA:
# conf t
# class-map inspection_default
# match default-inspection-traffic
Next, I will create a policy-map ( global_policy) and specify the
(inspect) with ( dns, ftp, http and icmp).
# policy-map global_policy
# class inspection_default
# inspect dns
# inspect ftp
# inspect http
# inspect icmp
Next, I will attach the policy map globally to all interfaces
# exit
# service-policy global_policy global

NEXT,
I will configure an ACL to allow access to the DMZ servers from the
internet.
I will create, apply and verify an extended named ACL ( named
OUTSIDE-TO-DMZ) to filter incoming traffic to the HQ-ASA.
HTTP traffic is allowed to DMZ Web Svr.
# access-list OUTSIDE-TO-DMZ extended permit tcp any host
209.165.200.241 eq 80
DNS traffic ( both TCP and UDP) is allowed to the DMZ DNS server
( two separate ACEs “ Access Control Entries”)
# access-list OUTSIDE-TO-DMZ extended permit tcp any host
209.165.200.242 eq 53
# access-list OUTSIDE-TO-DMZ extended permit udp any host
209.165.200.242 eq 53
FTP traffic from the branch administrator workstation is allowed to
the DMZ web server.
# access-list OUTSIDE-TO-DMZ extended permit tcp host 172.16.40.10
host 209.165.200.241 eq 21

Next,
Time to configure the interfaces for the incoming traffic
# access-group OUTSIDE-TO-DMZ in interface outside
I will verify HQ-ASA configurations.
Both Net Admin and DMZ Web Svr can access the website
www.externalone.com
On Net Admin PC:
On the web browser type:
# www.externalone.com it should be successful
On the DMZ Web Svr, on the web browser
# www.externalone.com it should successful
Branch Admin can access the website www.theccna.com
On Branch Admin PC: on the web browser
# www.theccna.com it should be successful
Also the Branch Admin can establish an FTP connection to the web
server www.theccna.com using the username (cisco) and the
password (cisco)
 On the Branch Admin PC:
# ftp 209.165.200.241 it should be successful

NEXT:
I will configure a Site-to-Site IPsec VPN
between HQ Router and the Branch Router.
ISAKMP Phase 1 Policy Parameters
Key Distribution Method ISAKMP
Encryption Algorithm AES
Number of Bits 256
Hash Algorithm SHA
Authentication Method Pre-Share
Key Exchange DH 5
IKE SA Lifetime 86400
ISAKMP Key cisco

ISAKMP Phase 2 Policy Parameters

Parameters HQ Router Branch Router
Transform Set Name VPN-SET VPN-SET
Transform Set Esp-aes 256 esp-sha-hmac Esp-aes 256 esp-sha-hmac
Peer Host Name Branch HQ
Peer IP Address 172.16.20.2 10.1.1.1
Encrypted Network 209.165.200.240/28 172.16.40.0/24
Crypto Map Name VPN-MAP VPN-MAP
SA Establishment Ipsec-isakmp Ipsec-isakmp
I will configure an ACL ( ACL 110) on the HQ router to identify the
interesting traffic, the interesting traffic is all IP traffic between the
two LANs ( 209.165.200.240/28 and 172.16.40.0/24)

On the HQ Router:
# conf t
# access-list 110 permit ip 209.165.200.240 0.0.0.15 172.16.40.0
0.0.0.255
Next, configure ISAKMP Phase 1 properties on the HQ router, the
crypto ISAKMP policy is ( 10).
# crypto isakmp policy 10
# encryption aes 256
# hash sha
# authentication pre-share
# group 5
# lifetime 86400
# exit
# crypto isakmp key cisco address 172.16.20.2
Next, I will configure ISAKMP Phase 2 properties on the HQ router
using (10) as the sequence number.
On the HQ router:
# crypto ipsec transform-set VPN-SET esp- aes 256 esp-sha-hmac
# crypto map VPN-MAP 10 ipsec-isakmp
# set peer 172.16.20.2
# set pfs group5 PFS stands for ( Perfect Forward Secrecy)
# set security-association lifetime seconds 86400
# set transform-set VPN-SET
# match address 110
NEXT, I will bind the VPN-MAP crypto map to the outgoing interfaces.
On the HQ router:
# exit
# int s0/0/0
# crypto map VPN-MAP

NEXT:
I will configure IPsec parameters on the Branch router using the same
parameters as on the HQ router, I will make sure the interesting traffic
is defined as the IP traffic from the two LANs.
On the Branch router:
# conf t
# access-list 110 permit ip 172.16.40.0 0.0.0.255 209.165.200.240
0.0.0.15
Next, configure ISAKMP Phase 1 properties on the Branch router, the
crypto ISAKMP policy is ( 10).
# crypto isakmp policy 10
# encryption aes 256
# hash sha
# authentication pre-share
# group 5
# lifetime 86400
# exit
# crypto isakmp key cisco address 10.1.1.1
Next, I will configure ISAKMP Phase 2 properties on the Branch router
using (10) as the sequence number.
On the Branch router:
# crypto ipsec transform-set VPN-SET esp- aes 256 esp-sha-hmac
# crypto map VPN-MAP 10 ipsec-isakmp
# set peer 10.1.1.1
# set pfs group5 PFS stands for ( Perfect Forward Secrecy)
# set security-association lifetime seconds 86400
# set transform-set VPN-SET
# match address 110
NEXT, I will bind the VPN-MAP crypto map to the outgoing interfaces.
On the HQ router:
# exit
# int s0/0/0
# crypto map VPN-MAP
Finally,
I will verity the VPN configuration by conducting an FTP session with
the username (cisco), and the password ( cisco) from the Branch
Admin PC to the DMZ Web Svr, and on the Branch router, I will check
that the packets are encrypted by running show commands.
On the Branch Admin PC:
On command prompt:
# ftp 209.165.200.241
Username: cisco
Password: cisco it should be successful.
# I will type “quit” to exit the ftp session
On the Net Admin PC
# on the web browser www.theccna.com it should be successful
Run the show command on the two routers, HQ-ASA and Branch
# show crypto ipsec sa