https://community.cisco.com/t5/network-security/verify-configuration/m-p/2128258#M394401 <P>I am taking my exam next week in my security class. We have to make a configuartion at home and then insert this config into the ASA5510 in class. I just need someone who has more experience than me to verify that my config is correct, any help or suggestions would be helpful. The config is kind of long, but I broke it up into pices for easy troubleshooting. If you see "(ipremoved)" I did that because we have public IP address assigned to the ASA outside interface. Thank you <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_macro_emoticon" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P>What the ASA needs to do:</P><OL start="1"><LI>Dynamic NAT hosts can browse the Internet, and the server has static NAT<BR /></LI><LI>DHCP<BR /></LI><LI>The instructor workstation ONLY can (www, ftp, ssh, rdp, ping) into an inside static nat server<BR /></LI><LI>VPN into the network using the Cisco VPN client software<BR /></LI><LI>Use SSH to authenticate through an AAA (Radius)<BR /></LI></OL><P></P><P>Config:</P><P></P><P></P><P>*****initial:</P><P>interface Ethernet0/1<BR />nameif outside<BR />security-level 0<BR />no shut<BR />ip address dhcp setroute</P><P>interface Ethernet0/0<BR />nameif inside<BR />security-level 100<BR />no shut<BR />ip address 192.168.30.1 255.255.255.0</P><P>route outside 0.0.0.0 0.0.0.0 (ipremoved) 1<BR />http server enable<BR />http 192.168.30.10 255.255.255.255 inside<BR />username cisco password cisco<BR />hostname CSSFINAL<BR />enable password cisco<BR />domain-name css210.edu</P><P><BR />*****DHCP:</P><P>dhcpd address 192.168.30.200-192.168.30.250 inside<BR />dhcpd lease 86400 interface inside<BR />dhcpd domain css210.edu interface inside<BR />dhcpd auto_config outside interface inside<BR />dhcpd enable inside</P><P></P><P>*****NAT (static, PAT):</P><P>nat (inside) 1 0.0.0.0 0.0.0.0<BR />static (outside,inside) (OUTSIDE ADDRESS) 192.168.30.N netmask 255.255.255.255<BR />global (outside) 1 interface</P><P></P><P>*****ACL:</P><P>access-list outside_access_in extended permit icmp any any echo-reply<BR />access-list outside_access_in extended permit tcp host (IP of INST) host (ipremoved) eq 3389<BR />access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq www<BR />access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq ftp<BR />access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq ftp-data<BR />access-list outside_access_in extended permit icmp host (IP OF INST) host (ipremoved) echo<BR />access-list outside_access_in extended permit tcp host (IP OF INSTRUCTOR) any eq 22<BR />access-group outside_access_in in interface outside</P><P></P><P>*****SSH:</P><P>key generate rsa modulus 1024<BR />ssh 192.168.30.0 255.255.255.0 inside<BR />ssh (ipremoved) 255.255.255.0 outside<BR />ssh version 2</P><P><BR />*****AAA:</P><P>aaa-server MSNPS protocol radius<BR />aaa-server MSNPS (INSIDE) host 192.168.30.N key cisco<BR />aaa authentication telnet console MSNPS LOCAL<BR />aaa authentication ssh console MSNPS LOCAL</P><P><BR />*****Logging:</P><P>logging host inside 192.168.30.10</P><P><BR />*****IPsec VPN:</P><P>ip local pool MYVPNPOOL 192.168.30.100-192.168.30.150<BR />nat (inside) 0 access-list VPN-NAT0<BR />access-list VPN-NAT0 extended permit ip 192.168.30.0 255.255.255.0 192.168.30.0 255.255.255.0<BR />access-list SPLIT-TUNNEL standard permit 192.168.30.0 255.255.255.0<BR />crypto ipsec transform-set MYSET esp-3des esp-sha-hmac<BR />crypto ipsec security-association lifetime seconds 28800<BR />crypto ipsec security-association lifetime kilobytes 4608000<BR />crypto dynamic-map MYDYNMAP 1 set transform-set MYSET<BR />crypto dynamic-map MYDYNMAP 1 set security-association lifetime seconds 28800<BR />crypto dynamic-map MYDYNMAP 1 set security-association lifetime kilobytes 4608000<BR />crypto map MYMAP 1 ipsec-isakmp dynamic MYDYNMAP<BR />crypto map MYMAP interface outside<BR />crypto isakmp enable outside<BR />crypto isakmp policy 1<BR />authentication pre-share<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 84600<BR />crypto isakmp policy 65535<BR />authentication pre-share<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />group-policy MYPOLICY internal<BR />group-policy MYPOLICY attributes<BR />split-tunnel-policy tunnelspecified<BR />split-tunnel-network-list value SPLIT-TUNNEL<BR />tunnel-group MYTGROUP type remote-access<BR />tunnel-group MYTGROUP general-attributes<BR />address-pool MYVPNPOOL<BR />default-group-policy MYPOLICY<BR />tunnel-group MYTGROUP ipsec-attributes<BR />pre-shared-key cisco</P> Tue, 12 Mar 2019 00:35:08 GMT martinoj2009 2019-03-12T00:35:08Z https://community.cisco.com/t5/network-security/verify-configuration/m-p/2128258#M394401 <P>I am taking my exam next week in my security class. We have to make a configuartion at home and then insert this config into the ASA5510 in class. I just need someone who has more experience than me to verify that my config is correct, any help or suggestions would be helpful. The config is kind of long, but I broke it up into pices for easy troubleshooting. If you see "(ipremoved)" I did that because we have public IP address assigned to the ASA outside interface. Thank you <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_macro_emoticon" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P>What the ASA needs to do:</P><OL start="1"><LI>Dynamic NAT hosts can browse the Internet, and the server has static NAT<BR /></LI><LI>DHCP<BR /></LI><LI>The instructor workstation ONLY can (www, ftp, ssh, rdp, ping) into an inside static nat server<BR /></LI><LI>VPN into the network using the Cisco VPN client software<BR /></LI><LI>Use SSH to authenticate through an AAA (Radius)<BR /></LI></OL><P></P><P>Config:</P><P></P><P></P><P>*****initial:</P><P>interface Ethernet0/1<BR />nameif outside<BR />security-level 0<BR />no shut<BR />ip address dhcp setroute</P><P>interface Ethernet0/0<BR />nameif inside<BR />security-level 100<BR />no shut<BR />ip address 192.168.30.1 255.255.255.0</P><P>route outside 0.0.0.0 0.0.0.0 (ipremoved) 1<BR />http server enable<BR />http 192.168.30.10 255.255.255.255 inside<BR />username cisco password cisco<BR />hostname CSSFINAL<BR />enable password cisco<BR />domain-name css210.edu</P><P><BR />*****DHCP:</P><P>dhcpd address 192.168.30.200-192.168.30.250 inside<BR />dhcpd lease 86400 interface inside<BR />dhcpd domain css210.edu interface inside<BR />dhcpd auto_config outside interface inside<BR />dhcpd enable inside</P><P></P><P>*****NAT (static, PAT):</P><P>nat (inside) 1 0.0.0.0 0.0.0.0<BR />static (outside,inside) (OUTSIDE ADDRESS) 192.168.30.N netmask 255.255.255.255<BR />global (outside) 1 interface</P><P></P><P>*****ACL:</P><P>access-list outside_access_in extended permit icmp any any echo-reply<BR />access-list outside_access_in extended permit tcp host (IP of INST) host (ipremoved) eq 3389<BR />access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq www<BR />access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq ftp<BR />access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq ftp-data<BR />access-list outside_access_in extended permit icmp host (IP OF INST) host (ipremoved) echo<BR />access-list outside_access_in extended permit tcp host (IP OF INSTRUCTOR) any eq 22<BR />access-group outside_access_in in interface outside</P><P></P><P>*****SSH:</P><P>key generate rsa modulus 1024<BR />ssh 192.168.30.0 255.255.255.0 inside<BR />ssh (ipremoved) 255.255.255.0 outside<BR />ssh version 2</P><P><BR />*****AAA:</P><P>aaa-server MSNPS protocol radius<BR />aaa-server MSNPS (INSIDE) host 192.168.30.N key cisco<BR />aaa authentication telnet console MSNPS LOCAL<BR />aaa authentication ssh console MSNPS LOCAL</P><P><BR />*****Logging:</P><P>logging host inside 192.168.30.10</P><P><BR />*****IPsec VPN:</P><P>ip local pool MYVPNPOOL 192.168.30.100-192.168.30.150<BR />nat (inside) 0 access-list VPN-NAT0<BR />access-list VPN-NAT0 extended permit ip 192.168.30.0 255.255.255.0 192.168.30.0 255.255.255.0<BR />access-list SPLIT-TUNNEL standard permit 192.168.30.0 255.255.255.0<BR />crypto ipsec transform-set MYSET esp-3des esp-sha-hmac<BR />crypto ipsec security-association lifetime seconds 28800<BR />crypto ipsec security-association lifetime kilobytes 4608000<BR />crypto dynamic-map MYDYNMAP 1 set transform-set MYSET<BR />crypto dynamic-map MYDYNMAP 1 set security-association lifetime seconds 28800<BR />crypto dynamic-map MYDYNMAP 1 set security-association lifetime kilobytes 4608000<BR />crypto map MYMAP 1 ipsec-isakmp dynamic MYDYNMAP<BR />crypto map MYMAP interface outside<BR />crypto isakmp enable outside<BR />crypto isakmp policy 1<BR />authentication pre-share<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 84600<BR />crypto isakmp policy 65535<BR />authentication pre-share<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />group-policy MYPOLICY internal<BR />group-policy MYPOLICY attributes<BR />split-tunnel-policy tunnelspecified<BR />split-tunnel-network-list value SPLIT-TUNNEL<BR />tunnel-group MYTGROUP type remote-access<BR />tunnel-group MYTGROUP general-attributes<BR />address-pool MYVPNPOOL<BR />default-group-policy MYPOLICY<BR />tunnel-group MYTGROUP ipsec-attributes<BR />pre-shared-key cisco</P> Tue, 12 Mar 2019 00:35:08 GMT https://community.cisco.com/t5/network-security/verify-configuration/m-p/2128258#M394401 martinoj2009 2019-03-12T00:35:08Z https://community.cisco.com/t5/network-security/verify-configuration/m-p/2128259#M394402 <HTML><HEAD></HEAD><BODY><P>Hi Martino,</P><P></P><P>I went through configuration quite quckly, so I could miss something, but couple of things which I found:</P><P></P><P>To publish Server from Inside you have this command:</P><P>static (outside,inside) (OUTSIDE ADDRESS) 192.168.30.N netmask 255.255.255.255</P><P></P><P>It should look like:</P><P>static (inside,outside) (OUTSIDE ADDRESS) 192.168.30.N netmask 255.255.255.255</P><P></P><P>Command:</P><P>key generate rsa modulus 1024</P><P>Is:</P><P>crypto key generate rsa modulus 1024</P><P></P><P>Also I will recomend to use separate network for RA Clients.</P><P></P><P>Please rate helpful posts <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Best Regards,</P><P>Eugene</P></BODY></HTML> Sat, 08 Dec 2012 22:20:12 GMT https://community.cisco.com/t5/network-security/verify-configuration/m-p/2128259#M394402 Eugene Korneychuk 2012-12-08T22:20:12Z https://community.cisco.com/t5/network-security/verify-configuration/m-p/2128260#M394403 <HTML><HEAD></HEAD><BODY><P> Thank you very much Eugene.</P><P></P><P>I have changed my static NAT, RSA line, and moved my RA Clients to a 172.16.x.x network. I completly missed this, thank you that was very helpful.</P></BODY></HTML> Sat, 08 Dec 2012 22:29:36 GMT https://community.cisco.com/t5/network-security/verify-configuration/m-p/2128260#M394403 martinoj2009 2012-12-08T22:29:36Z