cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1338
Views
5
Helpful
2
Replies

Verify Configuration

martinoj2009
Level 1
Level 1

I am taking my exam next week in my security class. We have to make a configuartion at home and then insert this config into the ASA5510 in class. I just need someone who has more experience than me to verify that my config is correct, any help or suggestions would be helpful. The config is kind of long, but I broke it up into pices for easy troubleshooting. If you see "(ipremoved)" I did that because we have public IP address assigned to the ASA outside interface. Thank you

What the ASA needs to do:

  1. Dynamic NAT hosts can browse the Internet, and the server has static NAT
  2. DHCP
  3. The instructor workstation ONLY can (www, ftp, ssh, rdp, ping) into an inside static nat server
  4. VPN into the network using the Cisco VPN client software
  5. Use SSH to authenticate through an AAA (Radius)

Config:

*****initial:

interface Ethernet0/1
nameif outside
security-level 0
no shut
ip address dhcp setroute

interface Ethernet0/0
nameif inside
security-level 100
no shut
ip address 192.168.30.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 (ipremoved) 1
http server enable
http 192.168.30.10 255.255.255.255 inside
username cisco password cisco
hostname CSSFINAL
enable password cisco
domain-name css210.edu


*****DHCP:

dhcpd address 192.168.30.200-192.168.30.250 inside
dhcpd lease 86400 interface inside
dhcpd domain css210.edu interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside

*****NAT (static, PAT):

nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) (OUTSIDE ADDRESS) 192.168.30.N netmask 255.255.255.255
global (outside) 1 interface

*****ACL:

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp host (IP of INST) host (ipremoved) eq 3389
access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq www
access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq ftp
access-list outside_access_in extended permit tcp host (IP OF INST) host (ipremoved) eq ftp-data
access-list outside_access_in extended permit icmp host (IP OF INST) host (ipremoved) echo
access-list outside_access_in extended permit tcp host (IP OF INSTRUCTOR) any eq 22
access-group outside_access_in in interface outside

*****SSH:

key generate rsa modulus 1024
ssh 192.168.30.0 255.255.255.0 inside
ssh (ipremoved) 255.255.255.0 outside
ssh version 2


*****AAA:

aaa-server MSNPS protocol radius
aaa-server MSNPS (INSIDE) host 192.168.30.N key cisco
aaa authentication telnet console MSNPS LOCAL
aaa authentication ssh console MSNPS LOCAL


*****Logging:

logging host inside 192.168.30.10


*****IPsec VPN:

ip local pool MYVPNPOOL 192.168.30.100-192.168.30.150
nat (inside) 0 access-list VPN-NAT0
access-list VPN-NAT0 extended permit ip 192.168.30.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.30.0 255.255.255.0
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map MYDYNMAP 1 set transform-set MYSET
crypto dynamic-map MYDYNMAP 1 set security-association lifetime seconds 28800
crypto dynamic-map MYDYNMAP 1 set security-association lifetime kilobytes 4608000
crypto map MYMAP 1 ipsec-isakmp dynamic MYDYNMAP
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 84600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy MYPOLICY internal
group-policy MYPOLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group MYTGROUP type remote-access
tunnel-group MYTGROUP general-attributes
address-pool MYVPNPOOL
default-group-policy MYPOLICY
tunnel-group MYTGROUP ipsec-attributes
pre-shared-key cisco

2 Replies 2

Eugene Korneychuk
Cisco Employee
Cisco Employee

Hi Martino,

I went through configuration quite quckly, so I could miss something, but couple of things which I found:

To publish Server from Inside you have this command:

static (outside,inside) (OUTSIDE ADDRESS) 192.168.30.N netmask 255.255.255.255

It should look like:

static (inside,outside) (OUTSIDE ADDRESS) 192.168.30.N netmask 255.255.255.255

Command:

key generate rsa modulus 1024

Is:

crypto key generate rsa modulus 1024

Also I will recomend to use separate network for RA Clients.

Please rate helpful posts

Best Regards,

Eugene

Thank you very much Eugene.

I have changed my static NAT, RSA line, and moved my RA Clients to a 172.16.x.x network. I completly missed this, thank you that was very helpful.

Review Cisco Networking for a $25 gift card