Monday, October 26, 2020

Basic ASA Security Policy

LAB Task

1) Configure the IP addresses, interface names (nameif), host names and security levels according to the given topology.

2) Configure the static routing.

3) Configure one object-group for the network hosts and one for the service protocols:

a. MGMT-HOSTS(2.2.2.2, 4.4.4.4)

b. TELNET-and-SSH(telnet, ssh)

4) Only hosts 2.2.2.2 and 4.4.4.4 are allowed to use telnet and ssh to host 1.1.1.1; nothing else may reach it.

LAB Configuration

#############################################################################
R1>
! R1 is the inside host; its default route points at the ASA inside interface
hostname R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0
 ip address 10.1.101.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.101.10
line vty 0 4
 password cisco
 login
 transport input telnet
R1>
#################################################################################
R2>
! R2 is the outside host; its default route points at the ASA outside interface
hostname R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Ethernet0/0
 ip address 10.1.102.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.102.10
line vty 0 4
 password cisco
 login
 transport input telnet
R2>
################################################################################
R4>
! R4 is the DMZ host; its default route points at the ASA DMZ interface
hostname R4
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Ethernet0/0
 ip address 10.1.104.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.104.10
line vty 0 4
 password cisco
 login
 transport input telnet
R4>
#################################################################################
ASA-FW(config)#
hostname ASA-FW
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.102.10 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 80
 ip address 10.1.101.10 255.255.255.0
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 10.1.104.10 255.255.255.0
object-group network MGMT-HOSTS
 network-object host 2.2.2.2
 network-object host 4.4.4.4
object-group service TELNET-and-SSH tcp
 port-object eq telnet
 port-object eq ssh
access-list OUTSIDE_IN remark Only MGMT-HOSTS may reach the R1 loopback on telnet/ssh; everything else hits the implicit deny
access-list OUTSIDE_IN extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list DMZ_IN remark Same policy on the DMZ side (R4 reaches R1 through the ASA)
access-list DMZ_IN extended permit icmp any any echo-reply
access-list DMZ_IN extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.1.102.20 1
route inside 1.1.1.1 255.255.255.255 10.1.101.20 1
route DMZ 4.4.4.4 255.255.255.255 10.1.104.20 1
ASA-FW(config)#
##################################################################################
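To check that the policy above really does what task 4 asks before trusting it, here is an added example (not part of the original post and not a Cisco tool): a small Python model that parses the object-group, access-list and access-group lines of the ASA-FW config and evaluates sample flows the way the ASA does, top-down through the inbound ACL with an implicit deny at the end, and, on an interface with no ACL, permitting only traffic toward a lower security level. The interface names and levels are taken from the config; the egress interface is passed in explicitly (on the real ASA it comes from the route lookup), the port-name table and the sample flows are constructed for the example, and `lab_checks` is a hypothetical helper name.

```python
"""Model the ASA lab policy and evaluate constructed sample flows against it."""
import ipaddress

# Constructed name table for the port keywords used in this lab.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}

# Interface security levels as configured on ASA-FW in the lab.
INTERFACES = {"outside": 0, "inside": 80, "DMZ": 50}

# The policy-relevant lines of the ASA-FW config from this post.
ASA_CONFIG = """
object-group network MGMT-HOSTS
 network-object host 2.2.2.2
 network-object host 4.4.4.4
object-group service TELNET-and-SSH tcp
 port-object eq telnet
 port-object eq ssh
access-list OUTSIDE_IN extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list DMZ_IN extended permit icmp any any echo-reply
access-list DMZ_IN extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface DMZ
"""


def _port(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _take_addr(tok, i, net_groups):
    """Consume one ASA address specifier at tok[i]; return (list of networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return net_groups[tok[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2


def parse_config(text):
    """Return (net_groups, svc_groups, acls, applied) parsed from the ASA lines."""
    net_groups, svc_groups, acls, applied = {}, {}, {}, {}
    current = None  # (kind, member list) of the object-group being filled
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        tok = line.split()
        if line.startswith(" "):  # indented member of the current object-group
            kind, members = current
            if kind == "network" and tok[0] == "network-object":
                members.extend(_take_addr(tok, 1, net_groups)[0])
            elif kind == "service" and tok[0] == "port-object" and tok[1] == "eq":
                members.append(_port(tok[2]))
        elif tok[0] == "object-group":
            store = net_groups if tok[1] == "network" else svc_groups
            store[tok[2]] = []
            current = (tok[1], store[tok[2]])
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto = tok[1], tok[3], tok[4]
            src, i = _take_addr(tok, 5, net_groups)
            dst, i = _take_addr(tok, i, net_groups)
            rest = tok[i:]
            ports = icmp_type = None  # None means "not restricted"
            if proto == "icmp" and rest:
                icmp_type = rest[0]
            elif rest[:1] == ["object-group"]:
                ports = svc_groups[rest[1]]
            elif rest[:1] == ["eq"]:
                ports = [_port(rest[1])]
            acls.setdefault(name, []).append((action, proto, src, dst, ports, icmp_type))
        elif tok[0] == "access-group":  # access-group NAME in interface IFC
            applied[tok[4]] = tok[1]
    return net_groups, svc_groups, acls, applied


def evaluate(policy, in_ifc, out_ifc, proto, src, dst, dport=None, icmp_type=None):
    """Return "permit" or "deny" for a flow entering in_ifc and leaving via out_ifc."""
    _, _, acls, applied = policy
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_name = applied.get(in_ifc)
    if acl_name is None:
        # No ACL on the ingress interface: ASA default allows only higher -> lower security level.
        return "permit" if INTERFACES[in_ifc] > INTERFACES[out_ifc] else "deny"
    for action, p, srcs, dsts, ports, itype in acls[acl_name]:  # first match wins
        if p not in (proto, "ip"):
            continue
        if not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if ports is not None and dport not in ports:
            continue
        if itype is not None and itype != icmp_type:
            continue
        return action
    return "deny"  # implicit deny at the end of every ASA ACL


def lab_checks(policy):
    """Constructed flows a practitioner would test after applying this lab's policy."""
    e = evaluate
    return {
        "R2 ssh to R1": e(policy, "outside", "inside", "tcp", "2.2.2.2", "1.1.1.1", 22),
        "R2 telnet to R1": e(policy, "outside", "inside", "tcp", "2.2.2.2", "1.1.1.1", 23),
        "R2 http to R1": e(policy, "outside", "inside", "tcp", "2.2.2.2", "1.1.1.1", 80),
        "R2 e0/0 telnet to R1": e(policy, "outside", "inside", "tcp", "10.1.102.20", "1.1.1.1", 23),
        "R4 telnet to R1": e(policy, "DMZ", "inside", "tcp", "4.4.4.4", "1.1.1.1", 23),
        "R4 telnet to R2": e(policy, "DMZ", "outside", "tcp", "4.4.4.4", "2.2.2.2", 23),
        "R1 telnet to R2": e(policy, "inside", "outside", "tcp", "1.1.1.1", "2.2.2.2", 23),
        "echo-reply to R1": e(policy, "outside", "inside", "icmp", "2.2.2.2", "1.1.1.1", icmp_type="echo-reply"),
        "echo to R1": e(policy, "outside", "inside", "icmp", "2.2.2.2", "1.1.1.1", icmp_type="echo"),
    }


if __name__ == "__main__":
    for flow, verdict in lab_checks(parse_config(ASA_CONFIG)).items():
        print(f"{flow:24} {verdict}")
```

Two results are worth noticing. Only the loopback addresses 2.2.2.2 and 4.4.4.4 match MGMT-HOSTS, so a connection sourced from R2's Ethernet address 10.1.102.20 is denied, and once DMZ_IN is applied, R4 can no longer reach R2 even though DMZ (50) is a higher security level than outside (0), because an applied ACL replaces the level-based default for that interface. On the ASA itself the same verdicts can be confirmed with `packet-tracer input outside tcp 2.2.2.2 1025 1.1.1.1 23`. Note also that the router vty lines in this lab only carry `transport input telnet`, so the ssh permit on the ASA takes effect only once SSH is enabled on R1.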

Thanks
