Cisco ASA Firewall LAB WORKBOOK
Prepared By Sai Linn Thu
©2016 RHC Technologies
R H C TECHNOLOGIES
#LIKE #FOLLOW #WATCH
Security Policy ( Allow / Deny )

Source \ Destination   Employee   E-mail   Finance ( $ )   Internet
Employee               Deny       Permit   Deny            Permit
Executive              Deny       Deny     Permit          Permit
BYOD                   Deny       Permit   Deny            Permit
Guest                  Permit     Deny     Deny            Permit

( Rows are the source user group, columns the destination. )
{lowest 0} > Security Level < {highest 100}
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
{lowest 0} > Security Level < {highest 100}
Internet
outside ( 0 )
inside ( 100 )
dmz zone 1 ( 50 )
dmz zone 2 ( 60 )
dmz zone 3 ( 70 )
Incoming traffic / Outgoing traffic
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
Incoming traffic ( Low – to – High ) : Block, Explicitly Allow
Outgoing traffic ( High – to – Low ) : Allow, but Inspected
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
150.1.1.0/24
10.1.1.0/24
192.168.1.0/24
Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
192.168.5.5/24
10.10.10.10/24
ASA
int g0
 nameif inside
 security-level 100
 ip add 10.1.1.100 255.255.255.0
!
int g1
 nameif outside
 security-level 0
 ip add 150.1.1.100 255.255.255.0
!
int g2
 nameif dmz
 security-level 50
 ip add 192.168.1.100 255.255.255.0
!
#show int ip brief
Verify ping test on ASA !
ASA
ASA#ping 173.252.74.68
ASA#ping 10.10.10.10
ASA#ping 192.168.5.5
SUCCESS [or] FAIL ?
ASA
route outside 0 0 150.1.1.1
route inside 10.10.10.0 255.255.255.0 10.1.1.1
route dmz 192.168.5.0 255.255.255.0 192.168.1.1
#show route
Verify ping test on ASA !
ASA
ASA#ping 173.252.74.68
ASA#ping 10.10.10.10
ASA#ping 192.168.5.5
SUCCESS [or] FAIL ?
Configure default routes from LAN , DMZ and INTERNET !
LAN#ip route 0.0.0.0 0.0.0.0 10.1.1.100
DMZ#ip route 0.0.0.0 0.0.0.0 192.168.1.100
INTERNET#ip route 0.0.0.0 0.0.0.0 150.1.1.100
Verify ping test from LAN to INTERNET !
LAN
LAN#ping 173.252.74.68
LAN#ping 173.252.74.68 source lo0
SUCCESS [or] FAIL ?
Outbound traffic ( high-to-low security level ) is OK ( inspected )
Inbound traffic ( low-to-high security level ) is DROP ( requires ACL )
Configure vty password & enable password on LAN , DMZ and INTERNET !
LAN
line vty 0 4
 password testlan
!
enable password testlan
!

DMZ
line vty 0 4
 password testdmz
!
enable password testdmz
!

INTERNET
line vty 0 4
 password testout
!
enable password testout
!
Verify telnet test from LAN < > INTERNET // LAN < > DMZ // DMZ < > INTERNET
LAN
LAN#telnet 173.252.74.68
LAN#telnet 173.252.74.68 /source-interface lo0

INTERNET
INTERNET#telnet 10.10.10.10
INTERNET#telnet 10.10.10.10 /source-interface lo0

Please also test LAN < > DMZ // DMZ < > INTERNET.
SUCCESS [or] FAIL ?
Configure ACL to allow telnet traffic from INTERNET to LAN!
ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
access-group INTERNET_LAN in interface outside
!

INTERNET
INTERNET#telnet 10.10.10.10
INTERNET#telnet 10.10.10.10 /source-interface lo0
INTERNET#telnet 10.10.10.10 /source-interface lo1
Verify telnet test from INTERNET to LAN
SUCCESS [or] FAIL ?
Configure ACL to allow telnet traffic from DMZ to LAN!
ASA
access-list DMZ_LAN permit tcp any any eq telnet
!
access-group DMZ_LAN in interface dmz
!

DMZ
DMZ#telnet 10.10.10.10
DMZ#telnet 10.10.10.10 /source-interface lo0
Verify telnet test from DMZ to LAN
SUCCESS [or] FAIL ?
Verify telnet test from INTERNET to DMZ !
INTERNET
INTERNET#telnet 192.168.5.5
INTERNET#telnet 192.168.5.5 /source-interface lo0
INTERNET#telnet 192.168.5.5 /source-interface lo1

Why SUCCESS ? Because of the config we applied in the previous step: the ACL permits telnet from any source to any destination and is applied inbound on the outside interface, so it covers INTERNET to DMZ as well as INTERNET to LAN.

ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
access-group INTERNET_LAN in interface outside
!
Delete the below config
ASA
no access-list INTERNET_LAN permit tcp any any eq telnet
!
no access-group INTERNET_LAN in interface outside
!
After deleting the config, we can no longer telnet from INTERNET to LAN, nor from INTERNET to DMZ.
But we can still telnet from DMZ to LAN, because the DMZ_LAN ACL is still applied on the dmz interface.
Configure the policy as below :
1) ONLY Allow TELNET from 173.252.74.68 to LAN.
2) ONLY Allow TELNET from 172.217.25.174 to DMZ.
ASA
access-list INTERNET_LAN permit tcp host 173.252.74.68 10.10.10.0 255.255.255.0 eq telnet
!
access-list INTERNET_LAN permit tcp host 172.217.25.174 192.168.5.0 255.255.255.0 eq telnet
!
access-group INTERNET_LAN in interface outside
!
Verify telnet test from INTERNET to LAN !
INTERNET
INTERNET#telnet 10.10.10.10 > {success/fail}
INTERNET#telnet 10.10.10.10 /source-interface lo0 > {success/fail}
INTERNET#telnet 10.10.10.10 /source-interface lo1 > {success/fail}
Verify telnet test from INTERNET to DMZ !
INTERNET
INTERNET#telnet 192.168.5.5 > {success/fail}
INTERNET#telnet 192.168.5.5 /source-interface lo0 > {success/fail}
INTERNET#telnet 192.168.5.5 /source-interface lo1 > {success/fail}
Configure the policy as below :
1) Allow ping ( ICMP ) from LAN to DMZ.
2) Allow ping ( ICMP ) from LAN to INTERNET.
ASA
access-list INTERNET_LAN permit icmp any any echo-reply
!
access-list DMZ_LAN permit icmp any any echo-reply
!
access-group INTERNET_LAN in interface outside
!
access-group DMZ_LAN in interface dmz
Verify ping test from LAN to INTERNET & DMZ !
LAN
LAN#ping 173.252.74.68 source lo0
LAN#ping 192.168.5.5 source lo0
SUCCESS [or] FAIL ?
Outbound traffic ( high-to-low security level ) is OK ( inspected )
Inbound traffic ( low-to-high security level ) is OK ( the required ACL is configured )
Configure the policy as below :
1) Allow ping ( ICMP ) from INTERNET to LAN.
2) Allow ping ( ICMP ) from DMZ to LAN.
ASA
access-list INTERNET_LAN permit icmp any any echo
access-list INTERNET_LAN permit icmp any any echo-reply
!
access-group INTERNET_LAN in interface outside
!
access-list DMZ_LAN permit icmp any any echo
access-list DMZ_LAN permit icmp any any echo-reply
!
access-group DMZ_LAN in interface dmz
Verify ping test from INTERNET to LAN & DMZ to LAN!
ping test
INTERNET#ping 10.10.10.10 source lo0
INTERNET#ping 10.10.10.10 source lo1
INTERNET#ping 192.168.5.5 source lo0
INTERNET#ping 192.168.5.5 source lo1

DMZ#ping 10.10.10.10 source lo0
DMZ#ping 10.10.10.10 source lo1
SUCCESS {or} FAIL ?
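To make the SUCCESS/FAIL questions in the telnet and ping steps above checkable offline, here is an added example (not from the workbook) that models the ASA's per-packet decision: security levels decide when no ACL is applied, otherwise the inbound ACL with its implicit deny decides. It assumes no ICMP inspection (which is why the workbook needs the echo-reply entries), ignores NAT and same-security traffic, treats object-groups as Python lists, and uses 203.0.113.9 as a constructed non-Google source.

```python
"""Per-packet policy model for the lab: ASA security levels plus inbound interface ACLs.
Added example, not from the workbook.  Stateful inspection (e.g. 'inspect icmp'), NAT and
same-security-level traffic are ignored; object-groups are plain Python lists."""
from ipaddress import ip_address, ip_network
SEC_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}        # from the lab topology

def rule(proto, src, dst, port=None, icmp_type=None):
    """One access-list entry; src/dst are 'any', an IP or prefix, or a list (object-group)."""
    return dict(proto=proto, src=src, dst=dst, port=port, icmp_type=icmp_type)
def _match_addr(spec, addr):
    if isinstance(spec, list):                              # object-group network
        return any(_match_addr(s, addr) for s in spec)
    return spec == "any" or ip_address(addr) in ip_network(spec)
def _matches(r, pkt):
    return (r["proto"] == pkt["proto"] and _match_addr(r["src"], pkt["src"])
            and _match_addr(r["dst"], pkt["dst"])
            and (r["port"] is None or r["port"] == pkt.get("port"))
            and (r["icmp_type"] is None or r["icmp_type"] == pkt.get("icmp_type")))
def decide(pkt, access_groups):
    """'permit' or 'deny' for a packet entering pkt['in_if'] bound for pkt['out_if'].
    access_groups maps an interface name to the ACL applied 'in' on that interface."""
    acl = access_groups.get(pkt["in_if"])
    if acl is not None:       # an applied ACL replaces the default and ends in an implicit deny
        return "permit" if any(_matches(r, pkt) for r in acl) else "deny"
    # No ACL: high-to-low security is permitted (and inspected), low-to-high is dropped.
    return "permit" if SEC_LEVEL[pkt["in_if"]] > SEC_LEVEL[pkt["out_if"]] else "deny"
def pkt(proto, src, dst, in_if, out_if, **extra):
    return dict(proto=proto, src=src, dst=dst, in_if=in_if, out_if=out_if, **extra)

ANY_TELNET = {"outside": [rule("tcp", "any", "any", port=23)]}                # first lab ACL
TIGHT = {"outside": [rule("tcp", "173.252.74.68", "10.10.10.0/24", port=23),  # tightened policy
                     rule("tcp", "172.217.25.174", "192.168.5.0/24", port=23)]}
REPLY_ONLY = {"outside": [rule("icmp", "any", "any", icmp_type="echo-reply")]}  # LAN -> INTERNET ping
GOOGLE_DNS, LAN = ["8.8.8.8", "8.8.4.4"], ["10.10.10.0/24", "11.11.11.0/24", "12.12.12.0/24"]
DNS_PING = {"outside": [rule("icmp", GOOGLE_DNS, LAN, icmp_type=t) for t in ("echo", "echo-reply")]}

def lab_results():
    """The workbook's SUCCESS/FAIL questions as policy decisions (203.0.113.9 is a constructed source)."""
    return {
        "lan_to_internet_no_acl": decide(pkt("tcp", "10.10.10.10", "173.252.74.68", "inside", "outside", port=23), {}),
        "internet_to_dmz_any_telnet": decide(pkt("tcp", "173.252.74.68", "192.168.5.5", "outside", "dmz", port=23), ANY_TELNET),
        "dmz_to_lan_any_telnet": decide(pkt("tcp", "192.168.5.5", "10.10.10.10", "dmz", "inside", port=23), ANY_TELNET),
        "facebook_to_lan_tight": decide(pkt("tcp", "173.252.74.68", "10.10.10.10", "outside", "inside", port=23), TIGHT),
        "youtube_to_lan_tight": decide(pkt("tcp", "172.217.25.174", "10.10.10.10", "outside", "inside", port=23), TIGHT),
        "echo_reply_no_acl": decide(pkt("icmp", "173.252.74.68", "10.10.10.10", "outside", "inside", icmp_type="echo-reply"), {}),
        "echo_reply_with_acl": decide(pkt("icmp", "173.252.74.68", "10.10.10.10", "outside", "inside", icmp_type="echo-reply"), REPLY_ONLY),
        "echo_request_reply_only_acl": decide(pkt("icmp", "173.252.74.68", "10.10.10.10", "outside", "inside", icmp_type="echo"), REPLY_ONLY),
        "google_dns_echo": decide(pkt("icmp", "8.8.8.8", "11.11.11.11", "outside", "inside", icmp_type="echo"), DNS_PING),
        "other_source_echo": decide(pkt("icmp", "203.0.113.9", "11.11.11.11", "outside", "inside", icmp_type="echo"), DNS_PING),
    }
```

The echo_reply cases show why the workbook's first ICMP ACL only needs echo-reply: the LAN's outgoing echo is permitted by security level, but without inspection the reply is a fresh low-to-high packet on outside.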
Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
Google DNS : 8.8.8.8/32 , 8.8.4.4/32
ASA
route outside 0 0 150.1.1.1
route inside 10.10.10.0 255.255.255.0 10.1.1.1
route inside 11.11.11.0 255.255.255.0 10.1.1.1
route inside 12.12.12.0 255.255.255.0 10.1.1.1
route dmz 192.168.5.0 255.255.255.0 192.168.1.1
#show route
Configure the policy using object-group as below :
ASA
object-group network GoogleDNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4
!
object-group network LAN
 network-object 10.10.10.0 255.255.255.0
 network-object 11.11.11.0 255.255.255.0
 network-object 12.12.12.0 255.255.255.0
!
object-group service PING
 service-object icmp echo
 service-object icmp echo-reply
!
access-list INTERNET_LAN permit object-group PING object-group GoogleDNS object-group LAN
!
access-group INTERNET_LAN in interface outside
Verify ping test from INTERNET to LAN!
ping test
INTERNET#ping 10.10.10.10 source lo0
INTERNET#ping 10.10.10.10 source lo1
INTERNET#ping 10.10.10.10 source lo2
INTERNET#ping 10.10.10.10 source lo3

INTERNET#ping 11.11.11.11 source lo0
INTERNET#ping 11.11.11.11 source lo1
INTERNET#ping 11.11.11.11 source lo2
INTERNET#ping 11.11.11.11 source lo3

INTERNET#ping 12.12.12.12 source lo0
INTERNET#ping 12.12.12.12 source lo1
INTERNET#ping 12.12.12.12 source lo2
INTERNET#ping 12.12.12.12 source lo3
192.168.5.5/24 ( DMZ-Private )
150.1.1.5/32 ( DMZ-Public )
ASA
object network DMZ-Private
 host 192.168.5.5
!
object network DMZ-Public
 host 150.1.1.5
!
nat (dmz,outside) source static DMZ-Private DMZ-Public
!
access-list INTERNET_LAN permit tcp any any eq telnet
DMZ
line vty 0 4
 password testdmz
!
enable password testdmz
!
Verify telnet from INTERNET to DMZ Public IP!
telnet test
INTERNET#telnet 150.1.1.5 /source-interface lo0
INTERNET#telnet 150.1.1.5 /source-interface lo1
INTERNET#telnet 150.1.1.5 /source-interface lo2
INTERNET#telnet 150.1.1.5 /source-interface lo3
© www.rhctechnologies.com
RHC Technologies