Wednesday, March 27, 2013

BLOCKING URL'S AND INSTANT MESSENGER IN ASA Example

ASA Configuration
interface Ethernet0/0
nameif outside
 security-level 0
 ip address 192.168.137.2 255.255.255.0
no shut
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
no shut

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.137.1


Define regular expressions for the domain names to be blocked, for example facebook:

regex url1 "facebook.com"
regex url2 "myspace.com"
regex url4 "twitter.com"


Create a regex class-map named urlreg that matches any of the domain names to be blocked:

class-map type regex match-any urlreg
match regex url1
match regex url2
match regex url4


Create an HTTP inspection class-map named http_url_policy that matches requests whose Host header matches the regex class urlreg:

class-map type inspect http match-all http_url_policy
match request header host regex class urlreg


Create an IM inspection class-map named im-traffic that matches the MSN and Yahoo messenger protocols:

class-map type inspect im match-all im-traffic
match protocol msn-im yahoo-im

Create an ACL for the interesting HTTP traffic:

access-list http permit tcp any any eq 80

Create an ACL for the interesting IM traffic:

access-list 101 line 1 extended deny ip 192.168.1.0 255.255.255.0 any
access-list 101 extended permit ip any any

Create a class-map named http-inspection that captures the interesting HTTP traffic by matching the access-list http:

class-map http-inspection
match access-list http

Create a class-map named im_inspection that captures the interesting IM traffic by matching access-list 101:

class-map im_inspection
match access-list 101

Create an HTTP inspection policy-map named http_policy and apply the drop-connection action to the class-map http_url_policy:

policy-map type inspect http http_policy
parameters
class http_url_policy
drop-connection

Create an IM inspection policy-map named im-policy and apply the drop-connection action (with logging) to the class-map im-traffic:

policy-map type inspect im im-policy
parameters
class im-traffic
drop-connection log

Create a Layer 3/4 policy-map named block-url-im and attach each inspection policy-map to its class:

policy-map block-url-im
class http-inspection
inspect http http_policy
class im_inspection
inspect im im-policy

Apply the policy-map block-url-im as a service-policy on the interface so that it takes effect:

service-policy block-url-im interface outside
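To see what the regex class-map above actually matches, here is an added Python example (it is not from the original post and not Cisco code) that emulates the decision the block-url-im policy makes: a connection is only handed to the HTTP inspector if it hits the port-80 ACL, and within inspected requests the Host header is tested against the match-any regex class. Two points it makes concrete: the unescaped "." in "facebook.com" is a regex metacharacter that matches any character, so an escaped form is stricter; and traffic on other ports (HTTPS on 443, for instance) never reaches the HTTP inspector under the ACL shown. The Request class, the port set and the decision strings are assumptions made for the simulation.

```python
import re
from dataclasses import dataclass

# Regexes exactly as written in the post's "regex url1/url2/url4" lines.
# Note: '.' is a regex metacharacter, so "facebook.com" also matches "facebookXcom".
BLOCKED_HOST_REGEXES = ["facebook.com", "myspace.com", "twitter.com"]

# Interesting traffic for the http-inspection class: access-list http permit tcp any any eq 80
HTTP_INSPECT_PORTS = {80}


@dataclass
class Request:
    """Constructed stand-in for one TCP connection carrying one HTTP request (assumption)."""
    dst_port: int
    host: str  # value of the HTTP Host header


def host_matches_any(host, regexes):
    """Emulate 'class-map type regex match-any': true if at least one regex matches.
    ASA regex matching is unanchored, so re.search (not re.fullmatch) is the analogue."""
    return any(re.search(pattern, host) for pattern in regexes)


def policy_decision(req, regexes=BLOCKED_HOST_REGEXES):
    """Emulate the block-url-im policy: only port-80 traffic reaches the HTTP inspector,
    and inspected requests whose Host header matches the class are dropped."""
    if req.dst_port not in HTTP_INSPECT_PORTS:
        return "not-inspected"      # e.g. HTTPS on 443 bypasses this policy entirely
    if host_matches_any(req.host, regexes):
        return "drop-connection"    # action under policy-map type inspect http http_policy
    return "allow"


def escape_literal_domains(regexes):
    """Stricter variant: escape the dots so each regex matches the literal domain only."""
    return [pattern.replace(".", r"\.") for pattern in regexes]


if __name__ == "__main__":
    samples = [Request(80, "www.facebook.com"), Request(80, "facebookXcom"),
               Request(443, "www.facebook.com"), Request(80, "example.com")]
    strict = escape_literal_domains(BLOCKED_HOST_REGEXES)
    for r in samples:
        print(r.dst_port, r.host, "->", policy_decision(r),
              "| with escaped dots:", policy_decision(r, strict))
```

Running the block prints one line per constructed request; the "facebookXcom" case is dropped by the page's regexes but allowed once the dots are escaped, and the port-443 request is never inspected at all.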

Saturday, March 23, 2013

Site-to-site IPsec VPN tunnel between ASA and Cisco router, Example
ASA Configuration

ciscoasa# show run
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.10 255.255.255.0
 no shut
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
 no shut
!
access-list ACL-RED-VPN extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
!
nat (inside) 0 access-list ACL-INSIDE-NONAT
route outside 0.0.0.0 0.0.0.0 11.11.11.11 1
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
crypto map MAP-OUTSIDE 20 set peer 11.11.11.11
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
crypto map MAP-OUTSIDE interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 36400
!
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key 123456
prompt hostname context
: end
ciscoasa#

 

Branchoffice router configuration

Branchoffice#show run
Building configuration...
!
hostname Branchoffice
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123456 address 11.11.11.10
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer 11.11.11.10
 set transform-set AES-SHA
 match address ACL-VPN
!
interface Ethernet1/0
 ip address 11.11.11.11 255.255.255.0
 crypto map VPN-TUNNEL
 no shut
!
interface Ethernet1/1
 ip address 172.16.22.1 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 11.11.11.10
!
ip access-list extended ACL-VPN
 permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
!
end
Branchoffice#
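The crypto ACLs on the two peers have to be exact mirror images of each other, and on the ASA the NAT-exempt ACL has to name the same pair of networks as the crypto ACL; a mismatch in either is a common reason a tunnel comes up but passes no traffic. The following added Python example (not from the original post and not Cisco code) parses the ASA subnet-mask form and the IOS wildcard-mask form of the permit lines shown above, normalises both to networks and checks the two conditions. It only handles the "permit ip <net> <mask> <net> <mask>" form that appears on this page; the constructed ACL strings and the function names are assumptions.

```python
import ipaddress
import re

# Constructed copies of the permit lines from the two configurations above.
ASA_CRYPTO_ACL = ("access-list ACL-RED-VPN extended permit ip "
                  "192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0")
ASA_NONAT_ACL = ("access-list ACL-INSIDE-NONAT extended permit ip "
                 "192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0")
IOS_CRYPTO_ACL = "permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255"

# Matches only the 'permit ip <src> <mask> <dst> <mask>' form used on this page;
# 'any'/'host' keywords and port qualifiers are out of scope (assumption).
ACE_RE = re.compile(r"permit\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def subnet_mask_to_network(addr, mask):
    """ASA ACLs use a normal subnet mask (255.255.255.0)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use a wildcard mask (0.0.0.255), the bitwise inverse of a subnet mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line, wildcard):
    """Return (src_network, dst_network) for one permit line."""
    m = ACE_RE.search(line)
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, smask, dst, dmask = m.groups()
    convert = wildcard_to_network if wildcard else subnet_mask_to_network
    return convert(src, smask), convert(dst, dmask)


def acls_are_mirrored(asa_line, ios_line):
    """Phase 2 proxy identities must mirror: ASA src == router dst and ASA dst == router src."""
    asa_src, asa_dst = parse_ace(asa_line, wildcard=False)
    ios_src, ios_dst = parse_ace(ios_line, wildcard=True)
    return asa_src == ios_dst and asa_dst == ios_src


def nonat_covers_vpn(asa_crypto_line, asa_nonat_line):
    """The 'nat (inside) 0' exemption must carry the same src/dst pair as the crypto ACL;
    otherwise inside hosts are translated before encryption and never match the tunnel."""
    return parse_ace(asa_crypto_line, False) == parse_ace(asa_nonat_line, False)


if __name__ == "__main__":
    print("crypto ACLs mirrored:", acls_are_mirrored(ASA_CRYPTO_ACL, IOS_CRYPTO_ACL))
    print("NAT exemption matches:", nonat_covers_vpn(ASA_CRYPTO_ACL, ASA_NONAT_ACL))
```

Both checks pass for the configurations on this page; changing either network or mask on one side makes acls_are_mirrored return False, which is the condition to look for when the ISAKMP SA is up but no IPsec SA is built.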

Saturday, March 9, 2013

Basic ASA Username and Password Configuration Example


Create a local username and password, generate an RSA key pair, and use the local database to authenticate SSH connections from the inside interface:

ciscoasa(config)# username user1 password user1
ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh 192.168.1.0 255.255.255.255 inside

 
Enable telnet on the ASA for telnet connections from the inside interface, and set the login (telnet) and enable passwords:

ciscoasa(config)# telnet 192.168.1.0 255.255.255.255 inside
ciscoasa(config)# passwd test
ciscoasa(config)# enable password test1
 

Enable management access on the inside interface with the following command:

ciscoasa(config)# management-access inside
 

Enable the HTTP server for ASDM connections from the inside interface:

ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.255 inside
 

Configuring clock settings:

ciscoasa(config)# clock set 12:00:00 jan 10 2013
 

Configuring the Network Time Protocol (NTP) server:

ciscoasa(config)# ntp server 192.168.1.10 source inside
 

Configure authentication for the serial console, telnet, SSH and enable mode using the local username database:

ciscoasa(config)# username user2 password user2
ciscoasa(config)# aaa authentication serial console LOCAL
ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication enable console LOCAL
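As an added example (not from the original post and not Cisco code), the Python below audits the management-plane lines from this post. It computes the source range each ssh/telnet/http statement really permits and flags telnet (a cleartext protocol), a 0.0.0.0 0.0.0.0 source, an RSA modulus below 2048 bits, and the mask used above: 255.255.255.255 paired with the network address 192.168.1.0 permits exactly one address, not the /24 subnet the prose describes, so a 255.255.255.0 mask is almost certainly what was intended. The sample configuration text, the regexes, the 2048-bit floor and the mask-typo heuristic are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: the management-plane lines from this post, gathered into one text.
SAMPLE_CONFIG = """
ssh 192.168.1.0 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.255 inside
http 192.168.1.0 255.255.255.255 inside
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
"""

# '<ssh|telnet|http> <address> <mask> <interface>' as used on the ASA
MGMT_RE = re.compile(r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
RSA_RE = re.compile(r"^crypto key generate rsa modulus (\d+)$")
MIN_RSA_BITS = 2048  # assumption: the floor this audit enforces


def allowed_sources(addr, mask):
    """Network of source addresses an ASA management line actually permits."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def looks_like_mask_typo(addr, net):
    """Heuristic (assumption): a /32 whose last octet is 0 is almost certainly a
    network address paired with 255.255.255.255 where 255.255.255.0 was meant."""
    return net.prefixlen == 32 and addr.endswith(".0")


def audit(config_text):
    """Return a list of findings for the management-access lines in config_text."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if m:
            svc, addr, mask, iface = m.groups()
            net = allowed_sources(addr, mask)
            if svc == "telnet":
                findings.append(f"telnet enabled on {iface}: cleartext management protocol")
            if net.prefixlen == 0:
                findings.append(f"{svc} on {iface}: accepts connections from any source")
            elif looks_like_mask_typo(addr, net):
                findings.append(f"{svc} on {iface}: permits only the single address {addr} "
                                f"(mask {mask}); 255.255.255.0 was probably intended")
            continue
        m = RSA_RE.match(line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"RSA modulus {m.group(1)} is below {MIN_RSA_BITS} bits")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the audit reports five findings: the mask problem on each of the ssh, telnet and http lines, telnet itself, and the 1024-bit modulus. Correcting the mask to 255.255.255.0 clears the first three.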