ISP ROUTER
ISP#show run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISP
!
ip subnet-zero
ip domain-name lab.local
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
no shut
no ip directed-broadcast
!
interface Ethernet0/1
ip address 10.1.2.10 255.255.255.0
no shut
no ip directed-broadcast
!
interface Ethernet0/2
ip address 10.1.3.10 255.255.255.0
no shut
no ip directed-broadcast
!
interface Ethernet0/3
ip address 100.1.1.1 255.255.255.0
no shut
no ip directed-broadcast
!
ip classless
no ip http server
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
transport input none
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password test
login
!
end
ISP#
HO ASA
HO(config)# show run
: Saved
:
ASA Version 8.0(2)
!
Configuring hostname
hostname HO
enable password 8Ry2YjIyt7RRXU24 encrypted
names
Configuring names (aliases that the access-lists below refer to)
name 192.168.1.10 Router-inside
name 192.168.4.5 Remote-user1
!
Configuring outside interface
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
no shut
!
Configuring inside interface
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
Configuring nat0 exemption access-list, for BO1
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Configuring nat0 exemption access-list, for BO2
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
Configuring nat0 exemption access-list, for VPN clients
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
Configuring crypto access-list, to associate with the BO1 crypto map entry
access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Configuring crypto2 access-list, to associate with the BO2 crypto map entry
access-list crypto2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
Configuring splitunnel access-list, for VPN clients (only 192.168.1.0/24 is sent through the tunnel)
access-list splitunnel standard permit 192.168.1.0 255.255.255.0
Configuring VPNFILTER12 access-list. A vpn-filter ACL is written with the remote side of the tunnel as the source and the local side as the destination, whichever end opens the connection. These two entries allow host 192.168.2.10 in BO1 to telnet to router 192.168.1.10 (Router-inside) in HO, and allow router 192.168.1.10 in HO to telnet to router 192.168.2.10 in BO1 (first entry: HO initiates, so the remote port is telnet; second entry: BO1 initiates, so the local port is telnet)
access-list VPNFILTER12 extended permit tcp host 192.168.2.10 eq telnet host Router-inside
access-list VPNFILTER12 extended permit tcp host 192.168.2.10 host Router-inside eq telnet
Configuring VPNFILTER12 access-list, this entry allows router 192.168.1.11 in HO to telnet to 192.168.2.11 in BO1
access-list VPNFILTER12 extended permit tcp host 192.168.2.11 eq telnet host 192.168.1.11
This access-list allows the web server 10.1.1.56, which is a static NAT of an inside host, to be reached from the internet
access-list outside-in extended permit tcp any host 10.1.1.56 eq www
This access-list allows telnet to 10.1.1.56, the same static NAT of the inside host, from the internet
access-list outside-in extended permit tcp any host 10.1.1.56 eq telnet
This access-list limits VPN user1 to telnet to router 192.168.1.10 (Router-inside)
access-list limited-access-4-vpn-user extended permit tcp host Remote-user1 host Router-inside eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
Creating the local address pool handed out to remote VPN users
ip local pool vpn-pool 192.168.4.1-192.168.4.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
Configuring the dynamic NAT address pool on the outside interface
global (outside) 1 10.1.1.50-10.1.1.55 netmask 255.255.255.255
Configuring nat0 exemption to avoid NAT for site-to-site VPN and remote access VPN traffic
nat (inside) 0 access-list nat0
NATting the inside network (pool id 1 ties it to the global above)
nat (inside) 1 192.168.1.0 255.255.255.0
Configuring static NAT. It creates a mapping between an address on the outside and the address of the server on the inside. Users on the outside can then access the server on the inside via the outside address (anyone can access the web server from the internet)
static (inside,outside) tcp 10.1.1.56 www 192.168.1.20 www netmask 255.255.255.255
Configuring static NAT for telnet. It maps TCP port 23 of the same outside address to the same inside server (anyone can telnet to it from the internet)
static (inside,outside) tcp 10.1.1.56 telnet 192.168.1.20 telnet netmask 255.255.255.255
Assigning the outside-in access-list to the outside interface, inbound direction
access-group outside-in in interface outside
Creating the default route to the ISP so that inside hosts can reach the internet
route outside 0.0.0.0 0.0.0.0 10.1.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
Enabling the ASDM HTTP server and allowing access to it only from 192.168.1.15 on the inside interface
http server enable
http 192.168.1.15 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
PHASE 2 OF IPSEC VPN
Configure transform-set by name transform1 for site-to-site VPN
crypto ipsec transform-set transform1 esp-aes-192 esp-sha-hmac
Configure transform-set by name vpn-rs for remote user VPN
crypto ipsec transform-set vpn-rs esp-des esp-sha-hmac
Configure transform-set by name vpn-rs1 for remote user VPN
crypto ipsec transform-set vpn-rs1 esp-des esp-md5-hmac
Creating crypto dynamic-map by name dyn-map with sequence number 20, requiring perfect forward secrecy
crypto dynamic-map dyn-map 20 set pfs
Associating dynamic-map dyn-map 20 with transform-sets vpn-rs and vpn-rs1
crypto dynamic-map dyn-map 20 set transform-set vpn-rs vpn-rs1
Creating crypto map by name mymap with sequence number 2 and associating access-list crypto with it
crypto map mymap 2 match address crypto
Associate crypto map mymap 2 with peer ip address 10.1.2.1
crypto map mymap 2 set peer 10.1.2.1
Associate crypto map mymap 2 with transform-set transform1
crypto map mymap 2 set transform-set transform1
Creating crypto map mymap sequence number 3 and associating access-list crypto2 with it
crypto map mymap 3 match address crypto2
Associate crypto map mymap 3 with peer ip address 10.1.3.1
crypto map mymap 3 set peer 10.1.3.1
Associate crypto map mymap 3 with transform-set transform1
crypto map mymap 3 set transform-set transform1
Creating crypto map mymap sequence number 20 and associating dynamic crypto map dyn-map with it (remote-access clients, whose addresses are not known in advance, match this entry)
crypto map mymap 20 ipsec-isakmp dynamic dyn-map
Enabling crypto map mymap on the outside interface
crypto map mymap interface outside
PHASE 1 OF IPSEC VPN
Enabling isakmp on the outside interface
crypto isakmp enable outside
Creating crypto isakmp policy with sequence number 10
crypto isakmp policy 10
Defining authentication i.e. pre-shared key
authentication pre-share
Defining encryption i.e. aes
encryption aes
Defining hashing i.e. sha
hash sha
Defining Diffie-Hellman group 2
group 2
Defining the IKE SA lifetime of 3600 seconds
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
Enabling AnyConnect VPN access on the ASA
webvpn
Enable WebVPN on the outside interface (needed for AnyConnect as well as clientless access)
enable outside
Assigning the AnyConnect client image
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
Without this command AnyConnect won't work
svc enable
Creating group-policy by name SSLCLientPolicy
group-policy SSLCLientPolicy internal
Configuring attributes for SSLCLientPolicy
group-policy SSLCLientPolicy attributes
Assigning dns-server for SSLCLientPolicy attributes
dns-server value 192.168.1.100
Assigning vpn-tunnel-protocol for SSLCLientPolicy attributes
vpn-tunnel-protocol svc
Enabling split-tunneling
split-tunnel-policy tunnelspecified
Assigning access-list splitunnel as the split-tunnel network list for SSLCLientPolicy attributes
split-tunnel-network-list value splitunnel
Assigning domain name for SSLCLientPolicy attributes
default-domain value test.com
Assigning the address pool for SSLCLientPolicy attributes
address-pools value vpn-pool
Creating group-policy 10.1.2.1 for the site-to-site VPN between HO and BO1
group-policy 10.1.2.1 internal
Configuring attributes for group-policy 10.1.2.1
group-policy 10.1.2.1 attributes
Adding vpn-filter with access-list VPNFILTER12 to the 10.1.2.1 attributes
vpn-filter value VPNFILTER12
Creating group-policy for IPsec VPN users by name company-vpn-policy
group-policy company-vpn-policy internal
Configuring attributes for group-policy company-vpn-policy
group-policy company-vpn-policy attributes
Assigning DNS server ip address to company-vpn-policy attributes
dns-server value 192.168.1.100
Assigning idle timeout i.e. 30 to company-vpn-policy attributes (vpn-idle-timeout is expressed in minutes)
vpn-idle-timeout 30
Enabling split-tunneling
split-tunnel-policy tunnelspecified
Assigning access-list splitunnel as the split-tunnel network list for company-vpn-policy attributes
split-tunnel-network-list value splitunnel
Creating AnyConnect user by name ssl1 to connect to the AnyConnect VPN
username ssl1 password ssl1
Configuring ssl1 user attributes
username ssl1 attributes
Assigning vpn-group-policy i.e. SSLCLientPolicy for ssl1 user attributes
vpn-group-policy SSLCLientPolicy
Assigning vpn-tunnel-protocol i.e. svc for ssl1 user attributes
vpn-tunnel-protocol svc
Assigning service-type remote-access
service-type remote-access
Creating user for ASDM access
username test password test privilege 15
Creating IPsec remote VPN user by name user1
username user1 password test
Configuring user1 user attributes
username user1 attributes
Assigning vpn-group-policy i.e. company-vpn-policy for user1 user attributes
vpn-group-policy company-vpn-policy
Assigning vpn-filter access-list i.e. limited-access-4-vpn-user for user1 user attributes
vpn-filter value limited-access-4-vpn-user
Assigning vpn-tunnel-protocol i.e. IPSec for user1 user attributes
vpn-tunnel-protocol IPSec
Assigning a fixed ip address for user1: whenever it connects using IPsec VPN the ASA will assign 192.168.4.5 (the Remote-user1 address that the limited-access-4-vpn-user filter is written for)
vpn-framed-ip-address 192.168.4.5 255.255.255.0
Locking user1 to the tunnel-group vpn
group-lock value vpn
Creating tunnel-group for the HO to BO1 site-to-site VPN, named after the peer address 10.1.2.1
tunnel-group 10.1.2.1 type ipsec-l2l
Configuring tunnel-group 10.1.2.1 general-attributes
tunnel-group 10.1.2.1 general-attributes
Assigning default-group-policy 10.1.2.1 in the general-attributes
default-group-policy 10.1.2.1
Configuring tunnel-group 10.1.2.1 ipsec-attributes
tunnel-group 10.1.2.1 ipsec-attributes
Configuring pre-shared key for 10.1.2.1 ipsec-attributes
pre-shared-key 123456
Creating tunnel-group for the HO to BO2 site-to-site VPN, named after the peer address 10.1.3.1
tunnel-group 10.1.3.1 type ipsec-l2l
Configuring tunnel-group 10.1.3.1 ipsec-attributes
tunnel-group 10.1.3.1 ipsec-attributes
Configuring pre-shared key for 10.1.3.1 ipsec-attributes
pre-shared-key 123456
Creating tunnel-group by name vpn for the IPsec remote-access VPN
tunnel-group vpn type remote-access
Configuring tunnel-group vpn general-attributes
tunnel-group vpn general-attributes
Assigning address-pool i.e. vpn-pool to vpn general-attributes
address-pool vpn-pool
Assigning default-group-policy i.e. company-vpn-policy to vpn general-attributes
default-group-policy company-vpn-policy
Configuring tunnel-group vpn ipsec-attributes
tunnel-group vpn ipsec-attributes
pre-shared-key 123456
Creating tunnel-group by name SSLClientProfile for AnyConnect VPN users
tunnel-group SSLClientProfile type remote-access
Configuring tunnel-group SSLClientProfile general-attributes
tunnel-group SSLClientProfile general-attributes
Assigning default-group-policy i.e. SSLCLientPolicy to SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
Configuring SSLClientProfile webvpn-attributes to select the group alias that is displayed in the group list on the WebVPN login page
tunnel-group SSLClientProfile webvpn-attributes
Enabling the SSLVPNClient group-alias
group-alias SSLVPNClient enable
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
HO(config)#
BO1 ASA
BO1# show run
: Saved
:
ASA Version 8.0(2)
!
hostname BO1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.2.1 255.255.255.0
no shut
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
no shut
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Configuring VPNFILTER12 access-list. On this side the remote end is HO, so the entries are written with the HO addresses as source: they allow host 192.168.1.10 in HO to telnet to router 192.168.2.10 inside BO1, and allow router 192.168.2.10 in BO1 to telnet to router 192.168.1.10 in HO
access-list VPNFILTER12 extended permit tcp host 192.168.1.10 host 192.168.2.10 eq telnet
access-list VPNFILTER12 extended permit tcp host 192.168.1.10 eq telnet host 192.168.2.10
This VPNFILTER12 entry allows router 192.168.1.11 in HO to telnet to 192.168.2.11 in BO1
access-list VPNFILTER12 extended permit tcp host 192.168.1.11 host 192.168.2.11 eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nat0
route outside 0.0.0.0 0.0.0.0 10.1.2.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.15 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transform1 esp-aes-192 esp-sha-hmac
crypto map mymap 2 match address crypto
crypto map mymap 2 set peer 10.1.1.1
crypto map mymap 2 set transform-set transform1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy 10.1.1.1 internal
group-policy 10.1.1.1 attributes
vpn-filter value VPNFILTER12
username test password P4ttSyrm33SV8TYp encrypted privilege 15
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 general-attributes
default-group-policy 10.1.1.1
tunnel-group 10.1.1.1 ipsec-attributes
pre-shared-key 123456
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
BO1#
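The VPNFILTER12 entries in the HO and BO1 configurations above are easy to get backwards, because the ASA always evaluates a vpn-filter with the remote end of the tunnel as the ACE source and the local end as the destination, regardless of which side opened the connection. The script below is an added example and not part of this lab's configuration: it parses the VPNFILTER12 lines from both firewalls exactly as shown on this page, replays a telnet session through both vpn-filters in either direction, and also lists what the HO outside-in access-list opens from any source on a cleartext management port. The Ace class, the helper function names, the PORT_NAMES table and the ephemeral client port 40000 are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# 'name' entries from the HO config (BO1 defines none)
HO_NAMES = {"Router-inside": "192.168.1.10", "Remote-user1": "192.168.4.5"}

# ACEs copied from the HO and BO1 configs above (constructed sample input)
HO_VPNFILTER12 = [
    "access-list VPNFILTER12 extended permit tcp host 192.168.2.10 eq telnet host Router-inside",
    "access-list VPNFILTER12 extended permit tcp host 192.168.2.10 host Router-inside eq telnet",
    "access-list VPNFILTER12 extended permit tcp host 192.168.2.11 eq telnet host 192.168.1.11",
]
BO1_VPNFILTER12 = [
    "access-list VPNFILTER12 extended permit tcp host 192.168.1.10 host 192.168.2.10 eq telnet",
    "access-list VPNFILTER12 extended permit tcp host 192.168.1.10 eq telnet host 192.168.2.10",
    "access-list VPNFILTER12 extended permit tcp host 192.168.1.11 host 192.168.2.11 eq telnet",
]
HO_OUTSIDE_IN = [
    "access-list outside-in extended permit tcp any host 10.1.1.56 eq www",
    "access-list outside-in extended permit tcp any host 10.1.1.56 eq telnet",
]

PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}  # assumed subset of ASA port names


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str                  # IPv4 address or "any"
    src_port: Optional[int]   # None = any port
    dst: str
    dst_port: Optional[int]


# Only the 'host X [eq P]' and 'any' forms used on this page are supported
ACE_RE = re.compile(
    r"^access-list \S+ extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+)(?: eq (?P<sport>\S+))? "
    r"(?P<dst>any|host \S+)(?: eq (?P<dport>\S+))?$"
)


def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(tok: str, names: dict) -> str:
    if tok == "any":
        return "any"
    host = tok.split()[1]
    return names.get(host, host)  # resolve ASA 'name' aliases


def parse_ace(line: str, names: Optional[dict] = None) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    names = names or {}
    return Ace(m["action"], m["proto"],
               _addr(m["src"], names), _port(m["sport"]),
               _addr(m["dst"], names), _port(m["dport"]))


def acl_permits(aces: List[Ace], src, sport, dst, dport, proto="tcp") -> bool:
    """First-match evaluation; every ACL ends with an implicit deny."""
    for a in aces:
        if a.proto not in (proto, "ip"):
            continue
        if a.src != "any" and a.src != src:
            continue
        if a.src_port is not None and a.src_port != sport:
            continue
        if a.dst != "any" and a.dst != dst:
            continue
        if a.dst_port is not None and a.dst_port != dport:
            continue
        return a.action == "permit"
    return False


def session_allowed(client, server, server_port=23, client_port=40000) -> bool:
    """Is a TCP session from client to server allowed by the vpn-filter at BOTH ends?
    Each ASA evaluates its filter as (remote endpoint) -> (local endpoint)."""
    ho = [parse_ace(l, HO_NAMES) for l in HO_VPNFILTER12]
    bo1 = [parse_ace(l) for l in BO1_VPNFILTER12]
    if client.startswith("192.168.1."):   # client sits in HO, server in BO1
        ho_ok = acl_permits(ho, server, server_port, client, client_port)
        bo_ok = acl_permits(bo1, client, client_port, server, server_port)
    else:                                 # client sits in BO1, server in HO
        ho_ok = acl_permits(ho, client, client_port, server, server_port)
        bo_ok = acl_permits(bo1, server, server_port, client, client_port)
    return ho_ok and bo_ok


def exposed_from_any(lines, risky_ports=(23,)) -> List[tuple]:
    """(destination, port) pairs an interface ACL permits from any source on a
    cleartext management port, i.e. what outside-in publishes to the internet."""
    return [(a.dst, a.dst_port) for a in map(parse_ace, lines)
            if a.action == "permit" and a.src == "any" and a.dst_port in risky_ports]


if __name__ == "__main__":
    print("HO .10 -> BO1 .10 telnet:", session_allowed("192.168.1.10", "192.168.2.10"))
    print("BO1 .11 -> HO .11 telnet:", session_allowed("192.168.2.11", "192.168.1.11"))
    print("cleartext mgmt open from internet:", exposed_from_any(HO_OUTSIDE_IN))
```

Run as a script it reports that 192.168.1.10 to 192.168.2.10 is allowed in both directions, that 192.168.2.11 to 192.168.1.11 is blocked (only the HO side may initiate for that pair, exactly as the comments in both configs state), and that the outside-in ACL exposes telnet on 10.1.1.56 to any internet source.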
BO2 ASA
BO2# show run
: Saved
:
ASA Version 8.0(2)
!
hostname BO2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.3.1 255.255.255.0
no shut
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
no shut
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nat0 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nat0
route outside 0.0.0.0 0.0.0.0 10.1.3.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transform1 esp-aes-192 esp-sha-hmac
crypto map mymap 2 match address crypto
crypto map mymap 2 set peer 10.1.1.1
crypto map mymap 2 set transform-set transform1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
pre-shared-key 123456
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
BO2#
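A site-to-site tunnel between HO and a branch only comes up when both ends agree on the Phase 1 policy, on at least one Phase 2 transform-set, on the proxy identities (the branch crypto ACL must be the exact mirror of the HO one) and on the pre-shared key. The script below is an added example, not the lab's own tooling: it takes constructed excerpts of the HO, BO1 and BO2 configurations shown on this page (only the lines that have to match) and reports every mismatch for a given peer pair. branch_cfg, check_tunnel and the other helper names are the example's own; the hash_alg and psk arguments of branch_cfg exist only to build deliberately broken variants that show the checks firing.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HO config above: the lines that must match its peers
HO = """
access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto ipsec transform-set transform1 esp-aes-192 esp-sha-hmac
crypto map mymap 2 match address crypto
crypto map mymap 2 set peer 10.1.2.1
crypto map mymap 2 set transform-set transform1
crypto map mymap 3 match address crypto2
crypto map mymap 3 set peer 10.1.3.1
crypto map mymap 3 set transform-set transform1
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
tunnel-group 10.1.2.1 ipsec-attributes
 pre-shared-key 123456
tunnel-group 10.1.3.1 ipsec-attributes
 pre-shared-key 123456
"""


def branch_cfg(lan: str, hash_alg: str = "sha", psk: str = "123456") -> str:
    """Constructed branch excerpt: BO1 is branch_cfg("192.168.2.0"), BO2 is
    branch_cfg("192.168.3.0"); the keyword arguments build broken variants."""
    return f"""
access-list crypto extended permit ip {lan} 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set transform1 esp-aes-192 esp-sha-hmac
crypto map mymap 2 match address crypto
crypto map mymap 2 set peer 10.1.1.1
crypto map mymap 2 set transform-set transform1
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash {hash_alg}
 group 2
 lifetime 3600
tunnel-group 10.1.1.1 ipsec-attributes
 pre-shared-key {psk}
"""


def crypto_map_entries(cfg):
    """{peer_ip: {'match address': ..., 'set transform-set': ...}} per crypto map entry."""
    entries = defaultdict(dict)
    pat = r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$"
    for m in re.finditer(pat, cfg, re.M):
        entries[(m[1], m[2])][m[3]] = m[4].strip()
    return {e["set peer"]: e for e in entries.values() if "set peer" in e}


def acl_ip_pairs(cfg, name):
    """Set of (src_net, src_mask, dst_net, dst_mask) from 'permit ip' ACEs of ACL name."""
    pat = rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    return {m.groups() for m in re.finditer(pat, cfg, re.M)}


def transform_set(cfg, name):
    m = re.search(rf"^crypto ipsec transform-set {re.escape(name)} (.+)$", cfg, re.M)
    return tuple(sorted(m[1].split())) if m else None


def isakmp_policies(cfg):
    """{seq: {attribute: value}} from the indented lines under each isakmp policy."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m[1], {})
        elif current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            current[key] = val
        else:
            current = None
    return policies


def pre_shared_key(cfg, peer):
    m = re.search(rf"^tunnel-group {re.escape(peer)} ipsec-attributes\n pre-shared-key (\S+)", cfg, re.M)
    return m[1] if m else None


def check_tunnel(local, remote_peer_ip, remote, local_peer_ip):
    """Compare what `local` configures for the peer at remote_peer_ip with what
    `remote` configures for the peer at local_peer_ip. Empty list = both ends agree."""
    l = crypto_map_entries(local).get(remote_peer_ip)
    r = crypto_map_entries(remote).get(local_peer_ip)
    if l is None or r is None:
        return [f"missing crypto map entry for peer {remote_peer_ip} / {local_peer_ip}"]
    findings = []
    # Phase 2 proxy identities: the peer's crypto ACL must be the exact mirror of ours
    ours = acl_ip_pairs(local, l.get("match address", ""))
    theirs = {(d, dm, s, sm) for (s, sm, d, dm) in acl_ip_pairs(remote, r.get("match address", ""))}
    if ours != theirs:
        findings.append(f"crypto ACL mismatch: local {sorted(ours)} vs mirrored remote {sorted(theirs)}")
    # Phase 2 proposals: one transform-set in common is enough to negotiate
    lts = {transform_set(local, n) for n in l.get("set transform-set", "").split()}
    rts = {transform_set(remote, n) for n in r.get("set transform-set", "").split()}
    if not lts & rts:
        findings.append(f"no common transform-set: {lts} vs {rts}")
    # Phase 1: some local policy must equal some remote policy; lifetime is excluded
    # because the ASA negotiates down to the shorter value instead of failing
    norm = lambda p: tuple(sorted((k, v) for k, v in p.items() if k != "lifetime"))
    if not {norm(p) for p in isakmp_policies(local).values()} & {norm(p) for p in isakmp_policies(remote).values()}:
        findings.append("no matching isakmp policy")
    if pre_shared_key(local, remote_peer_ip) != pre_shared_key(remote, local_peer_ip):
        findings.append("pre-shared key differs")
    return findings
```

check_tunnel(HO, "10.1.2.1", branch_cfg("192.168.2.0"), "10.1.1.1") and the same call with "10.1.3.1" and "192.168.3.0" both return an empty list for the configurations on this page; a branch built with hash_alg="md5" or a different psk returns the corresponding finding, and a branch whose crypto ACL names the wrong LAN is reported as a proxy-identity mismatch, which is the classic cause of a Phase 2 that never completes.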