Use the following script to configure R1. On the Startup Wizard Step 6 screen, DHCP Server, click the Enable DHCP server on the inside interface check box. Cable the network and clear previous device settings. Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet interfaces. By default, the ASA sets its own IP address as the DHCP default gateway. Required equipment: 1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.6 universal image or comparable with a Security Technology Package license), 3 Switches (Cisco 2960+ with Cisco IOS Release 15.2(7) lanbasek9 image or comparable), 3 PCs (Windows OS with a terminal emulation program, such as PuTTY or Tera Term, installed), 1 ASA 5506-X (OS version 9.15(1) and ASDM version 7.15(1) and Base license or comparable), console cables to configure Cisco networking devices, Ethernet cables as shown in the topology. However, PC-C should be able to ping the R1 interface. Step 2: Configure the enable mode password. This is the range of addresses to be assigned to inside DHCP clients. b. In Part 1 of this lab, you will configure the topology and non-ASA devices. Part 2 uses the ASA CLI to prepare the ASA for ASDM access. Design: The ASA used with this lab is a Cisco model 5505 with an eight-port integrated switch, running OS version 9.2(3) and ASDM version 7.4(1), and comes with a Base license that allows a maximum of three VLANs. You can also go directly to the CLI to configure the ASA settings, as described in Part 3. a. In a pop-up window, you should be prompted by R1 that authentication is required. Yes. Step 3: Modify the default MPF application inspection global service policy. c. On the Startup Wizard Step 5 screen, Interface IP Address Configuration, enter an Outside IP Address of 209.165.200.226 and a Mask of 255.255.255.248. Optional activities are designed to enhance understanding and/or to provide additional practice.
o Site-to-Site VPN. Step 3: Bypass Setup mode and configure the ASDM VLAN interfaces. Configure a network object named dmz-server and assign it the static IP address of the DMZ server (192.168.2.3). Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers. The focus of this lab is the configuration of the ASA as a basic firewall. Modify the default MPF application inspection global service policy. Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Use the show interface ip brief command to verify this. 9.3.1.2 Lab A: Configuring ASA Basic Settings and Firewall Using CLI (Instructor Version), Chapter 9 Lab A. Use the terminal emulation program to copy it from the ASA and paste it into a text document. Security level 100 (inside) is the most secure and level 0 (outside) is the least secure. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface. The enable password is not set. Please set it now. Step 3: Configure static routing on the routers. This lab uses the ASA CLI, which is similar to the IOS CLI, to configure basic device and security settings. Also, some CLI commands are necessary to prepare the ASA for GUI access.
On the Startup Wizard Step 7 screen, Address Translation (NAT/PAT), click Use Port Address Translation (PAT). Create the network object INSIDE-NET and assign attributes to it using the subnet and nat commands. 2. There are a number of aspects of the ASA that can be monitored using the Monitoring screen.
NETSEC-ASA(config)# object network DMZSERVER
NETSEC-ASA(config-network-object)# host 192.168.2.3
NETSEC-ASA(config-network-object)# nat (DMZ,OUTSIDE) static 209.165.200.227
Check the box Enable traffic between two or more interfaces which are configured with the same security levels. If either port is administratively down, bring it up with the no shutdown command. You will only configure the VLAN 1 (inside) and VLAN 2 (outside) interfaces at this time. CCNA Cybersecurity Operations (Version 1.1) CyberOps 7. When prompted to log in, enter the user name admin01 and the password admin01pass. To accommodate the addition of a DMZ and a web server, you will use another address from the ISP range assigned, 209.165.200.224/29 (.224-.231). Ensure that PC-B has a static IP address of 192.168.1.3, a subnet mask of 255.255.255.0, and a default gateway of 192.168.1.1 (the IP address of the ASA VLAN 1 inside interface). The ping should succeed this time. On the first Startup Wizard screen, modify the existing configuration or reset the ASA to the factory defaults. Ping the DMZ server (PC-A) internal address (192.168.2.3) from inside network host PC-B (192.168.1.X). Previously, you configured address translation using PAT for the inside network. Notice that, of the pings from PC-B, four were translated and four were not, because ICMP is not being inspected by the global inspection policy.
Note: If the GUI dialog box stops responding during the reload process, close it, exit ASDM, and restart the browser and ASDM. The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.5 and 192.168.1.36 (Base license), though the actual range may vary. Step 1: Configure the ASA DMZ VLAN 3 interface. Step 5: Modify the MPF application inspection policy. The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall, VPN, and FirePOWER services. Part 1: Basic Router/Switch/PC Configuration. Part 2: Accessing the ASA Console and Using CLI Setup Mode to Configure Basic Settings. Note: You can specify Public services if they are different from the Private services, using the option on ... See the Router Interface Summary Table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Note: You may receive a message that an RSA key pair is already defined. Before ASA version 8.3, address translation was configured using the nat, global, and static commands. After the creation of the DMZ server object and selection of services, ASDM automatically generates an Access Rule (ACL) to permit the appropriate access to the server and applies it to the outside interface in the incoming direction. Ports E0/0 to E0/5 are normal Fast Ethernet ports, and ports E0/6 and E0/7 are PoE ports for use with PoE devices, such as IP phones or network cameras. You should remove password commands and enter the no shutdown command to bring up the desired interfaces. [confirm]
...interface to control the type of access to be permitted or denied to the DMZ server from inside hosts. ...interface is configured with a static address. The pings from PC-B to PC-A will not affect the NAT translation counts because both PC-B and PC-A are behind the firewall, and no translation takes place. In Part 3, you configured address translation using PAT for the inside network. You will configure it as the inside interface for this lab. The login password is used for Telnet connections (and SSH prior to ASA version 8.4). Add the inspection of ICMP traffic to the policy map list using the following commands: c. Display the default MPF policy map to verify that ICMP is now listed in the inspection rules. System config has been modified. Part 2: Accessing the ASA Console and Using CLI Setup Mode to Configure Basic Settings. Access the ASA console and view hardware, software, and configuration settings.
Executing command: same-security-traffic permit inter-interface
Factory-default configuration is completed
Erase configuration in flash memory?
Part 2 uses the CLI Setup mode. Instructions for erasing the ASA and accessing the console are provided in this lab. Inside users can access the DMZ and outside resources. Test connectivity to the ASA.
The first image found in disk0:/ will be used to boot the ...
Verify there is a valid image on disk0:/ or the system will ...
This default routed-mode firewall behavior of the ASA allows connections to be initiated from the INSIDE network to the OUTSIDE network, but not vice versa; the return traffic for those connections is permitted by stateful inspection. Connect to the ASA console port with a rollover cable. Note: Before you begin, ensure that the devices have been erased and have no startup configurations. In Part 2, the MGMT interface was configured with an IP address of 192.168.100.1.
On the Edit Service Policy Rule window, click the Rule Actions tab and select the ICMP check box. By default, all ASA physical interfaces are administratively down unless the Setup utility has been run, or the factory defaults have been reset. How does the configuration of the ASA firewall differ from that of an ISR? Attach the devices that are shown in the topology diagram and cable as necessary. (The clock is a 24-hour clock.) Part 3: Configure ASA Settings and Firewall Using the ASDM Startup Wizard. The date and time can be set manually using the clock set command. Step 4: Enable the HTTP server and configure a user account, encrypted passwords, and crypto keys for SSH. c. Ensure that the Use Static IP option is selected and enter an IP address of 192.168.2.1 with a subnet mask of 255.255.255.0. Save your ASA configuration for the next lab. The ASA default security policy permits outbound traffic, which is inspected by default. R1 should be able to ping the OUTSIDE interface of the ASA. Note: For added security, starting with ASA version 8.4(2), configure AAA authentication to support SSH connections. No console or enable passwords are required, and the default hostname is ciscoasa. f. Display the information for the Layer 3 VLAN interfaces using the show ip address command. ...which identifies basic settings for the ASA, including a list of contexts. The main categories on this screen are Interfaces, VPN, Routing, Properties, and Logging. Define a local user named admin. You can no longer connect to the ASA using SSH with the default username and the login password. However, ICMP echo replies returning from the outside are dropped by default, because ICMP is not inspected by the default firewall inspection policy.
There are five areas on the Device dashboard: o Device Information. The default route is derived from the DHCP default gateway. This lab employs an ASA 5505 to create a firewall and protect an internal corporate network from external intruders while allowing internal hosts access to the Internet. Ensure that the Modify Existing Configuration option is selected, and click Next to continue. Display the contents of flash memory using one of these commands: show flash, show disk0, dir flash:. Ping the DMZ server public address from R2 using the loopback interface as the source of the ping. Other devices will receive minimal configuration to support the ASA portion of the lab. Click Edit Site List. Step 2: Configure the DMZ server and static NAT. Part 1: Basic Router/Switch/PC Configuration. Part 2: Accessing the ASA Console and Using CLI Setup to Configure Basic Settings. Part 3: Configuring ASA Settings and Interface Security Using the CLI. Part 4: Configuring Routing, Address Translation, and Inspection Policy Using the CLI. Part 5: Configuring DHCP, AAA, and SSH. 3 PCs (Windows 7 or Windows 8.1, SSH client, and WinRadius).
To learn more about this feature, please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product?
You'll need to create an ACL with all the internal subnets permitted. These files are generated automatically by the ASA when it runs the file system check (fsck).
Optionally, you may wish to configure router R1 as a DHCP server to provide the necessary information to the ASA. 1. No, the ASA does not have a route to 10.1.1.0/30. Click Close to continue. Press Enter at each prompt to confirm the deletion. In Part 3, you will use the ASDM Startup Wizard to configure basic ASA settings and the firewall between the inside and outside networks. Note: You can also see the commands generated by using Tools > Command Line Interface and entering the show run command.
license udi pid ISR4221/K9 sn FGL23313183
username admin01 secret 9 $9$m1jhnk3g.tkrzF$gyTaS7FYmyJ3cy87mr40Yel6rs/NTqefCbXziAurHxg
...an ACL to allow access to the DMZ server from the Internet.
Note: The router commands and output in this lab are from a Cisco 1941 with Cisco IOS Release 15.4(3)M2 image with a Security Technology license. The password should be blank (no password) at this point. d. Configure the hostname for the switches. Configure the domain name as netsec.com. It provides outside users with limited access to the DMZ and no access to internal resources. On the Firewall menu, click the Public Servers option and click Add to define the DMZ server and services offered. a. Specify a password of cisco12345. Click OK to accept the changes. Note: If the ASA OUTSIDE interface was configured as a DHCP client, it could obtain a default gateway IP address from the ISP. a. Ping from the ASA to R1 G0/0 at IP address 209.165.200.225. You should be prompted with a user authentication login dialog box from the R1 GUI device manager. Click Add to create a new interface. Step 3: Configure AAA user authentication using the ASA local database. b. Configure the ASA hostname using the hostname command. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. a. Returning traffic is allowed due to stateful packet inspection. Use the type 9 (SCRYPT) hashing algorithm. To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. b. Assign VLAN 3 IP address 192.168.2.1/24, name it dmz, and assign a security level of 70. You will assign the IP address using ASDM.
The ASA used with this lab is a Cisco model 5505 with an 8-port integrated switch, running OS version 9.2(3), Adaptive Security Device Manager (ASDM) version 7.4(1), and comes with a Base license that allows a maximum of three VLANs. Assign the interface IP address. Configure the hostname, domain name, and enable password. The ASA acts like a router between the two networks. You will use public address 209.165.200.227 and static NAT to provide address translation access to the server.
[Y]es, [N]o, [A]sk later: N
In the future, if you would like to enable this feature, ...
The ASA has either a Base or a Security Plus license. It may be necessary to issue the ipconfig /renew command on PC-B to force it to obtain a new IP address from the ASA. Step 3: View the DMZ Access Rule generated by ASDM. Use the security passwords command to set a minimum password length of 10 characters. Note: You must complete Part 2 before beginning Part 3. a. Allow this user Full access (ASDM, SSH, Telnet, and console) and set the privilege level to 15. Set the date and time. Use the show run command to display the configuration for G1/3. The pings should be successful. The ASDM Welcome page will display.
By default, the ASA applies a policy where traffic from a higher security level interface to one with a lower level is permitted, and traffic from a lower security level interface to one with a higher security level is denied. The ASA default security policy permits outbound traffic, which is inspected by default. ...however, to egress the OUTSIDE interface on the ASA. Configure ASDM and verify access to the ASA. What software version is this ASA running? From PC-C, open an SSH client, such as PuTTY, and attempt to access the ASA outside interface at 209.165.200.226. The following example shows how to set the date and time using a 24-hour clock:
NETSEC-ASA(config)# clock set 2:23:00 feb 22 2021
Select the inside interface from the Interface drop-down list and click TCP from the Packet Type radio buttons. If prompted that the config has been modified and needs to be saved, respond with N, and then press Enter to proceed with the reload. Console cables to configure Cisco networking devices. [yes] In the above configuration, the IP address of the host running ASDM was left blank. To accommodate the addition of a DMZ and a web server, you will use another address from the ISP range assigned, 209.165.200.224/29 (.224-.231). Note: The next action you attempt within ASDM will require that you log in as admin01 with the password admin01pass. The actual output varies depending on the ASA model, version, and configuration status. Ping from the ASA to R1 G0/0/0 at IP address 172.16.3.1. How much flash memory does this ASA have? What version of ASDM is this ASA running? a. Ensure that PC-B has a static IP address of 192.168.1.3, a subnet mask of 255.255.255.0, and a default gateway of 192.168.1.1. [confirm] c. What is the name of the ASDM file in flash:? The password is blank by default, so press Enter.
The ASA initially prompts you to pre-configure the firewall using an interactive prompt. Save the basic running configuration for each router and switch. This will be explained further and configured in Part 6 of this lab. Answer Notes: Configuring the ASA as a DHCP client (informational only). The syntax for the clock set command is clock set hh:mm:ss {month day | day month} year. The pings should be successful. The ASA OUTSIDE interface is configured with a static IP address and subnet mask. Part 3: Configuring ASA Settings and Interface Security Using the CLI. In Part 3, you will configure basic settings by using the ASA CLI. An example of configuring PAT using the old commands is presented here for historical reference. In Part 2, you will configure routing, NAT, and the firewall between the inside and outside networks. 3 switches (Cisco 2960 or comparable) (not required). In Part 2, you will prepare the ASA for Adaptive Security Device Manager (ASDM) access. If these pings are not successful, troubleshoot the basic device configurations before continuing. Use the serial port settings of 9600 baud, 8 data bits, no parity, one stop bit, and no flow control. With the exception of the hostname, the switches can be left in their default configuration state. These Layer 3 VLAN interfaces are assigned security levels to control traffic from one interface to another. Verify connectivity between hosts, switches, and routers. Display the ASA file system using the show file system command. The pool size on the ASA 5505 with a Base license is limited to 32 addresses.
Based on the inside IP address and mask, the DHCP address
pool size is reduced to 250 from the platform limit 256.
No. Respond with no. Add SSH access to the ASA for the inside network 192.168.1.0 with a subnet mask of 255.255.255.0. You will then modify the default application inspection policy to allow specific traffic. Help to improve the ASA platform by enabling anonymous reporting, which allows Cisco to securely receive minimal error and health information from the device. a. External hosts access the server using its public static NAT address, the ASA translates it to the internal host IP address, and then applies the ACL; this is why the ACL is written against the real address (host 192.168.2.3) rather than the public address 209.165.200.227. There is no way to effectively list all the combinations of configurations for each router class. b. Use CLI Setup mode to configure basic settings (hostname, passwords, clock, etc.).
NETSEC-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
Router R1. In this lab, the student uses ASDM to configure these features. o Firewall. Review the summary and deliver the commands to the ASA. ...hits and addresses being translated for the HTTP connection. a. Beginning with ASA version 8.3, network objects are used to configure all forms of NAT. From PC-C, ping the R1 G0/0 IP address (209.165.200.225). Create a logical VLAN 2 interface for the outside network (209.165.200.224/29), set the security level to the lowest setting of 0, and access the VLAN 2 interface. In some cases, a task assumes the configuration of certain features in a prior task. Click User Accounts > Add.
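The admission rules scattered through this lab (higher-to-lower security level permitted and lower-to-higher denied, an inbound ACL overriding that rule, un-NAT before the ACL lookup, and return traffic admitted only when the protocol is inspected) can be replayed in a small model. The following Python is an added example written for this page; it is not Cisco code and not part of the lab. It assumes the lab's interface levels (inside 100, dmz 70, outside 0), the static NAT 192.168.2.3 to 209.165.200.227 and the OUTSIDE-DMZ ACL; source PAT for inside hosts is deliberately not modelled, so inside hosts appear with their real addresses, and the class, function and scenario names are the example's own.

```python
"""Toy model of ASA routed-mode flow admission: security levels, stateful return
traffic, ICMP inspection, un-NAT before ACL lookup, inbound ACLs. Illustration only."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str                     # address as it enters the ASA (mapped address for inbound NAT)
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dst: str                     # real (untranslated) host address, or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        return self.dport is None or self.dport == dport


class Asa:
    def __init__(self, levels, same_security_inter=False, inspect_icmp=False):
        self.levels = dict(levels)   # interface name -> security level 0..100
        self.same_security_inter = same_security_inter  # same-security-traffic permit inter-interface
        self.inspect_icmp = inspect_icmp                 # "inspect icmp" in the global policy map
        self.static_nat = {}         # mapped address -> real address (object network ... nat static)
        self.acl_in = {}             # ingress interface -> [AclEntry] (access-group ... in interface)
        self.conns = set()           # (proto, client, server_real, dport) of connections seen

    def admit(self, in_if, out_if, flow):
        """Decide the first packet of a flow entering in_if; returns (admitted, reason)."""
        # Since ASA 8.3 the destination is un-NATed first, so the ACL sees the real address.
        dst = self.static_nat.get(flow.dst, flow.dst)
        # Stateful inspection: a reply to a recorded connection is admitted regardless of level.
        if (flow.proto, flow.dst, flow.src, flow.sport) in self.conns:
            return True, "reply to existing connection"
        if in_if in self.acl_in:
            # An inbound ACL replaces the level rule; unmatched traffic hits the implicit deny.
            ok, reason = False, f"implicit deny at end of {in_if} ACL"
            for e in self.acl_in[in_if]:
                if e.matches(flow.proto, dst, flow.dport):
                    ok, reason = e.action == "permit", f"{e.action} by {in_if} ACL"
                    break
        else:
            a, b = self.levels[in_if], self.levels[out_if]
            ok = a > b or (a == b and self.same_security_inter)
            reason = f"security level {in_if}={a} -> {out_if}={b}"
        # Only inspected protocols leave a connection entry: without "inspect icmp" the echo
        # request leaves, but its reply is judged as a new, unsolicited low-to-high flow.
        if ok and (flow.proto != "icmp" or self.inspect_icmp):
            self.conns.add((flow.proto, flow.src, dst, flow.dport))
        return ok, reason


def lab_asa(inspect_icmp=False, dmz_acl=None):
    """Lab topology: inside=100, dmz=70, outside=0; DMZ server 192.168.2.3 is
    published as 209.165.200.227; an optional ACL is applied inbound on outside."""
    asa = Asa({"inside": 100, "dmz": 70, "outside": 0}, inspect_icmp=inspect_icmp)
    asa.static_nat["209.165.200.227"] = "192.168.2.3"
    if dmz_acl is not None:
        asa.acl_in["outside"] = list(dmz_acl)
    return asa


def demo():
    """Replays the lab's connectivity tests; returns {scenario: admitted}."""
    r, asa = {}, lab_asa()
    web = Flow("tcp", "192.168.1.3", "172.16.3.3", 49152, 80)        # PC-B browses to PC-C
    r["inside->outside tcp"] = asa.admit("inside", "outside", web)[0]
    r["reply to inside tcp"] = asa.admit("outside", "inside", Flow("tcp", "172.16.3.3", "192.168.1.3", 80, 49152))[0]
    echo = Flow("icmp", "192.168.1.3", "209.165.200.225")              # PC-B pings R1
    reply = Flow("icmp", "209.165.200.225", "192.168.1.3")
    r["icmp echo, no inspect"] = asa.admit("inside", "outside", echo)[0]
    r["icmp reply, no inspect"] = asa.admit("outside", "inside", reply)[0]
    asa_i = lab_asa(inspect_icmp=True)
    asa_i.admit("inside", "outside", echo)
    r["icmp reply, inspect icmp"] = asa_i.admit("outside", "inside", reply)[0]
    pub = Flow("tcp", "172.16.3.3", "209.165.200.227", 40001, 80)     # PC-C -> DMZ public address
    r["outside->dmz, no acl"] = lab_asa().admit("outside", "dmz", pub)[0]
    asa_a = lab_asa(dmz_acl=[AclEntry("permit", "ip", "192.168.2.3")])   # permit ip any host 192.168.2.3
    r["outside->dmz, permit ip"] = asa_a.admit("outside", "dmz", pub)[0]
    r["dmz reply to outside"] = asa_a.admit("dmz", "outside", Flow("tcp", "192.168.2.3", "172.16.3.3", 80, 40001))[0]
    r["outside->inside with dmz acl"] = asa_a.admit("outside", "inside", Flow("tcp", "172.16.3.3", "192.168.1.3", 40002, 80))[0]
    asa_w = lab_asa(dmz_acl=[AclEntry("permit", "tcp", "192.168.2.3", 80)])  # expose HTTP only
    r["http-only acl, port 80"] = asa_w.admit("outside", "dmz", pub)[0]
    r["http-only acl, port 22"] = asa_w.admit("outside", "dmz", Flow("tcp", "172.16.3.3", "209.165.200.227", 40003, 22))[0]
    r["dmz->inside"] = asa.admit("dmz", "inside", Flow("tcp", "192.168.2.3", "192.168.1.3", 40004, 445))[0]
    r["inside->dmz"] = asa.admit("inside", "dmz", Flow("tcp", "192.168.1.3", "192.168.2.3", 40005, 80))[0]
    return r
```

Calling demo() walks the same checks the lab performs from PC-B and PC-C: the inside-to-outside TCP flow and its reply pass, the ICMP reply is dropped until ICMP is inspected, the DMZ server is unreachable from outside until the ACL is applied, and a tighter ACL that names only TCP/80 still lets the web test succeed while blocking SSH to the same public address.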
However, to manually configure the default gateway, or to set it to a different networking device's IP address, use the following command:
NETSEC-ASA(config)# dhcpd option 3 ip 192.168.1.1
dhcpd address 192.168.1.5-192.168.1.100 INSIDE
From PC-C, ping the R1 G0/0/1 IP address (209.165.200.225). If the password has been changed to what is specified in this lab, enter the word class. d. In the Add Public Server dialog, click the ellipsis button to the right of Private Service. It is not necessary to install ASDM on a host. Use the type 9 (SCRYPT) hashing algorithm and set the privilege level to 15. d. Configure the console and VTY lines to use the local database for login. ...file is missing and prompt you to pre-configure the firewall using interactive prompts. In this step, you will configure the ASA as a DHCP server to dynamically assign IP addresses for DHCP clients on the inside network. Configure the ASA to allow HTTPS connections from any host on the inside network (192.168.1.0/24). From the Configuration screen > Device Setup menu, click Routing > Static Routes. ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores). Configure the ASA DMZ VLAN 3 interface. R1 G0/0 and the ASA outside interface are already using 209.165.200.225 and .226.
enable secret 5 $1$IqzA$Yleqbiia3ztmP6txGC0KF.
The objective here is not to use the ASDM configuration screens, but to verify HTTP/ASDM connectivity to the ASA. a. This causes the ASA to come up in CLI Setup mode. c. From the Browse Private IP Address window, verify that the DMZ-Server appears in the Selected Private IP Address field and click OK. You will return to the Add Public Server dialog box. Note: You must complete the previous part before beginning this part. However, in this lab, the outside interface is configured with a static address. Configure the DMZ interface VLAN 3 on the ASA. For additional security, configure the lines to log out after five minutes of inactivity. R1 represents a customer-premises equipment (CPE) device managed by the ISP. You can modify this ACL to allow only services that you want to be exposed to external hosts, such as web (HTTP) or file transfer (FTP). How many Ethernet ports does this ASA have? The system image file in the ASA for this lab is asa9-15-1-1-lfbff-k8.SPA, and it was loaded from disk0: (or flash:). Attempt to set the range from 192.168.1.5 through 192.168.1.100.
show file system (the index and size columns of the dir listing below are run together as extracted):
* 7365472256  3859148800  disk  rw  disk0:  flash:
2838925172  Jan 24 2021 20:50:06  asdm-7151.bin
3531000  Oct 28 2020 13:46:04  log/asa-appagent.log
52265  Feb 19 2021 15:25:22  log/asa-cmd-server.log
1659  Aug 29 2017 14:26:28  coredumpinfo/coredump.cfg
3135209829  Oct 04 2017 03:17:02  anyconnect-win-4.5.02033-webdeploy-k9.pkg
3270744710  Oct 28 2020 22:31:52  anyconnect-win-4.9.03049-webdeploy-k9.pkg
33137859680  Jan 24 2021 20:47:30  asa9-15-1-1-lfbff-k8.SPA
639  Feb 19 2021 15:25:23  snortpacketinfo.conf
7365472256 bytes total (3859148800 bytes free)
[Y]es/[N]o: Use the Setup interactive CLI mode to configure basic settings. b.
NETSEC-ASA(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: ...
Keypair generation process begin.
However, the ASA does not have a gateway of last resort defined. Enable HTTP access to R1 using the ip http server command in global config mode. b. Repeat the dhcpd command and specify the pool as 192.168.1.5-192.168.1.36. c. (Optional) Specify the IP address of the DNS server to be given to clients. b. Open an SSH client on PC-B, such as PuTTY, and connect to the ASA inside interface at IP address 192.168.1.1. b. Note: If you are working with the ASA 5505 Base license, you will see the error message shown in the output below. On the Configuration screen > Firewall area menu, click Service Policy Rules. ...the returning echo replies were blocked by the firewall policy. o Remote Access VPN.
NETSEC-ASA(config)# access-list OUTSIDE-DMZ permit ip any host 192.168.2.3
NETSEC-ASA(config)# access-group OUTSIDE-DMZ in interface OUTSIDE
This entry permits every protocol to the server; once the test succeeds, tighten it to the services you actually expose. The default is to use the IP address of the outside interface. In the example, inside addresses from the 192.168.1.0/24 network are being translated using the address of the outside interface. Note: Other parameters can be specified for clients, such as WINS server, lease length, and domain name. The traceroute should succeed and show the hops from the ASA through R1, R2, and R3 to host PC-C. Click Close to continue. Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in the IP Addressing Table.
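The DHCP steps above (the pool 192.168.1.5-192.168.1.100 rejected on a 5505 Base license, the 32-address pool 192.168.1.5-192.168.1.36 accepted, the optional DNS server and the dhcpd option 3 gateway) can be checked before the commands are typed. The following Python is an added example for this page, not Cisco code and not part of the lab. It assumes the limits the lab states (32 clients for the 5505 Base license, a platform figure of 256) and, as its own assumption, caps the pool at the usable host count of the interface subnet rather than reproducing the exact reduced figure the ASA prints; the function names are the example's own.

```python
"""Validate and emit an ASA dhcpd configuration for an inside interface. Illustration only."""
import ipaddress
from typing import List, Optional, Tuple

PLATFORM_POOL_LIMIT = 256           # platform limit the ASA reports before reducing it to the subnet
ASA5505_BASE_LICENSE_CLIENTS = 32   # DHCP client limit the lab quotes for the 5505 Base license


def check_dhcp_pool(interface_cidr: str, start: str, end: str,
                    license_limit: Optional[int] = None) -> Tuple[bool, str, int]:
    """Return (ok, message, pool_size) for `dhcpd address start-end` on the given interface."""
    iface = ipaddress.ip_interface(interface_cidr)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if hi < lo:
        return False, "pool end precedes pool start", 0
    size = int(hi) - int(lo) + 1
    net = iface.network
    if lo not in net or hi not in net:
        return False, f"pool {start}-{end} is not inside {net}", size
    if lo <= iface.ip <= hi:
        return False, f"pool includes the interface address {iface.ip}", size
    # Assumption: cap at usable hosts minus the interface's own address; the ASA's exact
    # "reduced from the platform limit" arithmetic is not reproduced here.
    subnet_cap = min(PLATFORM_POOL_LIMIT, net.num_addresses - 3)
    if size > subnet_cap:
        return False, f"pool of {size} addresses exceeds subnet capacity {subnet_cap}", size
    if license_limit is not None and size > license_limit:
        return False, f"pool of {size} addresses exceeds the license limit of {license_limit} clients", size
    return True, "ok", size


def dhcpd_commands(iface_name: str, interface_cidr: str, start: str, end: str,
                   dns: Optional[str] = None, gateway: Optional[str] = None,
                   license_limit: Optional[int] = None) -> List[str]:
    """Emit the lab's dhcpd commands for a valid pool, or raise ValueError with the reason."""
    ok, msg, _ = check_dhcp_pool(interface_cidr, start, end, license_limit)
    if not ok:
        raise ValueError(msg)
    cmds = [f"dhcpd address {start}-{end} {iface_name}"]
    if dns:
        cmds.append(f"dhcpd dns {dns}")
    if gateway:   # omitted, the ASA hands out its own interface address as the default gateway
        cmds.append(f"dhcpd option 3 ip {gateway}")
    cmds.append(f"dhcpd enable {iface_name}")
    return cmds


if __name__ == "__main__":
    for rng in (("192.168.1.5", "192.168.1.100"), ("192.168.1.5", "192.168.1.36")):
        print(rng, check_dhcp_pool("192.168.1.1/24", *rng, license_limit=ASA5505_BASE_LICENSE_CLIENTS))
    print("\n".join(dhcpd_commands("INSIDE", "192.168.1.1/24", "192.168.1.5", "192.168.1.100",
                                   dns="10.20.30.40")))
```

Run with a license_limit of 32 the first range is rejected as 96 addresses, exactly the situation the lab's error message describes, while on the 5506-X (no license cap passed) the same range is accepted and the generated commands match those shown above.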
Configure static routing, including default routes, between R1, R2, and R3. Note: R1 does not need any routing, as all inbound packets from the ASA will have 209.165.200.226 as the source IP address. b. Step 2: Configure address translation using PAT and network objects. Depending on the router model and Cisco IOS version, the available commands and output produced might vary from what is shown in this lab. Respond to the Setup interactive prompts as shown here, after the ASA reloads.
The ASA used with this lab is a Cisco model 5506-X with an 8-port integrated switch, running OS version 9.15(1) and Adaptive Security Device Manager (ASDM) version 7.15(1). Step 6: Use the Setup interactive CLI mode to configure basic settings. When the entries are completed, click Next to continue. b. Ping from the ASA to R1 S0/0/0 at IP address 10.1.1.1. In this part of the lab, you will create a DMZ on the ASA, configure static NAT to a DMZ server, and apply an ACL to control access to the server.
Please remember to save your configuration.
However, this is not considered to be a good security practice. In the next lab, you will use ASDM extensively to configure the ASA. In this part, you will set up the network topology and configure basic settings on the routers, such as interface IP addresses and static routing. With the ASA 5505, the eight integrated switch ports are Layer 2 ports. To replace the RSA key pair, enter ... Step 6: Configure ASDM access to the ASA. anyconnect-win-4.5.02033-webdeploy-k9.pkg, anyconnect-win-4.9.03049-webdeploy-k9.pkg. Check the content of flash memory occasionally to see if there are FSCK*.REC files. The final running configs for all devices are found at the end of the lab. Exit the browser. In the Add Interface dialog box, select port Ethernet0/2 and click Add. f. On the ASDM Tools menu, select Traceroute and enter the IP address of external host PC-C (172.16.3.3). If prompted to save the configuration to flash memory, respond with Yes.
The Outside VLAN interface is named outside, and the security level is set to 0 (lowest). Use the reload command to restart the ASA. On the ASDM Tools menu, select Ping and enter the IP address of router R1 S0/0/0 (10.1.1.1). Note: The IOS command erase startup-config is not supported on the ASA; use write erase to clear the startup configuration. Verify the DHCP daemon configuration by using the show dhcpd state command (and show dhcpd binding once a client has obtained a lease). Access the Network Connection IP Properties for PC-B, and change it from a static IP address to a DHCP client so that it obtains an IP address automatically from the ASA DHCP server. All ASA ports (other than E0/0, in some cases) are in VLAN 1 by default. The modulus (in bits) can be 512, 768, 1024, or 2048; generate at least a 2048-bit key, because 512- and 768-bit RSA keys are trivially factorable and 1024-bit keys are deprecated. On the Startup Wizard Step 2 screen, configure the ASA hostname CCNAS-ASA and domain name ccnasecurity.com. Enter the DNS Server 1 address of 10.20.30.40 and the Domain Name ccnasecurity.com. Display the default MPF policy map that performs the inspection on inside-to-outside traffic. Attach the devices shown in the topology diagram and cable as necessary. By default, inside users can access the outside without an access list, and outside users are prevented from accessing the inside. Inside users can access the DMZ and outside resources. The selection of any4 translates to a quad-zero (0.0.0.0/0) default route. Configure the inside and outside VLAN interfaces. Layer 3 VLAN interfaces provide access to the three areas created in the lab: Inside, Outside, and DMZ. Instructor Notes: Configuring the ASA as a DHCP client (informational only). Click Close to continue. Note: Setup mode does not configure the ASA with factory defaults as described in Step 4.
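The inside/outside interface design described above (named interfaces, security levels 100 and 0, the VLAN-to-port mapping on a 5505, and the default route that gives the ASA a gateway of last resort), written out as one added configuration. This is an illustrative listing, not the lab's own final running config; the addresses and interface names come from the lab, while the port-to-VLAN mapping (E0/0 outside, E0/1 inside) and the 5506-X port numbering in the comments are assumptions.

```cisco
! Added example: ASA 5505 basic interface and routing configuration.
! Inside and outside names, security levels and addresses follow the lab;
! which physical port carries which VLAN is assumed here.
hostname NETSEC-ASA
domain-name ccnasecurity.com
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
! Gateway of last resort toward R1. Without it the ASA can only reach
! directly connected subnets, so PAT'd traffic to the Internet fails.
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
! The 5506-X has no integrated switch; the same design uses routed ports
! (port numbers assumed):
! interface GigabitEthernet1/1
!  nameif outside
!  security-level 0
!  ip address 209.165.200.226 255.255.255.248
! interface GigabitEthernet1/2
!  nameif inside
!  security-level 100
!  ip address 192.168.1.1 255.255.255.0
```

With only this configuration the implicit policy already applies: hosts on inside (level 100) can open connections to outside (level 0) and receive the replies, while anything initiated from outside is dropped. Verify the interfaces with show interface ip brief and the default route with show route; the route is what the Setup wizard's any4 selection produces.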
How many Ethernet ports does this ASA have? You will use the public address 209.165.200.227 and static NAT to provide address translation access to the server. ____________________________________________________________________________________ Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1. The system image file in the ASA for this lab is asa923-k8.bin, and it was loaded from disk0: (or flash:). These will be configured later in this lab using the CLI. Note: If the Cisco Smart Call Home window appears, click Do not enable Smart Call Home and click OK. f. Click the Configuration and Monitoring buttons to become familiar with their layout and to see what options are available. The ASA can be managed using a built-in GUI known as ASDM. The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall, VPN, and other capabilities. a. If you are unable to access ASDM, check your configuration: the http server must be enabled, the PC-B subnet must be permitted by the http command on the inside interface, and the browser must accept the ASA's self-signed certificate. You will configure address translation using network objects to enhance firewall security. _______________________________________________________________________________________ In Part 4, you will configure additional settings via the ASDM configuration menu. The ASA 5506-X has eight integrated routed GigabitEthernet ports; unlike the 5505, it has no integrated Layer 2 switch. Configure basic settings for routers and switches. From PC-C, ping the IP address of the static NAT public server address (209.165.200.227). The Security Level should be automatically set to the highest level of 100. What software version is this ASA running? Other devices will receive minimal configuration to support the ASA portion of this lab. c. From PC-B, attempt to ping the R1 G0/0 interface at IP address 209.165.200.225.
Click Apply at the Public Servers screen to send the commands to the ASA. Note: Unlike IOS ACLs, the ASA ACL permit statement must reference the internal private DMZ address. Since ASA 8.3, access lists are evaluated against the real (untranslated) address, so the entry permits traffic to 192.168.2.3, not to the public 209.165.200.227. o VPN Sessions. To enable the ASA to reach external networks, you will configure a default static route on the ASA OUTSIDE interface. Note: Depending on the processes and daemons running on the particular computer used as PC-B, you may see more translated and untranslated hits than the four echo requests and echo replies. Press Enter. Verify that PC-B was assigned an IP address from 192.168.1.5 to 192.168.1.100, which will most likely be 192.168.1.5. Enter global configuration mode using the configure terminal command. The login password is used for Telnet connections (and SSH prior to ASA version 8.4). The pings should not be successful. 4) Click OK to add the IP address.
ip address 209.165.200.226 255.255.255.248
Note: To avoid using the switches, use a crossover cable to connect the end devices directly. Configure an ACL that permits any IP protocol from any external host to the internal IP address of the DMZ server. Ensure that the Enable HTTP server for HTTPS/ASDM access check box is selected. The menu at the top left of the screen contains three main sections: Home, Configuration, and Monitoring. The pings should be successful this time because ICMP traffic is now being inspected and legitimate return traffic is being allowed. Modify the default application inspection policy to allow specific traffic. Determine the current running configuration. o Traffic Status. There will be no connectivity between devices that are connected to the ASA because the ASA is the focal point for the network zones and it has not been configured. a. Configure a static default route from R1 to R2 and from R3 to R2. Configure the ASA hostname as NETSEC-ASA.
You will configure the ASA for additional services, such as DHCP, AAA, and SSH. Generate an RSA key pair, which is required to support SSH connections. The procedure to do this varies depending on the PC operating system. Note: This time the flag is s, which indicates a static translation. Configure DHCP, address translation, and administrative access. The switches used in the labs are Cisco Catalyst 2960+ with Cisco IOS Release 15.2(7) (lanbasek9 image). Optionally, you may wish to configure router R1 as a DHCP server to provide the necessary information to the ASA. Objects and groups allow the creation of modular structures and the configuration of attributes. Router R1 G0/0 and the ASA outside interface are already using 209.165.200.225 and .226. In Part 1 of this lab, you will set up the network topology and configure basic settings on the routers, such as interface IP addresses and static routing. Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. This lab employs an ASA 5506-X to create a firewall and protect an internal corporate network from external intruders while allowing internal hosts access to the Internet. e. Display the status for all ASA interfaces using the show interface ip brief command. In Part 3, you will configure basic settings by using the ASA CLI, even though some of them were already configured using the Setup mode interactive prompts in Part 2. The ASA splits the configuration into the object portion that defines the network to be translated and the actual nat command, which is entered within that object. In Part 2, you will explore two ways to configure basic ASA settings.
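The PAT, DHCP and administrative-access steps described above (network object with the nat command inside it, the inside DHCP scope with DNS and domain name, local AAA for SSH and ASDM), as one added configuration listing rather than the lab's own final config. The object name INSIDE-NET matches the show nat output later on this page; the DHCP range, DNS server, domain name and admin01 credentials come from the lab; restricting SSH and HTTPS to the inside subnet is an assumption made here as a least-privilege default.

```cisco
! Added example: PAT for the inside network, DHCP scope, and management access.
! Object name INSIDE-NET is taken from the lab's show nat output; the inside-only
! management restriction is a choice made for this example.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! DHCP for inside clients. The ASA hands out its own inside address as the
! default gateway unless dhcpd option 3 is configured.
dhcpd address 192.168.1.5-192.168.1.100 inside
dhcpd dns 10.20.30.40
dhcpd domain ccnasecurity.com
dhcpd enable inside
!
! Local user and AAA: with these lines SSH and ASDM logins use the local
! database rather than the Telnet-style login password.
username admin01 password admin01pass privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
! 2048-bit key; 512/768/1024-bit moduli are accepted but should not be used.
crypto key generate rsa modulus 2048
!
! Permit SSH and HTTPS/ASDM only from the inside subnet, never from outside.
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
```

After a client on PC-B renews its lease, show dhcpd binding lists the address handed out (192.168.1.5 if it is the first client), and a ping from PC-B to R1 followed quickly by show xlate shows a dynamic PAT entry with the source rewritten to 209.165.200.226. The ssh and http lines are the actual access control for management: omitting them, or adding an outside entry, exposes the management plane to the Internet-facing interface.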
If the pings fail, troubleshoot the configuration as necessary. In addition, the process of moving between configuration modes and sub-modes is essentially the same. 2) In the Java Control Panel, select the Security tab. However, the ASA does not have a gateway of last resort defined. The focus of this lab is the configuration of the ASA as a basic firewall. The ASA can be both a DHCP server and a DHCP client. In the next lab, you will extend your current configuration, adding a DMZ, routing, NAT, DHCP, AAA, and SSH. Pre-configure Firewall now through interactive prompts [yes]? Pings from outside host PC-C to the DMZ server are counted as untranslated hits, because they match the static rule in the reverse (mapped-to-real) direction.

####### Begin to apply factory-default configuration:
####### Executing command: interface Management1/
####### Executing command: management-only
####### Executing command: no security-level
####### Executing command: interface GigabitEthernet1/
####### Executing command: nameif outside

R3 represents an ISP that connects an administrator from a network management company, who has been hired to remotely manage your network. ____________________________________________________________________________________ In Parts 2 through 4 you will configure basic ASA settings and the firewall between the inside and outside networks. e. Ping from PC-B to R1 again and quickly issue the show xlate command to see the addresses being translated. f. Configure line console 0 to use the local user database for logins. If these pings are not successful, troubleshoot the basic device configurations before continuing. c. Close the browser.
Sending 5, 100-byte ICMP Echos to 209.165.200.227, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

1 (DMZ) to (OUTSIDE) source static DMZ-server 209.165.200.227
2 (INSIDE) to (OUTSIDE) source dynamic INSIDE-NET interface

However, to manually configure the default gateway, or set it to a different networking device's IP address, use the following command: d. Enable the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface (inside). Click Close to continue.

NETSEC-ASA(config-if)# show interface ip brief
Interface    IP-Address    OK?

a. Note: Other parameters can be specified for clients, such as WINS server, lease length, and domain name. Step 1: Configure the ASA as a DHCP server. A network object is created, and it is within this object that NAT is configured. The pings should be successful because of the interface security levels and because ICMP is now inspected by the global inspection policy, which matches each echo reply to the outbound echo request and allows it back in. The R1 HTTP server was enabled in Part 1. You will clear the current configuration and use the CLI interactive setup utility to configure basic ASA settings. c. Enter privileged mode with the enable command and password (if a password has been set). Step 3: Configure an ACL to allow access to the DMZ server from the Internet. Assign ASA physical interface E0/2 to DMZ VLAN 3 and enable the interface. Configuring the VLAN management IP address for the switches is optional. What is the name of the system image file and from where was it loaded?
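The DMZ steps scattered across this page (assign E0/2 to VLAN 3, static NAT for the dmz-server object, an ACL on the outside interface that names the real address, and ICMP inspection in the default MPF policy), collected into one added configuration. This is not the lab's own listing: the object name dmz-server, the server address 192.168.2.3 and the public address 209.165.200.227 come from the lab, while the DMZ interface address 192.168.2.1, the security level 70 and the ACL name OUTSIDE-DMZ are assumptions.

```cisco
! Added example: DMZ interface, static NAT, outside ACL and ICMP inspection.
! Interface address, security level and ACL name are assumed; object name and
! server/public addresses are the lab's.
!
! On a 5505 Base license only three VLANs are allowed and the third must be
! restricted from initiating traffic to one other VLAN before it gets a name.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Static one-to-one NAT lives inside the network object (post-8.3 syntax).
object network dmz-server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.227
!
! Since ASA 8.3 ACLs are evaluated against the REAL address, so the entry
! names 192.168.2.3, not 209.165.200.227. "permit ip any" is what the lab
! asks for; in production narrow it to the exposed services, for example:
!   access-list OUTSIDE-DMZ extended permit tcp any host 192.168.2.3 eq www
access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
access-group OUTSIDE-DMZ in interface outside
!
! Add ICMP to the default inspection policy so echo replies to inside hosts
! are matched statefully instead of being dropped at the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
```

A ping from PC-C to 209.165.200.227 now succeeds; show nat reports it under untranslate_hits for the static rule, show xlate shows the entry with the s (static) flag, and show access-list OUTSIDE-DMZ shows the hit count climbing. Without inspect icmp, inside-to-outside pings fail even though TCP and UDP work, because ICMP is not tracked statefully by default and the replies arrive on the lower-security interface with no matching connection.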
The date and time can be set manually using the clock set command. The inside interface is configured with an IP address of 192.168.1.1 on the inside network, 192.168.1.0/24. Enter the username admin01 and the password admin01pass. Note: HTTP server access will be used to demonstrate ASDM tools in Part 3. Set the console and VTY passwords to cisco. In Part 4 of this lab, you will configure NAT to increase the firewall protection. ____________________________________________________________________________________ You can change this setting by using the CLI logging synchronous command or go to ASDM Device Management > Management Access > ASDM/HTTP/Telnet/SSH. Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in the IP Addressing Table. There are more security features and default settings, such as interface security levels, built-in ACLs, and default inspection policies. You can restore the ASA to its factory default settings by using the configure factory-default command. You will prepare the ASA for ASDM access and explore ASDM screens and options. Note: Before beginning, ensure that the routers and switches have been erased and have no startup configuration. Accessing the ASA via the console port is the same as with a Cisco router or switch. An example of this might be an ISDN BRI interface. In the Add Public Server dialog box, specify the Private Interface as dmz, the Public Interface as outside, and the Public IP address as 209.165.200.227. b. Click the ellipsis button to the right of Private IP Address. R1 should be able to ping the OUTSIDE interface for the ASA. In this step, you will create internal and external VLAN interfaces, name them, assign IP addresses, and set the interface security level. There are five main configuration areas:
o Device Setup
Determine the file system and contents of flash memory.
Enable password [