Configuration of the ASA-5506
The ASA primarily serves as the link between the provider subnet and the internal networks that are provided by the router. In this case the ASA builds three DMZ networks, manages the public subnet and NATs it towards the internal networks and the outside. As its second function, the ASA performs packet inspection and checks traffic against the policies of the ASA Firepower module in order to keep attackers out. As its third function, the ASA provides VPN access in three forms: AnyConnect, clientless and VPN web access. The ASA is needed in particular for the NAT towards the VCSE, so that home-office users can reach the internal services. When there are several networks, the ASA should be operated in routed mode, because transparent mode only works with a single subnet.

The deployment has changed slightly here. Since I managed to bridge the management interfaces together and to update the ASA to the latest version, the unmanaged switch is no longer needed (ASA 9.7 and later).
Below is the shortened example configuration of the ASA. All arguments marked with (cleared) must be replaced with the correct information.
: Saved
:
: Serial Number: (cleared)
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(1)
!
hostname (cleared)
enable password (cleared)
names
ip local pool VPN-Pool-Internal 192.168.178.200-192.168.178.254 mask 255.255.255.0
ip local pool VPN-Pool-DMZ 192.168.100.200-192.168.100.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 217.24.238.7 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 2
 nameif dmz-01
 security-level 50
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif internal-01
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif internal-02
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 3
 nameif inside-01
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 3
 nameif inside-02
 security-level 100
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif internal
 security-level 100
 ip address 192.168.178.1 255.255.255.0
!
interface BVI2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface BVI3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
banner login You have logged in to a secure device.
banner login If you are not authorized to access this device,
banner login log out immediately or risk possible criminal consequences.
boot system disk0:/asa981-lfbff-k8.SPA
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup dmz-01
dns domain-lookup internal-01
dns domain-lookup internal-02
dns domain-lookup inside-01
dns domain-lookup inside-02
dns domain-lookup internal
dns domain-lookup dmz
dns domain-lookup inside
dns server-group DefaultDNS
 name-server (cleared) outside
 name-server (cleared) outside
 name-server 10.1.2.7 internal-01
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.178.192_26
 subnet 192.168.178.192 255.255.255.192
object network DEBOBBRT01
 host 192.168.178.2
object network DEBOBFIRE01
 host 192.168.1.2
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp6
 service-object tcp destination eq https
 service-object tcp destination eq www
 service-object tcp destination eq ssh
 service-object udp destination eq 4172
object-group service DM_INLINE_SERVICE_2
 service-object tcp destination eq 5061
 service-object tcp destination eq 5222
 service-object tcp destination eq 8443
 service-object tcp destination eq https
 service-object ip
access-list AnyConnect_Client_Local_Print extended permit ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list internal_access_in extended permit ip any any
access-list internal_access_in_2 extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
access-list Split-Tunnel standard permit 10.1.0.0 255.255.0.0
access-list inside-01_access_in extended permit ip any any
access-list dmz_access_in_1 extended permit ip any any
access-list inside-02_access_in extended permit ip any any
access-list internal-01_access_in extended permit ip any any
access-list inside_access_in_2 extended permit ip any any
access-list internal-02_access_in extended permit ip any any
access-list dmz-01_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging buffered notifications
logging trap notifications
logging asdm notifications
mtu outside 1500
mtu dmz-01 1500
mtu internal-01 1500
mtu internal-02 1500
mtu inside-01 1500
mtu inside-02 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz-01
icmp permit any internal-01
icmp permit any internal-02
icmp permit any inside-01
icmp permit any inside-02
icmp permit any internal
icmp permit any dmz
icmp permit any inside
asdm image disk0:/asdm-781.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (dmz-01,outside) source static (cleared) (cleared)
nat (outside,outside) source dynamic any interface
nat (outside,any) source static VPN-User-Subnet-all VPN-User-Subnet-all no-proxy-arp
nat (outside,any) source static NETWORK_OBJ_192.168.178.192_26 NETWORK_OBJ_192.168.178.192_26 no-proxy-arp
!
nat (inside-02,outside) after-auto source dynamic any interface
nat (internal-01,outside) after-auto source dynamic any interface
nat (inside-01,outside) after-auto source dynamic any interface
nat (internal-02,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group dmz-01_access_in in interface dmz-01
access-group internal-01_access_in in interface internal-01
access-group internal-02_access_in in interface internal-02
access-group inside-01_access_in in interface inside-01
access-group inside-02_access_in in interface inside-02
access-group internal_access_in_2 in interface internal
access-group dmz_access_in_1 in interface dmz
access-group inside_access_in_2 in interface inside
route outside 0.0.0.0 0.0.0.0 (cleared) 1
route internal 10.1.1.0 255.255.255.0 192.168.178.2 1
route internal 10.1.2.0 255.255.255.0 192.168.178.2 1
route internal 10.1.3.0 255.255.255.0 192.168.178.2 1
route dmz (cleared) 255.255.255.255 192.168.100.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL auto-enable
aaa authorization http console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 internal-01
http 0.0.0.0 0.0.0.0 internal-02
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside-01
http 0.0.0.0 0.0.0.0 inside-02
http 0.0.0.0 0.0.0.0 dmz-01
http redirect outside 80
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name (cleared)
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate (cleared)
 quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate (cleared)
 quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 65300
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 internal-01
ssh 0.0.0.0 0.0.0.0 inside-01
ssh 0.0.0.0 0.0.0.0 inside-02
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access internal
dhcpd auto_config outside
!
dhcpd address 192.168.178.20-192.168.178.200 internal
dhcpd dns (cleared) 10.1.2.7 interface internal
dhcpd lease 640000 interface internal
dhcpd domain (cleared) interface internal
dhcpd enable internal
!
dhcpd address 192.168.100.20-192.168.100.200 dmz
dhcpd dns (cleared) 10.1.2.7 interface dmz
dhcpd lease 640000 interface dmz
dhcpd domain (cleared) interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.1.20-192.168.1.200 inside
dhcpd dns (cleared) 10.1.2.7 interface inside
dhcpd lease 640000 interface inside
dhcpd domain (cleared) interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 130.149.17.21 source outside prefer
ntp server 141.35.1.80
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 port 65300
 enable outside
 dtls port 65300
 anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 2
 anyconnect profiles Deliberate-Anyconnect_client_profile disk0:/Deliberate-Anyconnect_client_profile.xml
 anyconnect profiles Deliberate-Anyconnect_tunnel_all disk0:/deliberate-anyconnect_tunnel_all.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_(cleared)_Anyconnect_tunnel_all internal
group-policy GroupPolicy_(cleared)Anyconnect_tunnel_all attributes
 dns-server value 8.8.8.8 10.1.2.7
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value VPN-Pool-DMZ
 client-firewall none
 webvpn
  anyconnect profiles value (cleared)-Anyconnect_tunnel_all type user
group-policy GroupPolicy_(cleared)-Anyconnect internal
group-policy GroupPolicy_(cleared)-Anyconnect attributes
 banner value Willkommen im Firmen Netzwerk der (cleared)!
 banner value Sollten Sie nicht berechtigt sein dieses zu nutzen, brechen Sie die Verbindung zum VPN sofort ab.
 banner value Andernfalls werden Strafrechtliche Konsequenzen folgen.
 banner value
 banner value mit freundlichen Grüßen,
 banner value der Administrator
 wins-server none
 dns-server value 8.8.8.8 10.1.2.7
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain value (cleared)
 ip-phone-bypass enable
 address-pools value VPN-Pool-Internal
 webvpn
  anyconnect keep-installer installed
  anyconnect profiles value (cleared)-Anyconnect_client_profile type user
  anyconnect ask none default webvpn
  always-on-vpn profile-setting
group-policy GroupPolicy_Deliberate-Clientless internal
group-policy GroupPolicy_Deliberate-Clientless attributes
 banner value Willkommen im Firmen Netzwerk der (cleared)!
 banner value Sollten Sie nicht berechtigt sein dieses zu nutzen, brechen Sie die Verbindung zum VPN sofort ab.
 banner value Andernfalls werden Strafrechtliche Konsequenzen folgen.
 banner value
 banner value mit freundlichen Grüßen,
 banner value der Administrator
 dns-server value 8.8.8.8 10.1.2.7
 vpn-tunnel-protocol ssl-clientless
 default-domain value (cleared)
 webvpn
  url-list value Internal-Services
  anyconnect ask none default webvpn
  file-entry enable
  file-browsing enable
  url-entry enable
dynamic-access-policy-record DfltAccessPolicy
 network-acl AnyConnect_Client_Local_Print
 webvpn
  url-list value Internal-Services
  file-browsing enable
  file-entry enable
  url-entry enable
  svc ask enable default webvpn
  always-on-vpn profile-setting
username (cleared) password (cleared)
tunnel-group (cleared)-Anyconnect type remote-access
tunnel-group (cleared)-Anyconnect general-attributes
 address-pool VPN-Pool-Internal
 default-group-policy GroupPolicy_(cleared)-Anyconnect
tunnel-group (cleared)-Anyconnect webvpn-attributes
 radius-reject-message
 proxy-auth sdi
 group-alias (cleared)-Anyconnect enable
tunnel-group (cleared)-Clientless type remote-access
tunnel-group (cleared)-Clientless general-attributes
 address-pool VPN-Pool-Internal
 default-group-policy GroupPolicy_(cleared)-Clientless
tunnel-group (cleared)-Clientless webvpn-attributes
 radius-reject-message
 proxy-auth sdi
 group-alias (cleared)-Clientless enable
tunnel-group (cleared)-Anyconnect_tunnel_all type remote-access
tunnel-group (cleared)-Anyconnect_tunnel_all general-attributes
 address-pool VPN-Pool-DMZ
 default-group-policy GroupPolicy_(cleared)_Anyconnect_tunnel_all
tunnel-group (cleared)-Anyconnect_tunnel_all webvpn-attributes
 group-alias (cleared)-Anyconnect_all enable
!
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class global-class
  sfr fail-open monitor-only
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
 contact-email-addr (cleared)
 source-interface outside
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum: (cleared)
: end
Parts of this configuration can be pasted directly in conf t mode. Others have to be entered step by step according to the Cisco command guide, depending on their syntax.
So if you cannot apply a part of the config directly, check the syntax with the help of Google and prepare the config a little. It is also possible that your current IOS software version does not yet support certain commands. For that I have put together a small upgrade guide further below.
Please do not forget to issue the "wr" command so that the configuration is also saved to the system flash.
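Before reusing a configuration like the one above, it pays to run it through a small review script. The following Python is an added example, not part of the original post or of any Cisco tooling: it splits a running-config into commands and their indented sub-commands and flags the settings a reviewer would question first, namely ssh/http management access from any source on the outside interface, the dh-group1-sha1 SSH key exchange, DES/3DES in the IKEv2 proposals and policies, and interface ACLs that permit ip any any. The config excerpt it runs over is a constructed subset of the lines shown above.

```python
# Constructed excerpt of the ASA 5506 running-config shown above (a handful of
# its lines, not the whole configuration); the audit below runs over this text.
SAMPLE_CONFIG = """\
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 internal-01
ssh key-exchange group dh-group1-sha1
http 0.0.0.0 0.0.0.0 outside
access-list dmz-01_access_in extended permit ip any any
access-group dmz-01_access_in in interface dmz-01
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
crypto ikev2 policy 40
 encryption des
"""
WEAK_CIPHERS = {"des", "3des"}
CRYPTO_PREFIXES = ("crypto ipsec ikev2 ipsec-proposal ", "crypto ikev2 policy ")

def parse(text):
    """Group lines into (command, [sub-commands]) by the one-space indentation."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(text):
    """Return human-readable findings for the settings checked."""
    findings, applied = [], {}  # applied: ACL name -> interface it is bound to
    blocks = parse(text)
    for cmd, subs in blocks:
        w = cmd.split()
        # ssh/http management access allowed from any source on 'outside'
        if w[0] in ("ssh", "http") and w[1:4] == ["0.0.0.0", "0.0.0.0", "outside"]:
            findings.append(f"{w[0]} management open to any source on outside")
        if cmd == "ssh key-exchange group dh-group1-sha1":
            findings.append("SSH key exchange uses DH group 1 (768-bit) with SHA-1")
        if w[0] == "access-group":
            applied[w[1]] = w[-1]
        # DES/3DES in IPsec proposals ('protocol esp encryption ...') or IKEv2 policies ('encryption ...')
        if cmd.startswith(CRYPTO_PREFIXES):
            for s in subs:
                sw = s.split()
                ciphers = sw[3:] if sw[:3] == ["protocol", "esp", "encryption"] else (
                    sw[1:] if sw[0] == "encryption" else [])
                findings += [f"{cmd}: weak cipher {c}" for c in ciphers if c in WEAK_CIPHERS]
    # second pass: 'permit ip any any' ACLs that are actually bound to an interface
    for cmd, _ in blocks:
        w = cmd.split()
        if w[0] == "access-list" and w[1] in applied and " permit ip any any" in cmd:
            findings.append(f"ACL {w[1]} permits ip any any on interface {applied[w[1]]}")
    return findings
```

Running audit() over the full configuration above reports every proposal and policy that still carries DES or 3DES, while an ACL that is defined but never bound with access-group is deliberately left out of the findings.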
The ASA not only provides a command-line interface over SSH and Telnet, it can also be reached through ASDM.
For that, the ASDM software must be downloaded and installed. Connect to port 1/5 (DHCP enabled) and open the default IP address in a web browser.
With the known login credentials you can then manage the ASA, view any logs and carry out configuration changes.
