
ACTIVATING ASA 8.4 IN GNS3

Qemu options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=655

initrd and kernel images (ASA 8.4.2):
http://www.filedropper.com/asa842-initrd
http://www.filedropper.com/asa842-vmlinuz

LAB TOPOLOGY

Three zones hang off the ASA:
DMZ (de-militarized zone)
OUTSIDE (Internet)
INSIDE (LAN)

ZONES

interface GigabitEthernet0
 nameif outside
 ip address 200.54.0.2 255.255.255.248
!
interface GigabitEthernet1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 200.54.0.1

The names "outside" and "inside" get security level 0 and 100 automatically; every other interface must be given one explicitly.

NAT AND SERVICE POLICY

object network inside
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

The object NAT rule PATs the whole LAN behind the outside interface address (200.54.0.2).

Verification
# show xlate
# show conn
# debug icmp trace

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

The class-map, policy-map and global service-policy already exist in the default configuration; the only line actually added is "inspect icmp". Without it the ASA keeps no connection entry for the echo requests, so the replies from 4.2.2.2 arriving on outside (security level 0) have nothing to match and are dropped; with it the ping below succeeds and each echo shows up in "show xlate" / "show conn".

# ping 4.2.2.2 repeat 1000

DMZ

interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
object network DMZ
 subnet 10.10.10.0 255.255.255.0
 nat (dmz,outside) dynamic 200.54.0.3

DMZ hosts are PATed behind 200.54.0.3, a second address of the outside /29 block, rather than the interface address used by the inside LAN.

# ping 4.2.2.2 repeat 1000

PUBLIC DMZ SERVER

object network server_dmz
 host 10.10.10.5
 nat (dmz,outside) static 200.54.0.4
!
access-list desde_outside permit tcp any host 10.10.10.5 eq telnet
!
access-group desde_outside in interface outside

Since ASA 8.3 an interface ACL is matched against the real (untranslated) address, so desde_outside names 10.10.10.5 even though the Internet reaches the server as 200.54.0.4: the inbound packet is un-NATed first and the ACL is checked afterwards. Opening telnet from "any" is a lab shortcut; in production the service would be SSH or HTTPS and the source restricted where possible.

VERIFICATION: ZONES WITH DIFFERENT SECURITY LEVELS

The same flow can be simulated on the ASA itself (ICMP type 8 code 0 is an echo request):

ciscoasa# packet-tracer input dmz icmp 10.10.10.5 8 0 192.168.0.5 detailed

From the inside LAN (level 100) to the DMZ host (level 50), permitted by the default high-to-low rule:

R1#ping 10.10.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 seconds:
!!!!!

From the DMZ (level 50) to an inside host (level 100), denied: low-to-high traffic needs an explicit permit.

R4#ping 192.168.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.5, timeout is 2 seconds:
.....

To allow it, bind an ACL inbound on the dmz interface:

access-list desde_dmz extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group desde_dmz in interface dmz

Caveat: once desde_dmz is bound to dmz, the implicit permit toward lower-security interfaces no longer applies to that interface. DMZ-to-outside traffic (the earlier ping to 4.2.2.2) now has to be permitted explicitly in desde_dmz, otherwise it hits the implicit deny at the end of the list.
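The decisions shown in the two pings, the outside ACL and the caveat above can be reproduced with a small model of the ASA forwarding logic. This is an added example, not code from the original deck or from Cisco; it models only security levels, the effect of binding an inbound ACL, and the 8.3+ order in which an inbound packet to a static NAT is un-NATed before the ingress ACL is checked. Interface names, levels, addresses and ACL names are the deck's; the class and function names and the Internet source 198.51.100.7 are assumptions made here.

```python
"""Toy model of the ASA 8.4 forwarding decision used by the verification slides.

Added example, not code from the original deck.  Modelled: security levels
(higher-to-lower implicitly permitted, lower-to-higher not), an inbound ACL
replacing that rule with its own implicit deny, and un-NAT of inbound traffic
to a static NAT before the ingress ACL is consulted.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-list entry: proto 'ip' matches any protocol, dport only for tcp/udp."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    permit: bool = True

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


@dataclass
class Interface:
    name: str
    security_level: int
    network: str                        # directly connected subnet
    acl_in: Optional[list] = None       # None = no access-group bound inbound


@dataclass
class Asa:
    interfaces: dict                                    # name -> Interface
    static_nat: dict = field(default_factory=dict)      # mapped ip -> real ip
    default_route_ifc: str = "outside"

    def egress_ifc(self, dst):
        for ifc in self.interfaces.values():
            if ip_address(dst) in ip_network(ifc.network):
                return ifc.name
        return self.default_route_ifc                   # route outside 0.0.0.0 0.0.0.0

    def decide(self, in_ifc, proto, src, dst, dport=None):
        """Return (action, egress interface, real destination), packet-tracer style."""
        ingress = self.interfaces[in_ifc]
        real_dst = self.static_nat.get(dst, dst)        # un-NAT happens before the ACL
        out_ifc = self.egress_ifc(real_dst)
        egress = self.interfaces[out_ifc]
        if ingress.acl_in is not None:
            for ace in ingress.acl_in:
                if ace.matches(proto, src, real_dst, dport):
                    return ("permit" if ace.permit else "deny", out_ifc, real_dst)
            return ("deny", out_ifc, real_dst)          # implicit deny, even toward a lower level
        if ingress.security_level > egress.security_level:
            return ("permit", out_ifc, real_dst)        # implicit high-to-low permit
        return ("deny", out_ifc, real_dst)              # low-to-high (same level not modelled)


def build_asa(dmz_acl_applied=False):
    """The deck's three-zone ASA, before or after 'access-group desde_dmz in interface dmz'."""
    desde_outside = [Ace("tcp", "0.0.0.0/0", "10.10.10.5/32", dport=23)]
    desde_dmz = [Ace("ip", "10.10.10.0/24", "192.168.0.0/24")]
    asa = Asa(interfaces={
        "outside": Interface("outside", 0, "200.54.0.0/29", desde_outside),
        "inside": Interface("inside", 100, "192.168.0.0/24"),
        "dmz": Interface("dmz", 50, "10.10.10.0/24",
                         desde_dmz if dmz_acl_applied else None),
    })
    asa.static_nat["200.54.0.4"] = "10.10.10.5"         # object network server_dmz
    return asa


# (ingress, proto, src, dst, dport); 198.51.100.7 is a constructed Internet host
SCENARIOS = {
    "R1 inside -> dmz ping": ("inside", "icmp", "192.168.0.5", "10.10.10.5", None),
    "R4 dmz -> inside ping": ("dmz", "icmp", "10.10.10.5", "192.168.0.5", None),
    "Internet -> 200.54.0.4 telnet": ("outside", "tcp", "198.51.100.7", "200.54.0.4", 23),
    "Internet -> 200.54.0.4 http": ("outside", "tcp", "198.51.100.7", "200.54.0.4", 80),
    "dmz -> 4.2.2.2 ping": ("dmz", "icmp", "10.10.10.5", "4.2.2.2", None),
}


def run(dmz_acl_applied):
    """Action taken for every scenario, with or without desde_dmz bound to dmz."""
    asa = build_asa(dmz_acl_applied)
    return {name: asa.decide(*args)[0] for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for applied in (False, True):
        print(f"--- desde_dmz bound to dmz: {applied}")
        for name, action in run(applied).items():
            print(f"{action:6} {name}")
```

Running it with the ACL bound shows the side effect the slide does not mention: "R4 dmz -> inside ping" flips to permit, but "dmz -> 4.2.2.2 ping" flips to deny, because the only entry in desde_dmz is the one toward the inside LAN.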

ACTIVATION KEY FOR SECURITY FEATURES

(Option 1) ciscoasa(config)# activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5

(Option 2) ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

ciscoasa(config)# write memory        (save the configuration)
ciscoasa(config)# exit

VPN SITE TO SITE

object network local_192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 description "For NAT exempt"
!
object network remote_192.168.100.0
 subnet 192.168.100.0 255.255.255.0
 description "remote subnet for Site2"
!
access-list crypto-access permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
!
nat (inside,outside) source static local_192.168.0.0 local_192.168.0.0 destination static remote_192.168.100.0 remote_192.168.100.0 no-proxy-arp

The identity (twice) NAT rule is what keeps LAN-to-Site2 traffic out of the "dynamic interface" PAT; being a manual NAT rule it lands in NAT section 1 and is evaluated before the object NAT rules, so no ordering step is needed. Its networks must match the crypto ACL exactly, otherwise the interesting traffic is PATed and never matches crypto-access.

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address crypto-access
crypto map outside_map 1 set peer 190.208.0.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
tunnel-group 190.208.0.2 type ipsec-l2l
tunnel-group 190.208.0.2 ipsec-attributes
 ikev1 pre-shared-key cisco123

The crypto map name lost its first characters in the slide; "outside_map" is the name the remote-access slide binds to the same interface. Policy 10 only sets the authentication method; the other parameters take the ASA defaults (3des, sha, group 2, lifetime 86400), which match the transform set. 3DES, SHA-1 and DH group 2 are what this ASA release and the legacy IPsec client offer, not what a production tunnel should use today, and "cisco123" is a lab key.

VPN CLIENT (IPsec IKEv1 remote access)

crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
ip local pool client_pool 192.168.1.1-192.168.1.5 mask 255.255.255.248
access-list split_tunnel_acl standard permit 192.168.100.0 255.255.255.0
!
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
tunnel-group ipsec_ra_tunnel type remote-access
tunnel-group ipsec_ra_tunnel general-attributes
 address-pool client_pool
 default-group-policy ipsec_ra_policy
 authentication-server-group LOCAL
tunnel-group ipsec_ra_tunnel ipsec-attributes
 ikev1 pre-shared-key cisco
crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
!
username operador password ultra_10
!
object-group network obj_192.168.1.1_248
 network-object 192.168.1.0 255.255.255.248
object-group network obj_192.168.100.0_24
 network-object 192.168.100.0 255.255.255.0
nat (inside,outside) source static obj_192.168.100.0_24 obj_192.168.100.0_24 destination static obj_192.168.1.1_248 obj_192.168.1.1_248 no-proxy-arp route-lookup

The dynamic crypto map gets the highest sequence number (65535) so that static site-to-site entries in outside_map are tried first and only unknown peers fall through to it. The tunnel-group name ipsec_ra_tunnel is the group name the client enters, "cisco" is its group key, and operador/ultra_10 is the local user account. Note that the split-tunnel list and the NAT exemption protect 192.168.100.0/24, the Site2 subnet of the previous slide, not the 192.168.0.0/24 LAN of the first slides, so this configuration belongs on the Site2 ASA; the identity NAT between that LAN and the client pool is again what keeps client traffic out of the PAT rule.
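Two things go wrong most often with the site-to-site and client VPN configurations above: legacy IKEv1/IPsec algorithms left at their defaults, and a crypto ACL whose networks are not covered by an identity NAT rule, so the interesting traffic is PATed and never enters the tunnel. The script below is an added example, not from the original deck or from Cisco: it reads ASA configuration text and reports both. The sample config is constructed from the deck's own site-to-site lines, one command per line, and the values assumed for an ikev1 policy that omits a parameter are the ASA defaults 3des / sha / group 2.

```python
"""Audit the VPN parts of an ASA 8.4 configuration for weak IKEv1/IPsec
algorithms and crypto ACLs without a matching identity NAT rule.

Added example, not code from the original deck.  POLICY_DEFAULTS are the
assumed ASA defaults for parameters an ikev1 policy leaves out.
"""
import re
from ipaddress import ip_network

WEAK_ENC = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "sha", "esp-md5-hmac", "esp-sha-hmac"}   # "sha" on the ASA is SHA-1
WEAK_DH = {"1", "2", "5"}
POLICY_DEFAULTS = {"encryption": "3des", "hash": "sha", "group": "2"}


def parse_objects(cfg):
    """Map 'object network' / 'object-group network' names to their single network."""
    objs, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"object(?:-group)? network (\S+)$", line):
            cur = m[1]
        elif cur and (m := re.match(r"(?:subnet|network-object) (\S+) (\S+)$", line)):
            objs[cur] = ip_network(f"{m[1]}/{m[2]}")
        elif cur and (m := re.match(r"host (\S+)$", line)):
            objs[cur] = ip_network(f"{m[1]}/32")
        elif line == "!":
            cur = None
    return objs


def crypto_acl_pairs(cfg):
    """(local, remote) networks of every ACL bound with 'crypto map ... match address'."""
    pairs = []
    for name in set(re.findall(r"crypto map \S+ \d+ match address (\S+)", cfg)):
        pat = rf"^access-list {re.escape(name)} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)"
        for m in re.finditer(pat, cfg, re.M):
            pairs.append((ip_network(f"{m[1]}/{m[2]}"), ip_network(f"{m[3]}/{m[4]}")))
    return pairs


def identity_nat_pairs(cfg, objs):
    """(local, remote) networks covered by a twice-NAT rule that maps each side to itself."""
    pat = r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    return [(objs[m[1]], objs[m[3]]) for m in re.finditer(pat, cfg)
            if m[1] == m[2] and m[3] == m[4] and m[1] in objs and m[3] in objs]


def audit(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for m in re.finditer(r"^crypto ikev1 policy (\d+)\n((?:[ \t]+.*\n?)+)", cfg, re.M):
        seq, body = m[1], m[2]
        for key, weak, label in (("encryption", WEAK_ENC, "cipher"),
                                 ("hash", WEAK_HASH, "hash"),
                                 ("group", WEAK_DH, "DH group")):
            v = re.search(rf"^\s*{key} (\S+)", body, re.M)
            value = v[1] if v else POLICY_DEFAULTS[key]     # omitted = ASA default
            if value in weak:
                findings.append(f"ikev1 policy {seq}: weak {label} {value}"
                                + ("" if v else " (ASA default)"))
    for m in re.finditer(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)", cfg):
        for alg in (m[2], m[3]):
            if alg in WEAK_ENC | WEAK_HASH:
                findings.append(f"transform-set {m[1]}: weak {alg}")
    for m in re.finditer(r"pre-shared-key (\S+)", cfg):
        if len(m[1]) < 20:
            findings.append(f"pre-shared-key {m[1]!r} is short; use a long random secret")
    exempt = identity_nat_pairs(cfg, parse_objects(cfg))
    for local, remote in crypto_acl_pairs(cfg):
        if not any(local.subnet_of(l) and remote.subnet_of(r) for l, r in exempt):
            findings.append(f"crypto ACL {local} -> {remote} has no identity NAT; "
                            "interesting traffic would be PATed and never enter the tunnel")
    return findings


# Constructed from the deck's site-to-site slide, one command per line.
DECK_CONFIG = """\
object network local_192.168.0.0
 subnet 192.168.0.0 255.255.255.0
!
object network remote_192.168.100.0
 subnet 192.168.100.0 255.255.255.0
!
access-list crypto-access permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside,outside) source static local_192.168.0.0 local_192.168.0.0 destination static remote_192.168.100.0 remote_192.168.100.0 no-proxy-arp
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address crypto-access
crypto map outside_map 1 set peer 190.208.0.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
tunnel-group 190.208.0.2 type ipsec-l2l
tunnel-group 190.208.0.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
"""


def without_identity_nat(cfg):
    """Same config with the identity NAT line dropped, to show the NAT check firing."""
    return "\n".join(l for l in cfg.splitlines() if not l.startswith("nat (")) + "\n"


if __name__ == "__main__":
    for finding in audit(DECK_CONFIG):
        print(finding)
```

On the deck's configuration the script flags the 3DES/SHA-1/group 2 parameters twice (once as the policy defaults, once in the transform set) and the short pre-shared key, but not the NAT exemption, which covers the crypto ACL exactly; delete the "nat (inside,outside) source static ..." line and the last check fires.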