
! ASA edge interfaces: Gi0 faces the upstream (outside, level 0); Gi1-Gi3 are the
! internal segments (inside, dmz1, dmz2).
interface gigabitEthernet 0

no shutdown
security-level 0
nameif outside
ip address 16.16.0.1 255.255.255.248
!
interface GigabitEthernet 1
no shutdown
security-level 100
nameif inside
ip address 10.0.10.1 255.255.255.0
!
! NOTE(review): dmz1 and dmz2 carry the same security-level (100) as inside, so the
! ASA does not rank them below the inside segment; a DMZ is normally given an
! intermediate level (e.g. 50) so that inside->dmz is allowed by default while
! dmz->inside is not. Confirm this is intended, and that traffic between the three
! level-100 interfaces is actually meant to be treated as same-security.
interface GigabitEthernet 2
no shutdown
security-level 100
nameif dmz1
ip address 10.0.100.1 255.255.255.0
!
interface GigabitEthernet 3
no shutdown
security-level 100
nameif dmz2
ip address 10.0.200.1 255.255.255.0
!
! Default route via the upstream next hop on the outside /29.
route outside 0.0.0.0 0.0.0.0 16.16.0.2
!

PAT - DINAMICO
--------------------------------------------------
! Dynamic PAT: the whole inside subnet 10.0.10.0/24 is translated to the single
! outside address 16.16.0.3.
object network inside
subnet 10.0.10.0 255.255.255.0
nat (inside,outside) dynamic 16.16.0.3

! Dynamic PAT for dmz1, sharing the same outside address 16.16.0.3.
object network dmz1


subnet 10.0.100.0 255.255.255.0
nat (dmz1,outside) dynamic 16.16.0.3

! Static PAT: the ACS host 10.0.100.100 is published on 16.16.0.3 tcp/49 (TACACS+).
! NOTE(review): the routers further down point their tacacs-server at 16.16.0.5,
! not at this translated address - confirm which server they are meant to reach.
object network acs


host 10.0.100.100
nat (dmz1,outside) static 16.16.0.3 service tcp 49 49

! Static PAT publishing tcp/443 on 16.16.0.4.
! NOTE(review): the object is host 10.0.100.100 (which lies in dmz1's 10.0.100.0/24),
! but the translation is bound to (dmz2,outside) and the access-list below permits
! 443 and 22 to 10.0.200.100 instead. One of the two addresses looks mistyped; the
! real host, its interface and the ACL destination must all agree for this to work.
object network https


host 10.0.100.100
nat (dmz2,outside) static 16.16.0.4 service tcp 443 443

! Static PAT publishing tcp/22 on 16.16.0.4 (same host/interface mismatch as above).
object network ssh


host 10.0.100.100
nat (dmz2,outside) static 16.16.0.4 service tcp 22 22

! Inbound policy applied on outside: 443, 49 and 22 to the published hosts.
! NOTE(review): `any` exposes SSH (22) and TACACS+ (49) to every outside source; if
! those services only need to be reached from known peers, narrowing the source
! address is the safer default. Destinations are real (pre-NAT) addresses here.
access-list prueba extended permit tcp any 10.0.200.100 255.255.255.255 eq 443


access-list prueba extended permit tcp any 10.0.100.100 255.255.255.255 eq 49
access-list prueba extended permit tcp any 10.0.200.100 255.255.255.255 eq 22
access-group prueba in interface outside

-----------------------------------------------------------------------------------
--
----------------------AUTENTICACIÓN AAA EN ROUTER-----------------------------------

RouterRC1
.........

! RouterRC1 - AAA against TACACS+ with SSH-only VTY access.
aaa new-model
! Shared secret for the TACACS+ server at 16.16.0.5.
tacacs-server host 16.16.0.5 key cisco123
! Login method list: TACACS+, then RADIUS, then case-sensitive local users, then none.
! NOTE(review): no radius-server and no local username is shown for this router on
! this page, so if the TACACS+ server is unreachable the list can fall through to
! `none`, i.e. VTY login without any credentials. Dropping the trailing `none`
! (and keeping a local fallback user) closes that gap.
aaa authentication login PRUEBA1 group tacacs+ group radius local-case none
! Enable authentication: TACACS+, then the local enable password, then none.
! NOTE(review): same fail-open as above when no enable secret is configured.
aaa authentication enable default group tacacs+ enable none
!
! Exec and per-privilege-level command authorization (levels 0, 1, 15) via TACACS+.
aaa authorization exec PRUEBA2 GROup tacacs+
aaa authorization commands 0 PRUEBA2COMM group tacacs+
aaa authorization commands 1 PRUEBA2COMM group tacacs+
aaa authorization commands 15 PRUEBA2COMM group tacacs+
!
! SSHv2 host key (the domain name is set first so the RSA key can be named).
! NOTE(review): a 1024-bit RSA modulus is below the commonly recommended 2048-bit minimum.
ip domain name marina.com
crypto key generate rsa modulus 1024
ip ssh version 2
! VTY lines 0-6 bind the method lists above; only SSH is accepted as transport.
line vty 0 6
login authentication PRUEBA1
transport input ssh
authorization exec PRUEBA2
AUTHorization COMMands 0 PRUEBA2COMM
AUTHorization COMMands 1 PRUEBA2COMM
AUTHorization COMMands 15 PRUEBA2COMM

RouterRS1
.........

! RouterRS1 - AAA against TACACS+ with SSH-only VTY access (same layout as RC1).
aaa new-model
! Shared secret for the TACACS+ server at 16.16.0.5.
tacacs-server host 16.16.0.5 key cisco123
! Login method list: TACACS+, then RADIUS, then case-sensitive local users, then none.
! NOTE(review): no radius-server and no local username is shown for this router on
! this page, so an unreachable TACACS+ server lets this list fall through to `none`
! (login with no credentials). Remove the trailing `none` and keep a local fallback user.
aaa authentication login PRUEBA1 group tacacs+ group radius local-case none
! Enable authentication: TACACS+, then the local enable password, then none.
! NOTE(review): same fail-open when no enable secret is configured.
aaa authentication enable default group tacacs+ enable none

! Exec and per-privilege-level command authorization (levels 0, 1, 15) via TACACS+.
aaa authorization exec PRUEBA2 GROup tacacs+


aaa authorization commands 0 PRUEBA2COMM group tacacs+
aaa authorization commands 1 PRUEBA2COMM group tacacs+
aaa authorization commands 15 PRUEBA2COMM group tacacs+
!
! SSHv2 host key; NOTE(review): 1024-bit RSA is below the usual 2048-bit minimum.
ip domain name marina.com
crypto key generate rsa modulus 1024
ip ssh version 2
! VTY lines 0-6 bind the method lists above; only SSH is accepted as transport.
line vty 0 6
login authentication PRUEBA1
transport input ssh
authorization exec PRUEBA2
AUTHorization COMMands 0 PRUEBA2COMM
AUTHorization COMMands 1 PRUEBA2COMM
AUTHorization COMMands 15 PRUEBA2COMM

------------------------------------------
VPN-SITE TO SITE PARA EL 1
--------------------
! IKEv1 phase-1 policy for the site-to-site tunnel: PSK authentication, AES, SHA-1,
! DH group 2, 24h SA lifetime. Matches `crypto isakmp policy 10` on the site-1 router.
! NOTE(review): DH group 2 (1024-bit MODP) and SHA-1 are considered weak today; group 14
! or higher and SHA-256 are the usual replacements where the peer router supports them.
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 enable outside
!
! The L2L peer 2.0.0.18 authenticates with a pre-shared key.
tunnel-group 2.0.0.18 type ipsec-l2l
tunnel-group 2.0.0.18 ipsec-attributes
ikev1 pre-shared-key cisco123

----------------by pass nat -------------

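! NAT bypass for the site-to-site tunnel: identity (twice) NAT so traffic between the
! local LAN and the remote LAN is not caught by the dynamic PAT under `object network inside`.
object-group network local-network
network-object 10.0.10.0 255.255.255.0

object-group network remote-network
network-object 192.168.1.0 255.255.255.0

! Crypto ACL defining the interesting traffic (mirrors access-list 110 on the site-1 router).
! The original notes had this line and the nat line wrapped across two lines; they are
! single commands.
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
! Identity NAT on both source and destination for the same traffic.
nat (inside,outside) source static local-network local-network destination static remote-network remote-network
!
! IKEv1 IPsec proposal: ESP with AES and SHA-1 HMAC.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Static crypto map entry 10 for peer 2.0.0.18, applied on the outside interface.
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 2.0.0.18
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside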
----------------------------------------------------------
----------------------------------------------------------
!
AL FINAL ELIMINAR LA SIGUIENTE LINEA EN EL ROUTER
!
! Interface PAT on Serial0/0 for traffic matched by ACL 1. The note above says to remove
! it at the end - presumably because the route-map based NAT in the site-1 router section
! (`ip nat inside source route-map nonat ...`) replaces it; confirm before deleting.
ip nat inside source list 1 interface Serial0/0 overload
!
!
-------------------------------------Acceso_Remoto------------------------------

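! Remote-access (IKEv1 IPsec client) VPN on the ASA.
! Address pool handed out to VPN clients.
ip local pool VPNPOOL 172.16.0.1-172.16.0.254 mask 255.255.255.0
vpn-addr-assign local

object network obj-vpnpool
subnet 172.16.0.0 255.255.255.0

! Identity NAT so dmz1 <-> VPN-client traffic is not caught by the dynamic PAT.
! (Originally wrapped across two lines in the notes; it is one command.)
! NOTE(review): this exemption only covers (dmz1,outside); traffic from inside to the
! VPN pool is not exempted here, so add a matching (inside,outside) rule if clients
! must reach the inside segment.
nat (dmz1,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

! Group policy pushed to clients: 30 min idle timeout, DNS and WINS servers.
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
vpn-idle-timeout 30
dns-server value 8.8.8.8
wins-server value 10.0.100.250

! Local VPN user.
! NOTE(review): `admin`/`admin` is a trivially guessable credential on an
! internet-facing service; replace it before the outside interface goes live, or
! authenticate clients against the external AAA the routers already use.
username admin password admin

! IKEv1 phase-1 policy for clients.
! NOTE(review): 3DES, DH group 1 (768-bit) and SHA-1 are deprecated/weak; AES, group 14+
! and SHA-256 are the usual replacements where the client software supports them.
! Note also that the L2L section above uses the newer `crypto ikev1 policy` /
! `crypto ipsec ikev1 transform-set` syntax while this section uses the older
! `isakmp policy` / `crypto ipsec transform-set` forms; the platform release decides
! which one is accepted, so they should not be mixed in one configuration.
isakmp policy 30
encryption 3des
hash sha
authentication pre-share
group 1
lifetime 3600

isakmp enable outside

crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac

! Dynamic crypto map for clients whose peer address is not known in advance.
! Author's note on this line: "----> duda" (kept as a comment so the command parses).
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS

! Bind the dynamic map as entry 30 of the outside crypto map (entry 10 is the L2L tunnel).
crypto map outside_map 30 ipsec-isakmp dynamic DYN_MAP

tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool VPNPOOL
default-group-policy company-vpn-policy

tunnel-group vpnclient ipsec-attributes
pre-shared-key XXXyyyzzz123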

----------------------------------------------

ROUTER PRIMER SITE1


-----------
! Site-1 router: IKEv1 phase-1 policy matching the ASA's `crypto ikev1 policy 10`
! (AES, SHA-1, DH group 2, PSK). No lifetime is set here, so the platform default applies.
! NOTE(review): DH group 2 and SHA-1 are considered weak today; if both ends are changed
! together, group 14+ and SHA-256 are the usual replacements.
crypto isakmp policy 10
encr aes
hash sha
authentication pre-share
group 2

! Pre-shared key for the ASA peer (16.16.0.1).
crypto isakmp key cisco123 address 16.16.0.1

! ACL 110: interesting traffic for the tunnel (mirror of the ASA's asa-router-vpn ACL).
access-list 110 remark Interesting traffic access-list


access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.0.255

! ACL 111: everything the LAN sends except tunnel traffic gets PAT'd.
access-list 111 remark NAT exemption access-list


access-list 111 deny ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any

! route-map nonat selects ACL 111 for the overload NAT below.
route-map nonat permit 10


match ip address 111

! Interface PAT on s0/0 driven by the route-map (replaces the plain `list 1` overload).
ip nat inside source route-map nonat interface s0/0 overload

! IPsec proposal: ESP with AES and SHA-1 HMAC, tunnel mode.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac


mode tunnel

! Static crypto map entry 10 for the ASA peer, applied on serial 0/0.
crypto map outside_map 10 ipsec-isakmp


set peer 16.16.0.1
set transform-set ESP-AES-SHA
match address 110

interface serial 0/0


crypto map outside_map

ROUTER dos SITE2


---------------------
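! Site-2 router: same structure as site 1 but with DH group 5, peer 12.12.12.1,
! LAN 192.168.2.0/24 and remote subnet 10.0.20.0/24.
! NOTE(review): neither the peer 12.12.12.1 nor 10.0.20.0/24 appears anywhere in the
! ASA configuration above (the ASA only has an IKEv1 policy with group 2 and a
! tunnel-group for 2.0.0.18), so this looks like a separate lab topology - confirm
! which device this router is meant to peer with.
crypto isakmp policy 10
encr aes
hash sha
authentication pre-share
group 5

! Pre-shared key for the remote peer.
crypto isakmp key cisco123 address 12.12.12.1

! ACL 110: interesting traffic for the tunnel.
access-list 110 remark Interesting traffic access-list
access-list 110 permit ip 192.168.2.0 0.0.0.255 10.0.20.0 0.0.0.255

! ACL 111: everything the LAN sends except tunnel traffic gets PAT'd.
! (The notes had a stray space in `192.168.2 .0`; the address is 192.168.2.0.)
access-list 111 remark NAT exemption access-list
access-list 111 deny ip 192.168.2.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 any

! route-map nonat selects ACL 111 for the overload NAT below.
route-map nonat permit 10
match ip address 111

! Interface PAT on s0/5 driven by the route-map.
ip nat inside source route-map nonat interface s0/5 overload

! IPsec proposal: ESP with AES and SHA-1 HMAC, tunnel mode.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode tunnel

! Static crypto map entry 10 for the remote peer, applied on serial 0/5.
crypto map outside_map 10 ipsec-isakmp
set peer 12.12.12.1
set transform-set ESP-AES-SHA
match address 110

interface serial 0/5
crypto map outside_map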

----------------------------------------------------------------------------------
--------------------CONF. ZPF-----------------------------------------------------

ROUTER RS1
...........

!
! Router RS1 - zone-based policy firewall with two zones, outside and inside.
zone security outside
exit
!
zone security inside
exit
!
! Protocols the inside zone may initiate toward outside; return traffic is allowed by
! the stateful `inspect` action.
class-map type inspect match-any inside
match protocol http
match protocol https
match protocol dns
match protocol ssh
match protocol isakmp
match protocol icmp
!
policy-map type inspect PRIV-TO-PUB-INSIDE
class type inspect inside
inspect
!
zone-pair security PRIV-PUB source inside destination outside
service-policy type inspect PRIV-TO-PUB-INSIDE
!

!
! outside -> inside: only ICMP is inspected (i.e. allowed to be initiated from outside);
! anything else entering from outside falls to the zone-pair's implicit drop.
class-map type inspect match-any inside10
match protocol icmp

!
policy-map type inspect PRIV-TO-PUB-INSIDE10
class type inspect inside10
inspect
!
zone-pair security PRIV-PUB10 source outside destination inside
service-policy type inspect PRIV-TO-PUB-INSIDE10
!

!
!
!
! Zone membership: the serial WAN link is outside, the LAN interface is inside.
! Traffic to/from the router itself (self zone) is not covered by these two zone-pairs.
interface serial 0/0
zone-member security outside

interface FastEthernet0/0
zone-member security inside

!
!

sh nat =====> ver tunel activo

COSAS DE MAS

ftp://10.0.100.250
