Interfaces
• Cisco ASA OS 8.3+
• Configures the WAN facing interface using the alias “outside”
• Configures the LAN facing interface using the alias “inside”

interface Ethernet0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
interface Ethernet1
 nameif inside
 ip address 192.168.10.1 255.255.255.0

Static Routing
• Cisco ASA OS 8.3
• Configures the default gateway through the WAN interface (outside)

route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

Device Access (SSH, Telnet)
• Enable Telnet access from 192.168.10.0 (from the inside)
• Enable SSH access from host 6.7.7.8 (from the outside) and 192.168.10.0 (from the inside)
• Telnet and SSH access will use the local database.
• User account “admin” will be added to the local user database

telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 60
domain-name routehub.local
crypto key generate rsa modulus 1024
ssh 6.7.7.8 255.255.255.255 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 40
username admin password cisco123 privilege 15
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL

Configuration Reference Guide | [C] 66
ASA Image
• Cisco ASA OS 8.3
• Specify the ASA OS version that will be loaded.
• Note: after the change is completed a reload of the ASA is required

boot system disk0:/asa804-k8.bin

HTTP and ASDM
• Cisco ASA OS 8.3
• Enable ASDM on the ASA to use TCP port 8080
• Anyone on the Internet (outside) can access the ASDM, but on the inside only users on the 192.168.10.0 network can access the ASDM for administration
• Specify the ASDM image that will be loaded and used on the ASA

http server enable 8080
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
asdm image disk0:/asdm-613.bin

RADIUS
• Cisco ASA OS 8.3
• Enable RADIUS using the RADIUS server 192.168.10.11 and the key “cisco123”
• Use RADIUS for Telnet and SSH access into the ASA firewall

aaa-server IAS protocol radius
aaa-server IAS host 192.168.10.11
 timeout 5
 key cisco123
aaa authentication telnet console IAS
aaa authentication ssh console IAS
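As an added example (not part of the guide), the following Python audit reads an ASA running-config excerpt and flags the management-plane settings from the Device Access and HTTP/ASDM sections that widen exposure: Telnet enabled at all, a management service opened to 0.0.0.0/0 on an untrusted interface (the `http 0.0.0.0 0.0.0.0 outside` line above), and an RSA host key shorter than 2048 bits. The sample config is constructed from the guide's own lines; the severity labels, the `untrusted_ifaces` list and the 2048-bit threshold are this example's assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the Device Access and HTTP/ASDM lines from the guide,
# joined into one running-config excerpt for the audit to read.
SAMPLE_CONFIG = """\
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 60
crypto key generate rsa modulus 1024
ssh 6.7.7.8 255.255.255.255 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 40
http server enable 8080
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
"""


@dataclass
class Finding:
    severity: str   # assumed scale: critical / high / medium
    line: str       # the config line that triggered the finding
    reason: str


# Matches only "<proto> <address> <mask> <interface>" access statements;
# "telnet timeout 60" and "http server enable 8080" do not fit this shape.
_ACCESS_RE = re.compile(
    r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
_RSA_RE = re.compile(r"^crypto key generate rsa modulus (\d+)$")


def audit_management_access(config, untrusted_ifaces=("outside",), min_rsa_bits=2048):
    """Return the Findings for the management-plane lines in `config`, in file order."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = _ACCESS_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            allowed = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            if proto == "telnet":
                findings.append(Finding("high", line,
                    "Telnet sends credentials in cleartext; use SSH instead"))
            if allowed.prefixlen == 0:   # 0.0.0.0 0.0.0.0 -> any source address
                sev = "critical" if iface in untrusted_ifaces else "medium"
                findings.append(Finding(sev, line,
                    f"{proto} management reachable from any source on '{iface}'"))
            continue
        m = _RSA_RE.match(line)
        if m and int(m.group(1)) < min_rsa_bits:
            findings.append(Finding("medium", line,
                f"RSA host key is {m.group(1)} bits; {min_rsa_bits} or more is expected"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the config is clean."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f.severity for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for f in audit_management_access(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```

Run against the sample it reports three findings: the Telnet line (high), the 1024-bit RSA key (medium) and the ASDM/HTTP server open to the whole Internet on the outside interface (critical). The per-interface SSH lines pass because both are scoped to a /24 or a single host.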
DHCP Server
• Cisco ASA OS 8.3
• Specify the DHCP scope for the IP subnet (192.168.10.0), interface (inside), DNS, WINS, and domain
• Apply DHCP services on the “inside” interface

dhcpd address 192.168.10.0 inside
dhcpd dns 192.168.10.10 4.2.2.2 interface inside
dhcpd wins 192.168.10.10 interface inside
dhcpd domain routehub.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside

PPPoE
• Enable PPPoE on the WAN facing (outside) interface
• The PPP username will be “pppoeuser” and the password will be “Cisco123”

vpdn group Internet request dialout pppoe
vpdn group Internet localname pppoeuser
vpdn group Internet ppp authentication pap
vpdn username pppoeuser password Cisco123 store-local
dhcpd auto_config outside
interface Ethernet0
 nameif outside
 security-level 0
 pppoe client vpdn group Internet
 ip address pppoe setroute

Copy using FTP
• FTP server (192.168.10.10), FTP username/password (cisco/cisco123)
• Copy an ASA file (e.g. ASA OS, ASDM) from the FTP server to local flash (disk0)

copy ftp://cisco:cisco123@192.168.10.10 disk0:
LDAP
• Enable LDAP authentication pointing to a Microsoft LDAP server (192.168.10.10) located on the inside
• Specify the LDAP domain (dc=routehub,dc=local)
• User account names will be based on “samAccountName” in Active Directory
• Authenticating with LDAP will use the Administrator account located in the “Users” container. The AD password for the Administrator account is cisco123

aaa-server RHG-AAA-LDAP protocol ldap
aaa-server RHG-AAA-LDAP (inside) host 192.168.10.10
 server-port 389
 ldap-base-dn dc=routehub,dc=local
 ldap-scope subtree
 ldap-naming-attribute samAccountName
 ldap-login-dn cn=Administrator,cn=Users,dc=routehub,dc=local
 server-type Microsoft
 ldap-login-password cisco123

Rate Limiting (Policing)
• Cisco ASA OS 8.3
• Rate limit all traffic (in/out) of the “outside” interface to 700Kbps

policy-map rate-limit-policy
 class class-default
  police input 700000 1000
  police output 700000 1000
service-policy rate-limit-policy interface outside
OSPF Routing
• Enable OSPF routing on the ASA for the LAN (192.168.10.0) and DMZ (192.168.11.0) networks.
• The LAN will exist in Area 0 and the DMZ will exist in Area 11
• Advertise an OSPF default route to other OSPF neighbors using the ASA as the gateway of last resort

router ospf 1
 network 192.168.11.0 255.255.255.0 area 11
 network 192.168.10.0 255.255.255.0 area 0
 log-adj-changes
 default-information originate always
interface Ethernet1
 ip address 192.168.10.1 255.255.255.0
 nameif inside
 ospf hello-interval 1
 ospf dead-interval 3
EIGRP Routing
• Enable EIGRP routing on the ASA for the LAN (192.168.10.0) and DMZ (192.168.11.0) networks.
• EIGRP ASN 1
• Disable EIGRP communication through the Outside and DMZ interfaces. An EIGRP neighbor will only be established with the router on the LAN.
• Redistribute any configured static routes on the ASA firewall into EIGRP

router eigrp 1
 no auto-summary
 network 192.168.11.0
 network 192.168.10.0
 passive-interface outside
 passive-interface dmz
 redistribute static
RIPv2 Routing and Authentication
• Enable RIPv2 routing on the ASA for the LAN (192.168.10.0) and DMZ (192.168.11.0) networks.
• Configure RIP MD5 authentication with other RIPv2 routers using the password “cisco123”
• Advertise a RIP default route to other RIP neighbors using the ASA as the gateway of last resort

interface Ethernet0/1
 nameif RHG-LAN
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco123 key_id 1
router rip
 network 192.168.10.0
 network 192.168.11.0
 passive-interface default
 no passive-interface RHG-LAN
 default-information originate
 version 2
IP SLA with Dual ISP
• Configure IP SLA with two connected ISPs for Internet redundancy.
• Primary Internet access through ISP1. Secondary Internet access through ISP2.
• If 1.1.1.2 is not pingable by the ASA then declare ISP1 down and change the default route towards ISP2

sla monitor 100
 type echo protocol ipIcmpEcho 1.1.1.2 interface outside-isp1
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
route outside-isp1 0.0.0.0 0.0.0.0 1.1.1.2 10 track 1
route outside-isp2 0.0.0.0 0.0.0.0 1.2.2.2 254

Factory Defaults for ASA 5500
• Put the ASA back to factory defaults
• Completed in “config mode”
• The ASA will return to factory defaults using the default IP “192.168.1.1”

config factory-default
reload save-config noconfirm
802.1q (VLAN tagging)
• Cisco ASA OS 8.3
• Configure 802.1Q trunking (VLAN tagging) on physical interface ethernet0/1 for VLAN 10 (192.168.10.0; LAN) and VLAN 20 (192.168.11.0; Guest)

interface Ethernet0/1
 no nameif
 no ip address
 no shutdown
interface Ethernet0/1.10
 description RHG VLAN LAN
 vlan 10
 nameif RHG-LAN
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/1.11
 description RHG VLAN GUEST
 vlan 11
 nameif RHG-GUEST
 security-level 50
 ip address 192.168.11.1 255.255.255.0

DNS Requests
• Cisco ASA OS 8.3
• With the dns keyword, the static NAT rewrites DNS replies so that an inside host resolving this public IP receives the internal IP instead

static (inside,outside) 1.1.1.10 192.168.10.10 netmask 255.255.255.255 dns
Active/Passive Failover
• Configure ASA Active/Passive failover providing redundancy for the OUTSIDE (1.1.1.0), LAN (192.168.10.0), and DMZ (192.168.11.0) networks.
• The failover interface for exchanging state and heartbeats will use ethernet0/3 on both firewalls.

>>Primary ASA<<
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248 standby 1.1.1.2
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
interface Ethernet0/2
 speed 100
 duplex full
 nameif dmz
 security-level 60
 ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
interface Ethernet0/3
 description LAN/STATE Failover Interface
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover key cisco6778
failover interface ip failover 9.9.9.1 255.255.255.252 standby 9.9.9.2
failover replication http
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
>>Secondary ASA<<
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key cisco6778
failover link failover Ethernet0/3
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover interface ip failover 9.9.9.1 255.255.255.252 standby 9.9.9.2

show failover state
Banner
• Cisco ASA OS 8.3
• Define the ASA banner to display upon login into the firewall

banner exec **WARNING**
banner exec YOU ARE ATTEMPTING TO LOG INTO A PRIVATE SYSTEM.
banner exec AUTHORIZED USERS ONLY!!
banner exec ALL UNAUTHORIZED USE WILL BE PROSECUTED TO THE
banner exec FULLEST EXTENT OF THE LAW!!

Standard Firewall Policy
• Cisco ASA OS 8.3
• Configure a firewall policy to allow any Internet host to access the web server at 1.1.1.10

access-list ingress-acl extended permit tcp any host 1.1.1.10 eq 80
access-group ingress-acl in interface outside
Standard Firewall Policy using Objects (Hosts)
• Cisco ASA OS 8.3
• Add the server (1.1.1.10) to an object group called “RHG-SERVERS1”
• Configure a group listing the TCP and UDP ports for services used on the server (1.1.1.10), such as WWW (TCP/80)
• Configure the firewall policy using the object groups to allow any Internet host to access the web server at 1.1.1.10

object-group network RHG-SERVERS1
 network-object host 1.1.1.10
object-group service RHG-APPS tcp-udp
 port-object eq www
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS1 object-group RHG-APPS
access-group ingress-acl in interface outside

Standard Firewall Policy using Objects (Network)
• Cisco ASA OS 8.3
• Add the server network (1.1.1.0) to an object group called “RHG-SERVERS2”
• Configure a group listing the TCP and UDP ports for services used on the server (1.1.1.10), such as WWW (TCP/80)
• Configure the firewall policy using the object groups to allow any Internet host to access any web service on the 1.1.1.0 network

object-group network RHG-SERVERS2
 network-object 1.1.1.0 255.255.255.0
object-group service RHG-APPS tcp-udp
 port-object eq www
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS2 object-group RHG-APPS
access-group ingress-acl in interface outside
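To show how the object groups above compose into an effective policy, here is an added Python example (not from the guide) that parses the network and service object groups and the extended ACEs, expands the groups, and evaluates a candidate flow the way the ASA does: first matching ACE wins, implicit deny at the end. The sample policy is constructed from the guide's two object-group sections plus one deny ACE added here to show ordering; the `PORT_NAMES` table is a small subset of the ASA's service keywords and is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

# Subset of ASA service-name keywords used by the sample (assumed for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}
ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed sample: the two object-group policies from the guide, plus one
# deny ACE inserted between them to demonstrate first-match ordering.
SAMPLE_POLICY = """\
object-group network RHG-SERVERS1
 network-object host 1.1.1.10
object-group network RHG-SERVERS2
 network-object 1.1.1.0 255.255.255.0
object-group service RHG-APPS tcp-udp
 port-object eq www
 port-object range 8080 8081
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS1 object-group RHG-APPS
access-list ingress-acl extended deny tcp any object-group RHG-SERVERS2 eq ssh
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS2 object-group RHG-APPS
"""


def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass
class Ace:
    action: str
    proto: str
    srcs: list      # IPv4Network objects
    dsts: list      # IPv4Network objects
    ports: list     # (low, high) destination port ranges


def _take_addr(tok, i, net_groups):
    """Parse one address operand at tok[i]; return (networks, index after it)."""
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "host":
        return [ipaddress.IPv4Network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return net_groups[tok[i + 1]], i + 2
    return [ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2


def _take_ports(tok, i, svc_groups):
    """Parse the optional destination-port operand at tok[i]."""
    if i >= len(tok):
        return [(0, 65535)]            # no port operand means every port
    if tok[i] == "eq":
        p = port_number(tok[i + 1])
        return [(p, p)]
    if tok[i] == "range":
        return [(port_number(tok[i + 1]), port_number(tok[i + 2]))]
    if tok[i] == "object-group":
        return svc_groups[tok[i + 1]]
    raise ValueError(f"unsupported port operand: {tok[i]}")


def parse_policy(text):
    """Expand object-groups and return the ACEs in configuration order."""
    net_groups, svc_groups, aces, current = {}, {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":
            current = (tok[1], tok[2])
            (net_groups if tok[1] == "network" else svc_groups).setdefault(tok[2], [])
        elif tok[0] == "network-object" and current and current[0] == "network":
            net_groups[current[1]].extend(_take_addr(tok, 1, net_groups)[0])
        elif tok[0] == "port-object" and current and current[0] == "service":
            svc_groups[current[1]].extend(_take_ports(tok, 1, svc_groups))
        elif tok[0] == "access-list" and tok[2] == "extended":
            current = None
            srcs, i = _take_addr(tok, 5, net_groups)
            dsts, i = _take_addr(tok, i, net_groups)
            aces.append(Ace(tok[3], tok[4], srcs, dsts, _take_ports(tok, i, svc_groups)))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """Return (action, 1-based ACE number); (\"deny\", None) is the implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(aces, start=1):
        if ace.proto not in (proto, "ip"):
            continue
        if not any(src in net for net in ace.srcs) or not any(dst in net for net in ace.dsts):
            continue
        if any(lo <= dport <= hi for lo, hi in ace.ports):
            return ace.action, n
    return "deny", None


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for flow in [("tcp", "203.0.113.5", "1.1.1.10", 80), ("tcp", "203.0.113.5", "1.1.1.10", 22)]:
        print(flow, "->", evaluate(policy, *flow))
```

The evaluator makes the effect of the group expansion visible: TCP/80 to 1.1.1.10 hits the first ACE, TCP/22 to the same host is caught by the deny before the broader 1.1.1.0/24 permit is reached, and UDP or an unlisted port such as 443 falls through to the implicit deny even though the service group is declared tcp-udp.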
PAT (NAT Overload) using the Outside Interface
• Cisco ASA OS 8.3
• Configure PAT (NAT Overload) using the IP configured on the “outside” interface. Any inside host on the LAN (192.168.10.0) will use the IP of the “outside” interface for Internet access

global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

Static NAT
• Cisco ASA OS 8.3
• Configure a static translation where the inside host 192.168.10.10 is mapped to the public IP 1.1.1.10

static (inside,outside) 1.1.1.10 192.168.10.10 netmask 255.255.255.255
NAT Port Redirect: using the Outside Interface
• Cisco ASA OS 8.3
• Any access to the IP configured on the “outside” interface for HTTPS (TCP/443) will be redirected to the inside server 192.168.10.10.

static (inside,outside) tcp interface https 192.168.10.10 https netmask 255.255.255.255
Remote Access: SSL VPN (Tunnel Mode or SVC) using Local Authentication
• Cisco ASA OS 8.3
• Configure a client VPN solution using SSL VPN (Tunnel Mode)
• Specify the SSL VPN client image that can be used on a Windows or Mac system
• The VPN pool for connected users will be 192.168.100.10 – 192.168.100.13
• LAN subnet behind the VPN device is: 192.168.10.0/24
• Enable split tunneling to allow VPN users access to the 192.168.10.0 network over the established VPN tunnel
• VPN user authentication will be local. One of the local user accounts will be “user1”

access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool routehub-pool 192.168.100.10-192.168.100.13 mask 255.255.255.0
webvpn
 enable outside
 svc image disk0:/anyc-win.pkg 1
 svc image disk0:/anyc-mac.pkg 2
 svc enable
 tunnel-group-list enable
group-policy RHG-GP-SSL internal
group-policy RHG-GP-SSL attributes
 dns-server value 192.168.10.10
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value routehub.local
 webvpn
  svc required
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
username user1 password cisco123
tunnel-group RHG-TG-SSL type remote-access
tunnel-group RHG-TG-SSL general-attributes
 address-pool routehub-pool
 default-group-policy RHG-GP-SSL
tunnel-group RHG-TG-SSL webvpn-attributes
 group-alias ROUTEHUB enable
Remote Access: IPSec VPN using RADIUS Authentication
• Cisco ASA OS 8.3
• Configure a client VPN solution using IPSec VPN
• The VPN pool for connected users will be 192.168.100.10 – 192.168.100.13
• LAN subnet behind the VPN device is: 192.168.10.0/24
• Enable split tunneling to allow VPN users access to the 192.168.10.0 network over the established VPN tunnel
• VPN user authentication will use RADIUS (192.168.10.11)
• For the VPN software client: the “Group Authentication” name will be ROUTEHUB and the “Group Authentication Password” will be cisco123

access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool routehub-pool 192.168.100.10-192.168.100.13 mask 255.255.255.0
crypto isakmp nat-traversal 300
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec transform-set RHG-TS-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map RHG-DMAP-VPN 10 set transform-set RHG-TS-3DES-MD5
crypto map RHG-VPN 65535 ipsec-isakmp dynamic RHG-DMAP-VPN
crypto map RHG-VPN interface outside
group-policy RHG-GP-VPN internal
group-policy RHG-GP-VPN attributes
 dns-server value 192.168.10.10 4.2.2.2
 vpn-idle-timeout 30
 vpn-session-timeout 480
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value routehub.local
aaa-server RADIUS protocol radius
aaa-server IAS protocol radius
aaa-server IAS host 192.168.10.11
 timeout 5
 key cisco123
tunnel-group ROUTEHUB type remote-access
tunnel-group ROUTEHUB general-attributes
 address-pool routehub-pool
 authentication-server-group IAS
 default-group-policy RHG-GP-VPN
tunnel-group ROUTEHUB ipsec-attributes
 pre-shared-key cisco123
Site-Based VPN (ASA-to-ASA)
• Cisco ASA OS 8.3
• Configure an IPSec VPN tunnel between two Cisco ASA Firewalls
• Site #1: WAN IP is 1.1.1.1. The LAN subnet is 192.168.10.0
• Site #2: WAN IP is 2.2.2.2. The LAN subnet is 192.168.20.0
• Disable NAT for routing between the two LAN subnets across the VPN
• LAN subnets at Site #1 will communicate with the LAN subnets at Site #2
• LAN subnets at Site #2 will communicate with the LAN subnets at Site #1
• The VPN shared key will be “cisco123”
• Enable VPN on the “outside” interface

>>Site #1<<
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.252
 speed 100
 duplex full
 nameif outside
interface Ethernet0/1
 ip address 192.168.10.1 255.255.255.0
 speed 100
 duplex full
 nameif inside
access-list ACL-NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec transform-set RHG-TS-ESP-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
access-list RHG-ACL-VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 set pfs
crypto map vpn 10 set peer 2.2.2.2
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
crypto map vpn interface outside
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key cisco123

>>Site #2<<
interface Ethernet0/0
 ip address 2.2.2.2 255.255.255.252
 speed 100
 duplex full
 nameif outside
interface Ethernet0/1
 ip address 192.168.20.1 255.255.255.0
 speed 100
 duplex full
 nameif inside
access-list ACL-NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec transform-set RHG-TS-ESP-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
access-list RHG-ACL-VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 set pfs
crypto map vpn 10 set peer 1.1.1.1
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
crypto map vpn interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key cisco123
Site-Based VPN (ASA to Cisco IOS)
• Cisco ASA OS 8.3
• Configure an IPSec VPN tunnel between a Cisco ASA Firewall and a Cisco IOS router
• Site #1: WAN IP is 1.1.1.1. The LAN subnet is 192.168.10.0
• Site #2: WAN IP is 2.2.2.2. The LAN subnet is 192.168.20.0
• Disable NAT for routing between the two LAN subnets across the VPN
• LAN subnets at Site #1 will communicate with the LAN subnets at Site #2
• LAN subnets at Site #2 will communicate with the LAN subnets at Site #1
• The VPN shared key will be “cisco123”
• Enable VPN on the “outside” interface

>>Site #1 (Cisco ASA)<<
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.252
 speed 100
 duplex full
 nameif outside
interface Ethernet0/1
 ip address 192.168.10.1 255.255.255.0
 speed 100
 duplex full
 nameif inside
access-list ACL-NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec transform-set RHG-TS-ESP-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
access-list RHG-ACL-VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 set pfs group2
crypto map vpn 10 set peer 2.2.2.2
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
crypto map vpn interface outside
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key cisco123

>>Site #2 (Cisco IOS Router)<<
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 1.1.1.1
crypto ipsec transform-set ipsec-ts esp-3des esp-md5-hmac
access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ipsec-ts
 set pfs group2
 match address 112
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list 110 pool NATPOOL overload
interface FastEthernet0/1
 description LAN interface
 ip address 192.168.20.1 255.255.255.0
interface FastEthernet0/0
 description WAN interface
 ip address 2.2.2.2 255.255.255.0
 crypto map VPN
Remote Access: L2TP over IPSec using RADIUS Authentication
• Cisco ASA OS 8.3
• Configure a client VPN solution using L2TP over IPSec VPN
• The VPN pool for connected users will be 192.168.100.10 – 192.168.100.13
• LAN subnet behind the VPN device is: 192.168.10.0/24
• VPN users should have access to the 192.168.10.0 network over the established VPN tunnel
• VPN user authentication will use RADIUS (192.168.10.10)
• The L2TP secret (configured on the client) will be cisco123

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool routehub-pool 192.168.100.10-192.168.100.13 mask 255.255.255.0
aaa-server RADIUS protocol radius
aaa-server IAS protocol radius
aaa-server IAS host 192.168.10.10
 timeout 5
 key cisco123
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3desmd5 mode transport
crypto ipsec transform-set aes128sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes128sha mode transport
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256sha mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RHG-DMAP-VPN 10 set transform-set 3desmd5 aes128sha aes256sha
crypto map RHG-VPN 65000 ipsec-isakmp dynamic RHG-DMAP-VPN
crypto map RHG-VPN interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp identity address
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.10.10
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool routehub-pool
 authentication-server-group IAS
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisco123
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

show vpn-sessiondb summary
show vpn-sessiondb l2l
show vpn-sessiondb remote
show vpn-sessiondb full remote
show vpn-sessiondb
show vpn-sessiondb svc

IPSec over TCP
• Enable IPSec over TCP using port number 10,000

crypto isakmp ipsec-over-tcp port 10000
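The IPSec sections above (Remote Access IPSec, both Site-Based VPNs and L2TP over IPSec) all negotiate with 3DES, MD5 and DH group 2, and the L2TP section mixes those policies with AES/SHA transform-sets. Added here as an example (not from the guide) is a Python audit that parses `crypto isakmp policy` blocks and `crypto ipsec transform-set` lines, reports which suites rely on legacy algorithms, and returns the policy number the peer's proposals are matched against first. The sample is constructed from the L2TP section's lines; treating DES/3DES and MD5 as legacy and DH groups 1, 2 and 5 as too small is this example's assumption. The parser also accepts the IOS `encr` spelling used in the ASA-to-IOS section.

```python
# Constructed sample: the ISAKMP policies and transform-sets from the L2TP over
# IPSec section of the guide, joined into one excerpt for the audit to read.
SAMPLE_CRYPTO = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3desmd5 mode transport
crypto ipsec transform-set aes128sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
"""

# Thresholds assumed by this example: DES/3DES/null and MD5 are legacy, and
# DH groups whose modulus is below 2048 bits are too small.
LEGACY_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
LEGACY_HASH = {"md5", "esp-md5-hmac"}
SMALL_DH_GROUPS = {"1": 768, "2": 1024, "5": 1536}
ISAKMP_ATTRS = {"authentication", "encryption", "encr", "hash", "group", "lifetime"}


def parse_crypto(text):
    """Return ({policy_number: {attr: value}}, {transform_set_name: [transforms]})."""
    policies, transform_sets, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            current = int(tok[3])
            policies[current] = {}
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            current = None
            if len(tok) > 4 and tok[4] != "mode":      # skip "... mode transport" lines
                transform_sets[tok[3]] = tok[4:]
        elif current is not None and tok[0] in ISAKMP_ATTRS:
            key = "encryption" if tok[0] == "encr" else tok[0]   # IOS abbreviates it
            policies[current][key] = tok[1]
        else:
            current = None
    return policies, transform_sets


def audit_crypto_suites(text):
    """Map each ISAKMP policy and transform-set to its list of weaknesses ([] if clean)."""
    policies, transform_sets = parse_crypto(text)
    report = {}
    for num, attrs in sorted(policies.items()):
        issues = []
        enc, hsh, grp = attrs.get("encryption"), attrs.get("hash"), attrs.get("group")
        if enc in LEGACY_ENCRYPTION:
            issues.append(f"encryption {enc} is legacy")
        if hsh in LEGACY_HASH:
            issues.append(f"hash {hsh} is weak")
        if grp in SMALL_DH_GROUPS:
            issues.append(f"DH group {grp} ({SMALL_DH_GROUPS[grp]}-bit) is below 2048 bits")
        report[f"isakmp policy {num}"] = issues
    for name, transforms in transform_sets.items():
        issues = [f"{t} is legacy" for t in transforms if t in LEGACY_ENCRYPTION]
        issues += [f"{t} is weak" for t in transforms if t in LEGACY_HASH]
        report[f"transform-set {name}"] = issues
    return report


def preferred_isakmp_policy(text):
    """Policies are matched against the peer's proposals in ascending priority
    number, so the lowest-numbered policy that matches wins the negotiation."""
    policies, _ = parse_crypto(text)
    return min(policies) if policies else None


if __name__ == "__main__":
    for name, issues in audit_crypto_suites(SAMPLE_CRYPTO).items():
        print(name, "->", "; ".join(issues) if issues else "ok")
    print("first policy tried:", preferred_isakmp_policy(SAMPLE_CRYPTO))
```

The report shows that both ISAKMP policies and the `3desmd5` transform-set carry legacy algorithms while the two AES/SHA transform-sets are clean, and that policy 10, the weakest of the two, is the one matched first: on this box a client offering both 3DES/MD5 and a stronger suite lands on the weaker phase-1 policy.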
Packet Capture
• Capture all IP traffic between hosts 192.168.10.10 and 6.7.7.8 (through the inside interface)

ASA(config)# access-list INET permit ip host 192.168.10.10 host 6.7.7.8
ASA(config)# access-list INET permit ip host 6.7.7.8 host 192.168.10.10
ASA# capture inside access-list INET interface inside
ASA# show capture

VPN Monitoring
show isakmp sa
show crypto ipsec sa
show isakmp ipsec-over-tcp stats
show isakmp stats
show isakmp ipsec stats
show crypto protocol statistics ipsec
show crypto accelerator statistics
IPS using the Security Module
• Inspect traffic from the LAN (192.168.10.0) and DMZ (192.168.11.0) networks
• Enable promiscuous monitoring and permit all traffic if the IPS service module fails (fail-open)

access-list RHG-ACL-IPS-LAN extended permit ip 192.168.10.0 255.255.255.0 any
access-list RHG-ACL-IPS-DMZ extended permit ip 192.168.11.0 255.255.255.0 any
class-map RHG-CMAP-IPS-LAN
 match access-list RHG-ACL-IPS-LAN
class-map RHG-CMAP-IPS-DMZ
 match access-list RHG-ACL-IPS-DMZ
policy-map RHG-POL-IPS-LAN
 class RHG-CMAP-IPS-LAN
  ips promiscuous fail-open sensor vs0
policy-map RHG-POL-IPS-DMZ
 class RHG-CMAP-IPS-DMZ
  ips promiscuous fail-open sensor vs0
service-policy RHG-POL-IPS-LAN interface inside
service-policy RHG-POL-IPS-DMZ interface dmz
Application Inspection: Using PPTP
• Cisco ASA OS 8.3
• Update the application inspection list to inspect PPTP

class-map ROUTEHUB-CLASS-VPDN
 match port tcp eq pptp
policy-map global_policy
 class ROUTEHUB-CLASS-VPDN
  inspect pptp
service-policy global_policy global

Virtualization: Configuration to Support Virtual Firewalls
• Enable the Cisco ASA firewall to operate in L2 mode (“firewall transparent”)
• Add two new virtual firewall instances. One for Client 1 (CL1-FW) and another for Client 2 (CL2-FW)
• Client 1 Virtual Firewall will use interfaces GE0.198 (for the outside) and GE1.198 (for the inside)
• Client 2 Virtual Firewall will use interfaces GE0.298 (for the outside) and GE1.298 (for the inside)

mode multiple
firewall transparent
interface gigabitethernet 0.198
 no shutdown
interface gigabitethernet 1.198
 no shutdown
context CL1-FW
 allocate-interface gigabitethernet 0.198
 allocate-interface gigabitethernet 1.198
 config-url disk0:/CL1-FW.cfg
interface gigabitethernet 0.298
 no shutdown
interface gigabitethernet 1.298
 no shutdown
context CL2-FW
 allocate-interface gigabitethernet 0.298
 allocate-interface gigabitethernet 1.298
 config-url disk0:/CL2-FW.cfg