Security Policy (Allow / Deny)

Source \ Destination   Employee   E-mail   Finance ($)   Internet
Employee               Deny       Permit   Deny          Permit
Executive              Deny       Deny     Permit        Permit
BYOD                   Deny       Permit   Deny          Permit
Guest                  Permit     Deny     Deny          Permit
[Diagram: ASA security levels. Internet on the outside (0) interface, dmz (50), inside (100). A second variant splits the DMZ into zones: outside (0), dmz zone 1 (50), dmz zone 2 (60), dmz zone 3 (70), inside (100). Arrow label: "Incoming traffic (Allow, but Inspected) (Low to High)".]
[Lab topology: INTERNET router with loopbacks Facebook 173.252.74.68/32 and Youtube 172.217.25.174/32 on 150.1.1.0/24 behind the ASA outside (0) interface; DMZ router 192.168.5.5/24 on 192.168.1.0/24 behind dmz (50); LAN router 10.10.10.10/24 on 10.1.1.0/24 behind inside (100).]

ASA
int g0
 nameif inside
 security-level 100
 ip add 10.1.1.100 255.255.255.0
!
int g1
 nameif outside
 security-level 0
 ip add 150.1.1.100 255.255.255.0
!
int g2
 nameif dmz
 security-level 50
 ip add 192.168.1.100 255.255.255.0
!
ASA#show int ip brief
ASA#ping 173.252.74.68
ASA#ping 10.10.10.10
ASA#ping 192.168.5.5
LAN
LAN#ping 173.252.74.68
LAN#ping 173.252.74.68 source lo0
Configure vty password & enable password on LAN, DMZ and INTERNET!
LAN
line vty 0 4
password testlan
!
enable password testlan
!
DMZ
line vty 0 4
password testdmz
!
enable password testdmz
!
INTERNET
line vty 0 4
password testout
!
enable password testout
!
2016 RHC Technologies #LIKE #FOLLOW #WATCH
Verify telnet test from LAN <-> INTERNET // LAN <-> DMZ // DMZ <-> INTERNET
LAN
LAN#telnet 173.252.74.68
INTERNET
INTERNET#telnet 10.10.10.10
Please also test LAN <-> DMZ // DMZ <-> INTERNET.
ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
access-group INTERNET_LAN in interface outside
!
INTERNET
INTERNET#telnet 10.10.10.10
INTERNET#telnet 10.10.10.10 /source-interface lo0
INTERNET#telnet 10.10.10.10 /source-interface lo1
ASA
access-list DMZ_LAN permit tcp any any eq telnet
!
access-group DMZ_LAN in interface dmz
!
DMZ
DMZ#telnet 10.10.10.10
DMZ#telnet 10.10.10.10 /source-interface lo0
INTERNET
INTERNET#telnet 192.168.5.5
INTERNET#telnet 192.168.5.5 /source-interface lo0
INTERNET#telnet 192.168.5.5 /source-interface lo1
Why SUCCESS ?
Because of the below config we configured in the previous step.
ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
access-group INTERNET_LAN in interface outside
!
ASA
no access-list INTERNET_LAN permit tcp any any eq telnet
!
no access-group INTERNET_LAN in interface outside
!
ASA
access-list INTERNET_LAN permit tcp host 173.252.74.68 10.10.10.0 255.255.255.0 eq telnet
!
access-list INTERNET_LAN permit tcp host 172.217.25.174 192.168.5.0 255.255.255.0 eq telnet
!
access-group INTERNET_LAN in interface outside
!
INTERNET
INTERNET#telnet 10.10.10.10 > {success/fail}
INTERNET#telnet 10.10.10.10 /source-interface lo0 > {success/fail}
INTERNET#telnet 10.10.10.10 /source-interface lo1 > {success/fail}
INTERNET
INTERNET#telnet 192.168.5.5 > {success/fail}
INTERNET#telnet 192.168.5.5 /source-interface lo0 > {success/fail}
INTERNET#telnet 192.168.5.5 /source-interface lo1 > {success/fail}
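To reason about the {success/fail} blanks above, here is an added model (not part of the lab, not ASA code) of the ASA forwarding decision: an inbound ACL on the ingress interface is evaluated first-match with an implicit deny, and without one only higher-to-lower security-level traffic passes. It assumes lo0 on INTERNET carries the Facebook address, lo1 the Youtube address, and uses a constructed 150.1.1.1 for the INTERNET router's own interface.

```python
import ipaddress

# Interface security levels from the lab topology on this page.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

# Inbound ACLs as bound in this step: INTERNET_LAN on outside (the two
# host-to-subnet telnet ACEs from the page); nothing bound on dmz or inside.
# ACE layout: (protocol, source network, destination network, destination port)
INBOUND_ACL = {
    "outside": [
        ("tcp", "173.252.74.68/32", "10.10.10.0/24", 23),
        ("tcp", "172.217.25.174/32", "192.168.5.0/24", 23),
    ],
}

def ace_matches(ace, proto, src, dst, dport):
    a_proto, a_src, a_dst, a_port = ace
    return (a_proto == proto and a_port == dport
            and ipaddress.ip_address(src) in ipaddress.ip_network(a_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(a_dst))

def allowed(ingress, egress, proto, src, dst, dport):
    """Forwarding decision for a new connection.
    With an ACL bound inbound on the ingress interface, the ACL decides
    (first match, implicit deny); the security-level default no longer
    applies there.  Without one, traffic passes only from a higher to a
    lower level; equal levels are denied (same-security-traffic assumed off)."""
    acl = INBOUND_ACL.get(ingress)
    if acl is not None:
        return any(ace_matches(a, proto, src, dst, dport) for a in acl)
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]

# The page's telnet checks.  Assumptions: lo0 = Facebook address, lo1 = Youtube
# address; 150.1.1.1 is a constructed address for the INTERNET router itself.
LAB_TESTS = {
    "INTERNET -> LAN, no source": ("outside", "inside", "tcp", "150.1.1.1", "10.10.10.10", 23),
    "INTERNET -> LAN, lo0": ("outside", "inside", "tcp", "173.252.74.68", "10.10.10.10", 23),
    "INTERNET -> LAN, lo1": ("outside", "inside", "tcp", "172.217.25.174", "10.10.10.10", 23),
    "INTERNET -> DMZ, no source": ("outside", "dmz", "tcp", "150.1.1.1", "192.168.5.5", 23),
    "INTERNET -> DMZ, lo0": ("outside", "dmz", "tcp", "173.252.74.68", "192.168.5.5", 23),
    "INTERNET -> DMZ, lo1": ("outside", "dmz", "tcp", "172.217.25.174", "192.168.5.5", 23),
    "LAN -> INTERNET (no ACL on inside)": ("inside", "outside", "tcp", "10.10.10.10", "173.252.74.68", 23),
}

def run_lab_tests():
    return {name: allowed(*args) for name, args in LAB_TESTS.items()}

if __name__ == "__main__":
    for name, result in run_lab_tests().items():
        print(f"{name:36} {'success' if result else 'fail'}")
```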
ASA
access-list INTERNET_LAN permit icmp any any echo-reply
!
access-list DMZ_LAN permit icmp any any echo-reply
!
access-group INTERNET_LAN in interface outside
!
access-group DMZ_LAN in interface dmz
LAN
ASA
access-list INTERNET_LAN permit icmp any any echo
access-list INTERNET_LAN permit icmp any any echo-reply
!
access-group INTERNET_LAN in interface outside
!
access-list DMZ_LAN permit icmp any any echo
access-list DMZ_LAN permit icmp any any echo-reply
!
access-group DMZ_LAN in interface dmz
ping test
INTERNET#ping 10.10.10.10 source lo0
INTERNET#ping 10.10.10.10 source lo1
INTERNET#ping 192.168.5.5 source lo0
INTERNET#ping 192.168.5.5 source lo1
ASA
object-group network GoogleDNS
network-object host 8.8.8.8
network-object host 8.8.4.4
!
object-group network LAN
network-object 10.10.10.0 255.255.255.0
network-object 11.11.11.0 255.255.255.0
network-object 12.12.12.0 255.255.255.0
!
object-group service PING
service-object icmp echo
service-object icmp echo-reply
!
access-list INTERNET_LAN permit object-group PING object-group GoogleDNS object-group LAN
!
access-group INTERNET_LAN in interface outside
ping test
INTERNET#ping 10.10.10.10 source lo0
INTERNET#ping 10.10.10.10 source lo1
INTERNET#ping 10.10.10.10 source lo2
INTERNET#ping 10.10.10.10 source lo3
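The single object-group ACE above stands for every combination of its members. This added example (not from the lab or Cisco) parses the page's object-group configuration, embedded here as constructed input, expands the ACE into the flat entries the ASA actually evaluates, and checks sample ping flows against them.

```python
import ipaddress

# Constructed input: the object-group configuration from this step of the lab.
LAB_CONFIG = """
object-group network GoogleDNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4
object-group network LAN
 network-object 10.10.10.0 255.255.255.0
 network-object 11.11.11.0 255.255.255.0
 network-object 12.12.12.0 255.255.255.0
object-group service PING
 service-object icmp echo
 service-object icmp echo-reply
access-list INTERNET_LAN permit object-group PING object-group GoogleDNS object-group LAN
"""

def parse_config(text):
    """Return (groups, aces): group name -> member list, and access-list lines."""
    groups, aces, current = {}, [], None
    for line in text.strip().splitlines():
        p = line.split()
        if p[0] == "object-group":            # object-group network|service NAME
            current = groups.setdefault(p[2], [])
        elif p[0] == "network-object":        # host A.B.C.D  or  NET MASK
            net = p[2] + "/32" if p[1] == "host" else f"{p[1]}/{p[2]}"
            current.append(ipaddress.ip_network(net))
        elif p[0] == "service-object":        # service-object icmp echo
            current.append((p[1], p[2]))
        elif p[0] == "access-list":
            aces.append(p)
    return groups, aces

def expand(groups, ace):
    """Flatten 'permit object-group SVC object-group SRC object-group DST'
    into (action, proto, type, src, dst) tuples: one per member combination."""
    action, svc, src, dst = ace[2], groups[ace[4]], groups[ace[6]], groups[ace[8]]
    return [(action, proto, kind, s, d) for proto, kind in svc for s in src for d in dst]

def permits(flat, proto, kind, src, dst):
    """First-match lookup over the expanded entries; implicit deny otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_kind, a_src, a_dst in flat:
        if a_proto == proto and a_kind == kind and s in a_src and d in a_dst:
            return action == "permit"
    return False

def lab_acl():
    groups, aces = parse_config(LAB_CONFIG)
    return expand(groups, aces[0])
```

Only echo and echo-reply from the two Google DNS hosts to the three LAN subnets match; a ping sourced from the Facebook or Youtube loopback still hits the implicit deny.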
[Diagram: DMZ router 192.168.5.5/24 on 192.168.1.0/24 behind dmz (50), translated to public address 150.1.1.5/32 on the outside (0) side (150.1.1.0/24); inside (100) unchanged.]

ASA
object network DMZ-Private
 host 192.168.5.5
!
object network DMZ-Public
 host 150.1.1.5
!
nat (dmz,outside) source static DMZ-Private DMZ-Public
!
access-list INTERNET_LAN permit tcp any any eq telnet
telnet test
INTERNET#telnet 150.1.1.5 /source-interface lo0
INTERNET#telnet 150.1.1.5 /source-interface lo1
INTERNET#telnet 150.1.1.5 /source-interface lo2
INTERNET#telnet 150.1.1.5 /source-interface lo3
www.rhctechnologies.com