Dead Packets

30/06/2010

SNAF Lab Notes

Filed under: certification, cisco — drak @ 11:02 AM

In the same spirit as the CCNA Security Lab Notes, here are some of the notes I used while studying. For this exam my main resources were:

– Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (2nd Edition)
– Course material from Securing Networks with ASA Fundamentals (SNAF)
– Labs on real equipment

! Basic system setup

! Wipe the startup-config and reboot (lab only), then look at the platform
wr erase
reload
sh mem
sh ver
sh hist
sh bootvar
dir
! Pin the ASA and ASDM images to boot from
boot system disk0:/asa822-k8.bin
asdm image disk0:/asdm-631.bin
wr mem
! Remote syslog. Level "debugging" is very chatty; outside the lab use "informational"
logging enable
logging host inside 10.1.1.1
logging trap debugging

! Allow traffic between interfaces of the same security level, and hairpinned
! on the same interface (the intra-interface form is what a VPN hub needs for
! spoke-to-spoke traffic)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

! DHCP server on the inside interface
dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd enable inside
dhcpd dns 192.189.10.10 interface inside
dhcpd wins 192.189.10.10 interface inside
dhcpd lease 80000 interface inside

! Modular Policy Framework

access-l INTERNET_ACL permit tcp any object-group WEBSERVERS object-group HTTP_SVC
access-l VOIP_ACL permit object-group VOIP_Protocols 192.168.1.0 255.255.255.0 172.18.0.0 255.255.0.0

class-map VOICE_MAP
 match access-l VOIP_ACL
class-map INTERNET_MAP
 match access-l INTERNET_ACL
policy-map OUTSIDE_POL
 class VOICE_MAP
  ! strict priority queueing only takes effect once "priority-queue outside" exists
  priority
 class INTERNET_MAP
  ! fail-open: if the IPS module goes down, traffic keeps flowing uninspected
  ips inline fail-open
service-policy OUTSIDE_POL interface outside

! Management class map: matches traffic to the ASA itself (here HTTPS/ASDM)
class-map type management MANAGEMENT
 match port tcp eq https
policy-map outside-policy
 class MANAGEMENT
  set connection conn-max 10 embryonic-conn-max 8
! Only one policy-map can be bound per interface, so in practice this class
! belongs in OUTSIDE_POL (or in the global policy), not in a second policy-map

sh service-policy

! Extend HTTP inspection to a non-standard port via the global policy
class-map 8080_INSPECT_TRAFFIC
 match port tcp eq 8080
policy-map global_policy
 class 8080_INSPECT_TRAFFIC
  inspect http

! Threat detection

threat-detection basic-threat
! Custom thresholds for the dos-drop event: average over a 600 s interval, plus a burst rate
threat-detection rate dos-drop rate-interval 600 average-rate 50 burst-rate 100
sh threat-detection scanning-threat attacker
! the shun list is only populated when "threat-detection scanning-threat shun" is configured
sh threat-detection shun
sh threat-detection statistics

! VPN

! Site-to-site (L2L) IPsec with a pre-shared key
crypto isakmp enable outside

! Phase 1. 3DES / SHA-1 / DH group 2 was the exam-era default; use AES and a
! larger DH group wherever the peer supports them
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400

tunnel-group 192.168.11.2 type ipsec-l2l
tunnel-group 192.168.11.2 ipsec-attributes
 pre-shared-key CHAVE
 ! DPD: probe after 10 s idle, retry every 2 s
 isakmp keepalive threshold 10 retry 2

! Interesting traffic (crypto ACL); the peer's ACL must be its mirror image
access-l outside_1_cryptomap line 1 extended permit ip 10.0.1.0 255.255.255.0 10.0.11.0 255.255.255.0

! Phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 192.168.11.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
! binding the map to an interface takes no sequence number
crypto map outside_map interface outside

! NAT exemption for tunnel traffic (pre-8.3 "nat 0" syntax, matching the 8.2 image above)
access-l inside_nat0_outbound line 1 extended permit ip 10.0.1.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0

sh run access-l
sh run isakmp
sh run tunnel-group
sh run ipsec
sh run crypto map

sh crypto isakmp sa
sh crypto ipsec sa

! Remote-access IPsec VPN (Cisco VPN Client); same phase 1 policy as above
crypto isakmp enable outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400

! Addresses handed out to clients
ip local pool MYPOOL 10.0.21.1-10.0.21.254 mask 255.255.255.0

! Define the group policy before anything references it
group-policy POL_REMOTE internal
group-policy POL_REMOTE attributes
 vpn-tunnel-protocol IPSec
 dns-server value 10.0.1.15 172.30.1.15
 wins-server value 10.0.1.16 172.30.1.16
 default-domain value remote.com

tunnel-group REMOTE type remote-access
tunnel-group REMOTE general-attributes
 default-group-policy POL_REMOTE
 address-pool MYPOOL
tunnel-group REMOTE ipsec-attributes
 pre-shared-key CHAVE

! Per-user override of the group policy; the user account must already exist,
! and MYGROUP must be a defined group-policy (it is not defined in these notes)
username CarterB attributes
 vpn-group-policy MYGROUP

! Clientless SSL VPN (WebVPN)
webvpn
 enable outside
! ASDM-style bookmark import: the temp file is uploaded, imported as URL list "URL", then deleted
import webvpn url-list URL disk0:/tmpAsdmImportFile128451205
delete /noconfirm disk0:/tmpAsdmImportFile128451205

group-policy Grp_Pol_VPN1 internal
group-policy Grp_Pol_VPN1 attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value URL
! privilege 0: the account is for VPN login only, not for managing the ASA
username usuario1 password LBc0wsr7MhAKY5C5 encrypted privilege 0
username usuario1 attributes
 vpn-group-policy Grp_Pol_VPN1
tunnel-group AUSTIN type remote-access
tunnel-group AUSTIN general-attributes
 default-group-policy Grp_Pol_VPN1

sh import webvpn url-list
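The MPF and VPN fragments above are easy to get subtly wrong (a second policy-map on an interface, a group-policy that is referenced but never created, a phase 1 policy still on 3DES/DH group 2). The following Python checker is an added example for these notes, not code from the original post or from Cisco; it runs those three checks over a config text. The sample config embedded in it is constructed from the notes on this page (with their original slips left in, plus a deliberately added second policy-map on "outside"), and the WEAK_* thresholds are an assumption to be tuned to your own baseline.

```python
"""Static checks over an ASA config text (added example, not from the original post):
  * ISAKMP policies still using DES/3DES, MD5 or DH group 1/2
  * group-policies referenced but never defined
  * more than one policy-map bound to the same interface (the ASA allows one)
"""
import re
from collections import defaultdict

# Assumed thresholds; adjust to your own baseline.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}
ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
BUILTIN_GROUP_POLICIES = {"DfltGrpPolicy"}  # always exists on the ASA

# Constructed sample, not a real device dump: the lab notes with their slips kept,
# plus a second policy-map on "outside" added on purpose.
SAMPLE_CONFIG = """\
policy-map OUTSIDE_POL
 class VOICE_MAP
  priority
service-policy OUTSIDE_POL interface outside
policy-map outside-policy
 class MANAGEMENT
  set connection conn-max 10 embryonic-conn-max 8
service-policy outside-policy interface outside
service-policy global_policy global
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
group-policy POL_REMOTE internal
group-policy REMOTE attributes
 vpn-tunnel-protocol IPSec
tunnel-group REMOTE general-attributes
 default-group-policy POL_REMOTE
username CarterB attributes
 vpn-group-policy MYGROUP
"""


def _canonical(attr):
    """Expand the abbreviations the ASA CLI accepts ("authen", "encrypt")."""
    for full in ISAKMP_ATTRS:
        if full.startswith(attr.lower()):
            return full
    return attr.lower()


def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} from 'crypto isakmp policy' lines."""
    policies = defaultdict(dict)
    for raw in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+) (\S+) (\S+)", raw.strip())
        if m:
            num, attr, value = m.groups()
            policies[num][_canonical(attr)] = value.lower()
    return dict(policies)


def weak_isakmp_policies(config):
    """Findings for phase 1 policies that use weak primitives, in policy order."""
    findings = []
    for num, attrs in sorted(parse_isakmp_policies(config).items(), key=lambda kv: int(kv[0])):
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: weak encryption {attrs['encryption']}")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {attrs['hash']}")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {attrs['group']}")
    return findings


def dangling_group_policies(config):
    """Names used by 'group-policy X attributes', 'default-group-policy X' or
    'vpn-group-policy X' with no matching 'group-policy X internal|external'."""
    defined, referenced = set(BUILTIN_GROUP_POLICIES), set()
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"group-policy (\S+) (internal|external)\b", line):
            defined.add(line.split()[1])
            continue
        for pat in (r"group-policy (\S+) attributes$",
                    r"default-group-policy (\S+)$",
                    r"vpn-group-policy (\S+)$"):
            m = re.match(pat, line)
            if m:
                referenced.add(m.group(1))
    return sorted(referenced - defined)


def overbound_interfaces(config):
    """Interfaces with more than one policy-map bound via 'service-policy ... interface'."""
    bound = defaultdict(list)
    for raw in config.splitlines():
        m = re.match(r"service-policy (\S+) interface (\S+)", raw.strip())
        if m:
            bound[m.group(2)].append(m.group(1))
    return {ifc: maps for ifc, maps in bound.items() if len(maps) > 1}


def audit(config):
    """Run every check; returns findings keyed by check name."""
    return {
        "weak_isakmp": weak_isakmp_policies(config),
        "dangling_group_policies": dangling_group_policies(config),
        "overbound_interfaces": overbound_interfaces(config),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

Feed it the output of `sh run` (or `more system:running-config`) saved to a file; the `global` binding of global_policy is deliberately ignored by the per-interface check because the ASA allows one global policy alongside one policy per interface.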

! Firewall virtualization

sh mode
sh context
! switching to multiple mode converts the config and reloads the ASA
mode multiple

! Resource class shared by its member contexts
class MEDIUM-RESOURCE-SET
 limit-resource conns 20%
 limit-resource ASDM 4
 limit-resource telnet 5
 limit-resource ssh 5

context CLIENT1
 member MEDIUM-RESOURCE-SET
 ! "invisible" hides the physical interface name from the context
 allocate-interface Ethernet0/0 invisible
 config-url disk0:/client1.cfg
! system context: auto-generate unique MACs when contexts share a physical interface
mac-address auto
changeto system
changeto context CLIENT1
sh cpu usage context all

! Force the active member of a redundant interface (takes the physical member interface name)
redundant-interface redundant1 active-member