VPN de acceso remoto sobre un equipo verde, pues todas las redes y nombres aqui han sido editados a fin de evitar mostrar la configuracion real del equipo . La configuracion habla por si sola, por lo que se observa que se permite el acceso a varias redes internas una vez establecida una sesion desde fuera con el cisco vpn client .
: Saved
: Written by enable_15 at 20:10:05.757 PEST Mon Jun 8 2009
!
ASA Version 8.0(3)
!
hostname fw-asa
domain-name sapisa.com
enable password zZ306WW4h1rLbJq9F encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.200.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.254.1 255.255.255.0
!
interface GigabitEthernet0/2
description VLAN VOICE
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
description VLAN BACKUP
vlan 3
nameif BACKUP
security-level 100
ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet0/2.2
description VLAN VIDEO
vlan 4
nameif VIDEO
security-level 100
ip address 10.1.30.1 255.255.255.0
!
interface GigabitEthernet0/2.3
description VLAN WORKSTATION
vlan 5
nameif WORKSTATION
security-level 100
ip address 10.1.50.1 255.255.255.0
!
interface GigabitEthernet0/2.4
description VLAN THINCLIENTS
vlan 6
nameif THINCLIENTS
security-level 100
ip address 10.1.60.1 255.255.255.0
!
interface GigabitEthernet0/2.5
vlan 7
nameif DEV
security-level 100
ip address 10.1.251.1 255.255.255.0
!
interface GigabitEthernet0/2.6
description VLAN TEST
vlan 8
nameif TEST
security-level 40
ip address 10.1.252.1 255.255.255.0
!
interface GigabitEthernet0/2.7
description vlan prod
vlan 9
nameif PROD
security-level 100
ip address 10.1.253.1 255.255.255.0
!
interface GigabitEthernet0/2.8
vlan 2
nameif VOICE
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Management0/0
nameif gestion
security-level 100
ip address 192.168.172.1 255.255.255.252
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/as
boot system disk0:/
boot system disk0:/asa722-k8.bin
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PEST -5
dns server-group DefaultDNS
domain-name sapisa.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 172.16.172.0 255.255.255.128
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.40.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.40.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.4.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.4.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.4.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.4.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.4.30.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.4.50.0 255.255.255.0
access-list nonat extended permit ip 10.1.30.0 255.255.255.0 10.2.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.60.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.30.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.5.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.30.0 255.255.255.0 10.5.30.0 255.255.255.0
access-list nonat extended permit ip 10.1.50.0 255.255.255.0 10.5.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 172.16.172.0 255.255.255.128
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 192.40.2.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.4.50.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.5.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.3.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.3.251.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.3.50.0 255.255.255.0
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list 122 extended permit tcp host 192.168.254.229 any eq smtp
access-list 122 extended permit tcp host 192.168.254.229 any eq https
access-list inside_nat0_outbound extended permit ip interface inside 192.168.0.120 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.0.120 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.0.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.40.2.0 255.255.255.0 192.168.0.120 255.255.255.248
access-list inside_nat0_outbound extended permit ip interface inside 192.168.0.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.120 255.255.255.252
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.0.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.40.2.0 255.255.255.0 192.168.0.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.40.1.0 255.255.255.0 192.168.0.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.254.120 255.255.255.252
access-list laintranet remark branches
access-list laintranet standard permit 192.168.254.0 255.255.255.0
access-list laintranet standard permit 192.168.250.0 255.255.255.0
access-list laintranet standard permit 192.40.2.0 255.255.255.0
access-list laintranet standard permit 10.5.50.0 255.255.255.0
access-list laintranet standard permit 172.16.0.0 255.255.255.0
access-list laintranet standard permit 10.3.50.0 255.255.255.0
access-list laintranet standard permit 10.3.251.0 255.255.255.0
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.238 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.238 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.237 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.237 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.236 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.236 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.235 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.235 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.196 eq domain
access-list 105 extended permit ip 172.16.254.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 105 extended permit udp host 172.16.0.209 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.209 host 192.168.254.196 eq domain
access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.196 eq ssh
access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.198 eq ssh
access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.224 eq ssh
access-list 105 extended permit udp host 172.16.0.233 host 192.168.254.196 eq domain
access-list 105 extended permit udp host 172.16.0.233 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.234 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.234 host 192.168.254.196 eq domain
access-list 105 extended permit tcp host 172.16.0.31 host 192.168.254.238 eq 8009
access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.238 eq 8009
access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.239 eq 8009
access-list 105 extended permit tcp host 172.16.0.31 host 192.168.254.239 eq 8009
access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.239 eq 8009
access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.239 eq 8009
access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.198 eq domain
access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.196 eq domain
access-list 105 extended permit ip host 172.16.0.10 host 192.168.254.90 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.236 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.237 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.238 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.239 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.224 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.198 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.196 log
access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.235 log
access-list 105 extended permit ip host 172.16.0.30 host 192.168.254.198
access-list 105 extended permit ip host 172.16.0.30 host 192.168.254.196
access-list 105 extended permit tcp host 172.16.0.231 host 192.168.254.190 eq 7080
access-list 105 extended permit udp host 172.16.0.231 host 192.168.254.190 eq 7080
pager lines 24
logging enable
logging timestamp
logging emblem
logging asdm-buffer-size 500
logging trap debugging
logging asdm informational
logging device-id ipaddress inside
logging host inside 192.168.254.252
logging host inside 192.168.254.90
logging host inside 192.168.254.253
mtu outside 1500
mtu inside 1500
mtu BACKUP 1500
mtu VIDEO 1500
mtu WORKSTATION 1500
mtu THINCLIENTS 1500
mtu DEV 1500
mtu TEST 1500
mtu PROD 1500
mtu VOICE 1500
mtu DMZ 1500
mtu gestion 1500
ip local pool intervalo 192.168.0.120-192.168.0.126 mask 255.255.255.0
ip local pool caller-pool 172.16.172.1-172.16.172.126 mask 255.255.255.128
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location 10.2.30.0 255.255.255.0 outside
asdm location 10.4.10.0 255.255.255.0 outside
asdm location 10.4.30.0 255.255.255.0 outside
asdm location 10.4.50.0 255.255.255.0 outside
asdm location 10.5.10.0 255.255.255.0 outside
asdm location 10.5.30.0 255.255.255.0 outside
asdm location 10.5.50.0 255.255.255.0 outside
asdm location 10.5.60.0 255.255.255.0 outside
asdm location 172.16.172.0 255.255.255.128 outside
asdm location 192.40.1.0 255.255.255.0 outside
asdm location 192.40.2.0 255.255.255.0 outside
asdm location 192.168.20.0 255.255.255.0 outside
asdm location 192.168.250.0 255.255.255.0 outside
asdm location 192.168.254.90 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.200.20-192.168.200.30 netmask 255.255.255.255
global (outside) 1 192.10.1.10
global (outside) 1 interface
nat (inside) 0 access-list nonat
access-group outside in interface outside
access-group 105 in interface DMZ
!
router eigrp 1000
network 192.168.200.0 255.255.255.0
network 192.168.254.0 255.255.255.0
!
route DMZ 172.16.254.0 255.255.255.0 172.16.0.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.254.0 255.255.255.0 inside
http 192.168.172.0 255.255.255.252 gestion
http 192.168.172.2 255.255.255.255 gestion
http 192.168.254.90 255.255.255.255 gestion
snmp-server host inside 192.168.254.253 community internal
no snmp-server location
no snmp-server contact
snmp-server community internal
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-session-limit 700
telnet timeout 5
ssh 192.40.2.71 255.255.255.255 inside
ssh 192.168.254.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access gestion
dhcpd dns 192.168.254.198 205.171.2.65
!
dhcpd address 192.168.254.2-192.168.254.90 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
group-policy caller-group internal
group-policy caller-group attributes
dns-server value 192.168.254.198
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value laintranet
default-domain value sapisa.com
username tsebastian password 7/iLDkN5eJkX8Scu encrypted
username mccara password YiavJo3SO1vRFK encrypted
username mdiaz password 6JqJs0jCEUkKBO encrypted
username jweexon password p4uuzwyy7/js encrypted
username pgonzales password fdFq54c5REVahQ encrypted
username egarcia password OXksXf9PTOUUq encrypted
username agallozo password N9uGUBGQUzFTNG encrypted
username pvaliente password dCxpUMN4mbU2iG encrypted
username ameen password 2HMn.wkKqOTsJ encrypted
tunnel-group caller-group type remote-access
tunnel-group caller-group general-attributes
address-pool caller-pool
default-group-policy caller-group
tunnel-group caller-group ipsec-attributes
pre-shared-key cLaBeZecr3ta
!
!
prompt hostname context
Cryptochecksum:fee3f0c4702a803d65247c008e89bdf4
: end
Delante del ASA se tiene un router, el cual natea la ip publicado (que sirve el servicio VPN a los usuarios moviles) hacia el ASA en 192.168.200.2/24 (outside). Este nat declarado sobre la inside del router es algo como :
ip nat inside source static 192.168.200.2 99.99.99.99 extendable
No hay comentarios.:
Publicar un comentario