The purpose of this lab is to provide a more advanced understanding of Cisco’s ASA 5520 Adaptive Security Appliance. The Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. In this lab we will use GNS3 to configure the ASA as a basic firewall, add a third zone referred to as a DMZ, and finally create a site-to-site VPN between two sites. This knowledge is essential to passing the CCNP Security exam and will be used daily in your position as a Cisco network engineer.
In this lab we will use GNS3 and ASDM to model a network with a LOCAL and a REMOTE site. Each site will have access to the Internet. The local site will also have a DMZ that can be accessed by outside devices as well as inside devices, but devices in the DMZ will not be able to initiate connections to any inside device. In addition we will create a site-to-site VPN between the local site and the remote site. Before we continue with the lab, let’s look at the interfaces (security zones) used in this lab.
The outside interface is a public, untrusted zone commonly used to connect to public addresses on the Internet. On the ASA it carries the lowest security level (0), so devices in this zone cannot initiate connections to devices on the inside or in the DMZ unless an access list explicitly permits it.
The inside interface is a private, trusted interface (security level 100 by default for the nameif "inside") for local devices using private address space. To reach public addresses on the outside, the private addresses must be translated using NAT or PAT. Inside devices can access devices on the outside or in the DMZ unless restricted.
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network. On the ASA the DMZ is simply a third interface with an intermediate security level (for example 50): inside can reach the DMZ and the DMZ can reach the outside by default, while DMZ-to-inside and outside-to-DMZ traffic is denied until an access list permits it.
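The three-zone layout described above, written out as ASA 8.4 CLI. This is an added example and not configuration taken from the lab download; the interface numbers, the addresses (documentation and RFC 1918 ranges), the DMZ web server host and all object and ACL names are assumptions chosen for illustration, so the lab's own addressing will differ.

```cisco
! Three security zones. The nameif "inside" defaults to level 100 and
! every other nameif defaults to 0, so the DMZ level is set explicitly.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT inside and DMZ hosts behind the outside interface address when
! they go to the Internet (8.3+ object NAT). No NAT is needed between
! inside and dmz.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Static NAT for the one published DMZ server (assumed host/address).
object network DMZ-WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.10
!
! Outside -> DMZ: only the published service. From 8.3 on, interface
! ACLs match the REAL (untranslated) address, hence the object name.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq www
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq https
access-group OUTSIDE-IN in interface outside
!
! Binding an ACL to the dmz interface replaces the security-level
! default with "deny anything not listed", so DMZ -> Internet has to be
! permitted again. The deny for the inside network must come first;
! otherwise the broad permit would also open DMZ -> inside.
access-list DMZ-IN extended deny ip any 10.1.1.0 255.255.255.0
access-list DMZ-IN extended permit ip any any
access-group DMZ-IN in interface dmz
```

After applying it, `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80` should end in ALLOW, with the UN-NAT phase translating the destination to 172.16.1.10, while `packet-tracer input dmz tcp 172.16.1.10 40000 10.1.1.20 445` should end in DROP at the ACCESS-LIST phase. Running both traces is the quickest way to prove the DMZ really cannot reach the inside network.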
VPNs allow employees to securely access their company’s intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. VPN technology is also used by individual Internet users to protect their traffic on untrusted wireless networks, to circumvent geo-restrictions and censorship, and to connect to proxy servers in order to hide their identity and location.
Three types of VPN are available on the Cisco ASA product line:
Clientless SSL VPN enables end users to securely access resources on the corporate network from anywhere using an SSL-enabled web browser. The user first authenticates with the Clientless SSL VPN gateway, which then allows the user to access pre-configured network resources.
Clientless SSL VPN creates a secure, remote-access VPN tunnel to an ASA using a web browser, without requiring a software or hardware client. It provides secure and easy access to a broad range of web resources and both web-enabled and legacy applications from almost any device that can reach HTTPS sites on the Internet. These resources include:
- Internal websites.
- Web-enabled applications.
- NT/Active Directory file shares.
- E-mail proxies, including POP3S, IMAP4S, and SMTPS.
- Microsoft Outlook Web Access to Exchange Server 2000, 2003, and 2007.
- Microsoft Outlook Web App to Exchange Server 2010 in ASA 8.4(2) and later.
- Application Access (smart tunnel or port forwarding access to other TCP-based applications)
Clientless SSL VPN uses the Secure Sockets Layer protocol and its successor, Transport Layer Security (SSL/TLS), to provide the secure connection between remote users and specific, supported internal resources that you configure on an internal server. The ASA recognizes connections that must be proxied, and its HTTP server interacts with the authentication subsystem to authenticate users. The network administrator grants Clientless SSL VPN users access to resources on a group basis. Users have no direct access to resources on the internal network; every request passes through the ASA proxy.
Cisco AnyConnect Secure Mobility Client is a full-tunnel VPN client for enterprise users who need secure remote access to the corporate network through the ASA. Unlike Clientless SSL VPN, it installs software on the endpoint and assigns the user an address on the internal network, so any application on the device can reach internal resources rather than only those the gateway proxies. It connects over SSL/TLS (with DTLS for latency-sensitive traffic) or IKEv2/IPsec.
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company’s network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.
- Intranet-based — If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect each separate LAN to a single WAN.
- Extranet-based — When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies’ LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.
Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it can use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as it would on a remote-access VPN. A dedicated VPN gateway at each site, which is the role the ASA plays in this lab, accomplishes this goal: the two gateways build one IPsec tunnel and every host behind them uses it transparently.
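The gateway-to-gateway tunnel described above as an ASA 8.4 IKEv1/IPsec configuration for both sites, with the NAT exemption that is the most common reason such a tunnel never comes up. This is an added example rather than the lab's own configuration; the outside addresses (documentation ranges), the inside subnets, the object, ACL, transform-set and crypto-map names and the key placeholder are all assumptions. ASDM's site-to-site wizard generates equivalent lines.

```cisco
! ---- LOCAL ASA (outside 203.0.113.2, inside 10.1.1.0/24) ----
! Phase 1: IKEv1 policy and pre-shared-key authentication of the peer.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
! For LAN-to-LAN tunnels the tunnel-group name is the peer's public
! address. Use a long random key; the same key goes on the REMOTE side.
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
!
! Phase 2: ESP transform and the "interesting traffic" crypto ACL.
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-TO-REMOTE extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
crypto map OUTSIDE-MAP 10 match address L2L-TO-REMOTE
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group5
crypto map OUTSIDE-MAP interface outside
!
! NAT exemption (identity NAT). Manual NAT is evaluated before the
! object NAT that PATs inside hosts to the Internet; without this rule
! the PAT rewrites the source address, the packet no longer matches the
! crypto ACL, and the tunnel is never triggered.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-NET
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
!
! ---- REMOTE ASA (outside 198.51.100.2, inside 10.2.2.0/24) ----
! Repeat the crypto ikev1 policy, crypto ikev1 enable and transform-set
! lines exactly as above; only the peer, the networks and the ACL swap.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
access-list L2L-TO-LOCAL extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-TO-LOCAL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group5
crypto map OUTSIDE-MAP interface outside
object network INSIDE-NET
 subnet 10.2.2.0 255.255.255.0
object network LOCAL-NET
 subnet 10.1.1.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static LOCAL-NET LOCAL-NET no-proxy-arp route-lookup
```

Bring the tunnel up by sending interesting traffic (a ping from an inside host at one site to an inside host at the other) and confirm it with `show crypto ikev1 sa` (state MM_ACTIVE) and `show crypto ipsec sa` (the encaps and decaps counters should both increase). `packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.10` shows the identity NAT match and the VPN phase without needing a host. Two caveats: `sysopt connection permit-vpn` is on by default, so decrypted traffic arriving from the remote site bypasses the outside interface ACL (apply a `vpn-filter` in the group policy if the tunnel needs its own filtering), and IKEv1 with a pre-shared key is shown because it interoperates with almost any peer; where both ends run ASA 8.4 or later, IKEv2 is the stronger choice.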
Cisco’s ASDM is a simple, GUI-based firewall appliance management tool that is user friendly and allows the user to configure, monitor, and troubleshoot Cisco firewall appliances and firewall service modules. Ideal for small or simple deployments, the Cisco Adaptive Security Device Manager provides the following:
- Setup wizards that help you configure and manage Cisco firewall devices, including the Cisco ASA Adaptive Security Appliances, Cisco PIX appliances, and Cisco Catalyst 6500 Series Firewall Services Modules, without cumbersome command-line scripts
- A powerful real-time log viewer and monitoring dashboards that provide an at-a-glance view of firewall appliance status and health
- Handy troubleshooting features and powerful debugging tools such as packet trace and packet capture.
This lab covers the following steps:
- Add the ASA to GNS3.
- Configure MS Loopback Interface.
- Install and configure ASDM.
- Use ASDM to configure the ASA.
- Configure a DMZ
- Configure a Site-to-Site VPN
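The ASDM steps above (loopback adapter, ASDM install, first ASDM session) require the ASA to accept HTTPS management connections before the GUI can be used at all. The ASA 8.4 CLI below, added here as an example and not taken from the lab download, prepares that with the management plane locked to one subnet. The TFTP server address, the inside subnet (where the MS loopback adapter is assumed to sit), the image file name and the account name are assumptions.

```cisco
! Copy the ASDM image from the lab TFTP server to flash. The TFTP host
! address and the image file name are assumptions for this example.
copy tftp://10.1.1.50/asdm-647.bin disk0:/asdm-647.bin
!
configure terminal
asdm image disk0:/asdm-647.bin
!
! Local administrator with privilege 15, which ASDM needs once HTTP
! authentication is pointed at the LOCAL database. Replace the
! placeholder password with a long random one.
username admin password CHANGE-ME-Long-Random privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
!
! ASDM runs over HTTPS. Start the server and allow it only from the
! inside management subnet; never open it on the outside interface.
http server enable
http 10.1.1.0 255.255.255.0 inside
!
! CLI access over SSH from the same subnet (needs an RSA key pair).
crypto key generate rsa modulus 2048
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! Verify before launching ASDM against https://10.1.1.1/admin
show asdm image
show run http
show run ssh
```

If the ASDM launcher cannot connect, `show run http` is the first thing to check: the `http` line must cover the loopback adapter's address on the correct interface name, and `asdm image` must point at a file that `dir disk0:` actually lists.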
Download this lab now for full details:
ASA SITE-TO-SITE VPN (37.0 MiB)
ASA842 for GNS3 (23.6 MiB)
ASDM 6.4.7 (18.1 MiB)
Cisco TFTP Server (1.3 MiB)