You can visit this blog and study it whenever you have time.

8/3/16

2 Firewall, Double NAT, DMZ : CISCO

#Credit-RHC Technologies 


Step-1
ASA-1(config)# int gigabitEthernet 0
ASA-1(config-if)# ip add 203.81.71.2 255.255.255.0
ASA-1(config)# int gi 1
ASA-1(config-if)# ip add 192.168.12.1 255.255.255.0
ASA-1(config)# int gi 3
ASA-1(config-if)# ip add 172.16.12.1 255.255.255.0
ASA-1(config)# int gi 2
ASA-1(config-if)# ip add 172.31.12.1 255.255.255.0
Step-2
ASA-1(config)# int gi 0
ASA-1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA-1(config-if)# security-level 0
ASA-1(config)# int gi 1
ASA-1(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ASA-1(config)# int gi 3
ASA-1(config-if)# nameif dmz2
INFO: Security level for "dmz2" set to 0 by default.
ASA-1(config-if)# security-level 50
ASA-1(config)# int gi 2
ASA-1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA-1(config-if)# security-level 100

Step-3
ASA-1(config)# object network DMZ_NET
ASA-1(config-network-object)# subnet 192.168.12.0 255.255.255.0
ASA-1(config-network-object)# description For DMZ
ASA-1(config-network-object)# exit
ASA-1(config)# object network LAN1_NET
ASA-1(config-network-object)# subnet 172.31.12.0 255.255.255.0
ASA-1(config-network-object)# description For LAN
ASA-1(config-network-object)# exit
ASA-1(config)# object network DMZ2_NET
ASA-1(config-network-object)# subnet 172.16.12.0 255.255.255.0
ASA-1(config-network-object)# description For DMZ2
ASA-1(config)# access-list Outside_IN extended permit ip any object LAN1_NET
ASA-1(config)# route outside 0.0.0.0 0.0.0.0 203.81.71.1
ASA-1(config)# access-group Outside_IN in interface outside
Default Route To Internet
Ping Test LAN1 To Internet
ASA-1(config)# object network LAN1_NET
ASA-1(config-network-object)# nat (inside,outside) dynamic interface
Verify
ASA-1# sh xlate
ASA-1# sh nat detail

Step-6
ASA-1(config)# object network Static_Nat_Svr
ASA-1(config-network-object)# host 192.168.12.11
ASA-1(config-network-object)# nat (dmz,outside) static 203.81.71.3
ASA-1(config)# access-list Outside_IN extended permit ip any object Static_Nat_Svr
Static Route To Server IP 
Ping Test To Public IP 
Step-7
Turn the Telnet service on at the DMZ's router 4
Default Route to Internet 
Step-8
ciscoasa(config)# object network STATIC_PAT_SER
ciscoasa(config-network-object)# host 192.168.12.10
ciscoasa(config-network-object)# nat (dmz,outside) static interface service tcp telnet telnet
Telnet Testing R2 To R4

Please try it yourself. Complete config:

7/27/16

Basic concept of Firewall & ACL



We must know the basic concepts of a firewall:
  • Inbound on the internal interface
  • Outbound on the external interface
  • Inbound on the external interface
  • Outbound on the internal interface
  • Source & Destination

Configure a Router as a Firewall











Entries are checked from top to bottom and the first match decides, so the permits come first and the deny-all entry closes the list.

-> Allow incoming traffic to a HTTP/HTTPS server located at 192.1.12.11
Access-list 101 permit tcp any host 192.1.12.11 eq 80
Access-list 101 permit tcp any host 192.1.12.11 eq 443

-> Allow incoming traffic to a SMTP server located at 192.1.12.12.
Access-list 101 permit tcp any host 192.1.12.12 eq 25

-> Allow incoming traffic to a Telnet server located at 192.1.12.13.
Access-list 101 permit tcp any host 192.1.12.13 eq 23

-> Allow R3 to Telnet and SSH to R1.
Access-list 101 permit tcp host 192.1.23.3 host 192.1.12.1 eq 23
Access-list 101 permit tcp host 192.1.23.3 host 192.1.12.1 eq 22

-> Routing Traffic from R3
Access-list 101 permit eigrp host 192.1.23.3 any

-> Deny everything else
Access-list 101 deny ip any any
!
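
IOS checks access-list entries top-down and stops at the first match, so the position of `deny ip any any` decides whether the permits are ever reached. The Python sketch below is an added example, not part of the original post: it evaluates the port 80, 25 and 23 entries and the EIGRP entry of access-list 101 with the deny-all entry first and then last. The sample packet and the function names are constructed for illustration.

```python
# Added example: first-match evaluation of entries from access-list 101.
# Handles only the syntax used here: "any", "host A.B.C.D" and "eq <port>".
PERMITS = """\
access-list 101 permit tcp any host 192.1.12.11 eq 80
access-list 101 permit tcp any host 192.1.12.12 eq 25
access-list 101 permit tcp any host 192.1.12.13 eq 23
access-list 101 permit tcp host 192.1.23.3 host 192.1.12.1 eq 23
access-list 101 permit eigrp host 192.1.23.3 any
"""
DENY_ALL = "access-list 101 deny ip any any\n"


def take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; None stands for any address."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {word}")


def parse_acl(text):
    """Turn ACL lines into (action, proto, src, dst, port) tuples, in order."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0].lower() != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = take_addr(rest), take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Action of the first matching entry; the implicit deny applies last."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and r_src in (None, src)
                and r_dst in (None, dst) and r_port in (None, dport)):
            return action
    return "deny"


deny_first = parse_acl(DENY_ALL + PERMITS)
deny_last = parse_acl(PERMITS + DENY_ALL)
web = ("tcp", "198.51.100.7", "192.1.12.11", 80)  # constructed sample packet
print(evaluate(deny_first, *web), evaluate(deny_last, *web))  # deny permit
```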


6/13/16

SSL VPN in Cisco Router

Coming Soon

IPSec VPN in Cisco Router

Coming Soon

AH&ESP in IPSec

Uses of Authentication Header (AH)
  • Provides authentication services
  • Verifies the originator of a message
  • Verifies that data has not been changed while being routed


Uses of Encapsulating Security Payload (ESP)
  • Encrypts the IP datagram
  • AH ensures integrity but not privacy

    Examples of AH & ESP transforms
   #ah-md5-hmac AH-HMAC-MD5 transform  
   #ah-sha-hmac AH-HMAC-SHA transform  
   #esp-3des ESP transform using 3DES(EDE)cipher (168 bits) 
   #esp-des ESP transform using DES cipher (56 bits) 
   #esp-md5-hmac ESP transform using HMAC-MD5 auth 
   #esp-null ESP transform w/o cipher 
   #esp-sha-hmac ESP transform using HMAC-SHA auth 


   Commands on a Cisco router
   Config(config)# crypto ipsec transform-set CorpHQ-vpn esp-3des esp-md5-hmac
   Config(cfg-crypto-trans)# mode {tunnel | transport}
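
The transform list above mixes ciphers of very different strength (56-bit DES, 3DES, no cipher at all) with MD5- and SHA-based integrity checks. The Python sketch below is an added example, not code from the original post or from Cisco: it audits `crypto ipsec transform-set` lines and reports what each set actually provides. The ratings are this example's own policy, `esp-aes` is a real IOS keyword that is not in the list above, and the second and third sample lines are constructed.

```python
# Added example: audit IOS "crypto ipsec transform-set" lines.
# The ratings are this example's own policy, not Cisco's or the blog's.
RATINGS = {
    "ah-md5-hmac":  ("auth",   "weak: MD5-based integrity"),
    "ah-sha-hmac":  ("auth",   None),
    "esp-md5-hmac": ("auth",   "weak: MD5-based integrity"),
    "esp-sha-hmac": ("auth",   None),
    "esp-des":      ("cipher", "weak: 56-bit DES key"),
    "esp-3des":     ("cipher", "legacy: 3DES, prefer AES"),
    "esp-null":     ("null",   "no encryption: ESP without a cipher"),
    "esp-aes":      ("cipher", None),  # real IOS keyword, not in the page's list
}


def audit_transform_set(line):
    """Return (name, findings) for one transform-set line, or None if not one."""
    tokens = line.split()
    if "transform-set" not in tokens:
        return None
    idx = tokens.index("transform-set")
    if tokens[max(idx - 2, 0):idx] != ["crypto", "ipsec"] or len(tokens) < idx + 3:
        return None
    name = tokens[idx + 1]
    transforms = [t for t in tokens[idx + 2:] if not t.isdigit()]  # skip key sizes
    findings, kinds = [], set()
    for t in transforms:
        kind, issue = RATINGS.get(t, ("unknown", f"unrecognised transform: {t}"))
        kinds.add(kind)
        if issue:
            findings.append(f"{t}: {issue}")
    if "cipher" not in kinds and "null" not in kinds:
        findings.append("no ESP cipher: traffic is authenticated but not encrypted")
    if "auth" not in kinds:
        findings.append("no integrity transform: ciphertext is unauthenticated")
    return name, findings


SAMPLE = """\
Config(config)# crypto ipsec transform-set CorpHQ-vpn esp-3des esp-md5-hmac
Config(config)# crypto ipsec transform-set AH-ONLY ah-sha-hmac
Config(config)# crypto ipsec transform-set STRONGER esp-aes 256 esp-sha-hmac
"""  # first line is from the post; the other two are constructed

for raw in SAMPLE.splitlines():
    print(audit_transform_set(raw))
```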







6/10/16

Hash Function & MD5

Hash Function

   A hash function is a mathematical function that converts a large, variably-sized piece of data into a small datum. There are many hash function algorithms:
(1) MD5
(2) SHA-1, SHA-2, SHA-3 (Secure Hash Algorithm)

-----------------------------------------------------------------------------------


MD5 Algorithm

MD5 is an algorithm created in 1991 by Professor Ronald Rivest that is used to create digital signatures. It is intended for use with 32-bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed-length string of digits, also called a message digest.

MD5 is used as the hash function in IPsec over GRE on Cisco routers.


Data Encryption Standard (DES)

(1) AES (Advanced Encryption Standard) replaced DES.
(2) Developed by IBM
(3) DES used standard arithmetic and logical operations on numbers up to 64 bits long.

DES is used in IPsec over GRE on Cisco routers.


Cryptography

        Mathematical techniques that protect information with Encryption & Decryption.

There are two types of encryption methods.

(1) Symmetric Encryption

        - Uses the same key

(2) Asymmetric Encryption

        - Uses different keys (a public key and a private key)

6/8/16

Introduction to Network Security




·        A security attack is any attempt by an attacker to compromise information while a person or organization is sharing it.
(1)    A passive attack cannot affect the source information.
(2)    An active attack can affect the source information.
·        Security mechanisms are designed to detect, prevent, or recover from an attack.
·        A security service uses one or more security mechanisms.
(1)    Use of authentication methods
(2)    Use of ACLs