Both Net Admin and DMZ Web Svr can access the website Branch Admin can access the website Branch Admin can also establish an FTP connection to the web server using the username cisco and the password cisco. – FTP traffic from the branch administrator workstation is allowed to the DMZ web server. – DNS traffic (both TCP and UDP) is allowed to the DMZ DNS server (two separate ACEs). – HTTP traffic is allowed to DMZ Web Svr. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.): – Create, apply, and verify an extended named ACL (named OUTSIDE-TO-DMZ) to filter incoming traffic to the HQ-ASA. Configure an ACL to allow access to the DMZ servers from the Internet. – Attach the policy map globally to all interfaces.ī. – Create a policy-map global_policy and specify the inspect with dns, ftp, http, and icmp.
– Create a class inspection_default that matches default-inspection-traffic. Modify the default MPF application inspection global service policy to enable hosts in the Internal network to access the web servers on the Internet Step 5: Configure ACL and firewall on the ASA device to implement the Security Policy.Ī. Create an object dmz-web-server to statically translate the web server in the DMZ to the public IP address. Create an object dmz-dns-server to statically translate the DNS server in the DMZ to the public IP address.Ĭ. Create an object inside-nat with subnet 192.168.10.0/24 and enable the IP addresses of the hosts in the internal network to be dynamically translated to access the external network via the outside interface.ī. Step 4: Configure NAT Service for the ASA device for both inside and DMZ networks.Ī. – Configure SSH session timeout to be 20 minutes. – Configure HQ-ASA to accept SSH connections only from the Net Admin workstation. – Generate a RSA key pair to support with modulus size of 1024 bits. – Configure AAA to use the local database for SSH connections to the console port. Note: the HQ-ASA is preconfigured with a username Car1Admin with password adminpass01 Configure the ASA device with AAA authentication and verify its functionality:
– The authentication key is key 1 with the password corpkey.ī. – Enable the authentication to the NTP server. – as an NTP client to the AAA/NTP/Syslog server Step 3: Configure Secure Network Management for the ASA Device. Verify that the internal users (PC0 and PC1) obtain the dynamic addressing information correctly.
DHCP service should provide DNS server (AAA/NTP/syslog server) information.Ĭ. Step 2: Configure DHCP service on the ASA device for the internal network.Ī. Configure the inside, outside, and dmz interfaces with the following information: Access HQ-ASA and enter the privileged mode with the enable password of Thecar1Admin.ī. Note: HQ-ASA is already configured with a password Thecar1Admin.Ī. Step 1: Configure Basic Device Hardening for the ASA device.
Note: Appropriate verification procedures should be taken after each configuration task to ensure that the task has been properly implemented.