## Cisco ASA lab walkthrough: interfaces, GUI (ASDM) access, default route,
## SNMPv3, syslog (local/remote/email), NTP, NetFlow export via MPF, and
## DMZ static NAT with an inbound ACL.
## Lines beginning with "##" are the author's notes, not ASA commands.
## All addresses, names and passphrases below are lab example values.
enable
conf t
show run int m0/0
## Configure interfaces
## security-level: 100 = most trusted, 0 = least trusted; 50 for the DMZ sits between.
int m 0/0
no shutdown
nameif management
security-level 100
ip address 192.168.1.100 255.255.255.0
exit
int Gig 0/0
no shutdown
nameif outside
security-level 0
ip address 10.123.0.100 255.255.255.0
exit
int Gig 0/1
no shutdown
nameif inside
security-level 100
ip address 10.1.0.100 255.255.255.0
exit
int Gig 0/2
no shutdown
nameif dmz
security-level 50
ip address 172.16.5.100 255.255.255.0
exit
## To manage the ASA from the GUI (ASDM). The second line limits HTTPS access
## to the 192.168.1.0/24 subnet arriving on the management interface only.
http server enable
http 192.168.1.0 255.255.255.0 management
## Verify the config
show int ip brief
## Create a default route pointing to R2.
## The trailing "1" is the administrative distance (lower is preferred).
## The text after ":" on the next line is the author's annotation, not part of the command.
route outside 0.0.0.0 0.0.0.0 10.123.0.1 1 : 1 is AD here. Lower AD is preferred.
## Configure SNMP v3 (group requires auth + privacy: "priv").
## "a-pass" / "e-pass" are placeholder auth and encryption passphrases for this lab.
snmp-server location CBT Nuggets Lab
snmp-server contact Keith Barker
snmp-server group G1 v3 priv
snmp-server user U1 G1 v3 auth sha a-pass priv aes 128 e-pass
snmp-server host management 192.168.1.23 version 3 U1 # .23 is the SNMP manager we send SNMP messages to, as user U1
snmp cpu threshold rising 80 1 ## generate a trap when CPU utilization rises above 80% (the trailing 1 is presumably the monitoring period)
snmp-server enable traps cpu threshold rising
## Verify
show snmp user
show snmp group
## By default, logging is disabled on the ASA.
show logging
logging enable
## No transport is given here, so the ASA default applies (UDP syslog); the
## tcp/port and secure forms exist if the path to the collector is untrusted.
logging host management 192.168.1.23 ## send syslog messages to .23
## Severity levels: 5 = notifications to the syslog host, 4 = warnings to the
## console, 6 = informational to the local buffer.
logging trap 5
logging console 4
logging buffered 6
clear logging buffer
exit
conf t
show log
## To suppress a particular syslog message ID
no logging message 111005
## To change the severity level of a syslog message.
## The text after ":" on the next line is the author's note, not command syntax.
logging message 111007 level Informational: Informational is level 6
exit
conf t
## Verify
show logging | include 111007
## To clear the buffer
clear logging buffer
exit
conf t
### To send a particular set of syslog messages by email
logging list Our-Event-List message 101001-101003
logging list Our-Event-List level Informational ## send only messages at level Informational or below (Informational-level mail can be high volume)
smtp-server 192.168.1.23
logging from-address ASA@Here.net
logging recipient-address Keith@there.com level Informational ## send messages to this email address
logging mail Our-Event-List ## only syslog messages in this list are emailed
## Set up the time zone
clock timezone PST -8 0
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60
## Ping the NTP server
ping 66.187.233.4
## Set up NTP (reached via the outside interface)
ntp server 66.187.233.4 source outside
## Verify
show ntp associations
show ntp status
## Set up NetFlow export
flow-export destination management 192.168.1.23 9996 ## send NetFlow records out the management interface to the collector at .23 on port 9996
## Configure MPF (Modular Policy Framework) so traffic is actually exported
class-map global-class
match any ## match on any traffic
exit
policy-map global_policy
class global-class
flow-export event-type all destination 192.168.1.23 ### export flow events for all traffic matching the global class to the NetFlow collector at .23
exit
exit
## Configure static NAT for the DMZ server (172.16.5.5 is reachable as 10.123.0.5)
object network Srv-1
host 172.16.5.5
nat static 10.123.0.5 net-to-net
## To handle multiple hosts, create network objects and collect them in an object-group
object network Srv-2
host 172.16.5.6
object network Srv-3
host 172.16.5.7
object-group network DMZ-Servers
network-object object Srv-1
network-object object Srv-2
network-object object Srv-3
## Create a service object-group listing only the ports that should be exposed
object-group service WEB-Services
service-object tcp destination eq http
service-object tcp destination eq https
exit
## Permit traffic from any source only to HTTP/HTTPS on the DMZ servers;
## an "any" source is expected for public-facing servers, so keep the service group tight.
access-list outside_access_in permit object-group WEB-Services any object-group DMZ-Servers
## Apply the ACL inbound on the outside interface
access-group outside_access_in in interface outside