Final practical assignment, CCNA Security 2016
Date: 30 November 2016. Solved by: Rodrigo Flores, Marcos Leiva
This assignment was given to the students attending the class as the challenge for completing the CCNA Security 2016 course. It stresses the importance of documenting the topologies we may be responsible for in the future: the topology has to be inferred from the names and objects, their IPs and the corresponding firewall interfaces, and from the VPN peers and the NAT rules.
Scenario
Starting from the configuration of a Cisco ASA 5510, survey its characteristics, work out the physical context around it, and build a tentative topology in Packet Tracer (without implementing any configuration), adding as much detail as possible in the notes (protocols, IPs, etc.).
ASA configuration:
FW_Rosario#sh runn
: Saved
:
: Serial Number: JMX1855914A
: Hardware:
ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 8.4(7)30
!
hostname FW_Rosario
enable password hGsHQ2/QA2fD6C4Z encrypted
names
name 192.168.10.10 SRVROS10
name 192.168.10.11 SRVROS11
name 192.168.10.12 SRVROS12
name 192.168.10.13 SRVROS13
name 192.168.10.14 SRVROS14
name 192.168.10.100 SWROS100
name 192.168.10.101 SWROS101
name 192.168.10.102 SWROS102
!
interface Ethernet0/0
 description OUTSIDE
 nameif outside
 security-level 0
 ip address 200.45.0.1 255.255.255.248 standby 200.45.0.2
!
interface Ethernet0/1
 description DMZ
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet0/2
 description WiFI invitados
 nameif invitados
 security-level 25
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.10
 description Inside servers
 vlan 10
 nameif servers
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Ethernet0/3.20
 description Inside usuarios
 vlan 20
 nameif usuarios
 security-level 90
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
interface Management0/0
 description LAN/STATE Failover Interface
 management-only
!
boot system disk0:/asa847-30-k8.bin
clock timezone AR -3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-SRVROS10
 host 192.168.10.10
object network obj-SRVROS11
 host 192.168.10.11
object network obj-SRVROS12
 host 192.168.10.12
object network obj-SRVROS13
 host 192.168.10.13
object network obj-SRVDMZ10
 host 10.0.0.10
object network obj-SRVDMZ11
 host 10.0.0.11
object network obj-SRVDMZNAT
 host 10.0.0.254
object service obj-tcp-source-eq-80
 service tcp source eq www
object service obj-tcp-source-eq-443
 service tcp source eq https
object service obj-tcp-source-eq-1433
 service tcp source eq 1433
object service obj-tcp-source-eq-450
 service tcp source eq 450
object network obj-SERVERS
 subnet 192.168.10.0 255.255.255.0
object network obj-USUARIOS
 subnet 192.168.20.0 255.255.255.0
object network obj-DMZ
 subnet 10.0.0.0 255.255.255.0
object network obj-INVITADOS
 subnet 172.16.0.0 255.255.255.0
object network obj-200.45.0.1
 host 200.45.0.1
object network obj-200.45.0.2
 host 200.45.0.2
object network obj-200.45.0.3
 host 200.45.0.3
object network obj-200.45.0.4
 host 200.45.0.4
object network obj-200.45.0.5
 host 200.45.0.5
object network obj-200.45.0.6
 host 200.45.0.6
object-group network obj-ROSARIO
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.240.0
object-group network obj-CORDOBA
 network-object 192.168.100.0 255.255.255.0
object-group network obj-TUCUMAN
 network-object 192.168.110.0 255.255.255.0
access-list ACL-FROM-USUARIOS extended permit tcp object-group obj-ROSARIO any eq 80
access-list ACL-FROM-USUARIOS extended permit tcp object-group obj-ROSARIO any eq 443
access-list ACL-FROM-USUARIOS extended permit udp object-group obj-ROSARIO host 8.8.8.8 eq 53
access-list ACL-FROM-USUARIOS extended permit tcp object-group obj-ROSARIO object-group obj-DMZ eq 3389
access-list ACL-FROM-USUARIOS extended permit tcp object-group obj-ROSARIO object-group obj-DMZ eq 443
access-list ACL-FROM-USUARIOS extended permit ip object-group obj-ROSARIO object-group obj-CORDOBA
access-list ACL-FROM-USUARIOS extended permit ip object-group obj-ROSARIO object-group obj-TUCUMAN
access-list ACL-FROM-DMZ extended permit tcp object-group obj-DMZ object-group obj-SRVROS10 eq 1433
access-list ACL-FROM-DMZ extended permit tcp object-group obj-DMZ object-group obj-SRVROS11 eq 1433
access-list ACL-FROM-DMZ extended permit tcp object-group obj-DMZ any eq 80
access-list ACL-FROM-DMZ extended permit tcp object-group obj-DMZ any eq 443
access-list ACL-FROM-DMZ extended permit udp object-group obj-DMZ any eq 53
access-list ACL-FROM-DMZ extended permit tcp object-group obj-DMZ any eq 450
access-list ACL-FROM-INVITADOS extended permit tcp object-group obj-INVITADOS any eq 80
access-list ACL-FROM-INVITADOS extended permit tcp object-group obj-INVITADOS any eq 443
access-list ACL-FROM-INVITADOS extended permit udp object-group obj-INVITADOS any eq 53
access-list ACL-FROM-SERVERS extended permit tcp object-group obj-SERVERS any eq 80
access-list ACL-FROM-SERVERS extended permit tcp object-group obj-SERVERS any eq 443
access-list ACL-FROM-SERVERS extended permit udp object-group obj-SERVERS any eq 53
access-list ACL-FROM-SERVERS extended permit tcp object-group obj-SERVERS object-group obj-DMZ eq 1433
access-list ACL-FROM-OUTSIDE extended permit tcp object-group obj-SRVDMZ10 any eq 443
access-list ACL-FROM-OUTSIDE extended permit tcp object-group obj-SRVDMZ11 any eq 443
access-list VPN-ROSARIO-CORDOBA extended permit ip object-group obj-ROSARIO object-group obj-CORDOBA
access-list VPN-ROSARIO-TUCUMAN extended permit ip object-group obj-ROSARIO object-group obj-TUCUMAN
logging enable
logging timestamp
logging buffer-size 256000
logging trap errors
logging host 192.168.10.12
logging asdm informational
flow-export destination inside 192.168.10.14 9996
mtu inside 1500
mtu dmz 1500
mtu outside 1500
mtu tlsptp 1500
mtu tlsmerval 1500
failover
failover lan unit secondary
failover lan interface heartbeat Management0/0
failover polltime interface 2 holdtime 10
failover replication http
failover mac address Ethernet0/0 d48c.b5c9.51fc 0013.c480.a45c
failover mac address Ethernet0/1 d48c.b5c9.51fd 0013.c480.a45d
failover mac address Ethernet0/2 d48c.b5c9.51fe 0013.c480.a45e
failover mac address Ethernet0/3 d48c.b5c9.51ff 0013.c480.a45f
failover link heartbeat Management0/0
failover interface ip heartbeat 10.10.10.1 255.255.255.0 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.0.0 255.255.0.0 inside
asdm image disk0:/asdm-752-153.bin
nat (dmz,outside) source static obj-SRVDMZ10 obj-200.45.0.4 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (dmz,outside) source static obj-SRVDMZ11 obj-200.45.0.5 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (servers,dmz) source static obj-SRVROS14 obj-SRVDMZNAT service obj-tcp-source-eq-1433 obj-tcp-source-eq-1433
nat (servers,dmz) source static obj-SRVROS14 obj-SRVDMZNAT service obj-tcp-source-eq-450 obj-tcp-source-eq-450
nat (servers,outside) source static obj-SERVERS obj-SERVERS destination static obj-CORDOBA obj-CORDOBA
nat (servers,outside) source static obj-SERVERS obj-SERVERS destination static obj-TUCUMAN obj-TUCUMAN
nat (usuarios,outside) source static obj-USUARIOS obj-USUARIOS destination static obj-CORDOBA obj-CORDOBA
nat (usuarios,outside) source static obj-USUARIOS obj-USUARIOS destination static obj-TUCUMAN obj-TUCUMAN
nat (dmz,outside) source dynamic obj-DMZ obj-200.45.0.4
nat (servers,outside) source dynamic obj-DMZ interface
nat (servers,dmz) source dynamic obj-SERVERS obj-SRVDMZNAT
nat (inside,outside) source dynamic obj-ROSARIO obj-200.45.0.5
nat (servers,dmz) source dynamic obj-USUARIOS obj-SRVDMZNAT
nat (invitados,outside) source dynamic obj-INVITADOS obj-200.45.0.3
access-group ACL-FROM-SERVERS in interface servers
access-group ACL-FROM-USUARIOS in interface usuarios
access-group ACL-FROM-INVITADOS in interface invitados
access-group ACL-FROM-DMZ in interface dmz
access-group ACL-FROM-OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 200.0.0.6
(Here the document contains a typo: the next hop should be 200.45.0.6, since the addresses .1, .2, .3, .4 and .5 are all in use on the ASA. Seen another way, it can be used as a trap to check whether the reader was paying attention ;-))
timeout xlate 1:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.20.123 255.255.255.255 usuarios
snmp-server host inside 192.168.10.12 community Ro5ar1o version 2c
snmp-server location FW-ROSARIO
snmp-server contact SISTEMAS
snmp-server community Ro5ar1o
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec ikev1 transform-set AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSET-3DES-SHA esp-3des esp-sha-hmac
crypto map STATIC-MAP 10 match address VPN-ROSARIO-CORDOBA
crypto map STATIC-MAP 10 set peer 200.69.0.1
crypto map STATIC-MAP 10 set ikev1 transform-set TSET-3DES-SHA
crypto map STATIC-MAP 20 match address VPN-ROSARIO-TUCUMAN
crypto map STATIC-MAP 20 set peer 190.1.2.3
crypto map STATIC-MAP 20 set ikev1 transform-set TSET-AES-256-SHA
crypto map STATIC-MAP 20 set security-association lifetime seconds 28800
crypto map STATIC-MAP 20 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 10800
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
dhcpd address 172.16.0.10-172.16.0.250 invitados
dhcpd enable invitados
!
ssh 192.168.20.123 255.255.255.255 usuarios
ssh 192.168.10.0 255.255.255.0 servers
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access servers
username administrator password iz7YVX.Y.ynPeumC encrypted privilege 15
tunnel-group 200.69.0.1 type ipsec-l2l
tunnel-group 200.69.0.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 190.1.2.3 type ipsec-l2l
tunnel-group 190.1.2.3 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map NETFLOW-MAP
 match any
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect sip
 class NETFLOW-MAP
  flow-export event-type all destination 192.168.10.14
 class class-default
!
service-policy global_policy global
Cryptochecksum:ecb96e45e3d142743591a2ba70c32519
: end
FW_Rosario#
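As an added example (not part of the original assignment or of either student's solution), the following Python script does the survey the scenario asks for on an excerpt of the running-config above: it lists each interface with its nameif, security level, address and standby address, the name entries, the twice-NAT rules and the crypto-map peers. It also runs two checks that the reader was expected to make by eye: commands (mtu, nat, route, access-group) that reference an interface name no nameif defines (the full config above uses inside, tlsptp and tlsmerval this way), and a static route whose next hop is not on the egress interface's subnet, which is the 200.0.0.6 typo the document itself points out. The text in CONFIG is copied from the config on this page and joined back onto single lines; the function names are mine.

```python
"""Survey an ASA running-config: interfaces, names, NAT, VPN peers, two sanity checks."""
import ipaddress
import re

# Excerpt of the FW_Rosario running-config shown above, joined back onto
# single lines. Only the parts the functions below need.
CONFIG = """\
name 192.168.10.10 SRVROS10
name 192.168.10.12 SRVROS12
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 200.45.0.1 255.255.255.248 standby 200.45.0.2
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Management0/0
 management-only
!
mtu inside 1500
mtu outside 1500
mtu tlsptp 1500
nat (dmz,outside) source dynamic obj-DMZ obj-200.45.0.4
nat (inside,outside) source dynamic obj-ROSARIO obj-200.45.0.5
access-group ACL-FROM-OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 200.0.0.6
crypto map STATIC-MAP 10 match address VPN-ROSARIO-CORDOBA
crypto map STATIC-MAP 10 set peer 200.69.0.1
crypto map STATIC-MAP 20 match address VPN-ROSARIO-TUCUMAN
crypto map STATIC-MAP 20 set peer 190.1.2.3
"""

def parse_interfaces(config):
    """nameif -> {physical, security_level, ip, standby}; blocks with no nameif are skipped."""
    result, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = {"physical": raw.split()[1], "nameif": None,
                   "security_level": None, "ip": None, "standby": None}
            continue
        line = raw.strip()
        if cur is None:
            continue
        if line == "!":                          # end of the interface block
            if cur["nameif"]:
                result[cur["nameif"]] = cur
            cur = None
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            cur["security_level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            parts = line.split()                 # ip address A MASK [standby B]
            cur["ip"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            if "standby" in parts:
                cur["standby"] = parts[parts.index("standby") + 1]
    return result

def parse_names(config):
    """Symbolic name -> IP, from 'name <ip> <label>' lines."""
    return {m[2]: m[1] for m in re.finditer(r"^name (\S+) (\S+)", config, re.M)}

def parse_nat(config):
    """Twice-NAT rules as (real_ifc, mapped_ifc, kind, real_obj, mapped_obj)."""
    pat = r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
    return [m.groups() for m in re.finditer(pat, config, re.M)]

def parse_vpn_peers(config):
    """Crypto-map sequence -> {'acl': interesting-traffic ACL, 'peer': remote IP}."""
    entries = {}
    for m in re.finditer(r"^crypto map \S+ (\d+) (match address|set peer) (\S+)", config, re.M):
        entries.setdefault(m[1], {})["acl" if m[2] == "match address" else "peer"] = m[3]
    return entries

IFC_REFS = [r"^mtu (\S+)", r"^nat \((\S+),(\S+)\)", r"^route (\S+)",
            r"^access-group \S+ in interface (\S+)"]

def undefined_interface_refs(config, interfaces):
    """Interface names that commands use but no 'nameif' defines."""
    used = set()
    for pat in IFC_REFS:
        for m in re.finditer(pat, config, re.M):
            used.update(m.groups())
    return sorted(used - set(interfaces))

def offsubnet_next_hops(config, interfaces):
    """Static routes whose next hop is outside the egress interface's subnet."""
    bad = []
    for m in re.finditer(r"^route (\S+) \S+ \S+ (\S+)", config, re.M):
        ifc = interfaces.get(m[1])
        if ifc and ipaddress.ip_address(m[2]) not in ifc["ip"].network:
            bad.append((m[1], m[2]))
    return bad

if __name__ == "__main__":
    ifcs = parse_interfaces(CONFIG)
    for name, i in sorted(ifcs.items(), key=lambda kv: -kv[1]["security_level"]):
        print(f"{name:10} {i['physical']:12} sec={i['security_level']:3} {i['ip']} standby={i['standby']}")
    print("names:", parse_names(CONFIG), "\nnat:", parse_nat(CONFIG), "\nvpn:", parse_vpn_peers(CONFIG))
    print("undefined interfaces:", undefined_interface_refs(CONFIG, ifcs))
    print("off-subnet next hops:", offsubnet_next_hops(CONFIG, ifcs))
```

Run it as-is to print the survey of the excerpt; paste a full show running-config capture into CONFIG to survey a real unit. The two checks are deliberately narrow: they catch dangling interface names and off-subnet next hops, which is enough to decide whether a config dump can be trusted as the basis for a diagram, and they say nothing about the security policy itself (ACL contents, cipher choices, management access), which still has to be read by hand.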
Solution by Rodrigo Flores:
The work consists of surveying the names, the objects and their IPs, and starting to draw a physical and logical diagram, where imagination sometimes counts for more than technical concepts; the word is abstraction.
Solution by Marcos Leiva:
The main difference is the presence of the two ASAs in failover.
The two views of the network are different yet similar in the end; this shows that there are no strict rules for documentation, but the important thing to convey is the amount of useful information a layout can provide for quick troubleshooting.
(2016) IT Security may cause paranoid minds
Rosario, Argentina