Friday, 20 January 2023

How to configure Static MAC Address table Entries?

By default, a switch learns MAC addresses dynamically and stores them in the CAM table, simply by looking at the source MAC address of each incoming frame.




This process of dynamically learning MAC addresses and filling the CAM table is vulnerable to layer 2 MAC address spoofing: an attacker only has to send frames with a forged source MAC address to change the entries in the MAC address table. We can deal with this problem by configuring entries in the MAC address table manually. A statically configured MAC address always overrules a dynamic entry.




Let's configure the Static MAC Address table Entries: -

Topology:




Goal: -

  • configure the topology as per the diagram.
  • configure the IP addresses as per the topology
  • configure IP addresses on the PC as per the topology 
  • ping from PC 1 to all the PCs 
  • configure STATIC MAC addresses

Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shutdown 
Router(config-if)#exit


%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up



Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit


C:\>ping 192.168.1.4

Pinging 192.168.1.4 with 32 bytes of data:

Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128
Reply from 192.168.1.4: bytes=32 time=1ms TTL=128
Reply from 192.168.1.4: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\>ping 192.168.1.5

Pinging 192.168.1.5 with 32 bytes of data:

Reply from 192.168.1.5: bytes=32 time=1ms TTL=128
Reply from 192.168.1.5: bytes=32 time<1ms TTL=128
Reply from 192.168.1.5: bytes=32 time=1ms TTL=128
Reply from 192.168.1.5: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\>ping 192.168.1.6
C:\>ping 192.168.1.7
C:\>ping 192.168.1.8
C:\>ping 192.168.1.9
C:\>ping 192.168.1.10
C:\>ping 192.168.1.11


Router#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms


Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c92e.016d    DYNAMIC     Fa0/9
   1    0004.9a7b.331d    DYNAMIC     Fa0/2
   1    000a.418d.0b8b    DYNAMIC     Fa0/4
   1    000d.bd40.3c82    DYNAMIC     Fa0/10
   1    0010.1141.3d28    DYNAMIC     Fa0/6
   1    0030.f2d1.9701    DYNAMIC     Fa0/1
   1    0050.0f64.a758    DYNAMIC     Fa0/7
   1    0060.3e6e.6dd5    DYNAMIC     Fa0/3
   1    0060.7020.0505    DYNAMIC     Fa0/5
   1    0090.2b15.c5cd    DYNAMIC     Fa0/8


(Our switch learns and stores the MAC entries dynamically.)


Switch(config)#mac address-table static 0030.f2d1.9701 vlan 1 interface fastEthernet 0/1
Switch(config)#mac address-table static 0004.9A7B.331D vlan 1 interface fastEthernet 0/2
Switch(config)#mac address-table static 0060.3E6E.6DD5 vlan 1 interface fastEthernet 0/3
Switch(config)#mac address-table static 000A.418D.0B8B vlan 1 interface fastEthernet 0/4
Switch(config)#mac address-table static 0060.7020.0505 vlan 1 interface fastEthernet 0/5
Switch(config)#mac address-table static 0010.1141.3D28 vlan 1 interface fastEthernet 0/6
Switch(config)#mac address-table static 0050.0F64.A758 vlan 1 interface fastEthernet 0/7
Switch(config)#mac address-table static 0090.2B15.C5CD vlan 1 interface fastEthernet 0/8
Switch(config)#mac address-table static 0001.C92E.016D vlan 1 interface fastEthernet 0/9
Switch(config)#mac address-table static 000D.BD40.3C82 vlan 1 interface fastEthernet 0/10
Switch(config)#end


Switch#show mac address-table static
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c92e.016d    STATIC      Fa0/9
   1    0004.9a7b.331d    STATIC      Fa0/2
   1    000a.418d.0b8b    STATIC      Fa0/4
   1    000d.bd40.3c82    STATIC      Fa0/10
   1    0010.1141.3d28    STATIC      Fa0/6
   1    0030.f2d1.9701    STATIC      Fa0/1
   1    0050.0f64.a758    STATIC      Fa0/7
   1    0060.3e6e.6dd5    STATIC      Fa0/3
   1    0060.7020.0505    STATIC      Fa0/5
   1    0090.2b15.c5cd    STATIC      Fa0/8




Switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c92e.016d    STATIC      Fa0/9
   1    0004.9a7b.331d    STATIC      Fa0/2
   1    000a.418d.0b8b    STATIC      Fa0/4
   1    000d.bd40.3c82    STATIC      Fa0/10
   1    0010.1141.3d28    STATIC      Fa0/6
   1    0030.f2d1.9701    STATIC      Fa0/1
   1    0050.0f64.a758    STATIC      Fa0/7
   1    0060.3e6e.6dd5    STATIC      Fa0/3
   1    0060.7020.0505    STATIC      Fa0/5
   1    0090.2b15.c5cd    STATIC      Fa0/8
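An added example (not part of the original post) that turns the check above into a script: it parses `show mac address-table` output in the format shown, compares each host in an expected (VLAN, MAC) to port baseline with what the switch currently holds, reports entries that are still DYNAMIC, that have moved to another port, or that are missing, and emits the `mac address-table static` commands that would pin them. The sample output and baseline are constructed from the post's addresses, with one host deliberately moved to Fa0/7.

```python
"""Audit a switch MAC address table against the cabled topology.

Added example, not part of the original post. It parses the text of
`show mac address-table` in the format shown above, compares every host in
a (vlan, mac) -> port baseline with what the switch currently holds, and
reports entries that are still DYNAMIC, that moved to another port, or that
are missing, then emits the `mac address-table static` commands that would
pin the unpinned ones. Sample output and baseline are constructed from the
post's addresses, with one host deliberately moved to Fa0/7.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c92e.016d    DYNAMIC     Fa0/9
   1    0004.9a7b.331d    STATIC      Fa0/2
   1    000a.418d.0b8b    DYNAMIC     Fa0/7
   1    0030.f2d1.9701    STATIC      Fa0/1
"""

# Expected location of each host, i.e. the port it is physically cabled to.
BASELINE = {
    (1, "0001.c92e.016d"): "Fa0/9",
    (1, "0004.9a7b.331d"): "Fa0/2",
    (1, "000a.418d.0b8b"): "Fa0/4",
    (1, "0030.f2d1.9701"): "Fa0/1",
    (1, "0060.3e6e.6dd5"): "Fa0/3",
}

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Entry:
    vlan: int
    mac: str
    kind: str   # DYNAMIC or STATIC
    port: str


def parse_mac_table(text):
    """Return the table rows of `show mac address-table` as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append(Entry(int(vlan), mac.lower(), kind.upper(), port))
    return entries


def audit(entries, baseline):
    """Compare the live table with the baseline.

    'dynamic': baseline hosts present but not pinned (a forged source MAC
               could still move them); 'moved': hosts seen on a port other
               than the cabled one; 'missing': baseline hosts not in the table.
    """
    seen = {(e.vlan, e.mac): e for e in entries}
    report = {"dynamic": [], "moved": [], "missing": []}
    for key, port in baseline.items():
        entry = seen.get(key)
        if entry is None:
            report["missing"].append(key)
            continue
        if entry.kind != "STATIC":
            report["dynamic"].append(entry)
        if entry.port != port:
            report["moved"].append(entry)
    return report


def pin_commands(report, baseline):
    """IOS commands that pin every unpinned or missing baseline host."""
    keys = [(e.vlan, e.mac) for e in report["dynamic"]] + report["missing"]
    cmds = []
    for vlan, mac in sorted(set(keys)):
        port = baseline[(vlan, mac)].replace("Fa", "fastEthernet ")
        cmds.append(f"mac address-table static {mac} vlan {vlan} interface {port}")
    return cmds


if __name__ == "__main__":
    result = audit(parse_mac_table(SAMPLE_OUTPUT), BASELINE)
    for kind, items in result.items():
        print(kind, [getattr(i, "mac", i) for i in items])
    print("\n".join(pin_commands(result, BASELINE)))
```

Run it against the output of a real `show mac address-table` (pasted into SAMPLE_OUTPUT or read from a file) to catch hosts that silently re-learned on another port after the static entries were configured.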












Thursday, 22 December 2022

What is ASA Firewall Static NAT? How to configure Static Network Address Translation

Static Network Address Translation

Static NAT –

Static NAT means that a single private (unregistered) IP address is manually configured and mapped one-to-one to a public (registered) IP address.

It does not scale to an organization with many devices; it is used for web hosting or in home networks.

In the previous blog we saw dynamic NAT, where the inside network can access the outside. Now the outside needs to reach our DMZ server. Let's see how to configure it.

Topology:-



Goal:

  • configure the topology as per the diagram 
  • configure the IP addresses to their interfaces 
  • configure security zones and levels 
  • configure access lists 
  • configure Static NAT 
  • make sure PCs can reach servers 


INSIDE-ROUTER(config)#interface gigabitEthernet 0/0/1
INSIDE-ROUTER(config-if)#ip address 10.1.1.1 255.0.0.0
INSIDE-ROUTER(config-if)#no shutdown 
INSIDE-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up





DMZ-ROUTER(config)#interface gigabitEthernet 0/0/1
DMZ-ROUTER(config-if)#ip address 20.1.1.1 255.0.0.0
DMZ-ROUTER(config-if)#no shutdown 
DMZ-ROUTER(config-if)#exit

 
%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up



DMZ-ROUTER(config)#interface gigabitEthernet 0/0/0
DMZ-ROUTER(config-if)#ip address 192.168.2.1 255.255.255.0
DMZ-ROUTER(config-if)#no shutdown 
DMZ-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to up


OUTSIDE-ROUTER(config)#interface gigabitEthernet 0/0/1
OUTSIDE-ROUTER(config-if)#ip address 30.1.1.1 255.0.0.0
OUTSIDE-ROUTER(config-if)#no shutdown 
OUTSIDE-ROUTER(config-if)#exit

%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up



CISCO-ASA(config)#interface gigabitEthernet 1/1
CISCO-ASA(config-if)#ip address 192.168.1.2 255.255.255.0
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif inside 
CISCO-ASA(config-if)#security-level 100
CISCO-ASA(config-if)#exit

CISCO-ASA(config)#interface gigabitEthernet 1/3
CISCO-ASA(config-if)#ip address 192.168.2.2 255.255.255.0
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

CISCO-ASA(config-if)#security-level 50
CISCO-ASA(config-if)#exit

CISCO-ASA(config)#interface gigabitEthernet 1/2
CISCO-ASA(config-if)#ip address 192.168.3.2 255.255.255.0
CISCO-ASA(config-if)#no shutdown 
CISCO-ASA(config-if)#nameif outside
CISCO-ASA(config-if)#security-level 0
CISCO-ASA(config-if)#exit





INSIDE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
INSIDE-ROUTER(config)#exit

DMZ-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 
DMZ-ROUTER(config)#exit

OUTSIDE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
OUTSIDE-ROUTER(config)#exit

CISCO-ASA(config)#route inside 192.168.1.0 255.255.255.0 192.168.1.1
CISCO-ASA(config)#route dmz 192.168.2.0 255.255.255.0 192.168.2.1
CISCO-ASA(config)#route outside 192.168.3.0 255.255.255.0 192.168.3.1
CISCO-ASA(config)#route inside 10.0.0.0 255.0.0.0 192.168.1.1
CISCO-ASA(config)#route dmz 20.0.0.0 255.0.0.0 192.168.2.1
CISCO-ASA(config)#route outside 30.0.0.0 255.0.0.0 192.168.3.1
CISCO-ASA(config)#exit

(Each static route names the interface on which its next hop sits: inside for 192.168.1.1, dmz for 192.168.2.1 and outside for 192.168.3.1. The three routes for the 192.168.x.0/24 subnets are redundant, since the ASA already knows them as connected routes.)



CISCO-ASA(config)#access-list traffic_outside permit icmp any any 
CISCO-ASA(config)#access-list traffic_dmz permit icmp any any 

CISCO-ASA(config)#access-group traffic_outside in interface outside
CISCO-ASA(config)#access-group traffic_dmz in interface dmz

CISCO-ASA(config)#object network inside-outside-nat
CISCO-ASA(config-network-object)#host 192.168.1.1
CISCO-ASA(config-network-object)#nat (inside,outside) static 110.1.1.1
CISCO-ASA(config-network-object)#exit

CISCO-ASA(config)#object network dmz-outside-nat
CISCO-ASA(config-network-object)#host 192.168.2.1
CISCO-ASA(config-network-object)#nat (dmz,outside) static 111.1.1.1
CISCO-ASA(config-network-object)#exit















CISCO-ASA#show nat

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static dmz-outside-nat 111.1.1.1

translate_hits = 0, untranslate_hits = 0

2 (inside) to (outside) source static inside-outside-nat 110.1.1.1

translate_hits = 0, untranslate_hits = 0





{ ping PC 0 to PC 2 (inside to outside) }









{ ping PC 1 to PC 2 (DMZ to OUTSIDE)}






































{Now ping from PC 2 to SERVER (OUTSIDE to DMZ)}
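How the ASA configured above decides the three pings in this post, as an added example (not ASA code or output): the static NAT objects translate the inside and DMZ routers' real addresses to 110.1.1.1 and 111.1.1.1 on the way out and untranslate them on the way in; an interface with no inbound access-list forwards only from a higher security level to a lower one; an interface with an access-group bound is governed by that list alone, with the implicit deny at its end. Addresses, levels, objects and lists are the ones configured above.

```python
"""Model of how the ASA in this post decides whether to forward a packet.

Added example; it is not ASA code or output. It applies the three rules the
post relies on: a static NAT object translates the real host's source
address on the way to the mapped interface and untranslates the mapped
address on the way back; an interface with no inbound access-list forwards
only from a higher security level to a lower one; an interface with an
access-group bound is governed by that list alone (implicit deny at the end).
Addresses, levels, objects and lists are those configured above.
"""
import ipaddress

INTERFACES = {  # nameif -> (security-level, connected subnet)
    "inside":  (100, ipaddress.ip_network("192.168.1.0/24")),
    "dmz":     (50,  ipaddress.ip_network("192.168.2.0/24")),
    "outside": (0,   ipaddress.ip_network("192.168.3.0/24")),
}

STATIC_ROUTES = [  # (interface, destination) for the three router LANs
    ("inside",  ipaddress.ip_network("10.0.0.0/8")),
    ("dmz",     ipaddress.ip_network("20.0.0.0/8")),
    ("outside", ipaddress.ip_network("30.0.0.0/8")),
]

# object network X / host <real> / nat (<real_if>,<mapped_if>) static <mapped>
STATIC_NAT = [
    {"real_if": "inside", "mapped_if": "outside", "real": "192.168.1.1", "mapped": "110.1.1.1"},
    {"real_if": "dmz",    "mapped_if": "outside", "real": "192.168.2.1", "mapped": "111.1.1.1"},
]

# access-group <acl> in interface <nameif>; entries are (protocol, src, dst)
ACCESS_GROUPS = {
    "outside": [("icmp", "any", "any")],
    "dmz":     [("icmp", "any", "any")],
}


def egress_interface(dst):
    """Connected subnets win over static routes; None means no route."""
    ip = ipaddress.ip_address(dst)
    for name, (_, net) in INTERFACES.items():
        if ip in net:
            return name
    for name, net in STATIC_ROUTES:
        if ip in net:
            return name
    return None


def acl_permits(entries, proto, src, dst):
    """First-match semantics are irrelevant here: every entry is a permit."""
    return any(p == proto and s in ("any", src) and d in ("any", dst)
               for p, s, d in entries)


def forward(ingress, proto, src, dst, access_groups=ACCESS_GROUPS):
    """Return a dict describing what the firewall does with one packet."""
    real_dst = dst
    for rule in STATIC_NAT:  # untranslate: mapped address arriving on mapped_if
        if ingress == rule["mapped_if"] and dst == rule["mapped"]:
            real_dst = rule["real"]
    egress = egress_interface(real_dst)
    if egress is None or egress == ingress:
        return {"action": "drop", "reason": "no route", "egress": egress,
                "src": src, "dst": real_dst}
    entries = access_groups.get(ingress)
    if entries is None:  # no ACL bound: the implicit security-level rule applies
        allowed = INTERFACES[ingress][0] > INTERFACES[egress][0]
        reason = "security-level"
    else:                # ACL bound: the list decides, implicit deny at the end
        allowed = acl_permits(entries, proto, src, dst)
        reason = "access-list"
    new_src = src
    for rule in STATIC_NAT:  # translate: real host leaving towards mapped_if
        if ingress == rule["real_if"] and egress == rule["mapped_if"] and src == rule["real"]:
            new_src = rule["mapped"]
    return {"action": "permit" if allowed else "deny", "reason": reason,
            "egress": egress, "src": new_src, "dst": real_dst}


if __name__ == "__main__":
    print(forward("inside", "icmp", "192.168.1.1", "30.1.1.2"))    # inside to outside
    print(forward("outside", "icmp", "30.1.1.2", "111.1.1.1"))     # outside to DMZ server
    print(forward("outside", "icmp", "30.1.1.2", "111.1.1.1", {}))  # same, without the ACL
```

Because both lists permit `icmp any any`, the model also permits the outside to ping 110.1.1.1 (the inside router) and the DMZ to ping inside hosts; restricting the lists to the DMZ server's mapped address and the protocol actually needed keeps the exposure to what the post set out to reach.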

















































Sunday, 18 December 2022

How to configure ASA Firewall Dynamic NAT?

Network address translation

NAT is the method of translating a private IP address into a public IP address. To communicate with the internet, we must have a registered public IP address.

Address translation was originally developed to solve two problems:

  • to handle the shortage of IPv4 addresses
  • to hide internal network addressing schemes

Types of NAT: -

  • Static NAT
  • Dynamic NAT
  • Port Address Translation (PAT)

Static NAT: a one-to-one mapping configured manually for every private IP that needs a registered IP address.

Dynamic NAT: a one-to-one mapping made automatically for every private IP that needs a registered IP address.

Port Address Translation (Dynamic NAT Overload): allows thousands of users to connect to the internet using only one real global IP address. It maps many to one by using different ports. PAT is the real reason we haven't run out of valid IP addresses on the internet.

Just like on Cisco IOS routers, we can configure NAT/PAT on our Cisco ASA firewall.

I'm assuming that you already know about NAT; if you don't, please click here.

Let's configure dynamic NAT: -

Topology: -




Goal: -

  • configure topology as per the diagram 
  • configure an IP address on ISP router 
  • configure VLANs on ASA firewall
  • configure DHCP on the ASA firewall for inside 
  • configure a static route for VLAN 1 (inside)
  • configure on ASA Dynamic NAT for VLAN 1
  • make sure PC-A can ping web server 8.8.8.8



ISP-ROUTER(config)#interface gigabitEthernet 0/0
ISP-ROUTER(config-if)#ip address 192.168.1.1 255.255.255.0
ISP-ROUTER(config-if)#no shutdown 
ISP-ROUTER(config-if)#exit

ISP-ROUTER(config)#interface gigabitEthernet 0/1
ISP-ROUTER(config-if)#ip address 8.8.8.1 255.0.0.0
ISP-ROUTER(config-if)#no shutdown 
ISP-ROUTER(config-if)#exit


ciscoasa(config)#interface vlan 1
ciscoasa(config-if)#ip address 10.1.1.1 255.0.0.0
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#exit

ciscoasa(config)#interface ethernet 0/2
ciscoasa(config-if)#switchport access vlan 1
ciscoasa(config-if)#exit

ciscoasa(config)#interface vlan 2
ciscoasa(config-if)#ip address 192.168.1.2 255.255.255.0
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit

ciscoasa(config)#interface vlan 3
ciscoasa(config-if)#no forward interface vlan 1
ciscoasa(config-if)#ip address 20.1.1.1 255.0.0.0
ciscoasa(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#exit

ciscoasa(config)#interface ethernet 0/1
ciscoasa(config-if)#switchport access vlan 3
ciscoasa(config-if)#end

ciscoasa#show interface ip brief 
Interface              IP-Address      OK? Method Status                Protocol
 
Vlan1                  10.1.1.1        YES manual up                    up
 
Vlan2                  192.168.1.2     YES manual up                    up
 
Vlan3                  20.1.1.1        YES manual up                    up


ciscoasa#show ip address 
System IP Addresses:
Interface             Name                 IP address      Subnet mask     Method
Vlan1                 inside               10.1.1.1        255.0.0.0       manual
Vlan2                 outside              192.168.1.2     255.255.255.0   manual
Vlan3                 dmz                  20.1.1.1        255.0.0.0       manual

Current IP Addresses:
Interface             Name                 IP address      Subnet mask     Method
Vlan1                 inside               10.1.1.1        255.0.0.0       manual
Vlan2                 outside              192.168.1.2     255.255.255.0   manual
Vlan3                 dmz                  20.1.1.1        255.0.0.0       manual


ciscoasa#show switch vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    inside                           up        Et0/2, Et0/3, Et0/4, Et0/5
                                                Et0/6, Et0/7
2    outside                          up        Et0/0
3    dmz                              up        Et0/1



ciscoasa(config)#dhcpd address 10.1.1.5-10.1.1.15 inside
ciscoasa(config)#dhcpd dns 8.8.8.8 interface inside
ciscoasa(config)#dhcpd enable inside




(Verify that PC-A, PC-B and PC-C are getting their IP configuration from DHCP on the ASA firewall.)
















ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 192.168.1.1















































ciscoasa(config)#object network inside
ciscoasa(config-network-object)#subnet 10.0.0.0 255.0.0.0
ciscoasa(config-network-object)#nat (inside,outside) dynamic interface
ciscoasa(config-network-object)#exit


ciscoasa(config)#access-list ASA extended permit tcp any any
ciscoasa(config)#access-list ASA extended permit icmp any any
ciscoasa(config)#access-group ASA in interface outside
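The translation table that the `nat (inside,outside) dynamic interface` rule above builds, as an added example (not ASA code or output): every outbound flow from the 10.0.0.0/8 object gets its own port on the outside address 192.168.1.2 (the many-to-one mapping the PAT description above refers to), and a packet arriving on the outside is reverse-translated only when it matches a flow that an inside host opened first. Addresses are the ones configured above; the flows are constructed.

```python
"""PAT state built by `nat (inside,outside) dynamic interface`.

Added example, not ASA code or output. Every outbound flow from the
10.0.0.0/8 object is mapped to the outside interface address 192.168.1.2
with a port of its own (many-to-one), and a packet arriving on outside is
reverse-translated only when it matches a flow that an inside host opened
first. Addresses are the ones configured above; the flows are constructed.
"""
import ipaddress
import itertools
from dataclasses import dataclass, field

OUTSIDE_IP = "192.168.1.2"                          # interface address of vlan 2
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")     # object network inside


@dataclass
class Pat:
    outside_ip: str = OUTSIDE_IP
    # (proto, inside ip, inside port, dst ip, dst port) -> mapped port.
    # For ICMP the "port" is the echo identifier.
    xlate: dict = field(default_factory=dict)
    ports: itertools.count = field(default_factory=lambda: itertools.count(1024))

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving inside; returns (src ip, src port) as sent on outside."""
        if ipaddress.ip_address(src_ip) not in INSIDE_NET:
            return (src_ip, src_port)           # no NAT rule matches: left untranslated
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.xlate:
            self.xlate[key] = next(self.ports)  # allocate a fresh mapped port
        return (self.outside_ip, self.xlate[key])

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Reverse-translate a packet arriving on outside.

        Returns the (inside ip, inside port) it belongs to, or None when no
        translation matches, which is what stops unsolicited traffic.
        """
        if dst_ip != self.outside_ip:
            return None
        for (p, in_ip, in_port, d_ip, d_port), mapped in self.xlate.items():
            if p == proto and mapped == dst_port and d_ip == src_ip and d_port == src_port:
                return (in_ip, in_port)
        return None


if __name__ == "__main__":
    pat = Pat()
    print(pat.outbound("icmp", "10.1.1.5", 1, "8.8.8.8", 0))    # ping from PC-A
    print(pat.inbound("icmp", "8.8.8.8", 0, OUTSIDE_IP, 1024))  # the echo reply
    print(pat.inbound("tcp", "8.8.8.8", 80, OUTSIDE_IP, 2000))  # unsolicited: None
```

Note that the access-list named ASA permits TCP and ICMP from any source on the outside interface, which is broader than the ping goal requires; it is the absence of a matching translation, shown by inbound() returning None, that keeps unsolicited traffic from reaching the 10.x hosts.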




Wednesday, 14 December 2022

What are the basics of ethical hacking?

 Ethical Hacking (basic)


White-hat hackers, also known as ethical hackers, are professionals with expertise in cybersecurity. They are authorized by the company and certified to hack its systems. They break into systems in order to find their weaknesses. They never intend to harm the system; rather, they try to find weaknesses in a computer or network as part of penetration testing and vulnerability assessments. Ethical hacking is not illegal; in fact, it is one of the most in-demand jobs in the IT industry. Many companies hire ethical hackers for penetration testing and vulnerability assessments. An ethical hacker's job is to protect the system and network from malicious hackers.








What is hacking?

Hacking is the act of finding the possible entry points that exist in a computer system or network and finally entering through them. Hacking is usually done to gain unauthorized access to a computer system or network, either to harm the system or to steal sensitive information stored on it. Hacking is not always a malicious activity, but the term has mostly negative connotations due to its association with cybercrime. Hacking is usually legal as long as it is done to find weaknesses in a computer or network for testing purposes.

Types of hacking (BASIC)

We can segregate hacking into different categories based on what is being hacked.

Here is a set of basic hacking examples:


Social engineering

Social engineering is a manipulation technique. Using a fake identity and various psychological tricks, attackers can deceive you into disclosing personal or financial information. They rely on phishing scams, spam emails or instant messages, or even fake websites.


Hacking passwords

Hackers use many ways to obtain passwords. One is trial and error, in which the attacker tries every possible combination to gain access. Attackers also use simple algorithms to generate different combinations of letters, numbers and symbols to help them identify passwords. Another technique is known as a dictionary attack, where a program inserts common words into password fields to see if one works.

 

 Malware hacking

Attackers infiltrate a user's device to install malware. Most often they target potential victims via email, instant messages, and websites with downloadable content or peer-to-peer networks.

 

Wireless Networks Hacking

Hackers simply take advantage of open wireless networks. Many people do not secure their Wi-Fi routers, and this can be exploited by attackers driving around looking for open and unsecured wireless connections, an activity known as wardriving. Once connected to an unsecured network, they only need to bypass basic security to gain access to the devices connected to that network.

 

Website hacking

Hacking a website means taking unauthorized control over a web server and its associated software, such as databases and other interfaces.



Network hacking

Hacking a network means gathering information about a network by using tools like telnet, nslookup, ping, tracert, netstat, etc., with the intent to harm the network and hamper its operation.


Email hacking

Email hacking means gaining unauthorized access to an email account and using it without the consent of its owner.

 

 

The advantages of hacking

Hacking is quite valuable in the following scenarios:

  • whenever you need to recover lost information, especially if you have lost your password
  • when you want to perform penetration testing to strengthen computer and network security
  • to put adequate preventative measures in place to prevent security breaches
  • to have a computer system that prevents malicious hackers from gaining access

The disadvantages of hacking

Hacking is quite dangerous if it is done with harmful intent. It can cause:

  • a massive security breach
  • unauthorized system access to private information
  • privacy violation
  • hampering of system operation
  • denial of service attacks
  • malicious attacks on the system

Purpose of hacking

There can be various positive and negative intentions behind hacking activities. Here is a list of some probable reasons why people indulge in hacking:

  • just for fun
  • showing off
  • stealing important information
  • damaging the system
  • hampering privacy
  • money extortion
  • system security testing
  • breaking policy compliance

 

Tuesday, 4 October 2022

What are Types of hackers? free cybersecurity course.

 Types of hackers

Who is a Hacker? 

A hacker is basically a person who is highly skilled in information technology. Hackers use their technical skills to overcome an obstacle or achieve a goal within a computer system or network. Nowadays, however, the term hacker is usually associated with a security hacker: someone who is always on the lookout for ways to acquire and exploit sensitive personal, financial and organizational information that is otherwise not accessible to them. Legitimate figures often use hacking for legal purposes.



{A hacker has knowledge of computer networking, programming, cryptography, databases and other information technologies. There is no particular syllabus for hacking. Normally, an ethical hacker in the industry works to protect the company's data from attackers, finds bugs in the system and informs the developers in the company.}

We can classify hackers into different categories such as white hat, black hat and grey hat, based on their intention in hacking systems. These terms come from Western films, where the bad guy wears a black cowboy hat and the good guy wears a white hat.

White hat hackers

White hat hackers, also known as ethical hackers, are professionals with expertise in cybersecurity. They are authorized by the company and certified to hack its systems. They break into systems in order to find their weaknesses. They never intend to harm the system; rather, they try to find weaknesses in a computer or network as part of penetration testing and vulnerability assessments. Ethical hacking is not illegal; in fact, it is one of the most in-demand jobs in the IT industry. Many companies hire ethical hackers for penetration testing and vulnerability assessments. An ethical hacker's job is to protect the system and network from malicious hackers.

Black hat hackers.

Black hat hackers are highly skilled and knowledgeable about computer networks, but with the wrong intention. They break into other systems to steal private data or destroy the system. They use the stolen data to profit themselves, sell it on the black market or harass their target company. It is the intention of the hacker that makes the hacker a criminal.

 

Grey hat hackers

Grey hat hackers fall between black and white hat hackers, or we can say they are a blend of both. Grey hat hackers are not certified like white hat hackers. Keep in mind that the intention behind hacking decides the type of hacker: if the intention is to gain personal data without permission, this is considered a grey hat hacker. They act without malicious intent, but for their own fun they exploit a security weakness in a computer system or network without the owner's permission or knowledge. Their aim is neither to rob people nor to help the owner; their intent is to bring the weakness to the attention of the owners and get appreciation or a small bounty, or simply to find fun in hacking.

 

 

Red hat hacker

Red hat hackers are again a blend of black hat and white hat hackers. They usually operate at the top level, targeting government agencies, top-secret information hubs and generally anything that falls under the category of sensitive information. The difference between red hat and white hat hackers is that, although the intention is the same, the process differs: red hat hackers are very ruthless when dealing with black hat hackers or counteracting malware.

 

Blue hat hackers

A blue hat hacker is someone from a computer security consulting firm who is brought in to bug-test a system prior to its launch; they look for loopholes that can be exploited and try to close these gaps. Microsoft also uses the term blue hat for a series of security briefing events.

 

 

Script kiddies

A script kiddie is a non-expert who breaks into computer systems using pre-packaged automated tools written by others; in other words, they try to hack systems with scripts from other hackers, usually with little understanding of the underlying concepts, hence the term kiddie.

 

 

Hacktivist

A hacktivist is a hacker who uses technology to announce a social, ideological, religious or political message. These hackers tend to target government websites. They present themselves as activists, hence the name hacktivist. In general, hacktivism involves website defacement or denial of service attacks.

 

 Neophyte

A neophyte, "noob" or green hat hacker is someone who is new to hacking or phreaking and has almost no knowledge or experience of how technology and hacking work.

 

 

                  

 

Sunday, 17 July 2022

What is ASA firewall security zones? How to configure security zones?

By default, Cisco routers permit and forward all the packets they receive, as long as a route matches in their routing table. If we want to restrict some routes, we have to configure access lists, but with a lot of access-list rules this becomes a nightmare to configure on each interface.



In the diagram above, our router has two incoming access lists to deny some routes from the hosts' LAN, and two more access lists to prevent some routes from the internet (WAN) from entering our LAN. This means we have to apply an access list to four interfaces in order to protect our LAN. There is a better solution, called security zones, on an ASA firewall.

Let's see an example of how security zones work.





 


As you can see above, we have two security zones:

1.      INSIDE: our LAN network.

2.      OUTSIDE: our WAN network (the internet).

Each ASA interface is assigned to one of these security zones, and the zones follow two simple rules:

  • Traffic coming from a higher security level to a lower security level is permitted.
  • Traffic coming from a lower security level to a higher security level is denied.

 

Security levels –

ASA interfaces are in routed mode by default, operating at layer 3.

ASA firewall interfaces are assigned a security level, a number between 0 and 100. The higher the number, the more trusted the network connected to that interface.

Earlier we saw names like INSIDE, OUTSIDE and DMZ.

We can assign names to ASA interfaces such as inside, outside or dmz. As soon as we assign one of these names to an interface, a security level is assigned automatically. For example, if we name an interface inside, it receives security level 100, i.e. the most trusted network. If we name an interface outside, dmz or anything else, it receives security level 0 automatically. These are default values and can be changed.

It is good practice to give a security level of 100 (maximum) to inside (the most trusted network), 0 (minimum) to outside (the untrusted or public network) and 50 to DMZ (the network for the organization's public-facing devices).

Note –
It is not mandatory to use the names INSIDE, OUTSIDE or DMZ for ASA interfaces, but it is good practice to use them as they are simple and meaningful.

 

 



 

 

Our LAN is our trusted network, so it gets a high security level. The WAN is untrusted, so it gets a low security level. This means that traffic from our LAN to the WAN is permitted, while traffic from the WAN to our LAN is denied. Since the firewall is stateful, it keeps track of outgoing connections and permits the return traffic for connections initiated from our LAN.

If you want to make an exception and permit traffic from the WAN to the LAN, this can be accomplished with an access list.

Most companies have one or more servers that should be reachable from the internet, perhaps a mail or web server. Instead of placing these on the INSIDE, we use a third zone called the DMZ (demilitarized zone).

The DMZ security level sits between INSIDE and OUTSIDE:

  • Traffic coming from INSIDE going to OUTSIDE is permitted.
  • Traffic coming from DMZ going to OUTSIDE is permitted.
  • Traffic coming from INSIDE going to DMZ is permitted.
  • Traffic coming from DMZ going to INSIDE is denied.
  • Traffic coming from OUTSIDE going to INSIDE is denied.

To provide connectivity between DMZ and OUTSIDE we use an access list that permits only traffic to specific IP addresses or port numbers. If something happens to one of our servers (it gets hacked), our inside network is still secure.

Let’s see the configurations: -

 Topology:-




Goal:

  • configure the topology as per the diagram
  • configure IP addresses on their ports
  • configure gig1/1 to the outside zone
  • configure gig1/3 to the inside zone
  • configure gig1/2 to the DMZ


ciscoasa(config)#interface gigabitEthernet 1/1
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#ip address 192.168.30.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit

ciscoasa(config)#interface gigabitEthernet 1/3
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#ip address 192.168.10.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit

ciscoasa(config)#interface gigabitEthernet 1/2
ciscoasa(config-if)#nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)#ip address 192.168.20.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#exit
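An added example (not ASA code or output) that derives the zone policy from the interface configuration just entered: it parses the `interface`, `nameif`, `security-level` and `ip address` lines, applies the defaults described above (inside gets 100, any other name gets 0 until set), lists the directions the "higher to lower" rule permits without an access list, and flags interfaces that ended up sharing a level, as the dmz interface would have if its `security-level 50` line had been forgotten. The configuration text is the post's, reassembled without prompts.

```python
"""Derive an ASA's default zone-to-zone policy from its interface config.

Added example, not ASA code. It parses interface / nameif / security-level
lines like those above, applies the defaults the post describes (the name
inside implies 100, any other name 0 until set), lists which directions the
"higher to lower" rule forwards without an access list, and warns about
interfaces left at the same level, since traffic between equal levels is
also dropped by default. The configuration is the post's, without prompts.
"""

CONFIG = """\
interface gigabitEthernet 1/1
 nameif outside
 ip address 192.168.30.1 255.255.255.0
 no shutdown
interface gigabitEthernet 1/3
 nameif inside
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface gigabitEthernet 1/2
 nameif dmz
 ip address 192.168.20.1 255.255.255.0
 no shutdown
 security-level 50
"""


def default_level(name):
    """The post's rule: the name 'inside' implies 100, anything else 0."""
    return 100 if name.lower() == "inside" else 0


def parse_interfaces(config):
    """Return {nameif: {"interface": ..., "level": ..., "ip": ...}}."""
    zones, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1], "level": None, "ip": None}
        elif current is None:
            continue
        elif line.startswith("nameif "):
            name = line.split()[1]
            if current["level"] is None:          # default assigned on nameif
                current["level"] = default_level(name)
            zones[name] = current
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            current["ip"] = line.split()[2]
    return zones


def permitted_directions(zones):
    """Pairs (src, dst) the implicit rule forwards without an access list."""
    return sorted((a, b) for a in zones for b in zones
                  if a != b and zones[a]["level"] > zones[b]["level"])


def audit(zones):
    """Warnings a reviewer would raise about the resulting levels."""
    warnings, by_level = [], {}
    for name, zone in zones.items():
        by_level.setdefault(zone["level"], []).append(name)
    for level, names in by_level.items():
        if len(names) > 1:
            warnings.append(f"{' and '.join(sorted(names))} share security-level {level}; "
                            "traffic between them is dropped unless same-security-traffic is enabled")
    for name, zone in zones.items():
        if zone["level"] == 0 and name.lower() != "outside":
            warnings.append(f"{name} was left at the default security-level 0")
    return warnings


if __name__ == "__main__":
    zones = parse_interfaces(CONFIG)
    print({name: z["level"] for name, z in zones.items()})
    print(permitted_directions(zones))
    print(audit(zones) or "no warnings")
    # Same config with the dmz security-level line forgotten:
    print(audit(parse_interfaces(CONFIG.replace(" security-level 50\n", ""))))
```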


FROM SERVER



Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.30.2 255.255.255.0
Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-if)#exit




FROM PC

C:\>IPCONFIG

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::2E0:B0FF:FECD:EE09
   IP Address......................: 192.168.10.3
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.10.1

Bluetooth Connection:

   Link-local IPv6 Address.........: ::
   IP Address......................: 0.0.0.0
   Subnet Mask.....................: 0.0.0.0
   Default Gateway.................: 0.0.0.0


ciscoasa#show ip address
System IP Addresses:
Interface                Name         IP address      Subnet mask      Method
GigabitEthernet1/1       outside      192.168.30.1    255.255.255.0    CONFIG
GigabitEthernet1/2       dmz          192.168.20.1    255.255.255.0    DHCP
GigabitEthernet1/3       inside       192.168.10.1    255.255.255.0    unset

Current IP Addresses:
Interface                Name         IP address      Subnet mask      Method
GigabitEthernet1/1       outside      192.168.30.1    255.255.255.0    CONFIG
GigabitEthernet1/2       dmz          192.168.20.1    255.255.255.0    DHCP
GigabitEthernet1/3       inside       192.168.10.1    255.255.255.0    unset



ciscoasa#ping 192.168.10.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/11/25 ms


ciscoasa#ping 192.168.20.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/16 ms


ciscoasa#ping 192.168.30.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/10/20 ms














What is layer 3 etherchannel? How to configure layer 3 etherchannel?

EtherChannel technology allows us to bundle multiple physical links into one logical link. It is used to increase the bandwidth and provide ...