Class#3 | Labs 2, 3 and 4 covering ACL scenarios, object-group and time-range ACLs [CONFIGS]
Lab#2 Traffic flow from 100 high security-level (most trusted) -> 0 low security-level (least trusted)
CISCOASAV(config)# hostname CISCOASAV
!
interface gi0/1
 no shutdown
 nameif OUTSIDE
 security-level 0
 ip add 200.200.200.2 255.255.255.0
!
int gi0/0
 no shutdown
!
int gi0/0.10
 vlan 10
 nameif HR_VLAN
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
int gi0/0.20
 vlan 20
 nameif SALES_VLAN
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
dhcpd address 192.168.1.2-192.168.1.150 SALES_VLAN
dhcpd enable SALES_VLAN
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
no same-security-traffic permit inter-interface
!
exit
================
OUTSIDE_ISP_ROUTER
Router(config)# !
hostname OUTSIDE_ISP_ROUTER
!
interface e0/0
 ip add 200.200.200.1 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 200.200.200.2
!
exit
Lab#3 Traffic flow from 0 low security-level (least trusted) -> 100 high security-level (most trusted)
CISCOASAV(config)# !
access-list OUTSIDE_IN line 100 extended deny tcp any any log
access-list OUTSIDE_IN line 100 extended deny udp any any log
access-list OUTSIDE_IN line 100 extended deny icmp any any log
access-list OUTSIDE_IN line 1 extended permit icmp host 200.200.200.1 host 10.1.1.100
access-group OUTSIDE_IN in interface OUTSIDE
!
Additionally,
LAB#3b: If the customer has additionally applied an ACL on HR_VLAN in the egress direction. Troubleshoot:
====================
CISCOASAV(config)# access-list HR_VLAN_OUT line 1 extended permit icmp host 200.200.200.1 host 10.1.1.100
access-list HR_VLAN_OUT line 10 extended deny icmp any any
access-group HR_VLAN_OUT out interface HR_VLAN
Additionally,
LAB#3c: Make use of Object-group:
====================
CISCOASAV(config)# object-group network HR_VLAN_users
 network-object host 10.1.1.100
!
object-group network OUTSIDE_users
 network-object host 200.200.200.1
!
access-list OUTSIDE_IN line 1 extended permit icmp object-group OUTSIDE_users object-group HR_VLAN_users
no access-list OUTSIDE_IN line 1 extended permit icmp host 200.200.200.1 host 10.1.1.100
Lab#4 Traffic flow from 0 low security-level (least trusted) -> 100 high security-level (most trusted) with TIME-RANGE feature added on access-list
CISCOASAV(config)# !
time-range CRITICALSERVERDONOTUSE
 periodic daily 00:35 to 00:40
access-list OUTSIDE_IN line 1 extended deny icmp host 200.200.200.1 host 10.1.1.100 time-range CRITICALSERVERDONOTUSE
!
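As an added illustration (not part of the lab configs above), the following Python model applies the ACL commands from Lab#3, 3b, 3c and 4 in the order the labs enter them and then evaluates a flow the way the ASA does: `line N` insertion with renumbering, first match wins, object-group expansion, a time-range ACE that is only active inside its window, the implicit deny at the end, and for Lab#3b the requirement that both the OUTSIDE ingress ACL and the HR_VLAN egress ACL permit the flow. It assumes times as plain HH:MM strings, only `any`, `host` and `object-group` address specs, and ignores stateful return traffic and inspection.

```python
import re
# Object-groups (LAB#3c) and time-range (Lab#4) exactly as the page defines them.
GROUPS = {"HR_VLAN_users": {"10.1.1.100"}, "OUTSIDE_users": {"200.200.200.1"}}
TIME_RANGES = {"CRITICALSERVERDONOTUSE": ("00:35", "00:40")}  # periodic daily, HH:MM
# The ACL commands from Lab#3, 3b, 3c and 4, in the order the page enters them.
CONFIG = """
access-list OUTSIDE_IN line 100 extended deny tcp any any log
access-list OUTSIDE_IN line 100 extended deny udp any any log
access-list OUTSIDE_IN line 100 extended deny icmp any any log
access-list OUTSIDE_IN line 1 extended permit icmp host 200.200.200.1 host 10.1.1.100
access-list HR_VLAN_OUT line 1 extended permit icmp host 200.200.200.1 host 10.1.1.100
access-list HR_VLAN_OUT line 10 extended deny icmp any any
access-list OUTSIDE_IN line 1 extended permit icmp object-group OUTSIDE_users object-group HR_VLAN_users
no access-list OUTSIDE_IN line 1 extended permit icmp host 200.200.200.1 host 10.1.1.100
access-list OUTSIDE_IN line 1 extended deny icmp host 200.200.200.1 host 10.1.1.100 time-range CRITICALSERVERDONOTUSE
""".strip().splitlines()
ACE_RE = re.compile(r"^(no )?access-list (\S+) line (\d+) extended (permit|deny) "
                    r"(\S+) (.+?)(?: time-range (\S+))?( log)?$")

def _addr(toks):
    """Consume one address spec: any | host A.B.C.D | object-group NAME (expanded to members)."""
    kw = toks.pop(0)
    return {"any"} if kw == "any" else {toks.pop(0)} if kw == "host" else GROUPS[toks.pop(0)]

def build_acls(config):
    """'line N' inserts at position N and renumbers what follows; 'no ...' removes by content."""
    acls = {}
    for raw in config:
        negate, name, line, action, proto, addrs, trange, log = ACE_RE.match(raw).groups()
        toks = addrs.split()
        ace = {"action": action, "proto": proto, "src": _addr(toks), "dst": _addr(toks),
               "time_range": trange, "log": bool(log)}
        acl = acls.setdefault(name, [])
        acl.remove(ace) if negate else acl.insert(min(int(line) - 1, len(acl)), ace)
    return acls

def evaluate(acl, proto, src, dst, now):
    """First match wins; an ACE outside its time-range is skipped; implicit deny at the end."""
    for pos, ace in enumerate(acl, 1):
        window = TIME_RANGES.get(ace["time_range"])
        if window and not window[0] <= now <= window[1]:
            continue  # time-range ACE is inactive at this time of day
        if ace["proto"] in (proto, "ip") and all(
                "any" in spec or a in spec for spec, a in ((ace["src"], src), (ace["dst"], dst))):
            return ace["action"], pos  # (action, ACE line number)
    return "deny", None  # implicit deny

def flow_permitted(acls, proto, src, dst, now):
    """Lab#3b: the OUTSIDE ingress ACL and the HR_VLAN egress ACL must both permit the flow."""
    return all(evaluate(acls[n], proto, src, dst, now)[0] == "permit" for n in ("OUTSIDE_IN", "HR_VLAN_OUT"))
```

After all four labs, OUTSIDE_IN reads: deny-with-time-range at line 1, the object-group permit at line 2, then the three logged denies; the ping from 200.200.200.1 to 10.1.1.100 is therefore blocked only between 00:35 and 00:40.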