This document provides instructions for configuring a site-to-site VPN between two ASA firewalls using ASDM. It begins with background on the network zones an ASA separates (outside, inside, DMZ) and on the VPN types the ASA supports. The lab steps then guide the user to: 1) configure the routers, PCs and servers in GNS3; 2) add an ASA to GNS3 and install ASDM; 3) use ASDM to apply a basic configuration to the local ASA; 4) configure a DMZ on the local ASA; 5) repeat the ASDM configuration on the remote ASA; and 6) use ASDM to establish an IPsec site-to-site VPN between the local and remote ASAs.
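The lab drives every step through ASDM. The ASA CLI below is an added example, not the lab's own configuration, showing what the DMZ, access-rule and site-to-site VPN steps produce on the local ASA so that the wizard's output can be read and checked. Interface names, addresses (10.1.1.0/24 inside, 172.16.1.0/24 DMZ, 10.2.2.0/24 at the remote site, 203.0.113.1 and 198.51.100.1 as the two outside addresses, 203.0.113.254 as the ISP next hop), object names and the placeholder pre-shared key are all assumptions, since the lab's network diagram is not on this page. The remote ASA gets the mirror image: subnets and peer swapped, identical IKEv2 and IPsec parameters, identical PSK.

```text
! --- Interfaces and default route (assumed addressing) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254
!
! --- Global service policy: add ICMP to the default inspection class ---
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! --- DMZ: publish one web server, allow only HTTP from outside ---
! (ASA 8.3+ ACLs reference the real, untranslated address)
object network DMZ-WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.10
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq www
access-group OUTSIDE-IN in interface outside
!
! --- Inside LAN: PAT to the outside interface for internet traffic ---
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
!
! --- NAT exemption: VPN traffic must keep its real source address.
!     Twice NAT (section 1) is evaluated before the object NAT above.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! --- Interesting traffic for the tunnel ---
access-list VPN-TRAFFIC extended permit ip object LOCAL-LAN object REMOTE-LAN
!
! --- IKEv2 (phase 1): AES-256 / SHA-256 / DH group 14 ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! --- IPsec (phase 2) proposal and crypto map with PFS ---
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
!
! --- Peer definition: same PSK on both ASAs (placeholder value) ---
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
```

Verify with `show crypto ikev2 sa`, `show crypto ipsec sa` and `packet-tracer input inside tcp 10.1.1.10 12345 10.2.2.10 80`: the NAT exemption is the step most often missed when the tunnel comes up but traffic is still translated or dropped. If the ASDM wizard offers IKEv1 as well, leave it off unless the peer cannot do IKEv2, and use a long random PSK rather than a word.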
We will discuss the following: classical security methods, AAA (authentication, authorization and accounting), AAA characteristics, local AAA, server-based AAA, TACACS+ and RADIUS.
These shared slides contain some basic information about the router hardening project my team and I did in our network security class; we used them to present our project's process and procedures. Our project scenario was to harden the network and routers of a hypothetical organization, so we decided to do it for a bank and called it ANS Bank, after the first letters of the team members' names.
This paper introduces practical techniques used by attackers to break wireless security.
We recommend that the reader have basic knowledge of wireless operation.
Practical Red Teaming is a hands-on class designed to teach participants the techniques and tools used in red team operations. The goal of the training is to give a red teamer's perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment with multiple domains and up-to-date, patched operating systems. We cover several phases of a red team engagement in depth: local privilege escalation, domain enumeration, admin recon, lateral movement, obtaining Domain Admin privileges, and more.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OUs etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
How to Hack WiFi with Aircrack-ng in Kali Linux (Cyber Security) by Ahmad Yar
Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security. Monitoring: packet capture and export of data to text files for further processing by third-party tools.
Today connected devices are everywhere, and massive growth is expected over the coming years. What are connected devices (IoT)? They connect people to machines and machines to machines, and share the data that both people and machines create. But why should you care about security?
This presentation walks you through why connected devices (IoT) are being targeted, what typically goes wrong during development to make these devices vulnerable to attack, and what's next.
These PowerPoint slides are all about WPA3, which will make WiFi more secure and is the future of wireless security. They explain how the man-in-the-middle attack and the KRACK attack work, and also cover RC4 encryption.
DNS security is important. But, in today’s world of dynamic cloud environments (AWS and Azure), content delivery networks (CDNs) and crowdsourced content and advertisements, looking only at the domain name is not a complete indicator of security. “Grey” domains are no longer the exception, they have become the norm. Join this webcast to explore the risks of relying on DNS-only based solutions and ways to add security to your DNS traffic without sacrificing performance or additional security insights.
Implementing a Secure and Effective PKI on Windows Server 2012 R2 by Frank Lesniak
The infrastructure that deploys and manages digital certificates, known as a Public Key Infrastructure (PKI), is often the center of cryptography in an organization. It also typically stays in service for 10+ years, which means that one must carefully consider design options before implementation. In this presentation, Frank will cover modern standards for cryptography, how they apply to a Microsoft PKI infrastructure, and share recommendations based on what he has seen in the field.
In the following slides we will show you how to create a #DMZ using the #FortiGate #Firewall. See the next chapters on #FortiGate configuration. Stay with us!
Presenter: Paul Vixie
The Domain Name System (DNS) offers an excellent view of local and global networks, which makes it possible to study cybercriminals' activity and attack methods. The talk will show how to secure DNS and how to use it to protect other connected assets. The speaker will cover DNS cache poisoning, the DNS Security Extensions (DNSSEC), DDoS attacks, rate limiting, DNS firewalls and passive DNS monitoring.
Towards Secure and Dependable Authentication and Authorization Infrastructures by Diego Kreutz
We propose a resilience architecture for improving the security and dependability of authentication and authorization infrastructures, in particular the ones based on RADIUS and OpenID. This architecture employs intrusion-tolerant replication, trusted components and untrusted gateways to provide survivable services ensuring compatibility with standard protocols. The architecture was instantiated in two prototypes, one implementing RADIUS and another implementing OpenID. These prototypes were evaluated in fault-free executions, under faults, under attack, and in diverse computing environments. The results show that, beyond being more secure and dependable, our prototypes are capable of achieving the performance requirements of enterprise environments, such as IT infrastructures with more than 400k users.
A computer crime, or cybercrime, is any typified, unlawful and culpable act that is carried out through computing means or that aims to destroy or damage computers, electronic media and internet networks.
Azure Bastion is a PaaS solution for remote desktop access that is more secure than a jump server. It comes with browser-based login and never exposes the VM's public IP to the internet. The service works seamlessly in your environment using the VM's private IP address within your VNet. Highly secure and trustworthy.
Public key authentication is the most secure solution and utilizes a.pdf by mohammadirfan136964
Public key authentication is the most secure solution; it relies on a public key infrastructure (PKI), using both public and private keys. A PKI is certainly the easiest solution from the user's perspective. It supports the distribution and identification of public encryption keys, enabling users and computers both to exchange data securely over networks such as the internet and to verify the identity of the other party.
Without PKI, sensitive information can still be encrypted (ensuring confidentiality) and exchanged, but there would be no assurance of the identity (authentication) of the other party. Any form of sensitive data exchanged over the internet relies on PKI for that authentication.
Elements of PKI
A typical PKI consists of hardware, software, policies and standards to manage the creation, administration, distribution and revocation of keys and digital certificates. Digital certificates are at the heart of PKI: they affirm the identity of the certificate subject by binding that identity to the public key contained in the certificate.
The elements of a PKI are the following:
Certificate Authority (CA), which signs and issues certificates.
Registration Authority (RA), which verifies the identity of a requester before the CA issues a certificate.
A certificate database, which stores certificate requests and the certificates that have been issued and revoked.
A certificate store, which resides on a local computer as a place to keep issued certificates and private keys.
To connect many distant employees at once, all office locations must be able to access the same network resources. Most of the time one location houses the core infrastructure needed to run the network, such as the servers and databases, and a wide area network (WAN) connects the remote offices to it. WANs are used to join the local area networks (LANs) of disparate offices together.
However, installing and operating LANs and WANs is expensive.
To overcome this, organizations use virtual private networks (VPNs) that run over the internet.
A VPN provides secure connections between individual users and their organization's network over the internet, and it has several upsides. VPNs provide secure site-to-site connections. They can provide faster information transfer than a WAN and, most importantly for small and medium-sized businesses, they are much less expensive, since a single leased line to the internet for each office suffices, cutting down on bandwidth cost.
While VPNs are highly recommended and trusted, a newer technology gaining traction with companies is the remote desktop. A remote desktop requires software or an operating system that allows applications to run remotely on a server while being displayed locally. This network server hosts remote files and applications in a secure location, ensuring your data is never lost, even when something happens to the device you are working on.
Virtual private network features and benefits by Anthony Daniel
Cyberoam VPN offers the option of IPsec VPN, SSL VPN, L2TP and PPTP on its UTM appliances, providing secure remote access to organizations. It replaces most other best-of-breed firewall-VPN appliances to offer cost-effective security to organizations.
HuskyVPN provides a reliable and secure virtual private network (VPN) service to protect your online privacy and security. With our easy-to-use software, you can browse the internet anonymously and securely, access geo-restricted content, and protect your data on public Wi-Fi.
A technology that creates a network that is physically public but virtually private. It is a secure way of adding an extra level of privacy to your online activity, such as web browsing.
This project mainly focuses on remotely scanning an organization's internal network using precise, advanced and efficient tools built and installed on a Raspberry Pi. Keeping all the security aspects in scope, this tool is built and configured to meet and protect one's required operations throughout the process. The whole scanning operation is done through Secure Shell (SSH), because it is open source and uses an open protocol, so it's hard to plant a backdoor attack. The encryption will provide privacy and maintain integrity throughout the operation and will protect against network sniffers, eavesdropping and man-in-the-middle attacks. This tool is made to completely eliminate the physical travel of the security team to the client's location for any contract-based security operations. Sharique Raza | Feon Jaison Maliyekkal | Nitin Choudhary, "Remotely Scanning Organization's Internal Network", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-6, October 2020, URL: https://www.ijtsrd.com/papers/ijtsrd33636.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-network/33636/remotely-scanning-organization’s-internal-network/sharique-raza
Configuring ASA Site-To-Site VPN
Contents
Purpose
Background
  Outside
  Inside
  DMZ
VPN
ASA VPN Types
  Clientless VPN
  AnyConnect VPN
  Site-to-Site VPN
    There are two types of site-to-site VPNs
ASDM
Learning Objectives
Network Diagram
Lab
  Task 1: Configure all other devices except the ASA
    PCs and servers
    ISP
    R1
    R2
  Task 2: Create an MS Loopback interface
  Task 3: Add the ASA device to GNS3
Local Site
  Task 4: Install ASDM on the ASA device
  Task 5: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
    Step 3: Configure the DMZ
    Step 4: Create an Access Rule
  Task 6: Verifying the local configuration
Remote Site
  Task 7: Install ASDM on the ASA device
  Task 8: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
Task 9: Verifying the Remote configuration..........................................................................................33
Configure the Site-To-Site VPN .........................................................................................................33
Local site. ........................................................................................................................................34
Remote site. ....................................................................................................................................40
Verifying the VPN configuration .......................................................................................................47
Purpose:
The purpose of this lab is to provide a more advanced understanding of the Cisco ASA 5520
Adaptive Security Appliance. The Cisco ASA is a security device that combines firewall and
virtual private network (VPN) capabilities and, with the appropriate service modules, antivirus
and intrusion prevention. In this lab we will use GNS3 to learn how to configure the ASA as a
basic firewall with the addition of a third zone referred to as a DMZ, and finally we will create
a site-to-site VPN between the sites. This knowledge is essential to passing the CCNP Security
exam and will be used daily in your position as a Cisco network engineer.
Background:
In this lab we will be using GNS3 and ASDM to model a network with a LOCAL and a REMOTE site.
Each of these sites will have access to the Internet. The local site will also have a DMZ zone that
can be accessed by outside devices as well as inside devices, but whose hosts will not be able to
initiate connections to any inside device. In addition, we will create a site-to-site VPN between
the local site and the remote site. Before we continue with the lab, let's take a look at the basic
security zones (ASA interfaces) used in this lab.
Outside:
The outside interface is the public, untrusted zone, commonly used to connect to public
addresses on the Internet. It is assigned security level 0. Devices in this zone cannot initiate
connections to devices on the inside or in the DMZ unless an access rule explicitly permits it.
Inside:
The inside interface is the private, trusted zone, generally used for local devices in a private
address space; it is assigned the highest security level, 100. To reach public addresses on the
outside, the private addresses must be translated using NAT or PAT. Inside devices can initiate
connections to devices on the outside or in the DMZ unless an access rule restricts them.
DMZ:
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter
network) is a physical or logical subnetwork that contains and exposes an organization's
external-facing services to a larger and untrusted network, usually the Internet. The purpose of
a DMZ is to add an additional layer of security to an organization's local area network (LAN): an
external attacker only has direct access to equipment in the DMZ, rather than any other part of
the network. On the ASA the DMZ is a third interface whose security level sits between outside
(0) and inside (100), so by default DMZ hosts can reach the outside but cannot reach the inside.
VPN:
VPNs allow employees to securely access their company's intranet while traveling outside the
office. Similarly, VPNs securely connect geographically separated offices of an organization,
creating one cohesive network. VPN technology is also used by individual Internet users to
secure their wireless transactions, to circumvent geo restrictions and censorship, and to
connect to proxy servers for the purpose of protecting personal identity and location.
ASA VPN Types:
The Cisco ASA product line offers three basic types of VPN:
Clientless VPN:
Clientless SSL VPN enables end users to securely access resources on the corporate network
from anywhere using an SSL-enabled Web browser. The user first authenticates with a
Clientless SSL VPN gateway, which then allows the user to access pre-configured network
resources.
Clientless SSL VPN creates a secure, remote-access VPN tunnel to an ASA using a Web browser
without requiring a software or hardware client. It provides secure and easy access to a broad
range of Web resources and both web-enabled and legacy applications from almost any device
that can reach the ASA over HTTPS. They include:
• Internal websites.
• Web-enabled applications.
• NT/Active Directory file shares.
• email proxies, including POP3S, IMAP4S, and SMTPS.
• Microsoft Outlook Web Access Exchange Server 2000, 2003, and 2007.
• Microsoft Web App to Exchange Server 2010 in 8.4(2) and later.
• Application Access (smart tunnel or port forwarding access to other TCP-based
applications)
Clientless SSL VPN uses Secure Sockets Layer Protocol and its successor, Transport Layer
Security (SSL/TLS) to provide the secure connection between remote users and specific,
supported internal resources that you configure at an internal server. The ASA recognizes
connections that must be proxied, and the HTTP server interacts with the authentication
subsystem to authenticate users.
The network administrator provides access to resources by users of Clientless SSL VPN sessions
on a group basis. Users have no direct access to resources on the internal network.
AnyConnect VPN:
Cisco AnyConnect is a remote-access VPN client installed on the user's endpoint (desktop or
mobile). Unlike clientless SSL VPN, it gives the endpoint a full network-layer tunnel to the ASA,
using SSL/TLS (with DTLS) or IKEv2/IPsec, so any application on the endpoint can reach the
corporate network. It is intended for enterprise users who need full, secure remote access to
the network at their place of work.
Site-to-Site VPN:
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with
each other over a public network such as the Internet. Site-to-site VPN extends the company's
network, making computer resources from one location available to employees at other
locations. An example of a company that needs a site-to-site VPN is a growing corporation with
dozens of branch offices around the world.
There are two types of site-to-site VPNs:
• Intranet-based -- If a company has one or more remote locations that they wish to join
in a single private network, they can create an intranet VPN to connect each separate
LAN to a single WAN.
• Extranet-based -- When a company has a close relationship with another company (such
as a partner, supplier or customer), it can build an extranet VPN that connects those
companies' LANs. This extranet VPN allows the companies to work together in a secure,
shared network environment while preventing access to their separate intranets.
Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it
can use some of the same software and equipment. A site-to-site VPN, however, removes the
need for each computer to run VPN client software as it would on a remote-access VPN: a
dedicated VPN gateway at each site (in this lab, the ASA) terminates the tunnel on behalf of
every host behind it.
ASDM:
Cisco's ASDM is a simple, GUI-based firewall appliance management tool that is user friendly
and allows the user to configure, monitor, and troubleshoot Cisco firewall appliances and
firewall service modules. Ideal for small or simple deployments, the Cisco Adaptive Security
Device Manager provides the following:
• Setup wizards that help you configure and manage Cisco firewall devices, including the
Cisco ASA Adaptive Security Appliances, Cisco PIX appliances, and Cisco Catalyst 6500
Series Firewall Services Modules without cumbersome command-line scripts
• A powerful real-time log viewer and monitoring dashboards that provide an at-a-glance
view of firewall appliance status and health
• Handy troubleshooting features and powerful debugging tools such as packet tracer and
packet capture
Learning Objectives:
• Add the ASA to GNS3.
• Configure the MS Loopback interface.
• Install and configure ASDM.
• Use ASDM to configure the ASA.
• Configure a DMZ.
• Configure a Site-to-Site VPN.
Network Diagram: (figure not reproduced in this copy)
Lab:
Task 1: Configure all other devices except the ASA.
In this part of our lab we will configure the routers, PCs and servers as shown in the network
diagram.
Note: In this lab, routers are being used to simulate the INTERNET, DMZ and LOCAL servers and
the REMOTE and LOCAL PCs.
PCs and servers:
1. Configure the INTERNET, DMZ and LOCAL servers and the REMOTE and LOCAL PCs
as shown in the network diagram.
2. Configure a default route on each of the above devices pointing at its local gateway (the
ASA inside or dmz interface for the PCs, LOCAL server and DMZ server; the ISP for the
INTERNET server).
ISP:
1. Configure the ISP as follows (serial1/1 faces R2 and must be on the 10.2.2.0/30 link, not a
second copy of the 10.1.1.2 address used on serial1/0):
ISP#config t
ISP(config)#interface FastEthernet0/0
ISP(config-if)# ip address 209.165.200.9 255.255.255.248
ISP(config-if)# no shutdown
ISP(config-if)#exit
!
ISP(config)#interface serial1/0
ISP(config-if)# ip address 10.1.1.2 255.255.255.252
ISP(config-if)# no shutdown
ISP(config-if)#exit
!
ISP(config)#interface serial1/1
ISP(config-if)# ip address 10.2.2.2 255.255.255.252
ISP(config-if)# no shutdown
ISP(config-if)#exit
!
! static routes to the two public /29 blocks that sit behind R1 and R2
ISP(config)#ip route 209.165.200.224 255.255.255.248 10.1.1.1
ISP(config)#ip route 209.165.200.232 255.255.255.248 10.2.2.1
ISP(config)#exit
ISP#wr
R1:
1. Configure R1 as follows. FastEthernet0/0 is the default gateway for ASA1, so it takes
209.165.200.225; ASA1's outside interface takes 209.165.200.226:
R1#config t
R1(config)#interface FastEthernet0/0
R1(config-if)# ip address 209.165.200.225 255.255.255.248
R1(config-if)# no shutdown
R1(config-if)#exit
!
R1(config)#interface serial1/0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# no shutdown
R1(config-if)#exit
!
R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1(config)#exit
R1#wr
R2:
1. Configure R2 as follows. FastEthernet0/0 (209.165.200.233) is the default gateway for
ASA2, whose outside interface takes 209.165.200.234:
R2#config t
R2(config)#interface FastEthernet0/0
R2(config-if)# ip address 209.165.200.233 255.255.255.248
R2(config-if)# no shutdown
R2(config-if)#exit
!
R2(config)#interface serial1/1
R2(config-if)# ip address 10.2.2.1 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)#exit
!
R2(config)# ip route 0.0.0.0 0.0.0.0 10.2.2.2
R2(config)#exit
R2#wr
Task 2: Create an MS Loopback interface.
Microsoft Loopback Adapter is a dummy network card, no hardware is involved. It is used as a
testing tool for a virtual network environment where network access is not available. You can
bind network clients, protocols, and other network configuration items to the Loopback
adapter.
1. In the host operating system, right-click My Computer, and then select Properties.
Depending on the style of the start menu, My Computer may be located in the Start
menu.
2. In the System Properties dialog box, on the Hardware tab, click Add Hardware Wizard.
3. In the Add Hardware dialog box, click Next.
4. When the Is the hardware connected? dialog box appears, click Yes, I have already
connected the hardware, and then click Next.
5. In the Installed hardware list, click Add a new hardware device, and then click Next.
6. In the What do you want the wizard to do? list, click Install the hardware that I manually
select from a list (Advanced), and then click Next.
7. In the Common hardware types list, click Network adapters, and then click Next.
8. In the Manufacturer list, click Microsoft.
9. In the Network Adapter list, click Microsoft Loopback Adapter, and then click Next twice.
10. If a message about driver signing appears, click Continue Anyway.
11. In the Completing the Add Hardware Wizard dialog box, click Finish, and then click OK.
12. Reboot the computer.
13. On the host operating system, open Network Connections, right-click the local area
connection for Microsoft Loopback Adapter, and then select Properties.
14. In the Microsoft Loopback Adapter Properties dialog box, verify that the Virtual Machine
Network services check box is selected.
15. Click Internet Protocol (TCP/IP), and then click Properties.
16. On the General tab, click Use the following IP address, and then type the IP address and
subnet mask 192.168.2.10 and 255.255.255.0.
17. Click OK, and then click Close.
Task 3: Add the ASA device to GNS3.
1. Copy the ASA842.zip included with this lab into the GNS3 image directory.
2. Unzip the ASA842.zip file.
3. Open Edit -> Preferences -> Qemu and click the ASA tab
4. Enter an Identifier name – I used “ASA-5520″
5. Enter 1024 in RAM
6. Enter the following for Qemu Options:
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
7. Enter the paths where you placed the files from step 1 into the designated boxes for
Initrd and Kernel
8. Enter the following for Kernel cmd line:
-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb
console=ttyS0,9600 bigphysarea=65536
9. Leave all other options at defaults
10. Click the Save button then click OK.
11. Copy the ASDM lab.zip file to the GNS3 project directory.
12. Extract the ASDM lab.zip file.
13. Open the lab topology.
14. Once the ASA is up, enter enable and then enter one of the following to activate
features:
activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Local Site.
Task 4: Install ASDM on the ASA device.
1. If you don’t already have a TFTP server installed, then you can download and install the
Cisco TFTP server available with this lab.
2. In the ASA console enter the following (GigabitEthernet5 is the interface cabled to the
Windows loopback adapter in the lab topology):
ciscoasa# config t
ciscoasa(config)# hostname ASA1
ASA1(config)# interface GigabitEthernet5
ASA1(config-if)# ip address 192.168.2.1 255.255.255.0
ASA1(config-if)# nameif management
ASA1(config-if)# no shutdown
3. Ping the Windows loopback adapter from the ASA firewall to test connectivity.
4. If you don’t already have the ASDM, then download the ASDM647 included with this
lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:
ASA1# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM image at the next boot and allow HTTPS access from the
loopback host only:
ASA1# config t
ASA1(config)# asdm image flash:asdm-647.bin
ASA1(config)# http server enable
ASA1(config)# http 192.168.2.10 255.255.255.255 management
ASA1(config)# username admin password cisco privilege 15
7. Save your configuration using the 'wr' command and then reload the firewall using the
'reload' command. The admin/cisco credentials are for this isolated lab only; on a real
appliance use a strong password and keep the http statement restricted to the
management hosts, as above.
Note: to complete the next step, you will need to disable or configure your PC firewall.
You may also need to disable pop-up blocking in your browser and in the Java configuration.
Lastly, you may need to add https://192.168.2.1 to the trusted sites under the Internet security
options, and you may need to install the ASA's self-signed certificate in your browser.
8. Open your browser, browse to https://192.168.2.1 and click the Install ASDM Launcher
button to download and install the ASDM app from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the name admin and
password cisco.
Task 5: Configure the ASA using ASDM.
Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter Hostname ASA1 and Domain Name Local and click Next.
5. Select Enable interface and configure the interface with the following:
interface ………….GigabitEthernet0
interface name ..outside
security level…….0
ip address…………209.165.200.226
subnet mask…….255.255.255.248
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
interface ………….GigabitEthernet1
interface name ..inside
security level…….100
ip address…………192.168.10.1
subnet mask…….255.255.255.0
9. Click OK.
10. Highlight GigabitEthernet2 and click Edit.
11. Select Enable interface and configure the interface with the following:
interface ………….GigabitEthernet2
interface name ..dmz
security level…….50
ip address…………172.16.1.1
subnet mask…….255.255.255.0
12. Click OK.
13. Click Next.
14. Click Add and enter the following default route:
Interface…….outside
Network……..any
Gateway IP…209.165.200.225
15. Click OK.
16. Click Next.
17. Enable the DHCP server on the inside interface.
18. Enter the starting IP address 192.168.10.10 and the ending IP address 192.168.10.100.
19. Click Next.
20. Select Use the IP address on GigabitEthernet0 interface (PAT to the outside address).
21. Click Next.
22. Click Next.
23. Click Next.
24. Select Do not enable Smart Call Home and click Next.
25. Verify the configuration.
26. Click Finish.
27. Select Send.
Note: the security levels are what make the later verification work. Inside (100) can reach dmz
(50) and outside (0) without an access rule, dmz can reach outside, and no interface can initiate
connections to a higher-security interface unless an access rule permits it. If all three were left
at 0, the ASA would drop traffic between them by default.
Step 2: Create a global service policy.
1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global and name the policy global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules
10. Click Send.
Step 3: Configure the DMZ.
1. From the Firewall drop-down select Network Objects/Groups.
2. Click Add and select Network Object.
3. In the Network Object window enter the following (the inside subnet is 192.168.10.0/24,
the network assigned to the inside interface and its DHCP pool in Step 1):
Name……………..inside-subnet
Type……………….Network
IP Address…….192.168.10.0
Netmask……….255.255.255.0
4. Expand NAT and select Add Automatic Address Translation Rule.
5. Select the Type Dynamic.
6. Select outside as the Translated Address (PAT to the outside interface address).
7. Click Advanced.
8. Select inside as the Source Interface and outside as the Destination Interface.
9. Click OK.
10. From the Firewall drop-down select Network Objects/Groups.
11. Click Add and select Network Object.
12. In the Network Object window enter the following:
Name……………..dmz-subnet
Type……………….Network
IP Address…….172.16.1.0
Netmask……….255.255.255.0
13. Expand NAT and select Add Automatic Address Translation Rule.
14. Select the Type Dynamic.
15. Select outside as the Translated Address.
16. Click Advanced.
17. Select dmz as the Source Interface and outside as the Destination Interface.
18. Click OK.
19. Click OK.
20. Click Add and select Network Object.
21. In the Network Object window enter the following (the public address that will represent
the DMZ server; it is inside the 209.165.200.224/29 block routed to R1):
Name……………..dmz-host-ext
Type……………….Host
IP Address…….209.165.200.229
22. Click OK.
23. Click Add and select Network Object.
24. In the Network Object window enter the following:
Name……………..dmz-host-int
Type……………….Host
IP Address…….172.16.1.200
25. Expand NAT and select Add Automatic Address Translation Rule.
26. Select the Type Static.
27. Select dmz-host-ext as the Translated Address.
28. Click Advanced.
29. Select dmz as the Source Interface and outside as the Destination Interface.
30. Click OK.
31. Click OK.
32. Click Apply.
33. Click Send.
Step 4: Create an Access Rule.
1. From Firewall select Access Rules.
2. Highlight outside (0 implicit incoming rules).
3. Click Add, select Add Access Rule and enter the following:
Interface: outside
Action: Permit
Source: any
Destination: dmz-host-int
Services: tcp/ftp, tcp/ftp-data, tcp/http, tcp/https, tcp/ssh, tcp/telnet
Note: on ASA 8.3 and later, access rules reference the real (untranslated) address, which is why
the destination is dmz-host-int (172.16.1.200) and not its public address 209.165.200.229.
Permitting Telnet and FTP from any source is acceptable only in this isolated lab; both carry
credentials in clear text.
4. Click OK.
5. Click Apply.
6. Click Send.
7. From the menu bar click Save.
8. Click Send.
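The ASDM wizards above generate ordinary ASA configuration. As an added example (not taken from the original lab or from ASDM's own output), here is the CLI equivalent for ASA1 of Steps 1 to 4, useful for comparing against show running-config after the wizards have run, or for building the local site without ASDM. Assumptions: ASA 8.4(2) syntax, the GigabitEthernet0-2 interface names the GNS3 image presents, only a few of the default global policy's inspections are listed, and the inspect icmp line is an addition that is not in the ASA default set.

```cisco
! ASA1 (local site), ASA 8.4(2) syntax. Added example: CLI equivalent of Task 5 Steps 1-4.
hostname ASA1
domain-name Local
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! default route toward R1, on the outside interface
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
! DHCP for LOCAL-PC on the inside segment
dhcpd address 192.168.10.10-192.168.10.100 inside
dhcpd enable inside
!
! Step 3: network objects with their NAT rules (8.3+ object NAT).
! The static rule for the DMZ host is evaluated before the dynamic PAT rules.
object network inside-subnet
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz-subnet
 subnet 172.16.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
object network dmz-host-ext
 host 209.165.200.229
object network dmz-host-int
 host 172.16.1.200
 nat (dmz,outside) static dmz-host-ext
!
! Step 4: inbound rule on outside; the destination is the real address (8.3+ semantics).
! Telnet/FTP from any are lab-only permissions.
access-list outside_access_in extended permit tcp any object dmz-host-int eq ftp
access-list outside_access_in extended permit tcp any object dmz-host-int eq ftp-data
access-list outside_access_in extended permit tcp any object dmz-host-int eq www
access-list outside_access_in extended permit tcp any object dmz-host-int eq https
access-list outside_access_in extended permit tcp any object dmz-host-int eq ssh
access-list outside_access_in extended permit tcp any object dmz-host-int eq telnet
access-group outside_access_in in interface outside
!
! Step 2: the global policy. The ASA ships with this policy; ftp inspection is what lets the
! active-mode FTP test to the DMZ host work through NAT. inspect icmp is an assumed
! addition (not default) so that ping replies are allowed back through PAT.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns
  inspect icmp
service-policy global_policy global
```

After the wizards have run, compare with show running-config nat and show running-config access-list. ASA2 at the remote site uses the same structure without the dmz interface and objects: outside 209.165.200.234/29 with default gateway 209.165.200.233, inside 192.168.20.1/24 and a DHCP pool of 192.168.20.10-192.168.20.100.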
Task 6: Verifying the Local configuration.
1. From LOCAL-PC, Telnet to the INTERNET server using the username admin and the password
cisco.
2. Enter exit.
3. From LOCAL-PC, Telnet to the DMZ server using the username admin and the password
cisco.
4. Enter exit.
5. From the DMZ server, Telnet to the INTERNET server using the username admin and the
password cisco.
6. Enter exit.
7. Ensure you cannot Telnet to LOCAL-PC or the LOCAL server from the DMZ server: the dmz
interface (security level 50) has no access rule permitting connections toward inside (100).
Remote Site.
Task 7: Install ASDM on the ASA device.
1. If you don't already have a TFTP server installed, then you can download and install the
Cisco TFTP server available with this lab.
2. In the ASA console enter the following:
ciscoasa# config t
ciscoasa(config)# hostname ASA2
ASA2(config)# interface GigabitEthernet5
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# nameif management
ASA2(config-if)# no shutdown
3. Ping the Windows loopback adapter from the ASA firewall to test connectivity.
4. If you don’t already have the ASDM, then download the ASDM647 included with this
lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:
ASA2# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM image at the next boot and allow HTTPS access from the
loopback host only:
ASA2# config t
ASA2(config)# asdm image flash:asdm-647.bin
ASA2(config)# http server enable
ASA2(config)# http 192.168.2.10 255.255.255.255 management
ASA2(config)# username admin password cisco privilege 15
7. Save your configuration using the 'wr' command and then reload the firewall using the
'reload' command. As on ASA1, the admin/cisco credentials are for this isolated lab only.
Note: to complete the next step, you will need to disable or configure your PC firewall.
You may also need to disable pop-up blocking in your browser and in the Java configuration.
Lastly, you may need to add https://192.168.2.2 to the trusted sites under the Internet security
options, and you may need to install the ASA's self-signed certificate in your browser.
8. Open your browser, browse to https://192.168.2.2 and click the Install ASDM Launcher
button to download and install the ASDM app from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the name admin and
password cisco.
Task 8: Configure the ASA using ASDM.
Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter Hostname ASA2 and Domain Name Remote and click Next.
5. Select Enable interface and configure the interface with the following (the remote site's
public block is 209.165.200.232/29, routed by the ISP to R2):
interface ………….GigabitEthernet0
interface name ..outside
security level…….0
ip address…………209.165.200.234
subnet mask…….255.255.255.248
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
interface ………….GigabitEthernet1
interface name ..inside
security level…….100
ip address…………192.168.20.1
subnet mask…….255.255.255.0
9. Click OK.
10. Click Next.
11. Click Add and enter the following default route (R2's FastEthernet0/0 address):
Interface…….outside
Network……..any
Gateway IP…209.165.200.233
12. Click OK.
13. Click Next.
14. Enable the DHCP server on the inside interface.
15. Enter the starting IP address 192.168.20.10 and the ending IP address 192.168.20.100.
16. Click Next.
17. Select Use the IP address on GigabitEthernet0 interface (PAT to the outside address).
18. Click Next.
19. Click Next.
20. Click Next.
21. Select Do not enable Smart Call Home and click Next.
22. Verify the configuration.
23. Click Finish.
24. Select Send.
Step 2: Create a global service policy.
1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global and name the policy global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules
10. Click Send.
Task 9: Verifying the Remote configuration.
1. From REMOTE-PC, Telnet to the INTERNET server using the username admin and the
password cisco.
2. Enter exit.
3. From REMOTE-PC, Telnet to the DMZ server's outside address 209.165.200.229 using the
username admin and the password cisco.
4. Enter exit.
5. Ensure you cannot Telnet to the LOCAL-PC or the LOCAL server from REMOTE-PC: with no
VPN yet, 192.168.10.0/24 is a private range that the ISP does not route.
Configure the Site-To-Site VPN
For this part of our lab we will be using ASDM to configure the Local and Remote side of our
Site-To-Site VPN.
Local site.
1. Open your browser, browse to https://192.168.2.1 and, if the launcher is not already
installed, click the Install ASDM Launcher button.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to ASA1 with the name admin and
password cisco.
3. From the menu bar select Wizards.
4. From the dropdown select VPN Wizards and select Site-to-Site VPN Wizard.
5. Click Next.
6. Enter the outside address of ASA2 (209.165.200.234) as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click Next.
11. From the Local Network dropdown select inside-subnet as the Local Network.
12. Select the Remote Network dropdown.
13. Click Add, select Network Object and enter the following:
Name: remote-subnet
Type: Network
IP Address: 192.168.20.0
NetMask: 255.255.255.0
14. Click OK.
15. Select remote-subnet as the Remote Network.
16. Click Next.
17. Enter cisco as the Pre-shared key. A dictionary word is acceptable only in this lab; in
production use a long random key (or certificates), since anyone who learns the key can
impersonate the peer.
18. Click Next.
19. Take the defaults for the IKE policy and IPsec Proposal.
20. Click Next.
21. Check the remaining two boxes (bypass interface access lists for inbound IPsec sessions,
and exempt the ASA-side network from address translation).
22. Ensure the configuration is OK and click Finish.
23. Click Send.
This completes the site-to-site VPN configuration on the Local site.
Remote site.
1. Open your browser, browse to https://192.168.2.2 and, if the launcher is not already
installed, click the Install ASDM Launcher button.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to ASA2 with the name admin and
password cisco.
3. From the menu bar select Wizards.
4. From the dropdown select VPN Wizards and select Site-to-Site VPN Wizard.
5. Click Next.
6. Enter the outside address of ASA1 (209.165.200.226) as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click Next.
11. From the Local Network dropdown select inside-subnet as the Local Network. On ASA2 this
object is 192.168.20.0/24; if it does not exist yet, add it as a Network object the same way
as remote-subnet below.
12. Select the Remote Network dropdown.
13. Click Add, select Network Object and enter the following:
Name: remote-subnet
Type: Network
IP Address: 192.168.10.0
NetMask: 255.255.255.0
14. Click OK.
15. Select remote-subnet as the Remote Network.
16. Click Next.
17. Enter cisco as the Pre-shared key; it must match the key entered on ASA1.
18. Click Next.
19. Take the defaults for the IKE policy and IPsec Proposal; both sides used the same wizard
defaults, so the proposals match.
20. Click Next.
21. Check the remaining two boxes: Enable inbound IPsec sessions to bypass interface access
lists, and Exempt ASA side host/network from address translation (on the inside interface).
The exemption matters: without it the dynamic PAT rule for inside-subnet would translate
the VPN traffic before the crypto map saw it, and it would never match the crypto access
list.
22. Ensure the configuration is OK and click Finish.
23. Click Send.
This completes the site-to-site VPN configuration on the Remote site.
Verifying the VPN configuration
1. From REMOTE-PC, Telnet to the LOCAL server 192.168.10.200 using the username admin and
password cisco. This is the only test that actually traverses the tunnel; the next two leave
through PAT to the Internet as before, because only 192.168.10.0/24 is in the crypto access
list.
2. Type exit.
3. From REMOTE-PC, Telnet to the INTERNET server 209.165.200.11 using the username admin
and password cisco.
4. Type exit.
5. From REMOTE-PC, Telnet to the DMZ server 209.165.200.229 using the username admin and
password cisco.
6. Type exit.
7. From the INTERNET server, ensure you cannot access the inside of the LOCAL or REMOTE
site.
8. From the command prompt of ASA2 issue the following commands and observe the outputs.
ASA2# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 209.165.200.226
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234
access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0
255.255.255.0
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 209.165.200.226
#pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
#pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 201, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.165.200.234/0, remote crypto endpt.: 209.165.200.226/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 36C6AFF0
current inbound spi : DCCD0B9F
inbound esp sas:
spi: 0xDCCD0B9F (3704425375)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373992/28356)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x36C6AFF0 (918990832)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373991/28356)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object inside-subnet object remote-
subnet (hitcnt=3) 0x6742cde6
access-list outside_cryptomap line 1 extended permit ip 192.168.20.0 255.255.255.0
192.168.10.0 255.255.255.0 (hitcnt=5) 0x6742cde6
ASA2# sh vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
Site-to-Site VPN : 1 : 1 : 1
IKEv1 IPsec : 1 : 1 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 1
Device Total VPN Capacity : 0
Device Load : 0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
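The "Platform capacity exceeded" warning in the session summary follows from the emulated ASA reporting a Device Total VPN Capacity of 0; the tunnel itself is Active and the encaps/decaps counters above are incrementing, which is what matters. Two further checks are worth running before trusting the Telnet tests, added here as an example (they are not part of the original lab): packet-tracer, which shows which NAT rule and which crypto map entry a simulated packet hits, and the NAT and crypto access-list hit counters. The source address 192.168.20.10 is assumed to be REMOTE-PC's DHCP lease; 209.165.200.11 is the INTERNET server from the Telnet tests.

```cisco
! On ASA2: simulate REMOTE-PC opening Telnet to the LOCAL server across the tunnel
ASA2# packet-tracer input inside tcp 192.168.20.10 1025 192.168.10.200 23
! Expected: a NAT phase matching the identity rule (inside-subnet -> remote-subnet, untranslated),
! a VPN phase with "Subtype: encrypt" and "Result: ALLOW", and a final "Action: allow".
! If the VPN phase is absent and the source is rewritten to 209.165.200.234, the NAT exemption
! from the wizard is missing or ordered below the dynamic PAT rule.
!
! Confirm rule order: the identity (twice NAT) rule is in Section 1, ahead of the object NAT rules
ASA2# show nat
!
! The crypto ACL hit counter should climb as the Telnet test to 192.168.10.200 runs
ASA2# show access-list outside_cryptomap
!
! Phase 1 and Phase 2 state; MM_ACTIVE means main mode completed with the peer
ASA2# show crypto ikev1 sa
ASA2# show crypto ipsec sa peer 209.165.200.226
!
! Negative check: an unsolicited connection from the INTERNET server to an inside host must be
! dropped by the implicit deny on the outside interface
ASA2# packet-tracer input outside tcp 209.165.200.11 1025 192.168.20.10 23
! Expected: "Action: drop" with "Drop-reason: (acl-drop) Flow is denied by configured rule"
```

Run the same two packet-tracer commands on ASA1 with the addresses swapped (inside source 192.168.10.200 to 192.168.20.10, and outside source 209.165.200.11 to 192.168.10.200) to confirm the local side behaves the same way.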