dmz

1. SEGURIDAD ASA
PROYECTADO POR:
ALEXANDER ZAMBRANO
ANDRES FELIPE PACHECO
FARID ESCOBAR

2. Servidores en la DMZ
Con ella creamos una
interfaz nueva y una
subred independiente,
pero siempre interna,
para poder controlar
mejor el acceso a los
servidores.
Outside
Inside
DMZ

3. La DMZ es una subred independiente, separada
de la LAN y de Internet

4. Tabla de reglas DMZ

5. COMANDO EN PACKET TRACER
 ciscoasa(config)#interface vlan 2
 ciscoasa(config-if)#ip addres 10.0.0.14 255.255.255.240
 ciscoasa(config)#interface vlan 3
 ciscoasa(config-if)#security-level 50
 ciscoasa(config)#interface vlan 3
 ciscoasa(config-if)#ip address 192.168.100.1 255.255.255.248
 ciscoasa(config-if)#nameif dmz
 ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1
interface(s) with nameif already configured.

6. COMANDO EN PACKET TRACER
 ciscoasa(config-if)#no forward interface vlan 1 (deniega el trafico de la vlan 1)
 ciscoasa(config-if)#nameif dmz
 ciscoasa(config)#class-map INSIDE-DMZ
 ciscoasa(config-cmap)#match any
 ciscoasa(config)#policy-map POLITICA-INSIDE-DMZ
 ciscoasa(config-pmap)#class INSIDE-DMZ
 ciscoasa(config-pmap-c)#INspect ?
 mode commands/options:
 dns
 ftp
 h323
 http
 icmp
 tftp

7. COMANDO EN PACKET TRACER
 ciscoasa(config-pmap-c)#INspect icmp
 ciscoasa(config-pmap-c)#exit
 ciscoasa(config)#SERvice-policy POLITICA-INSIDE-DMZ INTerface INside
 ciscoasa(config)#SH RUN
 ciscoasa(config)#OBJECT NETwork LAN
 ciscoasa(config-network-object)#SUBnet 192.168.1.0 255.255.255.0
 ciscoasa(config-network-object)#NAT (INside,Outside) DYnamic Interface
 ciscoasa(config)#OBJECT NETwork DMZ
 ciscoasa(config-network-object)#SUbnet 192.168.100.0 255.255.255.248

8. COMANDO EN PACKET TRACER
 ciscoasa(config-network-object)#NAT (dmz,outside) dynamic interface
 ciscoasa(config)#object network HTTP-MAIL-FTP
 ciscoasa(config-network-object)#HOSt 192.168.100.2
 ciscoasa(config-network-object)#nat (dmz,outside) static 10.0.0.4
 ciscoasa(config-network-object)#exit
 ciscoasa(config)#access-list ENTRANTE PERmit icmp any host 10.0.0.4 echo
 ciscoasa(config)#access-list ENTRANTE PERmit tcp any host 10.0.0.4 eq www

9. COMANDO EN PACKET TRACER
 ciscoasa(config)#access-list ENTRANTE PERmit tcp any host 10.0.0.4 eq ftp
 ciscoasa(config)#access-list ENTRANTE PERmit tcp any host 10.0.0.4 eq smtp
 ciscoasa(config)#access-list ENTRANTE PERmit tcp any host 10.0.0.4 eq
pop3
 ciscoasa(config)#access-list ENTRANTE PERmit tcp any host 10.0.0.4 lt ftp
 ciscoasa(config)#access-list ENTRANTE PERmit tcp any host 10.0.0.4 gt ftp

10. GRACIAS POR SU
ATENCION