Configuring VPN (IPsec and SSL) on the ASA Firewall - hainguyenit

TASK 1: Set the IP address and security-level of each interface

interface GigabitEthernet0/0
 nameif outside
 security-level        (level value missing in the source; ASA assigns 0 to an interface named "outside" by default)
 ip address 200.200.200.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0

TASK 2: Static NAT for the DMZ server, inbound ACL, default route and ICMP inspection

object network DMZ-Server-172.16.1.100
 host 172.16.1.100
 nat (dmz,outside) static 200.200.200.100
access-list OUTSIDE-to-DMZ extended permit ip any host 172.16.1.100
access-group OUTSIDE-to-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.1
policy-map global_policy
 class inspection_default
  inspect icmp

TASK 3,4: SSL VPN
https://bit.ly/3oCxPu3
https://www.youtube.com/watch?v=oSgTqDQtmG0

### Enable the SSL VPN feature ###
webvpn
### Point to the client package users download when they connect ###
### (file name taken from the firewall's "show flash:" output) ###
 anyconnect image flash:/anyconnect-win-4.1.08005-k9.pkg
### Allow VPN connections to the outside interface IP ###
 enable outside
### Turn on AnyConnect connections ###
 anyconnect enable
### Allow traffic arriving from the VPN in (this bypasses the interface ACLs) ###
sysopt connection permit-vpn
### Create the IP pool assigned to VPN users ###
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0
### Define the LAN range VPN users may reach (split tunnel) ###
access-list ALLOW-ACCESS-LAN standard permit 192.168.1.0 255.255.255.0
### Create the policy applied to VPN users ###
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ALLOW-ACCESS-LAN
 dns-server value 8.8.8.8
 exit
### Create the tunnel-group and attach the policy just created ###
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
 default-group-policy ANYCONNECT_POLICY
 address-pool VPN_POOL
 exit
tunnel-group MY_TUNNEL webvpn-attributes
 group-alias CHI_NHANH_01 enable
webvpn
 tunnel-group-list enable
### Create the user account ###
username hainm password hainm
username hainm attributes
 service-type remote-access
### Verify on the ASA ###
ciscoasa# show vpn-sessiondb anyconnect

TASK 5: Site-to-site VPN

PHASE 1: ON THE FIREWALL

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group        (DH group number missing in the source)
 lifetime 3600
 exit
crypto ikev1 enable outside
crypto isakmp identity address
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 ikev1 pre-shared-key key1234
access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

PHASE 2: ON THE FIREWALL

crypto map MY_CRYPTO_MAP 10 match address LAN1-to-LAN2
crypto map MY_CRYPTO_MAP 10 set peer 100.100.100.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface outside
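Both the AnyConnect part (TASK 3,4) and the site-to-site part (TASK 5) are chains of references: the tunnel-group points at a group-policy and a pool, the group-policy at a split-tunnel ACL, the crypto map at an ACL, a peer and a transform-set, and the peer must have its own ipsec-l2l tunnel-group holding the pre-shared key. A typo in any name, or a missing "crypto map ... interface outside", produces a tunnel that silently never negotiates. The following Python checker is an added example written for this page; it is not the author's material and not a Cisco tool. It assumes the ASA running-config convention of one leading space for mode sub-commands, and its input is a constructed re-typing of the page's configuration in which the IKEv1 policy's "group" line carries no DH group number, exactly as on the page, so that the checker has a real defect to report.

```python
"""Static consistency checks for the ASA remote-access and site-to-site VPN configuration above."""
import re
from collections import defaultdict

# Constructed sample (not a real device dump): the page's configuration re-typed in
# running-config form, mode sub-commands indented by one space. The IKEv1 policy's
# "group" line has no DH group number, exactly as on the page, so the checker flags it.
ASA_CONFIG = """\
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0
access-list ALLOW-ACCESS-LAN standard permit 192.168.1.0 255.255.255.0
access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ALLOW-ACCESS-LAN
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
 default-group-policy ANYCONNECT_POLICY
 address-pool VPN_POOL
tunnel-group 100.100.100.2 type ipsec-l2l
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group
 lifetime 3600
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto map MY_CRYPTO_MAP 10 match address LAN1-to-LAN2
crypto map MY_CRYPTO_MAP 10 set peer 100.100.100.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP interface outside
"""

MAP_ATTR = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)")


def parse_blocks(text):
    """Split running-config text into (command, [sub-commands]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_config(text):
    """Return a list of findings; an empty list means every reference resolves."""
    blocks = parse_blocks(text)
    findings = []
    def names(prefix, idx):  # object names defined by top-level commands with this prefix
        return {b.split()[idx] for b, _ in blocks if b.startswith(prefix)}
    acls, pools = names("access-list ", 1), names("ip local pool ", 3)
    group_policies = names("group-policy ", 1)
    transform_sets = names("crypto ipsec ikev1 transform-set ", 4)
    l2l_peers = {b.split()[1] for b, _ in blocks if b.endswith(" type ipsec-l2l")}

    # Phase 2: each crypto map entry needs an existing ACL, a peer that owns an ipsec-l2l
    # tunnel-group (the pre-shared key lives there) and an existing transform-set, and the
    # map must be bound to an interface or nothing ever negotiates.
    maps, applied = defaultdict(dict), set()
    for b, _ in blocks:
        m = MAP_ATTR.match(b)
        if m:
            maps[(m.group(1), m.group(2))][m.group(3)] = m.group(4)
        elif re.match(r"crypto map \S+ interface \S+", b):
            applied.add(b.split()[2])
    expected = {"match address": acls, "set peer": l2l_peers, "set ikev1 transform-set": transform_sets}
    for (name, seq), attrs in maps.items():
        for attr, defined in expected.items():
            if attr not in attrs:
                findings.append(f"crypto map {name} {seq}: missing '{attr}'")
            elif attrs[attr] not in defined:
                findings.append(f"crypto map {name} {seq}: '{attr} {attrs[attr]}' refers to nothing defined")
    for name in {n for n, _ in maps} - applied:
        findings.append(f"crypto map {name}: not applied to any interface")

    # Phase 1: an IKEv1 policy must state authentication, cipher, hash and a DH group value.
    for b, subs in blocks:
        if b.startswith("crypto ikev1 policy "):
            present = {s.split()[0]: s.split()[1:] for s in subs}
            for required in ("authentication", "encryption", "hash", "group"):
                if not present.get(required):
                    findings.append(f"{b}: '{required}' is missing or has no value")

    # Remote access: tunnel-group and group-policy attributes must reference defined objects.
    refs = {"default-group-policy": group_policies, "address-pool": pools,
            "split-tunnel-network-list value": acls}
    for b, subs in blocks:
        if b.endswith(" general-attributes") or b.endswith(" attributes"):
            for s in subs:
                for key, defined in refs.items():
                    if s.startswith(key + " ") and s[len(key) + 1:] not in defined:
                        findings.append(f"{b}: '{s}' refers to nothing defined")
    return findings
```

Run check_config on the text of "show running-config" before trusting "show vpn-sessiondb" or "show crypto ikev1 sa" for troubleshooting: on the sample above it reports only the IKEv1 policy whose "group" line has no value, and deleting the "crypto map MY_CRYPTO_MAP interface outside" line makes it report the unbound map as well. The checks are purely structural; they say nothing about whether the peer's policy matches, which only the live negotiation shows.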

Posted: 09/10/2021, 09:37
