Networking, Security & Cloud Knowledge

Saturday, August 9, 2014

SETUP and Configure ASA 5520 on GNS3


ASA on GNS3 – STEP by STEP TUTORIAL

Requirements / system used:

Laptop and Desktop (XP, dual core, 1 GB RAM, GNS3)


Software:

1.       GNS3: GNS3-0.8.7-all-in-one.exe

2.       Two files needed to run the ASA under GNS3: asa842-initrd.gz and asa842-vmlinuz

3.       ASA software: asa847-k8.bin

4.       ASDM: asdm-671.bin

5.       Java: Java SE 6 (JavaSetup7u65.exe)

6.       Settings for Qemu

a.      Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

b.      Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

*********************************************************************************
Setup diagram


Laptop 10.10.10.10 --- gig0 10.10.10.1 (inside) [ASA] (outside) gig1 192.168.1.100 --- Desktop


 Task 1: permit ICMP from inside to outside

 CLI:
class-map icmp
  match default-inspection-traffic
policy-map inside-policy
  class icmp
    inspect icmp
service-policy inside-policy interface inside


GUI: Configuration → Firewall → Service Policy Rules



*********************************************************************************
 Task 2: NAT the inside host with a static NAT (global IP 20.20.20.20)

 CLI:
no access-group outside_access_in in interface outside

object network DESKTOP
  host 192.168.1.10

object network LAPTOP
  host 10.10.10.10

object network NATPOOL20
  host 20.20.20.20

nat (inside,outside) 1 source static LAPTOP NATPOOL20 destination static DESKTOP DESKTOP

 Note: the "1" is the position of this NAT rule within section 1 (the manual rules evaluated before the auto/object NAT section); the allowed range is <1-2147483647>.

verification:



GUI: Configuration → Firewall → NAT Rules → Add


******************************************************************************
Task 3: permit ping from the outside host (192.168.1.10) to the inside host (NATted address 20.20.20.20)

CLI:
object network DESKTOP
  host 192.168.1.10

object network LAPTOP
  host 10.10.10.10

access-list outside_access_in line 1 remark Allow ping from outside 192.168.1.10 to inside 10.10.10.10

access-list outside_access_in line 2 extended permit ip object DESKTOP object LAPTOP

access-group outside_access_in in interface outside
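The checks that tie the three tasks together, as an added example (not from the original post): standard ASA show and packet-tracer commands run on the firewall itself, with 192.168.1.99 a constructed address for the negative check. Since the outside ACL permits ip rather than icmp, the negative check is also worth repeating with a TCP port to see how wide the rule really is.

```cisco
! Task 1: inside -> outside echo request. Expect "Result: ALLOW" and an
! INSPECT phase for icmp; the inspection is what lets the echo reply back in.
packet-tracer input inside icmp 10.10.10.10 8 0 192.168.1.10 detailed
show service-policy interface inside

! Task 2: the same packet must leave with source 20.20.20.20. The NAT phase
! of the trace above shows the mapping; the xlate table confirms it after a
! real ping from the laptop.
show nat detail
show xlate

! Task 3: outside -> inside echo request to the mapped address. Expect
! "Result: ALLOW" with an UN-NAT phase to 10.10.10.10 and an ACCESS-LIST
! phase that hits outside_access_in. The ACL is written against the real IP
! (object LAPTOP), because on 8.3+ code access lists match real addresses,
! not mapped ones.
packet-tracer input outside icmp 192.168.1.10 8 0 20.20.20.20 detailed
show access-list outside_access_in

! Negative check (192.168.1.99 is a constructed source): any other outside
! host must fall through to the implicit deny at the end of the ACL and
! show "Result: DROP".
packet-tracer input outside icmp 192.168.1.99 8 0 20.20.20.20
```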


GUI:




**********************************************************************************