40.3 Security and VRF lite

Router running VRF-aware Zone-Based Firewall Network Setup
When The Network Design Fits

Scenario 1
There are multiple tenants within the same building that share the same switch, the same router, and the same Internet line. From each tenant's perspective there is a dedicated Internet connection and a dedicated network only for them: a tenant cannot see any other tenant's network, even though all tenants share the same equipment and the same Internet line.

Scenario 2
There is a single tenant within the building. The tenant has multiple networks: Public, Private, DMZ, and Lab. Security policy requires total separation between these networks. From each network's perspective there is a dedicated Internet connection and a dedicated network only for it: no network can see or talk to the others, even though all of them share the same equipment and the same Internet line.

Other scenarios may fit this design as well; the two above are sufficient for illustration.

Objectives
* Multiple networks on all equipment (in this case, the switch and the router)
* No network can see any other network
* All networks share the same Internet line
* A decent firewall implemented on the router for security

Solution
Deploy VRF-aware CBAC or Zone-Based Firewall

Implementation
* Trunk the router and the switch
* Create the VLANs on the switch
* Create sub-interfaces on the router
* Assign an IP address to each sub-interface
* Each sub-interface IP address is the default gateway of its respective VLAN
* Assign each network its own VLAN
* Assign each VLAN its own VRF
* Implement the VRF-aware CBAC or Zone-Based Firewall as described under Solution

Sample Configuration

Cisco IOS VRF-aware Zone-Based Firewall

version 12.4
!
ip cef
!
ip vrf acct
!
ip vrf arch
!
ip vrf atty
!
! Outbound policy: only these protocols are inspected from the tenant zones to the
! Internet. Anything else (including DNS) hits the implicit class-default drop, so
! add the protocols your tenants actually use.
class-map type inspect match-any out-cmap
 match protocol http
 match protocol https
 match protocol ftp
 match protocol smtp
!
class-map type inspect match-all pub-arch-cmap
 match access-group 121
 match protocol ftp
!
! The page's listing had "match protocol http" here, but 10.1.2.3 is the Acct mail
! server and its static NAT below exposes TCP 25; with match-all, an http class
! would never allow the inbound SMTP session.
class-map type inspect match-all pub-acct-cmap
 match access-group 122
 match protocol smtp
!
class-map type inspect match-all pub-atty-mail-cmap
 match access-group 123
 match protocol smtp
!
class-map type inspect match-all pub-atty-web-cmap
 match access-group 124
 match protocol http
!
policy-map type inspect arch-pub-pmap
 class type inspect out-cmap
  inspect
!
policy-map type inspect acct-pub-pmap
 class type inspect out-cmap
  inspect
!
policy-map type inspect atty-pub-pmap
 class type inspect out-cmap
  inspect
!
policy-map type inspect pub-arch-pmap
 class type inspect pub-arch-cmap
  inspect
!
policy-map type inspect pub-acct-pmap
 class type inspect pub-acct-cmap
  inspect
!
policy-map type inspect pub-atty-pmap
 class type inspect pub-atty-mail-cmap
  inspect
 class type inspect pub-atty-web-cmap
  inspect
!
policy-map type inspect pub-self-pmap
 class class-default
  drop log
!
zone security arch
zone security acct
zone security atty
zone security public
zone-pair security arch-pub source arch destination public
 service-policy type inspect arch-pub-pmap
zone-pair security acct-pub source acct destination public
 service-policy type inspect acct-pub-pmap
zone-pair security atty-pub source atty destination public
 service-policy type inspect atty-pub-pmap
zone-pair security pub-arch source public destination arch
 service-policy type inspect pub-arch-pmap
zone-pair security pub-acct source public destination acct
 service-policy type inspect pub-acct-pmap
zone-pair security pub-atty source public destination atty
 service-policy type inspect pub-atty-pmap
zone-pair security pub-self source public destination self
 service-policy type inspect pub-self-pmap
!
! There are deliberately no zone-pairs between tenant zones: traffic between two
! security zones that have no zone-pair is dropped, and the separate VRF tables
! keep it from being routed in the first place. Only public->self is policed;
! traffic from the tenant zones to the router itself (the self zone) is allowed by
! default, so add zone-pairs for it if tenants must not reach the router's own
! services.
!
interface FastEthernet0/0
 description Facing Internet
 ip address 1.0.0.2 255.255.255.252
 ip nat outside
 zone-member security public
 ip virtual-reassembly
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description Trunk to Switch
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
! Every tenant reuses 10.1.2.0/24. That is legal because each VRF has its own
! routing table; the per-VRF NAT pools below give each tenant a distinct public address.
interface FastEthernet0/1.171
 description Acct Network
 encapsulation dot1Q 171
 ip vrf forwarding acct
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 zone-member security acct
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.172
 description Arch Network
 encapsulation dot1Q 172
 ip vrf forwarding arch
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 zone-member security arch
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1.173
 description Atty Network
 encapsulation dot1Q 173
 ip vrf forwarding atty
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 zone-member security atty
 ip virtual-reassembly
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 1.0.0.1
ip route vrf acct 0.0.0.0 0.0.0.0 1.0.0.1 global
ip route vrf arch 0.0.0.0 0.0.0.0 1.0.0.1 global
ip route vrf atty 0.0.0.0 0.0.0.0 1.0.0.1 global
!
ip nat pool Global-acct 1.0.1.1 1.0.1.1 netmask 255.255.255.0 add-route
ip nat pool Global-arch 1.0.2.1 1.0.2.1 netmask 255.255.255.0 add-route
ip nat pool Global-atty 1.0.3.1 1.0.3.1 netmask 255.255.255.0 add-route
ip nat inside source list 10 pool Global-acct vrf acct overload
ip nat inside source list 20 pool Global-arch vrf arch overload
ip nat inside source list 30 pool Global-atty vrf atty overload
!
! The following static NAT translations allow access from the Internet to
! servers in each VRF. Be sure each static translation correlates to an "inspect"
! class in the Internet-facing (public -> zone) part of the Zone Firewall
! configuration. Note that the ACLs used in the firewall match the end-host
! address, not the NAT outside address.
!
ip nat inside source static tcp 10.1.2.2 21 1.0.2.2 21 vrf arch extendable
ip nat inside source static tcp 10.1.2.3 25 1.0.1.2 25 vrf acct extendable
ip nat inside source static tcp 10.1.2.4 25 1.0.3.2 25 vrf atty extendable
ip nat inside source static tcp 10.1.2.5 80 1.0.3.3 80 vrf atty extendable
!
! The page's listing had these three NAT ACLs as "remark" lines only, which leaves
! them empty so they match nothing; they must be permit entries for the overload
! translations above to work.
access-list 10 remark NAT for Network acct
access-list 10 permit 10.1.2.0 0.0.0.255
access-list 20 remark NAT for Network arch
access-list 20 permit 10.1.2.0 0.0.0.255
access-list 30 remark NAT for Network atty
access-list 30 permit 10.1.2.0 0.0.0.255
!
access-list 121 remark Arch Network FTP server
access-list 121 permit ip any host 10.1.2.2
access-list 122 remark Acct Network Mail server
access-list 122 permit ip any host 10.1.2.3
access-list 123 remark Atty Network Mail server
access-list 123 permit ip any host 10.1.2.4
access-list 124 remark Atty Network Web server
access-list 124 permit ip any host 10.1.2.5
!
! Disable CDP
!
no cdp run
!
end

Switch

vlan 1,171-173
!
interface FastEthernet0/1
 description LAN 1
 switchport access vlan 171
 switchport mode access
!
interface FastEthernet0/2
 description LAN 2
 switchport access vlan 172
 switchport mode access
!
interface FastEthernet0/3
 description LAN 3
 switchport access vlan 173
 switchport mode access
!
interface FastEthernet0/12
 description Trunk to Router
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,171-173
 switchport mode trunk
!
interface Vlan1
 description VLAN database management only
 shutdown
!

Discussions and More Sample Configurations
Cisco IOS Firewall Classic and Zone-Based Virtual Firewall Application Configuration Example

Example 2: Router, ASA, and Switch with VRF, Multiple Context, and Trunking

Say there is a T1/E1 circuit that must be dedicated to the Production network, and a separate DSL/Cable/Wireless connection used only for Internet access. Typically the T1/E1 circuit carries server connectivity and internal usage, and the DSL/Cable/Wireless line serves vendors or business partners who need Internet access only, without access to the Production network. The network design follows.
Objectives
* Multiple networks on all equipment (in this case the switch, the ASA, and the router)
* Three networks: Production, Internet Only, and admin
* The Production network is for server connectivity and internal usage
* The Internet-Only network is for vendors or business partners who need Internet access only, without access to the Production network
* The admin network is for general network administration
* No network (Production, Internet Only, admin) can see any other network
* All networks share the same equ­ipment
* The Production network uses only the T1/E1 and can never use the DSL/Cable/Wireless line
* The Internet-Only network uses only the DSL/Cable/Wireless line and can never use the T1/E1
* The admin network does not need Internet access; it exists only for general network administration
* A dedicated firewall for each network as a security measure

Solution
Deploy VRF, Multiple Context, and Trunking

Implementation
* Trunk the router FastEthernet0/0 port and the ASA Outside port
* Create three VLANs within that trunk as the Outside networks: the 1st VLAN for Production, the 2nd for Internet Only, and the 3rd for admin
* Connect the T1/E1 to router Serial0/0 and the DSL/Cable/Wireless to router FastEthernet0/1
* Trunk the ASA Inside port and the switch
* Create three VLANs within that trunk as the Inside networks: the 1st VLAN for Production, the 2nd for Internet Only, and the 3rd for admin
* Assign some switch ports to Production, some to Internet Only, and some to admin
* Set up Multiple Context mode on the ASA with a Production context, an InternetOnly context, and an admin context
* Each context is the dedicated (virtual) firewall for its network; i.e. the Production context is the dedicated firewall for the Production network
* Set the Outside and Inside networks for the Production, InternetOnly, and admin contexts
* The ASA Production context does NAT/PAT, whereas the router does NAT/PAT for the InternetOnly context
* No NAT/PAT is necessary for the admin context

Sample Configuration

Router

version 12.4
!
ip cef
!
ip vrf admin
!
ip vrf Production
!
ip vrf InternetOnly
!
interface FastEthernet0/0
 description Trunk to ASA
 no ip address
 duplex full
 speed 100
 no cdp enable
!
interface FastEthernet0/0.1
 description Production
 encapsulation dot1Q 3
 ip vrf forwarding Production
 ip address 1.1.1.65 255.255.255.248
 no cdp enable
!
interface FastEthernet0/0.2
 description Internet Only
 encapsulation dot1Q 8
 ip vrf forwarding InternetOnly
 ip address 192.168.1.76 255.255.255.248
 ip nat inside
 no cdp enable
!
interface FastEthernet0/0.3
 description Admin
 encapsulation dot1Q 10
 ip vrf forwarding admin
 ip address 192.168.0.17 255.255.255.248
 no cdp enable
!
interface FastEthernet0/1
 description Cable - Internet Only
 ip vrf forwarding InternetOnly
 ip address dhcp
 ip nat outside
 no cdp enable
!
interface Serial0/0
 description T1 - Production
 ip vrf forwarding Production
 ip address 1.0.0.2 255.255.255.252
 no cdp enable
!
ip route vrf Production 0.0.0.0 0.0.0.0 1.0.0.1
ip route vrf InternetOnly 0.0.0.0 0.0.0.0 dhcp
!
! Return routes (not in the page's listing). The router needs a route back to the
! networks behind each ASA context: the InternetOnly context hands 172.17.180.0/24
! to the router untranslated (the router does the NAT, see access-list 10), the
! Production context's nonat ACL lets its inside subnets reach the router
! untranslated, and the admin context forwards management traffic from its inside
! networks. Without these, replies would follow each VRF's default route instead.
ip route vrf InternetOnly 172.17.180.0 255.255.255.0 192.168.1.74
ip route vrf Production 10.0.0.0 255.0.0.0 1.1.1.66
ip route vrf Production 172.16.0.0 255.240.0.0 1.1.1.66
ip route vrf Production 192.168.0.0 255.255.0.0 1.1.1.66
ip route vrf admin 10.0.0.0 255.0.0.0 192.168.0.18
ip route vrf admin 172.16.0.0 255.240.0.0 192.168.0.18
!
ip nat inside source list 10 interface FastEthernet0/1 vrf InternetOnly overload
!
access-list 10 remark NAT for Internet-Only users
access-list 10 permit 172.17.180.0 0.0.0.255
!
no cdp run
!
end

System Context

ASA Version 7.2(3) <system>
!
hostname asasystem
domain-name yourdomain.com
enable password ***** encrypted
no mac-address auto
!
interface Ethernet0/0
 description Outside
 speed 100
 duplex full
!
interface Ethernet0/0.1
 vlan 3
!
interface Ethernet0/0.2
 vlan 8
!
interface Ethernet0/0.3
 vlan 10
!
interface Ethernet0/1
 description Inside
 speed 100
 duplex full
!
interface Ethernet0/1.1
 vlan 7
!
interface Ethernet0/1.2
 vlan 180
!
interface Ethernet0/1.3
 vlan 11
!
interface Ethernet0/2
 description Reserved for DMZ
 speed 100
 duplex full
!
interface Ethernet0/3
!
interface Management0/0
!
class default
 limit-resource All 0
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
no failover
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
 description Management
 allocate-interface Ethernet0/0.3 Outside_Management
 allocate-interface Ethernet0/1.3 Inside_Management
 config-url disk0:/admin.cfg
!
context Production
 description Production
 allocate-interface Ethernet0/0.1 Outside_Production
 allocate-interface Ethernet0/1.1 Inside_Production
 config-url disk0:/production.cfg
!
context InternetOnly
 description Internet Only
 allocate-interface Ethernet0/0.2 Outside_InternetOnly
 allocate-interface Ethernet0/1.2 Inside_InternetOnly
 config-url disk0:/internetonly.cfg
!
username admin password ****** encrypted privilege 15
prompt hostname context
Cryptochecksum:**************
: end

Admin Context

ASA Version 7.2(3) <context>
!
hostname asaadmin
domain-name yourdomain.com
enable password ***** encrypted
names
!
interface Outside_Management
 nameif outside
 security-level 0
 ip address 192.168.0.18 255.255.255.248
!
interface Inside_Management
 nameif inside
 security-level 100
 ip address 172.17.0.4 255.255.255.0
!
passwd ****** encrypted
banner motd WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
banner motd Activities on and access to this system are monitored and recorded.
banner motd Use of this system is your express consent to such monitoring and recording.
banner motd
banner motd ANY UNAUTHORIZED ACCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.
dns server-group DefaultDNS
 domain-name yourdomain.com
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service Nachi_Worm tcp-udp
 port-object eq 707
object-group service Kerberos tcp-udp
 port-object eq 4444
object-group service MS_Ports tcp-udp
 port-object eq 135
 port-object range 137 139
 port-object eq 445
 port-object eq 593
object-group service IM_Virus tcp-udp
 port-object eq 5001
object-group service Zincite_Virus tcp-udp
 port-object eq 1034
object-group service Sasser_Worm tcp
 port-object eq 5554
 port-object eq 9996
object-group service Beagle.O_Virus tcp-udp
 port-object eq 81
object-group network gotomypc.com
 network-object host 66.151.158.177
object-group service Dameware tcp-udp
 port-object eq 6129
object-group service Mail_Services tcp
 port-object eq smtp
 port-object eq pop3
access-list nonat extended permit ip any any log
access-list inside remark Deny Control Channel Commands for Nachi worm
access-list inside extended deny object-group TCP-UDP any any object-group Nachi_Worm
access-list inside remark Block TCP/UDP 4444 (the object-group is named Kerberos, but Kerberos uses port 88; TCP 4444 is the Blaster worm's remote shell)
access-list inside extended deny object-group TCP-UDP any any object-group Kerberos
access-list inside remark Block Vulnerable Microsoft Ports
access-list inside extended deny object-group TCP-UDP any any object-group MS_Ports
access-list inside remark Block IM VIRUS
access-list inside extended deny object-group TCP-UDP any any object-group IM_Virus
access-list inside remark Block zincite virus
access-list inside extended deny object-group TCP-UDP any any object-group Zincite_Virus
access-list inside remark Block Sasser Worm
access-list inside extended deny tcp any any object-group Sasser_Worm
access-list inside remark Block Beagle.O virus
access-list inside extended deny object-group TCP-UDP any any object-group Beagle.O_Virus
access-list inside remark Block gotomypc.com
access-list inside extended deny ip any object-group gotomypc.com
access-list inside remark Block Dameware
access-list inside extended deny object-group TCP-UDP any any object-group Dameware
access-list inside remark Block other users from pop3 and smtp mail
access-list inside extended deny tcp any any object-group Mail_Services
access-list inside remark Permit All traffic thereafter
access-list inside extended permit ip any any log
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered errors
logging trap debugging
logging history errors
logging asdm informational
logging facility 19
logging device-id hostname
logging host inside 172.17.200.232
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.17 1
route inside 10.0.0.0 255.0.0.0 172.17.0.1 1
route inside 172.16.0.0 255.240.0.0 172.17.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
 reactivation-mode depletion deadtime 3
 max-failed-attempts 4
aaa-server TACACS+ host 172.17.200.231
 key *******
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command privilege 15 TACACS+
snmp-server host inside 172.17.200.126 community *****
snmp-server host inside 172.17.200.127 community *****
snmp-server host inside 172.17.200.130 community *****
snmp-server host inside 172.17.200.131 community *****
snmp-server host inside 172.17.200.132 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet timeout 5
ssh 172.17.105.0 255.255.255.0 inside
ssh 172.17.200.0 255.255.255.0 inside
ssh 10.4.5.0 255.255.255.0 inside
ssh 172.17.100.0 255.255.255.0 inside
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
username admin password ***** encrypted privilege 15
Cryptochecksum:*******
: end

Production Context

ASA Version 7.2(3) <context>
!
hostname asaprod
domain-name yourdomain.com
enable password ***** encrypted
names
dns-guard
!
interface Outside_Production
 nameif outside
 security-level 0
 ip address 1.1.1.66 255.255.255.248
!
interface Inside_Production
 nameif inside
 security-level 100
 ip address 172.16.3.240 255.255.0.0
!
passwd ****** encrypted
banner motd WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
banner motd Activities on and access to this system are monitored and recorded.
banner motd Use of this system is your express consent to such monitoring and recording.
banner motd
banner motd ANY UNAUTHORIZED ACCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.
dns server-group DefaultDNS
 domain-name yourdomain.com
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service Zincite_Virus tcp-udp
 port-object eq 1034
object-group service Sasser_Worm tcp
 port-object eq 5554
 port-object eq 9996
object-group service Beagle.O_Virus tcp-udp
 port-object eq 81
object-group service Dameware tcp-udp
 port-object eq 6129
object-group service Mail_Services tcp
 port-object eq smtp
 port-object eq pop3
object-group network gotomypc.com
 network-object host 66.151.158.177
object-group network ProdINSIDE
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network IT
 network-object 172.17.105.0 255.255.255.0
object-group network Internet_Routers
 network-object host 1.1.1.65
object-group network OUTSIDE
 group-object Internet_Routers
object-group network Special_Subnets
 group-object IT
object-group service IM_Virus tcp-udp
 port-object eq 5001
object-group service MS_Ports tcp-udp
 port-object eq 135
 port-object range 137 139
 port-object eq 445
 port-object eq 593
object-group service Kerberos tcp-udp
 port-object eq 4444
object-group service Nachi_Worm tcp-udp
 port-object eq 707
access-list inside remark Deny Control Channel Commands for Nachi worm
access-list inside extended deny object-group TCP-UDP any any object-group Nachi_Worm
access-list inside remark Block TCP/UDP 4444 (the object-group is named Kerberos, but Kerberos uses port 88; TCP 4444 is the Blaster worm's remote shell)
access-list inside extended deny object-group TCP-UDP any any object-group Kerberos
access-list inside remark Block Vulnerable Microsoft Ports
access-list inside extended deny object-group TCP-UDP any any object-group MS_Ports
access-list inside remark Block IM VIRUS
access-list inside extended deny object-group TCP-UDP any any object-group IM_Virus
access-list inside remark Block zincite virus
access-list inside extended deny object-group TCP-UDP any any object-group Zincite_Virus
access-list inside remark Block Sasser Worm
access-list inside extended deny tcp any any object-group Sasser_Worm
access-list inside remark Block Beagle.O virus
access-list inside extended deny object-group TCP-UDP any any object-group Beagle.O_Virus
access-list inside remark Block gotomypc.com
access-list inside extended deny ip any object-group gotomypc.com
access-list inside remark Block Dameware
access-list inside extended deny object-group TCP-UDP any any object-group Dameware
access-list inside remark Allow certain subnets to send pop3 and smtp mail
access-list inside extended permit tcp object-group Special_Subnets any object-group Mail_Services
access-list inside remark Block other users from pop3 and smtp mail
access-list inside extended deny tcp any any object-group Mail_Services
access-list inside remark Permit All traffic thereafter
access-list inside extended permit ip any any
access-list nonat extended permit ip object-group ProdINSIDE object-group OUTSIDE
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered errors
logging trap debugging
logging history errors
logging asdm informational
logging facility 19
logging device-id hostname
logging host inside 172.17.200.232
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 1.1.1.67
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
! The page's listing also had "access-group outside in interface outside" here, but
! this context defines no access-list named "outside", so the ASA rejects the
! command. It is omitted: with no ACL applied, the ASA default already blocks
! connections initiated from the lower-security outside interface.
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.65 1
route inside 10.0.0.0 255.0.0.0 172.16.0.1 1
route inside 172.16.0.0 255.240.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
 reactivation-mode depletion deadtime 3
 max-failed-attempts 4
aaa-server TACACS+ host 172.17.200.231
 key ******
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
snmp-server host inside 172.17.200.126 community *****
snmp-server host inside 172.17.200.127 community *****
snmp-server host inside 172.17.200.130 community *****
snmp-server host inside 172.17.200.131 community *****
snmp-server host inside 172.17.200.132 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetoutside
telnet timeout 5
ssh 172.17.105.0 255.255.255.0 inside
ssh 172.17.200.0 255.255.255.0 inside
ssh 10.4.5.0 255.255.255.0 inside
ssh 172.17.100.0 255.255.255.0 inside
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
username admin password ******* encrypted privilege 15
Cryptochecksum:00000000000000000000000000000000
: end

InternetOnly Context

ASA Version 7.2(3) <context>
!
hostname asapublic
domain-name yourdomain.com
enable password ****** encrypted
names
dns-guard
!
! The page's listing gave this interface 1.1.1.74, which is not on the subnet of
! the router's FastEthernet0/0.2 (192.168.1.72/29) that this context's default
! route (192.168.1.76) points into; corrected to the router-facing subnet.
interface Outside_InternetOnly
 nameif outside
 security-level 0
 ip address 192.168.1.74 255.255.255.248
!
interface Inside_InternetOnly
 nameif inside
 security-level 100
 ip address 172.17.180.1 255.255.255.0
!
passwd ****** encrypted
banner motd WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AUTHORISED PERSONS!
banner motd Activities on and access to this system are monitored and recorded.
banner motd Use of this system is your express consent to such monitoring and recording.
banner motd
banner motd ANY UNAUTHORIZED ACCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT IN CRIMINAL AND/OR CIVIL PENALTIES.
dns server-group DefaultDNS
 domain-name yourdomain.com
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group network gotomypc.com
 network-object host 66.151.158.177
object-group network Vendor_Subnet
 network-object 172.17.180.0 255.255.255.0
object-group service Zincite_Virus tcp-udp
 port-object eq 1034
object-group service Sasser_Worm tcp
 port-object eq 5554
 port-object eq 9996
object-group service Beagle.O_Virus tcp-udp
 port-object eq 81
object-group service Dameware tcp-udp
 port-object eq 6129
object-group service Mail_Services tcp
 port-object eq smtp
 port-object eq pop3
object-group service IM_Virus tcp-udp
 port-object eq 5001
object-group service MS_Ports tcp-udp
 port-object eq 135
 port-object range 137 139
 port-object eq 445
 port-object eq 593
object-group service Kerberos tcp-udp
 port-object eq 4444
object-group service Nachi_Worm tcp-udp
 port-object eq 707
object-group network ProdINSIDE
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list InternetOnly remark Permitted subnet to go out (identity NAT; the router does the PAT)
access-list InternetOnly extended permit ip object-group Vendor_Subnet any
! Order matters: this deny must sit above the closing "permit ip any any". The
! separate context and VRF already keep Production unreachable from here; the ACL
! is defence in depth.
access-list inside remark Deny traffic to Production
access-list inside extended deny ip any object-group ProdINSIDE
access-list inside remark Deny Control Channel Commands for Nachi worm
access-list inside extended deny object-group TCP-UDP any any object-group Nachi_Worm
access-list inside remark Block TCP/UDP 4444 (the object-group is named Kerberos, but Kerberos uses port 88; TCP 4444 is the Blaster worm's remote shell)
access-list inside extended deny object-group TCP-UDP any any object-group Kerberos
access-list inside remark Block Vulnerable Microsoft Ports
access-list inside extended deny object-group TCP-UDP any any object-group MS_Ports
access-list inside remark Block IM VIRUS
access-list inside extended deny object-group TCP-UDP any any object-group IM_Virus
access-list inside remark Block zincite virus
access-list inside extended deny object-group TCP-UDP any any object-group Zincite_Virus
access-list inside remark Block Sasser Worm
access-list inside extended deny tcp any any object-group Sasser_Worm
access-list inside remark Block Beagle.O virus
access-list inside extended deny object-group TCP-UDP any any object-group Beagle.O_Virus
access-list inside remark Block gotomypc.com
access-list inside extended deny ip any object-group gotomypc.com
access-list inside remark Block Dameware
access-list inside extended deny object-group TCP-UDP any any object-group Dameware
access-list inside remark Allow the vendor subnet to send pop3 and smtp mail
access-list inside extended permit tcp object-group Vendor_Subnet any object-group Mail_Services
access-list inside remark Block other users from pop3 and smtp mail
access-list inside extended deny tcp any any object-group Mail_Services
access-list inside remark Permit All traffic thereafter
access-list inside extended permit ip any any
access-list outside remark Permitted traffic entering from the Internet
access-list outside extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered errors
logging trap debugging
logging history errors
logging asdm informational
logging facility 19
logging device-id hostname
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list InternetOnly
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.76 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
service resetoutside
telnet timeout 5
! The page's listing allowed SSH from 1.1.1.64/27 on outside, which is not this
! context's outside subnet; adjusted to the router-facing 192.168.1.72/29.
ssh 192.168.1.72 255.255.255.248 outside
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
username admin password ***** encrypted privilege 15
Cryptochecksum:00000000000000000000000000000000
: end

Switch

vlan 1,7,11,180
!
interface FastEthernet0/1
 description LAN 1
 switchport access vlan 7
 switchport mode access
!
interface FastEthernet0/2
 description LAN 2
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 description LAN 3
 switchport access vlan 180
 switchport mode access
!
interface FastEthernet0/12
 description Trunk to ASA Inside
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,11,180
 switchport mode trunk
!
interface Vlan1
 description VLAN database management only
 shutdown
!
interface Vlan11
 description Admin
 ip address 172.17.0.5 255.255.255.0
!
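The comment in Example 1's router configuration says to make sure every static NAT translation "correlates to an inspect statement" on the Internet-facing zone-pair. The script below is an added example (not part of this page or of Cisco's configuration guide) that performs that correlation mechanically over the configuration text: for each "ip nat inside source static tcp" line it finds the VRF's zone via the sub-interface that carries both "ip vrf forwarding" and "zone-member", the zone-pair from the Internet-facing zone to it, and checks that some class in that zone-pair's policy-map matches both the inside host's ACL and the inspect protocol implied by the forwarded port. The Internet-facing zone name ("public") and the port-to-protocol table are assumptions of the script, and the excerpt keeps "match protocol http" in pub-acct-cmap as it appeared in the page's listing, even though 10.1.2.3 is the Acct mail server, so the check has something to report.

```python
"""Correlate static NAT entries with the zone-based firewall policy (Example 1).

Added example, not part of the page or of Cisco's guide. For each
'ip nat inside source static tcp' line it finds the VRF's zone (the sub-interface
carrying both 'ip vrf forwarding' and 'zone-member'), the zone-pair from the
Internet-facing zone to it, and checks that a class in that zone-pair's
policy-map matches the inside host's ACL and the port's inspect protocol.
"""
import re
from collections import defaultdict

# Constructed excerpt of the Example 1 router config. pub-acct-cmap keeps the
# 'match protocol http' of the page's listing even though 10.1.2.3 is the Acct
# mail server whose static NAT exposes TCP 25, so the check has something to find.
IOS_CFG = """\
class-map type inspect match-all pub-acct-cmap
 match access-group 122
 match protocol http
class-map type inspect match-all pub-atty-mail-cmap
 match access-group 123
 match protocol smtp
class-map type inspect match-all pub-atty-web-cmap
 match access-group 124
 match protocol http
policy-map type inspect pub-acct-pmap
 class type inspect pub-acct-cmap
  inspect
policy-map type inspect pub-atty-pmap
 class type inspect pub-atty-mail-cmap
  inspect
 class type inspect pub-atty-web-cmap
  inspect
zone-pair security pub-acct source public destination acct
 service-policy type inspect pub-acct-pmap
zone-pair security pub-atty source public destination atty
 service-policy type inspect pub-atty-pmap
interface FastEthernet0/1.171
 ip vrf forwarding acct
 zone-member security acct
interface FastEthernet0/1.173
 ip vrf forwarding atty
 zone-member security atty
ip nat inside source static tcp 10.1.2.3 25 1.0.1.2 25 vrf acct extendable
ip nat inside source static tcp 10.1.2.4 25 1.0.3.2 25 vrf atty extendable
ip nat inside source static tcp 10.1.2.5 80 1.0.3.3 80 vrf atty extendable
access-list 122 permit ip any host 10.1.2.3
access-list 123 permit ip any host 10.1.2.4
access-list 124 permit ip any host 10.1.2.5
"""

# Assumption: which ZBF inspect protocol a forwarded TCP port implies.
PORT_PROTO = {21: "ftp", 25: "smtp", 80: "http", 443: "https"}


def parse(cfg):
    """Pull out class-maps, policy-maps, zone-pairs, ACL hosts, VRF->zone, statics."""
    cmaps, pmaps, zpairs = {}, defaultdict(list), {}
    acls, vrf_zone, statics = defaultdict(set), {}, []
    kind = ctx = vrf = None
    for raw in cfg.splitlines():
        s = raw.strip()
        if m := re.match(r"class-map type inspect (?:match-\w+ )?(\S+)$", s):
            kind, ctx = "cmap", m.group(1)
            cmaps[ctx] = {"acl": None, "protos": set()}
        elif m := re.match(r"policy-map type inspect (\S+)$", s):
            kind, ctx = "pmap", m.group(1)
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", s):
            kind, ctx = "zpair", (m.group(1), m.group(2))
        elif m := re.match(r"interface (\S+)$", s):
            kind, ctx, vrf = "intf", m.group(1), None
        elif m := re.match(r"ip nat inside source static tcp (\S+) (\d+) \S+ \d+ vrf (\S+)", s):
            statics.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := re.match(r"access-list (\d+) permit ip any host (\S+)$", s):
            acls[m.group(1)].add(m.group(2))
        elif kind == "cmap" and (m := re.match(r"match access-group (\d+)$", s)):
            cmaps[ctx]["acl"] = m.group(1)
        elif kind == "cmap" and (m := re.match(r"match protocol (\S+)$", s)):
            cmaps[ctx]["protos"].add(m.group(1))
        elif kind == "pmap" and (m := re.match(r"class type inspect (\S+)$", s)):
            pmaps[ctx].append(m.group(1))
        elif kind == "zpair" and (m := re.match(r"service-policy type inspect (\S+)$", s)):
            zpairs[ctx] = m.group(1)
        elif kind == "intf" and (m := re.match(r"ip vrf forwarding (\S+)$", s)):
            vrf = m.group(1)
        elif kind == "intf" and vrf and (m := re.match(r"zone-member security (\S+)$", s)):
            vrf_zone[vrf] = m.group(1)
    return cmaps, pmaps, zpairs, acls, vrf_zone, statics


def check_static_nat(cfg=IOS_CFG, internet_zone="public"):
    """Return [(inside_ip, port, vrf, problem)]; empty means every static
    translation is covered by an inspect class on the Internet-facing zone-pair."""
    cmaps, pmaps, zpairs, acls, vrf_zone, statics = parse(cfg)
    problems = []
    for ip, port, vrf in statics:
        proto, zone = PORT_PROTO.get(port), vrf_zone.get(vrf)
        pmap = zpairs.get((internet_zone, zone))
        if pmap is None:
            problems.append((ip, port, vrf, f"no zone-pair {internet_zone} -> {zone}"))
            continue
        classes = [cmaps.get(n, {"acl": None, "protos": set()}) for n in pmaps[pmap]]
        if not any(ip in acls[c["acl"]] and proto in c["protos"] for c in classes):
            problems.append((ip, port, vrf, f"{pmap}: no class matches host {ip} with {proto}"))
    return problems
```

Run against the excerpt, check_static_nat() reports only the Acct mail server: pub-acct-pmap has no class that matches host 10.1.2.3 with smtp, which is exactly the silent drop a match-all http class produces for an inbound SMTP session. Changing that class to "match protocol smtp" empties the report. A real configuration needs the same treatment for every port you forward; anything outside PORT_PROTO is reported as unmatched rather than guessed.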
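The InternetOnly context in Example 2 relies on ACL ordering for its separation guarantee: the "deny ip any object-group ProdINSIDE" line has to sit above the closing "permit ip any any", and the mail exception for Vendor_Subnet has to precede the general Mail_Services deny. The following added example (not the page's own code) expands the ASA 7.2 object-groups that ACL uses and evaluates sample flows top-down with the implicit deny at the end, which is how the ASA applies an access-group. It handles only the constructs present in that ACL (protocol, network and service object-groups; any/host/subnet addresses; eq and range ports). The sample flows and the Internet host 203.0.113.5 are constructed for the demonstration.

```python
"""First-match evaluation of the InternetOnly context's inside ACL.
Added example, not the page's own code: it expands the ASA 7.2 object-groups the
ACL uses and evaluates sample flows top-down with the implicit deny at the end,
handling only the constructs present (protocol/network/service groups, any/host/subnet, eq/range).
"""
import ipaddress
import re

# Constructed excerpt of the InternetOnly context; the ACEs keep the page's order.
ASA_CFG = """\
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group network Vendor_Subnet
 network-object 172.17.180.0 255.255.255.0
object-group service MS_Ports tcp-udp
 port-object range 137 139
 port-object eq 445
object-group service Mail_Services tcp
 port-object eq smtp
 port-object eq pop3
object-group network ProdINSIDE
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list inside extended deny ip any object-group ProdINSIDE
access-list inside extended deny object-group TCP-UDP any any object-group MS_Ports
access-list inside extended permit tcp object-group Vendor_Subnet any object-group Mail_Services
access-list inside extended deny tcp any any object-group Mail_Services
access-list inside extended permit ip any any
"""
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443}  # subset of the ASA's names

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse(cfg):
    """Return (object-groups, ACEs) from the config text."""
    groups, aces, cur = {}, [], None
    for raw in cfg.splitlines():
        s = raw.strip()
        if m := re.match(r"object-group (network|service|protocol) (\S+)", s):
            cur = groups[m.group(2)] = {"type": m.group(1), "items": []}
        elif m := re.match(r"network-object (\S+) (\S+)$", s):
            cur["items"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"protocol-object (\S+)$", s):
            cur["items"].append(m.group(1))
        elif m := re.match(r"port-object eq (\S+)$", s):
            cur["items"].append((port(m.group(1)), port(m.group(1))))
        elif m := re.match(r"port-object range (\S+) (\S+)$", s):
            cur["items"].append((port(m.group(1)), port(m.group(2))))
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (.+)$", s):
            aces.append((m.group(1), m.group(2), m.group(3).split()))
    return groups, aces

def _addr(tok, groups):
    """Consume one address field: any | host A | object-group NAME | A MASK."""
    t = tok.pop(0)
    if t == "any": return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host": return [ipaddress.ip_network(tok.pop(0))]
    if t == "object-group": return groups[tok.pop(0)]["items"]
    return [ipaddress.ip_network(f"{t}/{tok.pop(0)}")]

def _ports(tok, groups):
    """Optional port qualifier; None means any port. A network object-group here is the next address."""
    if tok and tok[0] == "eq":
        p = port(tok[1]); del tok[:2]; return [(p, p)]
    if tok and tok[0] == "range":
        r = (port(tok[1]), port(tok[2])); del tok[:3]; return [r]
    if len(tok) > 1 and tok[0] == "object-group" and groups[tok[1]]["type"] == "service":
        items = groups[tok[1]]["items"]; del tok[:2]; return items
    return None

def build_rules(cfg, acl_name="inside"):
    """Compile one ACL into ordered (action, protos, srcs, sports, dsts, dports) tuples."""
    groups, aces = parse(cfg)
    rules = []
    for name, action, tok in aces:
        if name != acl_name: continue
        t = tok.pop(0)
        protos = groups[tok.pop(0)]["items"] if t == "object-group" else [t]
        src, sports = _addr(tok, groups), _ports(tok, groups)
        dst, dports = _addr(tok, groups), _ports(tok, groups)
        rules.append((action, protos, src, sports, dst, dports))
    return rules

def _hit(ip, nets, p, ranges):
    return any(ip in n for n in nets) and (ranges is None or any(lo <= p <= hi for lo, hi in ranges))

def lookup(rules, proto, src, sport, dst, dport):
    """First matching ACE wins; an unmatched flow hits the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, protos, srcs, sports, dsts, dports in rules:
        if ("ip" in protos or proto in protos) and _hit(s, srcs, sport, sports) and _hit(d, dsts, dport, dports):
            return action
    return "deny"

# Constructed flows (proto, src, sport, dst, dport); 203.0.113.5 stands in for an Internet host.
SAMPLE_FLOWS = [
    ("tcp", "172.17.180.10", 40000, "172.16.3.5", 443),   # vendor -> Production: deny
    ("tcp", "172.17.180.10", 40001, "203.0.113.5", 443),  # vendor -> Internet HTTPS: permit
    ("tcp", "172.17.180.10", 40002, "203.0.113.5", 25),   # vendor -> Internet SMTP: permit
    ("tcp", "172.17.181.10", 40003, "203.0.113.5", 25),   # non-vendor -> SMTP: deny
    ("udp", "172.17.180.10", 40004, "203.0.113.5", 138),  # NetBIOS datagram: deny
]

def evaluate(cfg=ASA_CFG, flows=SAMPLE_FLOWS):
    rules = build_rules(cfg)
    return [lookup(rules, *flow) for flow in flows]
```

evaluate() returns deny, permit, permit, deny, deny for the five flows. Moving the ProdINSIDE deny below "permit ip any any" turns the first verdict into permit, which is the failure mode to test for whenever someone "just appends" a line to this ACL. Note that the vendor subnet is also the only source allowed out by the InternetOnly nat-exempt ACL, so a host outside 172.17.180.0/24 would not get far even where this ACL permits it.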
by aryoba

See also: VRF-lite Based Group Encrypted Transport VPN; Cisco IOS GETVPN Solution Deployment Guide
© 1999-2012 dslreports.com