
An ASA problem. This task was set at the Cisco Challenge at Cisco Expo 2009.

None of the contestants solved it on their own. Try your hand at it too :)

So you have a fairly simple topology.

[image: network topology]

Suppose the network has an office and a data center, with a leased line purchased between them. All resources are concentrated in the data center, and in the normal state of the network all packets from the OFFICE to the Internet must go through the DMZ interface, which leads directly to the data center (the channel must be fully encrypted). Source addresses must remain unchanged. If the leased line goes down, packets from the OFFICE to the data center, and onward to the Internet, must go into an IPSec-encrypted channel across the Internet to the data center. For this purpose the OFFICE has its own Internet access. The only exception is host 192.168.1.100: if the leased line goes down, it must be given direct Internet access using the address of the OFFICE ASA's outside interface, while keeping its ability to work with the data center network (10.1.0.0/16) over the encrypted channel. Additionally, to protect against DoS attacks on IPSec, the OFFICE ASA must be prohibited from processing IPSec packets from anyone except the address of the data center ASA's outside interface.

Your task is to provide the OFFICE ASA config. It is enough to give:
1. Description of “interesting traffic” for IPSec channels
2. Description of NAT Translation Rules
3. The way to protect against DoS attacks on IPSec
_________________________________________________________________________

A contestant who solved this problem in 25 minutes received a super prize :)

PS I'm sure you will solve it. So, to keep life from being too sweet, solve it for two variants:

A) no nat-control
B) nat-control

PS As usual, those who only read Habr can register on the forum at www.anticisco.ru and answer there, in the forum section “Problems for ingenuity”.

Source: https://habr.com/ru/post/72452/

