
Assignment 2: Network Configuration and Security
Goals
The purpose of this assignment is to:
1. Demonstrate an understanding of network topology setup and firewall configurations.
2. Test network security by conducting vulnerability assessments.
3. Implement and verify access control rules and Deep Packet Inspection (DPI) measures.
Software Needed:
1. GNS3 Software
2. GNS3 VM for VMware Workstation and Fusion
3. VMware Workstation Player for Windows OR VMware Fusion Player for Mac (Mac users,
please create an account on VMware's website to start the application trial.)
4. Kali Linux Live Images
5. Request access for the images here
Topology, Steps, and Configurations:
1. Set the IP address for the loopback interface on your machine to 192.168.10.11 with a
subnet mask of 255.255.255.0.
2. In GNS3, create a new project and connect the network topology as shown. Note that all
appliances should run on the GNS3 VM except for the cloud, which should be connected
to the management interface and has to run on the GNS3 local server.
3. Start the Cisco ASAv and wait until it is fully loaded. Enter the following commands into
the ASA CLI (Console):
ciscoasa> enable
Password: ciscocisco1
Retype password: ciscocisco1
ciscoasa# conf t
ciscoasa (config)# interface Management0/0
ciscoasa (config-if)# management-only
ciscoasa (config-if)# nameif management
ciscoasa (config-if)# security-level 0
ciscoasa (config-if)# ip address 192.168.10.10 255.255.255.0
ciscoasa (config-if)# no shutdown
ciscoasa (config-if)# asdm image boot:/asdm-7181152.bin
ciscoasa (config)# aaa authentication http console LOCAL
ciscoasa (config)# username cisco password ciscocisco privilege 15
ciscoasa (config)# http server enable
ciscoasa (config)# http 192.168.10.11 255.255.255.255 management
ciscoasa (config)# write
4. Download and install Java (search Google for "Java download").
5. Ensure connectivity from your local machine to the FW management IP by issuing the
command ping 192.168.10.10 in a Windows command prompt (cmd). If successful,
proceed to the next step; if not, check your loopback interface and GNS3 topology
connections.
6. Open a web browser and connect to the FW management IP using the URL
https://192.168.10.10/admin/public/index.html. Click "Install ASDM Launcher" and
follow the prompts for a successful installation.
7. On your local machine, open the “ASDM-IDM Launcher” application, enter the IP
address of the FW management interface, and the username and password you created
earlier as follows:
8. If successful, you will access the FW dashboard.
9. Return to the FW CLI interface (FW Console) and enter the following commands:
ciscoasa> enable
Password: ciscocisco1
ciscoasa# conf t
ciscoasa (config)# interface GigabitEthernet0/0
ciscoasa (config-if)# nameif inside
ciscoasa (config-if)# security-level 100
ciscoasa (config-if)# ip address 10.10.10.1 255.255.255.0
ciscoasa (config-if)# no shutdown
ciscoasa (config-if)# interface GigabitEthernet0/1
ciscoasa (config-if)# nameif outside
ciscoasa (config-if)# security-level 0
ciscoasa (config-if)# ip address dhcp setroute
ciscoasa (config-if)# no shutdown
ciscoasa (config-if)# interface GigabitEthernet0/2
ciscoasa (config-if)# nameif DMZ
ciscoasa (config-if)# security-level 50
ciscoasa (config-if)# ip address 172.16.1.1 255.255.255.0
ciscoasa (config-if)# no shutdown
ciscoasa (config-if)# write
ciscoasa (config-if)# show route
10. Ensure that the output of the last command matches the expected route information.
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.122.1, outside
C 10.10.10.0 255.255.255.0 is directly connected, inside
L 10.10.10.1 255.255.255.255 is directly connected, inside
C 172.16.1.0 255.255.255.0 is directly connected, DMZ
L 172.16.1.1 255.255.255.255 is directly connected, DMZ
C 192.168.122.0 255.255.255.0 is directly connected, outside
L 192.168.122.x 255.255.255.255 is directly connected, outside
11. Configure the IP addresses for the Inside-Host, DMZ-Host, and Kali Linux as follows
(replace 'x' with your assigned number in the bonus sheet):
● Inside-Host: IP address: 10.10.10.x, subnet mask: 255.255.255.0, default GW:
10.10.10.1
● DMZ-Host: IP address: 172.16.1.x, subnet mask: 255.255.255.0, default GW:
172.16.1.1
● Kali Linux: Leave the automatic DHCP setting as it is and check if it has obtained
an IP from the 192.168.122.0/24 range using the ifconfig command.
12. Check connectivity from each host to its corresponding interface using the Ping tool.
13. On the ASAv CLI, configure the following one-to-one static NAT rules (replace
'Inside-Host-IP' and 'DMZ-Host-IP' with the respective IPs):
ciscoasa> enable
Password: ciscocisco1
ciscoasa# conf t
ciscoasa (config)# nat (inside,outside) source static Inside-Host-IP 192.168.122.250
ciscoasa (config)# nat (DMZ,outside) source static DMZ-Host-IP 192.168.122.249
ciscoasa (config)# write
14. Your topology is now up and running. Proceed to the assignment tasks.
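The security levels assigned in step 9 (inside 100, DMZ 50, outside 0) decide what may cross the firewall before any access rule exists. The following is an added example, not part of the original assignment: a simplified Python model of that default policy and of stateful return traffic. It assumes TCP only, ignores NAT and ICMP, and uses constructed host addresses (x = 50).

```python
# Added example: simplified model of ASA security levels and stateful return
# traffic. TCP only; NAT and ICMP are not modeled. Host addresses are constructed.
LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}  # values from step 9


class AsaModel:
    def __init__(self, levels):
        self.levels = levels
        self.acls = {}      # ingress interface -> permitted (dst_ip, dst_port)
        self.conns = set()  # (src_ip, src_port, dst_ip, dst_port)

    def permit_in(self, ingress, dst_ip, dst_port):
        self.acls.setdefault(ingress, []).append((dst_ip, dst_port))

    def packet(self, ingress, src, sport, egress, dst, dport):
        """Return (verdict, reason) for one TCP packet crossing the firewall."""
        flow, reply_of = (src, sport, dst, dport), (dst, dport, src, sport)
        if flow in self.conns or reply_of in self.conns:
            return "permit", "existing connection"
        if ingress in self.acls:
            # A bound ACL replaces the level check and ends in an implicit deny.
            ok = (dst, dport) in self.acls[ingress]
            reason = "access rule" if ok else "implicit deny at end of ACL"
        else:
            ok = self.levels[ingress] > self.levels[egress]
            reason = ("higher to lower security level" if ok
                      else "implicit deny (not higher to lower)")
        if ok:
            self.conns.add(flow)  # later packets either way match this entry
        return ("permit" if ok else "deny"), reason


def demo():
    fw = AsaModel(LEVELS)
    dmz, kali = "172.16.1.50", "192.168.122.100"  # constructed, x = 50
    before = fw.packet("outside", kali, 40000, "DMZ", dmz, 445)
    fw.permit_in("outside", dmz, 445)  # inbound rule on outside for DMZ:445
    return [
        before,                                                # no rule yet
        fw.packet("outside", kali, 40000, "DMZ", dmz, 445),    # rule matches
        fw.packet("DMZ", dmz, 445, "outside", kali, 40000),    # reply packet
        fw.packet("DMZ", dmz, 49152, "outside", kali, 443),    # new outbound
        fw.packet("outside", kali, 40001, "inside", "10.10.10.50", 445),
    ]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:6} {reason}")
```

The fourth flow is permitted with no rule at all because the DMZ interface has a higher security level than outside, so restricting outbound connections from the DMZ requires an explicit ACL on that interface.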
Assignment Tasks:
1. Demonstrate that the Inside-Host and DMZ-Host can access the internet without any
access rules configured.
2. Prove that the Kali Linux machine cannot access any port on either the Inside-Host or
DMZ-Host.
3. Configure an access rule that allows the Kali Linux machine to access the SMB ports
(port 445 and port 135) on the DMZ-Host.
4. Demonstrate that the Kali Linux machine can now access the SMB ports on the
DMZ-Host.
5. Use the Metasploit framework on the Kali Linux machine to show that the DMZ-Host is
vulnerable to the MS17-010 vulnerability.
6. Exploit the MS17-010 vulnerability on the DMZ-Host using the default Meterpreter
payload (reverse TCP) from the Kali Linux machine.
7. Show that upon successful exploitation, the DMZ-Host has initiated a connection to the
Kali Linux machine. Explain why this connection is successful even though no access rule
is configured to allow it.
8. Use the DPI capabilities of Cisco ASA to configure the following rules:
● Allow ICMP traffic across the FW.
● Filter DNS Type Field “A”.
● Filter the HTTP “get” command.
9. Provide evidence that each of the above DPI rules is working correctly.
Please follow these instructions carefully to complete your assignment. If you have any
questions or need further assistance, don't hesitate to reach out.
Good luck with your assignment!
