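#!/usr/bin/env python3
"""Cisco ASA firewall labs automated with Netmiko.

Lab 1 - Configuring Interfaces on a Firewall
Lab 2 - Configuring Routing on a Firewall - EIGRP
Lab 3 - Configuring Dynamic NAT on a Firewall
Lab 4 - Configuring Static NAT on a Firewall + ACL
Lab 5 - Configuring VPNs on the ASA Firewall

Every lab prompts for the parameters it needs, opens one SSH session to the
ASA, pushes the configuration with ``send_config_set`` and prints what the
device returned. Run the file and pick a lab by number.

Pre-config (entered on the ASA console before any lab is run, so that the
management interface is reachable and SSH authenticates against the local
user database)::

    interface Management0/0
     management-only
     nameif MGMT
     security-level 100
     ip address 192.168.137.111 255.255.255.0
     no shut
    !
    username khawar password cisco privilege 15
    !
    ssh 192.168.137.0 255.255.255.0 MGMT
    aaa authentication ssh console LOCAL
"""
import contextlib
import getpass


# --------------------------------------------------------------------------
# Session handling
# --------------------------------------------------------------------------

def connect_asa():
    """Prompt for the ASA address and credentials and return an open session.

    The password is read with ``getpass`` so it is neither echoed nor left in
    the terminal scrollback (the original labs read it with ``input``).

    Returns:
        A connected Netmiko ``ConnectHandler`` for ``device_type`` cisco_asa.
        The caller owns the session and must call ``disconnect()``; use
        ``asa_session()`` to get that for free.
    """
    # Imported here rather than at module level so the pure command builders
    # below can be imported and unit-tested on a machine without Netmiko.
    from netmiko import ConnectHandler

    device = {
        'device_type': 'cisco_asa',
        'ip': input('ASA Firewall IP: '),
        'username': input('SSH Username: '),
        'password': getpass.getpass('Password: '),
        # NOTE(review): Netmiko accepts unknown SSH host keys by default, so a
        # host impersonating the ASA on the management network would receive
        # these credentials. Once the real key is in ~/.ssh/known_hosts, add
        # ssh_strict=True and system_host_keys=True here.
    }
    return ConnectHandler(**device)


@contextlib.contextmanager
def asa_session():
    """Context manager around ``connect_asa`` that always disconnects.

    The original labs never closed the session, so the ASA kept the SSH
    session open until its idle timeout even when the script had finished or
    crashed on bad input.
    """
    session = connect_asa()
    try:
        yield session
    finally:
        session.disconnect()


# --------------------------------------------------------------------------
# Prompt helpers
# --------------------------------------------------------------------------

def prompt_count(prompt):
    """Ask for a whole number >= 0, re-prompting instead of raising.

    The original labs called ``int()`` on the raw answer, so a typo aborted
    the run with a ValueError after the SSH session had already been opened.
    """
    while True:
        answer = input(prompt).strip()
        # isdecimal() (not isdigit()) accepts exactly the characters int() does
        if answer.isdecimal():
            return int(answer)
        print(f'"{answer}" is not a whole number, please try again.')


def confirm(prompt):
    """Return True when the user answers y/yes (case-insensitive)."""
    return input(prompt).strip().lower() in ('y', 'yes')


# --------------------------------------------------------------------------
# Command builders (pure functions: no I/O, easy to test)
# --------------------------------------------------------------------------

def interface_commands(interface, ip_address, mask, nameif, security_level):
    """Return the config lines that bring up one named interface.

    Args:
        interface: ASA interface id, e.g. ``gig0/0``.
        ip_address: address to assign.
        mask: dotted subnet mask.
        nameif: logical name used in NAT, ACL and route commands.
        security_level: 0-100 as a string; ASA trusts higher levels more.
    """
    return [
        f'interface {interface}',
        f'ip address {ip_address} {mask}',
        f'nameif {nameif}',
        f'security-level {security_level}',
        'no shut',
    ]


def default_route_commands(interface, next_hop):
    """Return the default route (``0 0`` = 0.0.0.0/0) via ``next_hop``."""
    return [f'route {interface} 0 0 {next_hop}']


def eigrp_commands(as_number, networks):
    """Return the EIGRP process plus one ``network`` line per (net, mask)."""
    commands = [f'router eigrp {as_number}']
    commands.extend(f'network {net} {mask}' for net, mask in networks)
    return commands


def dynamic_nat_commands(pool_name, pool_start, pool_end,
                         local_subnet, local_if, external_if):
    """Return the objects and dynamic NAT rule for Lab 3.

    ``local_subnet`` is the network and mask as one string, exactly as the
    prompt asks for it (``10.11.11.0 255.255.255.0``).
    """
    return [
        f'object network {pool_name}',
        f'range {pool_start} {pool_end}',
        'object network LOCAL_SUBNET',
        f'subnet {local_subnet}',
        f'nat ({local_if},{external_if}) dynamic {pool_name}',
    ]


def static_nat_commands(object_name, private_ip, private_if, public_ip, public_if):
    """Return the host object and one-to-one static NAT for Lab 4."""
    return [
        f'object network {object_name}',
        f'host {private_ip}',
        f'nat ({private_if},{public_if}) static {public_ip}',
    ]


def inbound_acl_command(acl_name, protocol, host_ip, port=None):
    """Return one ACE permitting ``protocol`` from any source to ``host_ip``.

    ``eq <port>`` is appended only when ``port`` is given; the original lab
    always appended it, which produced an invalid line for ICMP/ESP, which
    have no ports. The ACE uses the real (pre-NAT) host address, as the lab
    did.
    """
    ace = f'access-list {acl_name} permit {protocol} any host {host_ip}'
    if port:
        ace += f' eq {port}'
    return ace


def access_group_command(acl_name, interface):
    """Return the line that binds ``acl_name`` inbound on ``interface``.

    On the ASA this replaces whatever ACL was already bound inbound on that
    interface, so existing policy on a production box would be overwritten.
    """
    return f'access-group {acl_name} in interface {interface}'


def ipsec_commands(peer, psk, outside_if, p1_hash, p1_encryption, p1_group,
                   p2_hash, p2_encryption, src_net, src_mask, dst_net, dst_mask):
    """Return the IKEv1 site-to-site VPN configuration for one remote peer.

    The original lab wrote these lines, pre-shared key included, to
    ``ipsec.txt`` and pushed the file, leaving the key on disk in clear text.
    Returning a list for ``send_config_set`` keeps the key in memory only.
    IKEv1 is also enabled on ``outside_if`` instead of the hard-coded name
    ``Outside`` the lab used, so the IKE listener and the ``crypto map``
    binding always land on the same interface.
    """
    return [
        f'crypto ikev1 enable {outside_if}',
        'crypto ikev1 policy 10',
        ' authentication pre-share',
        f' hash {p1_hash}',
        f' encryption {p1_encryption}',
        f' group {p1_group}',
        f'tunnel-group {peer} type ipsec-l2l',
        f'tunnel-group {peer} ipsec-attributes',
        f' ikev1 pre-shared-key {psk}',
        f'crypto ipsec ikev1 transform-set TSET esp-{p2_hash}-hmac esp-{p2_encryption}',
        f'access-list CRYPTO-ACL permit ip {src_net} {src_mask} {dst_net} {dst_mask}',
        f'crypto map C_MAP 10 set peer {peer}',
        'crypto map C_MAP 10 set ikev1 transform-set TSET',
        'crypto map C_MAP 10 match address CRYPTO-ACL',
        f'crypto map C_MAP interface {outside_if}',
    ]


# --------------------------------------------------------------------------
# Labs
# --------------------------------------------------------------------------

def lab1_interfaces():
    """Lab 1 - Configuring Interfaces on a Firewall.

    Configures any number of interfaces (address, nameif, security level,
    no shut), optionally a default route, then shows ``sh int ip brief``.
    """
    with asa_session() as session:
        count = prompt_count('How many Interfaces would you like to configure: ')
        for _ in range(count):
            interface = input('Please specify the Interface to be configured: [E0, gig0/0 etc]: ')
            address = input('IP Address: ')
            mask = input('Subnet Mask: ')
            nameif = input('Interface Name: ')
            level = input('Security Level: ')
            print(session.send_config_set(
                interface_commands(interface, address, mask, nameif, level)))

        if confirm('Would you like to configure a default route [Y/N]: '):
            next_hop = input('Please specify the Default Gateway Address: ')
            out_if = input('Outgoing Interface: ')
            print(session.send_config_set(default_route_commands(out_if, next_hop)))

        print('-' * 79)
        print(session.send_command('sh int ip brief'))


def lab2_eigrp():
    """Lab 2 - Configuring Routing on a Firewall - EIGRP.

    Collects the networks first and pushes the EIGRP process once, instead of
    re-entering ``router eigrp`` for every network as the original did; the
    resulting configuration is the same.
    """
    with asa_session() as session:
        as_number = input('EIGRP AS #: ')
        count = prompt_count('How many networks would you like to enable in EIGRP: ')
        networks = []
        for _ in range(count):
            network = input('Please specify the network to enable: ')
            mask = input('Please specify the Subnet Mask for the Network: ')
            networks.append((network, mask))

        # Zero networks: the original sent nothing, so do not create an
        # empty EIGRP process either.
        if networks:
            print(session.send_config_set(eigrp_commands(as_number, networks)))

        print('-' * 79)
        input('Press ENTER to Continue')
        print(session.send_command('sh route eigrp'))


def lab3_dynamic_nat():
    """Lab 3 - Configuring Dynamic NAT on a Firewall.

    Creates a network object holding the public address range and a
    LOCAL_SUBNET object carrying the dynamic NAT rule towards it.
    """
    with asa_session() as session:
        print('\nPool Information - Range\n')
        print('-' * 50)
        pool_name = input('Pool Name: ')
        pool_start = input('Client Pool Start Address: ')
        pool_end = input('Client Pool End Address: ')

        print('\nNAT Information\n')
        print('-' * 50)
        local_subnet = input('Specify the Local Subnet along with Mask [10.11.11.0 255.255.255.0]: ')
        local_if = input('Local Interface: ')
        external_if = input('External Interface: ')

        print(session.send_config_set(dynamic_nat_commands(
            pool_name, pool_start, pool_end, local_subnet, local_if, external_if)))
        print('-' * 79)
        input('Press ENTER to finish')


def lab4_static_nat_acl():
    """Lab 4 - Configuring Static NAT on a Firewall + ACL.

    For each translation: host object, static NAT and optionally an inbound
    ACE on the public interface. The ACL is named after the public interface
    and bound once per interface at the end. The original bound the ACL using
    whatever interface the last loop iteration named (a NameError when the
    count was 0) and appended ``eq <port>`` even for ICMP/ESP.
    """
    with asa_session() as session:
        count = prompt_count('How many Static Translations would you like to configure: ')
        acl_interfaces = []  # public interfaces that received at least one ACE
        for _ in range(count):
            object_name = input('Please specify the Object Name for the Static Translation: ')
            private_ip = input('Please specify the Internal Host IP: ')
            private_if = input('Please specify the Internal Interface: ')
            public_ip = input('Please specify the Public Host IP: ')
            public_if = input('Please specify the Public Interface: ')
            print(session.send_config_set(
                static_nat_commands(object_name, private_ip, private_if, public_ip, public_if)))

            if confirm('Would you like to allow access to this device[Y/N]:'):
                protocol = input('Specify the Protocol Allowed [TCP/UDP/ICMP/ESP]: ').strip().lower()
                port = None
                if protocol in ('tcp', 'udp'):
                    port = input('Specify the Destination Port #[23,80 etc]: ').strip()
                # The ACE source is "any": every address behind public_if can
                # reach the host on that port. Narrow it if the service is not
                # meant to be public.
                print(session.send_config_set(
                    [inbound_acl_command(public_if, protocol, private_ip, port)]))
                if public_if not in acl_interfaces:
                    acl_interfaces.append(public_if)

        # Bind each ACL to its interface exactly once; see access_group_command
        # for the "replaces the existing inbound ACL" caveat.
        for public_if in acl_interfaces:
            print(session.send_config_set([access_group_command(public_if, public_if)]))

        print('-' * 79)
        print(session.send_command('sh nat detail'))
        input('Press ENTER to finish')


def lab5_ipsec_vpn():
    """Lab 5 - Configuring VPNs on the ASA Firewall.

    Builds an IKEv1 LAN-to-LAN tunnel to one peer. The pre-shared key is read
    with ``getpass``, never written to disk, and is redacted from the echoed
    device output before it is printed.
    """
    with asa_session() as session:
        peer = input('Type the IP Address of remote peer: ')

        print('\nPhase I Parameters\n')
        # DES, MD5 and DH groups 1/2 are deprecated on the ASA; prefer AES,
        # SHA and group 14 where the ASA release supports them.
        p1_hash = input('Specify the Phase I Hash - [MD5 | SHA]: ')
        p1_encryption = input('Specify the Phase I Encryption - [DES | 3DES | AES | AES-256]: ')
        p1_group = input('Specify the Phase I DH Group - [1 | 2 | 5 | 14]: ')
        psk = getpass.getpass('Specify the Pre-shared-Key: ')

        print('\nPhase II Parameters\n')
        p2_hash = input('Specify the Phase II Hash - [MD5 | SHA]: ')
        p2_encryption = input('Specify the Phase II Encryption - [DES | 3DES | AES | AES-256]: ')

        print('\nCrypto ACL Networks\n')
        src_net = input('Specify the source network: ')
        src_mask = input('Specify the source mask: ')
        dst_net = input('Specify the Destination network: ')
        dst_mask = input('Specify the Destination mask: ')

        print('\nInterface\n')
        outside_if = input('Specify the outgoing interface name [Outside etc]: ')

        output = session.send_config_set(ipsec_commands(
            peer, psk, outside_if,
            p1_hash, p1_encryption, p1_group,
            p2_hash, p2_encryption,
            src_net, src_mask, dst_net, dst_mask))
        # Netmiko returns the echoed commands, key included; keep it out of
        # the terminal log.
        if psk:
            output = output.replace(psk, '<pre-shared-key redacted>')
        print(output)
        print('IPSec Configured')


LABS = {
    '1': lab1_interfaces,
    '2': lab2_eigrp,
    '3': lab3_dynamic_nat,
    '4': lab4_static_nat_acl,
    '5': lab5_ipsec_vpn,
}


def main():
    """Entry point: list the labs, run the one the user picks."""
    for number, lab in LABS.items():
        print(f'{number}: {lab.__doc__.splitlines()[0]}')
    choice = input('Lab to run [1-5]: ').strip()
    try:
        lab = LABS[choice]
    except KeyError:
        print(f'Unknown lab "{choice}".')
        return
    lab()


if __name__ == '__main__':
    main()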