********************************************
Lab # 1 - Interface Configuration
********************************************

=========== ASA ===========

Interface Gig 0/0
 nameif Outside
 security-level 0
 ip address 192.1.20.10 255.255.255.0
 no shut
!
Interface Gig 0/1
 nameif Inside
 security-level 100
 ip address 10.11.11.10 255.255.255.0
 no shut
!
Interface Gig 0/2
 nameif DMZ-3
 ip address 192.168.3.10 255.255.255.0
 security-level 50
 no shut
!
Interface Gig 0/3
 nameif DMZ-4
 ip address 192.168.4.10 255.255.255.0
 security-level 50
 no shut

********************************************
Lab # 2 - Configuring a Default Route
********************************************

=========== ASA ===========

Syntax: route [Outgoing Interface] [Network] [Mask] [Next Hop]

route outside 0.0.0.0 0.0.0.0 192.1.20.2

********************************************
Traffic Flows
********************************************

Default Characteristics:

-> Traffic flows automatically from a higher security level interface towards a lower security level interface. This traffic is inspected and the return traffic is allowed. The traffic is implicitly inspected for any TCP/UDP based traffic.
-> Traffic flows are blocked if they are coming from a lower security level interface towards a higher security level interface. If you want the traffic to be allowed, you need to create an ACL.
-> Traffic flows will not be allowed between 2 interfaces with the same security level. You can disable this rule by using the "same-security-traffic permit inter-interface" command. This essentially disables the firewall between the 2 interfaces with the same security level.
-> ACLs control traffic going THRU the firewall. They do not affect traffic destined to the firewall.
-> Turning on a service will allow traffic to the firewall.
-> The only service turned on by default is the ICMP service.
-> You can control traffic to the firewall by using the service itself, NOT the ACL.
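The default-flow rules above are easy to misremember when four interfaces are involved. The following Python model, added here as an illustration and not part of the lab notes or any Cisco software, encodes those rules for the Lab 1 interfaces so you can check which direction of new connections needs an ACL. The `AsaPolicy` class, its method and the `INTERFACES` table are assumptions made for this example.

```python
# Added example (not from the lab notes): a model of the ASA default
# traffic-flow rules for new connections between the Lab 1 interfaces.
# Interface names and security levels come from Lab 1; the class, method
# and field names are assumptions for this illustration.
from dataclasses import dataclass, field

# Interface name -> security level, as configured in Lab 1.
INTERFACES = {"Outside": 0, "Inside": 100, "DMZ-3": 50, "DMZ-4": 50}


@dataclass
class AsaPolicy:
    levels: dict
    # True once "same-security-traffic permit inter-interface" is configured.
    same_security_inter_interface: bool = False
    # Interfaces with an inbound ACL bound ("access-group NAME in interface X").
    inbound_acl: set = field(default_factory=set)

    def new_flow(self, ingress: str, egress: str) -> str:
        """Classify a NEW connection entering `ingress` and leaving `egress`:
        'permit'  - allowed by the security-level rule (higher -> lower),
        'deny'    - blocked by the security-level rule,
        'acl'     - an inbound ACL is bound on the ingress interface, so the
                    ACL (with its implicit deny at the end) decides instead."""
        if ingress == egress:
            raise ValueError("hairpin (intra-interface) traffic is not modelled")
        if ingress in self.inbound_acl:
            return "acl"
        src, dst = self.levels[ingress], self.levels[egress]
        if src > dst:
            return "permit"   # return traffic is allowed by the stateful inspection
        if src == dst:
            return "permit" if self.same_security_inter_interface else "deny"
        return "deny"         # lower -> higher needs an ACL

    def matrix(self) -> dict:
        """Decision for every ordered pair of distinct interfaces."""
        return {(a, b): self.new_flow(a, b)
                for a in self.levels for b in self.levels if a != b}


if __name__ == "__main__":
    policy = AsaPolicy(levels=INTERFACES)
    for (a, b), decision in sorted(policy.matrix().items()):
        print(f"{a:8} -> {b:8}: {decision}")
```

Binding the Lab 13 ACL inbound on Outside (`inbound_acl={"Outside"}`) changes every Outside-initiated flow to `acl`, which is the point of that lab: once an access-group is applied, the interface's implicit behaviour is replaced by the ACL.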
***********************************************
Lab # 3 - Controlling ICMP to the Firewall
***********************************************

Requirements:
-> The ASA should be able to ping the outside networks.
-> Only R2 (192.1.20.2) should be able to ping the ASA on the Outside interface.

=========== ASA ===========

icmp permit any echo-reply outside
icmp permit host 192.1.20.2 echo outside

***********************************************
Lab # 4 - Telnet Management of the Firewall
***********************************************

Requirements:
-> Configure a password for Telnet (Cisco@123)
-> Allow management of the firewall via Telnet from the Inside and DMZ-3 interfaces.

=========== ASA ===========

passwd Cisco@123
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.3.0 255.255.255.0 DMZ-3

***********************************************
Lab # 5 - Configuring a Local Authentication DB
***********************************************

Requirements:
-> Create a username/password database based on the following:
   Username: Admin1   Password: Admin1
   Username: Admin2   Password: Admin2
-> Authenticate Telnet connections based on the local authentication DB.

=========== ASA ===========

username Admin1 password Admin1
username Admin2 password Admin2
!
aaa authentication telnet console LOCAL     [LOCAL is case-sensitive]

Note: Telnet is not allowed on an interface with a security level of 0.

***********************************************
Lab # 6 - SSH Management of the Firewall
***********************************************

Requirements:
-> Allow management of the firewall via SSH from the Outside, Inside and DMZ-4 interfaces.

=========== ASA ===========

domain-name kbits.live
crypto key generate rsa modulus 1024
!
ssh 192.1.20.0 255.255.255.0 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh 192.168.4.0 255.255.255.0 DMZ-4
!
aaa authentication ssh console LOCAL

***********************************************
Lab # 7 - Configuring OSPF on the Firewall
***********************************************

=========== ASA ===========

router ospf 1
 router-id 0.0.0.10
 network 10.11.11.0 255.255.255.0 area 0

=========== R1 ===========

router ospf 1
 router-id 0.0.0.1
 network 10.0.0.0 0.255.255.255 area 0

***********************************************
Lab # 8 - Configuring OSPF Authentication
***********************************************

=========== R1 ===========

----- Clear Text ----------
Interface E 0/0
 ip ospf authentication
 ip ospf authentication-key Cisco123

or

----- Message Digest ----------
Interface E 0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 11 md5 Cisco123

=========== ASA ===========

----- Clear Text ----------
Interface Gig 0/1
 ospf authentication
 ospf authentication-key Cisco123

or

----- Message Digest ----------
Interface Gig 0/1
 ospf authentication message-digest
 ospf message-digest-key 11 md5 Cisco123

***********************************************
Lab # 9 - Configuring EIGRP on the Firewall
***********************************************

=========== ASA ===========

router eigrp 123
 network 192.168.3.0
 network 192.168.4.0

=========== R3 ===========

router eigrp 123
 network 192.168.3.0
 network 10.0.0.0

=========== R4 ===========

router eigrp 123
 network 192.168.4.0
 network 10.0.0.0

***********************************************
Lab # 10 - Configuring EIGRP Authentication
***********************************************

=========== R3 ===========

key chain ABC
 key 11
  key-string Cisco123
!
Interface E 0/0
 ip authentication mode eigrp 123 md5
 ip authentication key-chain eigrp 123 ABC

=========== R4 ===========

key chain ABC
 key 11
  key-string Cisco123
!
Interface E 0/0
 ip authentication mode eigrp 123 md5
 ip authentication key-chain eigrp 123 ABC

=========== ASA ===========

Interface Gig 0/2
 authentication mode eigrp 123 md5
 authentication key eigrp 123 Cisco123 key-id 11
!
Interface Gig 0/3
 authentication mode eigrp 123 md5
 authentication key eigrp 123 Cisco123 key-id 11

***********************************************
Lab # 11 - Configuring BGP with Authentication
***********************************************

=========== R2 ===========

router bgp 200
 network 199.1.1.0
 network 200.1.1.0
 neighbor 192.1.20.10 remote-as 1000
 neighbor 192.1.20.10 password Cisco123
 neighbor 192.1.20.10 default-originate

=========== ASA ===========

router bgp 1000
 address-family ipv4 unicast
  neighbor 192.1.20.2 remote-as 200
  neighbor 192.1.20.2 password Cisco123
  neighbor 192.1.20.2 activate

***********************************************
Lab # 12 - Configuring Route Redistribution
***********************************************

=========== ASA ===========

router ospf 1
 redistribute bgp 1000 subnets
 redistribute eigrp 123 subnets
!
router eigrp 123
 default-metric 10 10 10 10 10
 redistribute ospf 1
 redistribute bgp 1000
!
router bgp 1000
 address-family ipv4 unicast
  redistribute ospf 1
  redistribute eigrp 123

***********************************************
Lab # 13 - Configuring an ACL
***********************************************

=========== ASA ===========

access-list OUTSIDE extended permit tcp host 192.1.20.2 host 10.11.11.1 eq telnet
access-list OUTSIDE extended permit tcp any host 192.168.3.11 eq www
access-list OUTSIDE extended permit tcp any host 192.168.3.11 eq https
access-list OUTSIDE extended permit tcp any host 192.168.3.13 eq smtp
access-list OUTSIDE extended permit udp any host 192.168.3.12 eq domain
access-list OUTSIDE extended permit tcp 199.1.1.0 255.255.255.0 host 192.168.3.3 eq ssh
access-list OUTSIDE extended permit tcp 199.1.1.0 255.255.255.0 host 192.168.3.3 eq telnet
access-list OUTSIDE extended permit icmp 200.1.1.0 255.255.255.0 10.4.4.0 255.255.255.0
!
access-group OUTSIDE in interface Outside

********************************************
Lab 14 - Initializing a transparent firewall
********************************************

----- ASA -----

firewall transparent
!
Interface gig0/0
 nameif Outside
 security-level 0
 bridge-group 1
 no shut
!
Interface gig0/1
 nameif Inside
 security-level 100
 bridge-group 1
 no shut
!
Interface bvi 1
 ip address 192.1.10.10 255.255.255.0

********************************************
Lab 15 - Configuring ACLs
********************************************

----- ASA -----

Requirement: R1 should be able to Telnet and Ping R2 & R3

access-list OUTSIDE permit tcp host 192.1.10.1 host 192.1.10.2 eq 23
access-list OUTSIDE permit tcp host 192.1.10.1 host 192.1.10.3 eq 23
access-list OUTSIDE permit icmp host 192.1.10.1 host 192.1.10.2
access-list OUTSIDE permit icmp host 192.1.10.1 host 192.1.10.3
!
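A quick way to sanity-check the Lab 13 and Lab 15 ACLs before binding them is to evaluate candidate packets against the ACEs exactly as the ASA would: first match wins, ASA ACLs take real subnet masks (not IOS wildcards), and anything unmatched falls to the implicit deny. The evaluator below is an added example, not part of the lab notes or any Cisco tool; the parser, packet model and `PORT_NAMES` table are assumptions, and the ACL text is the OUTSIDE list from Lab 13.

```python
# Added example (not from the lab notes): a minimal evaluator for the ASA
# extended ACL syntax used in Labs 13 and 15. Parser, packet model and
# service-name table are assumptions for this illustration.
import ipaddress

# Service names used in the lab ACLs, as the ASA resolves them to ports.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80,
              "https": 443, "smtp": 25, "domain": 53}

# The OUTSIDE access list from Lab 13, copied verbatim.
LAB13_ACL = """
access-list OUTSIDE extended permit tcp host 192.1.20.2 host 10.11.11.1 eq telnet
access-list OUTSIDE extended permit tcp any host 192.168.3.11 eq www
access-list OUTSIDE extended permit tcp any host 192.168.3.11 eq https
access-list OUTSIDE extended permit tcp any host 192.168.3.13 eq smtp
access-list OUTSIDE extended permit udp any host 192.168.3.12 eq domain
access-list OUTSIDE extended permit tcp 199.1.1.0 255.255.255.0 host 192.168.3.3 eq ssh
access-list OUTSIDE extended permit tcp 199.1.1.0 255.255.255.0 host 192.168.3.3 eq telnet
access-list OUTSIDE extended permit icmp 200.1.1.0 255.255.255.0 10.4.4.0 255.255.255.0
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NETWORK MASK'.
    ASA ACLs use subnet masks (255.255.255.0), not wildcard masks."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_acl(text, name):
    """Return the ordered ACEs of access-list `name` as
    (action, proto, src_net, src_port, dst_net, dst_port) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name]:
            continue
        tokens = tokens[2:]
        if tokens[0] == "extended":      # keyword is optional, as in Lab 15
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        src = _parse_addr(tokens)
        sport = _parse_port(tokens)
        dst = _parse_addr(tokens)
        dport = _parse_port(tokens)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None, sport=None):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in aces:
        if p != proto or s not in snet or d not in dnet:
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(LAB13_ACL, "OUTSIDE")
    # Constructed sample packets arriving on the Outside interface.
    for pkt in [("tcp", "192.1.20.2", "10.11.11.1", 23),
                ("tcp", "192.1.20.3", "10.11.11.1", 23),
                ("tcp", "199.1.1.5", "192.168.3.3", 22),
                ("icmp", "200.1.1.9", "10.4.4.4", None)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Worth noticing from the output: only R2 itself may Telnet to 10.11.11.1, and a host outside 199.1.1.0/24 reaching for SSH on 192.168.3.3 falls through all eight ACEs to the implicit deny, which is why the access-group replaces rather than supplements the interface's default behaviour.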
access-group OUTSIDE in interface Outside

**************************************************
Lab 16 - Configuring Routing Protocols thru a L2F
**************************************************

----- ASA -----

access-list OUTSIDE permit eigrp host 192.1.10.1 host 192.1.10.2
access-list OUTSIDE permit eigrp host 192.1.10.1 host 192.1.10.3
access-list OUTSIDE permit eigrp host 192.1.10.1 host 224.0.0.10
!
access-list INSIDE permit ip any any
access-group INSIDE in interface inside

**************************************************
Lab 17 - Configuring an ethertype ACL
**************************************************

Requirement: Allow MPLS unicast routing & IPX traffic thru the firewall

----- ASA -----

access-list ABC ethertype permit ipx
access-list ABC ethertype permit mpls-unicast
access-group ABC in interface Outside
access-group ABC in interface Inside