*********************************************************
Lab # 1 - Configuring the Base Network with Routing
*********************************************************

===========
ASA
===========

Interface Gig 0/0
 nameif Outside
 ip address 192.1.20.10
 no shut
!
Interface Gig 0/1
 nameif Inside
 ip address 10.11.11.10 255.255.255.0
 no shut
!
Interface Gig 0/2
 nameif DMZ-3
 security-level 50
 ip address 192.168.3.10
 no shut
!
Interface Gig 0/3
 nameif DMZ-4
 security-level 50
 ip address 192.168.4.10
 no shut
!
route Outside 0 0 192.1.20.2
!
router ospf 1
 router-id 0.0.0.10
 network 10.11.11.0 255.255.255.0 area 0
 network 192.168.3.0 255.255.255.0 area 0
 network 192.168.4.0 255.255.255.0 area 0

===========
R1
===========

Interface Loopback 0
 ip address 10.1.1.1 255.255.255.0
 ip ospf network point-to-point
!
Interface Loopback 10
 ip address 10.10.10.1 255.255.255.0
 ip ospf network point-to-point
!
Interface Loopback 11
 ip address 10.111.111.1 255.255.255.0
 ip ospf network point-to-point
!
Router ospf 1
 router-id 0.0.0.1
 network 10.0.0.0 0.255.255.255 area 0
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10

===========
R3
===========

Interface Loopback 0
 ip address 10.3.3.3 255.255.255.0
 ip ospf network point-to-point
!
Router ospf 1
 router-id 0.0.0.3
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 192.168.3.10

===========
R4
===========

Interface Loopback 0
 ip address 10.4.4.4 255.255.255.0
 ip ospf network point-to-point
!
Router ospf 1
 router-id 0.0.0.4
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.4.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 192.168.4.10

*********************************************************
Lab # 2 - Dynamic NAT
*********************************************************

Requirement: Configure the ASA to translate the 10.1.1.0/24 network to a public range of 192.1.20.51-192.1.20.250

===========
ASA
===========

object network POOL-A
 range 192.1.20.51 192.1.20.250
!
object network NET-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (Inside,Outside) dynamic POOL-A

Verification Commands:
--------------------------
show nat detail - Displays the NAT configuration
show xlate      - Displays the current translation table

*********************************************************
Lab # 3 - Dynamic PAT
*********************************************************

Requirement: Configure the ASA to translate the 10.10.10.0/24 network to a public IP of 192.1.20.251

===========
ASA
===========

object network PAT-IP
 host 192.1.20.251
!
object network NET-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (Inside,Outside) dynamic PAT-IP

Requirement: Configure the ASA to translate the 10.111.111.0/24 network to the public IP of the Outside interface (Interface PAT)

===========
ASA
===========

object network NET-10.111.111.0
 subnet 10.111.111.0 255.255.255.0
 nat (Inside,Outside) dynamic interface

*********************************************************
Lab # 4 - Static NAT
*********************************************************

Requirement: Translate the following IPs on DMZ-3 to the corresponding public IPs

WWW  - 192.168.3.11 - 192.1.20.21
DNS  - 192.168.3.12 - 192.1.20.22
MAIL - 192.168.3.13 - 192.1.20.23
R3   - 192.168.3.3  - 192.1.20.24

Allow the appropriate traffic to the translated hosts (on ASA 8.3 and later, the access-list entries reference the real, untranslated addresses, not the public ones):

===========
ASA
===========

object network WWW1
 host 192.168.3.11
 nat (DMZ-3,Outside) static 192.1.20.21
!
object network DNS1
 host 192.168.3.12
 nat (DMZ-3,Outside) static 192.1.20.22
!
object network MAIL1
 host 192.168.3.13
 nat (DMZ-3,Outside) static 192.1.20.23
!
object network R3
 host 192.168.3.3
 nat (DMZ-3,Outside) static 192.1.20.24
!
access-list OUTSIDE permit tcp any host 192.168.3.11 eq 80
access-list OUTSIDE permit tcp any host 192.168.3.11 eq 443
access-list OUTSIDE permit udp any host 192.168.3.12 eq 53
access-list OUTSIDE permit tcp any host 192.168.3.13 eq 25
access-list OUTSIDE permit tcp any host 192.168.3.3 eq 23
access-list OUTSIDE permit icmp any host 192.168.3.3
!
access-group OUTSIDE in interface Outside

*********************************************************
Lab # 5 - Destination NAT
*********************************************************

Requirement: Translate 199.1.1.1 (MF) to 192.168.3.80 on the DMZ-3 interface. Configure R3 as a non-routing device.

===========
R3
===========

no ip route 0.0.0.0 0.0.0.0
no router ospf 1

===========
ASA
===========

object network MF
 host 199.1.1.1
 nat (Outside,DMZ-3) static 192.168.3.80

*********************************************************
Lab # 6 - Static PAT
*********************************************************

Requirement: Translate the following IPs on DMZ-4 to a single IP of 192.1.20.25

WWW  - 192.168.4.11 - 192.1.20.25 (TCP/80)
DNS  - 192.168.4.12 - 192.1.20.25 (UDP/53)
MAIL - 192.168.4.13 - 192.1.20.25 (TCP/25)
R4   - 192.168.4.4  - 192.1.20.25 (TCP/23)

Allow the appropriate traffic to the translated hosts:

===========
ASA
===========

object network WWW2
 host 192.168.4.11
 nat (DMZ-4,Outside) static 192.1.20.25 service tcp 80 80
!
object network DNS2
 host 192.168.4.12
 nat (DMZ-4,Outside) static 192.1.20.25 service udp 53 53
!
object network MAIL2
 host 192.168.4.13
 nat (DMZ-4,Outside) static 192.1.20.25 service tcp 25 25
!
object network R4
 host 192.168.4.4
 nat (DMZ-4,Outside) static 192.1.20.25 service tcp 23 2399
!
access-list OUTSIDE permit tcp any host 192.168.4.11 eq 80
access-list OUTSIDE permit udp any host 192.168.4.12 eq 53
access-list OUTSIDE permit tcp any host 192.168.4.13 eq 25
access-list OUTSIDE permit tcp any host 192.168.4.4 eq 23

*********************************************************
Lab # 7 - Manual NAT (Policy NAT)
*********************************************************

Requirement # 1: Translate the 10.11.11.0/24 network to an IP of 192.1.20.30

===========
ASA
===========

object network NET-10.11.11.0
 subnet 10.11.11.0 255.255.255.0
 nat (Inside,Outside) dynamic 192.1.20.30

Requirement # 2: Translate 10.11.11.1 to 192.1.20.31 when the destination is 199.1.1.1.
Translate 10.11.11.1 to 192.1.20.32 when the destination is 200.1.1.1.

===========
ASA
===========

object network R1
 host 10.11.11.1
!
object network H199
 host 199.1.1.1
!
object network H200
 host 200.1.1.1
!
object network X1
 host 192.1.20.31
!
object network X2
 host 192.1.20.32
!
nat (Inside,Outside) source static R1 X1 destination static H199 H199
nat (Inside,Outside) source static R1 X2 destination static H200 H200

***********************************************************
Lab # 8 - Interface Redundancy using Redundant Interfaces
***********************************************************

===========
SW2
===========

vlan 10
!
Interface range E0/0-2
 switchport mode access
 switchport access vlan 10

===========
ASA
===========

Interface E2
 no shut
!
Interface E3
 no shut
!
Interface Redundant 1
 member-interface E2
 member-interface E3
 nameif Inside
 ip address 10.11.11.10 255.255.255.0
 security-level 100
 mac-address 0001.1111.1111
 no shut

Verification:
show interface redundant 1
redundant-interface redundant 1 active-member e2   (Changes the active interface)

***********************************************************
Lab # 9 - Interface Redundancy using Port-Channels
***********************************************************

===========
SW1
===========

vlan 20
!
Interface range E0/1-2
 channel-group 20 mode active
!
Interface Port-Channel 20
 switchport mode access
 switchport access vlan 20
!
Interface E0/0
 switchport mode access
 switchport access vlan 20

===========
ASA
===========

Interface E0
 channel-group 20 mode active
 no shut
!
Interface E1
 channel-group 20 mode active
 no shut
!
Interface Port-Channel 20
 nameif Outside
 security-level 0
 ip address 192.1.20.10
 no shut
!
route Outside 0 0 192.1.20.2
!
object network NET-10.11.11.0
 subnet 10.11.11.0 255.255.255.0
 nat (Inside,Outside) dynamic interface

Verification:
show port-channel summary

***********************************************************
Lab # 10 - Initializing the Multi-Context Mode
***********************************************************

===========
ASA
===========

===============================================
1. Change the Context to Multi-Context Mode
===============================================

mode multiple

-> Changes the firewall from Single Context to Multi-Context Mode.
-> It reboots the device.
-> It boots into the System Context.
-> The System Context is a non-usable context (Non-Data).
-> It is used to configure the Data Context Resources.

===============================================
2. Bring the Physical Interfaces up
===============================================

===========
ASA
===========

Interface E0
 no shut
!
Interface E1
 no shut
!
Interface E2
 no shut
!
Interface E3
 no shut

===============================================
3. Create the context and assign the resources
===============================================

===========
ASA
===========

context VFW-1
 allocate-interface E0
 allocate-interface E1
 config-url flash:VFW1.cfg
!
context VFW-2
 allocate-interface E2
 allocate-interface E3
 config-url flash:VFW2.cfg

***********************************************************
Lab # 11 - Configuring the Data Firewalls (VFW-1 & VFW-2)
***********************************************************

===============================================
1. Configure VFW-1
===============================================

===============
ASA - Console
===============

changeto context VFW-1
!
Interface E0
 nameif Outside
 ip address 192.1.10.11
 security-level 0
 no shut
!
Interface E1
 nameif Inside
 ip address 10.30.30.11 255.255.255.0
 security-level 100
 no shut
!
route Outside 0 0 192.1.10.1
!
object network POOL-A
 range 192.1.10.51 192.1.10.200
!
object network NET-10.30.30.0
 subnet 10.30.30.0 255.255.255.0
 nat (Inside,Outside) dynamic POOL-A
!
passwd Cisco123
telnet 10.30.30.0 255.255.255.0 Inside

===============================================
2. Configure VFW-2
===============================================

==============
ASA - Console
==============

changeto context VFW-2
!
Interface E2
 nameif Outside
 ip address 192.1.20.21
 security-level 0
 no shut
!
Interface E3
 nameif Inside
 ip address 10.40.40.21 255.255.255.0
 security-level 100
 no shut
!
route Outside 0 0 192.1.20.2
!
object network NET-10.40.40.0
 subnet 10.40.40.0 255.255.255.0
 nat (Inside,Outside) dynamic 192.1.20.5
!
passwd Cisco123
telnet 10.40.40.0 255.255.255.0 Inside

===============================================
3. Configuring the Admin Context
===============================================

====================
ASA - Console
====================

changeto system
!
admin-context VFW-1

===========
R3
===========

telnet 10.30.30.11
changeto system

(It should work: VFW-1 is now the admin context, and only a session into the admin context can change to the system execution space.)
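A small model of the NAT lookup the ASA performs for the Lab 6 static PAT rules and the Lab 7 policy NAT rules, added here as an example; it is not part of the lab notes and is not ASA code. It assumes the ASA 8.3+ rule order (Section 1 manual NAT before Section 2 object NAT, static before dynamic) and ignores interfaces, pools and port allocation; the rule lists LAB6 and LAB7 are built from the configs above.

```python
# Constructed model of how an ASA (8.3+) picks a NAT rule, using the rules
# from Labs 6 and 7. Not ASA code: interfaces, pools and xlate timers are
# ignored. Lookup order: Section 1 (manual NAT, in configured order) before
# Section 2 (object NAT, static before dynamic); the first match wins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    section: int            # 1 = manual NAT, 2 = object NAT
    kind: str               # "static" or "dynamic"
    real: str               # real host/subnet in CIDR form
    mapped: str             # mapped IP (a single IP in these labs)
    dest: str = None        # manual NAT only: destination condition (CIDR)
    proto: str = None       # static PAT only: "tcp"/"udp"
    real_port: int = None
    mapped_port: int = None

def ordered(rules):
    # Section 1 keeps its configured order; Section 2 puts static before dynamic.
    return sorted(rules, key=lambda r: (r.section, r.kind == "dynamic"))

def translate_out(rules, src, dst):
    """Mapped source IP for an outbound flow, or None if no rule matches."""
    for r in ordered(rules):
        if r.proto or ip_address(src) not in ip_network(r.real):
            continue                       # port-specific rules are handled below
        if r.dest and ip_address(dst) not in ip_network(r.dest):
            continue                       # policy NAT: destination did not match
        return r.mapped
    return None

def untranslate_in(rules, mapped_ip, proto, port):
    """Real (ip, port) for an inbound flow to a mapped address; None = no xlate."""
    for r in ordered(rules):
        if r.kind != "static" or r.mapped != mapped_ip:
            continue
        real_ip = str(ip_network(r.real).network_address)
        if r.proto is None:
            return (real_ip, port)         # 1:1 static NAT keeps the port
        if r.proto == proto and r.mapped_port == port:
            return (real_ip, r.real_port)  # static PAT may rewrite the port (23 <-> 2399)
    return None

LAB7 = [Rule(1, "static", "10.11.11.1/32", "192.1.20.31", dest="199.1.1.1/32"),
        Rule(1, "static", "10.11.11.1/32", "192.1.20.32", dest="200.1.1.1/32"),
        Rule(2, "dynamic", "10.11.11.0/24", "192.1.20.30")]
LAB6 = [Rule(2, "static", "192.168.4.11/32", "192.1.20.25", proto="tcp", real_port=80, mapped_port=80),
        Rule(2, "static", "192.168.4.12/32", "192.1.20.25", proto="udp", real_port=53, mapped_port=53),
        Rule(2, "static", "192.168.4.13/32", "192.1.20.25", proto="tcp", real_port=25, mapped_port=25),
        Rule(2, "static", "192.168.4.4/32", "192.1.20.25", proto="tcp", real_port=23, mapped_port=2399)]
```

Note that an inbound connection to 192.1.20.25 on TCP/23 finds no static PAT entry and gets no xlate, while TCP/2399 is untranslated to R4's port 23, which is why the Lab 6 ACL permits the real port 23.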