Lab 17: Dynamic Routing With ASA

1) The document describes tasks for configuring dynamic routing and site-to-site VPN between two ASA firewalls. 2) Key steps include configuring OSPF and EIGRP routing on the routers and ASAs, enabling NAT and PAT, establishing a site-to-site VPN with encryption, and allowing specific networks to communicate over the VPN tunnel. 3) Additional tasks include configuring dynamic routing so that all routers can reach the ISP, and allowing remote access to a router through the ASAs using a non-standard port number.

Uploaded by

sugapriya
Lab 17: Dynamic Routing with ASA

Task

1. Configure IP addresses as shown in the topology.
2. Configure dynamic routing as shown in the topology. Make sure the ASA1 router ID is 10.10.10.10. Every router must use a router ID that matches its name, e.g. 3.3.3.3 for R3.
3. Make sure R4 is able to reach ASA1.
4. After completing Task 3, apply whatever configuration is needed for R4 to reach R5.
5. Make sure ASA1 and ASA2 send traffic from inside and inside1 users via PAT. ASA1 and ASA2 should be able to ping each other.
6. Make sure all routers can ping the ISP.
7. Enable a site-to-site VPN on the ASAs and permit 151.2.0.0/24 and 192.144.0.0/24 to communicate with 10.0.78.0/24 and 192.168.101.0/24. Use netwaxlab as the ISAKMP key.
8. Make sure R5 can telnet to R7 using port 4223. Apply whatever configuration is needed.

Solution
• Task 2: Configure dynamic routing as shown in the topology. Make sure the ASA1 router ID is 10.10.10.10. Every router must use a router ID that matches its name, e.g. 3.3.3.3 for R3.

ASA1

router ospf 100
 router-id 10.10.10.10
 network 192.168.1.0 255.255.255.0 area 0
 network 10.0.0.0 255.255.255.0 area 0
 exit

ASA2

router eigrp 200
 network 192.168.101.0 255.255.255.0
 network 72.5.5.0 255.255.255.0
 no auto-summary
 exit

R1

router ospf 100
 router-id 1.1.1.1
 network 192.144.0.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 0
 exit

R2

router ospf 100
 router-id 2.2.2.2
 network 10.0.0.0 0.0.0.255 area 0
 network 151.2.0.0 0.0.0.255 area 2
 exit

R3

router ospf 100
 router-id 3.3.3.3
 network 20.0.0.0 0.0.0.255 area 3
 network 192.144.0.0 0.0.0.255 area 1
 exit

R4

router ospf 100
 router-id 4.4.4.4
 network 20.0.0.0 0.0.0.255 area 3
 exit

R5

router ospf 100
 router-id 5.5.5.5
 network 151.2.0.0 0.0.0.255 area 2
 exit

R6

router eigrp 200
 network 10.0.67.0 0.0.0.255
 network 10.0.68.0 0.0.0.255
 network 192.168.101.0
 no auto-summary
 exit

R7

router eigrp 200
 network 10.0.67.0 0.0.0.255
 network 10.0.78.0 0.0.0.255
 network 72.5.5.0 0.0.0.255
 no auto-summary
 exit

R8

router eigrp 200
 network 10.0.68.0 0.0.0.255
 network 10.0.78.0 0.0.0.255
 no auto-summary
 exit

• Task 3: Make sure R4 is able to reach ASA1.

R1

router ospf 100
 area 1 virtual-link 3.3.3.3
 exit

R3

router ospf 100
 area 1 virtual-link 1.1.1.1
 exit

• Task 4: After completing Task 3, apply whatever configuration is needed for R4 to reach R5.

Both ASAs

same-security-traffic permit inter-interface

• Task 5: Make sure ASA1 and ASA2 send traffic from inside and inside1 users via PAT. ASA1 and ASA2 should be able to ping each other.

ASA1

route outside 0 0 101.1.1.1

access-list NAT permit ip 192.168.1.0 255.255.255.0 any
access-list NAT permit ip 192.144.0.0 255.255.255.0 any
access-list NAT permit ip 10.0.0.0 255.255.255.0 any
access-list NAT permit ip 20.0.0.0 255.255.255.0 any
access-list NAT permit ip 151.2.0.0 255.255.255.0 any

nat (inside) 1 access-list NAT
nat (inside1) 1 access-list NAT
global (outside) 1 interface

ASA2

route outside 0 0 102.1.1.1

access-list NAT permit ip 192.168.101.0 255.255.255.0 any
access-list NAT permit ip 72.5.5.0 255.255.255.0 any
access-list NAT permit ip 10.0.67.0 255.255.255.0 any
access-list NAT permit ip 10.0.68.0 255.255.255.0 any
access-list NAT permit ip 10.0.78.0 255.255.255.0 any

nat (inside) 1 access-list NAT
nat (inside1) 1 access-list NAT
global (outside) 1 interface

• Task 6: Make sure all routers can ping the ISP.

ASA1

router ospf 100
 default-information originate
 redistribute connected
 exit

ASA2

router eigrp 200
 redistribute connected
 redistribute static
 exit

• Task 7: Enable a site-to-site VPN on the ASAs and permit 151.2.0.0/24 and 192.144.0.0/24 to communicate with 10.0.78.0/24 and 192.168.101.0/24. Use netwaxlab as the ISAKMP key.

ASA1

access-list VPN permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list VPN permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
 exit

crypto isakmp key netwaxlab address 102.1.1.2

crypto ipsec transform-set tset esp-3des esp-sha-hmac

crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 102.1.1.2

crypto isakmp enable OUTSIDE
crypto map CMAP interface outside

access-list nonat extended permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0

nat (inside1) 0 access-list nonat
nat (inside) 0 access-list nonat

ASA2

access-list VPN extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
 exit

crypto isakmp key netwaxlab address 101.1.1.2

crypto ipsec transform-set tset esp-3des esp-sha-hmac

crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 101.1.1.2

crypto isakmp enable OUTSIDE
crypto map CMAP interface outside

access-list nonat extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0

nat (inside1) 0 access-list nonat
nat (inside) 0 access-list nonat
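
A consistency check for the Task 7 configuration, added here as an example and not part of the original lab: it verifies that each ASA's crypto ACL is the exact mirror of its peer's and that every protected flow is also NAT-exempt, since the PAT rules from Task 5 would otherwise translate the traffic before it can match the crypto ACL. The helper names `parse_acl` and `audit` are hypothetical; the ACL lines are the ones shown in the solution above.

```python
import ipaddress

# VPN and nonat ACL lines copied from the Task 7 solution on this page.
ASA1 = """\
access-list VPN permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list VPN permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
"""
ASA2 = """\
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
"""

def parse_acl(config, name):
    """Return {(src_net, dst_net)} for 'permit ip <net> <mask> <net> <mask>' entries of one ACL."""
    pairs = set()
    for line in config.splitlines():
        tok = [t for t in line.split() if t != "extended"]  # the keyword is optional
        if tok[:4] == ["access-list", name, "permit", "ip"] and len(tok) == 8:
            pairs.add((ipaddress.ip_network(f"{tok[4]}/{tok[5]}"),
                       ipaddress.ip_network(f"{tok[6]}/{tok[7]}")))
    return pairs

def audit(local_cfg, peer_cfg):
    """Return a list of findings for the local side of the tunnel (empty means consistent)."""
    vpn, nonat = parse_acl(local_cfg, "VPN"), parse_acl(local_cfg, "nonat")
    peer_mirror = {(d, s) for s, d in parse_acl(peer_cfg, "VPN")}
    findings = []
    for src, dst in sorted(vpn - peer_mirror):
        findings.append(f"no mirrored entry on peer for {src} -> {dst}")
    for src, dst in sorted(vpn - nonat):
        findings.append(f"{src} -> {dst} is not NAT-exempt and would miss the crypto ACL")
    return findings

if __name__ == "__main__":
    for name, local, peer in (("ASA1", ASA1, ASA2), ("ASA2", ASA2, ASA1)):
        print(name, audit(local, peer) or "consistent")
```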

• Task 8: Make sure R5 can telnet to R7 using port 4223. Apply whatever configuration is needed.

ASA2

static (inside1,outside) tcp interface 4223 72.5.5.7 23

access-list OUT permit tcp host 101.1.1.2 host 102.1.1.2 eq 4223
