
IPSec over GRE Tunnel:

Advantages:

- Creates a logical virtual interface between the two routers that the traffic appears to flow across
- Allows us to run an IGP routing protocol
- Allows multicast routing
- Traffic crossing the Internet is encrypted

Pre-Configuration:

ASA:
!
interface GigabitEthernet0
ip address 100.100.100.2 255.255.255.0
nameif outside
security-level 0
no shutdown
!
!
interface GigabitEthernet2
ip address 10.10.10.1 255.255.255.252
nameif inside
security-level 100
no shutdown

Corp:
!
interface FastEthernet 0/0
ip address 10.10.10.2 255.255.255.252
no shutdown
interface FastEthernet 0/1
ip address 10.10.11.1 255.255.255.252
no shutdown

Branch:
!
interface FastEthernet 0/0
ip address 100.100.100.10 255.255.255.0
no shutdown
!
interface FastEthernet 0/1
ip address 10.10.14.1 255.255.255.252
no shutdown

ASA:
!
interface GigabitEthernet1
no nameif
security-level 0
no ip address
no shut
!
interface GigabitEthernet1.1
nameif DMZ
security-level 50
ip address 20.20.20.1 255.255.255.0

SW1:
vlan database
vlan 10 name DMZ
exit
conf t
!
no ip routing
!
int fa1/0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface range FastEthernet 1/1 - 2
switchport mode access
switchport access vlan 10
!
ip default-gateway 20.20.20.1

SW2:
!
vlan database
vlan 2 name Sales
vlan 3 name Finance
exit
conf t
!
interface FastEthernet 1/0
switchport mode access
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet 1/1
switchport mode access
switchport access vlan 3
spanning-tree portfast
!
interface vlan 2
ip address 10.10.12.1 255.255.255.0
no shut
!
interface vlan 3
ip address 10.10.13.1 255.255.255.0
no shut
!
interface FastEthernet 0/0
ip address 10.10.11.2 255.255.255.252
no shut
!
ip dhcp excluded-address 10.10.12.1 10.10.12.9
!
ip dhcp pool VLAN2
network 10.10.12.0 /24
default-router 10.10.12.1
dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.13.1 10.10.13.9
!
ip dhcp pool VLAN3
network 10.10.13.0 /24
default-router 10.10.13.1
dns-server 8.8.8.8

SW3:
!
vlan database
vlan 2 name Accounting
vlan 3 name Management
exit
conf t
!
interface FastEthernet 1/0
switchport mode access
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet 1/1
switchport mode access
switchport access vlan 3
spanning-tree portfast
!
interface vlan 2
ip address 10.10.15.1 255.255.255.0
no shut
!
interface vlan 3
ip address 10.10.16.1 255.255.255.0
no shut
!
interface FastEthernet 0/0
ip address 10.10.14.2 255.255.255.252
no shut
!
ip dhcp excluded-address 10.10.15.1 10.10.15.9
!
ip dhcp pool VLAN2
network 10.10.15.0 /24
default-router 10.10.15.1
dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.16.1 10.10.16.9
!
ip dhcp pool VLAN3
network 10.10.16.0 /24
default-router 10.10.16.1
dns-server 8.8.8.8

Configuration GRE Tunnel:

Step 1: Create OSPF routing process:

CORP(config)# router ospf 123
CORP(config-router)# network 192.168.1.0 0.0.0.255 area 0

BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.1.1.0 0.0.0.255 area 0

Step 2: Configure layer 3 tunnel interfaces:

CORP(config)# interface tunnel 0
CORP(config-if)# tunnel source f0/0
CORP(config-if)# tunnel destination 192.168.137.10
CORP(config-if)# ip address 10.10.1.1 255.255.255.252
CORP(config-if)# tunnel path-mtu-discovery
CORP(config-if)# ip ospf mtu-ignore

BRANCH(config)# interface tunnel 0
BRANCH(config-if)# tunnel source f0/0
BRANCH(config-if)# tunnel destination 192.168.137.2
BRANCH(config-if)# ip address 10.10.1.2 255.255.255.252
BRANCH(config-if)# tunnel path-mtu-discovery
BRANCH(config-if)# ip ospf mtu-ignore

Verify:

CORP# ping 10.10.1.2
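The two MTU-related commands in Step 2 (`tunnel path-mtu-discovery` and `ip ospf mtu-ignore`) exist because every packet entering the tunnel grows twice: once for GRE and once for ESP. The following is an added worked example, not part of the lab, that computes that growth for the lab's own design (GRE carried inside ESP tunnel mode with `esp-aes 128` and `esp-sha-hmac`). It assumes a GRE header without key/sequence/checksum options, IPv4 headers without options, a 16-byte AES-CBC IV and the 96-bit truncated HMAC-SHA1 ICV; the constants and function names are this example's own.

```python
"""GRE-over-IPsec encapsulation overhead for the lab's cipher suite.

Added worked example (not from the lab). Assumptions: plain GRE header
(4 bytes), IPv4 headers without options, AES-128-CBC with a 16-byte IV,
and HMAC-SHA1-96 as the ESP integrity check.
"""
import math

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # GRE header with no key / sequence / checksum fields
ESP_HDR = 8          # SPI (4) + sequence number (4)
AES_CBC_IV = 16      # one AES block carried as the IV
AES_BLOCK = 16       # CBC padding unit
ESP_TRAILER = 2      # pad length (1) + next header (1)
SHA1_96_ICV = 12     # truncated HMAC-SHA1 ICV produced by esp-sha-hmac


def gre_size(inner_len):
    """Bytes on the wire after GRE: delivery IP header + GRE header + inner packet."""
    return IP_HDR + GRE_HDR + inner_len


def esp_tunnel_size(plain_len):
    """Bytes on the wire after ESP tunnel mode with AES-128-CBC / HMAC-SHA1-96.

    Payload + pad length + next header must fill whole AES blocks, so the
    padding is whatever brings (plain_len + 2) up to a multiple of 16.
    """
    padded = math.ceil((plain_len + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return IP_HDR + ESP_HDR + AES_CBC_IV + padded + SHA1_96_ICV


def wire_size(inner_len):
    """Inner IP packet -> GRE -> ESP (tunnel mode), the order used in the lab."""
    return esp_tunnel_size(gre_size(inner_len))


def max_inner_mtu(link_mtu=1500):
    """Largest inner packet whose encrypted GRE encapsulation still fits the link."""
    inner = link_mtu
    while wire_size(inner) > link_mtu:
        inner -= 1
    return inner


def overhead_table(sizes=(100, 1400, 1414, 1415, 1476, 1500)):
    """Map each inner packet size to its size after GRE + ESP."""
    return {size: wire_size(size) for size in sizes}


if __name__ == "__main__":
    for inner, wire in overhead_table().items():
        print(f"inner {inner:4d} bytes -> {wire:4d} bytes on the wire")
    print("largest inner packet on a 1500-byte link:", max_inner_mtu())
```

Running it shows that a GRE tunnel's default 1476-byte interface MTU is not enough on its own: a 1476-byte inner packet becomes 1560 bytes after encryption, so without path MTU discovery the router fragments the outer packet (or drops it when DF is set). The commonly used `ip mtu 1400` on the tunnel fits with room to spare (1496 bytes on the wire), and `ip ospf mtu-ignore` stops OSPF from refusing adjacency when the two tunnel ends report different interface MTUs.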

Step 3: Update OSPF Network Statements:

CORP(config)# router ospf 123
CORP(config-router)# network 10.10.1.0 0.0.0.3 area 0

BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.10.1.0 0.0.0.3 area 0

Verify:

CORP# show ip ospf neighbor

Configure IPSec:

Step 1: Define Traffic to be encrypted

CORP(config)# ip access-list extended IPSEC-TRAFFIC
CORP(config-ext-nacl)# remark VPN Traffic
CORP(config-ext-nacl)# permit gre host 192.168.137.2 host 192.168.137.10

BRANCH(config)# ip access-list extended IPSEC-TRAFFIC
BRANCH(config-ext-nacl)# remark VPN Traffic
BRANCH(config-ext-nacl)# permit gre host 192.168.137.10 host 192.168.137.2

Step 2: Phase 1: Isakmp policy

CORP(config)# crypto isakmp policy 1
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# encryption aes 128
CORP(config-isakmp)# hash sha
CORP(config-isakmp)# group 2

BRANCH(config)# crypto isakmp policy 1
BRANCH(config-isakmp)# authentication pre-share
BRANCH(config-isakmp)# encryption aes 128
BRANCH(config-isakmp)# hash sha
BRANCH(config-isakmp)# group 2

Step 3: Define Shared Secret

CORP(config)# crypto isakmp key 0 CISCO address 192.168.137.10

BRANCH(config)# crypto isakmp key 0 CISCO address 192.168.137.2

Step 4: Phase 2: IPSec transform set

CORP(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
CORP(cfg-crypto-trans)# mode tunnel

BRANCH(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
BRANCH(cfg-crypto-trans)# mode tunnel

Step 5: Create crypto-map

CORP(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
CORP(config-crypto-map)# description to BRANCH
CORP(config-crypto-map)# match address IPSEC-TRAFFIC
CORP(config-crypto-map)# set peer 192.168.137.10
CORP(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL

BRANCH(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
BRANCH(config-crypto-map)# description to CORP
BRANCH(config-crypto-map)# match address IPSEC-TRAFFIC
BRANCH(config-crypto-map)# set peer 192.168.137.2
BRANCH(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL

Step 6: Apply crypto-map to interfaces

CORP(config)# interface f0/0
CORP(config-if)# crypto map CRYPTO-MAP
CORP(config-if)# interface tunnel 0
CORP(config-if)# crypto map CRYPTO-MAP

BRANCH(config)# interface f0/0
BRANCH(config-if)# crypto map CRYPTO-MAP
BRANCH(config-if)# interface tunnel 0
BRANCH(config-if)# crypto map CRYPTO-MAP

Step 7: Verification

CORP# show ip ospf neighbor
CORP# show crypto ipsec sa
CORP# ping 10.10.1.2 repeat 50
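Most failures at Step 7 come from the two ends disagreeing on something that has to be a mirror image: the crypto ACL, the `set peer`, the pre-shared key binding, the tunnel destination, or an ISAKMP/transform attribute that was typed differently on one router. The following is an added example, not part of the lab and not a Cisco tool, that parses the CORP and BRANCH settings from Steps 1 to 5 (rewritten here as running-config text and embedded as constructed sample input) and reports every cross-peer mismatch. The parser reads only the lines the check needs, and the function and field names are this example's own.

```python
"""Peer-pair consistency check for the lab's GRE-over-IPsec settings.

Added example, not from the lab and not Cisco tooling: a small line parser
fed the CORP and BRANCH commands from Steps 1-5 as running-config text
(constructed sample input, indented the way `show run` prints it).
"""
import re
from ipaddress import ip_interface

CORP_CFG = """\
interface Tunnel0
 ip address 10.10.1.1 255.255.255.252
 tunnel destination 192.168.137.10
ip access-list extended IPSEC-TRAFFIC
 permit gre host 192.168.137.2 host 192.168.137.10
crypto isakmp policy 1
 authentication pre-share
 encryption aes 128
 hash sha
 group 2
crypto isakmp key 0 CISCO address 192.168.137.10
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
 mode tunnel
crypto map CRYPTO-MAP 1 ipsec-isakmp
 match address IPSEC-TRAFFIC
 set peer 192.168.137.10
 set transform-set TRANS-SET-GRE-TUNNEL
"""
# BRANCH is the mirror image: the addresses swap, everything else must match.
BRANCH_CFG = """\
interface Tunnel0
 ip address 10.10.1.2 255.255.255.252
 tunnel destination 192.168.137.2
ip access-list extended IPSEC-TRAFFIC
 permit gre host 192.168.137.10 host 192.168.137.2
crypto isakmp policy 1
 authentication pre-share
 encryption aes 128
 hash sha
 group 2
crypto isakmp key 0 CISCO address 192.168.137.2
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
 mode tunnel
crypto map CRYPTO-MAP 1 ipsec-isakmp
 match address IPSEC-TRAFFIC
 set peer 192.168.137.2
 set transform-set TRANS-SET-GRE-TUNNEL
"""


def parse(name, cfg):
    """Pull the fields the pair check needs out of IOS-style config text."""
    c, section = {"name": name, "isakmp": {}, "map": {}}, ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                  # top-level line opens a section
            section = line
            if m := re.match(r"crypto isakmp key (?:\d+ )?(\S+) address (\S+)", line):
                c["psk"], c["psk_peer"] = m.groups()
            if m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
                c["transform"] = m[1]
        elif section.startswith("interface Tunnel"):
            if m := re.match(r"ip address (\S+) (\S+)", line):
                c["tunnel_ip"] = ip_interface(f"{m[1]}/{m[2]}")
            if m := re.match(r"tunnel destination (\S+)", line):
                c["tunnel_dst"] = m[1]
        elif section.startswith("ip access-list"):
            if m := re.match(r"permit gre host (\S+) host (\S+)", line):
                c["acl"] = m.groups()                # (local endpoint, remote endpoint)
        elif section.startswith("crypto isakmp policy"):
            key, _, value = line.partition(" ")      # e.g. "group" -> "2"
            c["isakmp"][key] = value
        elif section.startswith("crypto ipsec transform-set") and line.startswith("mode "):
            c["mode"] = line.split()[1]
        elif section.startswith("crypto map"):
            words = line.split()                     # "set peer X" -> map["set peer"] = X
            c["map"][" ".join(words[:-1])] = words[-1]
    return c


def check_pair(a, b):
    """Return a list of cross-peer mismatches; an empty list means the ends agree."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        n, peer = local["name"], local["map"].get("set peer")
        if peer != remote["acl"][0]:
            findings.append(f"{n}: set peer {peer} is not the remote's crypto ACL source {remote['acl'][0]}")
        if local["tunnel_dst"] != peer:
            findings.append(f"{n}: tunnel destination {local['tunnel_dst']} differs from set peer {peer}")
        if local["psk_peer"] != peer:
            findings.append(f"{n}: pre-shared key is bound to {local['psk_peer']}, not to peer {peer}")
        if local["acl"] != tuple(reversed(remote["acl"])):
            findings.append(f"{n}: crypto ACL {local['acl']} does not mirror the remote's {remote['acl']}")
    if a["isakmp"] != b["isakmp"]:
        findings.append(f"ISAKMP policies differ: {a['isakmp']} vs {b['isakmp']}")
    if (a["transform"], a["mode"]) != (b["transform"], b["mode"]):
        findings.append("transform set or mode differs between peers")
    if a["tunnel_ip"].network != b["tunnel_ip"].network:
        findings.append("tunnel interface addresses are not in the same subnet")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    return findings


if __name__ == "__main__":
    corp, branch = parse("CORP", CORP_CFG), parse("BRANCH", BRANCH_CFG)
    print(check_pair(corp, branch) or "peers agree")
```

With the lab's values the check returns no findings; change one `set peer` or one ACL host and the corresponding lines are reported by router name. The check covers only the crypto settings, not the interface binding from Step 6. Two things it deliberately does not flag because they are the lab's stated choices, but which a production build should revisit: `group 2` is 1024-bit Diffie-Hellman and `hash sha` is SHA-1, both below current Cisco guidance (group 14 or higher, SHA-256), and with `authentication pre-share` the key `CISCO` is the only thing that authenticates the peer.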
