Lab 17: Dynamic Routing with ASA
Task
1. Configure IP addresses as shown in the topology.
2. Configure dynamic routing as shown in the topology. Make sure the ASA1 router ID is 10.10.10.10. Each router must use a router ID that matches its name, for example 3.3.3.3 for R3.
3. Make sure R4 is able to reach ASA1.
4. After completing Task 3, add whatever configuration is needed for R4 to reach R5.
5. Make sure ASA1 and ASA2 send traffic from inside and inside1 users via PAT. ASA1 and ASA2 should be able to ping each other.
6. Make sure all routers can ping the ISP.
7. Enable a site-to-site VPN on the ASAs and permit 151.2.0.0/24 and 192.144.0.0/24 to communicate with 10.0.78.0/24 and 192.168.101.0/24. Use netwaxlab as the ISAKMP key.
8. Make sure R5 can telnet to R7 using port 4223. Add whatever configuration is needed.
Figure 1 Topology
Solution
Task 2: Configure dynamic routing as shown in the topology. Make sure the ASA1 router ID is 10.10.10.10. Each router must use a router ID that matches its name, for example 3.3.3.3 for R3.
ASA1
router ospf 100
router-id 10.10.10.10
network 192.168.1.0 255.255.255.0 area 0
network 10.0.0.0 255.255.255.0 area 0
exit
ASA2
router eigrp 200
network 192.168.101.0 255.255.255.0
network 72.5.5.0 255.255.255.0
no auto-summary
exit
R1
router ospf 100
router-id 1.1.1.1
network 192.144.0.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
exit
R2
router ospf 100
router-id 2.2.2.2
network 10.0.0.0 0.0.0.255 area 0
network 151.2.0.0 0.0.0.255 area 2
exit
R3
router ospf 100
router-id 3.3.3.3
network 20.0.0.0 0.0.0.255 area 3
network 192.144.0.0 0.0.0.255 area 1
exit
R4
router ospf 100
router-id 4.4.4.4
network 20.0.0.0 0.0.0.255 area 3
exit
R5
router ospf 100
router-id 5.5.5.5
network 151.2.0.0 0.0.0.255 area 2
exit
R6
router eigrp 200
network 10.0.67.0 0.0.0.255
network 10.0.68.0 0.0.0.255
network 192.168.101.0
no auto-summary
exit
R7
router eigrp 200
network 10.0.67.0 0.0.0.255
network 10.0.78.0 0.0.0.255
network 72.5.5.0 0.0.0.255
no auto-summary
exit
R8
router eigrp 200
network 10.0.68.0 0.0.0.255
network 10.0.78.0 0.0.0.255
no auto-summary
exit
Task 3: Make sure R4 is able to reach ASA1.
R1
router ospf 100
area 1 virtual-link 3.3.3.3
exit
R3
router ospf 100
area 1 virtual-link 1.1.1.1
exit
Task 4: After completing Task 3, add whatever configuration is needed for R4 to reach R5.
Both ASAs
same-security-traffic permit inter-interface
Task 5: Make sure ASA1 and ASA2 send traffic from inside and inside1 users via PAT. ASA1 and ASA2 should be able to ping each other.
ASA1
route outside 0 0 101.1.1.1
access-list NAT permit ip 192.168.1.0 255.255.255.0 any
access-list NAT permit ip 192.144.0.0 255.255.255.0 any
access-list NAT permit ip 10.0.0.0 255.255.255.0 any
access-list NAT permit ip 20.0.0.0 255.255.255.0 any
access-list NAT permit ip 151.2.0.0 255.255.255.0 any
nat (inside) 1 access-list NAT
nat (inside1) 1 access-list NAT
global (outside) 1 interface
ASA2
route outside 0 0 102.1.1.1
access-list NAT permit ip 192.168.101.0 255.255.255.0 any
access-list NAT permit ip 72.5.5.0 255.255.255.0 any
access-list NAT permit ip 10.0.67.0 255.255.255.0 any
access-list NAT permit ip 10.0.68.0 255.255.255.0 any
access-list NAT permit ip 10.0.78.0 255.255.255.0 any
nat (inside) 1 access-list NAT
nat (inside1) 1 access-list NAT
global (outside) 1 interface
Task 6: Make sure all routers can ping the ISP.
ASA1
router ospf 100
default-information originate
redistribute connected
exit
ASA2
router eigrp 200
redistribute connected
redistribute static
exit
Task 7: Enable a site-to-site VPN on the ASAs and permit 151.2.0.0/24 and 192.144.0.0/24 to communicate with 10.0.78.0/24 and 192.168.101.0/24. Use netwaxlab as the ISAKMP key.
ASA1
access-list VPN permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list VPN permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp key netwaxlab address 102.1.1.2
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 102.1.1.2
crypto isakmp enable OUTSIDE
crypto map CMAP interface outside
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside1) 0 access-list nonat
nat (inside) 0 access-list nonat
ASA2
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp key netwaxlab address 101.1.1.2
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 101.1.1.2
crypto isakmp enable OUTSIDE
crypto map CMAP interface outside
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
nat (inside1) 0 access-list nonat
nat (inside) 0 access-list nonat
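Added example (not part of the original lab): a Python check, run over the Task 7 access-list lines from this page, that each ASA's crypto ACL mirrors its peer's and that every VPN flow also appears in the nonat ACL so it bypasses PAT. The function names and sample strings are constructed here, and only the `permit ip <net> <mask> <net> <mask>` form used in this lab is parsed.

```python
import ipaddress
import re

# Constructed sample input: the Task 7 VPN and nonat ACL lines from this lab.
ASA1 = """\
access-list VPN permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list VPN permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
"""
ASA2 = """\
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
"""

ACE = re.compile(
    r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def aces(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    return {(ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_network(f"{m[4]}/{m[5]}"))
            for m in ACE.finditer(config) if m[1] == name}

def audit(local, remote):
    """Findings for one peer: its crypto ACL must mirror the peer's and be NAT-exempt."""
    vpn, nonat = aces(local, "VPN"), aces(local, "nonat")
    mirrored = {(d, s) for s, d in aces(remote, "VPN")}  # peer ACL with src/dst swapped
    out = [f"no mirror entry on peer: {s} -> {d}" for s, d in sorted(vpn - mirrored)]
    out += [f"peer entry without local match: {s} -> {d}" for s, d in sorted(mirrored - vpn)]
    out += [f"VPN traffic not exempt from PAT: {s} -> {d}" for s, d in sorted(vpn - nonat)]
    return out

if __name__ == "__main__":
    for name, local, remote in (("ASA1", ASA1, ASA2), ("ASA2", ASA2, ASA1)):
        print(name, audit(local, remote) or "OK")
```

A mismatch between the two crypto ACLs is a common reason a tunnel negotiates for some subnets but not others, and a missing nonat entry lets PAT rewrite the source before the crypto map can match it.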
Task 8: Make sure R5 can telnet to R7 using port 4223. Add whatever configuration is needed.
ASA2
static (inside1,outside) tcp interface 4223 72.5.5.7 23
access-list OUT permit tcp host 101.1.1.2 host 102.1.1.2 eq 4223