Task
Topology
- Configure IP addresses as shown in the topology.
- Configure dynamic routing as shown in the topology. Make sure the ASA1 router ID is 10.10.10.10. Every router must use a router ID that matches its name, such as 3.3.3.3 for R3.
- Make sure R4 is able to reach ASA1.
- After completing Task 3, add whatever configuration is needed for R4 to reach R5.
- Make sure ASA1 and ASA2 send traffic from inside and inside1 users via PAT. ASA1 and ASA2 should be able to ping each other.
- Make sure all routers can ping the ISP.
- Enable a site-to-site VPN on the ASAs and permit 151.2.0.0/24 and 192.144.0.0/24 to communicate with 10.0.78.0/24 and 192.168.101.0/24. Use netwaxlab as the ISAKMP key.
- Make sure R5 can telnet to R7 using port 4223. Add whatever configuration is needed.
Solution
Task 2: Configure dynamic routing as shown in the topology. Make sure the ASA1 router ID is 10.10.10.10. Every router must use a router ID that matches its name, such as 3.3.3.3 for R3.
On ASA1
========
router ospf 100
router-id 10.10.10.10
network 192.168.1.0 255.255.255.0 area 0
network 10.0.0.0 255.255.255.0 area 0
exit
On ASA2
========
router eigrp 200
network 192.168.101.0 255.255.255.0
network 72.5.5.0 255.255.255.0
no auto-summary
exit
On R1
=====
router ospf 100
router-id 1.1.1.1
network 192.144.0.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
exit
On R2
=====
router ospf 100
router-id 2.2.2.2
network 10.0.0.0 0.0.0.255 area 0
network 151.2.0.0 0.0.0.255 area 2
exit
On R3
=====
router ospf 100
router-id 3.3.3.3
network 20.0.0.0 0.0.0.255 area 3
network 192.144.0.0 0.0.0.255 area 1
exit
On R4
=====
router ospf 100
router-id 4.4.4.4
network 20.0.0.0 0.0.0.255 area 3
exit
On R5
=====
router ospf 100
router-id 5.5.5.5
network 151.2.0.0 0.0.0.255 area 2
exit
On R6
=====
router eigrp 200
network 10.0.67.0 0.0.0.255
network 10.0.68.0 0.0.0.255
network 192.168.101.0
no auto-summary
exit
On R7
=====
router eigrp 200
network 10.0.67.0 0.0.0.255
network 10.0.78.0 0.0.0.255
network 72.5.5.0 0.0.0.255
no auto-summary
exit
On R8
=====
router eigrp 200
network 10.0.68.0 0.0.0.255
network 10.0.78.0 0.0.0.255
no auto-summary
exit
Task 3: Make sure R4 is able to reach ASA1.
On R1
=====
router ospf 100
area 1 virtual-link 3.3.3.3
exit
On R3
=====
router ospf 100
area 1 virtual-link 1.1.1.1
exit
Task 4: After completing Task 3, add whatever configuration is needed for R4 to reach R5.
On both ASAs
=============
same-security-traffic permit inter-interface
Task 5: Make sure ASA1 and ASA2 send traffic from inside and inside1 users via PAT. ASA1 and ASA2 should be able to ping each other.
On ASA1
=======
route outside 0 0 101.1.1.1
access-list NAT permit ip 192.168.1.0 255.255.255.0 any
access-list NAT permit ip 192.144.0.0 255.255.255.0 any
access-list NAT permit ip 10.0.0.0 255.255.255.0 any
access-list NAT permit ip 20.0.0.0 255.255.255.0 any
access-list NAT permit ip 151.2.0.0 255.255.255.0 any
nat (inside) 1 access-list NAT
nat (inside1) 1 access-list NAT
global (outside) 1 interface
On ASA2
=======
route outside 0 0 102.1.1.1
access-list NAT permit ip 192.168.101.0 255.255.255.0 any
access-list NAT permit ip 72.5.5.0 255.255.255.0 any
access-list NAT permit ip 10.0.67.0 255.255.255.0 any
access-list NAT permit ip 10.0.68.0 255.255.255.0 any
access-list NAT permit ip 10.0.78.0 255.255.255.0 any
nat (inside) 1 access-list NAT
nat (inside1) 1 access-list NAT
global (outside) 1 interface
Task 6: Make sure all routers can ping the ISP.
On ASA1
=======
router ospf 100
default-information originate
redistribute connected
exit
On ASA2
=======
router eigrp 200
redistribute connected
redistribute static
exit
Task 7: Enable a site-to-site VPN on the ASAs and permit 151.2.0.0/24 and 192.144.0.0/24 to communicate with 10.0.78.0/24 and 192.168.101.0/24. Use netwaxlab as the ISAKMP key.
On ASA1
=======
access-list VPN permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list VPN permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp key netwaxlab address 102.1.1.2
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 102.1.1.2
crypto isakmp enable OUTSIDE
crypto map CMAP interface outside
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside1) 0 access-list nonat
nat (inside) 0 access-list nonat
On ASA2
=======
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp key netwaxlab address 101.1.1.2
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 101.1.1.2
crypto isakmp enable OUTSIDE
crypto map CMAP interface outside
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
nat (inside1) 0 access-list nonat
nat (inside) 0 access-list nonat
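Added example (not part of the original lab solution): a Python check that the crypto ACLs on the two ASAs mirror each other and that every VPN flow is covered by the nat 0 exemption, so it is not translated by the Task 5 PAT rule before the crypto map sees it. The sample input is constructed from the VPN and nonat lines above; the function names are this example's own.

```python
import ipaddress

# Constructed sample input: the VPN and nonat ACL lines of the Task 7 solution.
ASA1 = """\
access-list VPN permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list VPN permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
"""
ASA2 = """\
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
"""

def acl_pairs(config, name):
    """Return {(src, dst)} networks from 'access-list <name> ... permit ip' lines."""
    pairs = set()
    for line in config.splitlines():
        tok = [t for t in line.split() if t != "extended"]  # keyword is optional
        if tok[:4] == ["access-list", name, "permit", "ip"] and len(tok) == 8:
            pairs.add((ipaddress.ip_network(f"{tok[4]}/{tok[5]}"),
                       ipaddress.ip_network(f"{tok[6]}/{tok[7]}")))
    return pairs

def check_tunnel(local_cfg, peer_cfg):
    """Problems on the local ASA: unmirrored crypto ACL entries, missing NAT exemption."""
    vpn, nonat = acl_pairs(local_cfg, "VPN"), acl_pairs(local_cfg, "nonat")
    mirrored = {(dst, src) for src, dst in acl_pairs(peer_cfg, "VPN")}
    problems = [f"peer has no mirror of {s} -> {d}" for s, d in sorted(vpn - mirrored)]
    for s, d in sorted(vpn):
        if not any(s.subnet_of(a) and d.subnet_of(b) for a, b in nonat):
            problems.append(f"{s} -> {d} is not NAT-exempt")
    return problems

if __name__ == "__main__":
    for local, peer, label in ((ASA1, ASA2, "ASA1"), (ASA2, ASA1, "ASA2")):
        print(label, check_tunnel(local, peer) or "OK")
```

Only `permit ip` entries with explicit network and mask are modelled; `any`, `host` and object-group entries are ignored by this check.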
Task 8: Make sure R5 can telnet to R7 using port 4223. Add whatever configuration is needed.
On ASA2
=======
static (inside1,outside) tcp interface 4223 72.5.5.7 23
access-list OUT permit tcp host 101.1.1.2 host 102.1.1.2 eq 4223