Task
Topology
- Configure IP addresses as given in the topology.
- Make sure ICMP is open for all networks on the ASAs.
- Configure PAT on both ASAs.
- Make sure ASA1 and ASA2 can ping each other.
- Configure a site-to-site VPN over the ASAs. Make sure 192.168.1.2 and 192.168.2.2 can ping each other. Use NAT exemption for VPN traffic.
Solution
Task 2: Make sure ICMP is open for all networks on the ASAs.
On both ASAs
============
access-list ICMP permit icmp any any
access-group ICMP in interface outside
Task 3: Configure PAT on both ASAs.
On ASA 1
========
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
On ASA 2
========
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
Task 4: Make sure ASA1 and ASA2 can ping each other.
On ASA 1
========
route outside 0 0 101.1.1.1
On ASA 2
========
route outside 0 0 102.1.1.1
Task 5: Configure a site-to-site VPN over the ASAs. Make sure 192.168.1.2 and 192.168.2.2 can ping each other. Use NAT exemption for VPN traffic.
On ASA 1
========
! IKE phase 1 policy and pre-shared key for the peer (ASA 2 outside)
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
 exit
crypto isakmp key cisco address 102.1.1.100
! IKE phase 2 transform set
crypto ipsec transform-set tset esp-3des esp-sha-hmac
! Interesting traffic: the hosts named in the task, same pair as the nonat ACL
access-list VPN permit ip host 192.168.1.2 host 192.168.2.2
crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 102.1.1.100
crypto isakmp enable outside
crypto map CMAP interface outside
NAT Exemption
=============
access-list nonat permit ip host 192.168.1.2 host 192.168.2.2
nat (inside) 0 access-list nonat
On ASA 2
========
! IKE phase 1 policy and pre-shared key for the peer (ASA 1 outside)
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
 exit
crypto isakmp key cisco address 101.1.1.100
! IKE phase 2 transform set
crypto ipsec transform-set tset esp-3des esp-sha-hmac
! Interesting traffic: mirror image of the ACL on ASA 1
access-list VPN permit ip host 192.168.2.2 host 192.168.1.2
crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 101.1.1.100
crypto isakmp enable outside
crypto map CMAP interface outside
NAT Exemption
=============
access-list nonat permit ip host 192.168.2.2 host 192.168.1.2
nat (inside) 0 access-list nonat
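The Task 5 tunnel only passes traffic when each side's crypto ACL is covered by its own NAT exemption, mirrors the peer's crypto ACL, and has a pre-shared key for the configured peer. The Python check below is an added example, not part of the original post; the ASA1/ASA2 strings are constructed sample input, the function names are hypothetical, and it also flags the lab's 3DES and DH group 2 as legacy settings.

```python
import re

# Constructed sample input: the VPN-relevant lines for each ASA, using the
# lab's addressing (assumption: inside hosts are 192.168.1.2 and 192.168.2.2).
ASA1 = """\
crypto isakmp policy 1
 encryption 3des
 group 2
crypto isakmp key cisco address 102.1.1.100
access-list VPN permit ip host 192.168.1.2 host 192.168.2.2
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 102.1.1.100
access-list nonat permit ip host 192.168.1.2 host 192.168.2.2
nat (inside) 0 access-list nonat
"""
# ASA2 is the mirror image: swap the host pair and point at ASA1's outside IP.
ASA2 = (ASA1.replace("192.168.1.2 host 192.168.2.2", "192.168.2.2 host 192.168.1.2")
            .replace("102.1.1.100", "101.1.1.100"))

def first(cfg, pattern):
    """First capture group of the first matching line, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def acl_pairs(cfg, name):
    """Set of (src, dst) from 'permit ip host A host B' entries of ACL `name`."""
    if name is None:
        return set()
    pat = rf"^access-list {re.escape(name)} permit ip host (\S+) host (\S+)\s*$"
    return set(re.findall(pat, cfg, re.M))

def audit(local, remote):
    """Findings for `local`, checked against its own NAT rules and the peer."""
    crypto_acl = r"^crypto map \S+ \d+ match address (\S+)"
    crypto = acl_pairs(local, first(local, crypto_acl))
    exempt = acl_pairs(local, first(local, r"^nat \(inside\) 0 access-list (\S+)"))
    mirror = {(dst, src) for src, dst in acl_pairs(remote, first(remote, crypto_acl))}
    peer = first(local, r"^crypto map \S+ \d+ set peer (\S+)")
    findings = []
    if not crypto:
        findings.append("no crypto ACL entries")
    if crypto - exempt:  # un-exempted flows are PATed and never match the crypto ACL
        findings.append("crypto ACL flow missing from NAT exemption")
    if crypto != mirror:
        findings.append("crypto ACL does not mirror the peer's")
    if not peer or not re.search(rf"^crypto isakmp key \S+ address {re.escape(peer)}\s*$", local, re.M):
        findings.append("no pre-shared key for the configured peer")
    if re.search(r"^\s*encryption 3?des\s*$|^\s*group [12]\s*$", local, re.M):
        findings.append("legacy IKE crypto (DES/3DES or DH group 1/2)")
    return findings
```

Call `audit(ASA1, ASA2)` and `audit(ASA2, ASA1)` with the relevant lines of each running configuration; an empty list means the two sides are consistent.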