ASA Firewall Lab

IPSec over GRE Tunnel:

Advantages:

- Creates a logical virtual interface between the two routers that the traffic appears to flow across
- Allows us to run an IGP routing protocol
- Allows multicast routing
- Encrypts the traffic going across the Internet

Pre-Configuration:

ASA
!
interface GigabitEthernet0
ip address 100.100.100.2 255.255.255.0
nameif outside
security-level 0
no shutdown
!
!
interface GigabitEthernet2
ip address 10.10.10.1 255.255.255.252
nameif inside
security-level 100
no shutdown

Corp
!
interface FastEthernet 0/0
ip address 10.10.10.2 255.255.255.252
no shutdown
interface FastEthernet 0/1
ip address 10.10.11.1 255.255.255.252
no shutdown

Branch
!
interface FastEthernet 0/0
ip address 100.100.100.10 255.255.255.0
no shutdown
!
interface FastEthernet 0/1
ip address 10.10.14.1 255.255.255.252
no shutdown

ASA
!
interface GigabitEthernet1
no nameif
security-level 0
no ip address
no shut
!
interface GigabitEthernet1.1
! dot1q tag must match VLAN 10 carried on the SW1 trunk
vlan 10
nameif DMZ
security-level 50
ip address 20.20.20.1 255.255.255.0

SW1
vlan database
vlan 10 name DMZ
exit
conf t
!
no ip routing
!
int fa1/0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface range FastEthernet 1/1 - 2
switchport mode access
switchport access vlan 10
!
ip default-gateway 20.20.20.1

SW2
!
vlan database
vlan 2 name Sales
vlan 3 name Finance
exit
conf t
!
interface FastEthernet 1/0
switchport mode access
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet 1/1
switchport mode access
switchport access vlan 3
spanning-tree portfast
!
interface vlan 2
ip address 10.10.12.1 255.255.255.0
no shut
!
interface vlan 3
ip address 10.10.13.1 255.255.255.0
no shut
!
interface FastEthernet 0/0
ip address 10.10.11.2 255.255.255.252
no shut
!
ip dhcp excluded-address 10.10.12.1 10.10.12.9
!
ip dhcp pool VLAN2
network 10.10.12.0 /24
default-router 10.10.12.1
dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.13.1 10.10.13.9
!
ip dhcp pool VLAN3
network 10.10.13.0 /24
default-router 10.10.13.1
dns-server 8.8.8.8

SW3
!
vlan database
vlan 2 name Accounting
vlan 3 name Management
exit
conf t
!
interface FastEthernet 1/0
switchport mode access
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet 1/1
switchport mode access
switchport access vlan 3
spanning-tree portfast
!
interface vlan 2
ip address 10.10.15.1 255.255.255.0
no shut
!
interface vlan 3
ip address 10.10.16.1 255.255.255.0
no shut
!
interface FastEthernet 0/0
ip address 10.10.14.2 255.255.255.252
no shut
!
ip dhcp excluded-address 10.10.15.1 10.10.15.9
!
ip dhcp pool VLAN2
network 10.10.15.0 /24
default-router 10.10.15.1
dns-server 8.8.8.8
!
ip dhcp excluded-address 10.10.16.1 10.10.16.9
!
ip dhcp pool VLAN3
network 10.10.16.0 /24
default-router 10.10.16.1
dns-server 8.8.8.8

Configuration GRE Tunnel:

Step 1: Create OSPF routing process:

CORP(config)# router ospf 123
CORP(config-router)# network 192.168.1.0 0.0.0.255 area 0

BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.1.1.0 0.0.0.255 area 0

Step 2: Configure layer 3 tunnel interfaces:

CORP(config)# interface tunnel 0
CORP(config-if)# tunnel source f0/0
CORP(config-if)# tunnel destination 192.168.137.10
CORP(config-if)# ip address 10.10.1.1 255.255.255.252
CORP(config-if)# tunnel path-mtu-discovery
CORP(config-if)# ip ospf mtu-ignore

BRANCH(config)# interface tunnel 0
BRANCH(config-if)# tunnel source f0/0
BRANCH(config-if)# tunnel destination 192.168.137.2
BRANCH(config-if)# ip address 10.10.1.2 255.255.255.252
BRANCH(config-if)# tunnel path-mtu-discovery
BRANCH(config-if)# ip ospf mtu-ignore

Verify:

CORP# ping 10.10.1.2

Step 3: Update OSPF Network Statements:

CORP(config)# router ospf 123
CORP(config-router)# network 10.10.1.0 0.0.0.3 area 0

BRANCH(config)# router ospf 123
BRANCH(config-router)# network 10.10.1.0 0.0.0.3 area 0

Verify:

CORP# show ip ospf neighbor
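The tunnel interface commands tunnel path-mtu-discovery and ip ospf mtu-ignore are there because GRE and then ESP add a fixed amount of overhead to every packet, so a 1500-byte packet entering the tunnel no longer fits a 1500-byte link, and the two ends of a tunnel can end up advertising different MTUs in their OSPF database descriptions. The Python below is an added worked example, not part of the lab, that carries the size arithmetic through for the transform set the lab uses in the IPsec steps (esp-aes 128 / esp-sha-hmac, tunnel mode) and a plain GRE header with no key, checksum or sequence number (an assumption; the lab's tunnel commands add none). The results are what one would set with ip mtu and ip tcp adjust-mss on the tunnel interface; the lab configures neither.

```python
# Added example (not from the lab): size arithmetic for GRE over IPsec with the
# lab's transform set (ESP, AES-128-CBC, HMAC-SHA1-96, tunnel mode) and a plain
# GRE header (no key, checksum or sequence number). All figures are in bytes.

OUTER_IP = 20          # IPv4 header added by GRE, and added again by ESP tunnel mode
GRE_HDR = 4            # flags/version + protocol type
ESP_HDR = 8            # SPI + sequence number
AES_CBC_IV = 16        # IV carried in every AES-CBC ESP packet
AES_BLOCK = 16         # ESP payload plus trailer is padded to a whole block
ESP_TRAILER = 2        # pad length + next header
SHA1_96_ICV = 12       # truncated HMAC-SHA1 integrity check value


def esp_padded_len(plaintext_len):
    """Plaintext plus ESP trailer, rounded up to a whole AES block."""
    return -(-(plaintext_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK


def gre_over_ipsec_size(inner_len):
    """On-the-wire size of one inner IP packet after GRE and then ESP encapsulation."""
    gre_packet = OUTER_IP + GRE_HDR + inner_len
    return OUTER_IP + ESP_HDR + AES_CBC_IV + esp_padded_len(gre_packet) + SHA1_96_ICV


def max_inner_packet(link_mtu=1500):
    """Largest inner packet that still fits the physical link without fragmentation."""
    inner = link_mtu
    while gre_over_ipsec_size(inner) > link_mtu:
        inner -= 1
    return inner


def tunnel_sizing(link_mtu=1500):
    """Values for 'ip mtu' and 'ip tcp adjust-mss' on the tunnel interface."""
    inner = max_inner_packet(link_mtu)
    # 40 = IPv4 header + TCP header without options
    return {"ip_mtu": inner, "tcp_mss": inner - 40}


if __name__ == "__main__":
    print("a 1500-byte packet becomes", gre_over_ipsec_size(1500), "bytes on the wire")
    print("sizing for a 1500-byte link:", tunnel_sizing())
```

With a 1500-byte link the largest inner packet that avoids fragmentation works out to 1414 bytes, which is why the usual rounded-down recommendation is ip mtu 1400 with ip tcp adjust-mss 1360. Fragmenting after encryption is the expensive case, since the receiving peer must reassemble before it can verify the ICV, so the tunnel MTU should be set below that limit rather than left at the default.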

Configure IPSec:

Step 1: Define Traffic to be encrypted

CORP(config)# ip access-list extended IPSEC-TRAFFIC
CORP(config-ext-nacl)# remark VPN Traffic
CORP(config-ext-nacl)# permit gre host 192.168.137.2 host 192.168.137.10

BRANCH(config)# ip access-list extended IPSEC-TRAFFIC
BRANCH(config-ext-nacl)# remark VPN Traffic
BRANCH(config-ext-nacl)# permit gre host 192.168.137.10 host 192.168.137.2

Step 2: Phase 1: Isakmp policy

CORP(config)# crypto isakmp policy 1
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# encryption aes 128
CORP(config-isakmp)# hash sha
CORP(config-isakmp)# group 2

BRANCH(config)# crypto isakmp policy 1
BRANCH(config-isakmp)# authentication pre-share
BRANCH(config-isakmp)# encryption aes 128
BRANCH(config-isakmp)# hash sha
BRANCH(config-isakmp)# group 2

Step 3: Define Shared Secret

CORP(config)# crypto isakmp key 0 CISCO address 192.168.137.10

BRANCH(config)# crypto isakmp key 0 CISCO address 192.168.137.2

Step 4: Phase 2: IPSec transform set

CORP(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
CORP(cfg-crypto-trans)# mode tunnel

BRANCH(config)# crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
BRANCH(cfg-crypto-trans)# mode tunnel

Step 5: Create crypto-map

CORP(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
CORP(config-crypto-map)# description to BRANCH
CORP(config-crypto-map)# match address IPSEC-TRAFFIC
CORP(config-crypto-map)# set peer 192.168.137.10
CORP(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL

BRANCH(config)# crypto map CRYPTO-MAP 1 ipsec-isakmp
BRANCH(config-crypto-map)# description to CORP
BRANCH(config-crypto-map)# match address IPSEC-TRAFFIC
BRANCH(config-crypto-map)# set peer 192.168.137.2
BRANCH(config-crypto-map)# set transform-set TRANS-SET-GRE-TUNNEL

Step 6: Apply crypto-map to interfaces

CORP(config)# interface f0/0
CORP(config-if)# crypto map CRYPTO-MAP
CORP(config-if)# interface tunnel 0
CORP(config-if)# crypto map CRYPTO-MAP

BRANCH(config)# interface f0/0
BRANCH(config-if)# crypto map CRYPTO-MAP
BRANCH(config-if)# interface tunnel 0
BRANCH(config-if)# crypto map CRYPTO-MAP

Step 7: Verification

CORP# show ip ospf neighbor
CORP# show crypto ipsec sa
CORP# ping 10.10.1.2 repeat 50
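Most failures at Step 7 come from the two peers not being exact mirrors of each other: a phase 1 attribute that differs, a crypto ACL that is not reversed on the far side, a set peer that does not match the tunnel destination, or a crypto map that was never applied. The Python below is an added example, not part of the lab, that checks those relationships offline before the tunnel is brought up. It parses the CORP and BRANCH commands from Steps 1 to 6 (embedded here as a constructed sample with the ROUTER(config-...)# prompts stripped and child commands indented one space, the way IOS prints a running-config); the BRANCH text is derived from CORP by swapping the two 192.168.137.x addresses, which is exactly what the lab does by hand. The parser only understands the handful of commands the lab uses.

```python
import re

# Constructed sample input: the CORP commands from the lab's tunnel and IPsec
# steps, prompts removed, child commands indented one space as IOS prints them.
CORP = """\
interface tunnel 0
 tunnel source f0/0
 tunnel destination 192.168.137.10
 ip address 10.10.1.1 255.255.255.252
ip access-list extended IPSEC-TRAFFIC
 remark VPN Traffic
 permit gre host 192.168.137.2 host 192.168.137.10
crypto isakmp policy 1
 authentication pre-share
 encryption aes 128
 hash sha
 group 2
crypto isakmp key 0 CISCO address 192.168.137.10
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
 mode tunnel
crypto map CRYPTO-MAP 1 ipsec-isakmp
 match address IPSEC-TRAFFIC
 set peer 192.168.137.10
 set transform-set TRANS-SET-GRE-TUNNEL
interface f0/0
 crypto map CRYPTO-MAP
"""
# BRANCH is the mirror image: the two public addresses swapped, tunnel IP .2.
BRANCH = (CORP.replace("192.168.137.10", "PEER").replace("192.168.137.2", "192.168.137.10")
          .replace("PEER", "192.168.137.2").replace("10.10.1.1 ", "10.10.1.2 "))


def parse_ios(text, name):
    """Extract the VPN-relevant fields of one router into a dict (lab commands only)."""
    cfg = {"name": name, "policy": {}, "acl": [], "tunnel": {}, "map": {}, "crypto_if": []}
    section, current_if = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):                        # global (parent) command
            section = line.split()[0]
            if (m := re.match(r"interface (.+)", line)):
                current_if = m.group(1).lower()
            elif (m := re.match(r"crypto isakmp key \S+ (\S+) address (\S+)", line)):
                cfg["psk"], cfg["psk_peer"] = m.groups()
            elif (m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line)):
                cfg["tset"], cfg["tset_algs"] = m.group(1), m.group(2).split()
            elif (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line)):
                cfg["map"]["name"] = m.group(1)
            continue
        word, *rest = line.split()                         # child command of `section`
        if section == "interface":
            if word == "tunnel" and rest[0] in ("source", "destination"):
                cfg["tunnel"][rest[0]] = rest[1]
            elif word == "ip" and rest[0] == "address" and current_if.startswith("tunnel"):
                cfg["tunnel"]["ip"] = rest[1]
            elif word == "crypto" and rest[:1] == ["map"]:
                cfg["crypto_if"].append((current_if, rest[1]))
        elif section == "ip" and word == "permit" and rest[0] == "gre":
            cfg["acl"].append((rest[2], rest[4]))           # permit gre host A host B
        elif section == "crypto":
            if word in ("authentication", "encryption", "hash", "group"):
                cfg["policy"][word] = " ".join(rest)
            elif word == "set":                             # set peer X / set transform-set Y
                cfg["map"][rest[0].replace("transform-set", "tset")] = rest[1]
            elif word == "match" and rest[0] == "address":
                cfg["map"]["acl"] = rest[1]
    return cfg


def check_pair(a, b):
    """List the asymmetries that would stop IKE/IPsec from coming up; [] means consistent."""
    findings = []
    for attr in ("authentication", "encryption", "hash", "group"):   # phase 1 must match exactly
        if a["policy"].get(attr) != b["policy"].get(attr):
            findings.append(f"isakmp policy {attr} differs: "
                            f"{a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    if a.get("psk") != b.get("psk"):
        findings.append("pre-shared keys differ")
    if a.get("tset_algs") != b.get("tset_algs"):
        findings.append("transform sets differ")
    for side, other in ((a, b), (b, a)):
        dest = side["tunnel"].get("destination")
        if not dest == side.get("psk_peer") == side["map"].get("peer"):
            findings.append(f"{side['name']}: tunnel destination, isakmp key address and "
                            f"crypto map peer do not agree ({dest}, {side.get('psk_peer')}, "
                            f"{side['map'].get('peer')})")
        if side["map"].get("tset") != side.get("tset"):
            findings.append(f"{side['name']}: crypto map uses an undefined transform-set")
        if sorted(side["acl"]) != sorted((d, s) for s, d in other["acl"]):
            findings.append(f"{side['name']}: crypto ACL is not the mirror of the peer's")
        if not side["crypto_if"]:
            findings.append(f"{side['name']}: crypto map not applied to any interface")
    return findings


if __name__ == "__main__":
    corp, branch = parse_ios(CORP, "CORP"), parse_ios(BRANCH, "BRANCH")
    print("lab pair:", check_pair(corp, branch) or "consistent")
    # Failure mode: one side edited to DH group 5, so phase 1 never completes.
    print("drifted:", check_pair(corp, parse_ios(BRANCH.replace("group 2", "group 5"), "BRANCH")))
```

Run against the lab's commands the check returns an empty list; change a single attribute on one side (the main block changes BRANCH to group 5) and it names the mismatch that show crypto isakmp sa would otherwise leave you to find by reading debug output. The same check is worth running after any change to either router, since the two ends are edited independently and drift between them is silent until the SA next rekeys.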
