Technology MiniLab ASA part I.
This Mini Lab focuses on various Cisco ASA technologies and is part of DENYIP's CCIE Security technology minilab.
If you have any question or suggestion, feel free to post in the discussion or contact me at milsir(at)gmail.com
The lab is based on the following setup.
The following hardware is needed:
1x Cisco ASA or PIX
1x Switch, dot1q capable
4x Router with at least one Ethernet interface
Dynamips can be used as well – I tried both the real lab and Dynamips. For Dynamips I used the following NET file:
[localhost:7200]
workingdir = C:\path to your working directory
[[2621]]
image = C:\path to your IOS
ram = 92
idlepc = your idle PC
[[Router R1]]
model = 2621
Fa0/0 = S1 1
[[Router R2]]
model = 2621
Fa0/0 = S1 2
[[Router R3]]
model = 2621
Fa0/0 = S1 3
[[Router R4]]
model = 2621
Fa0/0 = S1 4
[[ethsw S1]]
1 = access 10
2 = access 20
3 = access 30
4 = access 40
5 = dot1q 1
6 = dot1q 1
[pemu localhost]
[[525]]
serial=<removed>
key=<removed>
image = path to your PIX image
[[fw FW1]]
e0 = S1 5
e1 = S1 6
TASKS
TASK1 – Addressing and basic connectivity
Configure the FW interfaces (sub-interfaces) in the following way:
e1.10 – nameif R10, VLAN 10, security level 10, IP 10.10.10.1
e1.20 – nameif R20, VLAN 20, security level 20, IP 10.10.20.1
e0.30 – nameif R30, VLAN 30, security level 30, IP 10.10.30.1
e0.40 – nameif R40, VLAN 40, security level 40, IP 10.10.40.1
Configure the IP addressing of the routers according to the drawing (including loopbacks).
The R40 interface is a DHCP client. Configure R30 as the DHCP server for this router and make sure this interface is always assigned IP 10.10.40.2.
TASK2 – routing , ACL
Delete all static routes and run RIP v2 between all devices; propagate all networks including loopbacks and use MD5 authentication. Permit ICMP between all routers and verify connectivity with ping (you should be able to ping all loopbacks from all routers). Use only one line in your ACL.
TASK3 – SSH access
Enable SSH with local authentication on all routers (do not use the domain command on the routers) and enable SSH access through the firewall.
TASK4 – NAT control
On the firewall enable NAT control, then configure the FW to allow the same access as without NAT control (ping, ssh).
SOLUTIONS
TASK1 Solution
You need to create VLANs 10, 20, 30 and 40 on the switch, assign VLAN membership for routers R10, R20, R30 and R40, and configure dot1q trunks on the ASA ports.
ASA configuration
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
! For me it is good to use nameifs like R20, R30 and not the traditional
! inside, outside, dmz - it helps me think out of the box
interface Ethernet0/0.30
 vlan 30
 nameif R30
 security-level 30
 ip address 10.10.30.1 255.255.255.0
!
interface Ethernet0/0.40
 vlan 40
 nameif R40
 security-level 40
 ip address 10.10.40.1 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif R10
 security-level 10
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif R20
 security-level 20
 ip address 10.10.20.1 255.255.255.0
!
! R40 will get its DHCP IP from R30, so DHCP relay needs to be
! configured
dhcprelay server 10.10.30.2 R30
dhcprelay enable R40
dhcprelay setroute R40
dhcprelay timeout 60

R3 configuration
! create a pool for R40 and use client-identifier for the reservation
! (the client-identifier uses the 01 prefix for Ethernet + the client MAC)
ip dhcp pool R40
 host 10.10.40.2 255.255.255.0
 client-identifier 0100.e01e.7dc7.61
interface Ethernet0/0
 ip address 10.10.30.2 255.255.255.0
! Static route for the R40 network is needed
ip route 10.10.40.0 255.255.255.0 10.10.30.1

R40 configuration
! IP on the interface will be DHCP and the client-id e0/0 is sent
! it didn't work for me without the client-id command
interface Ethernet0/0
 ip address dhcp client-id Ethernet0/0
! Static route for the R30 network is needed
ip route 10.10.30.0 255.255.255.0 Ethernet0/0
TASK2 Solution
ASA configuration
! rip authentication on all subinterfaces
interface Ethernet0/0.30
 vlan 30
 nameif R30
 security-level 30
 ip address 10.10.30.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/0.40
 vlan 40
 nameif R40
 security-level 40
 ip address 10.10.40.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/1.10
 vlan 10
 nameif R10
 security-level 10
 ip address 10.10.10.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
interface Ethernet0/1.20
 vlan 20
 nameif R20
 security-level 20
 ip address 10.10.20.1 255.255.255.0
 rip authentication mode md5
 rip authentication key cisco key_id 1
!
! RIP configuration on the ASA
router rip
 network 10.0.0.0
 version 2
 no auto-summary
!
! For allowing the outside communication I created one object group
! with all IPs (interface IP + loopback IP)
object-group network ROUTERS
 network-object host 10.10.10.2
 network-object host 10.10.20.2
 network-object host 10.10.30.2
 network-object host 10.10.40.2
 network-object host 192.168.10.1
 network-object host 192.168.20.1
 network-object host 192.168.30.1
 network-object host 192.168.40.1
! and permitted ICMP between those IPs
access-list Routers_in extended permit icmp object-group ROUTERS object-group ROUTERS
! and applied it on the interfaces
access-group Routers_in in interface R10
access-group Routers_in in interface R20
access-group Routers_in in interface R30

ROUTER3 configuration
! router rip configuration
router rip
 version 2
 network 10.0.0.0
 network 192.168.30.0
 no auto-summary
! router key chain configuration
key chain ccie
 key 1
  key-string cisco
! router rip authentication on the interface
interface Ethernet0/0
 ip address 10.10.30.2 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain ccie
TASK3 Solution
ROUTER3 configuration
! It's not actually an ASA task...
! thanks to Francois for the idea for this task
crypto key generate rsa general-keys label TEST
username admin password 0 cisco
line vty 0 4
 login local
 transport input ssh

ASA configuration
! add a line to the ACL to permit SSH communication
access-list Routers_in extended permit tcp object-group ROUTERS object-group ROUTERS eq ssh
TASK4 Solution
! enable nat control and create static mappings
! to allow traffic between interfaces
nat-control
static (R40,R30) 10.10.40.2 10.10.40.2 netmask 255.255.255.255
static (R40,R20) 10.10.40.2 10.10.40.2 netmask 255.255.255.255
static (R40,R10) 10.10.40.2 10.10.40.2 netmask 255.255.255.255
static (R30,R20) 10.10.30.2 10.10.30.2 netmask 255.255.255.255
static (R30,R10) 10.10.30.2 10.10.30.2 netmask 255.255.255.255
static (R20,R10) 10.10.20.2 10.10.20.2 netmask 255.255.255.255
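To show why exactly these six statics are needed, here is an added Python example (not part of the original lab) that derives the identity static for every (higher, lower) security-level pair from the lab's interfaces and then checks which static covers a given flow under nat-control. The interface table and the flow lookup are constructed for this illustration.

```python
import re
from itertools import combinations

# Constructed from the lab drawing: nameif -> (security level, router IP behind it)
LAB_INTERFACES = {
    "R10": (10, "10.10.10.2"),
    "R20": (20, "10.10.20.2"),
    "R30": (30, "10.10.30.2"),
    "R40": (40, "10.10.40.2"),
}

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def identity_statics(interfaces):
    """Build one identity static per (higher, lower) security-level pair.

    With nat-control enabled the ASA drops a flow from a higher-security
    interface to a lower one unless a translation exists for the source.
    An identity static (real IP == mapped IP) restores the no-NAT behaviour,
    and the same entry lets the lower side reach that host (ACL permitting),
    so exactly one line per pair is needed, written high -> low as on the ASA.
    """
    by_level = sorted(interfaces, key=lambda n: interfaces[n][0], reverse=True)
    lines = []
    for high, low in combinations(by_level, 2):  # high always has the larger level
        ip = interfaces[high][1]
        lines.append(f"static ({high},{low}) {ip} {ip} netmask 255.255.255.255")
    return lines


def covering_static(lines, src_if, dst_if, src_ip, dst_ip):
    """Return the host static that covers a flow under nat-control, or None.

    static (high,low) REAL MAPPED matches high->low flows sourced from REAL
    and low->high flows destined to MAPPED (host statics only, /32 netmask).
    """
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        high, low, real, mapped, _netmask = m.groups()
        if (src_if, dst_if) == (high, low) and src_ip == real:
            return line
        if (src_if, dst_if) == (low, high) and dst_ip == mapped:
            return line
    return None


if __name__ == "__main__":
    for line in identity_statics(LAB_INTERFACES):
        print(line)
```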
It was a nice attempt – I'm a CCIE wannabe, I started with your labs… keep posting
Thanks