GeekOut: Basic ASA - VLANs and IP Addresses
ccie-sec April 7th, 2009
As promised, here is my first attempt at a vlog entry. Hopefully, the 1.5Mbps Internet connection and the server are adequate to serve the 1Mb video. If not, I’m sure you’ll let me know. Also, if you find viewing the video unbearable, try downloading it instead.
Prerequisites:
-Download the bbb-basic-asa file if you would like to try this lab in GNS3.
-For Windows users, don’t forget to use BES to limit the pemu.exe instance from taking up your CPU resources. For Linux users, use cpulimit to control pemu.
-Remember to adjust the idle-pc values for your workstation.
Mini-lab Requirement:
Your company firewall has 3 interfaces: one is connected to the Internet, one is connected to the internal network, and one is connected to the DMZ. You’ve been asked to configure the firewall as follows: your external interface resides on 172.16.194.0/24 (VLAN172) and can reach the Internet through R0; your internal interface resides on 10.194.1.0/24 (VLAN10) and can reach company resources through R1; and your DMZ interface resides on 192.168.194.0/24 (VLAN192) and can reach the web servers through R2. All interfaces on the ASA should be configured as .41 in their respective subnets. The IP addresses of the router interfaces connected to the firewall are as follows: R0 is .40, R1 is .1, and R2 is .2.
Is that vague enough? Probably not. In fact, depending on how diligent your business unit or client may be, you may receive a project with exactly that level of detail. In order to properly deliver a configuration, you need to learn to read between the lines. Hopefully, I can master Wink well enough to get more mini-labs up on this site that will help train your thought process for these types of activities.
Before clicking on the link below, take a shot at configuring this in notepad, dynamips, or your home lab.
As you go through the answer video, take note of the verification steps I took for each task. After configuring an interface, I immediately ran a show command to verify I had typed the information in correctly. Then, to test end-to-end connectivity, I ran a simple ping from the ASA to the router on the far side of each interface.
Notes:
-If you’ve ever configured a FastEthernet, GigabitEthernet, or TenGigabitEthernet sub-interface on a router before, you will notice that configuring one on an ASA is quite similar: the physical interface carries the 802.1Q trunk and gets no IP address, and each sub-interface is tied to a VLAN with the vlan command.
-The nameif command lets you assign a name to an interface.
-The security-level command defines how much the firewall trusts each interface, on a scale from 0 to 100. The higher the number, the more trusted the traffic arriving on that interface (the default for inside is 100); the lower the number, the less trusted (the default for outside is 0). When NAT control is in force (always on the PIX, and on the ASA when nat-control is enabled), traffic from a higher to a lower security level requires a nat and global pair or a static, and traffic from a lower to a higher security level requires a static plus an access-list applied to the lower-security interface that permits it. With nat-control disabled, which is the ASA default since 7.0, the translation is optional and only the access-list is required for the low-to-high direction. **By default, interfaces with the same security level cannot communicate with each other;** same-security-traffic permit inter-interface lifts that restriction, and same-security-traffic permit intra-interface additionally allows traffic to enter and leave the same interface.
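Here is one complete answer to the mini-lab requirement above, written as an added example rather than taken from the video. It assumes the trunk to the switch lands on GigabitEthernet0/0 (on the pemu-emulated ASA substitute Ethernet0/0), that the sub-interface numbers mirror the VLAN IDs, and that the DMZ gets security-level 50; the lab statement fixes none of those, only the subnets, VLANs, the .41 host address and the router addresses. Routes toward the company and web-server prefixes behind R1 and R2 are left out because those prefixes are not given; only the default route through R0 is shown. The verification commands at the end are the same kind of check described for the video: a show command right after each interface, then a ping to the router on the far side of each interface.

```cisco
! --- Physical interface: carries the 802.1Q trunk, no IP, no nameif ---
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
! --- Outside: VLAN172, 172.16.194.0/24, ASA is .41, R0 is .40 ---
interface GigabitEthernet0/0.172
 vlan 172
 nameif outside
 security-level 0
 ip address 172.16.194.41 255.255.255.0
!
! --- Inside: VLAN10, 10.194.1.0/24, ASA is .41, R1 is .1 ---
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.194.1.41 255.255.255.0
!
! --- DMZ: VLAN192, 192.168.194.0/24, ASA is .41, R2 is .2 ---
! security-level 50 is an assumption: lower than inside, higher than outside
interface GigabitEthernet0/0.192
 vlan 192
 nameif dmz
 security-level 50
 ip address 192.168.194.41 255.255.255.0
!
! Internet is reached through R0
route outside 0.0.0.0 0.0.0.0 172.16.194.40 1
! Add "route inside <prefix> <mask> 10.194.1.1" and
! "route dmz <prefix> <mask> 192.168.194.2" once those prefixes are known.
!
! Only needed if two interfaces are ever given the same security level
! same-security-traffic permit inter-interface
!
! --- Verification ---
! Interface state, nameif and address, one line per interface
show interface ip brief
show nameif
! Exact lines that were typed for one sub-interface
show running-config interface GigabitEthernet0/0.192
! End-to-end reachability to the far end of each interface
ping outside 172.16.194.40
ping inside 10.194.1.1
ping dmz 192.168.194.2
```

The pings are sourced from the named interface, so a failure isolates the problem to that VLAN (trunk allowed-VLAN list, sub-interface vlan number, or the router's address) rather than to routing. Because nat-control is off by default on the ASA, none of these pings require a nat, global or static statement.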