GeekOut: Basic ASA - EIGRP

ccie-sec May 2nd, 2009

When configuring EIGRP on the firewall, keep in mind that the commands omit the word ip that IOS uses.

Prerequisites:

-Refer to my Basic ASA - VLANs and IP Addresses posting

Mini-lab Requirement:

Your ASA needs to be aware of the DMZ network behind R2.  Make sure R2 is the only device that can securely send or receive routing updates with the firewall.

Here’s the video:

bbb-basic-asa-eigrp

Notes:

-EIGRP is not supported in multi-context mode.

-When configuring the network command on a PIX or ASA, you need to specify a subnet mask rather than the wildcard mask used on IOS.

-The passive-interface command is supported for EIGRP on the firewall, unlike for OSPF.
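The following is an added example of how the EIGRP requirement above can be met; it is not the configuration from the video. It assumes the three interfaces from the Basic ASA - VLANs and IP Addresses lab are named outside, inside and dmz, that the DMZ sub-interface is Ethernet0/0.192, that the autonomous system number is 1, and the key string is a constructed placeholder that R2 must match.

```cisco
! Added example (not the author's lab answer): EIGRP AS 1 on the ASA.
! Assumed: dmz sub-interface Ethernet0/0.192 = 192.168.194.41/24, R2 = 192.168.194.2
router eigrp 1
 ! network takes a subnet mask on the ASA, not an IOS-style wildcard
 network 192.168.194.0 255.255.255.0
 ! stop hellos on every interface, then re-enable them only toward R2
 passive-interface default
 no passive-interface dmz
!
interface Ethernet0/0.192
 ! MD5 authentication; key string and key-id are constructed for this example
 authentication mode eigrp 1 md5
 authentication key eigrp 1 EXAMPLE-KEY key-id 1
!
! Verification: the only neighbor should be R2, and the network behind R2
! should show up as an EIGRP route
show eigrp neighbors
show route
```

Because only the DMZ subnet is covered by a network statement, the inside and outside interfaces never participate in EIGRP; passive-interface default is kept anyway so that adding a network later does not silently open a new peering.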

GeekOut: Basic ASA - OSPF

ccie-sec April 17th, 2009

This is very similar to the last lab that I posted. When configuring OSPF on the firewall, keep in mind that the commands omit the word ip that IOS uses.

Prerequisites:

-Refer to my Basic ASA - VLANs and IP Addresses posting

Mini-lab Requirement:

Your ASA needs to be aware of the DMZ network behind R2.  Make sure R2 is the only device that can securely send or receive routing updates with the firewall.

Here’s the video:

bbb-basic-asa-ospf

Notes:

-OSPF is not supported in multi-context mode.

-When configuring the network command on a PIX or ASA, you need to specify a subnet mask rather than the wildcard mask used on IOS.

-The passive-interface command is unsupported for OSPF on the firewall. You will need to depend on the neighboring router to control the sending and receiving of updates.

-If you would like to verify that you didn't fat finger the password on the ASA, you can use the more system:running-config | i md5 command to see what you typed.
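The following is an added example of one way to meet the OSPF requirement above; it is not the configuration from the video. It assumes the DMZ sub-interface is Ethernet0/0.192 (192.168.194.41/24) facing R2 in area 0, that the process ID is 1, and that the MD5 key string is a constructed placeholder that R2 must match.

```cisco
! Added example (not the author's lab answer): OSPF process 1 on the ASA.
! Assumed: dmz sub-interface Ethernet0/0.192 = 192.168.194.41/24, R2 in area 0
router ospf 1
 ! network takes a subnet mask, not a wildcard; only the DMZ link is covered,
 ! so inside and outside never send or accept OSPF packets
 network 192.168.194.0 255.255.255.0 area 0
 ! require MD5 on every interface that belongs to area 0
 area 0 authentication message-digest
!
interface Ethernet0/0.192
 ospf authentication message-digest
 ! key-id and key string are constructed for this example; R2 must use both
 ospf message-digest-key 1 md5 EXAMPLE-KEY
!
! There is no passive-interface for OSPF here: R2 has to limit its own peering.
! Verification: neighbor state with R2 and a check of what key was typed
show ospf neighbor
more system:running-config | include md5
```

Limiting the network statement to the DMZ subnet does the same job that passive-interface would on a router for the inside and outside interfaces; on the DMZ segment itself, MD5 authentication is what keeps any device other than R2 from forming an adjacency.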

GeekOut: Basic ASA - RIP

ccie-sec April 9th, 2009

Those of you who are familiar with configuring RIP on routers should have an easier time running through this lab. When configuring RIP on the firewall, keep in mind that the commands omit the word ip that IOS uses.

Prerequisites:

-Refer to my Basic ASA - VLANs and IP Addresses posting

Mini-lab Requirement:

Your ASA needs to be aware of the inside network behind R1.  Make sure R1 is the only device that can securely send or receive routing updates with the firewall.

Here’s the video:

bbb-basic-asa-rip

Notes:

-Originally, I had attempted to configure this lab using 7200s running on 12.3, but ran into a strange issue where the ASA was unable to securely send/receive routing updates from R1.  How did I determine things weren’t working?  I didn’t receive the route on the firewall because the log kept stating an invalid authentication.  After toying around with capturing debugs and rebuilding interfaces, I decided to rebuild the lab using 3725s on 12.4.
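The following is an added example of one way to meet the RIP requirement above; it is not the configuration from the video. It assumes the inside sub-interface is Ethernet0/0.10 (10.194.1.41/24) facing R1 at 10.194.1.1, that the interface is named inside, and that the key string is a constructed placeholder matching R1's key chain.

```cisco
! Added example (not the author's lab answer): RIPv2 on the ASA.
! Assumed: inside sub-interface Ethernet0/0.10 = 10.194.1.41/24, R1 = 10.194.1.1
router rip
 version 2
 ! the RIP network command takes a classful address (no mask, no wildcard)
 network 10.0.0.0
 no auto-summary
 ! stop updates on every interface, then allow them only toward R1
 passive-interface default
 no passive-interface inside
!
interface Ethernet0/0.10
 rip authentication mode md5
 ! key string and key_id are constructed; R1 must use the same values
 rip authentication key EXAMPLE-KEY key_id 1
!
! Verification: the network behind R1 should be in the RIP database and the
! routing table; an "invalid authentication" log message means the key or
! key_id does not match what R1 sends
show rip database
show route
```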

GeekOut: Basic ASA - VLANs and IP Addresses

ccie-sec April 7th, 2009

As promised, here is my 1st attempt at a vlog entry. Hopefully, the 1.5Mbps Internet connection and the server are adequate to display the 1Mb video. If not, I'm sure you'll let me know. Also, if you find viewing the video is unbearable, try downloading it.

Prerequisites:

-Download the bbb-basic-asa file if you would like to try this lab in GNS3.

-For Windows users, don’t forget to use BES to limit the pemu.exe instance from taking up your CPU resources.  For Linux users, use cpulimit to control pemu.

-Remember to adjust the idle-pc values for your workstation.

Mini-lab Requirement:

Your company firewall has 3 interfaces: one is connected to the Internet, one is connected to the internal network, and one is connected to the DMZ. You've been asked to configure the firewall as follows: your external interface resides on 172.16.194.0/24 (VLAN172) and can access the Internet through R0; your internal interface resides on 10.194.1.0/24 (VLAN10) and can access company resources through R1; and your DMZ resides on 192.168.194.0/24 (VLAN192) and can access web servers through R2. All interfaces on the ASA should be configured as .41. The IP addresses for the router interfaces connected to the firewall are as follows: R0 is .40, R1 is .1, and R2 is .2.

Is that vague enough? Probably not. In fact, depending on how diligent your business unit or client may be, you may receive a project with that level of detail. In order to properly deliver a configuration, you need to learn to read between the lines. Hopefully, I can master Wink well enough that I can get more mini-labs up on this site that will help train your thought process for these types of activities.

Before clicking on the link below, take a shot at configuring this in notepad, dynamips, or your home lab.

bbb-basic-asa

As you go through the answer video, take note of the verification steps I took for each task. After configuring an interface, I immediately ran a show command to verify I had typed the information in correctly. Also, to test end-to-end connectivity I ran a simple ping test to the far ends of the firewall.

Notes:

-If you've ever configured a FastEthernet, GigabitEthernet, or TenGigabitEthernet sub-interface before, you will notice that configuring one on an ASA is quite similar to doing so on a router.

-The nameif command lets you assign a name to an interface.

-The security-level command allows us to define the level of trust for each firewall interface. The higher the number, the more trusted the traffic arriving on that interface (the default for inside is 100); the lower the number, the less trusted it is (the default for outside is 0). When accessing from a higher security level to a lower security level, nat and global commands or static commands must be present. When accessing from a lower security level to a higher security level, static and access-list commands must be present. **Interfaces with the same security level cannot communicate with each other.**
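The following is an added example of the interface configuration the requirement above calls for, together with the kind of verification described in the post; it is not the configuration from the video. It assumes the trunk toward the switch is Ethernet0/0, that the sub-interface numbers are chosen to match the VLAN IDs, that the interfaces are named outside, inside and dmz with security levels 0, 100 and 50, and that a default route toward R0 is what "access the Internet through R0" means.

```cisco
! Added example (not the author's lab answer): three sub-interfaces on one trunk.
! Assumed: physical trunk Ethernet0/0; sub-interface numbers follow the VLAN IDs.
interface Ethernet0/0
 no shutdown
!
interface Ethernet0/0.172
 vlan 172
 nameif outside
 ! least trusted interface
 security-level 0
 ip address 172.16.194.41 255.255.255.0
!
interface Ethernet0/0.10
 vlan 10
 nameif inside
 ! most trusted interface
 security-level 100
 ip address 10.194.1.41 255.255.255.0
!
interface Ethernet0/0.192
 vlan 192
 nameif dmz
 ! between inside and outside: inside reaches it with nat/global in place,
 ! outside needs static plus an access-list; 50 is an assumed value
 security-level 50
 ip address 192.168.194.41 255.255.255.0
!
! Assumed default route toward R0 for Internet access
route outside 0.0.0.0 0.0.0.0 172.16.194.40
!
! Verification after each interface, then end-to-end pings to the three routers
show interface ip brief
show nameif
ping 172.16.194.40
ping 10.194.1.1
ping 192.168.194.2
```

Giving every interface a distinct security level avoids the same-level case noted above, and the pings confirm both the addressing and that each router is reachable on its own VLAN before any routing protocol is added.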
