CCNA Security Lab 9.3.1.1: Configuring ASA Basic Settings and Firewall Using CLI

Video Statistics and Information

Captions
Hello everyone, this is CCNA Security lab 9.3.1.1, Configuring ASA Basic Settings and Firewall, and this is our topology. We have 3 VLANs: VLAN 1 is the inside zone, VLAN 2 is the outside zone, and VLAN 3 is the DMZ.

Your company has one location connected to an ISP. Router 1 represents a CPE device managed by the ISP. Router 2 represents an intermediate internet router. Router 3 represents an ISP that connects an administrator from a network management company, who has been hired to remotely manage your network. The ASA is an edge CPE security device that connects the internal corporate network and DMZ to the ISP while providing NAT and DHCP services to inside hosts. The ASA will be configured for management by an administrator on the internal network and by the remote administrator. Layer 3 VLAN interfaces provide access to the three areas created in the activity: inside, outside, and DMZ. The ISP assigned the public IP address space of 209.165.200.224/29, which will be used for address translation on the ASA.

Now we'll verify connectivity. PC-C can ping any router interface, but PC-C is unable to ping PC-B or the DMZ server.

Next, we use the command show version to determine various aspects of this ASA device. As you see, the version of this device is 8.4 and the Device Manager version is 6.4. We can also see all features supported by the Base license. We can use the command show file system to display the ASA file system, and there are two prefixes supported. We can use both to display the contents of flash memory; it returned the same result.

Now we'll configure the hostname and domain name, configure the enable mode password, and set the date and time. Then we configure the inside and outside interfaces: VLAN 1 is the inside zone with security level 100, and VLAN 2 is the outside zone with security level 0. OK, we'll use some show commands to check the configurations. All right, they are all correct, so PC-B should be able to ping the ASA, but it is unable to ping the outside network. I'll use simulation mode to show you how the packet is transferred. As you see, the packet is dropped by the ASA because we have not configured a default route and NAT.

Now we'll configure a static default route for the ASA and verify the static default route is in the ASA routing table, so the ASA should be able to ping Router 1.

Next, we'll configure address translation using PAT and network objects. OK, now the ping packet sent from PC-B to the outside network can go through the ASA, but the reply packet is blocked, so we have to configure the default inspection policy to allow ICMP. We create the class map and policy map, and add the inspection of ICMP traffic to the policy map. Now PC-B can ping the outside network.

Next step, we'll configure a DHCP address pool and DNS server, and enable it on the ASA inside interface. Then PC-B can receive IP addressing information.

Next, we'll configure AAA to use the local database for authentication and configure remote access to the ASA. Like a router, we generate an RSA key pair, which is required to support SSH connections, but you can see the ASA device has RSA keys already, so we enter no when prompted to replace them. We configure the ASA to allow SSH connections from any host on the inside zone and from the remote management host, which is PC-C. OK, we'll verify the SSH connection from outside and inside. They are all successful.

Next, we'll configure the DMZ with VLAN 3, where the public access web server will reside. Because the server does not need to initiate communication with the inside zone, we disable forwarding to interface VLAN 1. We'll use some show commands to check the configurations. Next, we configure static NAT to the DMZ server using a network object. Finally, we configure an ACL to allow access to the DMZ server from the internet. We permit ICMP and TCP traffic on port 80 to allow web access, and we apply the ACL to the ASA outside interface in the in direction. Because Packet Tracer does not support successfully testing outside access to the DMZ web server, successful testing for this section is not required.

We're done with all parts of this activity, and we got 100%. Thank you for watching.
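
The firewall portion of the procedure narrated above, written out as ASA 8.4 CLI. This is an added example, not taken from the video or the lab handout: every host address, the next hop, the DMZ security level, and the object and ACL names are assumptions, and only the VLAN roles, security levels 100 and 0, port 80, and the 209.165.200.224/29 block come from the captions.

```cisco
! Added example for ASA 5505 software 8.4. All addresses and names below
! are assumed unless the transcript states them (see the lead-in).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
!
! Static default route toward the ISP CPE router (assumed next hop).
route outside 0.0.0.0 0.0.0.0 209.165.200.225
!
! PAT: all inside hosts share the outside interface address.
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inspect ICMP so echo replies are matched to the outbound request
! instead of being dropped at the security-level 0 interface.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! DMZ on VLAN 3. On the Base license, forwarding to VLAN 1 must be
! disabled before the third interface can be given a name.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
!
! Static NAT publishes the DMZ server on one address from the /29.
object network dmz-server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.227
!
! From 8.3 on, an interface ACL matches the real (untranslated) address.
access-list OUTSIDE-DMZ extended permit icmp any host 192.168.2.3
access-list OUTSIDE-DMZ extended permit tcp any host 192.168.2.3 eq 80
access-group OUTSIDE-DMZ in interface outside
```

`show route`, `show nat`, `show xlate` and `show access-list` confirm each stage; the ACL is deliberately limited to ICMP and TCP port 80 toward the single DMZ host, so nothing else is reachable from the outside interface.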
Info
Channel: Cisco Packet Tracer Labs
Views: 137,553
Keywords: Cisco Packet Tracer Lab, CCNA Security Lab, ASA, PT activity 9.3.1.1, firewall, CCNA Security
Id: Jni0aQZY33Y
Length: 15min 54sec (954 seconds)
Published: Wed Jan 11 2017