Cisco Packet Tracer Examples


Welcome to this series where we will cover CCNA Security topics using Cisco Packet Tracer in our labs. Some related topics have already been covered on the Intense School site so you should consider taking a look at those first. For a guide on the Packet Tracer labs already on the site, you can check out. In this lab, we will be dealing with the Cisco Adaptive Security Appliance (ASA). Starting with Packet Tracer version 6.1.1, the Cisco ASA (5505) has been added as a device so we can now use this for our lab. An introduction to the Cisco ASA has already been covered in, so you may want to read that article first. Verify your configuration and make sure you can ping all the connected devices from the Cisco ASA.


Lab Solutions

Task 1: Hostname and Domain Name

We use the hostname command to configure the hostname on a Cisco ASA, just like we do on the Cisco IOS. However, unlike on the Cisco IOS, we use the domain-name command to configure a domain name on the Cisco ASA.

Note: On the Cisco IOS, the equivalent command is ip domain-name.

Actually, many of the commands that have “ip” on the Cisco IOS do not have “ip” on the Cisco ASA. Examples include show route as opposed to show ip route, and route as opposed to ip route.

    hostname PKT-ASA
    domain-name example.com

Task 2: VLAN 1 Settings

By default, VLAN 1 has already been created on the Cisco ASA 5505 and it has been named “inside” with a security level of 100. Therefore, the only change we need to make here is the IP address. However, if you try to change the IP address of that VLAN interface, you will get an error message: “Interface address is not on same subnet as DHCP pool. ERROR: ip address command failed”.

The problem is that there is a default DHCP configuration on the ‘inside’ interface as shown below:

    dhcpd address 192.168.1.5-192.168.1.35 inside
    dhcpd enable inside

You can either remove only the DHCP pool or remove the entire DHCP configuration, since the task doesn’t say anything about DHCP. After removing the configuration, you can then change the IP address.

    no dhcpd address 192.168.1.5-192.168.1.35 inside
    no dhcpd enable inside
    !
    interface Vlan1
     ip address 10.0.0.1 255.255.255.0

Task 3: VLAN 2 Settings

VLAN 2 also exists in the default configuration of the Cisco ASA 5505 and it has been named “outside” with a security level of 0. However, its IP address is assigned via DHCP, so we need to change that to a static configuration.


    interface Vlan2
     ip address 192.0.2.1 255.255.255.0

Task 4: Setup VLAN 3

This one is a bit tricky because of the license that comes with the ASA 5505 on Packet Tracer, i.e. the Base License. With the Base License on the ASA 5505, you can only create two active VLANs and a third restricted VLAN. The third VLAN is restricted because you can only configure it to initiate traffic to one other VLAN. You don’t have this restriction with a Security Plus license.

Note: An active VLAN is one configured with the nameif command.

As such, if we try to configure VLAN 3 and add the nameif command, we will get the following message: “ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a “no forward” command on this interface or on 1 interface(s) with nameif already configured.”

Therefore, like the error message states, we need to use the no forward command on one of the active interfaces. In our case, the task specifies that the dmz interface does not need to initiate connections to the inside, therefore our configuration will be as follows:

    interface Vlan3
     no forward interface Vlan1
     nameif dmz
     security-level 50
     ip address 172.16.10.1 255.255.255.0
    !

Task 5: Interface Assignment

The ASA 5505 comes with switchport (L2) interfaces, and the way to assign them to security zones is to assign them to the corresponding VLAN for that security zone. By default, Ethernet0/0 is already assigned to VLAN 2 (outside) and all other interfaces belong to VLAN 1. Therefore, we just need to assign Ethernet0/2 to VLAN 3:

    interface Ethernet0/2
     switchport access vlan 3

Task 6: Verification

This last sub-task is about verifying our configuration so far. We can begin by looking at the VLAN configuration and VLAN assignment for the interfaces using the show switch vlan command.

We can also check the IP settings on the ASA’s interfaces using the show interface ip brief command (as opposed to show ip interface brief on the Cisco IOS).

Finally, we will ping the following devices connected to the Cisco ASA on its different interfaces: 10.0.0.100 (Inside User), 172.16.10.100 (Web Server) and 192.168.10.100 (Outside_RTR).

Cool, our configuration works!
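The two ASA errors from Tasks 2 and 4 can be caught by checking a configuration before it is pasted into the device. The following Python check is an added example, not part of the original lab; the audit function, its max_unrestricted parameter and the sample configuration are constructed for illustration, and it assumes interface blocks appear before dhcpd lines, as they do in the lab.

```python
import ipaddress
import re

# Constructed sample: the lab's VLANs, without "no forward" and with the default pool.
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
dhcpd address 192.168.1.5-192.168.1.35 inside
"""

def audit(config, max_unrestricted=2):
    """Flag the DHCP-pool/subnet mismatch (Task 2) and the Base License limit (Task 4)."""
    vlans, cur, findings = {}, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line closes any interface block
            cur = None
        if m := re.fullmatch(r"interface (Vlan\d+)", line, re.I):
            cur = vlans.setdefault(m[1], {"nameif": None, "net": None, "no_forward": False})
        elif cur is not None and (m := re.fullmatch(r"nameif (\S+)", line)):
            cur["nameif"] = m[1]
        elif cur is not None and line.startswith("no forward interface"):
            cur["no_forward"] = True
        elif cur is not None and (m := re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", line)):
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.fullmatch(r"dhcpd address ([\d.]+)-([\d.]+) (\S+)", line):
            net = next((v["net"] for v in vlans.values() if v["nameif"] == m[3]), None)
            if net and not all(ipaddress.ip_address(a) in net for a in m.group(1, 2)):
                findings.append(f"dhcpd pool {m[1]}-{m[2]} not in subnet {net} of '{m[3]}'")
    # Base License: at most two nameif VLANs may lack a "no forward" restriction.
    unrestricted = [n for n, v in vlans.items() if v["nameif"] and not v["no_forward"]]
    if len(unrestricted) > max_unrestricted:
        findings.append(f"{len(unrestricted)} nameif VLANs without 'no forward' (limit {max_unrestricted})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Applying the lab's fixes (removing the dhcpd pool and adding no forward interface Vlan1 under Vlan3) clears both findings.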

© 2019