2080 Views, 0 Helpful, 35 Replies

Networking Project Help

daniel_growth (Level 1)

Hi All,

Below is a picture of my topology.

The file to the Packet Tracer is also attached. All passwords or logins are admin and cisco.

(attached image: Capture.PNG, the topology)

I would like DEV and Management network traffic to route through the firewall when accessing the corp network.

I have yet to configure the router and firewall, as I'm not sure what to do.

My other question is that VLAN 10 and 20 cannot cross-communicate. This is the way I want it, but should I also put ACLs in to reinforce this rule as best practice?

Kind Regards,

Daniel!

35 Replies

Hello,

you need to decide what your topology is supposed to look like. All switches are layer 3 capable; do you want them to be used as such? If so, you need to configure common subnets between the switches and the ASA.

What, if any, are the requirements?

The topology is set now. The Layer 3 switches for the DEV and Project backbone are going to act as layer 2.

@Georg Pauwen The requirements are that the DEV and Management connection can communicate with the loopback located at the top of the network. This will act as a remote passage for a team over the corporate network.

I have never configured a Cisco firewall before, only a FortiGate through the GUI.

@Leo Laohoo this is not a student project but a workplace project. I have changed the IPs and names of some systems/areas for confidentiality. I have asked for support on assignments before now, but this is the real thing :)

Kind Regards,
Daniel Growth

Hello,

thanks for the update. I'll have a look at the file again...

Hello,

I have attached the revised project file. The ASA has just the most basic configuration; all traffic inbound is being allowed.

S1 and S2 are set up as HSRP switches for all your VLANs, for redundancy. These are the only layer 3 switches now left in your network.

Check how far this helps you out, and let us know if you need further assistance.
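An added example, not from the thread or the attached .pkt file, of what the VLAN SVIs on the HSRP pair S1/S2 could look like once the isolation between VLAN 10 and VLAN 20 asked about in the opening post is enforced with a router ACL rather than left to chance: as soon as S1 and S2 hold an SVI for every VLAN they route between all of them, so "VLAN 10 and 20 cannot talk" is only true if a filter says so. Assumptions not stated in the thread: VLAN 10 is 10.10.10.0/24, VLAN 20 (VSAN/Project) is 10.10.20.0/24, S1 uses the .2 address on each SVI with S2 on .3, and the HSRP key string is a placeholder.

```text
! Added example (not the thread's configuration): S1 side of the HSRP pair.
! S2 mirrors this with the .3 addresses and a lower standby priority.
! Assumed ranges: VLAN 10 = 10.10.10.0/24, VLAN 20 = 10.10.20.0/24.
!
ip access-list extended VLAN10_IN
 remark Drop VLAN10 -> VLAN20 at the first hop; everything else is routed
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip any any
!
ip access-list extended VLAN20_IN
 remark Drop VLAN20 -> VLAN10 (the other SVI already drops the reverse path)
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 permit ip any any
!
! HSRP without authentication accepts hellos from any host in the VLAN, so a
! rogue host can claim the virtual gateway. Key-chain auth closes that.
key chain HSRP_KEYS
 key 1
  key-string REPLACE_WITH_REAL_KEY
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 ip access-group VLAN10_IN in
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-chain HSRP_KEYS
!
interface Vlan20
 ip address 10.10.20.2 255.255.255.0
 ip access-group VLAN20_IN in
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 authentication md5 key-chain HSRP_KEYS
```

The ACLs must be identical on S2: after a failover the standby switch becomes the first hop, and an unfiltered S2 would silently re-open the path. The trailing `permit ip any any` keeps the HSRP hellos (multicast from the peer) and all other inter-VLAN traffic flowing; only the two explicit deny entries change behaviour. A ping from a VLAN 10 host to a VLAN 20 host should then show hits on the deny line in `show ip access-lists VLAN10_IN`.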

Hi Georg,
Thanks for looking into my issue. I am struggling to have anything ping at all on your revised file.
The AAA server can't be pinged from the management planes of the VSAN backbone switches.
Also, the ranges used for the management section for the firewall and router ports are 1.1.1.1 and 2.2.2.2 rather than the management range of 10.10.15.0.

I appreciate the support and look forward to your reply :)
Kind Regards,
Daniel Growth

Hello,

I have configured your network so that the servers on the lower right corner can ping the loopback address of the Corp router. The switches do not have management IP addresses. I have added them in the attached .pkt.

Hi Georg,
On the original Packet Tracer file there is a VLAN called mgmt. This is my management VLAN and is located on all switches. I need that and the Dev VLAN to ping the loopback address on the router.
I require all the IPs to fit into the already designed IP ranges. The router interfaces and firewall interfaces will need to be in management, which is 10.10.15.0.

The VSAN/Project VLAN 10.10.20.0 shouldn't be able to ping the loopback address.

Your newest version still doesn't seem to work at all for me, and there are addresses such as 192 used which I cannot have.

Look forward to your response!
Kind Regards,
Daniel Growth

Hello,

for some reason, the ASA configuration was not saved. Open the file, wait a while for everything to come up, and you should at least be able to ping 172.168.1.100 from everywhere.

Hey,
Honestly, I have tried to ping that IP after waiting for ages and it won't work.
Kind Regards,
Daniel Growth

Hello,

the ASA does not save the configuration. Weird, and probably one of the many quirks in Packet Tracer. Here is the configuration that is needed, manually add what is missing:

ciscoasa#sh run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif inside1
security-level 100
ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 2.2.2.1 255.255.255.252
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
!
access-list INSIDE extended permit ip any any
!
!
access-group INSIDE in interface outside
!
!
!
!
class-map inspection_default
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
telnet timeout 5
ssh timeout 5
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 0.0.0.0 area 0
default-information originate

The config has saved and is present. It just doesn't seem to work.
I don't understand why this is:

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0

a 192 range and not 10.10.15.
Kind Regards,
Daniel Growth

Hello Daniel,

post the running configuration of the ASA. I am not sure why Packet Tracer is not saving it. I want to check if something is missing...

The IP addressing is another issue. We might solve that with trunking between the L3 switches and then configuring a subinterface on the ASA...

Hi,

ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif inside1
security-level 100
ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 2.2.2.1 255.255.255.252
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
!
!
access-list INBOUND extended permit ip any any
!
!
!
!
!
!
class-map inspection_default
!
policy-map global_policy
class inspection_default
inspect icmp
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 0.0.0.0 area 0
default-information originate

I think the issue may be in the OSPF.

Kind Regards,
Daniel Growth

Hello,

you need to change the configuration of the ASA as indicated in my last post. I'll attach the last revision again, open it, access the ASA and change the lines marked in bold. That said, do you know how to configure the ASA ?

The configuration needs to look like this:

ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description Link to S1
nameif inside1
security-level 100
ip address 10.10.15.20 255.255.255.224
!
interface GigabitEthernet1/3
description Link to S2
nameif inside2
security-level 100
ip address 10.10.15.21 255.255.255.224
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
security-level 0
no ip address
channel-group 1 mode on
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!

route outside 0.0.0.0 0.0.0.0 192.168.1.2

!
access-list INBOUND extended permit ip any any
!
access-group INBOUND in interface outside

!
class-map inspection_default
!
policy-map global_policy
class inspection_default
inspect icmp
!
telnet timeout 5
ssh timeout 5
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 0.0.0.0 area 0
default-information originate
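The ASA as configured above forwards everything: `access-list INBOUND extended permit ip any any` bound inbound on the security-level 0 outside interface lets the corp side open sessions into the DEV and management networks, and the default high-to-low permit on inside1/inside2 lets the VSAN/Project VLAN reach the loopback, which the requirement stated earlier in the thread rules out. The following is an added example, not the thread's attached configuration, of how the same ASA 9.6 could express the stated policy: only management and DEV may originate ICMP and SSH to the Corp loopback, VSAN/Project is dropped and logged, and nothing from outside is allowed in unless it is return traffic of a session opened from inside. Assumptions not in the thread: the two ASA-to-switch links are /30s carved from 10.10.15.0/24 (the two /27 addresses above lie in one subnet, which a real ASA refuses to assign to two routed interfaces), DEV is 10.10.30.0/24, and SSH is the only non-ICMP service the team needs. The outside addressing and the 172.168.1.100 loopback are kept as they appear above.

```text
! Added example (not the thread's .pkt): ASA 9.6 policy for the DEV/mgmt path.
! Assumed: ASA-to-switch links are /30s in 10.10.15.0/24, DEV = 10.10.30.0/24.
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 description Link to S1
 nameif inside1
 security-level 100
 ip address 10.10.15.21 255.255.255.252
!
interface GigabitEthernet1/3
 description Link to S2
 nameif inside2
 security-level 100
 ip address 10.10.15.25 255.255.255.252
!
! Only needed if S1 and S2 must reach each other through the ASA
! (both sit at security-level 100); omit it otherwise.
same-security-traffic permit inter-interface
!
object network CORP_LOOPBACK
 host 172.168.1.100
object network MGMT_NET
 subnet 10.10.15.0 255.255.255.0
object network DEV_NET
 subnet 10.10.30.0 255.255.255.0
object network PROJECT_NET
 subnet 10.10.20.0 255.255.255.0
!
object-group network ALLOWED_TO_CORP
 network-object object MGMT_NET
 network-object object DEV_NET
!
! Bound inbound on both inside interfaces. The explicit deny for
! VSAN/Project is logged; anything not matched falls to the implicit deny.
access-list INSIDE_IN extended deny ip object PROJECT_NET object CORP_LOOPBACK log
access-list INSIDE_IN extended permit icmp object-group ALLOWED_TO_CORP object CORP_LOOPBACK
access-list INSIDE_IN extended permit tcp object-group ALLOWED_TO_CORP object CORP_LOOPBACK eq ssh
access-group INSIDE_IN in interface inside1
access-group INSIDE_IN in interface inside2
!
! No access-group on outside: low-to-high traffic hits the implicit deny,
! and only stateful return traffic of inside-initiated sessions passes.
! inspect icmp is what lets the echo replies back through.
policy-map global_policy
 class inspection_default
  inspect icmp
!
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
!
router ospf 1
 log-adjacency-changes
 network 10.10.15.20 255.255.255.252 area 0
 network 10.10.15.24 255.255.255.252 area 0
 network 192.168.1.0 255.255.255.0 area 0
```

On a real ASA the policy can be checked without a host: `packet-tracer input inside1 icmp 10.10.20.10 8 0 172.168.1.100` should end in DROP on the INSIDE_IN deny, while the same command with a 10.10.15.x or 10.10.30.x source should end in ALLOW. The OSPF `network` statements name the three attached subnets instead of `0.0.0.0 0.0.0.0`, so the ASA only forms adjacencies on links it actually owns.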
