Simple enterprise network configuration with a Cisco ASA
Topology:
Requirements:
– Configure trunk and access ports between the LAN switches and the core switches (choose the appropriate mode yourself)
– Configure interface Vlan100 and Vlan200 on the core switches and run VRRP:
Coresw1 is the VRRP master for VLAN 100
Coresw2 is the VRRP master for VLAN 200
– Configure LACP between the ASA and sw_WAN, and set the IP address of the ASA Port-channel1 to 10.1.2.10
– Put interface e0/0 of coresw1 and coresw2 into VLAN 300 in access mode, then assign interface Vlan300 the IP addresses 10.1.2.1 and 10.1.2.2 as shown in the topology
– Configure NAT overload (PAT) on the ASA so that the 192.168.1.0/24 and 192.168.2.0/24 ranges can reach the Internet
– The Internet cloud is vmnet8 (EVE-NG Cloud0)
Verify:
Ping 8.8.8.8 from the ASA succeeds
Ping 8.8.8.8 from the VPCs succeeds
Configuration:
sw_LAN5:
interface Ethernet0/0
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 100
 switchport mode access
sw_LAN6:
interface Ethernet0/0
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 200
 switchport mode access
!
core_sw1:
interface Ethernet0/0
 switchport access vlan 300
 switchport mode access
!
interface Ethernet0/1
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan100
 ip address 192.168.1.10 255.255.255.0
 vrrp 1 ip 192.168.1.1
 vrrp 1 priority 110
!
interface Vlan200
 ip address 192.168.2.10 255.255.255.0
 vrrp 1 ip 192.168.2.1
!
! uplink toward the ASA
interface Vlan300
 ip address 10.1.2.1 255.255.255.0
!
! default route via the ASA
ip route 0.0.0.0 0.0.0.0 10.1.2.10
core_sw2:
interface Ethernet0/0
 switchport access vlan 300
 switchport mode access
!
interface Ethernet0/1
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/3
!
interface Vlan100
 ip address 192.168.1.20 255.255.255.0
 vrrp 1 ip 192.168.1.1
!
interface Vlan200
 ip address 192.168.2.20 255.255.255.0
 vrrp 1 ip 192.168.2.1
 vrrp 1 priority 110
!
! uplink toward the ASA
interface Vlan300
 ip address 10.1.2.2 255.255.255.0
!
! default route via the ASA
ip route 0.0.0.0 0.0.0.0 10.1.2.10
sw_WAN:
Put all ports into access mode in VLAN 300.
Bundle the two ports e0/0 and e0/1 (facing the ASA) into an LACP port-channel.
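The sw_WAN configuration that the two lines above describe, written out as an added example (it is not the configuration from the original page). The ports e0/0 and e0/1 toward the ASA come from the requirements; e0/2 and e0/3 as the links to core_sw1 and core_sw2 are assumed, as is the port-channel number 1.

```cisco
! sw_WAN (added example): transit switch between the ASA and the core switches
! VLAN 300 is the only VLAN on this switch; every port is an access port in it
vlan 300
!
! e0/0 and e0/1 face the ASA and form the LACP bundle.
! 'active' on both ends is fine: LACP negotiates as long as at least one end
! is active (the ASA side uses 'channel-group 1 mode active' too).
interface range Ethernet0/0 - 1
 switchport mode access
 switchport access vlan 300
 channel-group 1 mode active
!
! The logical port-channel must carry the same access settings as its members
interface Port-channel1
 switchport mode access
 switchport access vlan 300
!
! e0/2 and e0/3 toward core_sw1 e0/0 and core_sw2 e0/0 (port assignment assumed)
interface range Ethernet0/2 - 3
 switchport mode access
 switchport access vlan 300
!
! Checks:
! sw_WAN# show etherchannel summary   - Po1 should be flagged SU (in use, L2)
!                                       and Et0/0 / Et0/1 flagged P (bundled)
! ASA#    show port-channel summary   - Port-channel1 up with both members bundled
```

If the members show as I (stand-alone) or D (down), the usual cause is a mismatch between the member ports and the port-channel (access VLAN, speed/duplex) or one side configured as a static "on" channel instead of LACP.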
ASA:
Use an ASA 8.4 (or later) image: EtherChannel (LACP) support on the ASA requires 8.4(1).
######## LACP ########
interface Ethernet0
 channel-group 1 mode active
!
interface Ethernet1
 channel-group 1 mode active
!
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.1.2.10 255.255.255.0
!
interface Ethernet2
 nameif outside
 security-level 0
 ip address 192.168.200.10 255.255.255.0
!
######## Configure NAT overload (PAT) ########
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
object network LAN1
 nat (inside,outside) dynamic interface
object network LAN2
 nat (inside,outside) dynamic interface
######## Allow ICMP echo replies back through the ASA ########
policy-map global_policy
 class inspection_default
  inspect icmp
######## Routes to the LAN ranges ########
route inside 192.168.1.0 255.255.255.0 10.1.2.1
route inside 192.168.2.0 255.255.255.0 10.1.2.2
######## Default route to the Internet ########
route outside 0.0.0.0 0.0.0.0 192.168.200.50
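A caveat on the two inside routes above: the ASA sends return traffic for 192.168.1.0/24 only to core_sw1 (10.1.2.1) and for 192.168.2.0/24 only to core_sw2 (10.1.2.2). If core_sw1 fails, VRRP moves the 192.168.1.1 gateway to core_sw2, but the ASA keeps forwarding to the dead 10.1.2.1 because its static routes do not track next-hop reachability, so VLAN 100 loses Internet access even though the hosts still have a gateway. One way to close that gap is to run VRRP on the transit VLAN as well and point the ASA at the virtual address. The following is an added example, not part of the original page; the VLAN 300 virtual IP 10.1.2.3 and VRRP group number 3 are assumptions.

```cisco
! core_sw1 (added example): VRRP on the ASA-facing transit VLAN
! 'ip routing' must be enabled on an L3 switch image, or the SVIs will not
! forward between VLANs and the default route above is never used
ip routing
!
interface Vlan300
 ip address 10.1.2.1 255.255.255.0
 vrrp 3 ip 10.1.2.3
 vrrp 3 priority 110
!
! core_sw2 (added example): same group, default priority 100, so it is backup
ip routing
!
interface Vlan300
 ip address 10.1.2.2 255.255.255.0
 vrrp 3 ip 10.1.2.3
!
! ASA (added example): replace the per-switch routes with the VRRP VIP
no route inside 192.168.1.0 255.255.255.0 10.1.2.1
no route inside 192.168.2.0 255.255.255.0 10.1.2.2
route inside 192.168.1.0 255.255.255.0 10.1.2.3
route inside 192.168.2.0 255.255.255.0 10.1.2.3
!
! Checks:
! core_sw1# show vrrp brief   - Vl300 group 3 should be Master on core_sw1,
!                               Backup on core_sw2 (preempt is on by default)
! ASA#      show route        - both 192.168.x.0/24 routes via 10.1.2.3
! Then power off core_sw1 and ping 8.8.8.8 from a VLAN 100 VPC again;
! it should keep working once VRRP on VLAN 100 and VLAN 300 has failed over
```

With this change, return traffic for VLAN 200 enters the campus through core_sw1 instead of core_sw2. That asymmetry is harmless here: both core switches carry VLANs 100 and 200 over the trunks, the ASA sees both directions of every flow on the same inside interface, and there is no other stateful device in the path.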
Verify:
Ping from the VPC to 8.8.8.8 succeeds
===================
Show the NAT rules and the active translations on the ASA:
show nat
show xlate