2025-01-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Experimental purpose:
1. VLAN interworking
2. VRRP
3. Private network accesses the public network through PAT [addresses translated to the 119.1.1.0/29 network segment]
4. Publish Web server for external network access
The steps of the experiment:
Configure each switch:
SW1: create vlan1 [included with switch], vlan2, vlan100
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 1
interface GigabitEthernet0/0/12
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/13
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
SW2: create vlan1 [included with switch], vlan2, vlan100, vlan3
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 3
interface GigabitEthernet0/0/12
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/23
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
SW3: create vlan1 [included with switch], vlan2, vlan100, vlan4
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 4
interface GigabitEthernet0/0/13
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/23
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
Configure VRRP: SW3 as the VRRP master and SW2 as the VRRP backup
SW3:
interface Vlanif1
 ip address 192.168.1.250 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.254 \\ configure virtual gateway IP
 vrrp vrid 1 priority 150 \\ configure priority
 vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 100 \\ configure link tracking to reduce priority by 100
interface Vlanif2
 ip address 192.168.2.250 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.2.254 \\ configure virtual gateway IP
 vrrp vrid 2 priority 150 \\ configure priority
 vrrp vrid 2 track interface GigabitEthernet0/0/2 reduced 100 \\ configure link tracking to reduce priority by 100
interface Vlanif100
 ip address 192.168.100.253 255.255.255.0
 vrrp vrid 100 virtual-ip 192.168.100.254 \\ configure virtual gateway IP
 vrrp vrid 100 priority 150 \\ configure priority
 vrrp vrid 100 track interface GigabitEthernet0/0/2 reduced 100 \\ configure link tracking to reduce priority by 100
SW2:
interface Vlanif1
 ip address 192.168.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.254 \\ configure virtual gateway IP
interface Vlanif2
 ip address 192.168.2.253 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.2.254 \\ configure virtual gateway IP
interface Vlanif100
 ip address 192.168.100.250 255.255.255.0
 vrrp vrid 100 virtual-ip 192.168.100.254 \\ configure virtual gateway IP
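The priority arithmetic behind the tracking lines above, as an added example that is not part of the original lab write-up. It assumes VRRP preemption is enabled and that SW2, which has no priority line, runs at the default of 100; Member, master_after and min_reduction_for_failover are hypothetical names. It shows why "reduced 100" hands the virtual gateways to SW2 when SW3's tracked GigabitEthernet0/0/2 goes down, and why a reduction below 51 would leave SW3 as master with a dead link.

```python
from dataclasses import dataclass, replace

DEFAULT_PRIORITY = 100  # assumed default when no "priority" line is configured (SW2 here)

@dataclass(frozen=True)
class Member:
    switch: str
    priority: int = DEFAULT_PRIORITY
    track_reduced: int = 0  # N from "track interface ... reduced N"

    def effective(self, tracked_up: bool) -> int:
        # Priority drops only while the tracked interface is down; floor of 1
        # because 0 is reserved in VRRP advertisements.
        if tracked_up:
            return self.priority
        return max(self.priority - self.track_reduced, 1)

def master_after(members, current, tracked_up):
    """Return the master once the group settles, assuming preemption is enabled.

    A backup takes over only if its effective priority is strictly higher
    than the current master's; equal priority does not preempt.
    """
    eff = {m.switch: m.effective(tracked_up.get(m.switch, True)) for m in members}
    best = max(eff, key=eff.get)
    return best if eff[best] > eff[current] else current

def min_reduction_for_failover(master, backup):
    """Smallest 'reduced' value that lets the backup preempt on link failure."""
    return master.priority - backup.priority + 1

# Values taken from the SW3 / SW2 configuration above (same for vrid 1, 2, 100).
SW3 = Member("SW3", priority=150, track_reduced=100)
SW2 = Member("SW2")
GROUP = [SW3, SW2]

if __name__ == "__main__":
    print("link up     ->", master_after(GROUP, "SW3", {"SW3": True}))
    print("link down   ->", master_after(GROUP, "SW3", {"SW3": False}))
    print("recovered   ->", master_after(GROUP, "SW2", {"SW3": True}))
    print("minimum 'reduced' for failover:", min_reduction_for_failover(SW3, SW2))
    weak = [replace(SW3, track_reduced=40), SW2]  # constructed counter-example
    print("reduced 40, link down ->", master_after(weak, "SW3", {"SW3": False}))
```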
Configure OSPF:
SW3:
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 192.168.100.0 0.0.0.255
  network 192.168.4.0 0.0.0.255
SW2:
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
interface Vlanif3
 ip address 192.168.3.1 255.255.255.0
interface Vlanif4
 ip address 192.168.4.1 255.255.255.0
Configure firewall [ASA]:
interface GigabitEthernet0
 nameif inside1
 security-level 100
 ip address 192.168.4.254 255.255.255.0
interface GigabitEthernet1
 nameif inside2
 security-level 100
 ip address 192.168.3.254 255.255.255.0
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 200.8.8.1 255.255.255.252
Configure the firewall next hop:
route inside1 192.168.1.0 255.255.255.0 192.168.4.1
route inside1 192.168.2.0 255.255.255.0 192.168.4.1
route inside1 192.168.100.0 255.255.255.0 192.168.4.1
Configure ISP:
interface GigabitEthernet0/0/0
 ip address 200.8.8.2 255.255.255.252 \\ configure IP [30-bit subnet mask]
interface GigabitEthernet0/0/1
 ip address 200.9.9.254 255.255.255.0 \\ configure IP
Default route:
ip route-static 0.0.0.0 0.0.0.0 200.8.8.1
Configure the firewall to ISP next hop:
route outside 200.9.9.0 255.255.255.0 200.8.8.2
Configure an ACL on the firewall [allows the public network to access the web service of the internal network]:
access-list out-to-in permit tcp host 200.9.9.2 host 192.168.100.1 eq 80
Apply the ACL:
access-group out-to-in in interface outside
NAT address translation [translating private addresses to public addresses in 119.1.1.0/29]:
object network vlan1 \\ configure vlan1 NAT
 subnet 192.168.1.0 255.255.255.0
 nat (inside1,outside) dynamic 119.1.1.1
 quit
object network vlan2 \\ configure vlan2 NAT
 subnet 192.168.2.0 255.255.255.0
 nat (inside1,outside) dynamic 119.1.1.2
 quit
object network vlan100 \\ configure vlan100 NAT
 subnet 192.168.100.0 255.255.255.0
 nat (inside1,outside) dynamic 119.1.1.3
 quit
Client IP:
Client1: 192.168.1.1 255.255.255.0
Client2: 192.168.2.1 255.255.255.0
Server-web: 192.168.100.1 255.255.255.0
Client3: 200.9.9.2 255.255.255.0
Server-ftp: 200.9.9.1 255.255.255.0
Verifying the results:
1. VLAN interworking
2. VRRP [ping the virtual gateway IP]
3. PAT from the internal network to the public network [the address is translated into the 119.1.1.0/29 network segment]
4. Publish Web server for public network access [Client3 is a public network client]
Experimental topology diagram [a red dot indicates that the signal is unstable, not that the link is closed; data can still pass]: