IPexpert’s CCIE Security Proctor Guide – Version 4.1 Section 13
d) Enable Nat-control on the PIX.
pixfirewall(config)#nat-control
2.4 – Transparent Firewall (2 points)
a) Configure ASA1 in transparent firewall mode for the VLANs connecting R4 and R9. Make sure
that the routing protocol adjacencies between R4 and R9 work after completing this step. Do not
configure contexts for this step.
ciscoasa(config)#firewall transparent
ciscoasa(config)#hostname ASA1
ASA1(config)#int eth0/0
ASA1(config-if)#no shut
ASA1(config-if)#int eth0/1
ASA1(config-if)#no shut
ASA1(config)#int eth0/0
ASA1(config-if)#nameif outside
IICMP: icmp_open Entry for context 0
NFO: Security level for "outside" set to 0 by default.
ASA1(config-if)#int eth0/1
ASA1(config-if)#nameif inside
IICMP: icmp_open Entry for context 0
NFO: Security level for "inside" set to 100 by default.
ASA1(config)#ip address 192.1.49.55 255.255.255.0

At a minimum, we need to allow OSPF and BGP traffic, and possibly ICMP echo and
echo-reply for ping testing. Since we are not given any restrictions on what traffic to
allow, we can just allow all IP traffic.
ASA1(config)#access-list ROUTING permit ip any any
ASA1(config)#access-group ROUTING in interface outside
ASA1(config)#access-group ROUTING in interface inside
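A tighter alternative to the permit-all ACL above, added here as an example and not part of the original guide: it permits only the traffic the paragraph names (OSPF, BGP, ICMP echo and echo-reply). The ACL name ROUTING_MIN is hypothetical, and `any` is kept for source and destination because the guide does not give the R4 and R9 addresses.

```cisco
! Added example, not from the guide. ROUTING_MIN is a hypothetical ACL name.
! OSPF is IP protocol 89; this covers multicast hellos and unicast exchange.
access-list ROUTING_MIN extended permit ospf any any
! BGP runs over TCP 179 and either peer may open the session. The ASA
! tracks TCP state, so return packets need no separate entry.
access-list ROUTING_MIN extended permit tcp any any eq bgp
! ICMP is not inspected by default, so the reply must be permitted explicitly.
access-list ROUTING_MIN extended permit icmp any any echo
access-list ROUTING_MIN extended permit icmp any any echo-reply
! Binding a new ACL replaces the one already applied inbound on the interface.
access-group ROUTING_MIN in interface outside
access-group ROUTING_MIN in interface inside
```

Everything else is dropped by the implicit deny at the end of the ACL; the hit counts in `show access-list ROUTING_MIN` confirm which entries the adjacencies actually use.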
2.5 – Contexts (2 points)
a) Configure ASA2 in transparent firewall mode for the VLANs connecting R5 and BB2, using
contexts. Use the context name r5tobb2. Configure interfaces eth0/0 and eth0/1 for a security
level of 100.

Configuration for ASA2 will be similar, but we will be using contexts. Start by
switching to multiple context mode.
ciscoasa(config)#mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
Copyright IPexpert, Inc. (http://www.ipexpert.com) 2007. All Rights Reserved. 343