
4 questions in the ASA section:

 

1. ASA1 Initialization

2. ASA2 Initialization

3. ASA2 NAT

4. ZBF on R3

 

 

 

Problems:

 

 

1. ASA1 Initialization

a. 2 contexts with 2 interfaces each; nothing is mentioned about a redundant interface, but the question says to use a unique MAC address for each context interface. ???? Big confusion.

 

2. ASA2 Initialization

a. The question says there is a partial configuration, but there is NOTHING ..... so you lose marks.

 

3. ASA2 NAT

a. Double NAT on both ASAs for web server traffic (80, 443) ... no issues.

 

4. ZBF on R3

a. Confusion about which interface is internal and which is external ..... a wrong configuration causes OSPF problems.


For ZBF ... look at this .......

 

 

[Image: 146616.jpg]

 

 

 

The following situations exist:

- Traffic flows freely between interfaces E0 and E1 because they are members of the same security zone (Z1).

- If no policies are configured, traffic will not flow between any other interfaces (for example, E0 and E2, E1 and E2, E3 and E1, and E3 and E2).

- Traffic can flow between E0 or E1 and E2 only when an explicit policy permitting traffic is configured between zone Z1 and zone Z2.

- Traffic can never flow between E3 and E0/E1/E2 because E3 is not part of any security zone.

Edited by imran050
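To make the four situations above concrete, here is an added example configuration for a classic IOS Zone-Based Policy Firewall. It is not from the original post, the lab, or Cisco's documentation; the interface names Ethernet0 to Ethernet3, the zone names Z1 and Z2, and the protocols inspected are assumptions chosen to match the figure.

```ios
! Added example (not from the post): ZBF with two zones and one
! interface deliberately left outside every zone.
zone security Z1
zone security Z2
!
interface Ethernet0
 zone-member security Z1
interface Ethernet1
 zone-member security Z1
interface Ethernet2
 zone-member security Z2
! Ethernet3 has no zone-member statement, so traffic between it and
! any zone member is dropped regardless of which zone-pairs exist.
!
! E0 <-> E1 is intra-zone (both in Z1) and needs no policy at all.
!
! Assumed set of protocols to allow from Z1 into Z2.
class-map type inspect match-any Z1-TO-Z2-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect Z1-TO-Z2-PMAP
 class type inspect Z1-TO-Z2-CMAP
  inspect
 class class-default
  drop log
!
! This is the explicit policy that opens E0/E1 -> E2. Stateful
! inspection admits the return traffic; sessions initiated from E2
! towards Z1 are still dropped because no Z2 -> Z1 zone-pair exists.
zone-pair security Z1-TO-Z2 source Z1 destination Z2
 service-policy type inspect Z1-TO-Z2-PMAP
```

Verify the result with `show zone security`, `show zone-pair security` and `show policy-map type inspect zone-pair sessions`. Two practitioner caveats: the direction of the zone-pair decides who may open a session, so swapping source and destination is the usual way to get the internal/external confusion mentioned in the first post; and the router's own control-plane traffic (OSPF hellos included) belongs to the implicit self zone, which passes traffic in both directions until you create a zone-pair that involves self, after which any protocol the policy does not pass or inspect is dropped.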


For the question related to the ASA2 partial configuration.

 

 

Do not clear config all, because there are hidden faults in the VPN which can be seen only by running the following commands:

show run all tunnel-group

show run all group-policy

 

 

For the question about ASA1, just use mac-address auto and you are fine. It's almost similar to Yusuf Bhaiji lab 1.
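As an added example (not the lab's pre-configuration and not the poster's own config), this is what the ASA1 system execution space would look like with mac-address auto and two routed contexts of two interfaces each, in the layout the first post describes. The ASA is assumed to be in multiple-context mode already; the context names admin, C1 and C2, the interface numbers and the config-url file names are assumptions.

```ios
! Added example (not from the post): ASA system execution space.
!
! One command in the system context makes the ASA generate a unique
! MAC address for every context interface, which is what the task
! asks for. It matters most when a physical interface or subinterface
! is shared by several contexts; with four dedicated interfaces the
! auto-generated addresses simply replace the burned-in ones.
mac-address auto
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context C1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/c1.cfg
!
context C2
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/c2.cfg
```

Check it from inside each context with `show interface`, which prints the MAC address in use for every interface. For the ASA2 hidden-fault hunt mentioned above, the point of `show running-config all tunnel-group` and `show running-config all group-policy` is that `show running-config` on its own hides attributes that are still at their default value; a modified default (for example in DfltGrpPolicy or DefaultL2LGroup) only shows up with the `all` keyword, and `clear configure all` would erase the evidence.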


What's the use of mac-address auto when I am using all 4 interfaces, each having a unique MAC address?? Makes no sense.

 

Regarding the pre-config, there is nothing in the pre-config on ASA1. Ask the proctor to confirm it. If it is in single mode and you change it to multi, all config gets flushed. If it's already in multi mode then I don't think any pre-config will be there... We don't have any VPN terminating on the ASA, so any tuning in the default tunnel-group or group-policy will not do any harm.


ASA2 is a single-context, routed-mode firewall. Anyone appearing in the lab can confirm with the show run all commands the difference in tunnel-group and group-policy compared with the other ASA.


This unique MAC address assignment is a hint that the firewall needs a "redundant interface".

Have you checked vb of Pcl?

How can you assume it has to be a redundant interface?

In VD+, when redundant interfaces were asked for, it was clearly mentioned in the question and a box was drawn with details .....

In the diagram it would be clear that 2 interfaces are made redundant.

Plus the pre-config on the SW would be trunk, not access .....

I don't feel that it needs a redundant interface .... but I don't know why people are losing marks.



Imran,

At times the diagrams are logical and not physical. Different people at Cisco have developed different labs, so the diagram's scheme appears different as well. Anyways....
