My lab begins with making sure the network setup is correct. This will allow the ASAv in the GNS3 lab environment to communicate with other devices as well as out to the WAN. I'm using vmnet8 in my lab with the following configurations:
- Subnet IP: 192.168.14.0
- Subnet mask: 255.255.255.0
- Gateway IP: 192.168.14.2
In the design below you will see 3 switches, 1 ASAv and 1 cloud in the topology. The setup expands as my posts on the ASAv progress, but for now our main focus is the ASAv and Cloud1.
Once the devices have been placed onto the topology, Cloud1 can be configured by right-clicking it and selecting Properties. Under the Ethernet interfaces tab, enable "Show special Ethernet interfaces". This allows VMware Network Adapter VMnet8 to be selected from the drop-down and added to the list below. Delete all other interfaces so that only VMware Network Adapter VMnet8 is in the configuration for Ethernet interfaces, as shown:
The ASAv is next to be configured. We need to specify that the ASAv will be connected to multiple devices, so under the Network tab the number of adapters is set to 4.
I've found out that the naming convention for my nodes does not match between what GNS3 shows and my command line. I troubleshot this by guess and check to see how the routes communicated. This seems like a common problem for other people labbing with VIRL images on GNS3. The node names in GNS3 just need to be changed so there won't be any confusion about which interface you're actually configuring.
(Above are the default GNS3 node names)
(Above are the new node names that match my CLI)
Now it's time to power on the ASAv and enter configuration mode. Right-click the ASAv to power it on and open the command line. When entering enable (privileged) mode, there is no password on initial boot, so just press Enter.
enable
conf t
From here we'll switch to interface configuration mode to set the security levels, interface names and IP addresses, and to enable the interfaces.
ASAs have stateful inspection by default. This means that traffic arriving on an interface with a lower security level can't pass to an interface with a higher security level unless it was first requested from the higher security level. In this case, traffic from the outside interface, which points to the internet, can by default only enter the inside interface, where the LAN resides, if it was first requested by the LAN. The magic happens by giving the outside interface security-level 0 and the inside interface security-level 100.
int gig 0/0
security-level 0
nameif outside
ip address 192.168.14.130 255.255.255.0
no shutdown
exit
int gig 0/1
security-level 100
nameif inside
ip address 10.1.0.250 255.255.255.0
no shutdown
exit
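The default behaviour described above can be modelled in a few lines of Python. This is an added example, not part of the original lab and not Cisco's implementation: the DefaultPolicy class, its packet method and the sample addresses used with it are hypothetical, and the model assumes no ACLs and TCP/UDP flows only.

```python
import re

# Interface lines copied from this post's configuration.
CONFIG = """\
int gig 0/0
security-level 0
nameif outside
ip address 192.168.14.130 255.255.255.0
no shutdown
exit
int gig 0/1
security-level 100
nameif inside
ip address 10.1.0.250 255.255.255.0
no shutdown
exit
"""

def parse_levels(config):
    """Return {nameif: security-level} for each interface block."""
    levels, level, name = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("int"):            # new interface block starts
            level, name = None, None
        elif m := re.fullmatch(r"security-level (\d+)", line):
            level = int(m.group(1))
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        if name is not None and level is not None:
            levels[name] = level
    return levels

class DefaultPolicy:
    """Hypothetical model of the default rule: no ACLs, TCP/UDP only."""
    def __init__(self, levels):
        self.levels, self.conns = levels, set()

    def packet(self, in_if, out_if, src, dst):
        """Return True if a packet from src to dst may cross in_if -> out_if."""
        if (dst, src) in self.conns:          # reply to a tracked connection
            return True
        if self.levels[in_if] > self.levels[out_if]:
            self.conns.add((src, dst))        # higher -> lower: allow and track
            return True
        return False                          # unsolicited lower -> higher
```

Endpoints are passed as (ip, port) tuples, for example ("10.1.0.10", 50000) for a LAN client; a packet from outside to that client is only accepted after the client has opened the flow.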
Now we'll configure routing for the named interfaces. As noted earlier, the gateway on the outside interface is 192.168.14.2. This is a private IP in the lab, but would be public in reality. If the configuration was made correctly, the route should allow the ASAv to reach the internet. My ping proves that mine does - the ASAv successfully communicates with the outside world (WAN) from a GNS3 simulation.
route outside 0.0.0.0 0.0.0.0 192.168.14.2
route inside 10.0.0.0 255.0.0.0 10.1.0.1
ping 8.8.8.8
Finally, don't forget the write command to save the configuration. We'll use this lab again to build out the rest of ASAv as we expand the environment.
write









