Lab 17: Dynamic Routing with ASA
Task
1. Configure IP addresses as shown in the topology.
2. Configure dynamic routing as shown in the topology. Make sure the ASA1 router ID is 10.10.10.10.
Every router must use a router ID that matches its name, for example 3.3.3.3 for R3.
3. Make sure R4 can reach ASA1.
4. After completing Task 3, configure whatever is needed for R4 to reach R5.
5. Make sure ASA1 and ASA2 send traffic from inside and inside1 users via PAT. ASA1 and ASA2
should be able to ping each other.
6. Make sure all routers can ping the ISP.
7. Enable a site-to-site VPN on the ASAs and permit 151.2.0.0/24 and 192.144.0.0/24 to communicate
with 10.0.78.0/24 and 192.168.101.0/24. Use netwaxlab as the ISAKMP key.
8. Make sure R5 can telnet to R7 using port 4223. Configure whatever is needed.
Figure 1 Topology
Solution
Task 2: Configure dynamic routing as shown in the topology. Make sure the ASA1 router ID is
10.10.10.10. Every router must use a router ID that matches its name, for example 3.3.3.3 for R3.
ASA1
router ospf 100
router-id 10.10.10.10
network 192.168.1.0 255.255.255.0 area 0
network 10.0.0.0 255.255.255.0 area 0
exit
ASA2
router eigrp 200
network 192.168.101.0 255.255.255.0
network 72.5.5.0 255.255.255.0
no auto-summary
exit
R1
router ospf 100
router-id 1.1.1.1
network 192.144.0.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
exit
R2
router ospf 100
router-id 2.2.2.2
network 10.0.0.0 0.0.0.255 area 0
network 151.2.0.0 0.0.0.255 area 2
exit
R3
router ospf 100
router-id 3.3.3.3
network 20.0.0.0 0.0.0.255 area 3
network 192.144.0.0 0.0.0.255 area 1
exit
R4
router ospf 100
router-id 4.4.4.4
network 20.0.0.0 0.0.0.255 area 3
exit
R5
router ospf 100
router-id 5.5.5.5
network 151.2.0.0 0.0.0.255 area 2
exit
R6
router eigrp 200
network 10.0.67.0 0.0.0.255
network 10.0.68.0 0.0.0.255
network 192.168.101.0
no auto-summary
exit
R7
router eigrp 200
network 10.0.67.0 0.0.0.255
network 10.0.78.0 0.0.0.255
network 72.5.5.0 0.0.0.255
no auto-summary
exit
R8
router eigrp 200
network 10.0.68.0 0.0.0.255
network 10.0.78.0 0.0.0.255
no auto-summary
exit
Task 3: Make sure R4 can reach ASA1.
R1
router ospf 100
area 1 virtual-link 3.3.3.3
exit
R3
router ospf 100
area 1 virtual-link 1.1.1.1
exit
Task 4: After completing Task 3, configure whatever is needed for R4 to reach R5.
Both ASAs
same-security-traffic permit inter-interface
Task 5: Make sure ASA1 and ASA2 send traffic from inside and inside1 users via PAT. ASA1 and
ASA2 should be able to ping each other.
ASA1
route outside 0 0 101.1.1.1
access-list NAT permit ip 192.168.1.0 255.255.255.0 any
access-list NAT permit ip 192.144.0.0 255.255.255.0 any
access-list NAT permit ip 10.0.0.0 255.255.255.0 any
access-list NAT permit ip 20.0.0.0 255.255.255.0 any
access-list NAT permit ip 151.2.0.0 255.255.255.0 any
nat (inside) 1 access-list NAT
nat (inside1) 1 access-list NAT
global (outside) 1 interface
ASA2
route outside 0 0 102.1.1.1
access-list NAT permit ip 192.168.101.0 255.255.255.0 any
access-list NAT permit ip 72.5.5.0 255.255.255.0 any
access-list NAT permit ip 10.0.67.0 255.255.255.0 any
access-list NAT permit ip 10.0.68.0 255.255.255.0 any
access-list NAT permit ip 10.0.78.0 255.255.255.0 any
nat (inside) 1 access-list NAT
nat (inside1) 1 access-list NAT
global (outside) 1 interface
Task 6: Make sure all routers can ping the ISP.
ASA1
router ospf 100
default-information originate
redistribute connected
exit
ASA2
router eigrp 200
redistribute connected
redistribute static
exit
Task 7: Enable a site-to-site VPN on the ASAs and permit 151.2.0.0/24 and 192.144.0.0/24 to
communicate with 10.0.78.0/24 and 192.168.101.0/24. Use netwaxlab as the ISAKMP key.
ASA1
access-list VPN permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list VPN permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp key netwaxlab address 102.1.1.2
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 102.1.1.2
crypto isakmp enable OUTSIDE
crypto map CMAP interface outside
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside1) 0 access-list nonat
nat (inside) 0 access-list nonat
ASA2
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp key netwaxlab address 101.1.1.2
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map CMAP 10 set transform-set tset
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 101.1.1.2
crypto isakmp enable OUTSIDE
crypto map CMAP interface outside
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
nat (inside1) 0 access-list nonat
nat (inside) 0 access-list nonat
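A tunnel like the one in Task 7 only passes traffic when every crypto ACL entry has a mirror-image entry on the peer and is also exempted from PAT by the nonat ACL. The Python check below is an added example, not part of the original lab: it parses the Task 7 ACL lines and reports either problem. Its function names are hypothetical, and it assumes entries in network/mask form only.

```python
import ipaddress

# ACL lines as they appear in the Task 7 solution on this page.
ASA1 = """
access-list VPN permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list VPN permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 151.2.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 10.0.78.0 255.255.255.0
access-list nonat extended permit ip 192.144.0.0 255.255.255.0 192.168.101.0 255.255.255.0
"""
ASA2 = """
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.78.0 255.255.255.0 192.144.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 151.2.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.144.0.0 255.255.255.0
"""

def acl_pairs(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    pairs = set()
    for line in config.splitlines():
        words = line.split()
        if words[:2] != ["access-list", name] or "permit" not in words:
            continue
        # Assumption: "ip <net> <mask> <net> <mask>" form (no "any" or "host").
        src, smask, dst, dmask = words[words.index("ip") + 1:][:4]
        pairs.add((ipaddress.ip_network(f"{src}/{smask}"),
                   ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs

def check_tunnel(local, remote):
    """List mismatches that would stop the site-to-site tunnel passing traffic."""
    problems = []
    vpn_local = acl_pairs(local, "VPN")
    mirrored = {(dst, src) for src, dst in acl_pairs(remote, "VPN")}
    for src, dst in sorted(vpn_local ^ mirrored):
        problems.append(f"crypto ACL entry has no mirror on the peer: {src} -> {dst}")
    for src, dst in sorted(vpn_local - acl_pairs(local, "nonat")):
        problems.append(f"no NAT exemption, traffic would be PATed: {src} -> {dst}")
    return problems
```

Calling `check_tunnel(ASA1, ASA2)` and `check_tunnel(ASA2, ASA1)` on the lab's ACLs returns an empty list in both directions.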
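Task 8: Make sure R5 can telnet to R7 using port 4223. Configure whatever is needed.
ASA2
static (inside1,outside) tcp interface 4223 72.5.5.7 23
access-list OUT permit tcp host 101.1.1.2 host 102.1.1.2 eq 4223
! Bind the ACL to the outside interface; without this the permit entry is never evaluated
access-group OUT in interface outside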
