
CCIE SECv5 LAB1 Configuration Question Set

The document provides instructions to configure multiple security devices including ASA firewalls, NGIPS, and VPN access. It describes:

1. Configuring active/standby and active/active firewall failover between ASA pairs using interface information provided in tables
2. Configuring ASA1 and ASA2 in multiple context mode with contexts C1 and C2 participating in an active/active failover group
3. Configuring ASA3 and ASA4 in a cluster with ASA3 as the master and interfaces in a port-channel
4. Configuring access policies on NGIPS to permit certain traffic
5. Configuring a clientless SSL VPN on ASA2 with given

Uploaded by

Janek Podwala

CCIE SECv5 LAB1 Configure Question Set

Section 1.1a: Configure ASA1_V and ASA11_V For Active Standby Failover

Configure ASA1_V using the information in the table:

Interface  Name IF     Security Level  Active IP      Standby IP
Gi0/0      Outside     0               20.1.1.1/24    20.1.1.2/24
Gi0/1      Inside      100             10.1.11.1/24   10.1.11.2/24
M0/0       Management  100             150.1.7.53/24  150.1.7.54/24

Configure ASA1_V for EIGRP peering with R1 on interface Gi0/1 (Inside), using
autonomous system number 12. The peering must use MD5 authentication with
key-id 1 and key string cisco.

Configure failover as described below.

Configure stateful failover between ASA1_V as the primary and ASA11_V as the
secondary member.

NAME  LAN & LINK INTERFACE  ACTIVE-IP      Standby IP
FO    Gi0/2                 10.10.11.1/24  10.10.11.2/24

NOTE: All interfaces must be in monitored mode after implementation.
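
One way to meet the Section 1.1a requirements on the primary unit (ASA1_V), as an added example that is not part of the original question set. Addresses, names, the AS number and the key come from the tables above; the EIGRP network statement and the explicit monitor-interface lines are assumptions.

```cisco
! ASA1_V (primary) - data and management interfaces with standby addresses
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
 ! EIGRP AS 12 neighbor authentication: MD5, key-id 1, key string cisco
 authentication mode eigrp 12 md5
 authentication key eigrp 12 cisco key-id 1
 no shutdown
!
interface Management0/0
 nameif Management
 security-level 100
 ip address 150.1.7.53 255.255.255.0 standby 150.1.7.54
 no shutdown
!
! Failover interface: no nameif or ip address here, only bring it up
interface GigabitEthernet0/2
 no shutdown
!
! Assumption: R1 sits in the Inside subnet, so only that network is advertised
router eigrp 12
 no auto-summary
 network 10.1.11.0 255.255.255.0
!
! Stateful failover: the same interface (FO) carries LAN and state link
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
failover
!
! Assumption: set monitoring explicitly so every named interface is monitored
monitor-interface Outside
monitor-interface Inside
monitor-interface Management
```

The secondary unit (ASA11_V) needs only the same failover commands with `failover lan unit secondary`; the rest of the configuration replicates from the primary. Failover traffic, including the replicated configuration, crosses Gi0/2 in cleartext unless a `failover key` or `failover ipsec pre-shared-key` is configured, which the task does not ask for.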

Section 1.1b: Configure ASA2_V and ASA22_V For Active Standby Failover

Configure ASA2_V using the information in the table:

Interface  Name IF     Security Level  Active IP      Standby IP
Gi0/0      Outside     0               20.1.2.1/24    20.1.2.2/24
Gi0/1      Inside      100             10.1.22.1/24   10.1.22.2/24
M0/0       Management  100             150.1.7.55/24  150.1.7.56/24

Configure ASA2_V for EIGRP peering with R1 on interface Gi0/1 (Inside), using
autonomous system number 12. The peering must use MD5 authentication with
key-id 1 and key string cisco.

Configure failover as described below.

Configure stateful failover between ASA2_V as the primary and ASA22_V as the
secondary member.

NAME  LAN & LINK INTERFACE  ACTIVE-IP      Standby IP
FO    Gi0/2                 10.10.22.1/24  10.10.22.2/24

NOTE: All interfaces must be in monitored mode after implementation.

live:rahulk_ashyap
Section 1.2: Configure ASA1 and ASA2 For Active Active Failover

Configure ASA1 in multiple context mode using the given information.

Context Name  Config-URL  Failover Group  Interface  VLAN
Admin         admin.cfg   -               M0/0       -
C1            C1.cfg      1               G0/0.1     2
                                          G0/1.1     4
                                          G0/2.1     6
C2            C2.cfg      2               G0/0.2     3
                                          G0/1.2     5
                                          G0/2.2     7

Admin Interface  Name IF     Security Level  Active IP      Standby IP
M0/0             Management  100             150.1.7.57/24  150.1.7.58/24

CONTEXT C1

C1 Interface  Name IF  Security Level  Active IP   Standby IP
Gi0/0.1       Inside   100             10.100.2.1  10.100.2.2
Gi0/1.1       DMZ      50              10.100.4.1  10.100.4.2
Gi0/2.1       Outside  0               10.100.6.1  10.100.6.2

1. Configure Object NAT so that traffic for SRV-5 leaves via outside and is
translated to the outside interface.
2. Allow 192.168.10.0/24 to access SRV-5 over HTTP (port 80) and ICMP.

CONTEXT C2

C2 Interface  Name IF  Security Level  Active IP   Standby IP
Gi0/0.2       Inside   100             10.100.3.1  10.100.3.2
Gi0/1.2       DMZ      50              10.100.5.1  10.100.5.2
Gi0/2.2       Outside  0               10.100.7.1  10.100.7.2

1. Configure Object NAT so that traffic for SRV-6 leaves via outside and is
translated to the outside interface.
2. Allow 192.168.11.0/24 to access SRV-6 over HTTP (port 80) and ICMP.

Configure ASA1 & ASA2 for active-active failover using the given information.

Name  Interface  Active IP     Standby IP
LAN   G0/3       10.100.201.1  10.100.201.2
LINK  G0/4       10.100.202.1  10.100.202.2

ASA’s  ROLE       Active  Standby
ASA1   PRIMARY    C1      C2
ASA2   SECONDARY  C2      C1

Section 1.3: Configure ASA3 and ASA4 For Clustering

Configure ASA3 and ASA4 as described below. Make sure ASA3 acts as master
and ASA4 acts as slave in the cluster.

1. Interfaces Gi0/0 and Gi0/1 are members of channel group 1.

Configure interface Port-channel 1 as follows:

PC-Interface  Name IF  Security Level  IP ADDRESS   VLAN
1.8           Inside   100             10.100.8.1   8
1.9           OUTSIDE  0               10.100.9.1   9
1.10          DMZ      50              10.100.10.1  10

Configure clustering as follows:

The cluster management pool should be 150.1.7.60-61 and the cluster management
address is 150.1.7.59.

Device  Group  Interface  Address       Role
ASA3    ccie   Gi0/2      10.100.203.1  Master
ASA4    ccie   Gi0/2      10.100.203.2  Slave

1. Configure Object NAT so that traffic for SRV-6 leaves via outside and is
translated to the outside interface.
2. Allow 192.168.11.0/24 to access SRV-6 over HTTP (port 80) and ICMP.

Section 1.4: Configure Access Policy on NGIPS

1. Permit EIGRP between R1 (external zone) and R2 (internal zone).
2. Permit 172.16.1.0/24 to access SRV-1 and SRV-2 on HTTP 8080.
3. Permit 10.1.22.0/24 from the external zone to access SRV-1 and SRV-2 on HTTP
8080.

Section 3.1: Clientless SSL VPN between ASA2_V & PC-2

Configure Clientless SSL VPN with CA server. The candidate can assume any
information that is not provided. The configuration should match the following
requirements on ASA2_V:

1. VPN access credentials should be username:ccie password:ccie
2. Connection banner should be Welcome to CCIE LAB EXAM!
3. Group alias should be named sslvpn

I hope the above is useful to you. Please feel free to contact me if you
need any further information, or if you find any
mistake, let me know: [email protected]

live:rahulk_ashyap
