Configuring an ASA Firewall on Cisco Packet Tracer - Part TWO

  • Published: 14 Oct 2024
  • Configuring an ASA Firewall on Cisco Packet Tracer. Configuring using the CLI.

Comments • 80

  • @kroy5555 2 years ago +4

    best explanation of NAT and routing I've seen. Thank you.

    • @GregSouth 2 years ago

      Thanks for the feedback @kroy5555

  • @nhatminham9083 3 years ago +3

    I just want you to know that I’m a Cyber Security student and working on my network architecture project. I’m stuck when configuring ASA and your video helps a lot. Thank you so much and keep up the good work.

    • @GregSouth 3 years ago

      Thanks for the feedback and really pleased to hear the video helped 👍

    • @samdanquah6704 2 years ago

      @GregSouth I am a cyber security student as well and I do appreciate your videos and the support you're giving to us. God bless you.

    • @jean-lucpicard5510 2 years ago

      Were you in your final year?

    • @nhatminham9083 2 years ago

      @jean-lucpicard5510 yes I graduated now and working for MSP company. I don't use this software a lot, but it's good to know the basic.

  • @Al556 2 years ago +3

    Thank you for this series of videos. I'm learning ASA after just completing the CCNA. Seems like a good next step. You're an excellent educator. Sláinte!

    • @GregSouth 2 years ago

      Hey Alex! Thanks for the feedback and glad the videos are helping. Good luck with your studies

  • @rochuolmos 2 years ago +2

    Not all heroes wear capes. Some upload videos on YouTube for students in distress ... THANK YOU

    • @GregSouth 2 years ago

      Hi Rocio, thanks for the feedback and really pleased videos helped

  • @SLonxxxx 3 months ago

    Excellent videos mate. Thanks a million.

    • @GregSouth 2 months ago

      Hey @SCMcDonLon - glad the videos helped and thanks for the feedback! Greg

  • @RajeevPrashar 3 years ago +1

    Hi Greg South, Thanks for these awesome Videos. I am your 1000th Subscriber on YouTube. Love from India. Your way of explaining is very Good and easy to understand. Please upload CCNA security Videos Complete Playlist from Scratch.

    • @GregSouth 3 years ago +1

      Hi Rajeev, thanks for your comment and also for being my 1000 subscriber. :) Glad you like the content. I have on my to-do list to create more videos soon... I'll keep in mind your idea of CCNA security videos. All the very best. Thanks - Greg

  • @ankur9829 11 months ago +1

    Amazing explanation

    • @GregSouth 11 months ago

      Glad you liked it

  • @hamzanaimi809 1 year ago +1

    thanks a lot, inspection policies you made at last they made packets able to come back, but still don't understand how it works

    • @GregSouth 10 months ago

      I have some urls in comments section where you can look up more information on these

  • @georgez.7278 2 years ago +1

    can you please demonstrate how did you set up the initial network equipment?
    and, why did you choose this approach for structuring the network (especially the edge router's config)
    also, can you please show how to incorporate more subnets within the Firewall's VLAN 1
    apart from that,
    you are brilliant, thank you for the nice tutorials

    • @GregSouth 2 years ago

      Hi @George Z
      In this exercise, I used the following Cisco Packet Tracer file. You can find it at the following link: - bit.ly/38o8Dxf
      In this link, I've also uploaded the exercise file that outlines the scenario in more detail.
      To incorporate more vlans: use the command ‘interface vlan x’ (x being the number you wish to create) - just a heads up on this, what you may find with creating more vlans you will likely encounter an error if you try and name the vlan - this issue is because of license restrictions on the ASA.
      With regards to the edge router (router R1), this is configured with a public IP address on its G0/0 interface (think of this like the ISP’s router) so that we could configure a default static route on the ASA outside interface to essentially enable the ASA to reach external networks.
      I hope it helps.
      Greg

    • @georgez.7278 2 years ago +1

      @GregSouth
      Thank you Greg
      you are the best

  • @315HUGHES 4 years ago +3

    hi does the MPF (inspect icmp) have to be done for every type of traffic for the ASA to allow it through, so for example if i wanted to allow web traffic would i add one to "inspect http"? Thanks, good videos too

    • @GregSouth 4 years ago +4

      Hi Rob, you are correct. If you were to add a web server for example off Router 1 interface (configure up with ip add, subnet mask, default gateway), you should be able to ping (from PC-B) once you have added the inspect icmp rule. However, you would NOT be able to access the web server from PC-B until you added an inspect http rule. Best way of understanding this is to give it a go! Good luck and thanks for the feedback, Greg
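
The Modular Policy Framework steps this thread keeps returning to (class-map, policy-map, service-policy), written out as an added example that is not part of the original comments or the video's exercise file. The names inspection_default and global_policy follow the usual ASA defaults and are assumptions here; the inspect lines are the two protocols named in the question and reply above.

```cisco
! Added example (constructed), not taken from the exercise PDF.
! Assumed names: inspection_default (class map), global_policy (policy map).

! 1. Class map: select the traffic the policy will act on.
ASA(config)# class-map inspection_default
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit

! 2. Policy map: say what to do with the selected traffic.
!    inspect icmp makes the ASA track each echo request leaving the
!    inside interface, so the matching echo reply arriving on the
!    outside interface (security level 0) is permitted back in.
!    Without it the reply is dropped as unsolicited traffic from a
!    lower security level.
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
!    Per the reply above, web traffic in this lab needs its own line.
ASA(config-pmap-c)# inspect http
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit

! 3. Service policy: attach the policy map globally. A policy map that
!    is defined but never attached inspects nothing, which looks the
!    same from the PC as having no inspection at all.
ASA(config)# service-policy global_policy global
ASA(config)# end
```

Test after each inspect line with a ping, then a browser request, from PC-B; only the protocols listed under the class are allowed to return.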

  • @lemon2524 1 year ago +1

    This is a beneficial video for me thank you.

  • @nguyenquangduy910 2 years ago +1

    Thank you so much!

  • @bughawpula 4 years ago +1

    nice explanation, i like your vids
    😊👍 I learned a lot

  • @mejarmiaw34 1 year ago +1

    hello i have a problem with the asa. i have an outside vlan with the security level of 0 and inside vlan with security level of 100. I have done the inspection but it still doesn’t work. Please note that the outside interface of the ASA is connected to a router that have a nat dynamic. Could you give me any recommendation to solve my problem. Thank you

    • @GregSouth 1 year ago

      Hi there, my advice here would be to run through the exercise again (particularly focusing on page 8 of PDF) to run through creation of class-map, policy-map and service-policy - missing any of these steps will likely mean the ICMP traffic will not be able to pass through the ASA and return traffic allowed. Best of luck with it.

  • @nickas222 3 years ago

    BEST EXPLANATION ON THE NET

  • @niteshtelang4743 1 year ago +1

    Thank you, Great Video 👍

    • @GregSouth 1 year ago

      Glad you liked it @niteshtelang4743

  • @simbadurio444 3 years ago +1

    Great labs, both 1 and 2. Quick question, what interface does this lab start with?

    • @GregSouth 3 years ago

      Hi - can start with inside interface but really admin choice - keep in mind bigger picture on what your goals are - eg protecting inside pcs & allowing restricted access to dmz

  • @giuseppebigio8308 3 years ago

    Great staff! I realized at one point that you must have configured a static route between the R2 and the ASA to allow the icmp reply back to the ASA. I have a question even though it might seem silly: You said that Packet tracer does not have an MPF policy in place by default. I assume that giving the PT represents a simulation, of Cisco devices, this is also true in the real configuration environment? If not, do you know what ASA series already have MPF implemented by default?
    Many thanks again, very informative videolessons
    Joe

    • @GregSouth 3 years ago +1

      I’ll try test with real hardware and let you know Joe - currently it’s very difficult with lockdown but really appreciate your feedback, Greg

  • @ravipillay3381 7 months ago

    Bless you man.

  • @namastenewzealand733 1 year ago +1

    Hi even after doing the NAT on firewall it still shows me the translate_hits=0. how can I fix this problem ?

    • @GregSouth 1 year ago

      Hi @namastenewzealand733 - my advice here would be to first double check you've applied the correct IP addresses to both inside and outside interfaces of the ASA.
      Then check the NAT config e.g.
      ASA(config)# object network inside-net
      ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
      ASA(config-network-object)# nat (inside,outside) dynamic interface
      ASA(config-network-object)# end
      Finally, use the simulation tool in Packet Tracer to ping from an inside PC to R2 to check to see the source IP address before it leaves the ASA and after it leaves (you should be able to see the address change from a private one 192.168.x.x to the public address 209.165.200.226). Hope this helps and best of luck with it. Greg

    • @namastenewzealand733 1 year ago +1

      @GregSouth Thanks for your reply. I will do the configuration again and hopefully it will work this time.

  • @pangdv6773 2 years ago

    Nice video.
    If you encounter "policy-map/policy-map of different type exists", you need to enter
    no policy-map global_policy
    to delete the policy first

    • @GregSouth 2 years ago

      Hi @pang dv - thanks for watching and also the additional info

  • @mark7970 2 years ago

    hi Mr. Greg South! i love watching your videos it is very educational! but i encountered an error along the way in configuring the firewall, when i tried to ping the firewall from outside pc (just like yours), its get stuck on its connected router. What should i do to reach the firewall ? cause i can't reach the dmz, again because the icmp gets stuck on its connected router. I hope you answer my question thank you sir !

    • @GregSouth 2 years ago

      Hi Markpotsie, glad you found my videos helpful. Without seeing your network my advice would be to troubleshoot one step at a time- use verification commands such as ‘show ip route’ on each router - does it show the destination route? Also use the simulation tool to help see how far the packet is travelling- best of luck

  • @vim-term 1 year ago +1

    👍🔥Fire

  • @manavrupani2460 4 years ago +1

    Do you show ip configuration of every device as you gradually ahead in the video

    • @GregSouth 4 years ago +3

      HI Manav, Click the following link - bit.ly/38o8Dxf - there is the sample file available for download so you can try this yourself. It contains the Configuring ASA Basic Settings exercise file and Cisco Packet Tracer file. Best of luck, Greg

    • @manavrupani2460 4 years ago +1

      @GregSouth thanks a lot sir, I appreciate that you helped me and doing such a gr8 job 👍🔥

  • @jean-lucpicard5510 2 years ago +1

    Can you provide the ips for the other ISP routers as i'm trying re-create this.

    • @GregSouth 2 years ago

      Hi Jean, I included Packet Tracer file with part one. All other routers IP addresses can be found by accessing router and running the command ‘show ip interface brief’

    • @jean-lucpicard5510 2 years ago

      Thank you, I am currently doing my Final Year project in networks and systems support. I am using your set up as a template for my build. which requires a DMZ outward facing server, with an ASA firewall in a sandbox environment. I have done it in a physical form, but due to equipment constraints, and safety requirements, instead of 3 routers, i have just one, and PC b has to be on a trunk since it can not be physically on the ASA side of the lab we are working in, and vlan 2 between the ASA and isp router has to travel via Trunked switches. Not sure if you can attend the open day at Bradford College on the 25th. tutors have asked us to which industry experts we would like to attend.

  • @captaincommando9839 3 months ago

    I spent forever trying to figure out why I couldn't ping through the ASA after the first video while the answer was at the start of this one all along.

    • @GregSouth 3 months ago

      Hi @captaincommando9839 I really appreciate your feedback! Thanks for watching and commenting - glad you got the answer! Thanks,Greg

  • @juancamilomedinagarzon1375 3 years ago

    hey friend could you help me with my topology it is not working I am doing the same as yours.

  • @AdithyaVenkatramanRA 3 years ago

    When I am testing the packet is not returning from R2 back to the ASA, it says the destination ip is unknown. This happens even after configuring outside route. R1 works well but not the R2
    plz help !!!

    • @GregSouth 3 years ago +1

      Keep testing and don’t give up Adithya! This is where you learn the most :)

  • @OngJY-rv1jh 3 years ago

    Will it be the same to configure the firewall if I'm using IPv6 addressing?

    • @GregSouth 3 years ago

      Hi there, I haven't tried this out with IPv6 but hope to create some videos in the near future using IPv6 addressing.

  • @bigjohn697791 3 years ago

    Hi Greg, I am building a Site to Site VPN on Packet Tracer with an ASA5506 behind the edge routers on both sites. Having built this in the real world, I am having all sorts of issues with it on Packet Tracer.

    • @GregSouth 3 years ago +1

      Hi there, remember Packet Tracer at end of day is a simulator and has its limitations eg no gui for ASA but I see your point

  • @ArslanAslam-px4qo 1 year ago +1

    "policy-map global_policy", it returns "ERROR: policy-map/policy-map of different type exists" ? solution

    • @GregSouth 1 year ago

      Hi there, my advice here would be to run through the exercise again (particularly focusing on page 8 of PDF) to run through creation of class-map, policy-map and service-policy - missing any of these steps will likely mean the ICMP traffic will not be able to pass through the ASA. Best of luck.

  • @lastmoment7906 4 months ago

    I have rectified the sound of the video. If anyone interested let me know in comments.

    • @GregSouth 2 months ago

      Hi @lastmoment7906 - sorry the sound isn't great on this - when i create more videos in the future I'll experiment more with this to try and improve. Thanks for your comments. All the very best. Greg

  • @Alhabsi911 2 years ago +1

    how to connect head office to branch.?

    • @GregSouth 2 years ago

      Hi @Mohammed - I connect the ASA to R1 using a static route. Commands and original network topology can be found in the following link: bit.ly/38o8Dxf All the best, Greg

    • @Alhabsi911 2 years ago +1

      @GregSouth Thanks bro

  • @mr.compnet2263 1 year ago +1

    why i cant ping router 2?

    • @GregSouth 1 year ago

      By the end of the exercise you should be able to. Have you tried to troubleshoot e.g. can you ping from PC-C (this should work at the beginning of the exercise). Pinging from PC-B, you will need to have already configured a number of settings on ASA e.g. NAT and default policy map. In addition, default route and inside and outside interfaces will need to be setup correctly too. All the best with it. Greg

    • @mr.compnet2263 1 year ago

      @GregSouth I saw my error there's an ospf configured. I miss this one. Now it's okay.

    • @GregSouth 1 year ago

      @mr.compnet2263 Great stuff - well done

  • @DANITO285 3 years ago

    thanks

    • @GregSouth 3 years ago

      You're welcome Danny!

  • @nishilS7 4 months ago +1

    you might be him

  • @UjjwalGarg-z4c 9 months ago

    Noob Video maker, always attach source code and link to file, Really disappointed, going to give a huge dislike

    • @GregSouth 9 months ago

      Hi there - all config is available in first video of series - also pdf available with related commands. Hope this helps

    • @GregSouth 9 months ago

      @user-xj4jw4zc2r - this may be useful - Configuring an ASA Firewall on Cisco Packet Tracer
      Click the following link - bit.ly/38o8Dxf for Configuring ASA Basic Settings exercise file and Cisco Packet Tracer file.

  • @bbs8769 3 years ago +1

    Great video loved it, thanks a lot mate

  • @rayrob5832 6 months ago

    im doing the same thing on ur design and the mpf is not working 🥲🥲