Very well spoken and explained, learnt more in 19 minutes than I have from my lecturer over 9 lectures!
Hi, thanks for your comment and glad the video helped. All the best, Greg
This is really good, you're teaching people your knowledge for free and in a really well explained way, thank you for this!
You’re welcome Jordan-thanks for the feedback!
Trying to re-create this on PT. are the Serial cables DCE or DTE?
Nevermind I see the clock symbol.
Thanks for the video and for sharing your knowledge with us. Very well structured, the only minus is the fact that you are not using a dedicated microphone. Thank you.
Hi @adrianspataru1408 - thank you! I'll try to improve the sound quality in future - thanks for your feedback.
I like this tutorial. It explains clearly and in great detail. I feel like I'm in a class. Thanks.
Glad it was helpful!
Good evening, I know this video is from a few years back but I was wondering if it was possible to create VLANs on the firewall? Or can I only do that for switches?
Hi Greg, thanks for what you are doing.
My outside VLAN's status shows down, how should I "up" it?
Hi @Arjun - It's difficult to tell why the outside VLAN is down without seeing your actual network design. Here are a couple of reasons why it could be down - is there a cable connected to Et0/0 on the ASA, and is the device it's connected to powered on (interface not shutdown on the router)? Another way to solve this is to view my original network setup - have you taken a look at the exercise file I've uploaded? This provides the original network topology. When you open this the VLAN status is already set to up, up. Hope this helps, Greg - please find the link here - bit.ly/38o8Dxf
@GregSouth hi again Greg,
As it turned out, I did not issue the no shutdown command on the router's side of the line. That's why the line protocol was down.
But thank you anyway, you helped me with my assignment that day ✨
@arjunadityarastogi2118 - pleased that you spotted the issue and got it fixed. Well done!
Is there any chance to get the base of the project (all the devices connected)? So I can follow you step by step in your lessons?
Hi @blackshadow93_ - I link at the top of the video to the Packet Tracer file with the original setup - here is the link for convenience. All the best, Greg. bit.ly/38o8Dxf
@GregSouth thanks a lot Greg, and compliments for those videos!
Very useful tutorial. Is there a way of connecting more than 2 PCs without a switch?
Hi Jonathan, yes, in Packet Tracer this can be implemented. Add two PCs, connect with a crossover cable (dashed line), add an IP address to each PC, e.g. PC1 - 192.168.1.1 subnet mask 255.255.255.0 and PC2 - 192.168.1.2 subnet mask 255.255.255.0, then go into the command prompt on PC1 and ping from PC1 to PC2 (e.g. ping 192.168.1.2) - you should see replies so you know you have layer 3 connectivity. Hope this helps and all the best, Greg
Your teaching method is so clear and understandable. Can you do a tutorial on ASA active/standby failover with GNS3 (since failover is not supported in Packet Tracer)?
Great suggestion! Unfortunately I just don't get the time at present to do any recordings, but when I do in the future I'll keep this suggestion in mind - thank you
Is Packet Tracer, nowadays, still good for all network devices including cloud engineering, versus GNS3?
Hi Ray, depends on the context. Packet Tracer is a great learning tool. It is a simulator and it's a great tool in my opinion for understanding protocols (particularly for new students getting started in networking). Excellent learning tool for CCNA. GNS3 is also a very useful tool - requires a little more effort to set up (need IOS images etc.) but also a great tool for learning and emulating networks - useful in my opinion for more detailed learning (progressing to CCNP etc.)
@GregSouth OK, I understand well. Thank you for your effort in answering.
Hi, why do you assign IP addresses to 'inside if' and 'outside' via VLANs? Why can't you assign those directly to physical interfaces? Is it possible? Thanks
which routing topology is being used?
Hi MK, OSPF is used on Routers R1, R2 and R3. You can check this by running 'show ip protocols' on those routers. In addition, I configure a static default route from the ASA in the videos. Hope this helps, Greg
@GregSouth Thanks a lot, that was helpful
How do I ping or access devices behind the firewall (from outside to inside)?
Hi James, why would you want to do this? Initial traffic from outside to inside is untrusted and should not be passed by the firewall. The firewall is there to block / filter traffic coming from outside to inside. I show in the following video how to allow from outside to DMZ - which is better security practice. th-cam.com/video/pBW1X6r5kNM/w-d-xo.html - if you wish to allow outside to inside for testing purposes I have created a document here bit.ly/38o8Dxf and I also show the completed solution (but again this is only for Packet Tracer testing purposes and would not be recommended, as I mention, for the above reasons).
You are using two VLANs, one is number 1, the default. Which ports did you trunk, or how did you get the VLANs to communicate with each other if you didn't use a trunk?
Hi A.J. - VLANs are not set to trunk. You will notice I set up a default static route on the ASA outside interface to enable the ASA to reach external networks and additionally set up NAT. OSPF is already set up on Routers 1, 2 and 3 so traffic will be able to be routed back to the ASA. Hope this helps, Greg
Hi, what if I have many VLANs inside the internal network? How would I configure it? I need help with my project. Is there any way to contact you?
Hi @Mell Luxe, unfortunately Packet Tracer, and the ASA specifically, is limited in the number of VLANs you can create (due to licenses) and the fact it's a simulator. My best advice here would be to create an ASA setup similar to the videos I demo and then for other sites to use a normal router and add extra functionality for security such as Access Control Lists, VLANs and VPN etc. to provide extra security in depth. Hope this helps and all the best with your project. Thanks, Greg
Noticed the nameif doesn't work, but when checking, VLAN 1 with the name inside and security-level 100 already exists in your downloadable Packet Tracer file. Is that correct?
Hi A.J, the nameif command should work under an interface, e.g. # interface vlan 1, nameif inside. Yes, by default this name of inside is already configured on an ASA 5505 - I demonstrate this in the video to compare this to other interfaces such as outside and DMZ. It helps to show that the highest possible level is used by the inside interface by default. Using the trusted-untrusted terminology, this level is considered the most trusted (value of 100).
Great videos! I'm currently shopping for a midrange firewall and I'm most comfortable with Palo Altos but they are going to be way too expensive at a current mid size company. I would like to find a good upgrade from the Sonic Firewall TZ400 Series that has central management in a GUI suitable for about 100-150 people. Anyone have any suggestions? There are so many options but it's like I'd have to call each company because some you just buy the box and maybe RMA support and some you're forced into licensing. Even if I could determine the best Gen 7 Sonic Firewall to go with for that 100-150 user base would be great. (Currently on Gen6 Sonic Wall TZ400W) I'm inheriting all of this and my boss is great and knows a decent amount but we are kinda walking tight ropes with price and scalability and we heard the Dream Wall might not be a good option for Mid Range.
Thanks for the feedback on my videos Patrick and hope you made some progress with your shopping for a firewall. All the best, Greg
I don't have VLAN 1 and 2 in my firewall's default configuration.
Hi @xtrax9 - did you use the 5506 ASA instead? This doesn't have vlan 1 and 2 (in Packet Tracer 8.2). Note: the one that I configure in these videos is a 5505 ASA. This by default (in Packet Tracer 8.2) will have both vlan 1 (inside) and vlan 2 (outside) configured by default - they will also have ports assigned to them initially. You can see this by issuing the 'ciscoasa#show switch vlan' command - hope this helps, Greg
Thank you for this video series, you're an absolute lifesaver.
Happy to hear that! Glad the videos helped, Rudi
Is it possible to make VLANs for my internal network, while having the VLANs for my firewall?
Hi, there should not be any issue - have you tried setting up a layer 3 switch and then connecting this to the firewall?
@GregSouth Is it possible to email you about a problem I have with the network? Mine keeps failing, I don't know why
I was asking myself why have you assigned .226 to the outside interface on the asa then next thing you answered my question! Good video!
Bro, where is part 5? I cannot access the DMZ from the internet when a 7200 router is in between the ASA firewall and that 7200 Cisco router is connected to the IPS.
Hi, thank you.... Your videos have helped me a lot but I'm facing a problem with my final year project, more specifically ASA policy inspections.... ICMP, HTTP, DNS, FTP, VoIP etc.
Hi Ibrahim, glad they helped - if you can understand this example using ICMP, I believe you will be fine to do more policy inspections such as the ones you mention... good luck with your project and thanks for watching. Greg
Thank you so much, you helped me to finish my graduation project.
Glad I could help!
@GregSouth Using this as my Final Year Project at college.
Hello, from France. Thank you very much for the labs and practical exercises. It helps us a lot. I really appreciate it. With you all these concepts become understandable. Excellent teaching, many thanks. Please also provide the basic files. This allows us to get to the point. Thank you. Regards
Thank you - files are below the videos, usually in the first video - all the best, Greg
Great free training man
Glad you like it and thanks for the feedback Ahmed!
Hey friend, could you help me with my topology? It is not working; I am doing the same as yours.
Hi @Juan - sorry just seeing your comment now. Not sure if you saw this but I have the original exercise file uploaded if this helps in any way. All the best, Greg - please find link here - bit.ly/38o8Dxf
Hello Richard Madden, I was wondering if you have the router configurations for this packet tracer? You can copy and paste them here as a reply. I would greatly appreciate it. I have been in the network field for over 8 years and if one doesn't use their knowledge constantly, you lose it! Beautiful set of videos my friend. Keep up the good work.
Hi there, thanks for the feedback. The link for the original file, configuring an ASA Firewall on Cisco Packet Tracer is here - bit.ly/38o8Dxf - hope this helps. All the best, Greg
@GregSouth thank you Greg. I appreciate it my friend.
great video lesson bro, subscribed
Thanks Mouv! Glad video helped.
Hi.... Is it possible to ping from outside to inside?
Hi there - yes this is possible, but remember the typical role of a firewall is to block traffic from an untrusted network coming into a more trusted network.
I don't know why, when I ping 192.168.1.1 at the end, the response is request timed out. Please help me.
What if the LAN network has multiple VLANs?
Hi @Steven A, you may notice if you try to create more SVIs (Switched Virtual Interfaces) on the ASA, e.g. int vlan 10, and then try naming the interface using the 'nameif' command, you will get an error regarding the license. The ASA doesn't allow configuring more than 2 interfaces with nameif and without a 'no forward' command... Another strategy you may use is to connect a layer 3 switch directly to e.g. VLAN 1 on the ASA. You can then use the layer 3 switch to create as many VLANs as you wish and use the L3 switch to do inter-VLAN routing etc. If you need to route out to the Internet you can add the necessary routes from the layer 3 switch and subsequent routes out of the ASA (to the internet). Hope this helps, Greg
@GregSouth hi, I have the same issue. I tried the multilayer switch method, like FW inside to L3 switch port 24 and ports 1, 2, 3 to 3 different L2 switches, and I configured the L3 switch as DHCP to assign 10.10.10.0, 10.10.10.20.0, 10.10.30.0/24 IPs for the L2 switch end devices. Then I did FW inside IP 10.10.50.1/24 - sec lvl 100. Now if I ping from L2 PC to L2 PC in different VLANs it still pings, but I can't ping FW inside 10.10.50.1 from 10.10.10.3-PC. It failed to move from the L3 switch. So I troubleshot it as L3 to FW link f0/24 as no switchport and gave it IP 10.10.50.2, same subnet as FW IN, and then it passes packets to the FW, but no return from the firewall. Again I added a static route to the 10.10.50.2 L3 switch's link to the FW [any ip, any subnet to 10.10.50.2], but still can't ping the FW inside link from the PC. Can you help please? I don't know what I am missing. Do I need to add [switchport trunk encapsulation dot1q on the L3 link to the FW]?
Hi, I found it, it worked. I just had to add a static route to my internal networks in the ASA [route inside 10.10.10.0 255.255.255.0 10.10.50.2]; here 50.2 is my L3 switch's f0/24 port (no switchport) IP address which connects to the ASA on 50.1. Now gonna try the remaining outside network. Thanks anyway.
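As an added illustration (not Greg's configuration and not the Packet Tracer file from the video) of the replies above about security levels and a layer 3 switch behind the ASA: an ASA 5505 inside/outside setup with the static routes back to the internal VLAN subnets, a default route out, PAT and ICMP inspection, plus the matching uplink on the layer 3 switch. The 10.10.50.1/10.10.50.2 addresses and the 10.10.10.0/24 route come from the comments; the 10.10.20.0/24 and 10.10.30.0/24 routes, the 203.0.113.x outside addresses, the object name and the port assignments are assumed.

```cisco
! ===== ASA 5505 (Packet Tracer) - added example, addresses assumed =====
hostname ciscoasa
!
! Inside is the most trusted interface (security-level 100); outside the least (0).
! With no access-list applied, the ASA permits connections from a higher
! security-level interface to a lower one and denies the reverse, which is why
! a ping from outside to inside fails by default.
interface vlan 1
 nameif inside
 security-level 100
 ip address 10.10.50.1 255.255.255.0
!
interface vlan 2
 nameif outside
 security-level 0
 ip address 203.0.113.226 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
! The user VLAN subnets live behind the L3 switch (10.10.50.2). Without these
! routes the ASA has no path back to 10.10.10.0/24 etc., so replies never return.
route inside 10.10.10.0 255.255.255.0 10.10.50.2
route inside 10.10.20.0 255.255.255.0 10.10.50.2
route inside 10.10.30.0 255.255.255.0 10.10.50.2
! Default route toward the upstream router (next hop assumed)
route outside 0.0.0.0 0.0.0.0 203.0.113.225
!
! PAT for every internal subnet behind the outside interface address
object network INTERNAL-NETS
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! ICMP is only tracked statefully when inspected; without this, echo replies
! to pings started from inside are dropped on the way back in.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! ===== Layer 3 switch uplink (IOS) - added example, assumed =====
ip routing
!
interface FastEthernet0/24
 no switchport
 ip address 10.10.50.2 255.255.255.0
!
interface vlan 10
 ip address 10.10.10.1 255.255.255.0
!
! Everything the switch does not know about goes to the ASA inside address
ip route 0.0.0.0 0.0.0.0 10.10.50.1
```

Verify on the ASA with show route (the three inside routes and the default via outside should be listed) and show switch vlan for the port-to-VLAN assignments.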
Thank you sir for this tutorial. Can you please provide the PKT file?
Glad you liked it. Yes, the Packet Tracer file is provided here. bit.ly/38o8Dxf
This is a beneficial video for me thank you.
Glad it was helpful!
quality Content 👌
Level 1 teaching, thanks. I couldn’t finish it though. Too much of talking. It’s good for someone on level 1. Keep it up
Hi @watora_mari - Glad it helped! There are other parts to this (that follow on from part one) if it helps. All the very best. Greg
Thank you so... Much ❤.
thank you keep going
"Some of my configuration is already being done here" (min 7.05) ????
Apologies-should have said - some config already completed here - as you can see these videos are far from rehearsed! Hope this helps
THANK YOU !!!
Nice.
thank you
nice
On the router.
When I saw the topology I knew I was out of my league. Bye
209th like
I want to change the IP on the inside interface. How do I go about doing that?
If you need to change the inside interface IP you will have to remove the nameif inside from the interface and re-add it. Thanks for this video though. Very informative and detailed.