
Packet Tracer - Lab 1 : Basic switch setup
Introduction
A new switch purchased from Cisco contains no configuration. You need to configure it either
interactively with setup mode or from scratch using the command line interface (CLI) before
connecting it to your network environment. As a Cisco certified technician, it is very important to
know the basic Cisco switch configuration commands to improve the performance and the security of
your internetwork.

Lab instructions
This lab will test your ability to configure basic settings such as hostname, motd banner, encrypted
passwords, and terminal options on a Packet Tracer 6.2 simulated Cisco Catalyst switch.

1. Use the local laptop to connect to the switch console.

2. Configure Switch hostname as LOCAL-SWITCH

3. Configure the message of the day as "Unauthorized access is forbidden"

4. Configure the password for privileged mode access as "cisco". The password must be stored as an
MD5 hash (enable secret), not as a reversible type 7 string.

5. Configure password encryption on the switch using the global configuration command

6. Configure CONSOLE access with the following settings :
- Login enabled
- Password : ciscoconsole
- History size : 15 commands
- Timeout : 6'45''
- Synchronous logging

7. Configure TELNET access with the following settings :
- Login enabled
- Password : ciscotelnet
- History size : 15 commands
- Timeout : 8'20''
- Synchronous logging

8. Configure the IP address of the switch as 192.168.1.2/24 and its default gateway IP
(192.168.1.1).

9. Test telnet connectivity from the Remote Laptop using the telnet client.

Network diagram

Solution
Configure Switch hostname as LOCAL-SWITCH
hostname LOCAL-SWITCH

Configure the message of the day as "Unauthorized access is forbidden"


banner motd #
Unauthorized access is forbidden#

Configure the password for privileged mode access as "cisco". The password must be stored as an
MD5 hash
enable secret cisco

The running configuration then shows it as "enable secret 5 $1$..." (a salted MD5 hash), which cannot
be turned back into the password from the configuration file.

Configure password encryption on the switch using the global configuration command
service password-encryption

Note that this command only applies the reversible type 7 obfuscation to the line and enable
passwords (anyone who can read the configuration can decode them); it does not change the enable
secret, which is already an MD5 hash.

Configure CONSOLE access [...]


line con 0
password ciscoconsole
logging synchronous
login
history size 15
exec-timeout 6 45

Configure TELNET access [...]

line vty 0 15
exec-timeout 8 20
password ciscotelnet
logging synchronous
login
history size 15

Telnet carries this password in clear text on the wire. The lab asks for telnet because that is what
the simulated laptop uses; on production equipment restrict the vty lines to SSH (transport input
ssh) and keep, as here, a short exec-timeout.

Configure the IP address of the switch as 192.168.1.2/24 and its default gateway IP
(192.168.1.1).
interface Vlan1
ip address 192.168.1.2 255.255.255.0
ip default-gateway 192.168.1.1

Packet Tracer lab 2 : Interfaces configuration
This lab will test your ability to configure speed, duplex, and VLAN settings on Cisco switch
interfaces.
1. Connect to Switch0 using the console interface and configure each Switch0 FastEthernet switchport
for operation. Correct settings are :
- Port type : access port
- Speed : 100 Mbit/s
- Duplex mode : Full Duplex
- Autonegotiation disabled

2. PC "192.168.1.4" seems to be unable to ping other PCs in the network. Check the switch
configuration.
TIP : How many broadcast domains are there in this network ?

3. Choose the right cable to connect :
- Switch0 gigabitethernet 1/1 to Switch1 gigabitethernet 1/1
- Switch1 gigabitethernet 1/2 to Switch2 gigabitethernet 1/2

4. Configure those two links as trunk lines without using trunk negotiation between switches

Network diagram

(Image: Packet Tracer 5.3 - Switch interfaces configuration lab network diagram)

Solution
Connect to Switch0 using the console interface and configure each Switch0 FastEthernet
switchport for operation.
Set the speed before the duplex: on Catalyst switches the duplex setting is not applied while the
speed is still auto. Forcing both to fixed values is what disables autonegotiation on the port.
Switch(config)#interface FastEthernet0/1
switchport mode access
speed 100
duplex full
Switch(config)#interface FastEthernet0/2
switchport mode access
speed 100
duplex full
Switch(config)#interface FastEthernet0/3
switchport mode access
speed 100
duplex full
Switch(config)#interface FastEthernet0/4
switchport mode access
speed 100
duplex full

PC "192.168.1.4" seems to be unable to ping other PCs in the network. Check switch
configuration.
Switch(config)#interface FastEthernet0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 1

Choose the right cable to connect :
- Switch0 gigabitethernet 1/1 to Switch1 gigabitethernet 1/1
- Switch1 gigabitethernet 1/2 to Switch2 gigabitethernet 1/2

Both ends of each link are switches (like devices), so a crossover cable is required in Packet Tracer 5.3.

(Image: Packet Tracer 5.3 - Switch interfaces configuration lab solution)

Configure those two links as trunk lines without using trunk negotiation between switches
On every interface that has to be configured for trunk operation, configure the following settings

Switch(config)#interface GigabitEthernet1/X
Switch(config-if)#switchport mode trunk

Be aware that "switchport mode trunk" only forces the local end into trunking; the interface keeps
sending DTP frames, which is why the output below still reports "Negotiation of Trunking: On". To
really meet the "no trunk negotiation" requirement, also apply "switchport nonegotiate" on both ends.
Leaving DTP running on edge ports is what lets a host that forges DTP frames negotiate a trunk for
itself and reach every VLAN (switch spoofing).

Verify the interface operational mode using the "show interface GigabitEthernet1/X switchport"
command :
Name: Gig1/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none

Another useful IOS command is "show interfaces trunk" :

Switch#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gig1/2      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gig1/2      1-1005

Port        Vlans allowed and active in management domain
Gig1/2      1

Port        Vlans in spanning tree forwarding state and not pruned
Gig1/2      1
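A check a practitioner would run after this lab, as an added example that is not part of the original page: parse the output of "show interfaces switchport" for all ports and flag the ones that can still end up trunking through DTP, which is the switch-spoofing exposure the "no trunk negotiation" requirement is about. The sample output is constructed in the format of the show output above (Gig1/2 exactly as the solution leaves it, Fa0/1 at the 2960 factory default of dynamic auto, Fa0/2 locked down as an access port); the function names and finding codes are the example's own.

```python
"""Audit `show interfaces switchport` output for DTP exposure.

Forcing a port to trunk with `switchport mode trunk` does not stop the
switch from sending DTP frames, and a port left in `dynamic auto` or
`dynamic desirable` becomes a trunk as soon as it receives one.  Either
state lets a host that forges DTP frames negotiate a trunk and reach every
VLAN.  This audit flags both, plus trunks whose native VLAN is still 1
(untagged frames on VLAN 1 are what double-tagging attacks ride on).
"""
from typing import Dict, List, Tuple


def parse_switchport(output: str) -> List[Dict[str, str]]:
    """Split the per-interface 'Key: Value' blocks into one dict per port."""
    ports: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":                      # a new interface block begins
            current = {"Name": value}
            ports.append(current)
        elif current:
            current[key] = value
    return ports


def audit_switchports(output: str) -> List[Tuple[str, str]]:
    """Return (interface, finding-code) pairs; an empty list means clean."""
    findings: List[Tuple[str, str]] = []
    for port in parse_switchport(output):
        name = port["Name"]
        admin = port.get("Administrative Mode", "").lower()
        dtp_on = port.get("Negotiation of Trunking", "").lower() == "on"
        native = port.get("Trunking Native Mode VLAN", "").split()
        if admin.startswith("dynamic"):
            # A forged DTP 'desirable' frame turns this port into a trunk.
            findings.append((name, "DYNAMIC_MODE"))
        elif admin == "trunk" and dtp_on:
            # Trunk is fixed locally but DTP still runs: add switchport nonegotiate.
            findings.append((name, "DTP_ON"))
        if admin == "trunk" and native and native[0] == "1":
            # Move the native VLAN to an unused VLAN so nothing rides untagged.
            findings.append((name, "NATIVE_VLAN_1"))
    return findings


# Constructed sample in the format of the lab's own show output (assumption:
# the same field names the page prints; real output carries more lines).
SAMPLE_OUTPUT = """\
Name: Gig1/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (STUDENTS)
Trunking Native Mode VLAN: 1 (default)
"""

if __name__ == "__main__":
    for iface, code in audit_switchports(SAMPLE_OUTPUT):
        print(f"{iface}: {code}")
```

Run against a real switch by pasting the full "show interfaces switchport" output into SAMPLE_OUTPUT; the parser keys on the "Name:" line, so extra fields in real output are simply ignored.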

Packet Tracer lab 3 : VLAN and VTP
The aim of this lab is to check your ability to configure VTP and VLAN on a small network of four
switches. This lab will help you to prepare your ICND1 exam.
1. Configure the VTP-SERVER switch as a VTP server

2. Connect to the 3 other switches and configure them as VTP clients.
All links between switches must be configured as trunk lines.

3. Configure VTP domain name as "TESTDOMAIN" and VTP password as "cisco"

4. Configure VLAN 10 with name "STUDENTS" and VLAN 50 with name "SERVERS"

5. Check propagation on all switches of the VTP domain.

Network diagram

(Image: lab 3 network diagram)

Solution
Configure the VTP-SERVER switch as a VTP server
VTP-SERVER(config)#vtp mode server
Verify the VTP configuration using the "show vtp status" command
VTP-SERVER#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : TESTDOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41
Local updater ID is 192.168.1.1 on interface Vl1 (lowest numbered VLAN interface found)

Connect to the 3 other switches and configure them as VTP clients.
All links between switches must be configured as trunk lines.
VTP-CLIENT3(config)#vtp mode client
Verify the VTP configuration using the "show vtp status" command
VTP-CLIENT3#sh vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : TESTDOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41

Configure VTP domain name as "TESTDOMAIN" and VTP password as "cisco"

1. Configure each link between switches as a trunk line
interface GigabitEthernet1/1
switchport mode trunk

interface GigabitEthernet1/2
switchport mode trunk

2. On the server :
VTP-SERVER(config)#vtp domain TESTDOMAIN
VTP-SERVER(config)#vtp password cisco

3. On each client :
VTP-CLIENT1(config)#vtp password cisco
VTP-CLIENT1(config)#vtp domain TESTDOMAIN

Configure VLAN 10 with name "STUDENTS" and VLAN 50 with name "SERVERS"
On the VTP server switch, configure the following commands (VLANs can only be created on the
server; a VTP client rejects the vlan command and waits for the advertisement instead)
VTP-SERVER(config)#vlan 10
VTP-SERVER(config-vlan)#name STUDENTS
VTP-SERVER(config)#vlan 50
VTP-SERVER(config-vlan)#name SERVERS

Check propagation on all switches of the VTP domain.

Use "show vlan brief" on each switch to check propagation of the 2 VLANs.

This propagation is also what makes VTP dangerous: any switch that joins the domain with the same
domain name and password but a higher configuration revision number replaces the VLAN database on
every other switch, the server included, and a VLAN that disappears takes every port assigned to it
with it. Before connecting a switch that was used elsewhere, reset its revision to 0 (set it to
transparent mode or change its VTP domain name), and prefer transparent mode wherever VTP is not
actually needed.

VTP-SERVER#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, [...]
10   STUDENTS                         active
50   SERVERS                          active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
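The propagation check above is done by eye on four switches; the following Python script, an added example that is not part of the original lab, does the same comparison from the "show vtp status" output of every switch and reports the two conditions a practitioner actually worries about: a member whose digest or revision does not match the server (wrong password, wrong domain, or no working trunk) and a newcomer whose revision is higher than the domain's, which would overwrite the VLAN database on connection. The per-switch outputs are constructed from the fields shown above; the hostnames beyond the lab's, the digests and the finding codes are the example's own assumptions.

```python
"""Cross-check `show vtp status` from every switch in a VTP domain.

VTP replaces the VLAN database of every switch in the domain with whatever
advertisement carries the highest configuration revision number, and a
client can overwrite a server.  Comparing each switch against the server
catches a member that cannot sync (wrong domain or password, or no trunk)
and a newcomer whose revision is higher than the domain's, which would wipe
the VLANs the moment it is connected.
"""
from typing import Dict, List, Tuple

Status = Dict[str, object]


def parse_vtp_status(output: str) -> Status:
    """Extract the fields this check needs from the 'Key : Value' lines."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return {
        "mode": fields.get("VTP Operating Mode", ""),
        "domain": fields.get("VTP Domain Name", ""),
        "revision": int(fields.get("Configuration Revision", "0")),
        "digest": fields.get("MD5 digest", ""),
    }


def audit_vtp(statuses: Dict[str, str]) -> List[Tuple[str, str]]:
    """statuses maps hostname -> raw show output; returns (host, code) findings."""
    parsed = {host: parse_vtp_status(text) for host, text in statuses.items()}
    servers = [host for host, s in parsed.items() if s["mode"] == "Server"]
    findings: List[Tuple[str, str]] = []
    if len(servers) != 1:                        # the lab wants exactly one server
        findings.append(("*", f"SERVER_COUNT_{len(servers)}"))
    if not servers:
        return findings
    ref = parsed[servers[0]]
    for host, s in parsed.items():
        if host == servers[0]:
            continue
        if s["domain"] != ref["domain"]:
            findings.append((host, "DOMAIN_MISMATCH"))
        elif s["revision"] > ref["revision"]:
            findings.append((host, "REVISION_HIGHER"))    # would overwrite the domain
        elif s["revision"] < ref["revision"]:
            findings.append((host, "REVISION_STALE"))     # not receiving advertisements
        elif s["digest"] != ref["digest"]:
            # Same revision but a different digest: the digest covers the VLAN
            # database and the VTP password, so the password differs here.
            findings.append((host, "DIGEST_MISMATCH"))
    return findings


def _sample(mode: str, revision: int, digest: str) -> str:
    """Constructed output modelled on the lab's own show vtp status lines."""
    return f"""\
VTP Version                     : 2
Configuration Revision          : {revision}
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : {mode}
VTP Domain Name                 : TESTDOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : {digest}
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41
"""


GOOD_DIGEST = "0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11"
OTHER_DIGEST = "0x12 0x34 0x56 0x78 0x9A 0xBC 0xDE 0xF0"   # constructed

SAMPLE = {
    "VTP-SERVER": _sample("Server", 4, GOOD_DIGEST),
    "VTP-CLIENT1": _sample("Client", 4, GOOD_DIGEST),
    "VTP-CLIENT2": _sample("Client", 4, OTHER_DIGEST),   # wrong VTP password
    "VTP-CLIENT3": _sample("Client", 9, OTHER_DIGEST),   # stale switch, higher revision
}

if __name__ == "__main__":
    for host, code in audit_vtp(SAMPLE):
        print(f"{host}: {code}")
```

The order of the checks matters: a revision mismatch is reported before the digest is compared, because a different VLAN database necessarily gives a different digest and the more useful message is the revision one.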

Packet Tracer lab 4 : Port security
Introduction
A growing challenge for network administrators is to control who is allowed, and who is not, to
access the organization's internal network. This access control is mandatory for protecting critical
infrastructure in your network; it matters less on public parts of the network where guest users are
expected to connect.
Port security is a Cisco feature implemented in Catalyst switches that helps network engineers
enforce security at the network edge. In its most basic form, port security records the MAC address
of the device connected to an edge port and allows only that MAC address to be active on the port.
If any other MAC address is seen on the port, a violation occurs; in the default violation mode
(shutdown) the switch places the port in err-disabled state, and it can be configured to send an
SNMP trap to a network monitoring system to report that the port was disabled for security reasons.
Keep in mind that the check is made on the source MAC address, which any host can set freely, so port
security limits accidental or opportunistic connections rather than a deliberate spoofing attack.

Lab instructions
This lab will test your ability to configure port security on Cisco 2960 switch interfaces.

1. Configure port security on interface Fa 0/1 of the switch with the following settings :
- Port security enabled
- Mode : restrict
- Allowed mac addresses : 3
- Dynamic mac address learning.

2. Configure port security on interface Fa 0/2 of the switch with the following settings :
- Port security enabled
- Mode : shutdown
- Allowed mac addresses : 3
- Dynamic mac address learning.

3. Configure port security on interface Fa 0/3 of the switch with the following settings :
- Port security enabled
- Mode : protect
- Static mac address entry : 00E0.A3CE.3236

4. From LAPTOP 1 :
Try to ping 192.168.1.2 and 192.168.1.3. It should work.
Try to ping 192.168.1.4 and 192.168.1.5. It should work.

5. Connect ROGUE laptop to the hub.
Try to ping 192.168.1.1. It should work.
Try to ping 192.168.1.4. It should fail.

Network diagram

(Image: Packet Tracer 5.3 - Port security lab network diagram)

Solution
Coming soon
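While the lab's own solution is not published, the following Python model, an added example that is not part of the original page, shows what the three violation modes requested for Fa0/1, Fa0/2 and Fa0/3 do with the same sequence of frames: protect drops the violating frame silently, restrict drops it and counts it, shutdown err-disables the port so that the legitimate hosts lose connectivity too. The laptop and rogue MAC addresses are constructed; only 00E0.A3CE.3236 comes from the lab text, and the class and function names are the example's own.

```python
"""Model of the three port security violation modes from lab 4.

Port security ties a switch port to a small set of source MAC addresses
(learned dynamically, configured statically, or both).  The modes differ
only in what happens to a frame from an address outside that set once the
table is full: protect drops it silently, restrict drops it and counts and
logs it, shutdown err-disables the port until an administrator bounces it.
"""
from dataclasses import dataclass, field
from typing import List, Set


def normalize_mac(mac: str) -> str:
    """Accept 00E0.A3CE.3236, 00:e0:a3:ce:32:36 or 00-E0-A3-CE-32-36 alike."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class SecuredPort:
    name: str
    violation: str = "shutdown"          # IOS default violation mode
    maximum: int = 1                     # IOS default maximum secure addresses
    static: List[str] = field(default_factory=list)
    secure: Set[str] = field(init=False)
    err_disabled: bool = field(init=False, default=False)
    violations: int = field(init=False, default=0)
    log: List[str] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        # Static entries count against the maximum, exactly as on the switch.
        self.secure = {normalize_mac(m) for m in self.static}
        if len(self.secure) > self.maximum:
            raise ValueError("more static addresses than the configured maximum")

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and return what the port did with it."""
        src = normalize_mac(src_mac)
        if self.err_disabled:
            return "drop"                        # port is down; nothing passes
        if src in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(src)                 # dynamic learning (lost on reload)
            return "learn"
        # Unknown address and the table is full: a security violation.
        if self.violation == "protect":
            return "drop"                        # silent: no counter, no syslog
        self.violations += 1
        self.log.append(f"PSECURE_VIOLATION on {self.name}: {src}")
        if self.violation == "restrict":
            return "drop"                        # legitimate hosts keep working
        self.err_disabled = True                 # shutdown: whole port goes down
        return "err-disable"


def simulate(port: SecuredPort, frames: List[str]) -> List[str]:
    """Feed a sequence of source MACs and collect the per-frame outcome."""
    return [port.receive(mac) for mac in frames]


# Constructed traffic: three laptops behind a hub, then a rogue host, then
# the first laptop again so the after-violation behaviour is visible.
LAPTOPS = ["0001.4200.0001", "0001.4200.0002", "0001.4200.0003"]
ROGUE = "00d0.ba01.beef"
TRAFFIC = LAPTOPS + [ROGUE, LAPTOPS[0]]


def run_lab4() -> dict:
    """Apply the lab's three interface policies; return outcomes per port."""
    fa1 = SecuredPort("Fa0/1", violation="restrict", maximum=3)
    fa2 = SecuredPort("Fa0/2", violation="shutdown", maximum=3)
    fa3 = SecuredPort("Fa0/3", violation="protect", static=["00E0.A3CE.3236"])
    return {
        "Fa0/1": (simulate(fa1, TRAFFIC), fa1.violations, fa1.err_disabled),
        "Fa0/2": (simulate(fa2, TRAFFIC), fa2.violations, fa2.err_disabled),
        "Fa0/3": (simulate(fa3, ["00:e0:a3:ce:32:36", ROGUE, "00E0.A3CE.3236"]),
                  fa3.violations, fa3.err_disabled),
    }


if __name__ == "__main__":
    for port, (outcomes, count, down) in run_lab4().items():
        print(f"{port}: {outcomes} violations={count} err-disabled={down}")
```

The difference the lab wants you to notice is in the last frame: on Fa0/1 the first laptop still forwards after the rogue was dropped, while on Fa0/2 it is dropped because the whole port is err-disabled. Sticky learning and errdisable recovery timers are deliberately left out of the model.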

Packet Tracer - Lab 6 : Basic router setup
Lab instructions
The aim of this lab is to test your ability to perform a basic router setup. You have 15 minutes to
complete this simulation.
1. Correctly configure the LAPTOP terminal software and connect to the router console.
2. Configure the router hostname to "GATEWAY"
3. Configure the enable password and the enable secret to "cisco"
4. Configure password encryption for this router
5. Configure the console access :
- Login : yes
- Password : "cisco"
- History : 10 commands
- Logging synchronous
- Timeout : 2 minutes 45 seconds.

Network diagram

(Image: Packet Tracer 6.2 basic router setup lab topology)

Solution
1. Configure the laptop terminal software
The terminal software is not correctly configured on the laptop. You have to change the settings to
9600 / 8 / None / 1 (speed, data bits, parity, stop bits) to connect to the router's console.
Remember this tip as it could help you answer CCENT questions or complete a CCENT simlet.

(Image: Terminal settings for console access on a Cisco router)

2. Configure the router's name

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname GATEWAY

3. Configure the enable password and secret to "cisco"

GATEWAY(config)#enable password cisco
GATEWAY(config)#enable secret cisco

When both are configured, the enable secret is the one the router checks; the enable password then
serves no purpose except to leave a reversible (type 7) copy of the same secret in the configuration
once service password-encryption is on. IOS warns that choosing the same value for both is not
recommended; on a real router configure only the enable secret.

4. Configure password encryption for this router


GATEWAY(config)#service password-encryption

5. Configure the console access


GATEWAY(config)#line console 0
GATEWAY(config-line)#password cisco
GATEWAY(config-line)#login
GATEWAY(config-line)#logging synchronous
GATEWAY(config-line)#exec-timeout 2 45
GATEWAY(config-line)#history size 10
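The type 7 "encryption" that service password-encryption applies in lab 1 and in this lab is a reversible XOR against a fixed key, so the console, vty and enable passwords can be read straight out of a leaked configuration; only the enable secret is a real (MD5) hash. The following Python script, an added example that is not part of the original lab pages, decodes type 7 strings and scans a running-config for passwords that can be recovered. The sample configuration is constructed for the example (both type 7 strings decode to cisco; the enable secret line is a sample hash included so the scanner can show it is skipped), and the function names are the example's own.

```python
"""Recover passwords hidden by `service password-encryption` (IOS type 7).

Type 7 is not encryption: every byte of the password is XORed with a byte of
a fixed, long-published key, and the first two characters of the stored
string are merely the starting offset into that key.  Anyone who can read
the configuration can read the passwords.  Only `enable secret`, stored as
a salted MD5 hash (type 5), resists recovery; the scanner below skips it.
"""
import re
from typing import List, Tuple

# The fixed XOR key IOS uses for type 7 obfuscation (public knowledge).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Turn a stored string such as 070C285F4D06 back into the cleartext."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)                  # two decimal digits: key offset
    body = bytes.fromhex(encoded[2:])            # one hex pair per password byte
    clear = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 7) -> str:
    """Produce what IOS would store; IOS itself picks a seed between 0 and 15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    body = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(clear))
    return f"{seed:02d}{body.hex().upper()}"


# 'enable password 7 <hex>' or, under a line, ' password 7 <hex>'.
_TYPE7_LINE = re.compile(r"^\s*(?P<cmd>enable password|password)\s+7\s+(?P<blob>[0-9A-Fa-f]+)\s*$")
# The same commands carrying a cleartext (type 0) password.
_CLEAR_LINE = re.compile(r"^\s*(?P<cmd>enable password|password)\s+(?:0\s+)?(?!7\s|5\s)(?P<pw>\S+)\s*$")

Finding = Tuple[int, str, str, str]              # line, command, storage, password


def audit_config(config: str) -> List[Finding]:
    """List every password in a running-config that can be read back."""
    findings: List[Finding] = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = _TYPE7_LINE.match(line)
        if m:
            findings.append((lineno, m["cmd"], "type7", type7_decode(m["blob"])))
            continue
        m = _CLEAR_LINE.match(line)
        if m:
            findings.append((lineno, m["cmd"], "cleartext", m["pw"]))
    return findings


# Constructed sample of what `show running-config` prints after this lab with
# service password-encryption on.  Both type 7 strings decode to "cisco"; the
# enable secret line is a sample MD5 hash that the scanner must skip.
SAMPLE_CONFIG = """\
hostname GATEWAY
service password-encryption
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0822455D0A16
line con 0
 password 7 070C285F4D06
 login
"""

if __name__ == "__main__":
    for lineno, cmd, storage, password in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {cmd} ({storage}) -> {password}")
```

The practical consequence for the lab: the console password and the enable password are both recoverable from a copy of the configuration, which is why a backup of a running-config deserves the same protection as the passwords themselves.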

Packet Tracer lab 11 : HDLC configuration
Lab instructions
This lab will test your ability to configure HDLC on a serial link. Practicing these labs will help you
get ready for your CCNA certification exam.

1. Use the connected laptops to find the DCE and DTE routers. You can connect to the routers
using CLI.
2. Configure the routers with the following parameters :
- Clock : 250000
- HDLC link between the routers
- DCE IP : 192.168.10.5/30
- DTE IP : 192.168.10.6/30
3. Check IP connectivity between the two routers using the ping command.

Network diagram

(Image: Packet Tracer 5.3 - HDLC configuration lab network diagram)

Packet Tracer lab 12 : PPP configuration

Lab instructions

This lab will test your ability to configure PPP on a serial link. Practicing these labs will help you get
ready for your CCNA certification exam.
1. Use the connected laptops to find the DCE and DTE routers. You can connect to the routers
using CLI.
2. Configure the routers with the following parameters :
- Clock : 250000
- PPP link between the routers
- DCE IP : 192.168.10.5/30
- DTE IP : 192.168.10.6/30
3. Check IP connectivity between the two routers using the ping command.

Network diagram

(Image: Packet Tracer 5.3 - PPP configuration lab network diagram)

Packet Tracer lab 16 : Clientless SSL VPN
Network diagram

(Image: Packet Tracer 6.1 - ASA 5505 clientless SSL VPN network diagram)

Lab instructions
SSL VPN technology can be configured in three ways :
- Thin Client VPN
- SSL VPN Client
- Clientless SSL VPN (WebVPN)

Clientless SSL VPN is a technology allowing limited but secure access to internal network
resources from any location using a web browser. No specific VPN client is needed; a remote user
only needs an SSL-enabled web browser to access http- or https-enabled web servers on the
internal network. This technology is available on the ASA 5505 firewall and has been implemented in
the Packet Tracer 6.1 network simulator.

Firewall configuration to apply in this lab:

Outside IP : 192.168.1.1/24
Inside IP : 192.168.2.1/24
User login : test
User password : test.test
Website IP : site 1

Solution
1. Create the bookmark site1 to the URL http://192.168.2.3 on the ASA 5505 firewall
2. Apply the following configuration to the firewall :
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
webvpn
enable outside

object network LAN


subnet 192.168.2.0 255.255.255.0
!
object network LAN
nat (inside,outside) dynamic interface
!
group-policy group1 internal
group-policy group1 attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value site1
username test password D35rLrqYJOMRHDCX encrypted
username test attributes
vpn-group-policy group1
!
!

Packet Tracer lab 17 - Site to site IPSEC VPN with ASA 5505
Network diagram

(Image: Packet Tracer 6.1 lab 17 - ASA 5505 site to site IPSEC VPN network diagram)

Lab download
Lab name : Lab 17 - Site to site IPSEC VPN with ASA 5505
Difficulty : Medium
Price : Free
Link : Download packet tracer 6.1 site-to-site ipsec vpn lab

Lab instructions
This lab will show you how to configure a site-to-site IPSEC VPN using the new Packet Tracer 6.1
ASA 5505 firewall. By default, the ASA 5505 firewall denies traffic entering the outside interface
if no explicit ACL has been defined to allow it. This default behaviour helps protect the
enterprise network from the internet during the VPN configuration.
In this lab, a small branch office will be securely connected to the enterprise campus over the
internet using a broadband DSL connection. No routing protocol traffic is needed between the two
sites.

Campus addressing scheme :

Campus IP addresses : 172.16.0.0/17
- DC : 172.16.0.0/18
- Users : 172.16.64.0/20
- DMZ : 172.16.96.0/21
- Network devices : 172.16.252.0/23
- L3 P2p links : 172.16.254.0/24

Branch office 1 IP subnet : 172.16.129.0/24

Enterprise internet IP addresses : 134.95.56.16/28

IPSEC VPN configuration to apply :
- ESP encryption : AES-256
- ESP integrity : HMAC-SHA-1 (esp-sha-hmac; no AH is used, ESP provides both confidentiality and
integrity here)
- Pre shared key : SHAREDSECRET

Solution
ASA configuration
Campus network - ASA 5505 IPSEC VPN headend device configuration.
interface Vlan1
nameif inside
security-level 100
ip address 172.16.254.254 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 134.95.56.17 255.255.255.240
!
object network BRANCH01_NETWORK
subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.129.0 255.255.255.0 134.95.56.18 1
route inside 172.16.0.0 255.255.128.0 172.16.254.253 1
!

access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK object CAMPUS_NETWORK
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 134.95.56.18 type ipsec-l2l
tunnel-group 134.95.56.18 ipsec-attributes
ikev1 pre-shared-key SHAREDSECRET
!

The ENTERPRISE_PRIVATE-TRAFFIC access-group is important to allow the IP traffic through the
firewall from remote subnets to the inside subnets. The traffic will be blocked by the ASA if this
access-list is not configured and applied to the inside VLAN interface.

Two caveats on the crypto settings above. The IKEv1 policy relies on the ASA defaults for what it
does not state (hash sha, which is SHA-1, and a lifetime of 86400 seconds), and group 2 is 1024-bit
Diffie-Hellman: adequate for the simulator, but a production tunnel should use IKEv2 with group 14 or
stronger and SHA-256 integrity. SHAREDSECRET is likewise a placeholder; use a long random pre-shared
key per peer.

Branch office 1 - ASA 5505 remote device configuration

interface Vlan1
nameif inside
security-level 100
ip address 172.16.129.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 134.95.56.18 255.255.255.240
!
object network BRANCH01_NETWORK
subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
subnet 172.16.0.0 255.255.0.0
!
route outside 172.16.0.0 255.255.128.0 134.95.56.17 1
!
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH_NETWORK
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address PRIVATE_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.17
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 134.95.56.17 type ipsec-l2l
tunnel-group 134.95.56.17 ipsec-attributes
ikev1 pre-shared-key SHAREDSECRET
!
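The settings worth questioning in the two configurations above are the ones the lab's requirements leave implicit: IKEv1, Diffie-Hellman group 2, SHA-1 for both IKE and ESP integrity, and a 12-character pre-shared key. The following Python audit, an added example that is not part of the original lab, reads the crypto section of an ASA configuration and reports each of them with its line number. The sample text is the campus firewall's crypto lines from above; the finding codes, the 20-character PSK threshold and the function names are the example's own assumptions, and the values it fills in for parameters an IKEv1 policy omits are the ASA defaults (3DES, SHA, group 2).

```python
"""Audit the crypto section of an ASA configuration for weak parameters.

Reports DES/3DES, MD5, SHA-1, Diffie-Hellman groups below 2048 bits, IKEv1
and short pre-shared keys, with the line each finding comes from.
"""
from typing import Dict, List, Optional, Tuple

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_INTEGRITY = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}                 # MODP groups below 2048 bits
MIN_PSK_LENGTH = 20                              # assumed threshold, not a Cisco rule
POLICY_KEYWORDS = {"encr", "encryption", "hash", "group", "authentication", "lifetime"}
# ASA defaults applied when an IKEv1 policy omits a parameter.
POLICY_DEFAULTS = {"encr": "3des", "hash": "sha", "group": "2"}

Finding = Tuple[int, str, str]                   # (line number, code, detail)


def _check_policy(policy: Dict[str, str], line: int) -> List[Finding]:
    """Evaluate one `crypto ikev1 policy` block once it is complete."""
    out: List[Finding] = []
    encr = policy.get("encr") or policy.get("encryption") or POLICY_DEFAULTS["encr"]
    hash_alg = policy.get("hash") or POLICY_DEFAULTS["hash"]
    group = policy.get("group") or POLICY_DEFAULTS["group"]
    if encr in WEAK_ENCRYPTION:
        out.append((line, "WEAK_IKE_ENCRYPTION", encr))
    if hash_alg in WEAK_INTEGRITY:
        out.append((line, "WEAK_IKE_HASH", hash_alg))
    elif hash_alg == "sha":                      # plain 'sha' is SHA-1 on the ASA
        out.append((line, "SHA1_IKE_HASH", hash_alg))
    if group in WEAK_DH_GROUPS:
        out.append((line, "WEAK_DH_GROUP", f"group {group}"))
    return out


def audit_crypto(config: str) -> List[Finding]:
    """Scan ASA configuration text and return the findings in file order."""
    findings: List[Finding] = []
    policy: Optional[Dict[str, str]] = None
    policy_line = 0
    for lineno, raw in enumerate(config.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if policy is not None:
            if tokens[0] in POLICY_KEYWORDS:     # still inside the policy block
                if len(tokens) > 1:
                    policy[tokens[0]] = tokens[1]
                continue
            findings += _check_policy(policy, policy_line)   # block ended
            policy = None
        if tokens[:3] == ["crypto", "ikev1", "policy"]:
            policy, policy_line = {}, lineno
        elif tokens[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            for alg in tokens[5:]:               # tokens[4] is the set name
                if alg in WEAK_ENCRYPTION:
                    findings.append((lineno, "WEAK_ESP_ENCRYPTION", alg))
                elif alg in WEAK_INTEGRITY:
                    findings.append((lineno, "WEAK_ESP_INTEGRITY", alg))
                elif alg == "esp-sha-hmac":      # HMAC-SHA-1; prefer esp-sha256-hmac
                    findings.append((lineno, "SHA1_ESP_INTEGRITY", alg))
        elif tokens[:3] == ["crypto", "ikev1", "enable"]:
            findings.append((lineno, "IKEV1_IN_USE", " ".join(tokens)))
        elif tokens[:2] == ["ikev1", "pre-shared-key"] and len(tokens) == 3:
            if len(tokens[2]) < MIN_PSK_LENGTH:
                findings.append((lineno, "SHORT_PSK", f"{len(tokens[2])} characters"))
    if policy is not None:                       # policy block ran to end of file
        findings += _check_policy(policy, policy_line)
    return findings


# The campus firewall's crypto lines from the lab, as an inline sample.
CAMPUS_CRYPTO = """\
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 134.95.56.18 type ipsec-l2l
tunnel-group 134.95.56.18 ipsec-attributes
ikev1 pre-shared-key SHAREDSECRET
"""

if __name__ == "__main__":
    for line, code, detail in audit_crypto(CAMPUS_CRYPTO):
        print(f"line {line}: {code} ({detail})")
```

The policy block is evaluated only when the next non-policy line is reached, because the finding for a missing "hash" or "group" statement depends on the ASA default rather than on any line that is present.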

Check the IPSEC tunnel establishment using show commands

Use show crypto isakmp sa to display the Internet Security Association and Key Management Protocol
(ISAKMP) security associations (SAs) built between the two firewalls, and show crypto ipsec sa to
check the IPSEC security associations and monitor encrypted traffic statistics.
ASA-CAMPUS-VPN#show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 134.95.56.18
    Type    : L2L             Role    : Initiator
    Rekey   : no              State   : QM_IDLE

There are no IKEv2 SAs

ASA-CAMPUS-VPN#show crypto ipsec sa
interface: outside
    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

      permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/6/0)
      remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/6/0)
      current_peer 134.95.56.18

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors 0, #recv errors 0

      local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
      path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
      current outbound spi: 0x6386132D(1669731117)
      current inbound spi: 0x04B729EA(79112682)

    inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2007, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x6386132D(1669731117)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2008, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

      permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/1/0)
      remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/1/0)
      current_peer 134.95.56.18

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors 1, #recv errors 0

      local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
      path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
      current outbound spi: 0x6386132D(1669731117)
      current inbound spi: 0x04B729EA(79112682)

    inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2007, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x6386132D(1669731117)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2008, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x00000001

Packet Tracer lab 18 : ASA 5505 DMZ configuration
Network diagram

Lab instructions
Coming soon

ASA 5505 license limitations


The ASA 5505 firewall provided in Packet Tracer 6.1.1 is shipped with the basic licence bundle. The
content of this licence package is displayed below :
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual

AnyConnect Essentials : Disabled perpetual


Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has a Base license.

Problem with DMZ creation :

The ASA 5505 is configured by default with 2 VLANs :
- VLAN 1 : Inside VLAN (interfaces E0/1 -> E0/7)
- VLAN 2 : Outside VLAN (interface E0/0)

If you try to configure a third VLAN to host your DMZ, the ASA device will return the following error
because of the limited licence :

ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a
"no forward" command on this interface or on 1 interface(s) with nameif already configured.

Explanation :
The Base licence allows a third named VLAN interface only if it is prevented from initiating traffic
to one of the other two. Entering the command no forward interface vlan 1 under "interface vlan 3"
makes the third interface possible: hosts in the DMZ can then no longer initiate connections to the
inside network, while the inside network can still reach the DMZ. This one-way restriction is the
normal DMZ posture anyway, so the licence limit costs little in this lab.

The "security plus" licence bundle, which removes this limitation, is not available in the Packet
Tracer 6.1.1 simulator.

Lab Solution
Coming soon

Packet Tracer lab 19 - DPI with ASA 5505
Network diagram
