
Piotr Matusiak
CCIE #19860 (R&S, Security), C|EH, CCSI #33705

Narbik Kocharians
CCIE #12410 (R&S, Security, SP), CCSI #30832

CCIE Security V4 Lab Workbook

SAMPLE

Table of Contents

ASA Firewall
LAB 1.1. BASIC ASA CONFIGURATION 8
LAB 1.2. BASIC SECURITY POLICY 17
LAB 1.3. DYNAMIC ROUTING PROTOCOLS 29
LAB 1.4. ASA MANAGEMENT 46
LAB 1.5. STATIC NAT (8.2) 59
LAB 1.6. DYNAMIC NAT (8.2) 67
LAB 1.7. NAT EXEMPTION (8.2) 77
LAB 1.8. STATIC POLICY NAT (8.2) 81
LAB 1.9. DYNAMIC POLICY NAT (8.2) 91
LAB 1.10. STATIC NAT (8.3+) 99
LAB 1.11. DYNAMIC NAT (8.3+) 115
LAB 1.12. BIDIRECTIONAL NAT (8.3+) 126
LAB 1.13. MODULAR POLICY FRAMEWORK (MPF) 131
LAB 1.14. FTP ADVANCED INSPECTION 138
LAB 1.15. HTTP ADVANCED INSPECTION 146
LAB 1.16. INSTANT MESSAGING ADVANCED INSPECTION 156
LAB 1.17. ESMTP ADVANCED INSPECTION 159
LAB 1.18. DNS ADVANCED INSPECTION 164
LAB 1.19. ICMP ADVANCED INSPECTION 169
LAB 1.20. CONFIGURING VIRTUAL FIREWALLS 175
LAB 1.21. ACTIVE/STANDBY FAILOVER 198
LAB 1.22. ACTIVE/ACTIVE FAILOVER 212
LAB 1.23. REDUNDANT INTERFACES 239
LAB 1.24. TRANSPARENT FIREWALL 246
LAB 1.25. THREAT DETECTION 260
LAB 1.26. CONTROLLING ICMP AND FRAGMENTED TRAFFIC 264
LAB 1.27. TIME BASED ACCESS CONTROL 270
LAB 1.28. QOS - PRIORITY QUEUING 276
LAB 1.29. QOS – TRAFFIC POLICING 280
LAB 1.30. QOS – TRAFFIC SHAPING 285
LAB 1.31. QOS – TRAFFIC SHAPING WITH PRIORITIZATION 290
LAB 1.32. SLA ROUTE TRACKING 296
LAB 1.33. ASA IP SERVICES (DHCP) 303
LAB 1.34. URL FILTERING AND APPLETS BLOCKING 310

Site-to-Site VPN
LAB 1.36. BASIC SITE TO SITE IPSEC VPN MAIN MODE (IOS-IOS) 326
LAB 1.37. BASIC SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) 352
LAB 1.38. BASIC SITE TO SITE VPN WITH NAT (IOS-IOS) 369
LAB 1.39. IOS CERTIFICATE AUTHORITY 385
LAB 1.40. SITE-TO-SITE IPSEC VPN USING PKI (ASA-ASA) 396
LAB 1.41. SITE-TO-SITE IPSEC VPN USING PKI (IOS-IOS) 410
LAB 1.42. SITE-TO-SITE IPSEC VPN USING PKI (STATIC IP IOS-ASA) 420
LAB 1.43. SITE-TO-SITE IPSEC VPN USING PKI (DYNAMIC IP IOS-ASA) 440
LAB 1.44. SITE-TO-SITE IPSEC VPN USING PSK (IOS-ASA HAIRPINNING) 461
LAB 1.45. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-IOS) 475
LAB 1.46. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-ASA) 484
LAB 1.47. SITE-TO-SITE IPSEC VPN USING EASYVPN WITH ISAKMP PROFILES (IOS-IOS)
LAB 1.48. GRE OVER IPSEC 550
LAB 1.49. DMVPN PHASE 1 567
LAB 1.50. DMVPN PHASE 2 (WITH EIGRP) 584
LAB 1.51. DMVPN PHASE 2 (WITH OSPF) 603
LAB 1.52. DMVPN PHASE 3 (WITH EIGRP) 623
LAB 1.53. DMVPN PHASE 3 (WITH OSPF) 643
LAB 1.54. DMVPN PHASE 2 DUAL HUB (SINGLE CLOUD) 667
LAB 1.55. DMVPN PHASE 2 DUAL HUB (DUAL CLOUD) 697
LAB 1.56. GET VPN (PSK) 738
LAB 1.57. GET VPN (PKI) 760
LAB 1.58. GET VPN COOP (PKI) 779

Remote Access VPN
LAB 1.59. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO IOS)
LAB 1.60. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO ASA)
LAB 1.61. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PSK) 831
LAB 1.62. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PKI) 841
LAB 1.63. CONFIGURING SSL VPN (IOS) 865
LAB 1.64. CONFIGURING SSL VPN (ASA) 882
LAB 1.65. ANYCONNECT 3.0 BASIC SETUP 895
LAB 1.66. ANYCONNECT 3.0 ADVANCED FEATURES 912
LAB 1.67. EASYVPN SERVER ON ASA WITH LDAP AUTHENTICATION 922

Advanced VPN Features
LAB 1.69. IPSEC STATIC VTI 967
LAB 1.70. IKE ENCRYPTED KEYS 976
LAB 1.71. IPSEC DYNAMIC VTI 981
LAB 1.72. REVERSE ROUTE INJECTION (RRI) 991
LAB 1.73. CALL ADMISSION CONTROL FOR IKE 1008
LAB 1.74. IPSEC LOAD BALANCING (ASA CLUSTER) 1016

Content Security - IPS
LAB 2.1. SENSOR INITIALIZATION 6
LAB 2.2. PROMISCUOUS MODE 20
LAB 2.3. INLINE MODE 36
LAB 2.4. INLINE VLAN PAIR MODE (ON-A-STICK) 46
LAB 2.5. SIGNATURE TUNING 53
LAB 2.6. CUSTOM HTTP SIGNATURE 62
LAB 2.7. CUSTOM STRING TCP SIGNATURE 69
LAB 2.8. CUSTOM ATOMIC IP SIGNATURE 78
LAB 2.9. META SIGNATURE 86
LAB 2.10. BLOCKING AND RATE LIMITING 98
LAB 2.11. RULES 133
LAB 2.12. ANOMALY DETECTION 148
LAB 2.13. VIRTUAL SENSORS 156
LAB 2.14. EVENT SUMMARIZATION 166
LAB 2.15. APPLICATION INSPECTION AND LOGGING 181

Content Security - WSA
LAB 2.16. WSA BOOTSTRAPPING (OPTIONAL) 196
LAB 2.17. DNS AND ROUTING CONFIGURATION 206
LAB 2.18. WSA IDENTITIES AND ACCESS POLICIES 212
LAB 2.19. ACTIVE DIRECTORY INTEGRATION 223
LAB 2.20. USER AUTHENTICATION 228
LAB 2.21. CUSTOM URL CATEGORIES 243
LAB 2.22. DECRYPTION POLICIES 249
LAB 2.23. BANDWIDTH AND FILE TYPE LIMITS 255
LAB 2.24. APPLICATION VISIBILITY AND CONTROL 260
LAB 2.25. WEB REPUTATION AND DVS 265

Identity Management - ACS
LAB 2.27. ACS BOOTSTRAPPING 281
LAB 2.28. SETUP AAA CLIENTS 290
LAB 2.29. USER AUTHENTICATION AND AUTHORIZATION (IOS) 300
LAB 2.30. LOCAL USER AUTHENTICATION AND AUTHORIZATION USING AAA (IOS) 306
LAB 2.31. TACACS+ USER AUTHENTICATION (IOS) 318
LAB 2.32. TACACS+ AUTHENTICATION AND AUTHORIZATION (IOS) 336
LAB 2.33. ACCOUNTING USING TACACS+ AND RADIUS (IOS) 357
LAB 2.34. IOS AUTHENTICATION PROXY 367
LAB 2.35. AUTHENTICATION PROXY ON ASA 386
LAB 2.36. ACS EXTERNAL IDENTITY STORE 395

Identity Management - ISE
LAB 3.1. ISE INSTALLATION (OPTIONAL) 9
LAB 3.2. GENERATE AND INSTALL A CERTIFICATE 19
LAB 3.3. ADMINISTRATIVE ACCESS TO ISE 28
LAB 3.4. INTEGRATION WITH ACTIVE DIRECTORY 33
LAB 3.5. CONFIGURE ISE FOR MAB 38
LAB 3.6. CONFIGURE MAC WHITELIST 48
LAB 3.7. MAB WITH VLAN AUTHORIZATION 53
LAB 3.8. WINDOWS 7 AD INTEGRATION (OPTIONAL) 61
LAB 3.9. CONFIGURE WIRED 802.1X 64
LAB 3.10. WIRED 802.1X VLAN ASSIGNMENT 89
LAB 3.11. CONFIGURE WIRELESS 802.1X 99
LAB 3.12. LOCAL WEB AUTHENTICATION (LWA) FOR WIRED 121
LAB 3.13. CENTRAL WEB AUTHENTICATION (CWA) FOR WIRED 136
LAB 3.14. CENTRAL WEB AUTHENTICATION (CWA) FOR WIRELESS 151
LAB 3.15. CONFIGURE ISE FOR GUEST ACCESS 165
LAB 3.16. CONFIGURE ISE PROFILER 176
LAB 3.17. ANYCONNECT NAM 186
LAB 3.18. MACSEC SWITCH-TO-HOST 195
LAB 3.19. MACSEC SWITCH-TO-SWITCH 203

IOS Advanced Security
LAB 3.20. BASIC ROUTER SECURITY 211
LAB 3.21. STANDARD NAMED ACCESS LIST 220
LAB 3.22. CONTROLLING TELNET ACCESS AND SSH 223
LAB 3.23. EXTENDED ACCESS LIST IP AND ICMP 229
LAB 3.24. EXTENDED ACCESS LIST OSPF & EIGRP 235
LAB 3.25. EXTENDED ACCESS LIST WITH ESTABLISHED 239
LAB 3.26. DYNAMIC ACCESS LIST 242
LAB 3.27. REFLEXIVE ACCESS-LISTS 252
LAB 3.28. ACCESS-LIST AND TIME-RANGE 258
LAB 3.29. CONFIGURING BASIC CBAC 264
LAB 3.30. CONFIGURING ADVANCED CBAC 266
LAB 3.31. CONFIGURING CBAC & JAVA BLOCKING 273
LAB 3.32. CONFIGURING PAM 275
LAB 3.33. ZONE BASED POLICY FIREWALL (ZFW) 277
LAB 3.34. IMPLEMENTING SECURITY RFCS 311
LAB 3.35. USING MQC AS A FILTERING TOOL 315
LAB 3.36. BLACKHOLE ROUTING USING PBR 322
LAB 3.37. CONFIGURING NAT 326
LAB 3.38. NAT WITH OVERLAPPING NETWORKS 336
LAB 3.39. NAT TCP LOAD BALANCING 342
LAB 3.40. STATEFUL HIGH AVAILABILITY NAT 345
LAB 3.41. NAT VIRTUAL INTERFACE 355
LAB 3.42. TCP INTERCEPT 361
LAB 3.43. CONFIGURING NBAR 365
LAB 3.44. CONFIGURING NETFLOW 371
LAB 3.45. CONFIGURING IOS IPS 376

Control and Management Plane Security
LAB 3.46. CPU PROTECTION MECHANISMS 389
LAB 3.47. DISABLING UNNECESSARY SERVICES 395
LAB 3.48. CONFIGURING SNMP 401
LAB 3.49. CONFIGURING SYSLOG 409
LAB 3.50. CONFIGURING NTP 414
LAB 3.51. PROTOCOL AUTHENTICATION AND ROUTE FILTERING 419
LAB 3.52. CONTROL PLANE POLICY (COPP) 433

Network Attacks
LAB 3.53. PROTECTING AGAINST FRAGMENTATION ATTACKS 442
LAB 3.54. PROTECTING AGAINST MALICIOUS IP OPTION USAGE 447
LAB 3.55. PROTECTING AGAINST NETWORK MAPPING 454
LAB 3.56. PROTECTING AGAINST DOS ATTACKS USING CAR 458
LAB 3.57. PREVENTING PORT REDIRECTION ATTACKS 460
LAB 3.58. PROTECTING AGAINST SMURF ATTACKS 462
LAB 3.59. PORT SECURITY 465
LAB 3.61. VLAN ACCESS LIST 476
LAB 3.62. DHCP SNOOPING AND DYNAMIC ARP INSPECTION 480
LAB 3.63. IP SOURCE GUARD 491
LAB 3.64. PROTECTING AGAINST BROADCAST STORMS 495
LAB 3.65. PROTECTING SPANNING-TREE PROTOCOL 497


Advanced CCIE SECURITY v4 LAB WORKBOOK
Site-to-Site VPNs

Narbik Kocharians
CCIE #12410 (R&S, Security, SP)

Piotr Matusiak
CCIE #19860 (R&S, Security)

www.MicronicsTraining.com

LAB 2.1. DMVPN Phase 1

Lab Setup

• R1’s F0/0 and R2’s G0/0 interface should be configured in VLAN 12
• R2’s S0/1/0 and R5’s S0/1/0 interface should be configured in a frame-relay point-to-point manner
• R2’s S0/1/0 and R4’s S0/0/0 interface should be configured in a frame-relay point-to-point manner
• Configure Telnet on all routers using password “cisco”
• Configure default routing on R1, R4 and R5 pointing to R2

IP Addressing

Device   Interface    IP address
R1       Lo0          192.168.1.1/24
R1       F0/0         10.1.12.1/24
R2       F0/0         10.1.12.2/24
R2       S0/1/0.25    10.1.25.2/24
R2       S0/1/0.24    10.1.24.2/24
R4       Lo0          192.168.4.4/24
R4       S0/0/0.42    10.1.24.4/24
R5       Lo0          192.168.5.5/24
R5       S0/1/0.52    10.1.25.5/24

Task 1

Configure Hub-and-Spoke GRE tunnels between R1, R4 and R5, where R1 is acting as the Hub. Traffic originated from every Spoke’s loopback interface should be transmitted securely via the Hub to the other spokes. You must use the EIGRP dynamic routing protocol to let the other spokes know about the protected networks. Use the following settings when configuring the tunnels:

• Tunnel Parameters
  o IP address: 172.16.145.0/24
  o IP MTU: 1400
  o Tunnel Authentication Key: 12345
• NHRP Parameters
  o NHRP ID: 12345
  o NHRP Authentication key: cisco123
  o NHRP Hub: R1
• Routing Protocol Parameters
  o EIGRP 145

Encrypt the GRE traffic using the following parameters:

• ISAKMP Parameters
  o Authentication: Pre-shared
  o Encryption: 3DES
  o Hashing: SHA
  o DH Group: 2
  o Pre-Shared Key: cisco123
• IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-SHA-HMAC

Dynamic Multipoint Virtual Private Network (DMVPN) was introduced by Cisco in late 2000. The technology was developed to address the need for automatically created VPN tunnels when dynamic IP addresses are in use on the spokes.

In GRE over IPSec (described in the previous lab) both ends of the connection must have a static, unchangeable IP address. It is possible, however, to create many GRE Site-to-Site tunnels from a company’s branches to the Headquarters. This is a pure Hub-and-Spoke topology where all branches may communicate with each other securely through the Hub.

In DMVPN the spokes may have dynamic IP addresses, but there must be a static IP address on the Hub. There is also an additional technology used to let the hub know what dynamic IP addresses are in use by the spokes. This is NHRP (Next Hop Resolution Protocol), which works like ARP but for layer 3. All it does is build a dynamic database, stored on the hub, with information about the spokes’ IP addresses. Now the Hub knows its IPSec peers and can build the tunnels with them.

The Hub must be connected to many spokes at the same time, so there was another issue to solve: how to configure the Hub without having many Tunnel interfaces (one per Site-to-Site tunnel with a spoke). The answer is to use the GRE multipoint type of tunnel, where we do not need to specify the other end of the tunnel statically.

That being said, there are three DMVPN variants called phases:

• Phase 1: simple Hub-and-Spoke topology where dynamic IP addresses on the spokes may be used
• Phase 2: Hub-and-Spoke with direct Spoke-to-Spoke communication allowed
• Phase 3: Hub-and-Spoke with direct Spoke-to-Spoke communication allowed, with better scalability using NHRP Redirects

All the above phases will be described in more detail in the next few labs.

Configuration

Step 1

R1 configuration.

First we need an ISAKMP Policy with a pre-shared key configured. Note that in DMVPN we need to configure a so-called “wildcard PSK” because there may be many peers. This is why the more common solution in DMVPN is to use certificates and PKI. In DMVPN Phase 1 there is no need for a wildcard PSK as there is only a Hub-to-Spoke tunnel, so we know the peers.

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# mode transport

The “mode transport” is used for decreasing IPSec packet size (an outer IP header which is present in tunnel mode is not added in the transport mode).

R1(cfg-crypto-trans)#crypto ipsec profile DMVPN
R1(ipsec-profile)#set transform-set TSET
R1(ipsec-profile)#exi

There is only one Tunnel interface on every DMVPN router. This is because we use the GRE multipoint type of tunnel.

R1(config)#interface Tunnel0
R1(config-if)#ip address 172.16.145.1 255.255.255.0
R1(config-if)#ip mtu 1400

The Maximum Transmission Unit is decreased to ensure that a DMVPN packet does not exceed the IP MTU set on the non-tunnel IP interfaces, usually 1500 bytes. (When transport mode is used, a DMVPN packet consists of the original IP packet, the GRE header, the ESP header and the outer IPSec IP header. If the original IP packet size is close to the IP MTU set on the physical IP interface, adding the GRE and IPSec headers may exceed that value.)
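The overhead described above can be worked out exactly. The following is an added example, not code from the workbook: it uses the standard IPv4, GRE (including the optional Key field that “tunnel key” adds) and ESP sizes for esp-3des/esp-sha-hmac, assumes no NAT-T UDP encapsulation, and the function names are ours. It computes the wire size of a 1400-byte tunnel packet and the largest inner packet that still fits a 1500-byte physical interface, in both transport and tunnel mode.

```python
"""Size of a GRE-over-IPsec packet as built in this lab (ESP transport mode,
esp-3des / esp-sha-hmac, GRE with a tunnel key).

Added example, not code from the workbook. It assumes standard IPv4, GRE and
ESP header sizes, no NAT-T (no extra UDP header); the function names are ours.
"""

IPV4_HEADER = 20      # IPv4 header without options
GRE_HEADER = 4        # base GRE header (flags/version + protocol type)
GRE_KEY = 4           # optional Key field, present because of "tunnel key 12345"
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_IV_3DES = 8       # 3DES-CBC initialisation vector
ESP_TRAILER = 2       # pad length (1) + next header (1)
ESP_ICV_SHA1 = 12     # esp-sha-hmac = HMAC-SHA1-96 integrity check value
BLOCK_3DES = 8        # 3DES block size: payload + padding + trailer is a multiple of it


def esp_padding(payload_len: int, block: int = BLOCK_3DES) -> int:
    """Padding bytes ESP adds so that payload + padding + trailer is block-aligned."""
    return (-(payload_len + ESP_TRAILER)) % block


def encapsulated_size(inner_len: int, tunnel_mode: bool = False) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    Transport mode (the lab's "mode transport"): the GRE header and its payload
    are the ESP payload; the GRE packet's own IP header is reused as the outer
    header, so only one IP header is sent.
    Tunnel mode: ESP additionally wraps the GRE packet's IP header and a new
    outer IP header is added, costing one more IPV4_HEADER.
    """
    esp_payload = GRE_HEADER + GRE_KEY + inner_len
    if tunnel_mode:
        esp_payload += IPV4_HEADER          # the GRE packet's IP header is now encrypted too
    pad = esp_padding(esp_payload)
    esp_packet = ESP_HEADER + ESP_IV_3DES + esp_payload + pad + ESP_TRAILER + ESP_ICV_SHA1
    return IPV4_HEADER + esp_packet         # outer header sent on the physical interface


def max_inner_mtu(physical_mtu: int = 1500, tunnel_mode: bool = False) -> int:
    """Largest inner packet that leaves the physical interface unfragmented."""
    inner = physical_mtu
    while encapsulated_size(inner, tunnel_mode) > physical_mtu:
        inner -= 1
    return inner


def lab_check(ip_mtu: int = 1400, physical_mtu: int = 1500) -> dict:
    """The lab's numbers: does a 1400-byte tunnel packet fit, and what is the ceiling?"""
    return {
        "wire_size_transport": encapsulated_size(ip_mtu),
        "wire_size_tunnel": encapsulated_size(ip_mtu, tunnel_mode=True),
        "max_inner_transport": max_inner_mtu(physical_mtu),
        "max_inner_tunnel": max_inner_mtu(physical_mtu, tunnel_mode=True),
        "fits": encapsulated_size(ip_mtu, tunnel_mode=True) <= physical_mtu,
    }


if __name__ == "__main__":
    for key, value in lab_check().items():
        print(f"{key}: {value}")
```

With these sizes a 1400-byte tunnel packet leaves the physical interface as 1464 bytes in transport mode (1480 in tunnel mode), and the ceiling for an unfragmented inner packet is 1438 bytes in transport mode, so the lab's “ip mtu 1400” leaves a comfortable margin. In practice “ip mtu” on the tunnel is paired with “ip tcp adjust-mss” so that TCP endpoints never send full-size segments into the tunnel in the first place.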

R1(config-if)#ip nhrp authentication cisco123
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 12345

The Hub works as the NHS (Next Hop Server). The NHRP configuration on the Hub is straightforward. First, we need an NHRP network ID to identify the instance and an authentication key to secure NHRP registration. There is a need for NHRP static mapping on the Hub. The Hub must be able to send down all multicast traffic so that dynamic routing protocols can distribute routes between spokes. The line “ip nhrp map multicast dynamic” simply tells the NHRP server to replicate all multicast traffic to all dynamic entries in the NHRP table (entries with the flag “dynamic”).

R1(config-if)#no ip split-horizon eigrp 145

Since we use EIGRP between the Hub and the Spokes, we need to disable Split Horizon for that protocol so the Hub can send routes learned from one Spoke to the other Spoke. The Split Horizon rule says: “routing information is never sent back in the direction from which it was received”. This is a basic loop-prevention rule.

R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 12345
R1(config-if)#tunnel protection ipsec profile DMVPN

A regular GRE tunnel needs both the source and the destination of the tunnel to be specified. In the GRE multipoint tunnel type, however, there is no need for a destination. This is because there may be many destinations, as many as there are Spokes. The actual tunnel destination is derived from the NHRP database.

The tunnel has a key for identification purposes, as there may be many tunnels on one router and the router must know which tunnel a packet is destined to.

Finally, we must encrypt the traffic. This is done by attaching an IPSec Profile to the tunnel. I recommend leaving that command aside for a while when configuring DMVPN and adding it to the configuration once we know the tunnels work fine. DMVPN may work without any encryption, so no worries.

R1(config-if)#exi

%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Tunnel0 has changed its state to “UP”. ISAKMP protocol is enabled and operates on the router.

R1(config)#router eigrp 145
R1(config-router)#network 172.16.145.0 0.0.0.255
R1(config-router)#network 192.168.1.0
R1(config-router)#no auto-summary
R1(config-router)#exi

Finally we need a routing protocol over the tunnel. Remember, this protocol will be used to carry the information about the networks behind the Spokes (or the Hub). Be careful when configuring it, as there is a chance of getting into a “recursive loop”. This means we should not use the same dynamic routing protocol instance both for the prefixes available over the tunnel and for the underlying connectivity between the Hub and the Spokes.

Step 2

R5 configuration.

R5 is our first Spoke. Again, we need ISAKMP Policy configuration and PSK.

R5(config)#crypto isakmp policy 1
R5(config-isakmp)# encr 3des
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# group 2
R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)# mode transport
R5(cfg-crypto-trans)#crypto ipsec profile DMVPN
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#exi

The tunnel interface configuration is slightly different on the Spoke than on the Hub. This is because the Spoke works as an NHRP Client of the Hub (NHS). Most of the commands below have been described already.

R5(config)#interface Tunnel0
R5(config-if)# ip address 172.16.145.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco123
R5(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R5(config-if)# ip nhrp network-id 12345
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.145.1

NHRP Client configuration. We need our Spoke to register with the NHS, so we need to configure the following:

• NHRP authentication key – to authenticate successfully to the NHS
• NHRP Network ID – to be authenticated to the correct NHS instance
• NHRP holdtime – how long the NHS should treat the registered spoke’s IP address as valid
• NHS – IP address of the NHRP Server; note this is its Private (tunnel) IP address. To resolve this address to the Public (Physical) IP address of the NHS, we need the last command, which is:
• NHRP static mapping – to resolve the NHS’ Physical IP address

This mapping is very important as it causes the Spoke to initiate the GRE tunnel to the Hub. Without it the Spoke has no clue how to register with the NHS.
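The NHRP behaviour described for the Hub (a dynamic table filled by registrations, multicast replicated to the dynamic entries) and for the Spoke (holdtime, a static mapping to the NHS that never expires) can be modelled in a few dozen lines. This is an added example, not code from the workbook and not how IOS implements NHRP; the class, method and field names are ours, and the third spoke registering with a wrong key is a constructed case.

```python
"""Toy model of the NHRP table built on a DMVPN router.

Added example, not part of the workbook and not IOS code. On the hub (the NHS)
the table is filled by spoke registrations; on a spoke it holds the static
mapping to the hub. Class and field names are ours, chosen to mirror what
"sh ip nhrp" prints (Type, Flags, NBMA address, expire).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NhrpEntry:
    tunnel_ip: str                        # protocol (tunnel) address, e.g. 172.16.145.5
    nbma: str                             # physical/NBMA address, e.g. 10.1.25.5
    static: bool                          # "Type: static" entries never expire
    expires_at: Optional[float] = None    # absolute time, dynamic entries only
    flags: List[str] = field(default_factory=list)


class NhrpTable:
    """One NHRP instance: network-id selects it, the auth key protects registrations."""

    def __init__(self, network_id: int, auth_key: str) -> None:
        self.network_id = network_id
        self.auth_key = auth_key
        self.entries: Dict[str, NhrpEntry] = {}

    def add_static(self, tunnel_ip: str, nbma: str) -> None:
        """'ip nhrp map <tunnel_ip> <nbma>' typed on the local router."""
        self.entries[tunnel_ip] = NhrpEntry(tunnel_ip, nbma, static=True)

    def register(self, tunnel_ip: str, nbma: str, network_id: int,
                 auth_key: str, holdtime: int, now: float) -> bool:
        """Handle a spoke's NHRP registration request (hub/NHS side).

        A request carrying another network-id or the wrong authentication key
        is dropped, so a mis-keyed spoke simply never appears in 'sh ip nhrp'.
        """
        if network_id != self.network_id or auth_key != self.auth_key:
            return False
        self.entries[tunnel_ip] = NhrpEntry(
            tunnel_ip, nbma, static=False, expires_at=now + holdtime,
            flags=["unique", "registered"])
        return True

    def purge_expired(self, now: float) -> List[str]:
        """Remove dynamic entries whose holdtime elapsed without re-registration."""
        gone = [ip for ip, e in self.entries.items()
                if not e.static and e.expires_at is not None and e.expires_at <= now]
        for ip in gone:
            del self.entries[ip]
        return gone

    def multicast_targets(self) -> List[str]:
        """NBMA addresses that 'ip nhrp map multicast dynamic' replicates multicast
        (EIGRP hellos and updates) to: every dynamically learned entry."""
        return sorted(e.nbma for e in self.entries.values() if not e.static)

    def resolve(self, tunnel_ip: str) -> Optional[str]:
        """Tunnel IP -> NBMA lookup the mGRE tunnel performs before encapsulating."""
        e = self.entries.get(tunnel_ip)
        return e.nbma if e else None


def lab_hub(now: float = 0.0) -> NhrpTable:
    """Hub R1 from this lab: network-id 12345, key cisco123; R5 then R4 register
    with holdtime 360, and a constructed third spoke with a wrong key is rejected."""
    hub = NhrpTable(network_id=12345, auth_key="cisco123")
    hub.register("172.16.145.5", "10.1.25.5", 12345, "cisco123", 360, now)
    hub.register("172.16.145.4", "10.1.24.4", 12345, "cisco123", 360, now + 35)
    hub.register("172.16.145.9", "10.1.99.9", 12345, "wrong-key", 360, now + 40)
    return hub


def lab_spoke() -> NhrpTable:
    """Spoke R4/R5 from this lab: a single static mapping to the hub."""
    spoke = NhrpTable(network_id=12345, auth_key="cisco123")
    spoke.add_static("172.16.145.1", "10.1.12.1")
    return spoke
```

Running purge_expired on the hub table with a clock past 360 seconds removes R5's entry unless it re-registered in the meantime, which is exactly why a spoke that loses its IKE session silently disappears from “sh ip nhrp” on the hub once the holdtime runs out, while the spoke's own static entry for the hub is never removed.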

R5(config-if)# tunnel source Serial0/1/0.52
R5(config-if)# tunnel destination 10.1.12.1
R5(config-if)# tunnel key 12345
R5(config-if)# tunnel protection ipsec profile DMVPN

The tunnel configuration is also different. On the Spoke there is no reason to use GRE multipoint tunnel mode, because there is only one tunnel (Spoke to Hub) in DMVPN Phase 1. Hence we must provide both the source and the destination of the tunnel.

%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#exi
R5(config)#router eigrp 145
R5(config-router)# network 172.16.145.0 0.0.0.255
R5(config-router)# network 192.168.5.0
R5(config-router)# no auto-summary
R5(config-router)#ex

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency

R5(config-router)#exi

The router has established an EIGRP adjacency through the tunnel. Note that the adjacency has been established with the DMVPN hub (172.16.145.1).

Step 3

R4 configuration.

The beauty of this technology is that there is exactly the same configuration on all Spokes!

R4(config)#crypto isakmp policy 1
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)#crypto ipsec profile DMVPN
R4(ipsec-profile)# set transform-set TSET
R4(ipsec-profile)#exi
R4(config)#interface Tunnel0
R4(config-if)# ip address 172.16.145.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco123
R4(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R4(config-if)# ip nhrp network-id 12345
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.145.1
R4(config-if)# tunnel source Serial0/0/0.42
R4(config-if)# tunnel destination 10.1.12.1
R4(config-if)# tunnel key 12345
R4(config-if)# tunnel protection ipsec profile DMVPN

%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)#exi
R4(config)#router eigrp 145
R4(config-router)# network 172.16.145.0 0.0.0.255
R4(config-router)# network 192.168.4.0
R4(config-router)# no auto-summary

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency

R4(config-router)#exi

Verification

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.12.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/27008000] via 172.16.145.4, 00:00:17, Tunnel0
D    192.168.5.0/24 [90/27008000] via 172.16.145.5, 00:00:55, Tunnel0

Spokes have sent updates about their networks (loopback interfaces) to the Hub. Now the Hub must send that information down to the other Spokes. The Hub may do that as long as the Split Horizon rule is disabled for the routing protocol.

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 10.1.12.2

R1#sh ip nhrp
172.16.145.4/32 via 172.16.145.4
   Tunnel0 created 00:00:33, expire 00:05:26
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5
   Tunnel0 created 00:01:08, expire 00:04:51
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.25.5

The NHRP database displayed on the DMVPN hub. Note that “sh ip nhrp” shows the mapping between the Tunnel0 IP address and the IP address of the Serial interface which is used for reaching the tunnel endpoint. The entries in the NHRP database on the hub are dynamic (dynamically obtained from the spokes).

R1#sh ip eigrp neighbor
IP-EIGRP neighbors for process 145
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.145.4            Tu0               11 00:00:38   10  1362  0  3
0   172.16.145.5            Tu0               11 00:01:16   29  1362  0  3

EIGRP adjacency established with the spokes.

R1#sh ip eigrp interface
IP-EIGRP interfaces for process 145

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Tu0                2        0/0        19       6/227         80           0
Lo0                0        0/0         0       0/1            0           0

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE
10.1.12.1       10.1.24.4       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA
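When verifying or troubleshooting this lab, the hub's NHRP table and its ISAKMP SAs should agree: every dynamically registered spoke has an authenticated IKE SA, and every IKE peer has registered in NHRP. The script below checks that by parsing the two outputs. This is an added example, not code from the workbook; the two sample outputs are constructed from the values shown in this lab (R1 as hub, NBMA address 10.1.12.1), and the regexes assume the column layout of the output reproduced on this page.

```python
"""Cross-check the hub's "sh ip nhrp" against its "sh crypto isakmp sa".

Added example, not code from the workbook. The two outputs below are
constructed from the values shown in this lab (R1 as hub, NBMA 10.1.12.1);
the regexes follow the column layout of the output reproduced on this page.
"""
import re
from typing import Dict, List, Optional

NHRP_OUTPUT = """\
172.16.145.4/32 via 172.16.145.4
   Tunnel0 created 00:00:33, expire 00:05:26
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5
   Tunnel0 created 00:01:08, expire 00:04:51
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.25.5
"""

ISAKMP_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE
10.1.12.1       10.1.24.4       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
NHRP_ENTRY_RE = re.compile(rf"^{IP}/\d+ via {IP}$")            # "172.16.145.4/32 via 172.16.145.4"
NHRP_TYPE_RE = re.compile(r"Type:\s*(\w+),\s*Flags:\s*(.*)$")
NHRP_NBMA_RE = re.compile(r"NBMA address:\s*(\S+)")
ISAKMP_SA_RE = re.compile(rf"^{IP}\s+{IP}\s+(\S+)\s+(\d+)\s+(\S+)")  # dst src state conn-id status


def parse_nhrp(text: str) -> List[Dict[str, object]]:
    """One dict per NHRP entry: tunnel_ip, type (static/dynamic), flags, nbma."""
    entries: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NHRP_ENTRY_RE.match(line)
        if m:                                   # a new entry starts with its prefix line
            cur = {"tunnel_ip": m.group(1), "type": None, "flags": [], "nbma": None}
            entries.append(cur)
        elif cur is not None:                   # indented detail lines of the current entry
            t = NHRP_TYPE_RE.search(line)
            n = NHRP_NBMA_RE.search(line)
            if t:
                cur["type"], cur["flags"] = t.group(1), t.group(2).split()
            elif n:
                cur["nbma"] = n.group(1)
    return entries


def parse_isakmp(text: str) -> List[Dict[str, str]]:
    """One dict per IKEv1 SA row: dst, src, state, conn_id, status."""
    sas: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = ISAKMP_SA_RE.match(raw.strip())
        if m:
            sas.append(dict(zip(("dst", "src", "state", "conn_id", "status"), m.groups())))
    return sas


def check_hub(nhrp_text: str, isakmp_text: str, hub_nbma: str) -> List[str]:
    """Findings for the hub's view; an empty list means NHRP and IKE agree.

    With "tunnel protection" every registered spoke must also hold an
    authenticated IKE SA (QM_IDLE / ACTIVE) with the hub, and every IKE peer
    must have registered in NHRP. A spoke seen on one side only points at a
    mismatch: ISAKMP/IPsec settings if the SA is missing or stuck, tunnel key
    or NHRP network-id/authentication key if the registration is missing.
    """
    findings: List[str] = []
    sa_by_peer: Dict[str, Dict[str, str]] = {}
    for sa in parse_isakmp(isakmp_text):
        peer = sa["src"] if sa["dst"] == hub_nbma else sa["dst"]   # hub may be initiator or responder
        sa_by_peer[peer] = sa
    registered = set()
    for e in parse_nhrp(nhrp_text):
        if e["type"] != "dynamic":
            continue                            # static entries are local config, not peers
        if "registered" not in e["flags"]:
            findings.append(f"NHRP entry {e['tunnel_ip']} is dynamic but not registered")
        registered.add(e["nbma"])
        sa = sa_by_peer.get(e["nbma"])
        if sa is None:
            findings.append(f"spoke {e['tunnel_ip']} (NBMA {e['nbma']}) has no ISAKMP SA")
        elif sa["state"] != "QM_IDLE" or sa["status"] != "ACTIVE":
            findings.append(f"ISAKMP SA with {e['nbma']} is {sa['state']}/{sa['status']}")
    for peer in sa_by_peer:
        if peer not in registered:
            findings.append(f"ISAKMP peer {peer} has no NHRP registration on the hub")
    return findings
```

On the healthy outputs from this lab check_hub returns an empty list. Feeding it an NHRP table with R5 missing, or an ISAKMP table where R5's SA is stuck in MM_NO_STATE instead of QM_IDLE, produces one finding naming 10.1.25.5, which is the spoke to look at first.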

R1#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)

Local and remote identities used for the tunnel. Note that the GRE protocol (IP protocol 47) is what is transported in the tunnel. This is achieved automatically by assigning the IPSec profile to the tunnel interface (configuring crypto ACLs is no longer needed).

   current_peer 10.1.24.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19

Note that traffic is going through the tunnel established between the hub (R1) and the spoke (R4).

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.24.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x97564348(2539012936)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2A3D155F(708646239)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4568792/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x97564348(2539012936)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4568792/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

The outbound SPI (Security Parameter Index) has been negotiated.

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)

Local and remote identities used for the tunnel established between the hub (R1) and the other spoke (R5).

   current_peer 10.1.25.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.25.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x423D37C6(1111308230)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE65FFF26(3865050918)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4492833/3501)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x423D37C6(1111308230)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4492832/3501)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/28288000] via 172.16.145.1, 00:03:22, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, Serial0/0/0.42
D    192.168.1.0/24 [90/27008000] via 172.16.145.1, 00:03:22, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.24.2

The networks of the R1 and R5 loopbacks are present in R4’s routing table. These networks are reachable through the hub (R1) over the DMVPN network.

R4#sh ip route 192.168.5.0
Routing entry for 192.168.5.0/24
  Known via "eigrp 145", distance 90, metric 28288000, type internal
  Redistributing via eigrp 145
  Last update from 172.16.145.1 on Tunnel0, 00:03:34 ago
  Routing Descriptor Blocks:
  * 172.16.145.1, from 172.16.145.1, 00:03:34 ago, via Tunnel0

The next hop IP address, followed by the information source (R1, the hub).

      Route metric is 28288000, traffic share count is 1
      Total delay is 105000 microseconds, minimum bandwidth is 100 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2

R4#sh ip cef 192.168.5.0
192.168.5.0/24
  nexthop 172.16.145.1 Tunnel0

The CEF entry displayed for the R5 loopback network. It indicates the IP address of the next hop that has to be used for reaching 192.168.5.0/24.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:04:04, never expire
   Type: static, Flags:
   NBMA address: 10.1.12.1

The NHRP database entries displayed. This shows the mapping between the hub’s tunnel interface IP address and the hub’s real interface IP address through which the tunnel endpoint is reachable. Note that the NHRP database entries related to the hub are static and never expire (the hub must always be reachable for the spoke, so the entry cannot be dynamic).

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.24.4       QM_IDLE           1001 ACTIVE

This indicates that the ISAKMP tunnel is established and active (QM_IDLE means that the ISAKMP SA is authenticated and Quick Mode, IPSec Phase 2, is finished).

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.24.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

The IPSec proxy IDs on the spoke indicate that traffic between the tunnel endpoints will be encrypted/decrypted. Also, the packet counters are incrementing as routing updates cross the tunnel.

     local crypto endpt.: 10.1.24.4, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.42
     current outbound spi: 0x2A3D155F(708646239)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x97564348(2539012936)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4571034/3344)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2A3D155F(708646239)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4571034/3344)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#pi 192.168.5.5 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms

Now ping the other spoke using its loopback IP address as the source. This checks end-to-end connectivity through the DMVPN network.

R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.24.4       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

Note: No new ISAKMP SA or NHRP mappings were created.

R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:04:40, never expire
   Type: static, Flags:
   NBMA address: 10.1.12.1

The same set of commands should be run on the other spoke.

R5#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.25.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/28288000] via 172.16.145.1, 00:01:24, Tunnel0
C    192.168.5.0/24 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.25.0 is directly connected, Serial0/1/0.52
D    192.168.1.0/24 [90/27008000] via 172.16.145.1, 00:02:02, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.25.2

R5#sh ip cef 192.168.4.0
192.168.4.0/24
  nexthop 172.16.145.1 Tunnel0

R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:02:11, never expire
   Type: static, Flags:
   NBMA address: 10.1.12.1

R5#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 10.1.25.5

protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   current_peer 10.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.25.5, remote crypto endpt.: 10.1.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.52
     current outbound spi: 0xE65FFF26(3865050918)
     PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0x423D37C6(1111308230)

transform: esp-3des esp-sha-hmac , in use settings ={Transport, }

conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4430458/3455) IV size: 8 bytes

replay detection support: Y Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xE65FFF26(3865050918)

transform: esp-3des esp-sha-hmac , in use settings ={Transport, }


conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4430459/3455) IV size: 8 bytes

replay detection support: Y Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R5#pi 192.168.4.4 so lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds: Packet sent with a source address of 192.168.5.5

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/40 ms

Note: No new ISAKMP SA or NHRP mappings created.

R5#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh ip nhrp

172.16.145.1/32 via 172.16.145.1
   Tunnel0 created 00:03:01, never expire
   Type: static, Flags:

Advanced CCIE SECURITY v4 LAB WORKBOOK

Content Security: WSA

Logical Topology for WSA labs

WSA is connected to the network using two interfaces:

• P1 – data interface, placed in VLAN 30 (ASA DMZ)


LAB 2.2. Transparent Proxy with ASA

Objectives

This lab shows how to integrate WSA with ASA to provide transparent proxy services for users.

IP Addressing and devices

Device   Interface       IP address
WSA      M1              10.1.10.80/24
         P1              10.1.30.80/24
R1       Lo0             1.1.1.1/32
         E0/0            10.1.10.1/24
         E0/1            172.31.1.1/24
ASA      0/0 (outside)   100.2.2.10/24
         0/1 (inside)    10.1.10.10/24
         0/2 (dmz)       10.1.30.10/24
R2       Lo0             2.2.2.2/32
         E0/0            100.2.2.2/24
WinXP    NIC             10.1.10.50/24
Win7     NIC             10.1.10.104/24
AD       NIC             172.31.1.200/24

Task

Reconfigure WSA to provide transparent proxy services to all users. The WSA should use its M1 interface and talk to the ASA using the WCCP v2 protocol. Messages exchanged between WSA and ASA should be authenticated using the ‘cisco123’ shared secret. Enable transparent proxy for HTTP and HTTPS. Disable the CONNECT method for explicit proxy.

Configuration

Complete these steps:

Step 1 Configure WCCP on ASA.

!
access-list WCCP permit tcp 10.1.10.0 255.255.255.0 any eq 80
access-list WCCP permit tcp 10.1.10.0 255.255.255.0 any eq 443
!
wccp 90 redirect-list WCCP password cisco123
wccp interface inside 90 redirect in
!

Step 2 Reconfigure interfaces on WSA.

Go to Network > Interfaces and click Edit Settings… Uncheck the Restrict M1 port to appliance management services only option and erase the P1 interface configuration. Click Submit.

• Note the following message. Click Continue.

Step 3 Enable Transparent Proxy services.

Go to Network > Transparent Redirection and click Edit Device… From the drop-down list select WCCP v2 Router and click Submit.

• Click Add Service…

• Provide a name for the WCCP service, e.g. asa-wccp, and select the Dynamic service ID option. Set the ID to 90 and associate Port Numbers 80,443. Put 10.1.10.10 (ASA’s inside interface IP) as the Router IP Address and tick the Enable Security for Service option, configuring

Review configuration and click Commit Changes.

Step 4 Win7 client PC configuration.

• Open up the web browser and go to Tools > Internet Options > Connections > LAN Settings and uncheck the Use a proxy server for your LAN option.

Verification

• On the Win7 client PC open up the web browser and go to http://www.google.com. Authenticate as a user from the Employees group.

// there is a 401 returned by the proxy, which is the authentication request.

1360089008.110 0 10.1.10.104 TCP_DENIED/401 0 GET http://proxy.micronics.local/B0000D0000N0001F0000S0000R0004/http://www.google.com/ - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -

// after authentication the request is processed normally

1360089020.203 413 10.1.10.104 TCP_MISS/200 31422 GET http://www.google.com/ "MICRONICS\employee1@AD" DIRECT/www.google.com text/html ALLOW_WBRS_12-Employees-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_srch,8.2,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","-","-",608.66,0,-,"-","-"> -

• Connect to http://www.facebook.com. Facebook redirects the user to HTTPS by default, so you should get a certificate error (the certificate is not trusted because it is signed by the WSA). You should be connected after accepting the certificate.

// HTTP request to facebook.com

1360089089.513 271 10.1.10.104 TCP_MISS/302 405 GET http://www.facebook.com/ "MICRONICS\employee1@AD" DIRECT/www.facebook.com text/html DEFAULT_CASE_12-Employees-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_snet,4.7,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_snet,-,"-","-","Facebook General","Facebook","-","-",11.96,0,-,"Unknown","-"> -

// TCP Connect to 443, redirected to WSA.

1360089089.703 183 10.1.10.104 TCP_MISS_SSL/200 0 TCP_CONNECT 31.13.64.23:443 "MICRONICS\employee1@AD" DIRECT/31.13.64.23 - DECRYPT_AVC_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_snet,4.7,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_snet,-,"-","-","Facebook General","Facebook","Encrypted","-",0.00,0,-,"-","-"> -
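The access log checks above can be done mechanically. The following is an added example (not from the workbook or from AsyncOS) that parses the squid-format WSA access log entries shown in this verification, flags the 401 authentication challenge and the decrypted HTTPS CONNECT, and reports any transaction served without an authenticated user; the field order is assumed from the documented WSA access log format, and the sample lines are the four shown above.

```python
"""Parse Cisco WSA squid-format access log lines and summarise what the lab
verifies by eye: the 401 authentication challenge, authenticated requests and
HTTPS CONNECTs that the WSA decrypted.

Hypothetical helper (not from the workbook or AsyncOS). Field order assumed per
the documented WSA access log format: timestamp, elapsed ms, client IP,
result/status, bytes, method, URL, user, hierarchy/peer, MIME type, ACL
decision tag, <scanning verdict>, trailing field."""
import csv
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+'
    r'(?:"(?P<user>[^"]*)"|-)\s+'      # user is quoted, or "-" when unauthenticated
    r'(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s+(?P<acl>\S+)\s+'
    r'<(?P<verdict>.*)>\s+\S+$'
)

# Constructed sample: the four access log entries shown in the lab verification.
SAMPLE_LINES = r'''
1360089008.110 0 10.1.10.104 TCP_DENIED/401 0 GET http://proxy.micronics.local/B0000D0000N0001F0000S0000R0004/http://www.google.com/ - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -
1360089020.203 413 10.1.10.104 TCP_MISS/200 31422 GET http://www.google.com/ "MICRONICS\employee1@AD" DIRECT/www.google.com text/html ALLOW_WBRS_12-Employees-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_srch,8.2,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","-","-",608.66,0,-,"-","-"> -
1360089089.513 271 10.1.10.104 TCP_MISS/302 405 GET http://www.facebook.com/ "MICRONICS\employee1@AD" DIRECT/www.facebook.com text/html DEFAULT_CASE_12-Employees-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_snet,4.7,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_snet,-,"-","-","Facebook General","Facebook","-","-",11.96,0,-,"Unknown","-"> -
1360089089.703 183 10.1.10.104 TCP_MISS_SSL/200 0 TCP_CONNECT 31.13.64.23:443 "MICRONICS\employee1@AD" DIRECT/31.13.64.23 - DECRYPT_AVC_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_snet,4.7,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_snet,-,"-","-","Facebook General","Facebook","Encrypted","-",0.00,0,-,"-","-"> -
'''.strip().splitlines()


def parse_line(line):
    """Return the fields of one access log entry as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = int(rec['bytes'])
    # The ACL decision tag is dash-separated; its first element is the decision
    # (e.g. ALLOW_WBRS_12), whose trailing _<n> is a policy/rule index.
    rec['decision'] = re.sub(r'_\d+$', '', rec['acl'].split('-')[0])
    # The scanning verdict is CSV with quoted strings; by position the first
    # two values are URL category and WBRS score (assumption from the docs).
    fields = next(csv.reader([rec['verdict']]))
    rec['url_category'] = fields[0] if fields else '-'
    try:
        rec['wbrs'] = float(fields[1])
    except (IndexError, ValueError):
        rec['wbrs'] = None
    return rec


def summarize(lines):
    """Aggregate the checks the lab performs by hand on the access log."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        'parsed': len(recs),
        'auth_challenges': sum(r['result'] == 'TCP_DENIED' and r['status'] == 401
                               for r in recs),
        'decrypted_https': sum(r['method'] == 'TCP_CONNECT' and
                               r['decision'].startswith('DECRYPT') for r in recs),
        'users': {r['user'] for r in recs if r['user']},
        'decisions': Counter(r['decision'] for r in recs),
    }


def unauthenticated_served(recs):
    """URLs served (2xx/3xx) to a client that never identified itself. The lab
    requires every user to authenticate, so any hit here means the identity
    policy was not applied to that traffic."""
    return [r['url'] for r in recs if r['user'] is None and 200 <= r['status'] < 400]


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LINES).items():
        print(f'{key}: {value}')
    recs = [r for r in map(parse_line, SAMPLE_LINES) if r]
    print('unauthenticated but served:', unauthenticated_served(recs))
```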

// check the connection table on ASA – there should be NO connections from the Win7 PC

ASA1(config)# sh conn
11 in use, 77 most used
TCP outside 2.16.216.40:443 inside 10.1.10.80:57688, idle 0:00:07, bytes 32361, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57686, idle 0:00:07, bytes 27805, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57685, idle 0:00:07, bytes 74840, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57684, idle 0:00:07, bytes 75426, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57683, idle 0:00:08, bytes 11142, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57682, idle 0:00:08, bytes 83528, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57680, idle 0:00:14, bytes 2593, flags UfFrIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57679, idle 0:00:14, bytes 45467, flags UfFrIO
TCP outside 195.12.233.137:443 inside 10.1.10.80:57666, idle 0:00:15, bytes 2548, flags UIO
TCP outside 31.13.64.23:443 inside 10.1.10.80:53205, idle 0:00:17, bytes 30380, flags UIO

Check ASA WCCP commands output.

ASA1(config)# deb wccp packet
WCCP-PKT:D90: Received valid Here_I_Am packet from 10.1.10.80 w/rcv_id 00000112
WCCP-PKT:D90: Sending I_See_You packet to 10.1.10.80 w/ rcv_id 00000113

ASA1(config)# sh wccp
Global WCCP information:
    Router information:
        Router Identifier:                   100.2.2.10
        Protocol Version:                    2.0

    Service Identifier: 90
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            11464
        Redirect access-list:                WCCP
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            6
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

ASA1(config)# sh wccp 90 detail
WCCP Cache-Engine information:
        Web Cache ID:          10.1.10.80
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        256 (100.00%)
        Packets Redirected:    11464
        Connect Time:          00:00:18

ASA1(config)# sh wccp 90 service
WCCP service information definition:
        Type:          Dynamic
        Id:            90
        Priority:      240
        Protocol:      6
        Options:       0x00000012
        ---
        Hash:          DstIP
        Alt Hash:      -none-

Advanced CCIE SECURITY v4 LAB WORKBOOK

Identity Management: ACS

Logical Topology for ACS labs

ACS 5 is connected to the network behind Router1 and has the IP address 172.31.1.100. Its default gateway should be set to R1.

LAB 2.3. ACS Bootstrapping

Objectives

This lab introduces Cisco Secure Access Control Server v5.3 and verifies basic connectivity with other network elements.

IP Addressing and devices

Device   Interface   IP address
ACS      NIC         172.31.1.100
R1       Lo0         1.1.1.1/32
         E0/0        10.1.10.1/24
         E0/1        172.31.1.1/24
R2       Lo0         2.2.2.2/32
         E0/0        100.2.2.2/24
WinXP    NIC         10.1.10.50/24

Task 1 – Verify ACS installation

Connect to the ACS console using SSH and the username/password admin/Micronics1. Check and note the following:

• ACS application version
• ACS daemon status
• Interface configuration
• Routing table (with default gateway)
• Clock configuration
• Timezone configuration

Configure the following:

• NTP server set to 172.31.1.1
• Connect to the GUI and install the license located on the WinXP desktop (ACS5.lic)

Configuration

Complete these steps:

Step 1 Run Putty and connect to IP address 172.31.1.100

Step 2 Verify that ACS is installed properly

ACS5/admin# show application
<name>              <Description>
acs                 Cisco Secure Access Control System 5.3

Cisco ACS is an application installed on an underlying operating system called Cisco ADE. Once you are connected to ADE, check which applications are installed; the application name (in our case ‘acs’) is then used in all other application commands.

Step 3 Check ACS version

ACS5/admin# show application version acs
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.3.0.40
Internal Build ID : B.839.EVAL

The main version is 5.3 and the patch level is 40. The build ID depends on the development stage and also indicates that we use an evaluation version of ACS. You can install a production license or an evaluation license (90 days). Remember that if ACS was installed with a 60GB disk (the minimum) there is no option to run it with a non-evaluation license; 60GB is the minimum value and can only be used in a lab environment.

Step 4 Check status of ACS processes

ACS5/admin# show application status acs
ACS role: PRIMARY

Process 'database'           running
Process 'management'         running
Process 'runtime'            running
Process 'view-database'      running
Process 'view-jobmanager'    running
Process 'view-alertmanager'  running
Process 'view-collector'     running
Process 'view-logprocessor'  running

If any status is other than ‘running’, something is wrong with that particular ACS subsystem/process. To fix it, try restarting the ACS application using ‘application stop acs’ followed by ‘application start acs’. Be patient, as it may take a while to start all ACS processes.

Step 5 Check interface configuration and verify IP address and netmask

ACS5/admin# show interface
eth0      Link encap:Ethernet  HWaddr 00:50:56:AE:83:F6
          inet addr:172.31.1.100  Bcast:172.31.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feae:83f6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12645 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16627 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1105589 (1.0 MiB)  TX bytes:19717105 (18.8 MiB)
          Interrupt:177 Base address:0x2000

Make sure that you see RX and TX packets and that no error counters are increasing; this is the first indicator that something may be wrong with connectivity. If you do not see the eth0 interface at all, it usually means the interface is down.

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1939218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1939218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:300253955 (286.3 MiB)  TX bytes:300253955 (286.3 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Step 6 Check routing table and default gateway

ACS5/admin# show ip route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.31.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         172.31.1.1      0.0.0.0         UG    0      0        0 eth0

Step 7 Check basic connectivity to the gateway and to other network elements

ACS5/admin# ping 172.31.1.1
PING 172.31.1.1 (172.31.1.1) 56(84) bytes of data.
64 bytes from 172.31.1.1: icmp_seq=0 ttl=255 time=10.0 ms
64 bytes from 172.31.1.1: icmp_seq=1 ttl=255 time=0.642 ms
64 bytes from 172.31.1.1: icmp_seq=2 ttl=255 time=0.690 ms
64 bytes from 172.31.1.1: icmp_seq=3 ttl=255 time=0.784 ms

--- 172.31.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.642/3.049/10.083/4.061 ms, pipe 2

ACS5/admin# ping 10.1.10.10

--- 10.1.10.10 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3027ms

Note that you cannot reach the ASA firewall at this stage. This is because the ASA has no route back to network 172.31.1.0/24. You will fix this later.

ACS5/admin# ping 10.1.10.50
PING 10.1.10.50 (10.1.10.50) 56(84) bytes of data.
64 bytes from 10.1.10.50: icmp_seq=0 ttl=127 time=0.812 ms
64 bytes from 10.1.10.50: icmp_seq=1 ttl=127 time=1.02 ms
64 bytes from 10.1.10.50: icmp_seq=2 ttl=127 time=1.02 ms
64 bytes from 10.1.10.50: icmp_seq=3 ttl=127 time=10.8 ms

--- 10.1.10.50 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3009ms
rtt min/avg/max/mdev = 0.812/3.429/10.860/4.291 ms, pipe 2

Step 8 Check the name server and domain configuration. Verify that DNS works by resolving the FQDN acs5.micronics.local

ACS5/admin# show running-config | inc name
hostname ACS5
ip domain-name micronics.local
ip name-server 172.31.1.200
username admin password hash $1$Vlgou3Zx$hWKQ2lqIKFZF./OlFJ/Wi1 role admin

ACS5/admin# ping 172.31.1.200
PING 172.31.1.200 (172.31.1.200) 56(84) bytes of data.
64 bytes from 172.31.1.200: icmp_seq=0 ttl=128 time=0.551 ms
64 bytes from 172.31.1.200: icmp_seq=1 ttl=128 time=0.331 ms
64 bytes from 172.31.1.200: icmp_seq=2 ttl=128 time=0.401 ms
64 bytes from 172.31.1.200: icmp_seq=3 ttl=128 time=0.415 ms

--- 172.31.1.200 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.331/0.424/0.551/0.082 ms, pipe 2

ACS5/admin# nslookup acs5.micronics.local
Trying "acs5.micronics.local"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;acs5.micronics.local.          IN      ANY

;; ANSWER SECTION:
acs5.micronics.local.   3600    IN      A       172.31.1.100

Received 54 bytes from 172.31.1.200#53 in 0 ms

Step 9 Check clock and timezone configuration

ACS5/admin# show clock
Sun Jan 6 12:23:45 UTC 2013
ACS5/admin# show timezone
UTC

If a different timezone is configured you can always change it to the correct value using the ‘clock timezone UTC’ command in global configuration. To check which timezone names are available use the ‘show timezones’ command.

Step 10 Configure NTP

ACS5/admin(config)# ntp server 172.31.1.1
The NTP server was modified.
If this action resulted in a clock modification, you must restart ACS.
ACS5/admin(config)# exit
ACS5/admin# write mem
Generating configuration...
ACS5/admin# show ntp
Primary NTP : 172.31.1.200

unsynchronised
  time server re-starting
  polling server every 64 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        10 l   42   64    7    0.000    0.000   0.002
 172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029

Warning: Output results may conflict during periods of changing synchronization.

ACS5/admin# show ntp
Primary NTP : 172.31.1.1

synchronised to NTP server (172.31.1.1) at stratum 9
  time correct to within 452 ms
  polling server every 64 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        10 l   45   64   77    0.000    0.000   0.002
*172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029

Warning: Output results may conflict during periods of changing synchronization.

NTP synchronization is very important, especially when ACS is part of an Active Directory domain. If you plan to join AD, the clocks of the Domain Controller and ACS must be synchronized; NTP-related issues cause most problems with AD integration.

You can also check the application logs while syncing with NTP.

Note that ACS may not synchronize with a source that is not reliable (a source that gets its time from its own local clock).

ACS5/admin# show logging application | in ntp
Nov 8 11:38:05 ACS5 ntpd[29716]: ntpd [email protected] Mon Jul 28 11:03:50 EDT 2008 (1)
Nov 8 11:38:05 ACS5 ntpd: ntpd startup succeeded
Nov 8 11:38:05 ACS5 ntpd[29716]: precision = 2.000 usec
Nov 8 11:38:05 ACS5 ntpd[29716]: Listening on interface wildcard, 0.0.0.0#123
Nov 8 11:38:05 ACS5 ntpd[29716]: Listening on interface wildcard, ::#123
Nov 8 11:38:05 ACS5 ntpd[29716]: Listening on interface lo, 127.0.0.1#123
Nov 8 11:38:05 ACS5 ntpd[29716]: Listening on interface eth0, 172.31.1.100#123
Nov 8 11:38:05 ACS5 ntpd[29716]: kernel time sync status 0040
Nov 8 11:38:05 ACS5 ntpd[29716]: frequency initialized 0.000 PPM from /var/lib/ntp/drift
Nov 8 11:41:20 ACS5 ntpd[29716]: synchronized to LOCAL(0), stratum 10
Nov 8 11:41:20 ACS5 ntpd[29716]: kernel time sync disabled 0041
Nov 8 11:42:23 ACS5 ntpd[29716]: synchronized to 172.31.1.1, stratum 8
Nov 8 11:42:24 ACS5 ntpd[29716]: kernel time sync enabled 0001

Step 11 Connect through the GUI and install the license. Open up a web browser (IE or FF) and enter the following URL: https://172.31.1.100/acsadmin

password to Micronics1.

• Provide the license file ACS5.lic (should be on the WinXP desktop)

• Once the license file is installed, the ACS is ready for further configuration

LAB 2.4. Setup AAA clients

Objectives

This lab shows how to configure AAA clients in ACS and perform basic authentication using the RADIUS and TACACS+ protocols.

IP Addressing and devices

Device   Interface   IP address
ACS      NIC         172.31.1.100
R1       Lo0         1.1.1.1/32
         E0/0        10.1.10.1/24
         E0/1        172.31.1.1/24
SW1      Vlan10      10.1.10.7/24
WinXP    NIC         10.1.10.50/24

Task 1 – Create a user in ACS internal database

Create a new user with username student1 and password student123 in the ACS Internal Identity Store. The user should belong to the Students user group.

Configuration

Complete these steps:

Step 1 Connect to ACS from the WinXP PC and authenticate using acsadmin. Add new entry to Device Type and Location NDGs (Network Device Groups).

• Go to Users and Identity Stores > Identity Groups and click Create. Add the name Students under All Groups and click Submit.

• Go to Users and Identity Stores > Users and click Create. Add a new user with the name student1 and password student123, select Students under Identity Groups and click Submit.

Verification

Task 2 – Adding the router as AAA client in ACS

Configure the R1 router as an AAA client in ACS using TACACS+ with a secret key of cisco123. Make sure the device sources TACACS+ traffic from its Loopback0 interface and uses only one TCP connection for the whole AAA conversation.

The new AAA client should be added as Device Type = Routers in Location = HQ. Configure AAA on the router and use the test aaa command to verify your solution.

Configuration

Complete these steps:

Step 1 Connect to ACS from the WinXP PC and authenticate using acsadmin. Add new entries to the Device Type and Location NDGs (Network Device Groups).

• Go to Network Resources > Network Device Groups > Location and click Create. Add the name HQ under All Locations and click

Devices can be differentiated based on their type and/or location. There are two pre-defined containers in ACS: one for location and one for device type. This information can be used later in authorization policies, so it is recommended to add new devices to the correct categories.

• Go to Network Resources > Network Device Groups > Device Type and click Create. Add the name Routers under All Device Types and click Submit.

Step 2 Add new AAA client to the ACS.

• Go to Network Resources > Network Device and AAA Clients and click Create. Add a new client with the name R1, select Location = HQ and Device Type = Routers, configure IP address 1.1.1.1, select TACACS+ as the protocol and configure a Shared Secret of cisco123. Select the Single Connect Device option and click Submit.