CCIE Security Tutorial

(1)

CCIE Security Techtorial

TECCCIE-3001

Agenda

Section Topic

1 CCIE®_{Program Overview} 2 CCIE®_{Security Overview} 2 CCIE Security Overview

3 Core Knowledge Section Overview

4 Implement secure networks using Cisco ASA Firewalls

5 Implement secure networks using Cisco IOS Firewalls

6 Implement secure networks using Cisco VPN solutions

7 Configure Cisco IPS to mitigate network threats

8 Implement Identity Management

9 Implement Control Plane & Management Plane Security

10 Configure Advanced Security

11 Identify and Mitigate Network Attacks

(2)

Disclaimer

Not all the topics discussed today appear on every exam

For time reasons, we’re unable to discuss every feature and topic possible on the exam

Section 1

(3)

CCIEs Worldwide

Most highly respected IT certification for more than 15 years

Industry standard for validating expert skills and experiencey g p p

More than 20,000 CCIEs worldwide—less than 3% of all professionals certified by Cisco

Demonstrate strong commitment and investment to networking career, life-long learning, and dedication to remaining an active CCIE

New Certification Logos

The Learning@Cisco organization is pleased to introduce new logos for its Cisco Career Certification

https://cisco.hosted.jivesoftware.com/docs/DOC-3813

Program.

The logos were designed with input from the Cisco certified community, and represent the prestige and dedication defined by the program.

Effective January 12, 2009, all certificates and plaques include the new logos

include the new logos.

Certified individuals can access and download the logos by logging into the Certifications Tracking System at: www.cisco.com/go/certifications/login

(4)

New Certification Logos

Overview: CCIE Tracks

Routing and Switching

• Core networking cert

Security • Introduced 2002 13% f b ki Voice • Introduced 2003 16% f b ki • Core networking cert

• 64% of all bookings • Labs in all regions, all

worldwide locations

• 13% of bookings

• Labs in Beijing, Hong Kong, Brussels, RTP, San Jose, Sydney, Dubai, Bangalore and Tokyo

Service Provider Networks

• Introduced 2002

• 16% of bookings • Labs in Brussels, San

Jose, RTP, Sydney and Tokyo Storage Networking • Introduced 2004 • 1% of bookings Wireless • Introduced 2009 • Labs in Brussels and San Introduced 2002

• 6% of bookings • Labs in Brussels, Beijing,

Hong Kong, RTP, Sao Paulo, Sydney • 1% of bookings

• Labs in Brussels and RTP

Available in Six Technical Specialties

• Labs in Brussels and San Jose

(5)

CCIE Information Worldwide

Total of Worldwide CCIEs: 19,134*

Total of Routing and Switching CCIEs: 16,727 Total of Security CCIEs: 2,147

Multiple Certifications

Many CCIEs Have Gone on to Pass the Certification Exams In Additional Tracks Becoming a “Multiple Total of Service Provider CCIEs: 1,182

Total of Storage Networking CCIEs: 140

Total of Voice CCIEs: 901

Exams In Additional Tracks, Becoming a Multiple CCIE.” Below Are Selected Statistics on CCIEs Who Are Certified in More Than One Track

Total with Multiple Certifications

Worldwide: 1,974

Total of Routing and Switching and

Security CCIEs: 739

Total of Routing and Switching and

Service Provider CCIEs: 496

*Updated 23-Feb-2009

Total of Routing and Switching and Storage Networking CCIEs: 35 Total of Routing and Switching and Voice

CCIEs: 258

Total with 3 or More Certifications 316

http://www.cisco.com/web/learning/le3/ccie/certified_ccies/worldwide.html

CCIE Exam Development Process

Cisco Business Units/ Technology Groups Input Sought From:

Reaching out to Extended Team Ensures Exam Is Realistic

CCIE [Track] Program Manager

Cisco Standard Architectures (AVVID, SAFE)

Advisory Subject Matter Experts

Technical Support

TAC Cases

Technical Bulletins, Best Practices, Whitepapers

Team Ensures Exam Is Realistic and Relevant Content Advisory Group CCIE Program Input: Feedback: Exam Objectives and CCIE Written and

Lab Blueprints

Enterprise Technical Advisory Board

Focus Groups/Customer Sessions

CCIE Field Surveys

(6)

Certification Process

CCIEs must pass two exams

The written qualification exam has

The written qualification exam has 100 multiple-choice questions

The lab exam is what makes CCIE different.The full-day, hands-on lab exam tests the ability to configure and troubleshoot equipment

Not all lab exams are offered at all lab locations

Step 1: CCIE Written Exam:

#350-018

Available worldwide at any Pearson VUE testing facility for ~$350

USD. Costs may vary due to exchange rates and local taxes (VAT GST)

(VAT, GST)

Two-hour exam with 100 multiple-choice questions

Closed book; no outside reference materials allowed

Pass/fail results are available immediately following the exam; the passing score is set by statistical analysis and is subject to periodic change

W iti i d f fi l d d t t k th

Waiting period of five calendar days to retake the exam

Candidates who pass a CCIE written exam must wait a minimum of six months before taking the same number exam

From passing written, candidate “must” take first lab exam attempt within 18 months

(7)

Step 2: CCIE Lab Exam

Available in select Cisco locations for $1,400 USD, adjusted for exchange rates and local taxes where applicable, not including travel and lodging

Eight-hour exam requires working configurations and troubleshooting to demonstrate expertise

Cisco documentation available via Cisco Web; no personal materials of any kind allowed in lab

Minimum score of 80% to pass

Scores can be viewed normally online within 48 hours and failing score reports indicate areas where

additional study may be useful

Section 2

(8)

CCIE Security Overview

Security is one of the fastest-growing areas in the industry

Information security is on top agendato all organizations

There is an ever-growing demand for Security professionals in the industry

The CCIE Security certification was introduced in 2002 and has evolved into one of the industry’s most

respectedhigh-level security certifications

Just around2,200CCIE Security worldwide

Security

Advanced Technology Market Growth

Market and Job Specialization

Companies are dedicating job roles now and expecting to increase the trend within 5 years

Voice Security Wireless Gr ow th Security

From 46% dedicated now to 80% in 5 years

Voice

From 40% now to 69% in 5 years

Wireless

From 39% now to 66% in 5 years

Time

(9)

CCIE Security Written Exam

v2.0

CCIE Security Written Exam

Covers networking theory related to:

General Networking General Networking Security Protocols Application Protocols Security Technologies

Cisco Security Appliances and Apps Cisco Security Management

Cisco Security General Security Solutions Security General

(10)

CCIE Security Written Exam

The CCIE Security v2.0 written examstrengthens coverage of technologies critical to highly-secure

v2.0

enterprise networks

Topicssuch as ASA, IPS, NAC/ATD, CS-MARS, IPv6, security policies and standards are added to test candidates on the security technologies and best practices in use today

Note:Candidates who have passed v2 0 written exam

Note:Candidates who have passed v2.0 written exam can schedule their Lab for v3.0. There is no additional requirement to schedule v3.0 lab exam.

Security Written Exam:

Sample Question 1

A. Prevents DoS attacks based on ARP spoofing

B Prevents DoS attacks based on IP source spoofing Which Is a Benefit of Implementing RFC-2827?

B. Prevents DoS attacks based on IP source spoofing

C. Prevents DoS attacks based on MAC spoofing

D. Prevents leaking of Private Internet address space

E. Prevents leaking of Special-Use IPv4 Addresses

(11)

Security Written Exam:

Sample Question 2

A SSH

Which One of the Secure Access Methods Below Can CS-MARS Use to Get Configuration Information from an Adaptive Security Appliance (ASA)?

A. SSH B. SFTP C. SCP D. SSL E. HTTPS Answer is A E. HTTPS New v3.0

(12)

CCIE Security Lab Exam

Candidates build a secure network to a series of supplied specifications

The point values for each question are shown on the exam

Some questions depend upon completion of previous parts of the network

Report any suspected equipment issues to the proctor as soon as possible; adjustments cannot be made once the exam is over

Beijing RTP

Brussels

Security Lab Exam: Locations

Tokyo

+

San Jose Hong Kong

Sydney

NineWorldwide CCIE Lab Locations for Security

(13)

Security Lab Exam: Changes

The CCIE Security Lab exam content was revised and implemented worldwide on 20th April 2009, to include

New v3.0

some of the current trends and technologies in the security industry

New topicsand hardware and software upgradeshave been introduced

End-of-Life deviceswere also removed;

PIX500 d VPN3000 d

PIX500 and VPN3000 were removed

Routers were replaced with ISR series models Catalyst 3550 Switches were replaced with 3560

Security Lab Exam: Equipment

and Software Versions

New v3.0 Lab May Test Any Feature That Can Be

Configured on the Equipment and Cisco IOS Versions Listed Below, or on the CCIE Website; More Recent VersionsMayBe Installed in the

Cisco Integrated Services Routers (ISR) series running Cisco IOS version 12.4T

Cisco Catalyst 3560 series switches running 12.2SE

Cisco ASA 5500 series Firewalls running version 8.x

More Recent Versions MayBe Installed in the Lab, But You Won’t Be Tested on Them

Cisco IPS 4240 Appliance Sensor running version 6.x

Cisco Secure ACS version 4.1

Test PC for Testing and Troubleshooting

(14)

Security Lab Exam: Blueprint

1. Implement secure networks using Cisco ASA Firewalls

New v3.0

2. Implement secure networks using Cisco IOS Firewalls

3. Implement secure networks using Cisco VPN solutions

4. Configure Cisco IPS to mitigate network threats

5 Implement Identity Management solutions

5. Implement Identity Management solutions

6. Implement Control Plane & Management Plane Security

7. Configure Advanced IOS Security

8. Identify and Mitigate Network Attacks

Security Lab Exam: Pre-Configuration

Basic IP addressing, hostname, passwords The Routers and Switches in Your Topology Are Preconfigured With:

Switching: Trunking, VTP, VLANs

WAN: Frame Relay DLCI mappings, HDLC, PPP

Routing: OSPF, RIP, EIGRP, BGP

All pre-configured passwords are ‘cisco’

Occasionally, security devices may also have some

DoNotChange Any Pre-Configuration on Any Devices Unless Explicitly Stated in a Question

pre-configuration. If not, candidate is required to initialize all security devices

(15)

Security Lab Exam: Sample Topology

Context 2 Context 1 BB2 BB1 ASA Multi-Context with Failover ACS vs0 vs1 BB3 FR TEST PC PPP

Security Lab Exam: Rack and PC Access

CCIE Lab Remote Location CCIE Lab Central Location Cisco Intranet CCIE BB BB1 Rack CommSrv Candidate PC Remote GW Router Central GW Router NIC1 NIC2 BB2 TEST PC

Remote Desktop Enabled on NIC1

(16)

Security Lab Exam:

The Equipment in Rack

The equipment on the rack assigned to you is physically cabled and should notbe tampered with.

Before starting the exam, confirm working order of all devices in your rack

During the exam, if any device is locked or inaccessible for any reason, you must recover it

When finishing the exam, ensure all devices are

accessible for the grading proctor Any devices that are accessible for the grading proctor. Any devices that are not accessible for grading; can not be marked and may cause you to lose substantial points

Security Lab Exam: Grading

Proctors grade all lab exams

Automatic tools aid proctors with simple grading tasks

Automatic tools are never solely responsible for lab exam grading—proctors are

Proctors complete grading of the exam and submits the final score within 48 hours

No Partial creditawarded on questions

Points are awarded for working solutionsonly

(17)

Summary

1. Firewalls (ASA and IOSFW)

2 VPNs

Topics Covered in the Exam:

2. VPNs

3. Intrusion protection

4. Identity authentication

5. Router plane protection

6. Advanced IOS security technologies

7. Mitigation techniques to respond to network attacks

Section 3

(18)

Core Knowledge Section—Overview

Cisco CCIE team has implemented a new type of question format to the CCIE Security Lab exam called–

Core Knowledge Section a.k.a. Interview Section.

In addition to the live configuration scenarios,

candidates will be asked a series of open-ended short-answer questions, covered from the lab exam blueprint.

No new topicsare being added.

The new short-answer questions will be randomly

selected for each candidate every day

Core Knowledge Section—Why

One of the primary goals to introduce the new Core

K l d S ti i i t i it d

Why Are You Adding Short-Answer Questions to the CCIE Lab Exam?

Knowledge Section is maintain exam security and integrityand ensure only qualified candidates achieve certification.

The questions will be designed to validate concepts, theory, architecture and fundamental knowledge of products and protocols.

(19)

Core Knowledge Section—Format

Candidates will be asked four open-endedquestions, computer-delivered, drawn from a pool of questions based on the material covered on the lab exam blueprint.

Core Knowledge section format will not be multiple-choicetype questions.

Candidates will be required to type out their answers, which typically requirefive words or less

which typically require five words or less.

Candidates cannot use Cisco Documentation.

No changesare being made to the lab exam blueprint or to the length of the lab exam.

Core Knowledge Section—Time

Candidates are allowed a maximum of 30 minutesto complete the questions. The 30 minutes is inclusive in the total lengthof the lab exam.

The total length of the CCIE lab exam will remain eight hours.

Well-prepared candidates should be able to answer the questions in 15 minutes or less and move immediately to the configuration section

(20)

Core Knowledge Section—Scoring

The Core Knowledge section is scored Pass/Fail and every candidate will be required to passin order to achieve CCIE certification.

A candidate must answer at least three of the four

short-answer questions correctly to Pass the Core Knowledge section, which will be indicated with a 100% mark on the score report.

If a candidate answers fewer than three correctly the

If a candidate answers fewer than three correctly, the Core Knowledge section will be marked 0%, indicating a Fail. A 0% does not necessarily indicate the

candidate answered all the questions incorrectly.

1 2 3

Core Knowledge Section—Sample Q1

Initiator Responder Header Header SA Header Header Key Nonce HeaderSA Header 4 6 5

MSG 1: Initiator offers acceptable encryption and authentication algorithms (3DES, MD5, RSA)—i.e. the transform-set

MSG 2: Responder presents acceptance of the proposal (or not)

MSG 3: Initiator Diffie Helman key and nounce (key value is usually a number of 1024 bit l th) Initiator Responder Header Header [Cert] ID Sig HeaderNonce Key Header HeaderSig ID [Cert] Header bit length)

MSG 4: Responder Diffie Helman key and nounce

MSG 5: Initiator signature, ID and keys (maybe cert), i.e. authentication data MSG 6: Responder signature, ID and keys (maybe cert)

Which ISAKMP mode is shown above? Answer = Main Mode

(21)

Conditions for IPS signature to fire:

Version: IPv4 Protocol: TCP Port Destination: 21 String:”CWD~root”

Core Knowledge Section—Sample Q2

Hacker

Fire alarm if packet is an IPv4 TCP packet destined for port 21

@IP Dest. 10.0.0.1 Dest Port: 21

first Segment TCP xxxCWDyyy

@IP Dest. 10.0.0.1 Dest: 21

last Segment TCP yyyootzzz FTP

server @IP

@IP Dest. 10.0.0.1 Dest Port: 21

sec Segment TCP Yyy~ryyy

Target

and contains the string “CWD~root” 10.0.0.1

Which type of pattern matching must be used to mitigate this multi-vector attack?

Answer = Stateful Pattern Matching

Section 4

Implement Secure Networks Using Cisco ASA Firewalls

(22)

Exam Objectives

Perform basic firewall Initialization

Configure device management

C fi dd t l ti ( t l b l t ti )

Configure address translation (nat, global, static)

Configure ACLs

Configure IP routing

Configure object groups

Configure VLANs

Configure filtering

Configure failover

Configure Layer 2 Transparent Firewall

Configure security contexts (virtual firewall)

Configure Modular Policy Framework

Configure Application-Aware Inspection

Configure high availability solutions

Configure QoS policies

Firewall—Defined

A firewall is a security device which is configured to permit, deny or proxy data connections set by the

i ti ' it li Fi ll ith b

organization's security policy. Firewalls can either be hardware or software based

A firewall's basic task is to control trafficbetween computer networks with different zones of trust

Today’s firewalls combine multilayer stateful packet inspectionand multiprotocol application inspection

Source: Wikipedia (www.wikipedia.com)

Virtual Private Network (VPN) services and Intrusion Prevention Services (IPS) have been combined with the firewall inspection engine(s)

Despite these enhancements, the primary role of the firewall is to enforce security policy

(23)

Cisco ASA Firewall

Basic Overview

Firewall Design—Modes of Operation

Routed Mode

There Are a Variety of Choices When Designing a Firewall Deployment

Is the traditional mode of the firewall that acts as a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. Two or more interfaces that separate L3 domains. Transparent Mode

Is where the firewall acts as a bridge functioning mostly at Layer2, that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devicesp

Single Mode

Is the regular basic firewall Multi-context Mode

(24)

Interface and Security Levels

Inside Interface always has a security level of 100. Most Secure level

Outside Interface always has a security level of 0. Least Secure level

Multiple perimeter networks can exist. Use DMZ Interface. Security levels between 1–99

Initializing Cisco ASA

Firewall Mode (Router vs. Transparent)

Single vs Multiple Context

Single vs. Multiple Context

Enable/Allocate interfaces

Assign IP address for each active Interface

Un-shut Interfaces

Configure Address Translation (optional)

(25)

VLAN Interface

Virtual LANs (VLANs) are used to create separate broadcast domains within a single switched network

You can configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN

ASA supports 802.1q, allowing it to send and receive traffic for multiple VLANs on a single interface

Routing Protocols

ASA supports RIP, OSPF and EIGRProuting protocols

Practice clear text and MD5 authentication

Practice route filtering and summarization for protocols

Running multiplerouting protocols concurrently on the same Firewall is now supported

Routing protocol in multi-context mode is not supported use static routes instead

(26)

Address Translation

Dynamic translations are built using:

Network Address Translation (NAT) Subject to NAT-Control

Network Address Translation (NAT)

(one-to-one mapping)

or

Port Address Translation (PAT)

(many-to-one mapping)

Static translations are built using:

St ti d

Static command

(create permanent mapping between a local IP address and a global IP address)

Policy NAT

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses(or ports) in an access list

Regular NAT uses source addresses/ports only, whereas policy NAT uses both source and destination addresses/ports

With policy NAT, you can create multiple static

statements that identify the same local address as long statements that identify the same local address as long as the source/port and destination/port combination is unique for each statement

Use an access listwith the static command to enable policy NAT

(27)

Object Grouping

Used for simplifying complex access control policies. Object grouping provides a way to reduce the number of access rule entries required to describe complex security policies

Following types of objects:

Protocol—group of IP protocols. It can be one of the following keywords; icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol including ICMP TCP and UDP use the keyword ip protocol, including ICMP, TCP, and UDP, use the keyword ip. Service—group of TCP or UDP port numbers assigned to different services

icmp-type—group of ICMP message types to which you permit or deny access

Network—group of hosts or subnets

Basic Feature Summary:

Practice Them All

Address Translation Source/Destination NAT AAA Object Grouping VLAN RIP OSPF EIGRP Syslog j p g DHCP PPPoE URL Filtering IDS SSH Failover TCP Intercept Java Filtering ActiveX Filtering SNMP NTP Packet Capture Packet Tracer

(28)

Cisco ASA Firewall

Advanced Features

Advanced Features—Important

1. Virtual Firewall (Security Contexts)

2 Transparent Firewall

2. Transparent Firewall

3. Firewall High Availability (HA)

4. Modular Policy Framework (MPF)

(29)

Advanced Features—Important

5. No NAT-Control

Virtual Firewall

Virtualizationprovides a way to create multiple firewalls in the same physical chassis

Virtual Firewall—when a single Firewall device can support multiple contexts

A context defines connected networks and the policies that the Firewall enforces

Virtual FW allows a device to

Virtual FW allows a device to enforce many (up to 100s) policies between different networks

(30)

Virtual Firewall on ASA

Context = a virtual firewall

All virtualized firewalls must define a System context and an Admin

Admin context:

Remote root access and access to all contexts A B C Admin (mandatory) y context at a minimum System context: Virtual Firewall contexts

There is no policy inheritancebetween contexts

The system space uses the admin context for network connectivity; system space creates other contexts

System context:

Physical ports assigned

Virtual Firewall:

Multiple Security Context

Configuration

Changing single mode to Multiple Mode:

mode {single | multiple}

To Show system or Context information:

From the system execution space:

show context [[name] [detail] | count]

From a context execution space:

show context [detail]

To specify contexts’ configuration file:

config-url url

Where URL can be flash/Disk/ftp server/http server

T ll t h i l/VLAN i t f t th t t

To allocate physical/VLAN interfaces to the contexts

context {context name} allocate-interface Ethernet0 allocate-interface Ethernet1

Accessing the contexts:

changeto {system | context name}

context [name] - Changes to the context with the specified name. system - Changes to the system execution space.

(31)

Virtual Firewall:

Multiple Security Context

hostname ASA enable password cisco no mac-address auto !

admin-context admin !

context admin Sample Configuration: System Context

! interface Ethernet0/0 speed auto duplex auto ! interface Ethernet0/0.30 vlan 30 ! interface Ethernet0/0.40 vlan 40 ! allocate-interface Ethernet0/0 config-url flash:/admin.cfg ! context custA allocate-interface Ethernet0/0.30 allocate-interface Ethernet0/1 config-url flash:custA.cfg ! context custB allocate-interface Ethernet0/0.40 interface Ethernet0/1 speed auto duplex auto ! interface Ethernet0/2 speed auto duplex auto ! allocate-interface Ethernet0/2 config-url flash:custB.cfg System Context

The context is not operational until the

config-url command has been entered.

Virtual Firewall:

Multiple Security Context

ASA# changeto context custA ASA/ tA# h

ASA/custA# changeto context custB ASA/ tB# h

Context CustA Context CustB

Inside a Context

ASA/custA# show run <..>

hostname custA enable password cisco ! interface Ethernet0/0.30 nameif outside security-level 0 ip address 172.16.30.1 255.255.255.0 ! interface Ethernet0/1

ASA/custB# show run <..>

hostname custB enable password cisco ! interface Ethernet0/0.40 nameif outside security-level 0 ip address 172.16.40.1 255.255.255.0 ! interface Ethernet0/2 interface Ethernet0/1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 !

ASA/custA# changeto system ASA# interface Ethernet0/2 nameif inside security-level 100 ip address 192.168.2.1 255.255.255.0 !

ASA/custB# changeto system ASA#

(32)

Advanced Features—Important

5. No NAT-Control

Transparent Firewall Mode (L2 Firewall)

Transparent Firewalls have the capability of operating at layer 2—same level as a bridge

This Firewall is “transparent” to the data

IP addresses (the network) on either side of the Firewall are the same

Same subnetexists on inside and outside, different VLANson inside and outside

NATis now supported in Transparent Firewall (v8.0 on the ASA)

VPN traffic terminating on the firewall is not supported with the exception of management traffic ONLY

(33)

Transparent Firewall

Backbone Router Vlan 20 Vlan 30 9 HSRP, VRRP, GLBP

9 OSPF, EIGRP, RIP, etc. 9 PIM, multicast traffic 9 BPDUs, IPX, MPLS 10.1.1.2 224.0.0.x 10.1.1.2 10.1.1.3 OK if ACL permits

Routers can establish routing protocols adjacencies through the firewall

Protocols such as HSRP, VRRP, GLBP can cross the firewall

Multicast streams can also traverse the firewall

Non-IP traffic can be allowed (IPX, MPLS, BPDUs)

Router

Transparent Firewall

Sample Configuration

ciscoasa# show firewall Firewall mode: Router

ciscoasa(config)# firewall transparent

Switched to transparent mode

ciscoasa(config)# ip address 10.1.1.254 255.255.255.0 ciscoasa(config)# interface Ethernet0

ciscoasa(config-if)# nameif outside ciscoasa(config-if)# security-level 0 ciscoasa(config-if)#no shut

ciscoasa(config-if)# no shut

ciscoasa(config)# interface Ethernet1 ciscoasa(config-if)# nameif inside ciscoasa(config-if)# security-level 100 ciscoasa(config-if)# no shutdown

ciscoasa(config)# access-list 101 permit icmp any any ciscoasa(config)# access-group 101 in interface outside

(34)

Advanced Features—Important

5. No NAT-Control

New HA Feature—Interface Redundancy

Compatible with all firewall modes (routed/transparent and single/multiple) and all HA

interface Redundant1

member-interface GigabitEthernet0/1 member-interface GigabitEthernet0/2 no nameif

single/multiple) and all HA deployments (A/A and A/S)

When the active physical interface fails, traffic fails to the standby physical interface and routing adjacencies,

connection, and auth state won’t need to be relearned.

no security-level no ip address ! interface Redundant1.4 vlan 4 nameif inside security-level 100 ip address 172.16.10.1 255.255.255.0 !

Feature available on ASA5510 and above.

Sub-interfaces (dot1q) need to be built on top of the logical redundant interface, not physical member interfaces.

! interface Redundant1.10 vlan 10 nameif outside security-level 0 ip address 172.16.50.10 255.255.255.0

(35)

New HA Feature—Route Tracking

Method for tracking the availability of static routes with the ability to install a backup route should the primary route fail

Commonly used for static default routes, often in a dual ISP environment

Uses ICMP echo replies to monitor the availability of a target host, usually the next hop gateway

Can only be used in single routed mode

asa(config)# sla monitor 1234

asa(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside

asa(config-sla-monitor-echo)# frequency 3

asa(config)# sla monitor 1234 life forever start-time now asa(config)# track 1 rtr 1234 reachability

asa(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1

Firewall HA Failover: Basics

Active/standby vs. primary/ secondary

Stateful failover (optional)

A failover only occurs when either FW

determines the standby FW is healthier than the active FW Active Unit Standby Unit LAN FO Stateful

Both FWs swap MAC and IP addresses when a failover occurs

Level 1 syslogs will give reason of failover

(36)

Firewall HA—Active/Standby FO

Supported on all ASA models

ASA only supports LAN Based failover (no LAN Based failover (no serial cable).

Both platforms must be

identicalin software, licensing, memory and interfaces

Not recommended to share the state and failover link, use a dedicated link for each

Preferably these cables will be connected into the same switch with no hosts

Not recommended to use a direct connection between firewalls (i.e. straight through or X-over)

Firewall HA: Active/Active FO

Supported on all platforms except the ASA5505 ASA5505 Requires virtualization (multi-context) which requires additional licensing

Use FO Group command

Requires FO (AA) or contexts q ( ) UR license No load-balancing or load-sharing support today

(37)

Firewall HA: A/A Failover with

Asymmetric Routing Support

A/A ASR mode adds support for asymmetric traffic flows though an A/A system

Internet

though an A/A system.

A/A ASR is enabled by adding multiple A/A units to the same ASR Group.

If traffic returns via ISP-B which does not contain state info so packets are forwarded to the other member of the

ISP-A

.1 .4 .2 .3

ISP-B

to the other member of the ASR group

Inside Network B-1 Inside Network B-2 Logical1-A Logical2-S Logical1-S Logical2-A

Inside Network

.1 .4 .2 .3

Advanced Features—Important

(38)

Modular Policy Framework (MPF)

Rules

All of My Flows Were Treated Pretty Much the Same

Rules

Inside

_Outside

Granular and Flexible Policies Rules about Rules about

HTTP

Rules

Rules about

FTP

Modular Policy Framework (MPF)

There is a growing need to provide greater granularity

andflexibility in configuring network policies

For example, the ability to include destination IP

address as one of the criteria to identify traffic for Network Address Translation, or the ability to create a timeout configuration that is specific to a particular TCP application, as opposed to the current timeout scheme which applies a timeout value to all TCP applications, etc.

(39)

Modular Policy Framework (MPF)

MPF features are derived from QoS as implemented in Cisco IOS; not all features have been carried across though MPF is built on three related CLI commands …

class-map—This command identifies the traffic that needs a specific type of control. Class-maps have specific names which tie them into the policy-map

policy-map—This command describes the actions to be taken on the traffic described in the class-map. Class-maps are listed by name under the appropriate policy-map. Policy-maps have specific names too which

i h i h i li

tie them into the service-policy

service-policy—This command describes where the traffic should be intercepted for control. Only one service-policy can exist per interface. An additional service-policy, “global-service-policy,” is defined for traffic and general policy application. This policy applies to traffic on all interfaces

Modular Policy Framework (MPF)

Understand how show service-policy command works

Example shows using the flow keyword; the policies

Example shows using the flow keyword; the policies that the ASA would apply to that flow. You can use this to check that your service policy configuration will provide the services you want for specific connections.

ASA1# show service-policy flow tcp host 0.0.0.0 host YY.YY.1.1 eq 80 Global policy:

Service-policy: global_policy Class-map: WebServer

Match: access-list WebServer

Access rule: permit tcp any host YY.YY.1.1 eq www Action:

(40)

Advanced Features—Important

5. Application Firewall

6. NAT-Control

NAT Control

The security appliance has always been a device supporting, even requiring Network Address Translation

(NAT) f i fl ibilit d it

(NAT) for maximum flexibility and security.

Introduced in v7.0 is NAT as an option. Specifying NAT-CONTROL specifies the requirement to use NAT for outside communications

To enableNAT control, use the nat-controlcommand in global configuration mode

To disableNAT control, which allows inside hosts to communicate with outside networks without configuring a NAT rule, use the command, no nat-controlin global configuration mode

(41)

NAT Control

Syntax nat-control nat-control

Configuration

The nat-control statement is valid in routed firewall mode and in single and multiple security context mode.

Nonew NAT functionality is provided with this feature.

All existing NAT functionality remains the same.

NAT Control

Consider … NAT-CONTROL (v6.3 behavior)

All traffic leaving a firewall from a higher to lower security All traffic leaving a firewall from a higher to lower security interface requires a NAT/GLOBAL pair

All traffic entering a firewall from a lower to higher security requires a STATIC/ACCESS-LIST pair

All other traffic is dropped

Consider … NO NAT-CONTROL (v7.0 behavior)

All t ffi l i fi ll f hi h t l it

All traffic leaving a firewall from a higher to lower security interface moves freely

All traffic entering a firewall from a lower to higher security only requires an ACCESS-LIST

NAT/GLOBAL pairs are needed only for traffic requiring address translation

(42)

Troubleshooting Firewall

Firewall Troubleshooting Tools

Understanding the packet flow

Syslog

Debug commands

Show commands

(43)

Understanding the Packet Flow

To effectively troubleshoot a problem, one must first understand the packet path through the network

Attempt to isolate the problem down to a single device

Then perform a systematic walk of the packet path through the device to determine where the problem could be

For problems relating to the ASA, always:

Determine the flow: SRC IP, DST IP, SRC port, DST port, and protocol

Determine the interfaces through which the flow passes Note: All Firewall Issues Can Be Simplified to Two Interfaces (Ingress and Egress) and the Rules Tied to Both

1. Receive Packet 2. Ingress Interface 3. Existing Connection? 4. Permit by Inbound ACL Y No Yes 1 3 4 Existing Conn Recv Pkt Ingress Interface 2 No D

Packet Processing Flow Diagram

ACL Permit

y on Interface?

5. Match Translation Rule (NAT, Static)

6. NAT Embedded IP and Perform Security Checks/ Randomize Sequence Number 7. NAT IP Header

8. Pass Packet to Outgoing Interface

9. Layer 3 Route Lookup? Yes Yes Yes 5 6 7 NAT IP Drop No Drop No Drop L7 NAT Sec Checks Match xlate

10. Layer 2 Next Hop? 11. Transmit Packet Yes Yes Drop Drop Xmit Pkt 9 10 11 Egress Interface Header 8 Egress Interface No No

Once the Device and Flow Have Been

Identified, Walk the Path of the Packet Through the Device

L3 Route

L2 Addr

(44)

Translation and NAT Order of Operations

1. nat 0 access-list (nat-exempt) 2. Match existing xlates

3. Match static commands (first match)

a. Static NAT with and without access-list b. Static PAT with and without access-list

First Ma

t

4. Match nat commands

a. nat <id> access-list (first match)

b. nat <id> <address> <mask> (best match) i. If the ID is 0, create an identity xlate ii. Use global pool for dynamic NAT iii. Use global pool for dynamic PAT

tch

Syslog

Threedifferent syslog destinations:

Trap—Syslog server Trap Syslog server

Console—Serial console port Monitor—Telnet sessions

“Log Host” defines ASA interface, IP address, protocol and port for syslog server

Syslog standard protocol is UDP, port is 514 Note: ASA supports syslog over TCP (port 514)

Don’t forget “Logging On” to enable syslog

(45)

Logging Levels and Events

Log

Level Alert Event Messages

0 Emergencies Not used, only for RFC compliance 1 Alerts Mostly failover-related events

2 Critical Denied packets/connections

3 Errors AAA failures, CPU/memory issues, routing issues, some VPN issues

4 Warnings Denied conns due to ACL, IDS events, fragmentation OSPF errors fragmentation, OSPF errors 5 Notifications User and Session activity and firewall

configuration changes

6 Informational ACL logging, AAA events, DHCP activity, TCP/UDP connection and teardown 7 Debugging Debug events, TCP/UDP request handling,

IPSEC and SSL VPN connection information

Network

Debug ICMP Trace

Ping

Valuable tool used to troubleshoot connectivity issues Provides interface and translation information to quickly

determine flow

E h li t b li itl itt d th h ACL

ICMP echo-requestfrom inside:10.1.1.2 to 198.133.219.25ID=3239 seq=4369 length=80 ICMP echo-request: translating inside:10.1.1.2to outside:209.165.201.22

ICMP echo-replyfrom outside:198.133.219.25to 209.165.201.22 ID=3239 seq=4369 length=80 ICMP echo-reply: untranslating outside:209.165.201.22 to inside:10.1.1.2

Example of debug icmp trace output

(46)

fw# show traffic

Show Traffic

The Show Traffic Command Displays the Traffic

Received and Transmitted out Each Interface of the ASA

outside:

received (in 124.650 secs):

295468 packets 167218253 bytes

2370 pkts/sec 1341502 bytes/sec

transmitted (in 124.650 secs):

260901 packets 120467981 bytes

<..> inside:

received (in 124.650 secs):

261478 packets 120145678 bytes

transmitted (in 124.650 secs):

294649 packets 167380042 bytes

Show Local-Host

A local-host entry is created for any source IP on a higher security level interface

fw# show local-host

Interface inside: 1131 active, 2042 maximum active, 0 denied local host: <10.1.1.9>,

TCP connection count/limit = 1/unlimited TCP embryonic count = 0

TCP intercept watermark = 50

UDP connection count/limit = 0/unlimited

It groups the xlates, connections, and AAA information together

Very useful for seeing the connections terminating on servers

UDP connection count/limit = 0/unlimited AAA:

user 'cisco' at 10.1.1.9, authenticated (idle for 00:00:10) absolute timeout: 0:05:00

inactivity timeout: 0:00:00 Xlate(s):

Global 172.18.124.69 Local 10.1.1.9 Conn(s):

(47)

Show Xlate and Show Xlate Debug

show xlate [global|local <ip1[-ip2]> [netmask <mask>]] [gport |lport <port1[-port2]>] [debug]

fw# show xlate

2 in use, 2381 most used

Global 172.18.124.68 Local 10.1.1.9

PAT Global 172.18.124.65(1024) Local 10.9.9.3(11066)

fw# show xlate debug

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,g p y

o - outside, r - portmap, s - static

NAT from inside:10.1.1.9 to outside:172.18.124.68 flags - idle 0:02:03 timeout 3:00:00

TCP PAT from inside:10.9.9.3/11066 to outside:172.18.124.65/1024 flags r idle 0:00:08 timeout 0:00:30

fw# show conn Idle Time, Bytes Transferred Connection Flags

Show Conn and Show Conn Detail

TCP out 198.133.219.25:23 in 10.9.9.3:11068 idle 0:00:06 Bytes 127 flags UIO UDP out 172.18.124.1:123 in 10.1.1.9:123 idle 0:00:13 flags –

fw# show conn detail 2 in use, 64511 most used

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,

“detail” Adds Interface Names

B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete, J - GTP, j - GTP data, K - GTP t3-response k - Skinny media, M - SMTP data, m - SIP media, O - outbound data,

P - inside back connection, q - SQL*Net data, R - outside acknowledged FIN, R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN, s - awaiting outside SYN, T - SIP, t - SIP transient, U - up

TCP outside:198.133.219.25/23 inside:10.9.9.3/11068 flags UO UDP outside:172.18.124.1/123 inside:10.1.1.9/123 flags

(48)

-Outbound Connection Inbound Connection

Connection Flags: Quick Reference

TCP Flags FW Flags SYN SYN+ACK ACK Inbound Data Outbound Data FIN FIN+ACK saA A U UI UIO Uf UfFR TCP Flags FW Flags SYN SYN+ACK ACK Inbound Data Outbound Data FIN FIN+ACK saAB aB UB UIB UIOB UBF UBfFr Outside Inside Client Server Outside Inside Server Client

ACK UfFRr ACK UBfFRr

capture <capture-name> [access-list <acl-name>] [buffer <buf-size>] [ethernet-type <type>] [interface <if-name>] [packet-length <bytes>]

Packet Capture

Capture sniffs packets on an interface that match

Capture sniffs packets on an interface that match an ACL

Traffic can be captured both before and after it passes through the ASA

Key steps:

Create an ACL that will match interesting traffic

Define the capture and bind it to an access-list and interface View the capture on the ASA, or copy it off in pcap format

Outside Inside

(49)

packet-tracer input [src-interface] [protocol] [SrcAddr] [SrcPort] [DstAddr] [DstPort] detailed

Packet Tracer

Packet tracer command was introduced in v7 2

Packet-tracer command was introduced in v7.2

In addition to capturing packets, you can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly. This tool lets you do the following:

Debug all packet drops in a production network.

V if th fi ti i ki i t d d

Verify the configuration is working as intended.

Show all rules applicable to a packet, along with the CLI commands that caused the rule addition.

Show a time line of packet changes in a data path. Inject tracer packets into the data path.

Packet Tracer (Cont.)

The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance.

For example; run packet-tracer to verify NAT translation for any host accessing web server 198.133.219.25/80, then the source is translated to YY.YY.5.21.

ASA# packet-tracer input inside tcp 0.0.0.0 1025 198.133.219.25 80 <...> Phase: 6 Type: NAT Type: NAT Subtype: Result: ALLOW Config:

nat (inside) 1 access-list policynat nat-control

match ip inside 0.0.0.0 255.255.255.255 outside 198.133.219.25 255.255.255.255 dynamic translation to pool 1 (YY.YY.5.21)

translate_hits = 1, untranslate_hits = 0 Additional Information:

Dynamic translate 10.1.1.1/1025 to YY.YY.5.21/1024 using netmask 255.255.255.255 <...>

(50)

Section 5

Implement Secure Networks Using Cisco IOS Firewalls

Exam Objectives

Configure Zone-Based Firewall

Configure CBAC

Configure Layer 2 Transparent Firewall

Configure Flexible Packet Matching

Configure URL Filtering

Configure Audit

Configure Auth Proxy

Configure PAM

Configure access control

Configure performance tuning

(51)

Cisco IOS Firewall Overview

Stateful filtering

Advanced Layer 3–7 Firewall

Advanced Firewall

Application inspection (Layer 3 through Layer 7)

Application control—Application Layer Gateway (ALG) engines with wide range of protocols and applications

Built-in DoS protection capabilities

Supports deployments with Virtualization (VRFs), y ( ) transparent mode and stateful failover

IPv6 support

http://www.cisco.com/go/iosfw

Cisco IOS Zone-Based Policy

Firewall (ZFW)

(52)

Zone-Based Policy Firewall (ZFW)

Introduced in Cisco IOS v12.4(6)T, where the CBAC model is being replaced with the new configuration model that uses ZFW

Allows grouping of physical and virtual interfaces into zones

Firewall policies are applied to traffic traversing zones

Simple to add or remove interfacesand integrate into firewall policy

This new feature was added mainly to overcome the limitationsof the CBAC that was employing stateful inspection policy on an interface based model The limitation was that all traffic passing interface-based model. The limitation was that all traffic passing through the interface was subject to the same inspection policy, thereby limiting the granularity and policy enforcement particularly in scenarios where multiple interfaces existed.

With ZFW, stateful inspection can now be applied on a zone-based model. Interfaces are assigned to zones, and policy inspection is applied to traffic moving between zones.

Zone-Based Policy Firewall (ZFW)—

Security Zones and Policy

Security Zones establish the security boundaries of the network where traffic is subjected to policy restrictions as it crosses to another region within the network

another region within the network.

By default, traffic between the zones is blocked unless an explicit policy dictates the permission.

DMZ Public-DMZ _Policy DMZ-Private Policy Private-DMZ Policy Public Zone DMZ Zone Untrusted Trusted Private-Public Policy Internet Public Zone Private Zone

(53)

Zone-Based Policy Firewall (ZFW)—

Supported Features and New Syntax

Supported Features

Stateful Inspection

Application Inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP URL filtering

Per-policy parameter Transparent firewall

VRF-aware firewall (Virtual Firewall)

ZFW doesnotuse the classical CBAC ip inspect ZFW does notuse the classical CBAC ip inspect

command set.

ZFW policies are configured with the new Cisco Policy Language (CPL),which employs a hierarchical structure to define inspection for network protocols and the groups of hosts to which the inspection will be applied.

Zone-Based Policy Firewall (ZFW)—

Configuration Example

class-map type inspect match-any services match protocol tcp

!

Define Services Inspected by Policy policy-map type inspect firewall-policy

class type inspect services inspect

!

zone security private zone security public !

interface fastethernet 0/0 zone-member securityprivate

Configure Firewall Action for Traffic

Define Zones

A i I t f t

zone-member security private !

interface fastethernet 0/1 zone-member security public !

zone-pair security private-public source private destination public

service-policy type inspect firewall-policy _{Establish Zone Pair, and}

Apply Policy Assign Interfaces to

(54)

Cisco IOS Context-Based Access

Control (CBAC)

CBAC Overview

Cisco router performs traffic filtering, traffic inspection, sends alerts, and tracks audit trails

Traffic filtering

Protocol filtering based on application-layer session information. Filters packets originating in sessions from either the protected or non-protected networks, but only forwards traffic originating from protected network

Traffic inspection p

Inspects packets at a firewall interface and manages state information of TCP/UDP sessions. State information is used to create temporary openings in access lists to permit return traffic. Inspection helps prevent DoS attacks

(55)

Creating an Inspection Rule

An inspection rule specifies each application-layer protocol that is to be inspected by CBAC

Typically, only one inspection rule is defined

Inspection rule can be applied to the interface on an inbound or outbound basis

One inspection rule per interface

CBAC: Configuration Example

Access Control List (ACL) on the outside interface stops everything

access-list 101 deny ip any any log-input interface Serial0 description outside ip access-group 101 in Secured Network Unsecured Network CBAC

ip inspect name MYFW tcp ip inspect name MYFW udp interface Serial0

description outside ip inspect MYFW out

Inspected traffic will open up temporary access for return traffic

s0 e0

Internet

ACL 101 Inspect

Temporary Access Opened to Permit Matching Return Traffic (Stateful Cisco IOSFW)

(56)

Cisco IOS Layer 2 Transparent Firewall

Layer 2 Transparent Firewall

Introduces “stealth firewall” capability

No IP address associated with firewall (nothing to attack) No need to renumber or break up IP subnetsp

IOS Router is bridging between the two “halves” of the network Use Case: Firewall Between Wireless and Wired LANs

Both “wired” and wireless segments are in same subnet 192.168.1.0/24

VLAN 1 is the “private” protected network.

Wireless is not allowed to access wired LAN

192.168.1.3 Fa 0/0 VLAN 1 Wireless Transparent Firewall 192.168.1.2 Internet

(57)

Layer 2 Transparent Firewall—

Configuration Example

Security Zone Policy:

zone-pair security zone-policysource wired destination wireless

i li t i t fi ll li

Classification:

class-map type inspect match-any protocols match protocol dns

service-policy type inspect firewall-policy !

interface VLAN 1 description private interface bridge-group 1

zone-member security wired !

interface VLAN2 description public interface match protocol https

match protocol icmp match protocol imap match protocol pop3 match protocol tcp match protocol udp

Security Policy:

policy-map type inspectfirewall-policy

bridge-group 1

zone-member security wireless Layer2 Configuration: bridge configuration bridge irb

bridge 1 protocol ieee bridge 1 route ip policy-map type inspect firewall-policy

class type inspect protocols Inspect

Security Zones: zone security wired zone security wireless

(58)

URL Filtering

Control employee access to entertainment sites during work hours

Internet Usage Control

Control downloads of objectionable or offensive material, limit liabilities

Cisco IOS supports static whitelist and blacklist URL filtering External filtering servers such as Websense, Smartfilter can

be used at the corporate office, with Cisco IOS static lists as backupp Internet Web Surfing Branch Office Blocked Getwww.badsites.com

URL Filtering (Web Access Control)

URL Filtering Options

Allowed Get www.cisco.com Get www.badsites.com Get www.cisco.com Get www.badsites.com

9

Black/white lists

Third-party filter server

N2H2 Websense SmartFilter

(59)

Section 6

Implement Secure Networks Using Cisco VPN Solutions

Exam Objectives

Configure IPsec LAN-to-LAN (IOS/ASA)

Configure SSL VPN (IOS/ASA)

Configure Dynamic Multipoint VPN (DMVPN)

Configure Group Encrypted Transport (GET) VPN

Configure Easy VPN (IOS/ASA)

Configure CA (PKI)

Configure Remote Access VPN

Configure Cisco Unity Client

Configure Clientless WebVPN

Configure AnyConnect VPNConfigure AnyConnect VPN

Configure XAuth, Split-Tunnel, RRI, NAT-T

Configure High Availability

Configure QoS for VPN

Configure GRE, mGRE

Configure L2TP

(60)

This Section Is Divided into Six Parts:

1. IPsec

2 Dynamic Multipoint VPN (DMVPN)

2. Dynamic Multipoint VPN (DMVPN)

3. Group Encrypted Transport (GET) VPN

4. Easy VPN

5. SSL VPN

6. PKI (IOS CA Server)

IPSec

Part 1:

(61)

Data Security Assurance Model (CIA)

Network Security

Benefit Ensures identity Confidentiality Benefit

Ensures data privacy

Benefit Ensures data Integrity Authentication Ensures identity of originator or recipient of data Shuns Impersonation Replay

Ensures data privacy

Shuns Sniffing Replay Ensures data is unaltered during transit Shuns Alteration Replay

What Is IPsec?

A set of security protocols and algorithms used to

secure IP data at the network layer Internet Protocol Security

IPsec provides data confidentiality (encryption),

integrity(hash), authentication (signature/certificates) of IP packets while maintaining the ability to route them through existing IP networks

(62)

IKE (Phase 1) IPsec (Phase 2)

IPsec: Building a Connection

IPsec (Phase 2) Data

Two-phase protocol:

Phase 1 exchange:two peers establish a secure, authenticated channel with which to communicate; Main modeor Aggressive mode

accomplishes a Phase 1 exchange accomplishes a Phase 1 exchange

There is also a Transaction Modein between which is used for EzVPN client scenario performing XAUTH and/or Client attributes (Mode Config)

Phase 2 exchange:security associations are negotiated on behalf of IPsec services; Quick modeaccomplishes a Phase 2 exchange Each phase has its SAs: ISAKMP SA(Phase 1)

and IPsec SA(Phase 2)

Deployment Scenarios:

(63)

Site-to-Site VPN Deployment Scenarios

Basic peer-to-peer topology

Basic site-to-site IPsec configuration Basic site to site IPsec configuration Static vs. dynamic mapping

Split tunneling consideration Filtering/Access Control Crypto ACL consideration High Availability

STEP 1—IKE Phase 1 Policy

Site-2-Site Configuration 3.2.0.0/24 3.1.0.0/24 R1 R2 2.0.0.1/30 2.0.0.2/30 IPsec IP

crypto isakmp policy 1 authentication pre-shared hash sha

encr aes 128 group 2 !

crypto isakmp key 123 address 2.0.0.2

crypto isakmp policy 1 authentication pre-shared hash sha

encr aes 128 group 2 !

(64)

STEP 2—IKE Phase 2 Policy

Site-2-Site Configuration 3.2.0.0/24 3.1.0.0/24 R1 R2 2.0.0.1/30 2.0.0.2/30 IPsec IP

crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac

!

access-list 101 permit ip 3.1.0.0 0.0.0.255 3.2.0.0 0.0.0.255 !

crypto map cm 10 ipsec-isakmp set peer 2.0.0.2

t h dd 101

crypto ipsec transform-set ts esp-aes 128 esp-sha-hmac

!

access-list 101 permit ip 3.2.0.0 0.0.0.255 3.1.0.0 0.0.0.255 !

crypto map cm 10 ipsec-isakmp set peer 2.0.0.1 t h dd 101 match address 101 set transform-set ts match address 101 set transform-set ts

STEP 3—Applying the VPN Policy

Site-2-Site Configuration 3.2.0.0/24 3.1.0.0/24 R1 R2 2.0.0.1/30 2.0.0.2/30 IPsec IP interface serial 1/0 ip address 2.0.0.1 255.255.255.0 crypto map cm ! ip route 3.2.0.0 255.255.255.0 2.0.0.2 interface serial 1/0 ip address 2.0.0.2 255.255.255.0 crypto map cm ! ip route 3.1.0.0 255.255.255.0 2.0.0.1

(65)

Static vs. Dynamic Crypto Map

ISP

Static Crypto Map

crypto map vpn 10 IPSec-isakmp set peer Site_A

set transform-set … match address 101

crypto map vpn 20 IPSec-isakmp set peer Site_B

Dynamic Crypto Map

Site_A

Site B _{set transform-set …}

match address 102 Dynamic Crypto Map

crypto map vpn 10 IPSec-isamkp dynamic dynamap

crypto dynamic-map dynamap 10 set transform-set … match address … Site_B

Static vs. Dynamic Crypto Map (Cont.)

Static Crypto Map

Need to VPN peer, crypto

Dynamic Crypto Map

Only need to configure IPsec

p yp

ACL, IPsec transform-set

Use multiple crypto map instances to define multiple VPN peers

Bidirectional tunnel initiation

Requires more intensive

t d l t d

y g

transform-set,

crypto ACL is optional

One dynamic map as a template

Only the remote peer can initiate tunnel

U d h t

management, deployment and troubleshooting

Used when remote peer has dynamic IP address

Simple to manage and deploy

(66)

Split Tunneling

Definition: “Split Tunneling” Is the Ability of a Device to Forward Clear and Encrypted Traffic at the Same Time

th S I t f

over the Same Interface

In site-to-site VPN, use routing and crypto ACL to control split tunneling

Central Site Central Site

WithoutSplit Tunneling WithSplit Tunneling http://www.cisco.com/ http://www.cisco.com/

VPN Head-End VPN VPN Head-End VPN

Filtering/Access Control

When filtering at the edge there’s not much to see

IKE IKE

UDP port 500 ESP, AH

IP protocol numbers 50, 51 respectively NAT transparency-enabled

UDP port 4500

Internal access control should be implemented via the internal interface ACLs or group policy and not the crypto ACLs for performance reasons

(67)

High Availability

Common High Availability (HA) practice in conjunction with IPsec HA features

Design options

Local HA using link resiliency Local HA using HSRP and RRI Cisco IOS IPsec Stateful Failover

Geographical HA using IPsec backup peers Local/geographical HA using GRE over IPsec (dynamic routing)

Local HA Using Link Resiliency

1

Link resiliency: ISDN backup, backup Frame Relay DLCI, etc.

Choose multiple ISPs to achieve link diversity

ISPs

Use a loopback interface as the ISAKMP identity for the VPN router

Failover mechanism: backup interface, dialer watch, floating static routes

(68)

Local HA Using HSRP and RRI

(2) Router P RRI:“I can reach 10.1.1.0”

R t

(1) SA Established to Primary

Sending IKE Keepalives _{(2) Router P RRI:“I can reach 10.1.1.0”}

2 P Head-End Remote Internet 10.1.1.0/24 (3) 10.1.1.0/24 via P (8) 10.1.1.0/24 via S (5) Secondary Active

(6) New SA Established to Secondary

Sending IKE Keepalives _{(7) Router S RRI:“I Can Reach 10.1.1.0”}

= Unscheduled Immediate Memory Initialization Routine (4)

(3) 10.1.1.0/24 via P S

HSRP is enable on outside (WAN facing) interface

Cisco IOS IPsec HA enhancement features:

Allow IPsec use HSRP virtual IP as the peer address

Reverse route injection (RRI) injects IPsec remote proxy IDs into dynamic routing process

Cisco IOS IPsec Stateful Failover

3

N t

HA-1

I t l

IPsec stateful failover greatly improves failover time compared to the stateless IPSec/HSPR failure

Stateful failover for IPSec is designed to work in conjunction

Peer Net Gateway HA-2 Internal Network Internet

Stateful failover for IPSec is designed to work in conjunction with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP).

SSO allows the active and standby routers to share IKE and IPSec state information so that each router has enough information to become the active router at any time.