0 Caution - Cisco...CCIE Security Lab Workbook Volume II Solutions Guide Version 5.0 Lab 5 Copyright...

CCIE Security Lab Workbook Volume II Solutions Guide Version 5.0 Lab 5

Copyright © 2009 Internetwork Expert www.INE.com- 1 -

Task 1.1 ASA1:

Caution

Make sure to convert the firewall to transparent mode first and then configure it; otherwise all configurations will be lost and you’ll waist precious time.

! ! First convert the firewall from routed mode to transparent mode ! firewall transparent

! hostname Rack1ASA1

! ! Configure the interfaces with appropriate security levels and nameif ! interface Ethernet0/0 nameif outside no shut interface Ethernet0/1 nameif inside no shut

! ! Configure the management ip address needed so the firewall ! can actually forward traffic; configure default-route ! ip address 162.1.38.12 255.255.255.0 route outside 0 0 162.1.38.3

! ! Enable ssh access to the firewall ! domain-name INE.com crypto key generate rsa general-keys modulus 1024

! ! Allow ssh access from anywhere since there are no specific ! restrictions ! ssh 0 0 inside ssh 0 0 outside



Task 1.1 Verification

Note

Check basic connectivity and ssh into the firewall from both R3 and SW1 using default username/password of pix/cisco. Do NOT create other users as the task doesn’t specify it.

Rack1ASA1# show firewall Firewall mode: Transparent

Rack1ASA1# ping 162.1.38.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 162.1.38.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


Rack1R3#ssh -l pix 162.1.38.12

Password: Type help or '?' for a list of available commands. Rack1ASA1> en Password: Rack1ASA1#

Rack1SW1#ssh -l pix 162.1.38.12

Password: Type help or '?' for a list of available commands. Rack1ASA1> en Password: Rack1ASA1#

Task 1.2 ASA2:

hostname Rack1ASA2

! ! Configure sub-interfaces as per the diagram ! interface Ethernet0/0 no shutdown ! interface Ethernet0/0.113



vlan 113 nameif outside ip address 162.1.113.2 255.255.255.0 interface Ethernet0/1 no shut interface Ethernet0/1.100 vlan 100 nameif inside ip address 192.10.1.2 255.255.255.0

! ! Configure OSPF on the inside interface and EIGRP on the outside. ! Although it’s not mentioned in the task it is best practices ! to be as specific as possible using the “network” statements. ! router eigrp 100 no auto-summary network 162.1.113.13 255.255.255.255 ! router ospf 1 network 192.10.1.13 255.255.255.255 area 51

! ! Configure mutual redistribution between EIGRP and OSPF. For ! redistribution into OSPF put in the “subnets” keyword since there are ! classless subnets redistributed; also redistribute it as metric type ! E1 so that path cost is added to the final cost. When redistributing ! into EIGRP,remember we need either a “seed metric”, either a specific ! metric for redistributed routes. Since the task does not specify ! any, we’ll use the more specific one ! router eigrp 100 redistribute ospf 1 metric 10000 100 255 1 1500 router ospf 1 redistribute eigrp 100 metric-type 1 subnets




Note

Verify basic IP connectivity. Verify EIGRP and OSPF neighbors. Configrm that routes are learned from OSPF, EIGRP and that redistribution takes place as required in the task.


Rack1ASA2# ping 162.1.113.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 162.1.113.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 m

Rack1ASA2# show ospf neighbor

Neighbor ID Pri State Dead Time Address Interface 150.1.6.6 1 FULL/DR 0:00:30 192.10.1.6 inside

Rack1ASA2# show eigrp neighbors EIGRP-IPv4 neighbors for process 100 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 162.1.113.1 Et0/0.113 14 00:29:06 1 200 0 3

Rack1ASA2# show route inside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route

Gateway of last resort is not set

C 192.10.1.0 255.255.255.0 is directly connected, inside O 150.1.6.6 255.255.255.255 [110/11] via 192.10.1.6, 0:29:13, inside

Rack1ASA2# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area



N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route

Gateway of last resort is not set

D 162.1.13.0 255.255.255.0 [90/2170368] via 162.1.113.1, 0:30:42, outside C 162.1.113.0 255.255.255.0 is directly connected, outside

Rack1R1#show ip route eigrp D EX 192.10.1.0/24 [170/284160] via 162.1.113.2, 00:29:08, FastEthernet0/0 150.1.0.0/16 is variably subnetted, 2 subnets, 2 masks D EX 150.1.6.6/32 [170/284160] via 162.1.113.2, 00:29:08, FastEthernet0/0

Rack1R6#show ip route ospf 162.1.0.0/24 is subnetted, 2 subnets O E1 162.1.13.0 [110/21] via 192.10.1.2, 00:32:09, FastEthernet0/0 O E1 162.1.113.0 [110/21] via 192.10.1.2, 00:32:09, FastEthernet0/0

Task 1.3

Caution

Make sure that the NAT id used for PAT is smaller than the NAT id used for dynamic NAT. This is because the “network” statement used in dynamic NAT matches any subnet including 192.10.x.0/24 used for PAT. Thus, in order to change the matching preference you have to adjust the NAT identifiers.

ASA2:

! ! Configure PAT for inside 192.10.x.0/24 subnet ! nat (inside) 1 192.10.1.0 255.255.255.0 global (outside) 1 interface

! ! Configure dynamic NAT for all other networks reachable via inside ! nat (inside) 2 0.0.0.0 0.0.0.0 global (outside) 2 162.1.113.128-162.1.113.191 netmask 255.255.255.192




Note

Verify that subnet 192.10.x.0/24 gets port address translated using ASA outside interface IP address. Verify that other subnets reachable via inside get dynamic NAT translated using the specified range.

Rack1R6#telnet 162.1.113.1 Trying 162.1.113.1 ... Open

User Access Verification

Password: Rack1R1>en Password: Rack1R1#show users Line User Host(s) Idle Location 0 con 0 idle 14:49:02 * 66 vty 0 idle 00:00:00 162.1.113.13

Interface User Mode Idle Peer Address

Rack1ASA2# show conn 5 in use, 9 most used TCP outside 162.1.113.1:23 inside 192.10.1.6:64799, idle 0:01:10, bytes 461, flags UIO

Rack1ASA2# show xlate state portmap 1 in use, 1 most used PAT Global 162.1.113.13(59258) Local 192.10.1.6(64799)



Rack1R6#telnet 162.1.113.1 /source-interface loopback 0 Trying 162.1.113.1 ... Open


Password: Rack1R1>en Password: Rack1R1#show users Line User Host(s) Idle Location 0 con 0 idle 00:01:14 * 66 vty 0 idle 00:00:00 162.1.113.174

Interface User Mode Idle Peer Address

Rack1ASA2# show conn 5 in use, 9 most used TCP outside 162.1.113.1:23 inside 150.1.6.6:56999, idle 0:02:53, bytes 456, flags UIO Rack1ASA2# show xlate 1 in use, 1 most used Global 162.1.113.174 Local 150.1.6.6



Task 1.4

Caution

All requirements for this task lead us to object-groups. While this may be true, be aware that from version 8.x we have a new type of object-group called service so we can group different services. Also to use the minimum amount of configuration lines we need to use the service-object tcp-udp, instead of using 2 lines, one for TCP and one for UDP.

ASA2:

! ! Create the object-groups ! object-group service SRV_VLAN100 service-object tcp-udp service-object icmp echo

object-group network NET_VLAN100 network-object host 192.10.1.120 network-object host 192.10.1.130 network-object host 192.10.1.140

! ! Create and apply the access-list inbound on the inside interface ! access-list INSIDE_IN extended deny object-group SRV_VLAN100 object-group NET_VLAN100 any access-list INSIDE_IN extended permit ip any any access-group INSIDE_IN in interface inside


Note

For verification we need to make sure that only required traffic is prohibited from passing through the firewall. We can either configure the Test PC in VLAN 100 or temporarily modify the IP address of R6 to one of the restricted hosts in VLAN 100.

Rack1R6#show running-config interface fastEthernet 0/0 | i ip ip address 192.10.1.6 255.255.255.0 Rack1R6#telnet 162.1.113.1 Trying 162.1.113.1 ... Open




Password: Rack1R1>

Rack1R6#show running-config interface FastEthernet 0/0 | i ip ip address 192.10.1.120 255.255.255.0 Rack1R6#telnet 162.1.113.1 Trying 162.1.113.1 ... % Connection refused by remote host

Rack1ASA2# show asp drop frame acl-drop Flow is denied by configured rule (acl-drop) 1

Last clearing: Never

Rack1R6#traceroute 162.1.113.1

Type escape sequence to abort. Tracing the route to 162.1.113.1

1 * * * 2 * * * 3 * *

Rack1ASA2# show asp drop frame acl-drop Flow is denied by configured rule (acl-drop) 10

Last clearing: Never

Rack1R6#ping 163.1.113.1 re 2

Type escape sequence to abort. Sending 2, 100-byte ICMP Echos to 163.1.113.1, timeout is 2 seconds: .. Success rate is 0 percent (0/2)



Task 1.5

Note

While this may seem a simple task and it is, pay attention. Most common mistake when configuring DHCP service on ASA is not being specific. The task says to enable/configure the service for the inside users. This means that at the end of each command we need to specify the interface inside option; without it the parameters take effect for all DHCP enabled interfaces.

ASA2:

! ! Configure the dhcp server parameters and enable the server ! dhcpd address 192.10.1.64-192.10.1.127 inside dhcpd dns 192.10.1.200 192.10.1.201 interface inside dhcpd ping_timeout 100 interface inside dhcpd domain INE.com interface inside dhcpd enable inside


Note

For verification we put the TestPC in VLAN100 and configure it for DHCP.

Rack1ASA2#logging enableRack1ASA2#logging buffered debug Rack1ASA2#debug dhcpd packet

debug dhcpd packet enabled at level 1 Rack1ASA2# DHCPD: Server msg received, fip=ANY, fport=0 on inside interface DHCPD: DHCPDISCOVER received from client 0100.0c29.6a1c.aa on interface inside. DHCPD: Sending DHCPOFFER to client 0100.0c29.6a1c.aa (192.10.1.64). DHCPD: Including FQDN option name 'sc09-xp.INE.com' rcode1=0, rcode2=0 flags=0x0

DHCPD: Total # of raw options copied to outgoing DHCP message is 0. DHCPD: creating ARP entry (192.10.1.64, 000c.296a.1caa). DHCPD: unicasting BOOTREPLY to client 000c.296a.1caa (192.10.1.64). DHCPD: Server msg received, fip=ANY, fport=0 on inside interface DHCPD: DHCPREQUEST received from client 0100.0c29.6a1c.aa. DHCPD: Sending DHCPACK to client 0100.0c29.6a1c.aa (192.10.1.64). DHCPD: Including FQDN option name 'sc09-xp.INE.com' rcode1=0, rcode2=0 flags=0x0



DHCPD: Total # of raw options copied to outgoing DHCP message is 0. DHCPD: creating ARP entry (192.10.1.64, 000c.296a.1caa). DHCPD: unicasting BOOTREPLY to client 000c.296a.1caa (192.10.1.64).

Rack1ASA2#show dhcpd binding

IP address Hardware address Lease expiration Type

192.10.1.64 0100.0c29.6a1c.aa 3509 seconds Automatic

Rack1ASA2# show dhcpd state Context Configured as DHCP Server Interface inside, Configured for DHCP SERVER Interface outside, Not Configured for DHCP

Task 1.6

Caution

This task is simple as well, but be aware that EtherType access-list are connectionless. This means that, for our case, if we need to allow MPLS packets flow bi-directional (inside to outside and outside to inside) we need to apply the ethertype access-list inbound on both interfaces. EtherType access-list doesn’t follow the security-level principle as routed access-list do, like traffic is by default allowed from higher-security level to lower security-level.

ASA1:

! ! Disable mac-learning on both interfaces and add static mappings for ! R3 and SW2. These can be easily found by issuing “show interface ! Fa0/1 | i bia” on R3 and “show interface Vlan128 | i bia” on SW2 ! mac-learn outside disable mac-learn inside disable mac-address-table static outside 000f.8f14.ad21 mac-address-table static inside 000f.f703.3c00

! ! Create an object-group covering subnets behind ASA1’s inside and ! create access-list to allow telnet and icmp echo. Apply the access- ! list inbound on the outside interface. ! object-group network NET_INSIDE network-object 10.0.0.0 255.255.255.0 network-object 162.1.38.0 255.255.255.0 network-object host 150.1.8.8

access-list OUTSIDE_IN extended permit tcp any object-group NET_INSIDE eq telnet access-list OUTSIDE_IN extended permit icmp any object-group NET_INSIDE echo



access-group OUTSIDE_IN in interface outside

! ! Create EtherType access-lists to allow MPLS packets. Apply it ! inbound on both inside and outside interfaces ! access-list ETH_OUTSIDE_IN ethertype permit mpls-unicast access-list ETH_INSIDE_IN ethertype permit mpls-unicast ! access-group ETH_OUTSIDE_IN in interface outside access-group ETH_INSIDE_IN in interface inside

! ! Since ICMP is not a stateful protocol from the ASA perspective, for ! ping to be successful from inside to outside, we need to either ! allow ICMP echo in the OUTSIDE_IN access-list or inspect icmp. From ! a security point of view it’s recommended to do the inspection, but ! in the lab it would be wiser to ask the proctor. ! policy-map global_policy class inspection_default inspect icmp


Note

Verify that telnet/ping works from R3 to SW1 and vice-versa.

Rack1R3#ping 162.1.38.8

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 162.1.38.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms



Password: Rack1SW1>

Rack1SW1#ping 162.1.38.3

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 162.1.38.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms Rack1SW1#telnet 162.1.38.3 Trying 162.1.38.3 ... Open




Password: Rack1R3>

Task 1.7

Note

To effectively protect against MITM attacks using ARP we need to inspect the ARP replies and drop them if the ASA has no matching static mapping. This implies we need configuring arp-inspection with the “no-flood” option and creating static ARP mappings for both SW1 and R3.

ASA1:

! ! Configure ARP inspection on both interfaces with “no-flood” ! option ! arp-inspection outside enable no-flood arp-inspection inside enable no-flood

! ! Create static ARP mappings for SW1 and R3 since “no-flood” option ! has been configured previously ! arp inside 162.1.38.8 0012.0183.5900 arp outside 162.1.38.3 000f.8f14.ad21


Note

To make sure we still have connectivity between R3, SW1 and ASA1 we can clear existing dynamic ARP entries on SW1 and R3 and try pings. Also to simulate a MITM attack, we can temporarily modify the IP address on either SW1 or R3 and verify there is no connectivity and that ASA1 drops ARP replies.

Rack1ASA1# show arp-inspection interface arp-inspection miss ---------------------------------------------------- outside enabled no-flood inside enabled no-flood

Rack1R3#clear arp-cache interface fastEthernet 0/1



Rack1R3#ping 162.1.38.8

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 162.1.38.8, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/8 ms

Rack1SW1#clear arp-cache interface vlan 128 Rack1SW1#ping 162.1.38.3


Note

Make sure to remove the following configuration as it’s only for testing purposes.

Rack1ASA1(config)# logging enable Rack1ASA1(config)# logging buffered debugging Rack1ASA1# debug arp-inspection

Rack1SW1(config)# Rack1SW1(config)# interface Vlan128 Rack1SW1(config)# ip address 162.1.38.10 255.255.255.0

Rack1SW1#ping 162.1.38.3 re 2

Type escape sequence to abort. Sending 2, 100-byte ICMP Echos to 162.1.38.3, timeout is 2 seconds: .. Success rate is 0 percent (0/2)

Rack1ASA1# show logging | b ARP %ASA-3-322003: ARP inspection check failed for arp request received from host 0012.0183.5900 on interface inside. This host is advertising MAC Address 0012.0183.5900 for IP Address 162.1.38.10, which is not bound to any MAC Address



Task 1.8

ASA1:

! ! Configure logging levels as required by the task and enable ! timestamps ! logging timestamp logging console emergencies logging monitor errors logging trap debugging

! ! Configure logging to the syslog server and make sure debug messages ! don’t show on monitor session. ! logging host outside 162.1.38.175 logging debug-trace logging enable

! ! Configure the ASA to authenticate NTP and the NTP key ! ntp authentication-key 1 md5 * ntp authenticate ntp trusted-key 1

! ! Configure the NTP server ! ntp server 162.1.38.254 key 1 source outside

! ! Configure static ARP entries for the NAT on R3, so we can reach ! syslog and ntp servers. Otherwise ARP replies from R3 will be dropped ! by ASA1, since we have ARP inspection configured ! arp outside 162.1.38.254 000f.8f14.ad21 arp outside 162.1.38.175 000f.8f14.ad21

ASA2:

! ! Configure static PAT for ntp and syslog. Create an access-list to ! allow ntp and syslog traffic and apply it inbound on the outside ! interface ! static (inside,outside) udp 162.1.113.254 ntp 192.10.1.254 ntp netmask 255.255.255.255 static (inside,outside) udp 162.1.113.175 syslog 192.10.1.175 syslog netmask 255.255.255.255 ! access-list OUTSIDE_IN extended permit udp host 162.1.38.12 host 162.1.113.254 eq ntp



access-list OUTSIDE_IN extended permit udp host 162.1.38.12 host 162.1.113.175 eq syslog access-group OUTSIDE_IN in interface outside

R3: ! ! Configure static PAT for the already NAT’ed addresses of syslog and ! ntp servers ! interface FastEthernet0/1 ip nat outside ! interface Serial1/1.13 ip nat inside ! ip nat inside source static udp 162.1.113.175 514 162.1.38.175 514 ip nat inside source static udp 162.1.113.254 123 162.1.38.254 123


Note

Make sure logging is enabled and configured as required. Check NTP association and synchronization.

Rack1ASA1# show logging setting Syslog logging: enabled Facility: 20 Timestamp logging: enabled Standby logging: disabled Debug-trace logging: enabled Console logging: level emergencies, 0 messages logged Monitor logging: level errors, 0 messages logged Buffer logging: disabled Trap logging: level debugging, facility 20, 19 messages logged Logging to outside 162.1.38.175 History logging: disabled Device ID: disabled Mail logging: disabled ASDM logging: disabled

Rack1ASA1# show ntp status Clock is synchronized, stratum 5, reference is 162.1.38.254 nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6 reference time is af49e066.d4979bbc (15:59:34.830 UTC Thu Mar 11 1993) clock offset is -1.6795 msec, root delay is 61.49 msec root dispersion is 7892.64 msec, peer dispersion is 7890.91 msec



Rack1ASA1# show ntp associations detail

162.1.38.254 configured, authenticated, our_master, sane, valid, stratum 4 ref ID 127.127.7.1, time af49e02b.72126bfa (15:58:35.445 UTC Thu Mar 11 1993) our mode client, peer mode server, our poll intvl 64, peer poll intvl 64 root delay 0.00 msec, root disp 0.03, reach 3, sync dist 7921.692 delay 61.49 msec, offset -1.6795 msec, dispersion 7890.91 precision 2**18, version 3 org time af49e066.cc4a4a36 (15:59:34.798 UTC Thu Mar 11 1993) rcv time af49e066.d4979bbc (15:59:34.830 UTC Thu Mar 11 1993) xmt time af49e066.c4a3f580 (15:59:34.768 UTC Thu Mar 11 1993) filtdelay = 61.49 60.23 0.00 0.00 0.00 0.00 0.00 0.00 filtoffset = -1.68 -2.27 0.00 0.00 0.00 0.00 0.00 0.00 filterror = 15.63 16.60 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Task 2.1

Note

We are not allowed to use zone-based firewall or reflexive access-list so the only option left is CBAC

R4:

! ! Drop packets with ip options enabled and disable cdp on interface ! towards BB3. ! ip options drop interface FastEthernet0/0 no cdp enable

! ! Configure CBAC for udp and tcp traffic. Apply it outbound on the ! “outside” interface since we are told to use minimum configuration. ! Also for tcp inspection configure the “router-traffic” option so that ! tcp traffic initiated by R4, such as telnet, is inspected. This is ! because we are not allowed to permit telnet return traffic into an ! ACL but R4 should telnet BB3 ! ip inspect name CBAC tcp router-traffic ip inspect name CBAC udp



! ! Configure static NAT for server 10.4.4.100 ! interface FastEthernet0/0 ip nat outside interface FastEthernet0/1 ip nat inside ip nat inside source static 10.4.4.100 204.12.1.100

! ! Allow only TCP traffic not on port 25 towards 10.4.4.100. We ! are told to deny all other traffic so we need to explicitly do that ! and not rely on the default, implicit deny at the end of the acl ! ip access-list extended CBAC_IN permit tcp any host 204.12.1.100 neq 25 deny ip any any

! ! Apply the inspection and ACL. Do not send “administratively ! prohibited” messages for acl dropped packets means not to send icmp ! unreachables ! interface FastEthernet0/0 no ip unreachables ip access-group CBAC_IN in ip inspect CBAC out


Note

Verify that CDP is disabled on interface towards BB3 and that traffic with ip options set gets dropped. Verify that TCP and UDP traffic initiated from “inside” interfaces of R4 is allowed back in on the “outside” interface.

Rack1R4#show cdp interface fast0/1 FastEthernet0/1 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds Rack1R4#show cdp interface fast0/0

Rack1R4#

Rack1R5#ping 162.1.45.4




Note

To test the IP options drop, we will generate extended ICMP packets with “record route” option set and make sure its getting dropped:

Rack1R5#ping Protocol [ip]: Target IP address: 162.1.45.4 Repeat count [5]: 2 Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: record Number of hops [ 9 ]: Loose, Strict, Record, Timestamp, Verbose[RV]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 2, 100-byte ICMP Echos to 162.1.45.4, timeout is 2 seconds: Packet has IP options: Total option bytes= 39, padded length=40 Record route: <*> (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0)

Request 0 timed out Request 1 timed out Success rate is 0 percent (0/2)

Rack1R4#show ip traffic IP statistics: Rcvd: 89 total, 87 local destination 0 format errors, 0 checksum errors, 0 bad hop count 0 unknown protocol, 0 not a gateway 0 security failures, 0 bad options, 0 with options Opts: 0 end, 0 nop, 0 basic security, 0 loose source route 0 timestamp, 0 extended security, 0 record route 0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump 0 other Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble 0 fragmented, 0 fragments, 0 couldn't fragment Bcast: 0 received, 0 sent Mcast: 60 received, 101 sent Sent: 127 generated, 0 forwarded



Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency 0 no route, 0 unicast RPF, 0 forced drop 2 options denied

Note

Since BB3 has no route back to the pod, traffic initiated from behind R4 will not generate any returning packets, but we can still see if CBAC works.

Rack1R5#telnet 204.12.1.254 Trying 204.12.1.254 ... % Connection timed out; remote host not responding

Rack1R5# Rack1R4#show ip inspect sessions detailHalf-open Sessions Session 844CAF00 (162.1.0.5:34592)=>(204.12.1.254:23) tcp SIS_OPENING Created 00:00:15, Last heard 00:00:13 Bytes sent (initiator:responder) [0:0] In SID 204.12.1.254[23:23]=>162.1.0.5[34592:34592] on ACL CBAC_IN

Rack1R5#traceroute 204.12.1.254

Type escape sequence to abort. Tracing the route to 204.12.1.254

1 162.1.0.3 32 msec 28 msec 32 msec 2 162.1.0.4 56 msec 56 msec 56 msec 3 * * * 4 * Rack1R5#

Rack1R4#show ip inspect sessions detail Half-open Sessions Session 844CA970 (162.1.0.5:49162)=>(204.12.1.254:33442) udp SIS_OPENING Created 00:00:14, Last heard 00:00:14 Bytes sent (initiator:responder) [0:0] In SID 204.12.1.254[33442:33442]=>162.1.0.5[49162:49162] on ACL CBAC_IN Session 844CAC38 (162.1.0.5:49161)=>(204.12.1.254:33441) udp SIS_OPENING Created 00:00:17, Last heard 00:00:17 Bytes sent (initiator:responder) [0:0] In SID 204.12.1.254[33441:33441]=>162.1.0.5[49161:49161] on ACL CBAC_IN Session 844CA3E0 (162.1.0.5:49164)=>(204.12.1.254:33444) udp SIS_OPENING Created 00:00:08, Last heard 00:00:08 Bytes sent (initiator:responder) [0:0] In SID 204.12.1.254[33444:33444]=>162.1.0.5[49164:49164] on ACL CBAC_IN Session 844CAF00 (162.1.0.5:49160)=>(204.12.1.254:33440) udp SIS_OPENING



Created 00:00:20, Last heard 00:00:20 Bytes sent (initiator:responder) [0:0] In SID 204.12.1.254[33440:33440]=>162.1.0.5[49160:49160] on ACL CBAC_IN

Note

For testing we will put the TestPC in VLAN4 and configure it with the ip address of 10.4.4.100. We then telnet into BB3 to verify that works and then telnet back to 204.12.1.100 server on remote desktop port 3389. Then we’ll telnet to the prohibited port 25 and confirm that unreachables are not being sent.


+-----------------------------------------------------------------------+ | | | Welcome to BB3. These commands are available for use at privilege 0 | | | | ping show ip bgp | | telnet show ip bgp neighbors | | traceroute show ip bgp summary | | show ip route show ip interface brief | | show ip protocols | | | | The reference configuration for this device is available at: | | http://www.internetworkexpert.com/downloads/bb3.txt | | | +-----------------------------------------------------------------------+

SC.9.9.BB3>telnet 204.12.1.100 3389 Trying 204.12.1.100, 3389 ... Open

[Connection to 204.12.1.100 closed by foreign host] SC.9.9.BB3>

SC.9.9.BB3>telnet 204.12.1.100 25 Trying 204.12.1.100, 25 ... % Connection timed out; remote host not responding

SC.9.9.BB3>

Rack1R4#show ip interface fastEthernet 0/0 | i unreach ICMP unreachables are never sent Rack1R4#

Rack1R4#show ip traffic | section ICMP ICMP statistics: Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 0 unreachable 0 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench 0 parameter, 0 timestamp, 0 timestamp replies, 0 info request, 0 other 0 irdp solicitations, 0 irdp advertisements



Sent: 0 redirects, 0 unreachable, 0 echo, 0 echo reply 0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 0 timestamp replies 0 info reply, 0 time exceeded, 0 parameter problem 0 irdp solicitations, 0 irdp advertisements

Task 2.2

R4: ! ! Configure URL filtering, the Websense server and exclusive domains ! ip inspect name CBAC http urlfilter ip urlfilter server vendor websense 162.1.38.100 ip urlfilter source-interface Loopback0 ip urlfilter exclusive-domain permit INE.com ip urlfilter exclusive-domain permit cisco.com

! ! Create the time-range and configure the ACL to deny web traffic ! during work hours. Then apply it outbound on R4, towards BB3 ! time-range HTTP_RESTRICT periodic weekdays 7:59 to 16:59 ip access-list extended CBAC_OUT deny tcp any any eq www time-range HTTP_RESTRICT permit ip any any

interface FastEthernet0/0 ip access-group CBAC_OUT out

R6:

! ! Configure URL filtering, the Websense server and exclusive domains ! ip inspect name CBAC http urlfilter ip urlfilter server vendor websense 162.1.38.100 ip urlfilter source-interface Loopback0 ip urlfilter exclusive-domain permit INE.com ip urlfilter exclusive-domain permit cisco.com

! ! Create the time-range and configure the ACL to deny web traffic ! during work hours. Then apply it outbound on R4, towards BB3 ! time-range HTTP_RESTRICT periodic weekdays 7:59 to 16:59 ! ip access-list extended CBAC_OUT deny tcp any any eq www time-range HTTP_RESTRICT permit ip any any ! interface Serial0/0/0 ip access-group CBAC_OUT out



ip inspect CBAC out

ASA1: ! ! Configure a static route for host 10.0.0.100 ! route inside 10.0.0.100 255.255.255.255 162.1.38.8 1

! ! Create statics for host 10.0.0.100 and for R4 Loopback0 ! static (inside,outside) 162.1.38.100 10.0.0.100 netmask 255.255.255.255 static (outside,inside) 162.1.38.4 150.1.4.4 netmask 255.255.255.255

! ! Configure outside NAT for R6-Loopback0 dynamic NAT range ! nat (outside) 1 162.1.113.128 255.255.255.192 outside global (inside) 1 162.1.38.128 netmask 255.255.255.255

! ! Allow Websense traffic inbound on the outside interface. Since we ! might not know by the Websense port number we can find it out by ! issuing the “debug ip urlfilter events” on either R4 or R6: ! ! URLF:got cache idle timer event... ! URLF:Closing the socket for server (162.1.38.100:15868) ! URLF:server connecting (socket fd 0) ! URLF:received a wrong event ! access-list OUTSIDE_IN extended permit tcp host 150.1.4.4 host 162.1.38.100 eq 15868 access-list OUTSIDE_IN extended permit tcp 162.1.113.128 255.255.255.192 host 162.1.38.100 eq 15868




Note

Verify that the TCP session with Websense server has been established. Verify that port 80 is disallowed during work hours. Keep in mind that you may not have the Websense server running in the real exam.

Rack1R4#show tcp brief TCB Local Address Foreign Address (state) 8416A438 150.1.4.4.179 150.1.1.1.43647 ESTAB 84DAD248 150.1.4.4.57637 162.1.38.100.15868 ESTAB

Rack1R6#show tcp brief TCB Local Address Foreign Address (state) 484AB040 54.1.2.6.62152 54.1.2.254.179 ESTAB 484A93F0 150.1.6.6.28978 162.1.38.100.15868 ESTAB

Rack1ASA1# show xlate 3 in use, 4 most used Global 162.1.38.4 Local 150.1.4.4 Global 162.1.38.100 Local 10.0.0.100 PAT Global 162.1.38.128(6892) Local 162.1.113.152(28978) Rack1ASA1# show conn 3 in use, 4 most used TCP outside 162.1.38.4(150.1.4.4):57637 inside 10.0.0.100:15868, idle 0:00:37, bytes 0, flags UB TCP outside 162.1.38.128(162.1.113.152):28978 inside 10.0.0.100:15868, idle 0:00:50, bytes 0, flags UB

Rack1R4#show ip access-lists CBAC_OUT Extended IP access list CBAC_OUT 10 deny tcp any any eq www time-range HTTP_RESTRICT (inactive) 20 permit ip any any Rack1R4#show clock *23:08:43.410 UTC Sun Jul 19 2009

Rack1R4#clock set 10:00:00 20 Jul 2009 Rack1R4#show ip access-lists CBAC_OUT Extended IP access list CBAC_OUT 10 deny tcp any any eq www time-range HTTP_RESTRICT (active) 20 permit ip any any

Rack1R5#telnet 204.12.1.254 80 Trying 204.12.1.254, 80 ... % Destination unreachable; gateway or host down

Rack1R4#show ip access-lists interface fastEthernet 0/0 out Extended IP access list CBAC_OUT out 10 deny tcp any any eq www time-range HTTP_RESTRICT (active) (1 match) 20 permit ip any any



Task 3.1

Note

This is a classic LAN-to-LAN IPSec tunnel, however only one end (ASA2) should be able to initiate the connections. This means we need dynamic crypto on the other end.

R6: ! ! Configure R6 as NTP master ! ntp master 5

! ! Configure HTTP server for CA and configure the CA sever as well. ! ip http server crypto pki server CA issuer-name cn=CA, ou=CCIE, o=INE grant auto database url flash: no shutdown

R3:

! ! Create ISAKMP policy. Modify the DH group to match the default one in ! crypto isakmp policy 10 auth rsa-sig encr 3des hash md5 group 2

! ! Enable NTP synchronization with R6 ! ntp server 162.1.113.6 source Serial1/1.13

! ! Create the proxy ACL and transform-set ! ip access-list extended VLAN3_TO_VLAN113 permit ip 10.35.35.0 0.0.0.255 162.1.113.0 0.0.0.255 ! crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

! ! Since only ASA should be capable of initiating the tunnel, we need to ! configure a dynamic crypto-map in R3 !



crypto dynamic-map MYDYNAMIC 10 set transform-set 3DES_MD5 match address VLAN3_TO_VLAN113 ! crypto map MYMAP 10 ipsec-isakmp dynamic MYDYNAMIC ! interface Serial1/1.13 crypto map MYMAP

! ! Authenticate and enroll with the CA ! ip domain-name INE.com crypto pki trustpoint CA enrollment url http://162.1.113.6:80 crypto ca authenticate CA crypto key generate rsa general-keys modulus 512 crypto ca enroll CA

Do you want to continue with re-enrollment? [yes/no]: yes % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.

Password: Re-enter password:

% The subject name in the certificate will include: Rack1R3.INE.com % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto ca certificate CA verbose' commandwill show the fingerprint.

CRYPTO_PKI: Certificate Request Fingerprint MD5: 70E0C773 C51C83CE B9DAD6E3 34931F39 CRYPTO_PKI: Certificate Request Fingerprint SHA1: E7F774C8 985DB4D3 C183AD55 4FCEAD5A FD95B19F %PKI-6-CERTRET: Certificate received from Certificate Authority



ASA2: ! ! Enable ISAKMP on the outside interface and configure the ISAKMP ! policy ! crypto isakmp enable outside crypto isakmp policy 10 authentication rsa-sig encryption 3des hash md5 group 2

! ! Configure NTP synchronization with R6 ! ntp server 192.10.1.6 source inside

! ! Configure the proxy ACL and the transform-set ! access-list VLAN113_TO_VLAN3 extended permit ip 162.1.113.0 255.255.255.0 10.35.35.0 255.255.255.0 crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

! ! Tie the pieces into the crypto map ! crypto map MYMAP 10 match address VLAN113_TO_VLAN3 crypto map MYMAP 10 set peer 162.1.13.3 crypto map MYMAP 10 set transform-set 3DES_MD5 crypto map MYMAP interface outside

! ! Allow ASA to initiate the tunnel using certificate based- ! authentication ! crypto map MYMAP 10 set trustpoint CA

! ! Authenticate the CA and enroll with it ! crypto ca trustpoint CA enrollment url http://192.10.1.6:80 crypto key generate rsa general-keys modulus 512 crypto ca authenticate CA crypto ca enroll CA

! ! Configure the tunnel-group and specify the trust-point for ! certificate validation ! tunnel-group 162.1.13.3 type ipsec-l2l tunnel-group 162.1.13.3 ipsec-attributes peer-id-validate cert trust-point CA



! ! Create a route for VLAN3 to trigger the IPSec process ! route outside 10.35.35.0 255.255.255.0 162.1.113.1 1

! ! Permit U-turn for VPN traffic on the outside interface ! same-security-traffic permit intra-interface

! ! Configure static PAT for NTP and Certificate Enrollment from R3 to ! R6. Then permit traffic through the firewall in the outside access- ! list ! static (inside,outside) udp 162.1.113.6 ntp 192.10.1.6 ntp netmask 255.255.255.255 static (inside,outside) tcp 162.1.113.6 www 192.10.1.6 www netmask 255.255.255.255 access-list OUTSIDE_IN extended permit udp host 162.1.13.3 host 162.1.113.6 eq ntp access-list OUTSIDE_IN extended permit tcp host 162.1.13.3 host 162.1.113.6 eq www

R1:

! ! Configure the route to VLAN3 towards ASA2 so traffic from VLAN113 to ! VLAN 3 flows through the tunnel ! ip route 10.35.35.0 255.255.255.0 162.1.113.13


Note

Verify that R3 can’t initiate the tunnel. Verify packets flow through the tunnel once ASA2 initiates it.

Rack1R3#ping 162.1.113.1 source 10.35.35.3

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 162.1.113.1, timeout is 2 seconds: Packet sent with a source address of 10.35.35.3 ..... Success rate is 0 percent (0/5) Rack1R3#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status

IPv6 Crypto ISAKMP SA



Rack1R1#ping 10.35.35.3

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.35.35.3, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 88/91/93 ms Rack1R1#

Rack1ASA2# show crypto isakmp sa

Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1

1 IKE Peer: 162.1.13.3 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE Rack1ASA2#

Rack1ASA2# show crypto ipsec sa interface: outside Crypto map tag: MYMAP, seq num: 10, local addr: 162.1.113.13

access-list VLAN113_TO_VLAN3 permit ip 162.1.113.0 255.255.255.0 10.35.35.0 255.255.255.0 local ident (addr/mask/prot/port): (162.1.113.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.35.35.0/255.255.255.0/0/0) current_peer: 162.1.13.3

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0

local crypto endpt.: 162.1.113.13, remote crypto endpt.: 162.1.13.3

path mtu 1500, ipsec overhead 58, media mtu 1500 current outbound spi: F60C0F9E

inbound esp sas: spi: 0xA5FE61A0 (2784911776) transform: esp-3des esp-md5-hmac no compression in use settings ={L2L, Tunnel, } slot: 0, conn_id: 53248, crypto-map: MYMAP sa timing: remaining key lifetime (kB/sec): (4373999/3534)



IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x0000001F outbound esp sas: spi: 0xF60C0F9E (4127985566) transform: esp-3des esp-md5-hmac no compression in use settings ={L2L, Tunnel, } slot: 0, conn_id: 53248, crypto-map: MYMAP sa timing: remaining key lifetime (kB/sec): (4373999/3534) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001

Rack1R5#show ntp status Clock is synchronized, stratum 6, reference is 162.1.113.6 nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**18 reference time is CE0F48DD.AD5DFDA8 (19:49:49.677 UTC Mon Jul 20 2009) clock offset is 0.4681 msec, root delay is 92.85 msec root dispersion is 0.85 msec, peer dispersion is 0.14 msec

Rack1ASA2# show ntp status Clock is synchronized, stratum 6, reference is 192.10.1.6 nominal freq is 99.9984 Hz, actual freq is 99.9983 Hz, precision is 2**6 reference time is ce0f472a.55982fae (19:42:34.334 UTC Mon Jul 20 2009) clock offset is 1.4515 msec, root delay is 1.33 msec root dispersion is 18.01 msec, peer dispersion is 16.13 msec

Task 3.2

ASA2: ! ! Enable SSLVPN on the outside interface, specify the AnyConnect client ! location and enable it ! webvpn port 443 enable outside tunnel-group-list enable svc image flash:/anyconnect-win-2.3.0254-k9.pkg svc enable

! ! Create the Split-Tunnel list ! access-list SPLIT_TUNNEL standard permit 192.10.1.0 255.255.255.0 access-list SPLIT_TUNNEL standard permit 150.1.6.0 255.255.255.0

! ! Create a group-policy called SSLVPN and enable SVC as the tunneling ! protocol !



group-policy SSLVPN internal group-policy SSLVPN attributes vpn-tunnel-protocol svc split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT_TUNNEL

! ! Create an address pool for remote clients ! ip local pool SSLVPN 192.168.0.1-192.168.0.254 mask 255.255.255.0

! ! Configure RRI redistribution into OSPF ! router ospf 1 redistribute static subnets

! ! Configure the tunnel-group ! tunnel-group SSLVPN type remote-access tunnel-group SSLVPN general-attributes default-group-policy SSLVPN address-pool SSLVPN tunnel-group SSLVPN webvpn-attributes group-alias SSLVPN enable authentication aaa

! ! Create username/password for SSL access ! username SSLUSER password CISCO username SSLUSER attributes group-lock value SSLVPN

! ! Configure the allowed ssl encryption algorithm !

ssl encryption rc4-md5 ! ! Configure NAT exemption for VPN traffic ! access-list NAT-EXEMPTION permit ip 150.1.6.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list NAT-EXEMPTION permit ip 192.10.1.0 255.255.255.0 192.168.0.0 255.255.255.0 nat (inside) 0 access-list NAT_EXEMPTION

! ! Configure access-list Bypass for VPN connectionssv ? ! sysopt connection permit-vpn



Task 3.3 ASA2: ! ! Allow NTP and Certificate Enrollment traffic through ASA2 ! access-list OUTSIDE_IN extended permit udp host 162.1.0.5 host 162.1.113.6 eq ntp access-list OUTSIDE_IN extended permit udp host 162.1.0.4 host 162.1.113.6 eq ntp access-list OUTSIDE_IN extended permit tcp host 162.1.0.5 host 162.1.113.6 eq www access-list OUTSIDE_IN extended permit tcp host 162.1.0.4 host 162.1.113.6 eq www

R3: ! ! Configure the IPSEC profile ! crypto ipsec profile DMVPN set transform-set 3DES_MD5 set pfs group2

! ! Configure new Loopback interface ! interface Loopback2 ip address 192.168.3.3 255.255.255.0

! ! Configure the Tunnel on the HUB ! interface Tunnel0 ip address 100.100.100.3 255.255.255.0 no ip redirects ip nhrp authentication cisco ip nhrp map multicast dynamic ip nhrp network-id 1 no ip split-horizon eigrp 1 tunnel source Serial1/0.2345 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile DMVPN

! ! Enable EIGRP AS 1 on the DMVPVN cloud and advertise Loopback2 ! router eigrp 1 network 100.100.100.3 0.0.0.0 network 192.168.3.3 0.0.0.0 no auto-summary



R4:

! ! Configure NTP synchronization with R6 ! ntp server 162.1.113.6 source serial 0/0.2345

! ! Configure CA trustpoint, authenticate and enroll with it ! crypto pki trustpoint CA enrollment url http://162.1.113.6:80ip domain-name INE.com crypto ca authenticate CA crypto ca enroll CA

! ! Configure ISAKMP policy to match the one on R3 but modify the ! lifetime as the task implies. There is no need to configure another ! ISAKMP policy on R3 since lifetime gets negotiated and the lower ! value will win ! crypto isakmp policy 10 encr 3des hash md5 group 2 lifetime 43200

! ! Configure IPSec transform-set and the IPSec profile ! crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac crypto ipsec profile DMVPN set transform-set 3DES_MD5 set pfs group2

! ! Create the new Loopback2 interface ! interface Loopback2 ip address 192.168.4.4 255.255.255.0

! ! Configure the Tunnel interface ! interface Tunnel0 ip address 100.100.100.4 255.255.255.0 no ip redirects ip nhrp authentication cisco ip nhrp map multicast 162.1.0.3 ip nhrp map 100.100.100.3 162.1.0.3 ip nhrp network-id 1 ip nhrp nhs 100.100.100.3 tunnel source Serial0/0.2345 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile DMVPN




R5: ! ! Configure NTP synchronization with R6 ! ntp server 162.1.113.6 source serial 0/0.2345

! ! Configure CA trustpoint, authenticate and enroll with it ! crypto pki trustpoint CA enrollment url http://162.1.113.6:80ip domain-name INE.com crypto ca authenticate CA crypto ca enroll CA

! ! Configure ISAKMP policy to match the one in R3 but modify the ! lifetime as the task implies. There is no need to configure another ! ISAKMP policy on R3 since lifetime gets negotiated and the lower ! value will win ! crypto isakmp policy 10 encr 3des hash md5 group 2 lifetime 43200

! ! Configure IPSec transform-set and the IPSec profile ! crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac crypto ipsec profile DMVPN set transform-set 3DES_MD5 set pfs group2

! ! Create the new Loopback2 interface ! interface Loopback2 ip address 192.168.5.5 255.255.255.0

! ! Configure the Tunnel interface ! interface Tunnel0 ip address 100.100.100.5 255.255.255.0 no ip redirects ip nhrp authentication cisco



ip nhrp map multicast 162.1.0.3 ip nhrp map 100.100.100.3 162.1.0.3 ip nhrp network-id 1 ip nhrp nhs 100.100.100.3 tunnel source Serial0/0.2345 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile DMVPN



Rack1R3#show crypto isakmp sa detail Codes: C - IKE configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal X - IKE Extended Authentication psk - Preshared key, rsig - RSA signature renc - RSA encryption IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1097 162.1.0.3 162.1.0.4 ACTIVE 3des md5 rsig 2 11:59:48 Engine-id:Conn-id = SW:97

1096 162.1.0.3 162.1.0.5 ACTIVE 3des md5 rsig 2 11:57:33 Engine-id:Conn-id = SW:96

IPv6 Crypto ISAKMP SA

Rack1R3#show ip eigrp neighbors 1 IP-EIGRP neighbors for process 1 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms)Cnt Num 1 100.100.100.4 Tu0 13 00:02:02 114 5000 0 9 0 100.100.100.5 Tu0 11 00:03:57 112 5000 0 9

Rack1R3#show ip route eigrp 1 D 192.168.4.0/24 [90/297372416] via 100.100.100.4, 00:03:25, Tunnel0 D 192.168.5.0/24 [90/297372416] via 100.100.100.5, 00:05:02, Tunnel0

Rack1R3#show crypto ipsec sa peer 162.1.0.4

interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 162.1.0.3

protected vrf: (none) local ident (addr/mask/prot/port): (162.1.0.3/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (162.1.0.4/255.255.255.255/47/0)



current_peer 162.1.0.4 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 59, #pkts encrypt: 59, #pkts digest: 59 #pkts decaps: 61, #pkts decrypt: 61, #pkts verify: 61 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0

local crypto endpt.: 162.1.0.3, remote crypto endpt.: 162.1.0.4 path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0.2345 current outbound spi: 0x6E90E3CF(1854989263)

inbound esp sas: spi: 0x2CE5636A(753230698) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 39, flow_id: 39, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4530045/3351) IV size: 8 bytes replay detection support: Y Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas: spi: 0x6E90E3CF(1854989263) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 40, flow_id: 40, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4530045/3351) IV size: 8 bytes replay detection support: Y Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Rack1R3#ping 192.168.5.5 source loopback 2

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds: Packet sent with a source address of 192.168.3.3 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 112/113/116 ms Rack1R3#ping 192.168.4.4 source loopback 2

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds: Packet sent with a source address of 192.168.3.3 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 112/113/116 ms



Task 4.1

Note

We need to configure R1 with both RADIUS and TACACS+ support; RADIUS for authentication and TACACS+ for command authorization and accounting.

R1: ! ! Enable aaa. Configure a list with no authentication for console to ! avoid lockouts and the default with radius+ local fallback ! aaa new-model aaa authentication login CONSOLE none aaa authentication login default group radius local

! ! Configure tacacs+ accounting. Configure local username/password ! aaa accounting commands 15 default start-stop group tacacs+ username ADMIN password CISCO

! ! Configure console for no authentication ! line console 0 login authentication CONSOLE

! ! Configure tacacs and radius servers with different source interfaces ! so the AAA server can differentiate it ! tacacs-server host 162.1.38.100 key cisco ip tacacs source-interface Loopback0 radius-server host 162.1.38.100 key cisco ip radius source-interface Serial 0/0.13

ASA1: ! ! Since ASA1 splits the routing domain, we need static xlates for both ! R1’1 loopback and the Serial interface so that SW1 can reach them ! static (outside,inside) 162.1.38.1 150.1.1.1 netmask 255.255.255.255 static (outside,inside) 162.1.38.113 162.1.13.1 netmask 255.255.255.255

! ! Allow tacacs and radius to flow across ASA1’s outside interface ! access-list OUTSIDE_IN extended permit udp host 162.1.13.1 host 162.1.38.100 eq radius access-list OUTSIDE_IN extended permit tcp host 150.1.1.1 host 162.1.38.100 eq tacacs



AAA Server:

Step 1:

Add R1 as a RADIUS AAA Client:

Network Configuration | AAA Clients: Add/Edit | Submit + Apply



Step 2:

Add R1 as TACACS+ AAA Client:




Step 3:

Add a New User to the ACS:

User Setup | Add/Edit [ADMIN] | [Password=CISCO]




Note

Simulate connections to the AAA server and verify authentication using local database

Rack1R1#test aaa group radius server 162.1.38.100 ADMIN CISCO legacy Attempting authentication test to server-group radius using radius User was successfully authenticated.

Rack1R1#test aaa group tacacs+ ADMIN CISCO legacy Attempting authentication test to server-group tacacs+ using tacacs+ User was successfully authenticated.



Username: ADMIN Password:

Rack1R1>en Password: Rack1R1#conf t Rack1R1(config)#interface fastEthernet 0/0 Rack1R1(config-if)#end Rack1R1#exit

[Connection to 150.1.1.1 closed by foreign host]



AAA Server:

Check User Authentication Logs:

Report and Activity | Passed Authentications | Passed Authentications Active.csv



Verify Command Accounting:

Reports and Activity | TACACS+ Administration | TACACS+ Administration Active.csv

Rack1R1#conf t Enter configuration commands, one per line. End with CNTL/Z. Rack1R1(config)#interface serial 0/0.13 Rack1R1(config-subif)#shutdown Rack1R1(config-subif)#end Rack1R1#telnet 150.1.1.1 Trying 150.1.1.1 ... Open



Rack1R1>en Password: Rack1R1#



Task 4.2

Note

Configure R5 for dynamic lock-and-key access-lists. Enable listening on port 7005 for the proprietary application. Make necessary changes in ASA1.

R5: ! ! Enable aaa. Configure a list with no authentication for console to ! avoid lockouts and the default with tacacs+ ! aaa new-model aaa authentication login CONSOLE none aaa authentication login default group tacacs+

! ! Configure TACACS+ to authorize exec shell (e.g. autocommands)! aaa authorization exec default group tacacs+

! ! Dynamic ACL to control access to server! ip access-list extended PROTECT_SERVER dynamic SERVER permit tcp any host 162.1.55.100 eq 4550 deny tcp any host 162.1.55.100 eq 4550 permit ip any any

! ! Set up TACACS+ server ! tacacs-server host 162.1.38.100 key cisco ip tacacs source-interface Loopback 0 ! interface Serial 0/1 ip access-group PROTECT_SERVER in ! interface Serial 0/0.2345 ip access-group PROTECT_SERVER in ! line console 0 login authentication CONSOLE

! ! Enable the router to listen on port 7005 for telnet connections ! line vty 4 rotary 5



ASA1: static (outside,inside) 162.1.38.5 150.1.5.5 netmask 255.255.255.255 access-list OUTSIDE_IN extended permit tcp host 150.1.5.5 host 162.1.38.100 eq tacacs

AAA Server:

Step 1:

Add R5 as a TACACS+ AAA Client:




Step 2:

Add APP user, enable service shell and specify the autocommand:

User Setup | Add/Edit [APP] | [Password=CISCO]




Note

Verify connectivity to the AAA server. Telnet and on port 7005 and authenticate; next, verify that you may connect through on port 4550. Check the AAA server authentication logs.

Rack1R5#test aaa group tacacs+ APP CISCO legacy Attempting authentication test to server-group tacacs+ using tacacs+ User was successfully authenticated.

Rack1R3#telnet 162.1.55.100 4550 Trying 162.1.55.100, 4550 ... % Destination unreachable; gateway or host down

Rack1R5#show ip access-lists Extended IP access list PROTECT_SERVER 10 Dynamic SERVER permit tcp any host 162.1.55.100 eq 4550 20 deny tcp any host 162.1.55.100 eq 4550 (3 matches) 30 permit ip any any (356 matches)

Rack1R3#telnet 150.1.5.5 7005 Trying 150.1.5.5, 7005 ... Open

Username: APP Password:

[Connection to 150.1.5.5 closed by foreign host]

Rack1R3#telnet 162.1.55.100 4550 Trying 162.1.55.100, 4550 ... % Connection timed out; remote host not responding

Rack1R5#show ip access-lists Extended IP access list PROTECT_SERVER 10 Dynamic SERVER permit tcp any host 162.1.55.100 eq 4550 permit tcp host 162.1.0.3 host 162.1.55.100 eq 4550 (6 matches) 20 deny tcp any host 162.1.55.100 eq 4550 (3 matches) 30 permit ip any any (505 matches)



AAA Server

Step 1

Check User Authentication Logs

Report and Activity | Passed Authentications | Passed Authentications Active.csv



Task 4.3

Note

This task is for TACACS+ privilege level assignment. Configure R3 for TACACS+ and permit some commands to be accessible from privilege level7. Make necessary changes on ASA1.

R3: ! ! Prevent console lockouts ! aaa new-model aaa authentication login CONSOLE none aaa authentication login default group tacacs+

! ! Authorize exec privilege levels with TACACS+! aaa authorization exec default tacacs+

! ! Permit some privilege 15 commands at level 7! privilege exec level 7 configure terminal privilege configure all level 7 snmp-server

! ! Configure the tacacs server ! tacacs-server host 162.1.38.100 key cisco ip tacacs source-interface Loopback 0

! ! Apply the list with no authentication on the console ! line console 0 login authentication CONSOLE



ASA1: ! static (outside,inside) 162.1.38.103 150.1.3.3 netmask 255.255.255.255 access-list OUTSIDE_IN extended permit tcp host 150.1.3.3 host 162.1.38.100 eq tacacs

AAA Server:

Step 1:

Add R3 as a TACACS+ AAA Client:




Step 2:

Add New User:

User Setup | Add/Edit [USER1] | [Password=CISCO] TACACS+ Settings: [Shell(exec)], [+ Privilege Level = 7]



Repeat the procedure for USER2, setting Privilege Level to 0 this time.

User Setup | Add/Edit [USER2] | User Setup [Password = CISCO] TACACS+ Settings: [Shell(exec)], [Privilege Level = 0]



Task 4.3 Verifications

Note

Verify connectivity with the AAA server. Verify privilege level assignment via the TACACS+ server and confirm that necessary commands are available on privilege level 7.

Rack1R3#test aaa group tacacs+ USER1 CISCO legacy Attempting authentication test to server-group tacacs+ using tacacs+ User was successfully authenticated.

Rack1R3#test aaa group tacacs+ USER2 CISCO legacy Attempting authentication test to server-group tacacs+ using tacacs+ User was successfully authenticated.


Username: USER1 Password:

Rack1R3#show privilege Current privilege level is 7 Rack1R3#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Rack1R3(config)#? Configure commands: beep Configure BEEP (Blocks Extensible Exchange Protocol) call Configure Call parameters default Set a command to its defaults end Exit from configure mode exit Exit from configure mode help Description of the interactive help system netconf Configure NETCONF no Negate a command or set its defaults sasl Configure SASL snmp-server Modify SNMP engine parameters

Rack1R3(config)#snmp-server ? chassis-id String to uniquely identify this chassis community Enable SNMP; set community string and access privs contact Text for mib object sysContact context Create/Delete a context apart from default drop Silently drop SNMP packets enable Enable SNMP Traps engineID Configure a local or remote SNMPv3 engineID file-transfer File transfer related commands group Define a User Security Model group host Specify hosts to receive SNMP notifications ifindex Enable ifindex persistence location Text for mib object sysLocation packetsize Largest SNMP packet size



queue-length Message queue length for each TRAP host source-interface Assign an source interface system-shutdown Enable use of the SNMP reload command tftp-server-list Limit TFTP servers used via SNMP trap SNMP trap options trap-source Assign an interface for the source address of all traps trap-timeout Set timeout for TRAP message retransmissions user Define a user who can access the SNMP engine view Define an SNMP MIB view



Rack1R3>? Exec commands: <1-99> Session number to resume disable Turn off privileged commands enable Turn on privileged commands exit Exit from the EXEC help Description of the interactive help system logout Exit from the EXEC



Task 4.4

Pitfall

We need to configure R3 to do command authorization with the TACAC+ server. For that purpose, we create a command authorization set in the AAA server, being careful not to break the previous section’s requirements. Therefore, in the command authorization set we need to specify not just commands for this task (debug ip rip & undebug all), but also the commands required by the previous task (configure terminal & all snmp-server commands).

R3: ! ! Authorize & Account level 7 commands with TACACS+ ! aaa authorization commands 7 default group tacacs+ aaa accounting commands 7 default start-stop group tacacs+

! ! This is required to authorize config-mode commands ! aaa authorization config-commands

! ! Make the commands “visible” at level 7 ! They will be sent to TACACS+ for detailed authorization! privilege exec all level 7 undebug privilege exec all level 7 debug

AAA Server:

Step 1:

Create shell-command authorization set for USER1:

Shared Profile Components | Shell Command Authorization Sets | Add [USER1]

Unmatched commands = Deny

Add Commands:

cmd = “configure” , args = “permit terminal” cmd = “debug” , args = “permit ip rip” cmd = “undebug” , args = “permit all” cmd = “snmp-server”, Permit Unmatched args



Step 2:

Assign the shell-command authorization set to USER1

User Setup | Add/Edit [USER1] | TACACS+ Setting: Shell Command Authorization Set = USER1




Note

Verify that USER1 can configure both debug ip rip and undebug allcommands and the snmp-server commands from previous task. Verify that other commands are not allowed.



Rack1R3#conf t Enter configuration commands, one per line. End with CNTL/Z. Rack1R3(config)#exit Rack1R3#debug ip rip RIP protocol debugging is on

Rack1R3#undebug all All possible debugging has been turned off

Rack1R3#debug ip ospf adj Command authorization failed.

Rack1R3#conf t Rack1R3(config)#? Configure commands: beep Configure BEEP (Blocks Extensible Exchange Protocol) call Configure Call parameters default Set a command to its defaults end Exit from configure mode exit Exit from configure mode help Description of the interactive help system netconf Configure NETCONF no Negate a command or set its defaults sasl Configure SASL snmp-server Modify SNMP engine parameters

Rack1R3(config)# Rack1R3(config)#snmp-server enable traps cpu



AAA Server:

Check the command logging:

Reports and Activity | TACACS+ Administration | TACACS+ Administration Active.csv



Task 4.5 R4: aaa new-model aaa authentication login CONSOLE none aaa authentication login default group tacacs+

! ! Enable TACACS+ command authorization for privilege level 12 ! aaa authorization commands 12 default group tacacs+

! ! Make sure configuration mode commands and exec are authorized as well ! aaa authorization config-commands aaa authorization exec default group tacacs+

! ! Make some privileged commands visible at level 12 ! privilege exec level 12 configure terminal privilege exec level 12 show running-config privilege exec level 12 show running-config interface privilege configure all level 12 interface

! ! We move the “hostname” command down to level 12, thus permitting ! it to be in the running-config for the user. However, TACACS+ ! will deny any attempts to change the hostname ! privilege configure level 12 hostname privilege interface level 12 shutdown privilege interface level 12 no shutdown ! tacacs-server host 162.1.38.100 key cisco ip tacacs source-interface Loopback0 ! line console 0 login authentication CONSOLE

ASA1: access-list OUTSIDE_IN extended permit tcp host 150.1.4.4 host 162.1.38.100 eq tacacs



AAA Server:

Step 1:

Add R4 as TACACS+ AAA Client:




Step 2:

Create a new shell command authorization set named “NOC”:

Shared Profile Components | Shell Command Authorization Sets | Add

Deny Unmatched Commands and Add the following:

Cmd = “configure” , Args = “permit terminal” Cmd = “interface” , Check “Permit unmatched Args” Cmd = “no” , Args = “permit shutdown” Cmd = “show” , Args = “permit running-config” Cmd = “shutdown” , Check ”Permit unmatched Args”



Step 3:

Create a user NOC and assign shell command authorization set to it: User Setup | Add/Edit [NOC] | User Setup; [Password = CISCO]



Step 4:

Modify the Privilege Level for the new user.

TACACS+ Settings: [+Shell(exec)] , [+Privilege Level = 12]




Rack1R4#test aaa group tacacs+ NOC CISCO legacy Attempting authentication test to server-group tacacs+ using tacacs+ User was successfully authenticated.



Username: NOC Password:

Rack1R4#show privilege Command authorization failed.

Rack1R4#show running-config Building configuration...

Current configuration : 1410 bytes ! ! hostname Rack1R4 ! boot-start-marker boot-end-marker ! ! ! ! ! interface Loopback0 ip address 150.1.4.4 255.255.255.0 ! interface Loopback2 ip address 192.168.4.4 255.255.255.0 ! interface Tunnel0 ip address 100.100.100.4 255.255.255.0 no ip redirects ip nhrp authentication cisco ip nhrp map multicast 162.1.0.3 ip nhrp map 100.100.100.3 162.1.0.3 ip nhrp network-id 1 ip nhrp nhs 100.100.100.3 tunnel source Serial0/0.2345 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile DMVPN ! interface FastEthernet0/0 ip address 204.12.1.4 255.255.255.0 ip access-group CBAC_IN in ip access-group CBAC_OUT out



no ip unreachables ip inspect CBAC out ip nat outside ip virtual-reassembly duplex auto speed auto no cdp enable

Rack1R4#conf t Rack1R4(config)#hostname test Command authorization failed.

Rack1R4(config)#interface loopback2 Rack1R4(config-if)#shutdown Rack1R4(config-if)#no shutdown

Rack1R4(config-if)#ip address 5.5.5.5 255.255.255.0 Command authorization failed.

Task 5.1

R2: ! ! Enable authentication globally under the OSPF process and the ! authentication key under the interface ! router ospf 1 area 2345 authentication interface Serial0/0.2345 ip ospf authentication-key cisco

R3: ! ! Enable authentication globally under the OSPF process and set the ! authentication key under the interface ! router ospf 1 area 2345 authentication interface Serial1/0.2345 ip ospf authentication-key cisco

R4: ! ! Enable authentication globally under the OSPF process and the ! authentication key under the interface. Altough simple authentication ! is enabled globally the interface MD5 authentication will take ! precedence as is more specific ! router ospf 1 area 2345 authentication interface Serial0/0.2345 ip ospf authentication-key cisco interface Serial0/1 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 cisco



R5: ! ! Enable authentication globally under the OSPF process and the ! authentication key under the interface. Altough simple authentication ! is enabled globally the interface MD5 authentication will take ! precedence as is more specific ! router ospf 1 area 2345 authentication ! interface Serial0/0.2345 ip ospf authentication-key cisco ! interface Serial0/1 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 cisco


Rack1R5#show ip os neighbor

Neighbor ID Pri State Dead Time Address Interface 150.1.3.3 0 FULL/ - 00:01:49 162.1.0.3 Serial0/0.2345 150.1.4.4 0 FULL/ - 00:00:38 162.1.45.4 Serial0/1

Rack1R5#show ip ospf interface serial 0/1 Serial0/1 is up, line protocol is up Internet Address 162.1.45.5/24, Area 2345 Process ID 1, Router ID 150.1.5.5, Network Type POINT_TO_POINT, Cost: 9999 Transmit Delay is 1 sec, State POINT_TO_POINT Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:03 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 2/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 3 Last flood scan time is 0 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 150.1.4.4 Suppress hello for 0 neighbor(s) Message digest authentication enabled Youngest key id is 1

Rack1R5#show ip ospf interface serial 0/0.2345 Serial0/0.2345 is up, line protocol is up Internet Address 162.1.0.5/24, Area 2345 Process ID 1, Router ID 150.1.5.5, Network Type POINT_TO_MULTIPOINT, Cost: 64 Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5 oob-resync timeout 120



Hello due in 00:00:18 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 3/3, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 2 Last flood scan time is 0 msec, maximum is 5 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 150.1.3.3 Suppress hello for 0 neighbor(s) Simple password authentication enabled

Rack1R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface 150.1.5.5 0 FULL/ - 00:01:54 162.1.0.5 Serial1/0.2345 150.1.2.2 0 FULL/ - 00:01:47 162.1.0.2 Serial1/0.2345 150.1.4.4 0 FULL/ - 00:01:54 162.1.0.4 Serial1/0.2345

Rack1R3#show ip ospf interface serial 1/0.2345 Serial1/0.2345 is up, line protocol is up Internet Address 162.1.0.3/24, Area 2345 Process ID 1, Router ID 150.1.3.3, Network Type POINT_TO_MULTIPOINT, Cost: 781 Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5 oob-resync timeout 120 Hello due in 00:00:25 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/2, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 3, maximum is 5 Last flood scan time is 0 msec, maximum is 5 msec Neighbor Count is 3, Adjacent neighbor count is 3 Adjacent with neighbor 150.1.5.5 Adjacent with neighbor 150.1.2.2 Adjacent with neighbor 150.1.4.4 Suppress hello for 0 neighbor(s) Simple password authentication enabled



Task 5.2 R1: router bgp 100 no neighbor 162.1.0.4 remote-as 200 no neighbor 162.1.0.4 ebgp-multihop 1 no neighbor 162.1.0.4 next-hop self neighbor 150.1.4.4 remote-as 200 neighbor 150.1.4.4 update-source Loopback0 neighbor 150.1.4.4 ttl-security hops 2 neighbor 150.1.4.4 next-hop-self

R4: router bgp 200 no neighbor 162.1.13.1 remote-as 100 no neighbor 162.1.13.1 ebgp-multihop 1 no neighbor 162.1.13.1 next-hop-self neighbor 150.1.1.1 remote-as 100 neighbor 150.1.1.1 update-source Loopback0 neighbor 150.1.1.1 ttl-security hops 2 neighbor 150.1.1.1 next-hop self

Task 5.2 Verification Rack1R1#show ip bgp neighbors 150.1.4.4 | section TTL Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255

Rack1R4#show ip bgp neighbors 150.1.1.1 | section TTL Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255

Task 5.3

R6:

! ! Configure thresholds as specified and enable the ! respective SNMP traps ! process cpu threshold type total rising 75 interval 10 falling 30 interval 10 memory free low-watermark processor 5000 snmp-server enable traps cpu snmp-server enable traps memory

! ! Configure logging to the AAA server but use TCP for transport ! logging host 162.1.38.100 transport tcp



ASA1: ! ! Allow TCP syslog traffic from R6 to reach the AAA server ! access-list OUTSIDE_IN extended permit tcp 162.1.113.128 255.255.255.192 host 162.1.38.100 eq 601

Task 5.4

Caution

The feature works only with local or AAA authentication and not with line password authentication.

R6: ! ! Configure the access-list for exemption from blocking ! access-list 1 permit 192.10.1.0 0.0.0.255

! ! Configure the feature as required ! login block-for 600 attempts 3 within 60 login quiet-mode access-class 1 login on-failure log every 5 login delay 3 ! ! Create a local username/password and enable local authentication on ! VTY lines ! username cisco password cisco line vty 0 988 login local




Note

Try failing login authentication 3 times in the given 60 seconds. Verify that logins are blocked except from sources in list 1 as the router enter quiet mode.

Rack1R6#telnet 150.1.6.6 /source-interface Loopback0 Trying 150.1.6.6 ... Open


Username: c Password: % Login invalid


Username: c Password:

%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 21 secs, [user: c] [Source: 150.1.6.6] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: 1] at 20:23:01 UTC Tue Jul 21 2009 [Connection to 150.1.6.6 closed by foreign host]

Rack1R6#telnet 150.1.6.6 Trying 150.1.6.6 ... % Connection refused by remote host

Note

While in the quite mode of 600 seconds verify that logins sourced from subnet 192.10.1.0/24 are allowed

Rack1R6#show login A login delay of 3 seconds is applied. Quiet-Mode access list 1 is applied. Every 5 failed login is logged.

Router enabled to watch for login Attacks. If more than 3 login failures occur in 60 seconds or less, logins will be disabled for 600 seconds.

Router presently in Quiet-Mode. Will remain in Quiet-Mode for 483 seconds. Restricted logins filtered by applied ACL 1.





Username: cisco Password: Rack1R6>en Password: Rack1R6#

Rack1R6#show login failures Total failed logins: 6 Detailed information about last 50 failures

Username SourceIPAddr lPort Count TimeStamp c 150.1.6.6 23 6 20:23:01 UTC Tue Jul 21 2009

Note

Try 2 more failed logins to verify that the 5th one gets logged on the console.










%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: c] [Source: 192.10.1.6] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 20:30:57 UTC Tue Jul 21 2009


Task 5.4

Note

We configure IP source tracking feature to back-track the attack to its source..

R3: ! ! Configure and limit the number of tracked addresses to 100 ! ip source-track 162.1.55.100 ip source-track address-limit 100






Note

Assign the TestPC to VLAN55 for verification purposes.

Rack1R5#ping 162.1.55.100


Rack1R4#ping 162.1.55.100


Rack1R3#ping 162.1.55.100


Rack1R5#show ip source-track 162.1.55.100 Address SrcIF Bytes Pkts Bytes/s Pkts/s 162.1.55.100 Se0/0.2345 1500 15 14 0

Task 6.1

Note

The task prompts us to use virtual sensors in order to split policy configuration. Also, we need static NAT entries in ASA1/ASA2 to manage the IPS sensor.

! ! Perform basic sensor initialization ! ips# setup

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help. User ctrl-c to abort configuration dialog at any prompt.



Default settings are in square brackets '[]'.

Current Configuration:

service host network-settings host-ip 1.1.1.1/24,1.1.1.254 host-name ips telnet-option disabled ftp-timeout 300 no login-banner-text exit time-zone-settings offset 0 standard-time-zone-name UTC exit summertime-option disabled ntp-option disabled exit service web-server port 443 exit service event-action-rules rules0 overrides override-item-status Enabled risk-rating-range 90-100 exit exit

Setup Configuration last modified: Mon

Continue with configuration dialog?[yes]: yes Enter host name[ips]: Rack1IPS Enter IP interface[1.1.1.1/24,1.1.1.254]: 192.10.1.10/24,192.10.1.13 Enter telnet-server status[disabled]: Enter web-server port[443]: 80 Modify current access list?[no]: yes Current access list entries: No entries Permit: 192.10.1.0/24 Permit: 162.1.38.100/32 Permit: Modify system clock settings?[no]: Modify interface/virtual sensor configuration?[no]: Modify default threat prevention settings?[no]:

The following configuration was entered.

service host network-settings host-ip 192.10.1.10/24,192.10.1.13 host-name Rack1IPS telnet-option disabled



access-list 162.1.38.100/32 access-list 192.10.1.0/24 ftp-timeout 300 no login-banner-text exit time-zone-settings offset 0 standard-time-zone-name UTC exit summertime-option disabled ntp-option disabled exit service web-server port 80 exit service event-action-rules rules0 overrides override-item-status Enabled risk-rating-range 90-100 exit exit [0] Go to the command prompt without saving this config. [1] Return back to the setup without saving this config. [2] Save this configuration and exit setup.

Enter your selection[2]: 2 Configuration Saved. *03:12:34 UTC Tue Jul 21 2009 Modify system date and time?[no]: no

! ! Disable the HTTPS service ! ips# conf t ips(config)# service web-serverips(config-web)# enable-tls falsei ps(config-web)# exit Apply Changes?[yes]: yesips(config)#

! ! Configure VLAN groups ! ips# conf t ips(config)# service interface ips(config-int)# physical-interface gigabitethernet0/0 ips(config-int-phy)# admin-state enabled ips(config-int-phy)# subinterface-type vlan-group ips(config-int-phy-vla)# subinterface 1 ips(config-int-phy-vla-sub)# vlans range 666 ips(config-int-phy-vla-sub)# exit ips(config-int-phy-vla)# subinterface 2 ips(config-int-phy-vla-sub)# vlans range 113 ips(config-int-phy-vla-sub)# exit ips(config-int-phy-vla)# exit ips(config-int-phy)# exit ips(config-int)# exit



Apply Changes?[yes]: yes

! ! Configure virtual-sensors and map VLAN groups ! ips(config)# service analysis-engine ips(config-ana)# virtual-sensor vs0 ips(config-ana-vir)# physical-interface gigabitEthernet0/0 subinterface-number 1 ips(config-ana-vir)# exit ips(config-ana)# virtual-sensor vs1 ips(config-ana-vir)# physical-interface gigabitEthernet0/0 subinterface-number 2 ips(config-ana-vir)# exit ips(config-ana)# exit Apply Changes?[yes]: yes

SW1: ! ! Since the sensing interface is on SW2 we need RSPAN session ! vlan 666 remote-span monitor session 1 source vlan 100 rx monitor session 1 destination remote vlan 666 reflector-port Gi0/1

SW2: ! ! Use the local VLAN SPAN session in SW2 to direct traffic for ! both VLANs to the sensor ! monitor session 1 source vlan 113 , 666 rx monitor session 1 destination interface fastEthernet 0/10 encapsulation dot1q

ASA1: static (outside,inside) tcp 162.1.38.10 80 162.1.113.10 80

ASA2: ! ! static (inside,outside) tcp 162.1.113.10 80 192.10.1.10 80 access-list OUTSIDE_IN extended permit tcp host 162.1.38.100 host 162.1.113.10 eq 80



Task 6.1 Verification ips(config)# service analysis-engine ips(config-ana)# show settings global-parameters ----------------------------------------------- ip-logging ----------------------------------------------- max-open-iplog-files: 20 <defaulted> ----------------------------------------------- ----------------------------------------------- virtual-sensor (min: 1, max: 255, current: 2) ----------------------------------------------- <protected entry> name: vs0 ----------------------------------------------- description: default virtual sensor <defaulted> signature-definition: sig0 <protected> event-action-rules: rules0 <protected> anomaly-detection ----------------------------------------------- anomaly-detection-name: ad0 <protected> operational-mode: detect <defaulted> ----------------------------------------------- physical-interface (min: 0, max: 999999999, current: 1) ----------------------------------------------- name: GigabitEthernet0/0 subinterface-number: 1 default: 0 ----------------------------------------------- ----------------------------------------------- logical-interface (min: 0, max: 999999999, current: 0) ----------------------------------------------- ----------------------------------------------- inline-TCP-session-tracking-mode: virtual-sensor <defaulted> ----------------------------------------------- name: vs1 ----------------------------------------------- description: <defaulted> signature-definition: sig0 <defaulted> event-action-rules: rules0 <defaulted> anomaly-detection ----------------------------------------------- anomaly-detection-name: ad0 <defaulted> operational-mode: detect <defaulted> ----------------------------------------------- physical-interface (min: 0, max: 999999999, current: 1) ----------------------------------------------- name: GigabitEthernet0/0 subinterface-number: 2 default: 0 ----------------------------------------------- ----------------------------------------------- logical-interface (min: 0, max: 999999999, current: 0) ----------------------------------------------- ----------------------------------------------- inline-TCP-session-tracking-mode: virtual-sensor <defaulted> -----------------------------------------------



-----------------------------------------------

ips(config)# service interface ips(config-int)# show settings physical-interfaces (min: 0, max: 999999999, current: 2) ----------------------------------------------- <protected entry> name: GigabitEthernet0/0 ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: enabled default: disabled duplex: auto <defaulted> speed: auto <defaulted> default-vlan: 0 <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- vlan-group ----------------------------------------------- subinterface (min: 1, max: 255, current: 2) ----------------------------------------------- subinterface-number: 1 ----------------------------------------------- description: <defaulted> vlans ----------------------------------------------- range: 666 ----------------------------------------------- ----------------------------------------------- subinterface-number: 2 ----------------------------------------------- description: <defaulted> vlans ----------------------------------------------- range: 113 ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- <protected entry> name: GigabitEthernet0/1 <defaulted> ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: disabled <protected> duplex: auto <defaulted> speed: auto <defaulted> default-vlan: 0 <protected>



alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- subinterface-type ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- command-control: GigabitEthernet0/1 <protected> inline-interfaces (min: 0, max: 999999999, current: 0) ----------------------------------------------- ----------------------------------------------- bypass-mode: auto <defaulted> interface-notifications ----------------------------------------------- missed-percentage-threshold: 0 percent <defaulted> notification-interval: 30 seconds <defaulted> idle-interface-delay: 30 seconds <defaulted> -----------------------------------------------



Note

Make sure you can access the IPS sensor via HTTP and start the IDM:



Note

You may want to enable the IPS Signature 2004 in order to test if the IPS actually receives the spanned traffic.


Rack1ASA2# ping 192.10.1.6 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.10.1.6, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms Rack1ASA2#



Task 6.2

! ! Tune the existing signature in the new sig1 signature set.! Rack1IPS# conf t Rack1IPS(config)# service signature-definition sig1 Rack1IPS(config-sig)# signatures 2150 0 Rack1IPS(config-sig-sig)# engine atomic-ip Rack1IPS(config-sig-sig-ato)# event-action log-victim-packets Rack1IPS(config-sig-sig-ato)# event-action request-block-host Rack1IPS(config-sig-sig-ato)# exit Rack1IPS(config-sig-sig)# status Rack1IPS(config-sig-sig-sta)# enabled true Rack1IPS(config-sig-sig-sta)# exit Rack1IPS(config-sig-sig)# exit Rack1IPS(config-sig)# exit Apply Changes?[yes]: yes

! ! Assign the new set to vs1 ! Rack1IPS# conf t Rack1IPS(config)# service analysis-engine Rack1IPS(config-ana)# virtual-sensor vs1 Rack1IPS(config-ana-vir)# signature-definition sig1 Rack1IPS(config-ana-vir)# exit Rack1IPS(config-ana)# exit Apply Changes?[yes]: yes

! ! Configure the access-profile for the ASA and add it as a blocking ! device ! Rack1IPS# conf t Rack1IPS(config)# service network-access Rack1IPS(config-net)# user-profiles ASA2 Rack1IPS(config-net-use)# password Enter password[]: cisco Re-enter password: cisco Rack1IPS(config-net-use)# exit Rack1IPS(config-net)# firewall-devices 192.10.1.13 Rack1IPS(config-net-fir)# communication ssh-3des Rack1IPS(config-net-fir)# nat-address 162.1.113.10 Rack1IPS(config-net-fir)# profile-name ASA2 Rack1IPS(config-net-fir)# exit Rack1IPS(config-net)#exit Apply Changes:?[yes] : yes



Note

Configure ASA2 to allow ssh connections coming from IPS management interface. Add ASA2’s SSH public key to the IPS known hosts database.

ASA2:

! ! Allow ssh connections coming from IPS ! ssh 192.10.1.10 255.255.255.255 inside




Note

For verification generate large ICMP packets off ASA2 across both inside and outside interfaces and verify that only the outside attackers are shunned.

Rack1ASA2# ping 162.1.113.1 size 2000 Type escape sequence to abort. Sending 5, 2000-byte ICMP Echos to 162.1.113.1, timeout is 2 seconds: ????? Success rate is 0 percent (0/5) Rack1ASA2# show shun shun (outside) 162.1.113.1 0.0.0.0 0 0 0 Rack1ASA2# ping 192.10.1.6 size 2000 Type escape sequence to abort. Sending 5, 2000-byte ICMP Echos to 192.10.1.6, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms Rack1ASA2# show shun shun (outside) 162.1.113.1 0.0.0.0 0 0 0

Rack1ASA2# show ssh sess

SID Client IP Version Mode Encryption Hmac State Username 0 192.10.1.10 1.5 - 3DES - SessionStarted pix



Task 6.3

Note

We need to create a “String TCP” signature and match on the message that IOS routers give when a failed authentication takes place. The message is “% Login invalid”. Make sure to create the signature in sig0, the signature definition for the VS corresponding to the inside of ASA2. Change the default block duration from 15 minutes.

! ! Configure the signature to match packets coming “from the service”. ! Specify the event-count to be 4 in interval 60 for the signature to ! fire ! Rack1IPS(config)# service signature-definition sig0 Rack1IPS(config-sig)# signatures 60001 0 Rack1IPS(config-sig-sig)# engine string-tcp Rack1IPS(config-sig-sig-str)# event-action request-block-host Rack1IPS(config-sig-sig-str)# service-ports 23 Rack1IPS(config-sig-sig-str)# direction from-service Rack1IPS(config-sig-sig-str)# regex-string ..Login.invalid Rack1IPS(config-sig-sig-str)# exit Rack1IPS(config-sig-sig)# event-counter Rack1IPS(config-sig-sig-eve)# event-count 4 Rack1IPS(config-sig-sig-eve)# specify-alert-interval yes Rack1IPS(config-sig-sig-eve-yes)# alert-interval 60 Rack1IPS(config-sig-sig-eve-yes)# exit Rack1IPS(config-sig-sig-eve)# exit Rack1IPS(config-sig-sig)# exit Rack1IPS(config-sig)# exit Apply Changes?[yes]: yes




Note

For verification we’ll telnet from R6 to BB1 and then telnet back to R6 with wrong username/password combination 4 times in 60 seconds. Then we’ll look for the “shun” installed in ASA2 and check the blocked hosts in the IPS.


+-----------------------------------------------------------------------+ | | | Welcome to BB2. These commands are available for use at privilege 0 | | | | ping show ip bgp | | telnet show ip bgp neighbors | | traceroute show ip bgp summary | | show ip route show ip interface brief | | show ip protocols | | | | The reference configuration for this device is available at: | | http://www.internetworkexpert.com/downloads/bb2.txt | | | +-----------------------------------------------------------------------+

SC.9.9.BB2>telnet 192.10.1.6 Trying 192.10.1.6 ... Open


Username: c Password: % Login invalid SC.9.9.BB2>telnet 192.10.1.6 Trying 192.10.1.6 ... Open









Rack1ASA2# show shun shun (inside) 192.10.1.254 0.0.0.0 0 0 0

Rack1ASA2# show ssh sess

SID Client IP Version Mode Encryption Hmac State Username 0 192.10.1.10 1.5 - 3DES - SessionStarted pix

IDM:



Task 6.4

Note

It’s important to understand from the task that the anomaly detection feature should be enabled only for the inside interface of the ASA. So we need to create an additional anomaly detection policy called ad1 and assign it to vs1 virtual sensor. Then anomaly detection tuning for this task will be done on ad0, which is by default assigned to vs0.

IDM:

Step 1:

Navigate to Anomaly Detection then click the Add button and give the name ad1 to the new policy.



Step 2:

Navigate to Virtual Sensors select Edit and then select vs1. Assign the ad1 policy to vs1.



Note

Configure the zones next. Select ad0, configure the Internal Zone with the 192.10.1.0/24 subnet; then go to TCP protocol and modify the threshold for port 3389; After that, modify histogram thresholds for UDP port 135



Note

Add RFC 1918 addresses range to the “Illegal” zone.



Note

We are told to configure the Ethernet segments on the outside of the firewall as external subnets. By default all subnets, unless assigned to Internal/Illegal zone are included in the External zone. Thus, in order to remove the AAA server’s VLAN from External zone we would need to add it to the Internal zone.

as



Task 6.5

R6: ! ! Specify the IPS signature location. ! ip ips config location flash:ips

! ! Enable IOS basic set of signatures ! ip ips signature-category category ios_ips basic retired false category all retired true

! ! Disable signature 3106 ! ip ips signature-definition signature 3106 0 status retired true

! ! Tune ICMP echo and ICMP echo-reply signatures to produce high ! security alerts ! ip ips signature-definition signature 2000 0 alert-severity high signature 2004 0 alert-severity high

! ! Enable SDEE events reporting ! ip ips notify SDEE

! ! Set TVR to maximum for subnet 192.10.1.0/24 ! ip ips event-action-rules target-value high target-address 192.10.1.0/24

! ! Inspect packets only for subnet 162.1.0.0/16. Apply inspection ! inbound on connection to BB1 ! ip access-list standard IPS permit 162.1.0.0 0.0.255.255 ip ips name IPS list IPS interface Serial0/0/0 ip ips IPS in




Rack1R6#show ip ips configuration

IPS Signature File Configuration Status Configured Config Locations: flash:ips/ Last signature default load time: 23:09:33 UTC Jul 21 2009 Last signature delta load time: 02:05:27 UTC Jul 22 2009 Last event action (SEAP) load time: 02:08:32 UTC Jul 22 2009

General SEAP Config: Global Deny Timeout: 3600 seconds Global Overrides Status: Enabled Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status Event notification through syslog is enabled Event notification through SDEE is enabled

IPS Signature Status Total Active Signatures: 2 Total Inactive Signatures: 1

IPS Packet Scanning and Interface Status IPS Rule Configuration IPS name IPS acl list IPS IPS fail closed is disabled IPS deny-action ips-interface is false Interface Configuration Interface Serial0/0/0 Inbound IPS rule is IPS acl list IPS Outgoing IPS rule is not set

IPS Category CLI Configuration: Category ios_ips basic: Retire: False Category all: Retire: True



Task 7.1

Note

Configuration change logging is useful for auditing purposes. Make sure to allow syslog through ASA1.

ASA1:

! ! Allow syslog traffic originated from R4 Loopback through ASA1 ! access-list OUTSIDE_IN extended permit udp host 150.1.4.4 host 162.1.38.100 eq syslog

R4: ! ! Enable configuration change logging. ! archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys

! ! Configuration changes are forwarded to syslog as well. Configure the ! source to be Loopback0, as it already has a static NAT on ASA1 ! logging source-interface Loopback0 logging 162.1.38.100




Note

We’ll make some modifications on R4 to trigger it notify syslog and then verify connections on ASA1. We’ll configure some sensitive information like passwords and see that are not logged.

Rack1R4#show archive log config all idx sess user@line Logged command 1 1 console@console | logging enable 2 1 console@console | hidekeys 3 1 console@console | hidekeys 4 1 console@console | exit 5 1 console@console | exit 6 1 console@console |archive 7 1 console@console | log config 8 1 console@console | exit 9 1 console@console | log config 10 1 console@console | notify syslog 11 1 console@console | logging enable 12 1 console@console | logging size 1000 13 1 console@console | exit 14 1 console@console | exit 15 2 console@console |logging source-interface Loopback0 16 3 console@console |logging host 162.1.38.100 17 4 console@console |archive 18 4 console@console | log config 19 4 console@console | notify syslog contenttype plaintext 20 5 console@console |interface loopback 10 21 5 console@console | exit 22 5 console@console |no interface Loopback10 idx sess user@line Logged command

Rack1R4#configure terminal Rack1R4(config)#interface loopback 10 Rack1R4(config-if)#ip ospf authentication Rack1R4(config-if)#ip ospf authentication-key cisco Rack1R4(config)#no interface loopback 10



Rack1R4#show archive log config all idx sess user@line Logged command 1 1 console@console | logging enable 2 1 console@console | hidekeys 3 1 console@console | hidekeys 4 1 console@console | exit 5 1 console@console | exit 6 1 console@console |archive 7 1 console@console | log config 8 1 console@console | exit 9 1 console@console | log config 10 1 console@console | notify syslog 11 1 console@console | logging enable 12 1 console@console | logging size 1000 13 1 console@console | exit 14 1 console@console | exit 15 2 console@console |logging source-interface Loopback0 16 3 console@console |logging host 162.1.38.100 17 4 console@console |archive 18 4 console@console | log config 19 4 console@console | notify syslog contenttype plaintext 20 5 console@console |interface loopback 10 21 5 console@console | exit 22 5 console@console |no interface Loopback10 idx sess user@line Logged command

23 6 console@console |interface Loopback10 24 6 console@console | ip ospf authentication 25 6 console@console | ip ospf authentication-key *****

Rack1ASA1# show conn port 514 4 in use, 5 most used UDP outside 150.1.4.4:55462 inside 10.0.0.100:514, idle 0:00:28, bytes 1348, flags -



Task 7.2

Note

The only way to disable ARP is to actually filter it on the switch using a VACL. This configuration will force us to do static ARP mappings on R2 for SW1 and on SW1 for R3.

R2: ! ! Configure static ARP for SW1 VLAN27 IP address ! arp 10.7.7.1 0012.0183.5900 ARPA

SW1: ! ! Configure static ARP for R2 FastEthernet0/0 IP address ! arp 10.7.7.2 0013.c440.3980 ARPA

! ! Match ARP traffic in a MAC ACL ! mac access-list extended ARP permit any any 0x806 0x0

! ! Configure VLAN access-map to filter ARP packets and forward all other ! traffic ! vlan access-map VLAN27_FILTER 10 action drop match mac address ARP vlan access-map VLAN27_FILTER 20 action forward

! ! Apply the filter on VLAN 27 ! vlan filter VLAN27_FILTER vlan-list 27




Note

For testing purpose, we could change the IP address on either SW1 or R2 and verify that L3 to L2 resolution fails.

Rack1SW1#clear arp-cache Rack1SW1#show arp | i 10.7.7.1 Internet 10.7.7.1 - 0012.0183.5900 ARPA Vlan27





Rack1SW1#conf t Rack1SW1(config)#interface vlan 27 Rack1SW1(config-if)#ip address 10.7.7.3 255.255.255.0


Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.7.7.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)

Rack1R2#show arp | i 10.7.7.3 Internet 10.7.7.3 0 Incomplete ARPA



Task 7.3

Note

Since outbound filtering on R1 is not an option we stick with VACL configuration on SW2.

SW2: ! ! Match ICMP echo destined to ASA2 in an ACL ! ip access-list extended ICMP_ECHO permit icmp any host 162.1.113.13 echo

! ! Configure the access-map and drop required traffic while allowing the ! rest ! vlan access-map ICMP_ECHO_VLAN113 10 action drop match ip address ICMP_ECHO vlan access-map ICMP_ECHO_VLAN113 20 action forward

! ! Apply the VACL on VLAN 113 ! vlan filter ICMP_ECHO_VLAN113 vlan-list 113




Note

For testing we can remove the filter and verify that R1 can ping ASA1 again. Don’t forget to re-apply it back.

Rack1R1#ping 162.1.113.13 re 3

Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 162.1.113.13, timeout is 2 seconds: ... Success rate is 0 percent (0/3)

Rack1SW2#conf t Rack1SW2(config)#no vlan filter ICMP_ECHO_VLAN113 vlan-list 113

Rack1R1#ping 162.1.113.13 re 3

Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 162.1.113.13, timeout is 2 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 1/3/4 ms

Task 7.4

Note

Make sure you applied the access-class to all VTY lines in the router!

R1: ! ! Create the ACL to filter telnet and allow other management protocols ! ip access-list extended DENY_TELNET deny tcp any any eq telnet permit ip any any

! ! Apply the filter on console and all VTY lines !

line con 0 access-class DENY_TELNET out ! line vty 0 181 access-class DENY_TELNET out



Task 7.4 VerificationRack1R1#telnet 150.1.4.4 Trying 150.1.4.4 ... % Connections to that host not permitted from this terminal Rack1R1#show ip access-lists Extended IP access list DENY_TELNET 10 deny tcp any any eq telnet (1 match) 20 permit ip any any

Rack1R1#ssh -l ADMIN 150.1.4.4

[Connection to 150.1.4.4 closed by foreign host] Rack1R1#show ip access-lists Extended IP access list DENY_TELNET 10 deny tcp any any eq telnet (1 match) 20 permit ip any any (1 match)




Rack1R1>en Password: Rack1R1#telnet 150.1.4.4 Trying 150.1.4.4 ... % Connections to that host not permitted from this terminal

Rack1R1#show ip access-lists Extended IP access list DENY_TELNET 10 deny tcp any any eq telnet (2 matches) 20 permit ip any any (1 match)

Rack1R1#ssh -l ADMIN 150.1.4.4

[Connection to 150.1.4.4 closed by foreign host] Rack1R1#show ip access-lists Extended IP access list DENY_TELNET 10 deny tcp any any eq telnet (2 matches) 20 permit ip any any (2 matches)



Task 8.1

R6: ! ! Load protocol headers ! load protocol system:fpm/phdf/ip.phdf load protocol system:fpm/phdf/icmp.phdf load protocol system:fpm/phdf/tcp.phdf load protocol system:fpm/phdf/udp.phdf load protocol system:fpm/phdf/ether.phdf

! ! Configure the protocol stack for IP-in-IP ! class-map type stack match-all IP_IN_IP stack-start l2-start match field ETHER type eq 0x800 next IP match field layer 2 IP protocol eq 4 next IP match field layer 3 IP protocol eq 6 next TCP

! ! Define the traffic filter. Match on FIN and SYN bits, port 80 and the ! specified string ! class-map type access-control match-all FILTER match field TCP dest-port eq 80 match start TCP payload-start offset 0 size 64 regex ".*[pP] [rR] [oO] [bB] [eE].*" match field tcp control-bits eq 2 mask 0x3D match field tcp control-bits eq 1 mask 0x3D policy-map type access-control FILTER_TCP class FILTER drop

! ! Apply the policy on both R6 interfaces ! interface FastEthernet0/0 service-policy type access-control input FILTER_TCP ! interface Serial0/0/0 service-policy type access-control input FILTER_TCP




Rack1R6#show policy-map type access-control interface fastEthernet 0/0 input FastEthernet0/0

Service-policy access-control input: FILTER_TCP

Class-map: FILTER (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps Match: start TCP payload-start offset 0 size 64 regex ".*[pP] [rR] [oO] [bB] [eE].*" Match: field TCP control-bits eq 2 mask 0x3D Match: field TCP control-bits eq 1 mask 0x3D Match: field TCP dest-port eq 80 drop

Class-map: class-default (match-any) 79 packets, 7060 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: any

Rack1R6#show policy-map type access-control interface serial 0/0/0 input

Serial0/0/0

Service-policy access-control input: FILTER_TCP

Class-map: FILTER (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps Match: start TCP payload-start offset 0 size 64 regex ".*[pP] [rR] [oO] [bB] [eE].*" Match: field TCP control-bits eq 2 mask 0x3D Match: field TCP control-bits eq 1 mask 0x3D Match: field TCP dest-port eq 80 drop

Class-map: class-default (match-any) 479 packets, 38739 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: any

0 Caution - Cisco...CCIE Security Lab Workbook Volume II Solutions Guide Version 5.0 Lab 5 Copyright...

Documents

Transcript of 0 Caution - Cisco...CCIE Security Lab Workbook Volume II Solutions Guide Version 5.0 Lab 5 Copyright...