SNRS CCSP 2.1


CCSP™ Lab Workbook v2.2 Securing Networks with ASA

INDEX

Module 01: Configuring IOS FIREWALL

Lab 01: Classic IOS Firewall (CBAC)…………………………………………. 04

Lab 02: Zone Based Policy IOS Firewall (ZFW)……….…………………….. 05

Module 02: Routing Protocols on the Security Appliance

Lab 01: Configure RIP…………………………………………………………… 19

Lab 02: Configure OSPF…………..……………………………………………. 24

Lab 03: Configure EIGRP……………………………………………………….. 28

Lab 04: Configure Redistribution……………………………………………….. 32

Module 03: NAT on the Security Appliance

Lab 01: Configure Dynamic NAT and PAT……………………………………. 35

Lab 02: Configure Static NAT and PAT……………………………………….. 42

Lab 03: Configure Dynamic Policy NAT………………………………………. 48

Lab 04: Configure Static Policy NAT and PAT……………………………….. 55

Lab 05: Configure Identity NAT, NAT Exemption, NAT Control……………. 60

Module 04: Object Grouping

Lab 01: Configuring Object Grouping………………………………………….. 66

Module 05: Application Inspection and Filtering

Lab 01: Application Aware Inspection…………………………………………. 70

Lab 02: URL Filtering……………………………………………………………. 73

Lab 03: Malicious Active Code Filtering……………………………………….. 75

Module 06: Context and Failover on the Security Appliance

Lab 01: Firewall Contexts………………………………………………………. 78

Lab 02: Failover - Active/Standby……………………………………………… 87

Lab 03: Failover - Active/Active……………………………………………….... 98

Module 07: Transparent Firewall

© Netmetric Infosolutions (P) Limited – Hyderabad, IN www.netmetric-solutions.com


Lab 01: Configure Layer 2 Transparent Firewall………………………………. 107

Module 08: VPN on the Security Appliance

Lab 01: IPSec VPN Site to Site Tunnel…………………………………………. 110


MODULE 01: Configuring IOS FIREWALL

Lab 01: Classic IOS Firewall (CBAC)…………………………………………. 04

Lab 02: Zone Based Policy IOS Firewall (ZFW)……….………………………. 05


LAB 01 Classic IOS Firewall (CBAC)

[Topology diagram: Host A (ethernet) -- f0/1 R1 f0/0 -- f0/0 Internet. R1 f0/1 faces the Internal Network, R1 f0/0 faces the External Network.]

Task 1: Configure the interfaces with the following information

Host       IP Address       Interface
R1         192.168.1.1/24   f0/0
R1         10.0.1.1/24      f0/1
Internet   192.168.1.2/24   f0/0
Host A     10.0.1.10/24     ethernet

Task 2: Configure CBAC on router R1 to inspect icmp, telnet, ftp, http, smtp, tcp, udp, and dns traffic going from Host A to Internet.

Task 3: Verify the CBAC configured on R1 by initiating the respective traffic between Host A and the Internet router.

Task 1: Configure the interfaces with the following information

Step1: Configure the initial configs on Router “R1” as per the table.

R1#configure terminal
R1(config)#interface f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface f0/1
R1(config-if)#ip address 10.0.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

Step2: Configure the initial configs on Router “Internet” as per the table.

Internet# configure terminal
Internet(config)#interface f0/0
Internet(config-if)#ip address 192.168.1.2 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

Task 2: Configure CBAC on router R1 to inspect icmp, telnet, ftp, http, smtp, tcp, udp, and dns traffic going from Host A to Internet.

Step1: Configure the inspection rules with name myfw to inspect icmp, telnet, ftp, http, smtp, tcp, udp and dns on router R1.

R1(config)#ip inspect name myfw icmp
R1(config)#ip inspect name myfw telnet
R1(config)#ip inspect name myfw ftp
R1(config)#ip inspect name myfw http
R1(config)#ip inspect name myfw smtp
R1(config)#ip inspect name myfw tcp
R1(config)#ip inspect name myfw udp
R1(config)#ip inspect name myfw dns

Step2: Check the configured inspection rules on R1.

R1#show ip inspect name myfw
Inspection name myfw
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    telnet alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
    ftp alert is on audit-trail is off timeout 3600
    http alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    dns alert is on audit-trail is off timeout 30


Step3: Configure an extended IP ACL that denies all IP traffic.

R1(config)#access-list 101 deny ip any any

Step4: Check the configured ACL.

R1#show access-lists 101
Extended IP access list 101
    10 deny ip any any
R1#

Step5: Now apply the ACL 101 and the inspection rule myfw to either the f0/0 or the f0/1 interface of router R1, in the directions shown in the configs below.

NOTE:
- Apply CBAC inspection to inbound traffic when configuring CBAC on an internal interface.
- Apply CBAC inspection to outbound traffic when configuring CBAC on an external interface.

Step5.1: CBAC configured on internal interface f0/1.

R1(config)#interface f0/1
R1(config-if)#ip inspect myfw in
R1(config-if)#ip access-group 101 out
R1(config-if)#exit

Step5.2: Check the Configuration on the interface.

R1#show ip inspect interfaces
Interface Configuration
 Interface FastEthernet0/1
  Inbound inspection rule is myfw
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    telnet alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
    ftp alert is on audit-trail is off timeout 3600
    http alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    dns alert is on audit-trail is off timeout 30
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is 101

(OR)

Step5.1: CBAC configured on external interface f0/0.

R1(config)#interface f0/0
R1(config-if)#ip inspect myfw out
R1(config-if)#ip access-group 101 in
R1(config-if)#exit

Step5.2: Check the Configuration on the interface.

R1#show ip inspect interfaces
Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is myfw
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    telnet alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
    ftp alert is on audit-trail is off timeout 3600
    http alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    dns alert is on audit-trail is off timeout 30
  Inbound access list is 101
  Outgoing access list is not set

Task 3: Verify the CBAC configured on R1 by initiating the respective traffic between Host A and the Internet router.

Step1: Ping from Host A to Internet router.


C:\Documents and Settings\netmetric> ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

Step2: Check the CBAC inspection during the Ping on R1.

R1#sh ip inspect sessions
Established Sessions
 Session 63DD3718 (10.0.1.10:8)=>(192.168.1.2:0) icmp SIS_OPEN

Step3: Now try to Ping to HostA from Internet router.

Internet# ping 10.0.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.10, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
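To make the behaviour verified above concrete, here is an added Python model of what R1 does with each packet in this lab; it is not code from the workbook. It assumes nothing beyond the lab's own configuration: ACL 101 denies everything arriving from the Internet side, the myfw inspection rule records outbound flows, and the idle timeouts are the ones `show ip inspect name myfw` printed. The flows it feeds in are constructed to match Task 3 (Host A's ping succeeds, the Internet router's ping gets no answer), plus one TCP case the lab does not show.

```python
"""Model of the CBAC behaviour configured on R1 in Lab 01.

Added example, not code from the Netmetric workbook. Outbound flows that
match an inspected protocol get a session entry (what 'show ip inspect
sessions' lists as SIS_OPEN); only traffic belonging to such a session is
let back in past ACL 101 (deny ip any any). For ICMP the 'sport' field
carries the ICMP type and dport is 0, mirroring the session display
(10.0.1.10:8)=>(192.168.1.2:0). All flows are constructed sample data.
"""
from dataclasses import dataclass, field

# Protocols named in 'ip inspect name myfw ...' with the idle timeouts (seconds)
# shown by 'show ip inspect name myfw'.
INSPECT_TIMEOUT = {
    "smtp": 3600, "telnet": 3600, "icmp": 10, "ftp": 3600,
    "http": 3600, "tcp": 3600, "udp": 30, "dns": 30,
}
# ICMP types this model treats as return traffic of an outbound echo request:
# echo-reply, destination-unreachable, time-exceeded.
ICMP_RETURN_TYPES = {0, 3, 11}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def session_key(flow: Flow) -> tuple:
    """Key under which an outbound flow is remembered."""
    if flow.proto == "icmp":
        return ("icmp", flow.src, flow.dst)  # the ICMP type is not part of the key
    return (flow.proto, flow.src, flow.sport, flow.dst, flow.dport)


def return_key(flow: Flow):
    """Key of the outbound session an inbound packet would belong to, or None."""
    if flow.proto == "icmp":
        if flow.sport not in ICMP_RETURN_TYPES:
            return None  # an inbound echo request is a new flow, not return traffic
        return ("icmp", flow.dst, flow.src)
    return (flow.proto, flow.dst, flow.dport, flow.src, flow.sport)


@dataclass
class Cbac:
    sessions: dict = field(default_factory=dict)  # session key -> expiry time

    def outbound(self, flow: Flow, now: float) -> str:
        """Packet from Host A towards the Internet (inspected on the way out)."""
        timeout = INSPECT_TIMEOUT.get(flow.proto)
        if timeout is None:
            return "forward (not inspected, no return path opened)"
        self.sessions[session_key(flow)] = now + timeout
        return "forward+inspect"

    def inbound(self, flow: Flow, now: float) -> str:
        """Packet from the Internet towards Host A; must get past ACL 101."""
        key = return_key(flow)
        if key is not None and key in self.sessions:
            if now <= self.sessions[key]:
                self.sessions[key] = now + INSPECT_TIMEOUT[flow.proto]  # refresh idle timer
                return "permit (return traffic of inspected session)"
            del self.sessions[key]  # idle timeout expired
        return "deny (ACL 101)"


def lab_walkthrough() -> list:
    """Replays Task 3 of the lab and returns the firewall's verdicts in order."""
    fw = Cbac()
    host_a_ping = Flow("icmp", "10.0.1.10", 8, "192.168.1.2", 0)
    echo_reply = Flow("icmp", "192.168.1.2", 0, "10.0.1.10", 0)
    internet_ping = Flow("icmp", "192.168.1.2", 8, "10.0.1.10", 0)
    return [
        fw.outbound(host_a_ping, now=0),
        fw.inbound(echo_reply, now=1),
        fw.inbound(internet_ping, now=2),  # Internet# ping 10.0.1.10 is dropped (U.U.U in the lab)
        fw.inbound(echo_reply, now=30),    # the 10 s ICMP idle timeout has elapsed
    ]


if __name__ == "__main__":
    for verdict in lab_walkthrough():
        print(verdict)
```

The same structure explains why the `(OR)` variant on f0/0 is equivalent: whether inspection runs inbound on the internal interface or outbound on the external one, the session table is consulted before ACL 101 for traffic coming from the Internet side.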


LAB 02 Zone Based Policy IOS Firewall (ZFW)

[Topology diagram: Host A -- f0/1 R1 f0/0 -- f0/0 Internet. R1 f0/1 is in the Private Zone, R1 f0/0 is in the Public Zone.]

Task 1: Configure the interfaces with the following information

Host       IP Address       Interface
R1         192.168.1.1/24   f0/0
R1         10.0.1.1/24      f0/1
Internet   192.168.1.2/24   f0/0
Host A     10.0.1.10/24     ethernet

Task 2: Configure ZFW on router R1 to inspect icmp, tcp and udp traffic going from Host A to Internet as per the topology diagram.

Task 3: Verify the ZFW configured on R1 by initiating the respective traffic between Host A and the Internet router.


Task 1: Configure the interfaces with the following information

Step1: Configure the initial configs on Router “R1” as per the table.

R1#configure terminal
R1(config)#interface f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface f0/1
R1(config-if)#ip address 10.0.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

Step2: Configure the initial configs on Router “Internet” as per the table.

Internet# configure terminal
Internet(config)#interface f0/0
Internet(config-if)#ip address 192.168.1.2 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

Task 2: Configure ZFW on router R1 to inspect icmp, tcp and udp traffic going from Host A to Internet as per the topology diagram.

Step1: Configure the Security Zone names private and public as per the topology diagram.

R1(config)#zone security private
R1(config-sec-zone)#exit
R1(config)#zone security public
R1(config-sec-zone)#exit
R1(config)#

Step2: Now make the interface f0/0 of R1 a member of the configured “public” zone.

R1(config)#interface f0/0
R1(config-if)#zone-member security public
R1(config-if)#exit

Step3: Now make the interface f0/1 of R1 a member of the configured “private” zone.


R1(config)#interface f0/1
R1(config-if)#zone-member security private
R1(config-if)#exit

Step4: Check the configured Security Zones.

R1# show zone security
zone self
  Description: System defined zone

zone private
  Member Interfaces:
    FastEthernet0/1

zone public
  Member Interfaces:
    FastEthernet0/0

Step5: Configure a class-map type inspect named myclass on R1 that uses match-any to match the protocols tcp, udp and icmp.

R1(config)#class-map type inspect match-any myclass
R1(config-cmap)#match protocol tcp
R1(config-cmap)#match protocol udp
R1(config-cmap)#match protocol icmp
R1(config-cmap)#exit

Step6: Check the configuration.

R1#show class-map type inspect myclass
 Class Map type inspect match-any myclass (id 1)
   Match protocol tcp
   Match protocol udp
   Match protocol icmp

Step7: Configure the policy-map type inspect to “inspect” the selected traffic on R1 with name mypolicy.


R1(config)#policy-map type inspect mypolicy
R1(config-pmap)#class type inspect myclass
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#exit

Step8: Check the configuration.

R1# show policy-map type inspect mypolicy
  Policy Map type inspect mypolicy
    Class myclass
      Inspect

Step9: Configure a security zone-pair “mypair” that defines the direction of the traffic, with the private zone as source and the public zone as destination. Then apply the policy-map “mypolicy” to it; the policy-map holds the policy rules, here the inspection of traffic going from the private zone to the public zone.

R1(config)#zone-pair security mypair source private destination public
R1(config-sec-zone-pair)#service-policy type inspect mypolicy
R1(config-sec-zone-pair)#exit

Step10: Check the zone-pair configuration.

R1#show zone-pair security
Zone-pair name mypair
    Source-Zone private  Destination-Zone public
    service-policy mypolicy

R1#show policy-map type inspect zone-pair

 policy exists on zp mypair
  Zone-pair: mypair

  Service-policy inspect : mypolicy

    Class-map: myclass (match-any)
      Match: protocol tcp
        16 packets, 448 bytes
        30 second rate 0 bps
      Match: protocol udp
        29 packets, 290 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 40 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [0:26]
        udp packets: [0:29]
        icmp packets: [0:8]

        Session creations since subsystem startup or last reset 46
        Current session counts (estab/half-open/terminating) [0:27:0]
        Maxever session counts (estab/half-open/terminating) [0:45:0]
        Last session created 00:00:18
        Last statistic reset never
        Last session creation rate 46
        Maxever session creation rate 46
        Last half-open session total 27

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

Task 3: Verify the ZFW configured on R1 by initiating the respective traffic between Host A and the Internet router.

Step1: Ping from Host A to Internet router.

C:\Documents and Settings\netmetric> ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms


Step2: Now try to Ping to HostA from Internet router.

Internet# ping 10.0.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
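As an added illustration (not code from the workbook), the following Python model reproduces the decision R1 makes under the ZFW configuration built in Task 2, including the two rules that explain the verification above: traffic for which no zone-pair exists (public to private) is dropped, and return traffic of an inspected session is allowed back. Zone, interface, class-map and policy-map names are the lab's; the packets are constructed samples, and the handling of a zoned/unzoned interface pair is included to show ZFW's default for that case, which the lab does not exercise.

```python
"""Zone-Based Policy Firewall decision model for R1 in Lab 02.

Added example, not code from the Netmetric workbook. A packet is handled
by looking up the zones of its ingress and egress interfaces, finding the
zone-pair for that direction and applying the zone-pair's inspect policy
(class-map 'myclass', match-any tcp/udp/icmp, action inspect; anything
else falls into class-default and is dropped). For ICMP, 'sport' holds
the ICMP type (8 = echo request, 0 = echo reply) and dport is 0.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str
    out_if: str


def originator_key(pkt: Packet):
    """Key of the inspected flow this packet would be the return half of."""
    if pkt.proto == "icmp":
        # only an echo reply counts as return traffic of an echo request
        return ("icmp", pkt.dst, 8, pkt.src, 0) if pkt.sport == 0 else None
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


@dataclass
class Zfw:
    zone_member: dict        # interface -> zone ('zone-member security')
    class_maps: dict         # class-map name -> protocols it matches (match-any)
    policies: dict           # policy-map name -> ordered [(class-map, action)]
    zone_pairs: dict         # (source zone, destination zone) -> policy-map
    sessions: set = field(default_factory=set)

    def _policy_action(self, policy: str, proto: str) -> str:
        for cls, action in self.policies[policy]:
            if proto in self.class_maps[cls]:
                return action
        return "drop (class-default)"

    def forward(self, pkt: Packet) -> str:
        src_zone = self.zone_member.get(pkt.in_if)
        dst_zone = self.zone_member.get(pkt.out_if)
        if src_zone is None and dst_zone is None:
            return "pass (neither interface is in a zone)"
        if src_zone is None or dst_zone is None:
            return "drop (zoned and unzoned interfaces cannot communicate)"
        if src_zone == dst_zone:
            return "pass (intra-zone)"
        if originator_key(pkt) in self.sessions:
            return "pass (return traffic of inspected session)"
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop (no zone-pair %s -> %s)" % (src_zone, dst_zone)
        action = self._policy_action(policy, pkt.proto)
        if action == "inspect":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


def lab_r1() -> Zfw:
    """R1 exactly as built in Task 2 of the lab."""
    return Zfw(
        zone_member={"FastEthernet0/0": "public", "FastEthernet0/1": "private"},
        class_maps={"myclass": {"tcp", "udp", "icmp"}},
        policies={"mypolicy": [("myclass", "inspect")]},
        zone_pairs={("private", "public"): "mypolicy"},
    )


def lab_walkthrough() -> list:
    """Replays Task 3, then two packets the lab does not send; returns the verdicts."""
    fw = lab_r1()
    inside, outside = "FastEthernet0/1", "FastEthernet0/0"
    return [
        fw.forward(Packet("icmp", "10.0.1.10", 8, "192.168.1.2", 0, inside, outside)),
        fw.forward(Packet("icmp", "192.168.1.2", 0, "10.0.1.10", 0, outside, inside)),
        fw.forward(Packet("icmp", "192.168.1.2", 8, "10.0.1.10", 0, outside, inside)),
        fw.forward(Packet("gre", "10.0.1.10", 0, "192.168.1.2", 0, inside, outside)),
    ]


if __name__ == "__main__":
    for verdict in lab_walkthrough():
        print(verdict)
```

Note that the last packet (GRE from Host A) is dropped even though it travels in the permitted direction: the lab's class-map only names tcp, udp and icmp, so everything else hits class-default, which the `show policy-map type inspect zone-pair` output above lists with the action Drop.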


MODULE 02: Implementing VPNs

Lab 01: Configure site-site IPsec VPN using pre-shared keys …………………… 19

Lab 02: Configure OSPF……………………………………………………………………... 24

Lab 03: Configure EIGRP……………………………………………………………………. 28

Lab 04: Configure Redistribution………………………………………………………….. 32


LAB 01 Configure site-site IPsec VPN using pre-shared keys

[Topology diagram: Site 1, network 10.0.1.0 with host 10.0.1.12, behind R1 (f0/0 172.30.1.1); Site 2, network 10.0.6.0 with host 10.0.6.12, behind R6 (f0/0 172.30.1.2); R1 and R6 are connected f0/0 to f0/0.]

Task 1: Configure the interfaces as per the topology diagram. The end hosts are represented by a loopback with the respective IP on each router.

Task 2:
- Configure an IPsec site-to-site tunnel between R1 and R6, using the f0/0 interface addresses as the peer addresses.
- Use "netmetric" as the pre-shared key for authentication, and 3DES/MD5 as the encryption and hashing algorithms for both IPsec phases.

ISAKMP Parameters
  Authentication:  Pre-shared
  Encryption:      3DES
  Group:           2
  Hash:            MD5
  Pre-Shared Key:  netmetric

IPSec Parameters
  Encryption:      ESP-3DES
  Authentication:  ESP-MD5-HMAC

- Protect traffic between site 1 - 10.0.1.0/24 on R1 network and site 2 - 10.0.6.0/24 on R6 network.

Task 3: Verify the task.


Task 1: Configure the interfaces as per the topology diagram. The end hosts are represented by a loopback with the respective IP on each router.

Step1: Configure the basic configuration on R1 as per the topology diagram.

R1(config)#interface f0/0
R1(config-if)#ip address 172.30.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.0.1.12 255.255.255.255
R1(config-if)#no shut
R1(config-if)#exit

Step2: Configure the basic configuration on R6 as per the topology diagram.

R6(config)#interface f0/0
R6(config-if)#ip address 172.30.1.2 255.255.255.0
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#interface loopback0
R6(config-if)#ip address 10.0.6.12 255.255.255.255
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#

Step3: Check the connectivity between R1 and R6.

R6#ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms


Task 2:

Step1.1: Enable ISAKMP on R1.

R1(config)#crypto isakmp enable

Step1.2: Create ISAKMP Policy with the given parameters on R1.

R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#

Step1.3: Check the ISAKMP policy configuration.

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Step1.4: Configure ISAKMP identity as address.

R1(config)#crypto isakmp identity address

Step1.5: Configure the pre-shared key value “netmetric” with the R6 address as peer.


R1(config)#crypto isakmp key netmetric address 172.30.1.2

Step1.6: Configure IPsec Transform set on R1 with given parameters.

R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#

Step1.7: Configure the crypto ACL to match the interesting traffic for encryption as given.

R1(config)#ip access-list extended 103
R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#

Step1.8: Configure the crypto map.

R1(config)#crypto map mymap 110 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address 103
R1(config-crypto-map)#set peer 172.30.1.2
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#exit
R1(config)#

Step1.9: Implement the crypto map on the outside interface f0/0 of R1.

R1(config)#interface f0/0
R1(config-if)#crypto map mymap
R1(config-if)#exit
R1(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step1.10: Check the configuration of cryptomap.

R1#show crypto map tag mymap
Crypto Map "mymap" 110 ipsec-isakmp
        Peer = 172.30.1.2
        Extended IP access list 103
            access-list 103 permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
        Current peer: 172.30.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset:  { esp-3des esp-md5-hmac  } ,
        }
        Interfaces using crypto map mymap:
                FastEthernet0/0

For comparison, the same command run while the crypto map was still incomplete (its peer or crypto ACL not yet in place) reports the map as disabled and shows no interface using it:

R1#show crypto map tag mymap
Crypto Map "mymap" 110 ipsec-isakmp
        WARNING: This crypto map is in an incomplete state!
                (missing peer or access-list definitions)
        Peer = 172.30.1.2
        Extended IP access list 110
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset:  { esp-3des esp-md5-hmac  } ,
        }
        Interfaces using crypto map mymap:

Step2.1: Enable ISAKMP on R6.

R6(config)#crypto isakmp enable

Step2.2: Create ISAKMP Policy with the given parameters on R6.

R6(config)#crypto isakmp policy 110
R6(config-isakmp)#encryption 3des
R6(config-isakmp)#hash md5
R6(config-isakmp)#authentication pre-share
R6(config-isakmp)#group 2
R6(config-isakmp)#exit
R6(config)#

Step2.3: Check the ISAKMP policy configuration.


R6#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Step2.4: Configure ISAKMP identity as address.

R6(config)#crypto isakmp identity address

Step2.5: Configure pre-shared key value as “netmetric” with R1 address as peer.

R6(config)#crypto isakmp key 0 netmetric address 172.30.1.1

Step2.6: Configure the IPsec transform set on R6 with the given parameters.

R6(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R6(cfg-crypto-trans)#mode tunnel
R6(cfg-crypto-trans)#exit

Step2.7: Configure the crypto ACL to match the interesting traffic for encryption as given.

R6(config)#ip access-list extended 103
R6(config-ext-nacl)#permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255
R6(config-ext-nacl)#exit
R6(config)#

Step2.8: Configure the crypto map.

R6(config)#crypto map mymap 110 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R6(config-crypto-map)#match address 103
R6(config-crypto-map)#set peer 172.30.1.1
R6(config-crypto-map)#set transform-set myset
R6(config-crypto-map)#exit

Step2.9: Implement the crypto map on the outside interface f0/0 of R6.

R6(config)#interface f0/0
R6(config-if)#crypto map mymap
R6(config-if)#exit
R6(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step2.10: Check the configuration of cryptomap.

R6#show crypto map tag mymap
Crypto Map "mymap" 110 ipsec-isakmp
        Peer = 172.30.1.1
        Extended IP access list 103
            access-list 103 permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255
        Current peer: 172.30.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset,
        }
        Interfaces using crypto map mymap:
                FastEthernet0/0
                FastEthernet0/0

R6#show crypto ipsec transform-set
Transform set myset: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

Step3: Point the 10.0.6.0/24 route at the VPN tunnel initiation/termination point from R1.

R1(config)#ip route 10.0.6.0 255.255.255.0 172.30.1.2

Step4: Point the 10.0.1.0/24 route at the VPN tunnel initiation/termination point from R6.

R6(config)#ip route 10.0.1.0 255.255.255.0 172.30.1.1
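Before verifying, a practitioner usually checks that the two ends of the tunnel actually agree, since a single mismatch in these parameters is the usual reason phase 1 or phase 2 never completes. The Python check below is an added example, not code from the workbook: it parses both routers' configuration (reconstructed here in running-config form from the commands typed in Task 2; the workbook only shows them at the prompt) and reports any ISAKMP policy, pre-shared key, transform-set, peer-address or crypto-ACL mirror mismatch.

```python
"""Parity check for the two ends of the Lab 01 site-to-site tunnel.

Added example, not code from the Netmetric workbook. Both configurations
below are constructed in running-config form from the lab's commands.
"""
import re
from dataclasses import dataclass, field

R1_CONFIG = """\
interface FastEthernet0/0
 ip address 172.30.1.1 255.255.255.0
 crypto map mymap
crypto isakmp policy 110
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key netmetric address 172.30.1.2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
ip access-list extended 103
 permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
crypto map mymap 110 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set myset
 match address 103
"""

R6_CONFIG = """\
interface FastEthernet0/0
 ip address 172.30.1.2 255.255.255.0
 crypto map mymap
crypto isakmp policy 110
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 netmetric address 172.30.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
ip access-list extended 103
 permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto map mymap 110 ipsec-isakmp
 set peer 172.30.1.1
 set transform-set myset
 match address 103
"""


@dataclass
class VpnSide:
    name: str
    local: str = ""                                  # address of the interface carrying the crypto map
    peer: str = ""                                   # 'set peer' in the crypto map
    isakmp: dict = field(default_factory=dict)       # ISAKMP policy attributes
    psk: dict = field(default_factory=dict)          # peer address -> pre-shared key
    transform: tuple = ()
    crypto_acl: list = field(default_factory=list)   # (src, src-wildcard, dst, dst-wildcard)


def parse_side(name: str, config: str) -> VpnSide:
    side, block, if_addr = VpnSide(name), "", {}
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                  # an unindented line opens a new block
            block = line
            if m := re.match(r"crypto isakmp key (?:\d+ )?(\S+) address (\S+)", line):
                side.psk[m.group(2)] = m.group(1)
            elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
                side.transform = tuple(m.group(1).split())
        elif block.startswith("interface"):
            if m := re.match(r"ip address (\S+)", line):
                if_addr[block] = m.group(1)
            elif line.startswith("crypto map"):      # crypto map applied on this interface
                side.local = if_addr.get(block, "")
        elif block.startswith("crypto isakmp policy"):
            attr, value = line.split(None, 1)
            side.isakmp[attr] = value
        elif block.startswith("ip access-list"):
            if m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line):
                side.crypto_acl.append(m.groups())
        elif block.startswith("crypto map"):
            if m := re.match(r"set peer (\S+)", line):
                side.peer = m.group(1)
    return side


def check_pair(a: VpnSide, b: VpnSide) -> list:
    """Mismatches between the two ends; an empty list means they should negotiate."""
    problems = []
    for attr in ("encryption", "hash", "authentication", "group"):
        if a.isakmp.get(attr) != b.isakmp.get(attr):
            problems.append(f"ISAKMP {attr}: {a.name}={a.isakmp.get(attr)} {b.name}={b.isakmp.get(attr)}")
    if a.transform != b.transform:
        problems.append(f"transform-set: {a.name}={a.transform} {b.name}={b.transform}")
    key_a, key_b = a.psk.get(a.peer), b.psk.get(b.peer)
    if key_a is None or key_a != key_b:
        problems.append("pre-shared keys differ or are missing for the configured peer")
    for x, y in ((a, b), (b, a)):
        if x.peer != y.local:
            problems.append(f"{x.name} peers with {x.peer} but {y.name}'s crypto interface is {y.local}")
        for s, sw, d, dw in x.crypto_acl:            # crypto ACLs must be mirror images
            if (d, dw, s, sw) not in y.crypto_acl:
                problems.append(f"{x.name} crypto ACL {s} {sw} -> {d} {dw} has no mirror entry on {y.name}")
    return problems
```

Running `check_pair(parse_side("R1", R1_CONFIG), parse_side("R6", R6_CONFIG))` on the lab's configuration returns an empty list; changing R6's `hash md5` to `hash sha`, or breaking the mirror of ACL 103, produces a one-line finding that names the side and the parameter.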


Task 3: Verify the task.

NOTE: The VPN tunnel only comes up when the router sees the interesting traffic that is to be encrypted.

Step1: Ping 10.0.1.12 (loopback 0 of R1) from loopback 0 of R6.

R6# ping 10.0.1.12 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.6.12
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Step2: Check the ISAKMP tunnel status.

R6#show crypto isakmp sa
dst             src             state          conn-id slot status
172.30.1.1      172.30.1.2      QM_IDLE              1    0 ACTIVE

Step3: Check the IPSec tunnel status.

R6#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   current_peer 172.30.1.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xEFAAF17A(4020957562)

     inbound esp sas:
      spi: 0xCF7A0D46(3480882502)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: AIM-VPN/BPII-PLUS:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4553597/3586)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEFAAF17A(4020957562)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: AIM-VPN/BPII-PLUS:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4553597/3584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#ping 10.0.6.12 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.30.1.1      172.30.1.2      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA


R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     PFS (Y/N): N, DH group: none

     local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCF7A0D46(3480882502)

     inbound esp sas:
      spi: 0xEFAAF17A(4020957562)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4483461/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCF7A0D46(3480882502)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4483461/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
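The `show crypto ipsec sa` output above is read by eye in the lab. The Python below is an added example (not code from the workbook) that reads the same output and raises the findings a practitioner looks for: no interesting traffic yet, a one-way tunnel (packets encrypted but none decrypted, or the reverse), send/receive errors, and a missing or non-ACTIVE ESP SA. The sample output it carries is a constructed, shortened copy of R1's output; the counter and SA fields are the ones the real command prints.

```python
"""Health check over 'show crypto ipsec sa' output for the Lab 01 tunnel.

Added example, not code from the Netmetric workbook. SAMPLE is a
constructed, shortened copy of the R1 output shown in the lab.
"""
import re

SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0)
   current_peer 172.30.1.2 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0xEFAAF17A(4020957562)
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0xCF7A0D46(3480882502)
        Status: ACTIVE
"""


def parse_ipsec_sa(text: str) -> dict:
    """Pulls the peer, packet counters and ESP SA status out of the output."""
    info = {"peer": None, "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0, "sas": {}}
    direction = None                       # 'inbound'/'outbound' while inside an esp sas block
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            info["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            info["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction = m.group(1) if m.group(2) == "esp" else None
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            info["sas"][direction] = {"spi": m.group(1), "status": None}
        elif direction and (m := re.match(r"Status: (\S+)", line)):
            info["sas"][direction]["status"] = m.group(1)
    return info


def diagnose(text: str) -> list:
    """Findings a practitioner would raise; an empty list means the tunnel looks healthy."""
    info = parse_ipsec_sa(text)
    findings = []
    if info["encaps"] == 0 and info["decaps"] == 0:
        findings.append("no interesting traffic has matched the crypto ACL yet")
    elif info["encaps"] == 0 or info["decaps"] == 0:
        findings.append(f"one-way tunnel: encaps={info['encaps']} decaps={info['decaps']}")
    if info["send_errors"] or info["recv_errors"]:
        findings.append(f"errors: send={info['send_errors']} recv={info['recv_errors']}")
    for direction in ("inbound", "outbound"):
        sa = info["sas"].get(direction)
        if sa is None:
            findings.append(f"no {direction} ESP SA (phase 2 not established)")
        elif sa["status"] != "ACTIVE":
            findings.append(f"{direction} ESP SA {sa['spi']} is {sa['status']}")
    return findings


if __name__ == "__main__":
    print(diagnose(SAMPLE) or "tunnel healthy")
```

On R1's output the check returns nothing. Run over the R6 output earlier in this lab it would report `send=1`, the one echo that was lost while the tunnel was being negotiated, which is the kind of counter worth watching when it keeps growing after the SAs are up.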


LAB 02 Configure site-site IPsec VPN using PKI.


[Topology diagram: Site 1, network 10.0.1.0 with host 10.0.1.12, behind R1 (f0/0 172.30.1.1); Site 2, network 10.0.6.0 with host 10.0.6.12, behind R6 (f0/0 172.30.1.2); CA server R3 (f0/0 172.30.1.3) on the same segment as R1 f0/0 and R6 f0/0.]

Task 1: Configure the interfaces as per the topology diagram. The end hosts are represented by a loopback with the respective IP on each router.

Task 1.5: Configure router R3 as an IOS CA server for routers R1 and R6, and do the necessary configuration on R1 and R6 so that each obtains its certificate from the CA server.

Task 2:
- Configure an IPsec site-to-site tunnel between R1 and R6, using the f0/0 interface addresses as the peer addresses.
- Use RSA signatures for authentication, and 3DES/MD5 as the encryption and hashing algorithms for both IPsec phases.

ISAKMP Parameters
  Authentication:  RSA-Signature
  Encryption:      3DES
  Group:           2
  Hash:            MD5

IPSec Parameters
  Encryption:      ESP-3DES
  Authentication:  ESP-MD5-HMAC

- Protect traffic between site 1 - 10.0.1.0/24 on R1 network and site 2 - 10.0.6.0/24 on R6 network.

Task 3: Verify the task.


Task 1: Configure the interfaces as per the topology diagram. The end hosts are represented by a loopback with the respective IP on each router.

Step1: Configure the basic configuration on R1 as per the topology diagram.

R1(config)#interface f0/0
R1(config-if)#ip address 172.30.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.0.1.12 255.255.255.255
R1(config-if)#no shut
R1(config-if)#exit

Step2: Configure the basic configuration on R6 as per the topology diagram.

R6(config)#interface f0/0
R6(config-if)#ip address 172.30.1.2 255.255.255.0
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#interface loopback0
R6(config-if)#ip address 10.0.6.12 255.255.255.255
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#

Step3: Check the connectivity between R1 and R6.

R6#ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 1.5:

Step1: Configure the CA server on R3, as shown in the topology, to provide CA services to R1 and R6.

Step1.1: Apply the basic configuration on R3 as per the topology diagram.

R3(config)#interface f0/0
R3(config-if)#ip address 172.30.1.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#exit

Step1.2: Check connectivity from R3 to R1 and R6.

R3# ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/52/84 ms

R3# ping 172.30.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/84 ms

Step1.3: Configure NTP: make R3 the master and configure R1 and R6 as NTP clients of R3. Certificate validity periods are checked against the router clock, so the CA and its clients must agree on the time.

R3(config)# ntp master

R6(config)# ntp server 172.30.1.3

R1(config)# ntp server 172.30.1.3

Step1.4: Enable the HTTP server on R3, which SCEP enrollment uses.

R3(config)# ip http server

Step1.5: Configure the CA server on R3 and generate the CA certificate. Note that `grant auto` issues a certificate to every enrollment request without administrator approval; it keeps the lab short, but it means any host that can reach the SCEP URL gets a certificate.

R3(config)# crypto pki server R3_CA
R3(cs-server)# issuer-name cn=R3_CA,ou=netmetric
R3(cs-server)# grant auto
R3(cs-server)# no shutdown

%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit

% Password must be more than 7 characters. Try again
% or type Return to exit
Password:netmetric

Re-enter password:netmetric
% Generating 1024 bit RSA keys, keys will be non-exportable...

% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.

R3(cs-server)#

%SSH-5-ENABLED: SSH 1.99 has been enabled

%PKI-6-CS_ENABLED: Certificate server now enabled.

R3(cs-server)# exit

Step1.6: Verify the CA Server certificate.

R3# show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA

Step2: Now configure R1 and R6 to use the R3 CA server and obtain their identity certificates.

Step2.1: Configure the domain name cisco.com and generate the RSA key pair on R1.

R1(config)# ip domain-name cisco.com

R1(config)# crypto key generate rsa
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
Mar 1 01:28:47.030: %SSH-5-ENABLED: SSH 1.99 has been enabled

Step2.2: Verify the RSA key pair.

R1# show crypto key mypubkey rsa
% Key pair was generated at: 01:28:47 UTC Mar 1 2002
Key name: R1.cisco.com
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00CE2C4C
  6E1B57ED ECC9C1B9 C7D80244 625D5780 9C985DFB 665332D0 F2F46D2E 75A71ACC
  2DA8F89F 55C282AA 70ED671F 40BE40E3 B8E1C850 8A27A3A4 3A4794B2 1D9839DF
  7BFC72D9 10979809 3276F5C2 7B7F72EC 2B37A55F 1DA73624 C90CDA6A CA4E4AE6
  F39DB3C4 AE788E86 34F0A7E0 E30CA738 F99EA20D 29298D06 94451477 59020301
  0001
% Key pair was generated at: 01:28:48 UTC Mar 1 2002
Key name: R1.cisco.com.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B01BBD C3207D7B
  BEDF35DF FFBFCC9D 8E1093DA C5B1895D 50C9B037 68E6D498 D168DA04 95C1472A
  D2DADF94 AD90076A 44B82F27 2160D231 DE721E24 17989D6A 6B4E52F5 037061F9
  8D254300 4F8AC83B B6EC6785 AA4F1D36 CDFBB249 CB2CADC6 C7020301 0001
R1#

Step2.3: Configure the domain name cisco.com and generate the RSA key pair on R6.

R6(config)# ip domain-name cisco.com

R6(config)# crypto key generate rsa
The name for the keys will be: R6.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R6(config)#
Mar 1 01:28:47.030: %SSH-5-ENABLED: SSH 1.99 has been enabled

Step2.4: Verify the RSA key pair.

R6# show crypto key mypubkey rsa
% Key pair was generated at: 01:31:53 UTC Mar 1 2002
Key name: R6.cisco.com
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C032A0
  31101028 708FA8D8 B1A2D928 E24830BB 76B00A3C 18605335 333D76CD 1EBE9AB3
  E98A11B4 A658122B 03A78F28 4210EF7F CD112D8F 15F253D3 C697A205 3E088B1A
  F5CEB71D D469BB30 4ACECE62 578D9379 7EC681F4 BF9051ED D0A353F9 8AC1985A
  08D8512C 8D989232 CA2DD92A 9EE9F125 65C6872E 25F2FDAE 69FDA438 2F020301
  0001
% Key pair was generated at: 01:31:54 UTC Mar 1 2002
Key name: R6.cisco.com.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B9F10C D0491DF4
  E45A983C 9AAD217E 529B6168 F92EA141 AD8C66CD F0E4BDC7 31494F9B 7ECBE402
  5092D62A 333A9C13 5E92F0BD DA4CDA66 88B6AD50 6C446563 77E45F86 58B3A665
  AFC37FD4 54FC0C1F C0AD60F4 EF7EF9A8 5E29CFF6 65566189 F9020301 0001
R6#

Step2.5: Declare the CA (trustpoint) on R1 and R6. `revocation-check none` disables CRL lookups, so a peer certificate that the CA later revokes would still be accepted during IKE; it is used here only to keep the lab simple.

R1(config)# crypto pki trustpoint R3_CA
R1(ca-trustpoint)# enrollment url http://172.30.1.3
R1(ca-trustpoint)# revocation-check none
R1(ca-trustpoint)# exit

R1# show crypto pki trustpoints status
Trustpoint R3_CA:
  Issuing CA certificate not configured.
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... No
    Certificate request(s) ..... None

R6(config)# crypto pki trustpoint R3_CA
R6(ca-trustpoint)# enrollment url http://172.30.1.3
R6(ca-trustpoint)# revocation-check none
R6(ca-trustpoint)# exit

R6# show crypto pki trustpoints status
Trustpoint R3_CA:
  Issuing CA certificate not configured.
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... No
    Certificate request(s) ..... None

Step2.6: Authenticate the CA on R1 and R6 to get the CA certificate.

R1(config)# crypto pki authenticate R3_CA
Certificate has the following attributes:
  Fingerprint MD5: 8B941CA0 2CB012D2 143822B5 A0FEA635
  Fingerprint SHA1: 5D7D3208 9C525FCE 2018623E 782E3CF6 79E8202C

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#

R1# show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA

R6(config)# crypto pki authenticate R3_CA
Certificate has the following attributes:
  Fingerprint MD5: 8B941CA0 2CB012D2 143822B5 A0FEA635
  Fingerprint SHA1: 5D7D3208 9C525FCE 2018623E 782E3CF6 79E8202C

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R6# show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA
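The CA certificate above is fetched over plain HTTP (SCEP), so the fingerprint prompt is the only point at which the router's trust is bound to R3 rather than to whatever answered on port 80. The following script is an added example, not part of the workbook: it reads the fingerprints the router printed and compares the SHA1 value against the fingerprint read directly on R3 (assumed to come from `show crypto pki certificates verbose` on R3's console; the workbook does not show that output, so the reference value below is constructed to match the R1 step).

```python
"""Out-of-band check of the CA fingerprint shown by 'crypto pki authenticate'."""
import re

# Console text the router printed when authenticating the trustpoint;
# copied from the R1 step above (R6 shows the same values).
R1_AUTH_CONSOLE = """\
Certificate has the following attributes:
  Fingerprint MD5: 8B941CA0 2CB012D2 143822B5 A0FEA635
  Fingerprint SHA1: 5D7D3208 9C525FCE 2018623E 782E3CF6 79E8202C
% Do you accept this certificate? [yes/no]:
"""

# Reference value, assumed to have been read on R3's own console before the
# routers enrolled. The workbook does not show that output; this constructed
# value matches the R1 step so that the example succeeds.
R3_REFERENCE_SHA1 = "5D7D3208 9C525FCE 2018623E 782E3CF6 79E8202C"

FP_RE = re.compile(r"Fingerprint (MD5|SHA1):\s*([0-9A-Fa-f ]+)")


def normalise(fp):
    """Strip separators (spaces, colons) and upper-case a hex fingerprint."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def parse_fingerprints(console_text):
    """Return {'MD5': hex, 'SHA1': hex} for the fingerprints in the prompt text."""
    return {algo: normalise(value) for algo, value in FP_RE.findall(console_text)}


def ca_matches(console_text, reference_sha1):
    """True only when the SHA1 fingerprint the router shows equals the one read
    on the CA. MD5 is deliberately not accepted as the sole evidence, because
    two different certificates can be made to share an MD5 fingerprint."""
    ref = normalise(reference_sha1)
    if len(ref) != 40:  # SHA1 is 20 bytes, i.e. 40 hex digits
        raise ValueError("reference value is not a SHA1 fingerprint")
    return parse_fingerprints(console_text).get("SHA1") == ref


if __name__ == "__main__":
    verdict = "accept" if ca_matches(R1_AUTH_CONSOLE, R3_REFERENCE_SHA1) else "REJECT"
    print("CA certificate fingerprint check:", verdict)
```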

Step2.7: Request the identity certificates of R1 and R6 from the CA.

R1(config)# crypto pki enroll R3_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: cisco123
Re-enter password: cisco123

% The subject name in the certificate will include: R1.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R3_CA verbose' command will show the fingerprint.

R1(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: C36004FF D0BD7A5C 3B45C567 92ECC4EA
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 472CD52C EAB9774F FE6DD447 9F9FC569 C508ED12
%PKI-6-CERTRET: Certificate received from Certificate Authority
R1(config)# exit
R1# wr
Building configuration...
[OK]

Step2.8: Verify the identity certificates of R1 and R6.

R1# show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x3
  Certificate Usage: General Purpose
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    Name: R1.cisco.com
    hostname=R1.cisco.com
  Validity Date:
    start date: 02:02:51 UTC Mar 1 2002
    end   date: 02:02:51 UTC Mar 1 2003
  Associated Trustpoints: R3_CA

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA

R6(config)# crypto pki enroll R3_CA

% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: cisco123
Re-enter password: cisco123

% The subject name in the certificate will include: R1.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R3_CA verbose' command will show the fingerprint.

R6(config)#
CRYPTO_PKI: Certificate Request Fingerprint MD5: C36004FF D0BD7A5C 3B45C567 92ECC4EA
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 472CD52C EAB9774F FE6DD447 9F9FC569 C508ED12
%PKI-6-CERTRET: Certificate received from Certificate Authority
R6(config)# exit
R6# wr
Building configuration...
[OK]

R6# show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x4
  Certificate Usage: General Purpose
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    Name: R6.cisco.com
    hostname=R6.cisco.com
  Validity Date:
    start date: 02:06:15 UTC Mar 1 2002
    end   date: 02:06:15 UTC Mar 1 2003
  Associated Trustpoints: R3_CA

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA

Task 2:

Step1.1: Enable ISAKMP on R1.

R1(config)#crypto isakmp enable

Step1.2: Create ISAKMP Policy with the given parameters on R1.

R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication rsa-sig
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#

Step1.3: Check the ISAKMP policy configuration.

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Step1.4: Configure ISAKMP identity as address.

R1(config)#crypto isakmp identity address

Step1.6: Configure the IPsec transform set on R1 with the given parameters.

R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#

Step1.7: Configure the crypto ACL to match the interesting traffic for encryption as given.

R1(config)#ip access-list extended 103
R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#

Step1.8: Configure the crypto map.

R1(config)#crypto map mymap 110 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address 103
R1(config-crypto-map)#set peer 172.30.1.2
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#exit
R1(config)#

Step1.9: Apply the crypto map on the outside interface f0/0 of R1.

R1(config)#interface f0/0
R1(config-if)#crypto map mymap
R1(config-if)#exit
R1(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step1.10: Check the configuration of cryptomap.

R1#sh crypto map tag mymap
Crypto Map "mymap" 110 ipsec-isakmp
        Peer = 172.30.1.2
        Extended IP access list 103
            access-list 103 permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
        Current peer: 172.30.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset:  { esp-3des esp-md5-hmac  } ,
        }
        Interfaces using crypto map mymap:
                FastEthernet0/0

Note: if the crypto map is checked before all of its elements are in place, the same command flags it as incomplete. In the output below the map references access list 110, which does not exist, so IOS reports the map as incomplete and no interface is using it:

R1#show crypto map tag mymap
Crypto Map "mymap" 110 ipsec-isakmp
        WARNING: This crypto map is in an incomplete state!
                (missing peer or access-list definitions)
        Peer = 172.30.1.2
        Extended IP access list 110
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset:  { esp-3des esp-md5-hmac  } ,
        }
        Interfaces using crypto map mymap:

Step2.1: Enable ISAKMP on R6.

R6(config)#crypto isakmp enable

Step2.2: Create ISAKMP Policy with the given parameters on R6.

R6(config)#crypto isakmp policy 110
R6(config-isakmp)#encryption 3des
R6(config-isakmp)#hash md5
R6(config-isakmp)#authentication rsa-sig
R6(config-isakmp)#group 2
R6(config-isakmp)#exit
R6(config)#

Step2.3: Check the ISAKMP policy configuration.

R6#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hell group:      #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Step2.4: Configure ISAKMP identity as address.

R6(config)#crypto isakmp identity address

Step2.5: Configure the IPsec transform set on R6 with the given parameters.

R6(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R6(cfg-crypto-trans)#mode tunnel
R6(cfg-crypto-trans)#exit

Step2.6: Configure the crypto ACL to match the interesting traffic for encryption as given.

R6(config)#ip access-list extended 103
R6(config-ext-nacl)#permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255
R6(config-ext-nacl)#exit
R6(config)#

Step2.8: Configure the crypto map.

R6(config)#crypto map mymap 110 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R6(config-crypto-map)#match address 103
R6(config-crypto-map)#set peer 172.30.1.1
R6(config-crypto-map)#set transform-set myset
R6(config-crypto-map)#exit

Step2.9: Apply the crypto map on the outside interface f0/0 of R6.

R6(config)#interface f0/0
R6(config-if)#crypto map mymap
R6(config-if)#exit
R6(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step2.10: Check the configuration of cryptomap.

R6#show crypto map tag mymap
Crypto Map "mymap" 110 ipsec-isakmp
        Peer = 172.30.1.1
        Extended IP access list 103
            access-list 103 permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255
        Current peer: 172.30.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset,
        }
        Interfaces using crypto map mymap:
                FastEthernet0/0

R6#show crypto ipsec transform-set
Transform set myset: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

Step3: On R1, point the route for 10.0.6.0/24 at 172.30.1.2, the VPN tunnel initiation/termination point on R6.

R1(config)#ip route 10.0.6.0 255.255.255.0 172.30.1.2

Step4: On R6, point the route for 10.0.1.0/24 at 172.30.1.1, the VPN tunnel initiation/termination point on R1.

R6(config)#ip route 10.0.1.0 255.255.255.0 172.30.1.1
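Before generating traffic it is worth confirming that the two ends actually agree, because a one-character mismatch in the ISAKMP policy, transform set, peer address or crypto ACL leaves the tunnel down with little to go on. The following checker is an added example, not part of the workbook: it parses the relevant blocks of the R1 and R6 configuration (reconstructed below from the commands entered in Task 2) and reports every mismatch. It also understands `permit gre host ... host` ACL entries, so it applies unchanged to a GRE-over-IPsec crypto ACL.

```python
"""Cross-check the two ends of an IOS site-to-site IPsec configuration."""

# Constructed from the commands entered on R1 in Task 2 (not a copy of the
# running configuration); only the blocks the checker reads are included.
R1_CONFIG = """\
crypto isakmp policy 110
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
crypto map mymap 110 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set myset
 match address 103
ip access-list extended 103
 permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
interface FastEthernet0/0
 ip address 172.30.1.1 255.255.255.0
 crypto map mymap
"""
# R6 is the mirror image: swap the two f0/0 addresses and the ACL direction.
R6_CONFIG = (R1_CONFIG.replace("172.30.1.2", "@").replace("172.30.1.1", "172.30.1.2")
             .replace("@", "172.30.1.1")
             .replace("10.0.1.0 0.0.0.255 10.0.6.0", "10.0.6.0 0.0.0.255 10.0.1.0"))

def parse_blocks(config):
    """Split IOS config text into (header, [indented sub-lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks
def _find(blocks, prefix):
    return [(h, b) for h, b in blocks if h.startswith(prefix)]

def isakmp_policies(blocks):
    """Set of (encryption, hash, authentication, group), IOS defaults filled in."""
    policies = set()
    for _, body in _find(blocks, "crypto isakmp policy "):
        a = dict(line.split(None, 1) for line in body)
        policies.add((a.get("encryption", "des"), a.get("hash", "sha"), a.get("authentication", "rsa-sig"), a.get("group", "1")))
    return policies

def crypto_map(blocks):
    """Peer, transform-set name, crypto ACL, and the IPs of interfaces the map is applied to."""
    header, body = _find(blocks, "crypto map ")[0]
    info = {"name": header.split()[2], "local_ips": set()}
    keys = {("set", "peer"): "peer", ("set", "transform-set"): "tset", ("match", "address"): "acl"}
    for w in (line.split() for line in body):
        if tuple(w[:2]) in keys:
            info[keys[tuple(w[:2])]] = w[2]
    for _, ibody in _find(blocks, "interface "):
        if "crypto map " + info["name"] in ibody:
            info["local_ips"].update(l.split()[2] for l in ibody if l.startswith("ip address "))
    return info

def transform_set(blocks, name):
    """Transforms of the named set as an order-insensitive set (None if missing)."""
    for header, _ in _find(blocks, "crypto ipsec transform-set " + name + " "):
        return frozenset(header.split()[4:])
    return None
def _addr(words):
    """Consume one ACL address spec: 'host A' or 'A WILDCARD'."""
    if words[0] == "host":
        return (words[1], "0.0.0.0"), words[2:]
    return (words[0], words[1]), words[2:]

def acl_entries(blocks, number):
    """Set of (proto, src, src_wild, dst, dst_wild) for the ACL's permit entries."""
    entries = set()
    for _, body in [(h, b) for h, b in blocks if h == "ip access-list extended " + number]:
        for w in (line.split() for line in body):
            if w[0] == "permit":
                src, rest = _addr(w[2:])
                dst, _ = _addr(rest)
                entries.add((w[1],) + src + dst)
    return entries
def mirror(entry):
    """The entry the other end must have: same protocol, source and destination swapped."""
    return (entry[0], entry[3], entry[4], entry[1], entry[2])

def check_pair(cfg_a, cfg_b, name_a="R1", name_b="R6"):
    """Return a list of findings; an empty list means the two ends agree."""
    findings, a, b = [], parse_blocks(cfg_a), parse_blocks(cfg_b)
    ma, mb = crypto_map(a), crypto_map(b)
    if not isakmp_policies(a) & isakmp_policies(b):
        findings.append("phase 1: no ISAKMP policy with equal encryption/hash/auth/group on both ends")
    if transform_set(a, ma["tset"]) != transform_set(b, mb["tset"]):
        findings.append("phase 2: transform sets %s and %s differ" % (ma["tset"], mb["tset"]))
    ea, eb = acl_entries(a, ma["acl"]), acl_entries(b, mb["acl"])
    for me, them, mine, theirs, my_acl, their_acl in ((name_a, name_b, ma, mb, ea, eb),
                                                      (name_b, name_a, mb, ma, eb, ea)):
        if theirs.get("peer") not in mine["local_ips"]:
            findings.append("%s: set peer %s is not an interface of %s that carries the crypto map"
                            % (them, theirs.get("peer"), me))
        for e in my_acl - {mirror(x) for x in their_acl}:
            findings.append("%s crypto ACL entry '%s' has no mirror image on %s" % (me, " ".join(e), them))
    return findings
if __name__ == "__main__":
    print(check_pair(R1_CONFIG, R6_CONFIG) or "consistent")
```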

Task 3: Verify the task.

NOTE: The VPN tunnel comes up only when the router sees interesting traffic, that is, traffic matching the crypto ACL that is to be encrypted.

Step1: Ping 10.0.1.12 from loopback 0 of R6.

R6# ping 10.0.1.12 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.6.12
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Step2: Check the ISAKMP tunnel status.

R6#show crypto isakmp sa
dst             src             state          conn-id slot status
172.30.1.1      172.30.1.2      QM_IDLE              1    0 ACTIVE

Step3: Check the IPSec tunnel status.

R6#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   current_peer 172.30.1.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xEFAAF17A(4020957562)

     inbound esp sas:
      spi: 0xCF7A0D46(3480882502)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: AIM-VPN/BPII-PLUS:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4553597/3586)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEFAAF17A(4020957562)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: AIM-VPN/BPII-PLUS:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4553597/3584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#ping 10.0.6.12 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.30.1.1      172.30.1.2      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCF7A0D46(3480882502)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xEFAAF17A(4020957562)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4483461/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCF7A0D46(3480882502)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4483461/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
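Reading the two outputs above by eye works for one tunnel; the following parser is an added example (not the workbook's) that turns them into a pass/fail verdict: phase 1 must show QM_IDLE/ACTIVE, phase 2 must have an ACTIVE ESP SA in each direction, and packets must have been both encapsulated and decapsulated. The sample text is constructed from R6's values in Steps 2 and 3, cut down to the lines the parser reads; the one send error R6 reported is raised as a warning rather than a failure, since the first packet that triggers IKE is dropped while the SAs are built.

```python
"""Turn 'show crypto isakmp sa' and 'show crypto ipsec sa' into a tunnel verdict."""
import re

# Constructed sample output, reduced to the lines the parser reads; the values
# are the ones R6 showed in Step 2 and Step 3 above.
ISAKMP_SA = """\
R6#show crypto isakmp sa
dst             src             state          conn-id slot status
172.30.1.1      172.30.1.2      QM_IDLE              1    0 ACTIVE
"""
IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.2
   local  ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xCF7A0D46(3480882502)
        sa timing: remaining key lifetime (k/sec): (4553597/3586)
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xEFAAF17A(4020957562)
        sa timing: remaining key lifetime (k/sec): (4553597/3584)
        Status: ACTIVE
"""

# One row of the ISAKMP SA table; the optional group absorbs the 'slot' column
# that older IOS prints between conn-id and status.
ISAKMP_ROW = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+(?:\d+\s+)?(\S+)")


def parse_isakmp_sa(text):
    """List of (dst, src, state, status) rows for both column layouts."""
    return [m.groups() for m in map(ISAKMP_ROW.match, text.splitlines()) if m]


def parse_ipsec_sa(text):
    """Counters of the crypto-map entry plus one dict per ESP SA (dir, spi, lifetime, status)."""
    info, current = {"sas": []}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"(local|remote)\s+ident.*?:\s*\((\S+)\)", line)
        if m:
            info[m.group(1) + "_ident"] = m.group(2)
        m = re.match(r"#pkts (encaps|decaps): (\d+)", line)
        if m:
            info[m.group(1)] = int(m.group(2))
        m = re.match(r"#send errors (\d+), #recv errors (\d+)", line)
        if m:
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)
        if m:  # a new SA section starts; only ESP SAs carry data in this lab
            current = {"dir": m.group(1)} if m.group(2) == "esp" else None
            if current is not None:
                info["sas"].append(current)
        elif current is not None:  # attribute lines belong to the last ESP SA seen
            m = re.match(r"spi: (0x[0-9A-Fa-f]+)", line)
            if m:
                current["spi"] = m.group(1)
            m = re.match(r"sa timing: remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line)
            if m:
                current["kb_left"], current["sec_left"] = int(m.group(1)), int(m.group(2))
            m = re.match(r"Status: (\S+)", line)
            if m:
                current["status"] = m.group(1)
    return info


def assess(isakmp_text, ipsec_text):
    """Return (healthy, notes). Failures make healthy False; warnings do not."""
    notes = []
    if not [r for r in parse_isakmp_sa(isakmp_text) if r[2] == "QM_IDLE" and r[3] == "ACTIVE"]:
        notes.append("phase 1: no ISAKMP SA in QM_IDLE/ACTIVE (an MM_* state means main mode did not complete)")
    sa = parse_ipsec_sa(ipsec_text)
    active = {s["dir"] for s in sa["sas"] if s.get("status") == "ACTIVE"}
    if active != {"inbound", "outbound"}:
        notes.append("phase 2: ACTIVE ESP SA present only for %s" % (sorted(active) or "neither direction"))
    if not sa.get("encaps") or not sa.get("decaps"):
        notes.append("no traffic in both directions yet (encaps=%s, decaps=%s)"
                     % (sa.get("encaps", 0), sa.get("decaps", 0)))
    healthy = not notes
    if sa.get("send_errors"):
        notes.append("warning: %d send error(s); one is normal for the packet that triggered IKE "
                     "and was dropped while the SAs were being built" % sa["send_errors"])
    for s in sa["sas"]:
        if "sec_left" in s and s["sec_left"] < 60:
            notes.append("warning: %s SA %s rekeys in %d s" % (s["dir"], s.get("spi"), s["sec_left"]))
    return healthy, notes


if __name__ == "__main__":
    ok, notes = assess(ISAKMP_SA, IPSEC_SA)
    print("tunnel healthy:", ok)
    for n in notes:
        print(" -", n)
```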

LAB 03 Configure site-site GRE/IPsec tunnel

[Topology diagram: Site 1 (10.0.1.0/24, host 10.0.1.12) - R1 F0/0 172.30.1.1 - GRE/IPsec tunnel - F0/0 172.30.1.2 R6 - Site 2 (10.0.6.0/24, host 10.0.6.12); end hosts labelled A and B]

Task 1: Configure the interfaces as per the topology diagram. Here the end hosts are represented by loopback interfaces with the respective IP addresses on the routers.

Task 2:
- Configure an IPsec site-to-site tunnel between R1 and R6, using the f0/0 interface IP addresses as the peer addresses.
- Use "netmetric" as the pre-shared key for authentication, and 3DES/MD5 as the encryption and hashing algorithms for both IPsec phases.
- Create a GRE tunnel between R1 and R6 and encrypt all GRE traffic between R1 and R6 with IPsec. Assign the tunnel IP addresses from the 172.16.1.0/24 network.

ISAKMP Parameters
  Authentication: Pre-shared
  Encryption: 3DES
  Group: 2
  Hash: MD5
  Pre-Shared Key: netmetric
IPSec Parameters
  Encryption: ESP-3DES
  Authentication: ESP-MD5-HMAC

- Protect traffic between site 1 (10.0.1.0/24 on the R1 network) and site 2 (10.0.6.0/24 on the R6 network).

Task 3: Verify the task.

Task 1: Configure the interfaces as per the topology diagram. Here the end hosts are represented by loopback interfaces with the respective IP addresses on the routers.

Step1: Apply the basic configuration on R1 as per the topology diagram.

R1(config)#interface f0/0
R1(config-if)#ip address 172.30.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.0.1.12 255.255.255.255
R1(config-if)#no shut
R1(config-if)#exit

Step2: Apply the basic configuration on R6 as per the topology diagram.

R6(config)#interface f0/0
R6(config-if)#ip address 172.30.1.2 255.255.255.0
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#interface loopback0
R6(config-if)#ip address 10.0.6.12 255.255.255.255
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#

Step3: Check the connectivity between R1 and R6.

R6#ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2:

Step1.1: Enable ISAKMP on R1.

R1(config)#crypto isakmp enable

Step1.2: Create ISAKMP Policy with the given parameters on R1.

R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#

Step1.3: Check the ISAKMP policy configuration.

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Step1.4: Configure ISAKMP identity as address.

R1(config)#crypto isakmp identity address

Step1.5: Configure the pre-shared key “netmetric” with the R6 address as the peer.

R1(config)#crypto isakmp key netmetric address 172.30.1.2

Step1.6: Configure the IPsec transform set on R1 with the given parameters.

R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#

Step1.7: Configure the crypto ACL to match the interesting traffic for encryption as given.

R1(config)#ip access-list extended 103
R1(config-ext-nacl)#permit gre host 172.30.1.1 host 172.30.1.2
R1(config-ext-nacl)#exit
R1(config)#

Step1.8: Configure the crypto map.

R1(config)#crypto map mymap 110 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address 103
R1(config-crypto-map)#set peer 172.30.1.2
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#exit
R1(config)#

Step1.9: Configure a GRE tunnel on R1 and apply the crypto map to tunnel0.

R1(config)# interface tunnel 0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# tunnel source f0/0
R1(config-if)# tunnel destination 172.30.1.2
R1(config-if)# crypto map mymap
R1(config-if)# no shutdown
R1(config-if)# exit
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step1.10: Apply the crypto map on the outside interface f0/0 of R1 as well. (Older IOS releases required the crypto map on both the tunnel interface and the physical interface; on current releases the physical interface alone is sufficient.)

R1(config)#interface f0/0
R1(config-if)#crypto map mymap
R1(config-if)#exit
R1(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step1.11: Check the configuration of the crypto map.

R1#show crypto map tag mymap
Crypto Map "mymap" 110 ipsec-isakmp
        Peer = 172.30.1.2
        Extended IP access list 103
            access-list 103 permit gre host 172.30.1.1 host 172.30.1.2
        Current peer: 172.30.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset,
        }
        Interfaces using crypto map mymap:
                Tunnel0
                FastEthernet0/0

Step2.1: Enable ISAKMP on R6.

R6(config)#crypto isakmp enable

Step2.2: Create ISAKMP Policy with the given parameters on R6.

R6(config)#crypto isakmp policy 110
R6(config-isakmp)#encryption 3des
R6(config-isakmp)#hash md5
R6(config-isakmp)#authentication pre-share
R6(config-isakmp)#group 2
R6(config-isakmp)#exit
R6(config)#

Step2.3: Check the ISAKMP policy configuration.

R6#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Step2.4: Configure ISAKMP identity as address.

R6(config)#crypto isakmp identity address

Step2.5: Configure the pre-shared key “netmetric” with the R1 address as the peer.

R6(config)#crypto isakmp key 0 netmetric address 172.30.1.1

Step2.6: Configure the IPsec transform set on R6 with the given parameters.

R6(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R6(cfg-crypto-trans)#mode tunnel
R6(cfg-crypto-trans)#exit

Step2.7: Configure the crypto ACL to match the interesting traffic for encryption as given.

R6(config)#ip access-list extended 103
R6(config-ext-nacl)#permit gre host 172.30.1.2 host 172.30.1.1
R6(config-ext-nacl)#exit
R6(config)#

Step2.8: Configure the crypto map.

R6(config)#crypto map mymap 110 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R6(config-crypto-map)#match address 103
R6(config-crypto-map)#set peer 172.30.1.1
R6(config-crypto-map)#set transform-set myset
R6(config-crypto-map)#exit

Step2.9: Configure a GRE tunnel on R6 and apply the crypto map to tunnel0.

R6(config)# interface tunnel 0
R6(config-if)# ip address 172.16.1.2 255.255.255.0
R6(config-if)# tunnel source f0/0
R6(config-if)# tunnel destination 172.30.1.1
R6(config-if)# crypto map mymap
R6(config-if)# no shutdown
R6(config-if)# exit
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step2.10: Apply the crypto map on the outside interface f0/0 of R6 as well.

R6(config)#interface f0/0
R6(config-if)#crypto map mymap
R6(config-if)#exit
R6(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step2.11: Check the configuration of the crypto map.

R6#sh crypto map tag mymap
Crypto Map "mymap" 110 ipsec-isakmp
        Peer = 172.30.1.1
        Extended IP access list 103
            access-list 103 permit gre host 172.30.1.2 host 172.30.1.1
        Current peer: 172.30.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset,
        }
        Interfaces using crypto map mymap:
                Tunnel0
                FastEthernet0/0

R6#show crypto ipsec transform-set
Transform set myset: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

Step3: On R1, point the route for 10.0.6.0/24 at the GRE tunnel0 interface.

R1(config)#ip route 10.0.6.0 255.255.255.0 tunnel0

Step4: Point 10.0.1.0/24 route to gre tunnel0 on R6.

R6(config)#ip route 10.0.1.0 255.255.255.0 tunnel0

Task4: Verify the task.

NOTE: The VPN tunnel will come up only when the router sees the interesting traffic that is to be encrypted.

Step1: Ping 10.0.1.12 from loopback 0 of R6.

R6# ping 10.0.1.12 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.6.12
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Step2: Check the ISAKMP tunnel status.

R6#show crypto isakmp sa
dst             src             state          conn-id slot status
172.30.1.1      172.30.1.2      QM_IDLE              1    0 ACTIVE

Step3: Check the IPSec tunnel status.

R6# show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   current_peer 172.30.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0xE00A33DD(3758765021)

     inbound esp sas:
      spi: 0x7BB049E(129696926)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4543217/466)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE00A33DD(3758765021)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4543217/465)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel0
    Crypto map tag: mymap, local addr 172.30.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   current_peer 172.30.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0xE00A33DD(3758765021)

     inbound esp sas:
      spi: 0x7BB049E(129696926)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4543217/465)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE00A33DD(3758765021)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4543217/464)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R6#

R1#ping 10.0.6.12 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.30.1.1      172.30.1.2      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1# show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x7BB049E(129696926)

     inbound esp sas:
      spi: 0xE00A33DD(3758765021)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439646/562)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7BB049E(129696926)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439646/543)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel0
    Crypto map tag: mymap, local addr 172.30.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x7BB049E(129696926)

     inbound esp sas:
      spi: 0xE00A33DD(3758765021)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439646/543)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7BB049E(129696926)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439646/542)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
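The two "show crypto ipsec sa" outputs above are what you read to decide whether the tunnel is really carrying traffic in both directions: the encaps/decaps counters must both climb, the send error counter should stay at zero, and each ESP SA must be ACTIVE with lifetime left. The following Python script is an added example, not part of the workbook or of Cisco IOS; it parses that output format and turns those checks into findings. The sample text it builds is constructed from the R6 output above, with the counters left as parameters so that a one-way tunnel can be demonstrated.

```python
import re
from dataclasses import dataclass, field


@dataclass
class EspSa:
    spi: str = ""
    status: str = ""
    remaining_kb: int = 0
    remaining_sec: int = 0


@dataclass
class IpsecEntry:
    interface: str
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    inbound: EspSa = field(default_factory=EspSa)
    outbound: EspSa = field(default_factory=EspSa)


def parse_ipsec_sa(text):
    """Parse 'show crypto ipsec sa' text into one IpsecEntry per 'interface:' block."""
    entries, cur, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface: (\S+)", line):
            cur = IpsecEntry(interface=m.group(1))
            entries.append(cur)
            sa = None
        elif cur is None:
            continue
        elif m := re.match(r"current_peer (\S+)", line):
            cur.peer = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur.decaps = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        elif line.startswith("inbound esp sas"):
            sa = cur.inbound      # the spi/lifetime/Status lines that follow belong here
        elif line.startswith("outbound esp sas"):
            sa = cur.outbound
        elif line.startswith(("inbound ah", "inbound pcp", "outbound ah", "outbound pcp")):
            sa = None             # AH/PCP sections are empty for an ESP-only transform set
        elif sa is not None:
            if m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
                sa.spi = m.group(1)
            elif m := re.search(r"\(k/sec\): \((\d+)/(\d+)\)", line):
                sa.remaining_kb, sa.remaining_sec = int(m.group(1)), int(m.group(2))
            elif m := re.match(r"Status: (\w+)", line):
                sa.status = m.group(1)
    return entries


def check_tunnel_health(entries, min_lifetime_sec=120):
    """Return findings worth alerting on; an empty list means every SA looks healthy."""
    findings = []
    for e in entries:
        tag = f"{e.interface} peer {e.peer}"
        if e.encaps and not e.decaps:
            findings.append(f"{tag}: encrypting but never decrypting; check the peer's crypto ACL and route")
        elif e.decaps and not e.encaps:
            findings.append(f"{tag}: decrypting but never encrypting; check the local crypto ACL and route")
        if e.send_errors:
            findings.append(f"{tag}: {e.send_errors} send errors")
        for name, sa in (("inbound", e.inbound), ("outbound", e.outbound)):
            if sa.status != "ACTIVE":
                findings.append(f"{tag}: {name} ESP SA status is {sa.status or 'missing'}")
            elif sa.remaining_sec < min_lifetime_sec:
                findings.append(f"{tag}: {name} ESP SA rekeys in {sa.remaining_sec}s")
    return findings


def sample_output(encaps=14, decaps=14, send_errors=0):
    """Constructed text in the layout of the R6 output above; counters are parameters."""
    return f"""
interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.2
   local  ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   current_peer 172.30.1.1 port 500
     PERMIT, flags={{origin_is_acl,}}
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #send errors {send_errors}, #recv errors 0
     current outbound spi: 0xE00A33DD(3758765021)
     inbound esp sas:
      spi: 0x7BB049E(129696926)
        sa timing: remaining key lifetime (k/sec): (4543217/466)
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xE00A33DD(3758765021)
        sa timing: remaining key lifetime (k/sec): (4543217/465)
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""
```

Run it against the real output captured from the router (for example, fed through a script on the management station) and it is silent for the R6 output above; for the R1 output it reports the single send error, which on a freshly built tunnel is normally the first packet dropped while IKE negotiated. A peer whose counters show encaps climbing while decaps stays at zero is the classic symptom of a crypto ACL that is not a mirror image of the other side's.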


LAB 05 Configure Easy VPN – Remote Router as Client.

[Topology diagram: R6-Client and R1-Server connected over 172.30.1.0/24 (R1 .1, R6 .2 on Fa0/1); host subnets 10.0.1.0 behind R1 and 10.0.6.0 behind R6]

Task 1: Configure the interfaces as per the topology diagram. Here the end hosts are represented by creating a loopback with the respective IPs on the routers.

Task 2: Configure R1 as Easy VPN server with the following requirements.

ISAKMP Parameters
  Authentication: Pre-shared
  Encryption: 3DES
  Group: 2
  Hash: MD5

IPSec Parameters
  Encryption: ESP-3DES
  Authentication: ESP-MD5-HMAC

ISAKMP Client Configuration
  Group Name: R6
  Key: VPNKEY
  Mode: Client

- Use the address pool 10.0.1.100-10.0.1.150 for remote users.
- Enable Xauth against the local user database and create user “cisco” with password “cisco”.
- Only encrypt users’ traffic destined to the subnet 10.0.1.0/24.
- Configure the Client Router R6 to verify the configuration.

Task 3: Verify the task.

Task 1: Configure the interfaces as per the topology diagram. Here the end hosts are represented by creating a loopback with the respective IPs on the routers.

Step1: Configure the basic configuration on R1 as per the topology diagram.

R1(config)#interface f0/0
R1(config-if)#ip address 172.30.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.0.1.12 255.255.255.255
R1(config-if)#no shut
R1(config-if)#exit

Step2: Configure the basic configuration on R6 as per the topology diagram.

R6(config)#interface f0/0
R6(config-if)#ip address 172.30.1.2 255.255.255.0
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#interface loopback0
R6(config-if)#ip address 10.0.6.12 255.255.255.255
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#

Step3: Check the connectivity between R1 and R6.

R6#ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms


Task 2:

Step1.1: Enable ISAKMP on R1.

R1(config)#crypto isakmp enable

Step1.2: Create ISAKMP Policy for Remote VPN client with the given parameters on R1.

R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#

Step1.3: Check the ISAKMP policy configuration.

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Step1.4: Configure ISAKMP identity as address.

R1(config)#crypto isakmp identity address

Step1.5: Configure IPsec Transform set on R1 for Remote VPN client with given parameters.


R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#

Step2: Define Group Policy for Mode Configuration Push on R1.

Step2.1: Configure the split tunnel ACL to match the interesting traffic for encryption as given.

R1(config)#ip access-list extended SPLIT
R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 any
R1(config-ext-nacl)#exit
R1(config)#

Step2.2: Configure the ip address pool for the remote users.

R1(config)# ip local pool Remote-Pool 10.0.1.100 10.0.1.150

Step2.3: Enable the remote group policy lookup via AAA and configure the xauth login credentials.

R1(config)# aaa new-model
R1(config)# aaa authorization network vpn-group local
R1(config)# aaa authentication login vpn-users local
R1(config)# username cisco password 0 cisco

Step2.4: Configure the remote group policy with the name “R6”, specify the ISAKMP pre-shared key “VPNKEY”, specify the IP address pool for remote users and add the split tunnel ACL for selective traffic encryption.

R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# acl SPLIT

Step2.5: Configure a dynamic crypto map with RRI and the IPsec transform set.

R1(config)# crypto dynamic-map dmap 10
R1(config-crypto-map)# set transform-set myset
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# end

Step3: Apply Mode Configuration and XAUTH.


Step3.1: Configure the router to respond to mode configuration requests.

R1(config)# crypto map mymap client configuration address respond

Step3.2: Enable IKE querying for a group policy.

R1(config)# crypto map mymap isakmp authorization list vpn-group

Step3.3: Enforce XAUTH and apply the dynamic crypto map to the crypto map.

R1(config)# crypto map mymap client authentication list vpn-users
R1(config)# crypto map mymap 65535 ipsec-isakmp dynamic dmap

Step4: Apply the Crypto Map to R1 outside interface.

R1(config)# interface f0/0
R1(config-if)# crypto map mymap
R1(config-if)# end

Step5: Verify the crypto map configuration.

R1# show crypto map interface fastEthernet 0/0
Crypto Map "mymap" 65535 ipsec-isakmp
        Dynamic map template tag: dmap
        Interfaces using crypto map mymap:
                FastEthernet0/0

Step6: Configure the client router R6 to verify the task.

Step6.1: Configure the Cisco Easy VPN client profile.

R6(config)# crypto ipsec client ezvpn R6-Client
R6(config-crypto-ezvpn)# group R6 key VPNKEY
R6(config-crypto-ezvpn)# peer 172.30.1.2
R6(config-crypto-ezvpn)# mode client
R6(config-crypto-ezvpn)# connect auto
R6(config-crypto-ezvpn)# end

Step6.2: Assign Cisco Easy VPN Remote to the interfaces in the respective directions.

R6(config)# interface FastEthernet 0/1
R6(config-if)# crypto ipsec client ezvpn R6-Client outside
R6(config-if)# exit
R6(config)# interface Loopback0
R6(config-if)# crypto ipsec client ezvpn R6-Client inside
R6(config-if)# end

Step6.3: Configure XAUTH username and password.

R6(config)# crypto ipsec client ezvpn R6-Client
R6(config-crypto-ezvpn)# username cisco password 0 cisco
R6(config-crypto-ezvpn)# end

Task 3:

Step1: Initiate the VPN tunnel (Xauth) from R6.

R6(config-crypto-ezvpn)# end
*Mar 1 03:11:26.495: EZVPN(remote): Pending XAuth Request, Please enter the following command:
*Mar 1 03:11:26.495: EZVPN: crypto ipsec client ezvpn xauth
R6# crypto ipsec client ezvpn xauth
Username: cisco
Password: cisco
R6#
*Mar 1 03:11:34.823: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=R6 Client_public_addr=172.30.1.2 Server_public_addr=172.30.1.1 Assigned_client_addr=10.0.1.102
*Mar 1 03:11:36.363: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
*Mar 1 03:11:37.363: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up

Step2: Check the Crypto ipsec client ezvpn status on R6.

R6# show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 10.0.1.102
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 10.0.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 172.30.1.1

NOTE: The VPN tunnel will show as up, but it encrypts packets only when the router sees the interesting traffic that is to be encrypted.

Step3: Ping 10.0.1.12 from loopback 0 of R6.

R6# ping 10.0.1.12 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.6.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/40/92 ms

Step4: Check the ISAKMP tunnel status.

R6# show crypto isakmp sa
dst             src             state          conn-id slot status
172.30.1.1      172.30.1.2      QM_IDLE             22    0 ACTIVE

Step5: Check the IPSec tunnel status.

R6# show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 172.30.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.102/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.30.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x191189C2(420579778)

     inbound esp sas:
      spi: 0x17D001E4(399507940)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4549679/3294)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x191189C2(420579778)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4549679/3293)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


LAB 06 Configure Easy VPN – Remote PC as Client

[Topology diagram: PC-Client and R1-Server connected over 172.30.1.0/24 (R1 .1, PC .2); host subnet 10.0.1.0 behind R1]

Task 1: Configure the interfaces as per the topology diagram. Here the end hosts are represented by creating a loopback with the respective IPs on the routers.

Task 2: Configure R1 as Easy VPN server with the following requirements.

ISAKMP Parameters
  Authentication: Pre-shared
  Encryption: 3DES
  Group: 2
  Hash: MD5

IPSec Parameters
  Encryption: ESP-3DES
  Authentication: ESP-MD5-HMAC

ISAKMP Client Configuration
  Group Name: R6
  Key: VPNKEY
  Mode: Client

- Use the address pool 10.0.1.100-10.0.1.150 for remote users.
- Enable Xauth against the local user database and create user “cisco” with password “cisco”.
- Only encrypt users’ traffic destined to the subnet 10.0.1.0/24.
- Configure the client PC with the Cisco VPN client and verify the configuration.

Task 3: Verify the task.

Task 1: Configure the interfaces as per the topology diagram. Here the end hosts are represented by creating a loopback with the respective IPs on the routers.

Step1: Configure the basic configuration on R1 as per the topology diagram.

R1(config)#interface f0/0
R1(config-if)#ip address 172.30.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.0.1.12 255.255.255.255
R1(config-if)#no shut
R1(config-if)#exit

Step2: Configure the basic configuration on PC as per the topology diagram.

C:\Documents and Settings\Administrator> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.30.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.30.1.1

Step3: Check the connectivity between R1 and PC.

C:\Documents and Settings\Administrator> ping 172.30.1.1

Pinging 172.30.1.1 with 32 bytes of data:

Reply from 172.30.1.1: bytes=32 time=54ms TTL=255
Reply from 172.30.1.1: bytes=32 time=16ms TTL=255
Reply from 172.30.1.1: bytes=32 time=28ms TTL=255
Reply from 172.30.1.1: bytes=32 time=4ms TTL=255

Ping statistics for 172.30.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 54ms, Average = 25ms

Task 2:

Step1.1: Enable ISAKMP on R1.

R1(config)#crypto isakmp enable

Step1.2: Create ISAKMP Policy for Remote VPN client with the given parameters on R1.

R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#

Step1.3: Check the ISAKMP policy configuration.

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
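The protection suite printed by "show crypto isakmp policy" here and in Lab 05 uses the parameters the task prescribes (3DES, MD5, DH group 2); in a production audit those are the values you would want flagged, since 3DES, MD5 and 1024-bit Diffie-Hellman are all deprecated. The following Python checker is an added example, not part of the workbook or of Cisco IOS: it parses that output format and grades each suite against thresholds that are assumptions of the example (rejecting DES/3DES and MD5/SHA-1, requiring at least a 2048-bit DH group, capping the IKE SA lifetime at one day). The priority 110 suite in the sample is the one shown above; the priority 200 suite is constructed to show a passing policy.

```python
import re

# Thresholds of this added checker (assumptions of the example, not Cisco
# defaults): DES/3DES and MD5/SHA-1 are rejected, the DH group must be at
# least 2048 bits, and the IKE SA lifetime must not exceed one day.
MIN_DH_BITS = 2048
MAX_LIFETIME_SEC = 86400


def parse_isakmp_policies(text):
    """Return {priority: {field: value}} for each suite in 'show crypto isakmp policy'."""
    policies, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Protection suite of priority (\d+)", line):
            cur = policies.setdefault(int(m.group(1)), {})
        elif line.startswith("Default protection suite"):
            cur = policies.setdefault("default", {})
        elif cur is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            cur[key] = value
    return policies


def grade_policy(fields):
    """Return the weaknesses of one suite; an empty list means it passes."""
    findings = []
    enc = fields.get("encryption algorithm", "")
    if re.search(r"\bDES\b", enc):                # matches 'DES' and 'Three key triple DES'
        findings.append(f"encryption '{enc}' is deprecated; use AES")
    digest = fields.get("hash algorithm", "")
    if digest in ("Message Digest 5", "Secure Hash Standard"):   # MD5 / SHA-1
        findings.append(f"hash '{digest}' is deprecated; use SHA-2")
    m = re.search(r"\((\d+) bit\)", fields.get("Diffie-Hellman group", ""))
    bits = int(m.group(1)) if m else 0
    if bits < MIN_DH_BITS:
        findings.append(f"DH group of {bits} bits is below {MIN_DH_BITS}")
    m = re.match(r"(\d+) seconds", fields.get("lifetime", ""))
    if m and int(m.group(1)) > MAX_LIFETIME_SEC:
        findings.append(f"lifetime {m.group(1)}s exceeds {MAX_LIFETIME_SEC}s")
    return findings


def grade_all(text):
    """Map each suite priority to its list of findings."""
    return {prio: grade_policy(fields) for prio, fields in parse_isakmp_policies(text).items()}


# Priority 110 is the suite shown in the lab output above; priority 200 is a
# constructed suite that passes the thresholds.
SAMPLE = """\
Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 200
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (256 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
"""

if __name__ == "__main__":
    for prio, findings in grade_all(SAMPLE).items():
        print(prio, findings or ["ok"])
```

The priority number matters for more than ordering: IKE offers suites in ascending priority, and the responder accepts the first one both sides share, so a weak suite with a low number is the one that gets used even when a stronger one is also configured.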

Step1.4: Configure ISAKMP identity as address.

R1(config)#crypto isakmp identity address


Step1.5: Configure IPsec Transform set on R1 for Remote VPN client with given parameters.

R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#

Step2: Define Group Policy for Mode Configuration Push on R1.

Step2.1: Configure the split tunnel ACL to match the interesting traffic for encryption as given.

R1(config)#ip access-list extended SPLIT
R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 any
R1(config-ext-nacl)#exit
R1(config)#

Step2.2: Configure the ip address pool for the remote users.

R1(config)# ip local pool Remote-Pool 10.0.1.100 10.0.1.150

Step2.3: Enable the remote group policy lookup via AAA and configure the xauth login credentials.

R1(config)# aaa new-model
R1(config)# aaa authorization network vpn-group local
R1(config)# aaa authentication login vpn-users local
R1(config)# username cisco password 0 cisco

Step2.4: Configure the remote group policy with the name “R6”, specify the ISAKMP pre-shared key “VPNKEY”, specify the IP address pool for remote users and add the split tunnel ACL for selective traffic encryption.

R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# acl SPLIT

Step2.5: Configure a dynamic crypto map with RRI and the IPsec transform set.

R1(config)# crypto dynamic-map dmap 10
R1(config-crypto-map)# set transform-set myset
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# end

Step3: Apply Mode Configuration and XAUTH.

Step3.1: Configure the router to respond to mode configuration requests.

R1(config)# crypto map mymap client configuration address respond

Step3.2: Enable IKE querying for a group policy.

R1(config)# crypto map mymap isakmp authorization list vpn-group

Step3.3: Enforce XAUTH and apply the dynamic crypto map to the crypto map.

R1(config)# crypto map mymap client authentication list vpn-users
R1(config)# crypto map mymap 65535 ipsec-isakmp dynamic dmap

Step4: Apply the Crypto Map to R1 outside interface.

R1(config)# interface f0/0
R1(config-if)# crypto map mymap
R1(config-if)# end

Step5: Verify the crypto map configuration.

R1# show crypto map interface fastEthernet 0/0
Crypto Map "mymap" 65535 ipsec-isakmp
        Dynamic map template tag: dmap
        Interfaces using crypto map mymap:
                FastEthernet0/0

Step6: Configure the client PC with the Cisco VPN client and verify the task.


Step6.1: Install the Cisco Easy VPN Client on the client PC.

Step6.2: Configure the Cisco Easy VPN Client with the correct credentials as shown.

Task 3:

Step1: Initiate the VPN tunnel and give the xauth credentials on prompt.


Step2: Check the Crypto ipsec client ezvpn status.


NOTE: The VPN tunnel will show as up, but it encrypts packets only when the router sees the interesting traffic that is to be encrypted.

Step3: Ping 10.0.1.12 from PC.


Step5: Create a loopback100 on R1 with the IP address 100.100.100.100 to check the split tunnel ACL. When the PC pings 100.100.100.100, the VPN tunnel should bypass this traffic.
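What the client does with a given destination is decided by the split-tunnel list the server pushed (the SPLIT ACL in Step2.1), which is exactly what "show crypto ipsec client ezvpn" prints in Lab 05 above, and what the 100.100.100.100 test here exercises. The following Python script is an added example, not part of the workbook or of Cisco IOS: it parses that status output (the sample is the R6 output from Lab 05, reproduced as constructed input) and classifies destinations the way the client's policy does, so the expected result of Step3 (10.0.1.12 encrypted) and Step5 (100.100.100.100 in the clear) can be checked before touching the router.

```python
import ipaddress
import re


def parse_ezvpn_status(text):
    """Extract state, assigned address, peer and the pushed split-tunnel
    networks from 'show crypto ipsec client ezvpn' output."""
    status = {"state": None, "address": None, "peer": None, "split": []}
    in_split, pending = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Split Tunnel List"):
            in_split = True
            continue
        if line.startswith("Current EzVPN Peer"):
            in_split = False
        if in_split:
            # Each list entry is an 'Address :' line followed by its 'Mask :' line.
            if m := re.match(r"Address\s*:\s*(\S+)", line):
                pending = m.group(1)
            elif (m := re.match(r"Mask\s*:\s*(\S+)", line)) and pending:
                status["split"].append(ipaddress.ip_network(f"{pending}/{m.group(1)}", strict=False))
                pending = None
            continue
        if m := re.match(r"Current State:\s*(\S+)", line):
            status["state"] = m.group(1)
        elif m := re.match(r"Address:\s*(\S+)", line):
            status["address"] = m.group(1)          # address assigned from the server pool
        elif m := re.match(r"Current EzVPN Peer:\s*(\S+)", line):
            status["peer"] = m.group(1)
    return status


def classify(status, dst):
    """Say what the Easy VPN client does with a packet to dst:
    'encrypt' (sent through the tunnel), 'bypass' (sent in the clear) or 'tunnel-down'."""
    if status["state"] != "IPSEC_ACTIVE":
        return "tunnel-down"
    if not status["split"]:
        return "encrypt"      # no split list pushed: all traffic goes to the peer
    if any(ipaddress.ip_address(dst) in net for net in status["split"]):
        return "encrypt"
    return "bypass"


# Constructed from the R6 'show crypto ipsec client ezvpn' output in Lab 05.
SAMPLE = """\
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 10.0.1.102
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 10.0.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 172.30.1.1
"""

if __name__ == "__main__":
    st = parse_ezvpn_status(SAMPLE)
    for dst in ("10.0.1.12", "100.100.100.100"):
        print(dst, classify(st, dst))
```

The bypass branch is the security-relevant one: every destination outside the pushed list leaves the client unencrypted and unfiltered by the VPN server, so the split list should be as narrow as the task allows.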


Task5: Configure NAT so that hosts on the dmz going to the outside have their addresses translated to the outside interface address, i.e. PAT.

Step1: On ASA1, configure the global PAT address and the local NAT rule for the dmz.

ASA1(config)#global (outside) 2 interface
INFO: outside interface address added to PAT pool
ASA1(config)#nat (dmz) 2 172.16.1.0 255.255.255.0
ASA1(config)#

Step2: Verify the configuration

ASA1(config)#show run global
global (outside) 1 192.168.1.10-192.168.1.20
global (outside) 2 interface
global (dmz) 1 172.16.1.12

ASA1(config)#show run nat
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz) 2 172.16.1.0 255.255.255.0

Step3: On ASA1, configure an inbound access-list allowing only ICMP and telnet traffic from the dmz.

ASA1(config)#access-list DMZ_OUT permit tcp 172.16.1.0 255.255.255.0 any eq telnet
ASA1(config)#access-list DMZ_OUT permit icmp any any
ASA1(config)#access-group DMZ_OUT in interface dmz

Step4: Configure line VTY and the “enable password” on R1.

R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password cisco
R1(config-line)#exit
R1(config)#enable password cisco


Step5: Initiate a telnet session from R2 to R1 to verify the IP address translation as per Task5.

R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password: cisco
R1>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:43:07
*194 vty 0                idle                 00:00:00   192.168.1.2

  Interface    User               Mode         Idle     Peer Address
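The DMZ_OUT list in Step3 is evaluated top to bottom, the first matching entry wins, and anything that matches no entry hits the implicit deny at the end; ASA access-lists also take a real subnet mask, not the wildcard mask IOS uses. The following Python script is an added example, not part of the workbook or of the ASA software: it models that evaluation for the two entries above and runs a few constructed flows through it, which is a quick way to confirm what the list allows (R2's telnet and ping) and what it silently drops (anything else from the dmz) before the access-group is applied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # 'eq <port>' on the destination; None = any port


ANY = ipaddress.ip_network("0.0.0.0/0")


def network(addr, mask="255.255.255.255"):
    """ASA ACL syntax: an address with a real subnet mask, or the keyword 'any'."""
    if addr == "any":
        return ANY
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


# The DMZ_OUT list from Step3 above, as parsed entries (telnet is TCP port 23).
DMZ_OUT = [
    Ace("permit", "tcp", network("172.16.1.0", "255.255.255.0"), ANY, 23),
    Ace("permit", "icmp", ANY, ANY),
]


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Return (action, index) of the first matching entry, or ("deny", None)
    when nothing matched and the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, i
    return "deny", None


# Constructed flows: R2 (172.16.1.2 on the dmz) toward R1 (192.168.1.1 outside),
# plus a host outside the dmz subnet that should never be allowed through.
SAMPLE_FLOWS = [
    ("tcp", "172.16.1.2", "192.168.1.1", 23),    # Step5 telnet
    ("icmp", "172.16.1.2", "192.168.1.1", None),  # ping
    ("tcp", "172.16.1.2", "192.168.1.1", 80),    # HTTP is not in the list
    ("tcp", "172.16.2.5", "192.168.1.1", 23),    # wrong source subnet
]


def audit(acl, flows):
    """Evaluate every flow and return [(flow, action, matched_index)]."""
    return [(flow, *evaluate(acl, *flow)) for flow in flows]


if __name__ == "__main__":
    for flow, action, idx in audit(DMZ_OUT, SAMPLE_FLOWS):
        print(flow, "->", action, "(implicit deny)" if idx is None else f"(line {idx + 1})")
```

Note that the ICMP entry permits any source, not only the dmz subnet; on a real deployment the source would normally be narrowed to 172.16.1.0/24 in the same way as the telnet entry.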


LAB 02 Configure Static NAT and PAT

[Topology diagram: ASA1 interfaces E 0/0 (outside), E 0/1 (inside) and E 0/2 (dmz); devices R1 (F 0/0, F 0/1), PC1, INTERNET and R2 (F 0/0)]

NOTE: Before you move further, verify and clear any existing NAT translations configured on the security appliance.

ASA1(config)#clear configure nat
ASA1(config)#clear configure global
ASA1(config)#clear configure static

ASA1(config)#show run nat
ASA1(config)#show run global
ASA1(config)#show run static

Task1: Configure static NAT such that the IP address 10.0.1.10 is translated to 192.168.1.10 when this host goes outside.

Task2: Configure static PAT so that a telnet session initiated from PC1 to the inside interface of ASA1 is redirected to the R2 telnet server.

Task3: Configure static PAT such that connections to port 8080 from PC1 to the inside interface of ASA1 are redirected to the R1 web server.

Task1: Configure static NAT such that the IP address 10.0.1.10 is translated to 192.168.1.10 when this host goes outside.

Step1: Configure a static NAT rule on ASA1 and verify the configuration.

ASA1(config)#static (inside,outside) 192.168.1.10 10.0.1.10

ASA1(config)#show nat

NAT policies on Interface inside:
  match ip inside host 10.0.1.10 outside any
    static translation to 192.168.1.10
    translate_hits = 1, untranslate_hits = 0

Step2: Now verify the configuration by establishing a telnet session from PC1 to R1.

C:\Documents and Settings\netmetric>telnet 192.168.1.1

User Access Verification

Password: cisco
R1>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 02:33:06
*194 vty 0                idle                 00:00:00   192.168.1.10

  Interface    User               Mode         Idle     Peer Address

Step3: On ASA1, verify the translation table.

ASA1(config)#show xlate
1 in use, 1 most used
Global 192.168.1.10 Local 10.0.1.10


Task2: Configure Static PAT so that the telnet session initiated from PC1 to the inside interface of ASA1 is redirected to R2 telnet server.

Step1: Configure a static PAT rule on ASA1 and verify the configuration.

ASA1(config)#static (dmz,inside) tcp interface 23 172.16.1.2 23

ASA1(config)#show nat

NAT policies on Interface inside:
  match ip inside host 10.0.1.10 outside any
    static translation to 192.168.1.10
    translate_hits = 1, untranslate_hits = 0

NAT policies on Interface dmz:
  match tcp dmz host 172.16.1.2 eq 23 inside any
    static translation to 10.0.1.1/23
    translate_hits = 0, untranslate_hits = 2

ASA1(config)#show xlate
2 in use, 2 most used
PAT Global 10.0.1.1(23) Local 172.16.1.2(23)
Global 192.168.1.10 Local 10.0.1.10

Step2: Initiate a telnet session from PC1 to 10.0.1.1 (redirected to R2) for verification.


C:\Documents and Settings\netmetric>telnet 10.0.1.1

User Access Verification

Password: cisco
R2>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 01:57:16
* 66 vty 0                idle                 00:00:00   10.0.1.10

  Interface    User               Mode         Idle     Peer Address

Task3: Configure static PAT such that connections to port 8080 from PC1 to the inside interface of ASA1 are redirected to the R1 web server.

Step1: Configure the static PAT on ASA1 and verify the configuration.

ASA1(config)#static (outside,inside) tcp interface 8080 192.168.1.1 80

ASA1(config)#show nat

NAT policies on Interface outside:
  match tcp outside host 192.168.1.1 eq 80 inside any
    static translation to 10.0.1.1/8080
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface inside:
  match ip inside host 10.0.1.10 outside any
    static translation to 192.168.1.10
    translate_hits = 1, untranslate_hits = 0

NAT policies on Interface dmz:
  match tcp dmz host 172.16.1.2 eq 23 inside any
    static translation to 10.0.1.1/23
    translate_hits = 0, untranslate_hits = 3


ASA1(config)#show xlate
3 in use, 3 most used
PAT Global 10.0.1.1(23) Local 172.16.1.2(23)
PAT Global 10.0.1.1(8080) Local 192.168.1.1(80)
Global 192.168.1.10 Local 10.0.1.10
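The three static entries above behave differently depending on direction: a plain static NAT (Task1) rewrites the inside host's address for any protocol, while the two static PAT entries (Task2 and Task3) only claim one TCP port of the inside interface address and hand the connection to a different real host, which is why the same address 10.0.1.1 serves telnet from R2 and HTTP from R1. The following Python model is an added example, not part of the workbook or of the ASA software: it holds the three entries from this lab (with the "interface" keyword resolved to 10.0.1.1, the inside address shown in the "show nat" output) and resolves connections in both directions the way the xlate table does. The translate/untranslate/overlapping function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Interface addresses as they appear in the 'show nat' output above; the
# 'interface' keyword of a static command resolves to the mapped interface's IP.
INTERFACE_IP = {"inside": "10.0.1.1"}


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None       # None = plain static NAT (all protocols/ports)
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def static(real_if, mapped_if, mapped_ip, real_ip, proto=None, mapped_port=None, real_port=None):
    """Mirror of 'static (real,mapped) [proto] mapped_ip mapped_port real_ip real_port'."""
    if mapped_ip == "interface":
        mapped_ip = INTERFACE_IP[mapped_if]
    return Static(real_if, mapped_if, mapped_ip, real_ip, proto, mapped_port, real_port)


# The three entries configured in Task1, Task2 and Task3 of this lab.
RULES = [
    static("inside", "outside", "192.168.1.10", "10.0.1.10"),
    static("dmz", "inside", "interface", "172.16.1.2", "tcp", 23, 23),
    static("outside", "inside", "interface", "192.168.1.1", "tcp", 8080, 80),
]


def untranslate(rules, arriving_if, dst_ip, proto=None, dst_port=None):
    """A connection arrives on arriving_if toward dst_ip[:dst_port].
    Return (real_if, real_ip, real_port) for the first matching entry, else None."""
    for r in rules:
        if r.mapped_if != arriving_if or r.mapped_ip != dst_ip:
            continue
        if r.proto is None:                      # static NAT: any protocol, port unchanged
            return r.real_if, r.real_ip, dst_port
        if r.proto == proto and r.mapped_port == dst_port:
            return r.real_if, r.real_ip, r.real_port
    return None


def translate(rules, from_if, src_ip, proto=None, src_port=None):
    """Outbound direction: real host src_ip on from_if opens a connection.
    Return (mapped_if, mapped_ip, mapped_port) or None when no static entry applies."""
    for r in rules:
        if r.real_if != from_if or r.real_ip != src_ip:
            continue
        if r.proto is None:
            return r.mapped_if, r.mapped_ip, src_port
        if r.proto == proto and r.real_port == src_port:
            return r.mapped_if, r.mapped_ip, r.mapped_port
    return None


def xlate_lines(rules):
    """Render the entries the way 'show xlate' lists them."""
    lines = []
    for r in rules:
        if r.proto is None:
            lines.append(f"Global {r.mapped_ip} Local {r.real_ip}")
        else:
            lines.append(f"PAT Global {r.mapped_ip}({r.mapped_port}) Local {r.real_ip}({r.real_port})")
    return lines


def overlapping(rules):
    """Return (earlier, later) pairs that claim the same mapped interface, address,
    protocol and port: the later one can never be reached by untranslate()."""
    seen, clashes = {}, []
    for r in rules:
        key = (r.mapped_if, r.mapped_ip, r.proto, r.mapped_port)
        if key in seen:
            clashes.append((seen[key], r))
        seen.setdefault(key, r)
    return clashes


if __name__ == "__main__":
    print(untranslate(RULES, "inside", "10.0.1.1", "tcp", 23))     # PC1 telnet -> R2
    print(untranslate(RULES, "inside", "10.0.1.1", "tcp", 8080))   # PC1 :8080 -> R1 web
    print(translate(RULES, "inside", "10.0.1.10", "tcp", 40000))   # Task1 outbound
    print("\n".join(xlate_lines(RULES)))
```

A port on the inside interface address that no static entry claims (SSH, for instance) resolves to None here; on the appliance such a connection is simply handled by the ASA itself or dropped, which is the property that makes port-based static PAT safer than exposing a whole host.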

Step2: Configure the http/web server on R1

R1(config)#ip http server

Step3: Open the web browser at http://10.0.1.1:8080 from PC1; the password for the session is “cisco”


Step4: Enter the enable privilege password as “cisco”

NOTE: On successful authentication you should be able to access SDM or the configuration on R1


LAB 03 Configure Dynamic Policy NAT

[Topology diagram: INTERNET - R1 F0/1; R1 F0/0 - E0/0 (outside) ASA1 E0/1 (inside) - PC1; ASA1 E0/2 (dmz) - F0/0 R2]


NOTE: Before you move further, verify and clear any existing NAT translations configured on the security appliance.

ASA1(config)#clear configure nat
ASA1(config)#clear configure global
ASA1(config)#clear configure static

ASA1(config)#show run nat
ASA1(config)#show run global
ASA1(config)#show run static

Task1: Configure the security appliance so that ICMP packets going from inside to outside are translated to the IP address 192.168.1.10 (PAT)

Task2: Configure the security appliance so that telnet packets going from inside to outside are translated to the IP address 192.168.1.11 (PAT)

Task3: Configure the security appliance so that traffic other than ICMP and telnet uses the outside interface IP address when going from inside to outside

Task1: Configure the security appliance so that ICMP packets going from inside to outside are translated to the IP address 192.168.1.10 (PAT)

Step1: Configure the access-list policies on ASA1

ASA1(config)#access-list ICM permit icmp any any

Step2: Configure the local NAT rule and global pool on ASA1 and verify them

ASA1(config)#nat (inside) 1 access-list ICM

ASA1(config)#global (outside) 1 192.168.1.10
INFO: Global 192.168.1.10 will be Port Address Translated

ASA1(config)#show run nat
nat (inside) 1 access-list ICM


ASA1(config)#show run global
global (outside) 1 192.168.1.10

ASA1(config)#show nat

NAT policies on Interface inside:
  match icmp inside any outside any
    dynamic translation to pool 1 (192.168.1.10)
    translate_hits = 2, untranslate_hits = 1
  match icmp inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match icmp inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

ASA1(config)#show xlate
0 in use, 3 most used

Step3: Verify the task by initiating the ping from PC1 to R1

C:\Documents and Settings\netmetric>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

Step4: Check the destination IP of the ICMP echo replies on R1 using the debug feature


R1#debug ip icmp
ICMP packet debugging is on
R1#
*Sep 2 06:35:11.267: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.10
*Sep 2 06:35:12.259: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.10
*Sep 2 06:35:13.259: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.10
*Sep 2 06:35:14.259: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.10

Step5: Verify the IP translation table

ASA1(config)#show xlate
1 in use, 3 most used
PAT Global 192.168.1.10(3) Local 10.0.1.10 ICMP id 1280

Task2: Configure the security appliance so that telnet packets going from inside to outside are translated to the IP address 192.168.1.11 (PAT)

Step1: Configure the access-list policies on ASA1

ASA1(config)#access-list TLN permit tcp any any eq telnet

Step2: Configure the local NAT rule and global pool on ASA1 and verify them

ASA1(config)#nat (inside) 2 access-list TLN

ASA1(config)#global (outside) 2 192.168.1.11
INFO: Global 192.168.1.11 will be Port Address Translated


ASA1(config)#show run nat
nat (inside) 1 access-list ICM
nat (inside) 2 access-list TLN

ASA1(config)#show run global
global (outside) 1 192.168.1.10
global (outside) 2 192.168.1.11

ASA1(config)#show nat

NAT policies on Interface inside:
  match icmp inside any outside any
    dynamic translation to pool 1 (192.168.1.10)
    translate_hits = 2, untranslate_hits = 1
  match icmp inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match icmp inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match tcp inside any outside any eq 23
    dynamic translation to pool 2 (192.168.1.11)
    translate_hits = 0, untranslate_hits = 0
  match tcp inside any inside any eq 23
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match tcp inside any dmz any eq 23
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0

ASA1(config)#show xlate
0 in use, 3 most used

Step3: Verify the task by initiating a telnet session from PC1 to R1


C:\Documents and Settings\netmetric>telnet 192.168.1.1

User Access Verification

Password: cisco

R1>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:42
*194 vty 0                idle                 00:00:00   192.168.1.11

  Interface    User               Mode         Idle     Peer Address

Step4: Verify the IP translation table

ASA1(config)#show xlate
1 in use, 3 most used
PAT Global 192.168.1.11(1024) Local 10.0.1.10(1548)

Task3: Configure the security appliance so that traffic other than ICMP and telnet uses the outside interface IP address when going from inside to outside

Step1: Configure the local NAT rule and global pool on ASA1 and verify the configuration

ASA1(config)#show run nat
nat (inside) 1 access-list ICM
nat (inside) 2 access-list TLN
nat (inside) 3 0.0.0.0 0.0.0.0

ASA1(config)#show run global
global (outside) 1 192.168.1.10
global (outside) 2 192.168.1.11
global (outside) 3 interface


ASA1(config)#show nat

NAT policies on Interface inside:
  match icmp inside any outside any
    dynamic translation to pool 1 (192.168.1.10)
    translate_hits = 2, untranslate_hits = 1
  match icmp inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match icmp inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match tcp inside any outside any eq 23
    dynamic translation to pool 2 (192.168.1.11)
    translate_hits = 0, untranslate_hits = 0
  match tcp inside any inside any eq 23
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match tcp inside any dmz any eq 23
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 3 (192.168.1.2 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 3 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz any
    dynamic translation to pool 3 (No matching global)
    translate_hits = 0, untranslate_hits = 0

ASA1(config)#show xlate
0 in use, 3 most used

Step2: Establish a connection with the web browser from PC1 to R1 at http://192.168.1.1 and give the login password “cisco” when prompted

Step3: Enter the enable privilege password “cisco”

NOTE: On successful authentication you should be able to access SDM or the configuration on R1


Step4: On ASA1, verify the outside interface IP (the Global IP) in the IP translation table

ASA1(config)#show xlate
12 in use, 12 most used
PAT Global 192.168.1.2(1035) Local 10.0.1.10(1582)
PAT Global 192.168.1.2(1034) Local 10.0.1.10(1580)
PAT Global 192.168.1.2(1033) Local 10.0.1.10(1578)
PAT Global 192.168.1.2(1032) Local 10.0.1.10(1573)
PAT Global 192.168.1.2(1031) Local 10.0.1.10(1571)
PAT Global 192.168.1.2(1030) Local 10.0.1.10(1569)
PAT Global 192.168.1.2(1029) Local 10.0.1.10(1567)
PAT Global 192.168.1.2(1028) Local 10.0.1.10(1565)
PAT Global 192.168.1.2(1027) Local 10.0.1.10(1563)
PAT Global 192.168.1.2(1026) Local 10.0.1.10(1561)
PAT Global 192.168.1.2(1025) Local 10.0.1.10(1559)
PAT Global 192.168.1.2(1024) Local 10.0.1.10(1557)
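The three verification steps of this lab all come down to reading "show xlate" and checking that each flow left with the mapped address its policy intended. The following Python script is an added example written for this workbook, not part of the original lab or of Cisco's tooling: it parses the entry shapes seen above (ICMP PAT with an ICMP id, TCP PAT, port redirection, static one-to-one) from a constructed sample of "show xlate" output, classifies each entry, and flags any translation whose Global address is outside the set of addresses the NAT design allows. The sample text, the identity entry for 10.0.1.20 and the allowed-address set are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed "show xlate" output in the ASA 7.x/8.0-8.2 format, mixing the entry
# shapes that appear in this lab (ICMP PAT, TCP PAT, port redirection, static
# one-to-one) plus one constructed identity entry for contrast.
SAMPLE_XLATE = """\
6 in use, 12 most used
PAT Global 192.168.1.10(3) Local 10.0.1.10 ICMP id 1280
PAT Global 192.168.1.11(1024) Local 10.0.1.10(1548)
PAT Global 192.168.1.2(1035) Local 10.0.1.10(1582)
PAT Global 10.0.1.1(8080) Local 192.168.1.1(80)
Global 192.168.1.10 Local 10.0.1.10
Global 10.0.1.20 Local 10.0.1.20
"""

XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gip>\d+\.\d+\.\d+\.\d+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>\d+\.\d+\.\d+\.\d+)(?:\((?P<lport>\d+)\))?"
    r"(?: ICMP id (?P<icmpid>\d+))?$")


@dataclass
class Xlate:
    kind: str                   # "static", "pat", "icmp-pat" or "identity"
    global_ip: str
    global_port: Optional[int]  # mapped port, or mapped ICMP id
    local_ip: str
    local_port: Optional[int]   # real port, or real ICMP id


def parse_xlate(text: str) -> List[Xlate]:
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue                        # "N in use" counter line or unrelated text
        gport = int(m["gport"]) if m["gport"] else None
        lport = int(m["lport"]) if m["lport"] else None
        if m["icmpid"]:
            kind, lport = "icmp-pat", int(m["icmpid"])   # the ICMP id plays the role of the real port
        elif m["pat"]:
            kind = "pat"
        elif m["gip"] == m["lip"]:
            kind = "identity"
        else:
            kind = "static"
        entries.append(Xlate(kind, m["gip"], gport, m["lip"], lport))
    return entries


def audit_xlate(text: str, allowed_globals) -> List[Xlate]:
    """Entries whose mapped (Global) address is not one the NAT design allows.
    An inside host appearing with its own private address, or with an address
    from no configured pool, means a flow is leaving differently than intended."""
    return [x for x in parse_xlate(text) if x.global_ip not in allowed_globals]


def count_by_global(text: str) -> dict:
    """How many translations each mapped address currently carries (PAT pressure)."""
    counts = {}
    for x in parse_xlate(text):
        counts[x.global_ip] = counts.get(x.global_ip, 0) + 1
    return counts


if __name__ == "__main__":
    allowed = {"192.168.1.10", "192.168.1.11", "192.168.1.2", "10.0.1.1"}
    for x in parse_xlate(SAMPLE_XLATE):
        print(x)
    print("unexpected:", audit_xlate(SAMPLE_XLATE, allowed))
    print("per global:", count_by_global(SAMPLE_XLATE))
```

Run against the real output of this lab, the audit list should be empty for the three pools plus the inside interface address used by the port redirections; the constructed identity entry is the one that gets flagged.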


LAB 04 Configure Static Policy NAT and PAT

[Topology diagram: INTERNET - R1 F0/1; R1 F0/0 - E0/0 (outside) ASA1 E0/1 (inside) - PC1; ASA1 E0/2 (dmz) - F0/0 R2]

NOTE: Before you move further, verify and clear any existing NAT translations configured on the security appliance.

ASA1(config)#clear configure nat
ASA1(config)#clear configure global
ASA1(config)#clear configure static

ASA1(config)#show run nat
ASA1(config)#show run global
ASA1(config)#show run static

Task1: Configure Static NAT on the security appliance using an access-list such that the IP address assigned to PC1, i.e. 10.0.1.10, is translated to 192.168.1.10 when it goes outside

Task2: Configure Static Policy PAT on the security appliance such that telnet to the inside interface of ASA1 from 10.0.1.0/24 is redirected to the telnet server on router R2 in the DMZ

Task3: Configure Static Policy PAT such that connections to port 8080 on the inside interface of ASA1 from 10.0.1.0/24 are redirected to the web server on router R1

Task1: Configure Static NAT on the security appliance using an access-list such that the IP address assigned to PC1, i.e. 10.0.1.10, is translated to 192.168.1.10 when it goes outside

Step1: Configure the access-list policy on ASA1

ASA1(config)#access-list PC1 permit ip host 10.0.1.10 any

Step2: Configure the static NAT rule on ASA1 and verify the configuration

ASA1(config)#static (inside,outside) 192.168.1.10 access-list PC1

ASA1(config)#show nat

NAT policies on Interface inside:
  match ip inside host 10.0.1.10 outside any
    static translation to 192.168.1.10
    translate_hits = 0, untranslate_hits = 0

Step3: Verify the translation table configuration

ASA1(config)#show xlate
1 in use, 31 most used
Global 192.168.1.10 Local 10.0.1.10

Step4: Verify the task by initiating a telnet session to R1 from PC1

C:\Documents and Settings\netmetric>telnet 192.168.1.1

User Access Verification

Password: cisco

R1>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 02:33:06
*194 vty 0                idle                 00:00:00   192.168.1.10


Task2: Configure Static Policy PAT on the security appliance such that telnet to the inside interface of ASA1 from 10.0.1.0/24 is redirected to the telnet server on router R2 in the DMZ

Step1: Configure the access-list policy on ASA1

ASA1(config)#access-list TLN permit tcp host 172.16.1.2 eq 23 10.0.1.0 255.255.255.0

Step2: Configure the static NAT rule on ASA1

ASA1(config)#static (dmz,inside) tcp interface 23 access-list TLN

Step3: Verify the configuration

ASA1(config)#show nat

NAT policies on Interface dmz:
  match tcp dmz host 172.16.1.2 eq 23 inside 10.0.1.0 255.255.255.0
    static translation to 10.0.1.1/23
    translate_hits = 0, untranslate_hits = 1

Step4: Verify the task by initiating a telnet session from PC1 to 10.0.1.1, i.e. the inside interface of ASA1

C:\Documents and Settings\netmetric>telnet 10.0.1.1

User Access Verification

Password: cisco

R2>show user
    Line       User       Host(s)              Idle       Location
*  66 vty 0                idle                 00:00:00   10.0.1.10

  Interface    User               Mode         Idle     Peer Address


Task3: Configure Static Policy PAT such that connections to port 8080 on the inside interface of ASA1 from 10.0.1.0/24 are redirected to the web server on router R1

Step1: Configure the access-list policy on ASA1

ASA1(config)#access-list WEB permit tcp host 192.168.1.1 eq 80 10.0.1.0 255.255.255.0

Step2: Configure the static NAT rule on ASA1

ASA1(config)#static (outside,inside) tcp interface 8080 access-list WEB

Step3: Verify the configuration

ASA1(config)#show nat

NAT policies on Interface outside:
  match tcp outside host 192.168.1.1 eq 80 inside 10.0.1.0 255.255.255.0
    static translation to 10.0.1.1/8080
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface inside:
  match ip inside host 10.0.1.10 outside any
    static translation to 192.168.1.10
    translate_hits = 1, untranslate_hits = 0

NAT policies on Interface dmz:
  match tcp dmz host 172.16.1.2 eq 23 inside 10.0.1.0 255.255.255.0
    static translation to 10.0.1.1/23
    translate_hits = 0, untranslate_hits = 2

Step4: Verify the translation table


ASA1(config)#show xlate
3 in use, 31 most used
PAT Global 10.0.1.1(23) Local 172.16.1.2(23)
PAT Global 10.0.1.1(8080) Local 192.168.1.1(80)
Global 192.168.1.10 Local 10.0.1.10

Step5: Establish a connection with the web browser from PC1 to http://10.0.1.1:8080 and give the login password “cisco” when prompted

Step6: Enter the enable privilege password “cisco”

NOTE: On successful authentication you should be able to access SDM or the configuration on R1

Step7: On ASA1, verify the connection table

ASA1(config)#show conn
9 in use, 11 most used
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2212 idle 0:00:00 bytes 0 flags aA
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2210 idle 0:00:00 bytes 1773 flags UIO
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2208 idle 0:00:00 bytes 8713 flags UfFRIO
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2206 idle 0:00:00 bytes 13791 flags UIO


LAB 05 Configure Identity NAT, NAT exemption & NAT Control

[Topology diagram: INTERNET - R1 F0/1; R1 F0/0 - E0/0 (outside) ASA1 E0/1 (inside) - PC1; ASA1 E0/2 (dmz) - F0/0 R2]

NOTE: Before you move further, verify and clear any existing NAT translations configured on the security appliance.

ASA1(config)#clear configure nat
ASA1(config)#clear configure global
ASA1(config)#clear configure static


ASA1(config)#show run nat
ASA1(config)#show run global
ASA1(config)#show run static

Task1: Enable NAT control on ASA1

Task2: Configure NAT on ASA1 such that the inside network 10.0.1.0/24 is translated to itself (identity NAT)

Task3: Configure NAT on ASA1 such that R2 is exempted from NAT

Task1: Enable NAT control on ASA1

Step1: Configure NAT-Control on the security appliance and verify the configuration

ASA1(config)#show run nat-control
no nat-control
ASA1(config)#nat-control
ASA1(config)#show run nat-control
nat-control

Step2: Verify the NAT configuration

ASA1(config)#show nat

NAT policies on Interface inside:
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0
  match ip inside any dmz any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface dmz:
  match ip dmz any outside any
    no translation group, implicit deny
    policy_hits = 0


NOTE: After completing the above task, try to initiate a ping request from PC1 to R1; it will fail, because with nat-control enabled no packet may cross the appliance without a matching NAT rule. To restore connectivity we have to configure identity NAT or NAT exemption, which is done in the next task

C:\Documents and Settings\netmetric>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Task2: Configure NAT on ASA1 such that the inside network 10.0.1.0/24 is translated to itself (identity NAT)

Step1: Configure identity NAT rule on ASA1

ASA1(config)#nat (inside) 0 10.0.1.0 255.255.255.0
nat 0 10.0.1.0 will be identity translated for outbound

Step2: Verify the configuration

ASA1(config)#show nat

NAT policies on Interface inside:
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0
  match ip inside any dmz any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface dmz:
  match ip dmz any outside any
    no translation group, implicit deny
    policy_hits = 0

Step3: Verify the task by initiating the ping from PC1 to R1


C:\Documents and Settings\netmetric>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

Step3: Verify the source IP carried in the ICMP packets using the debug feature on R1

R1#debug ip icmp
ICMP packet debugging is on
R1#
*Sep 2 09:11:28.783: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.1.10
*Sep 2 09:11:29.779: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.1.10
*Sep 2 09:11:30.779: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.1.10
*Sep 2 09:11:31.779: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.1.10

Task3: Configure NAT on ASA1 such that R2 is exempted from NAT

Step1: Initiate a ping from R2 to R1, which will fail

R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Step2: Configure the access-list policy and nat rule on ASA1


ASA1(config)#access-list R2 permit ip host 172.16.1.2 any
ASA1(config)#nat (dmz) 0 access-list R2

Step3: Verify the configuration

ASA1(config)#show nat dmz
  match ip dmz host 172.16.1.2 outside any
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip dmz host 172.16.1.2 dmz any
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip dmz any outside any
    no translation group, implicit deny
    policy_hits = 5

Step4: Verify the task by initiating a ping from R2 to R1

R2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Step5: Check the source IP carried in the ICMP packets on R1 using the debug feature

R1#debug ip icmp
ICMP packet debugging is on
R1#
*Sep 2 09:27:04.546: ICMP: echo reply sent, src 192.168.1.1, dst 172.16.1.2
*Sep 2 09:27:04.550: ICMP: echo reply sent, src 192.168.1.1, dst 172.16.1.2
*Sep 2 09:27:04.550: ICMP: echo reply sent, src 192.168.1.1, dst 172.16.1.2
*Sep 2 09:27:04.554: ICMP: echo reply sent, src 192.168.1.1, dst 172.16.1.2
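Lab 03 (policy NAT with three pools) and Lab 05 (nat-control, identity NAT and NAT exemption) are both exercises in the order in which the pre-8.3 security appliance evaluates its NAT rules: NAT exemption first, then static NAT/PAT, then policy dynamic NAT, then regular dynamic NAT (identity NAT is a regular nat 0 rule), and only then does nat-control decide whether an unmatched packet is dropped or passed untranslated. The Python model below is an added example for this workbook, not Cisco code and not part of the original lab: it encodes that order, loads the rule sets of Lab 03 and Lab 05 from this workbook, and reports, for a given flow, which rule wins and what source address leaves the egress interface. The Ace, Flow and NatConfig classes, the "drop" result for a nat id with no matching global, and the interface addresses in IF_IPS (taken from the lab output) are the example's own assumptions; access-lists are reduced to protocol, networks and destination port.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """Simplified access-list entry: protocol, src/dst networks in CIDR form, optional destination port."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Flow:
    src_if: str
    dst_if: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass
class NatConfig:
    nat_control: bool = False
    exempt: List[Tuple[str, List[Ace]]] = field(default_factory=list)        # nat (if) 0 access-list ACL
    static: List[Tuple[str, str, str, str]] = field(default_factory=list)    # static (real,mapped) mapped real_net
    policy: List[Tuple[str, int, List[Ace]]] = field(default_factory=list)   # nat (if) id access-list ACL
    dynamic: List[Tuple[str, int, str]] = field(default_factory=list)        # nat (if) id net; id 0 = identity
    pools: Dict[Tuple[str, int], str] = field(default_factory=dict)          # global (if) id addr | "interface"


def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (ace.proto in ("ip", flow.proto)
            and ip_address(flow.src) in ip_network(ace.src)
            and ip_address(flow.dst) in ip_network(ace.dst)
            and (ace.dport is None or ace.dport == flow.dport))


def _use_pool(cfg: NatConfig, nid: int, flow: Flow, if_ips: Dict[str, str]):
    pool = cfg.pools.get((flow.dst_if, nid))
    if pool is None:
        # The nat id matched but no global exists on the egress interface: this is
        # the "No matching global" entry in show nat; modelled here as a drop
        # (the appliance logs "No translation group found").
        return "drop", None
    return f"pool {nid}", if_ips[flow.dst_if] if pool == "interface" else pool


def translate(cfg: NatConfig, flow: Flow, if_ips: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (decision, source address as it leaves the egress interface).
    Order of operations on ASA 7.x-8.2: exemption, static, policy dynamic,
    regular dynamic (identity NAT included), then nat-control decides."""
    for ifc, acl in cfg.exempt:                                   # 1. nat 0 access-list
        if ifc == flow.src_if and any(ace_matches(a, flow) for a in acl):
            return "exempt", flow.src
    for real_if, mapped_if, mapped, real_net in cfg.static:       # 2. static NAT/PAT
        if (real_if, mapped_if) == (flow.src_if, flow.dst_if) and ip_address(flow.src) in ip_network(real_net):
            return "static", mapped
    for ifc, nid, acl in cfg.policy:                              # 3. policy dynamic NAT, first match wins
        if ifc == flow.src_if and any(ace_matches(a, flow) for a in acl):
            return _use_pool(cfg, nid, flow, if_ips)
    for ifc, nid, net in cfg.dynamic:                             # 4. regular dynamic / identity NAT
        if ifc == flow.src_if and ip_address(flow.src) in ip_network(net):
            return ("identity", flow.src) if nid == 0 else _use_pool(cfg, nid, flow, if_ips)
    return ("drop", None) if cfg.nat_control else ("untranslated", flow.src)   # 5. nothing matched


ANY = "0.0.0.0/0"
IF_IPS = {"outside": "192.168.1.2", "inside": "10.0.1.1"}   # interface addresses seen in the lab output

# Lab 03: two policy PAT pools plus interface PAT for everything else.
LAB03 = NatConfig(
    policy=[("inside", 1, [Ace("icmp", ANY, ANY)]), ("inside", 2, [Ace("tcp", ANY, ANY, 23)])],
    dynamic=[("inside", 3, ANY)],
    pools={("outside", 1): "192.168.1.10", ("outside", 2): "192.168.1.11", ("outside", 3): "interface"})

# Lab 05: nat-control on, identity NAT for the inside subnet, NAT exemption for R2 in the dmz.
LAB05 = NatConfig(
    nat_control=True,
    dynamic=[("inside", 0, "10.0.1.0/24")],
    exempt=[("dmz", [Ace("ip", "172.16.1.2/32", ANY)])])


def pc1_to_r1(proto: str, dport: Optional[int] = None) -> Flow:
    return Flow("inside", "outside", "10.0.1.10", "192.168.1.1", proto, dport)


if __name__ == "__main__":
    for f in (pc1_to_r1("icmp"), pc1_to_r1("tcp", 23), pc1_to_r1("tcp", 80)):
        print("Lab 03", f.proto, f.dport, translate(LAB03, f, IF_IPS))
    print("Lab 05 PC1", translate(LAB05, pc1_to_r1("icmp"), IF_IPS))
    print("Lab 05 R2 ", translate(LAB05, Flow("dmz", "outside", "172.16.1.2", "192.168.1.1", "icmp"), IF_IPS))
```

The model reproduces the outcomes the debug and xlate output above showed: ICMP from PC1 leaves as 192.168.1.10, telnet as 192.168.1.11, HTTP as the outside interface address, PC1 keeps its own address under identity NAT, and R2 is passed untranslated by the exemption while any other dmz host is dropped by nat-control.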


MODULE 04: Object Grouping

Lab 01: Configuring Object Grouping…..…………………………………….. 66


LAB 01 Configuring Object Grouping


Task1: Allow access to the application servers from the outside

NOTE: Use the minimum number of lines possible to accomplish access to these application servers

Task2: Create a service group on ASA1 as

DMZ_SERVICES: HTTP, HTTPS, FTP

and a host/network group as

DMZ_SERVERS: 192.168.1.8, 192.168.1.9, 192.168.1.10

The group names can then be applied to ACLs

Task1: Allow access to the application servers from the outside

NOTE: Use the minimum number of lines possible to accomplish access to these application servers

ASA1(config)#show run static
static (dmz,outside) 192.168.1.8 172.16.1.1 netmask 255.255.255.255
static (dmz,outside) 192.168.1.9 172.16.1.2 netmask 255.255.255.255
static (dmz,outside) 192.168.1.10 172.16.1.3 netmask 255.255.255.255

ASA1(config)#show run access-list
ASA1(config)#access-list 100 permit tcp any host 192.168.1.8 eq http
ASA1(config)#access-list 100 permit tcp any host 192.168.1.8 eq https
ASA1(config)#access-list 100 permit tcp any host 192.168.1.8 eq ftp
ASA1(config)#access-list 100 permit tcp any host 192.168.1.9 eq http
ASA1(config)#access-list 100 permit tcp any host 192.168.1.9 eq https
ASA1(config)#access-list 100 permit tcp any host 192.168.1.9 eq ftp
ASA1(config)#access-list 100 permit tcp any host 192.168.1.10 eq http
ASA1(config)#access-list 100 permit tcp any host 192.168.1.10 eq https
ASA1(config)#access-list 100 permit tcp any host 192.168.1.10 eq ftp


NOTE: Before you move forward, complete the following steps to create object groups and use them in your configuration

1. Specify the type of object group that you want to create and configure a name for the group

2. Define the members of the object group

3. Apply the object group to an ACL

Task2: Create a service group on ASA1 as

DMZ_SERVICES: HTTP, HTTPS, FTP

and a host/network group as

DMZ_SERVERS: 192.168.1.8, 192.168.1.9, 192.168.1.10

The group names can then be applied to ACLs

ASA1(config)#object-group service DMZ_SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq ftp

ASA1(config)#object-group network DMZ_SERVERS
 network-object host 192.168.1.8
 network-object host 192.168.1.9
 network-object host 192.168.1.10

ASA1(config)#access-list 100 permit tcp any object-group DMZ_SERVERS object-group DMZ_SERVICES
ASA1(config)#access-group 100 in interface outside
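The single object-group ACE above is only correct if it expands to exactly the nine lines of Task 1, and that equivalence is what an auditor has to check whenever a group is edited. The Python below is an added example for this workbook, not Cisco tooling and not part of the original lab: it parses object-group stanzas (including group-object nesting, which this lab does not use but real configurations do), expands an access-list line that references groups into the flat ACEs the appliance actually enforces, and compares the result with the nine-line ACL from Task 1. The CONFIG text, the extra ALL_DMZ group with its 192.168.2.0/24 member and the tuple representation of an ACE are constructed for the example.

```python
import re
from itertools import product

# Constructed configuration text: the lab's two object groups, one extra nested
# group (not on the page) to exercise group-object recursion, and the Task 2 ACE.
CONFIG = """\
object-group service DMZ_SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
object-group network DMZ_SERVERS
 network-object host 192.168.1.8
 network-object host 192.168.1.9
 network-object host 192.168.1.10
object-group network ALL_DMZ
 group-object DMZ_SERVERS
 network-object 192.168.2.0 255.255.255.0
access-list 100 permit tcp any object-group DMZ_SERVERS object-group DMZ_SERVICES
"""

# The nine flat lines from Task 1, the reference the expansion must equal.
FLAT_ACL = "\n".join(
    f"access-list 100 permit tcp any host 192.168.1.{h} eq {svc}"
    for h in (8, 9, 10) for svc in ("http", "https", "ftp"))

IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_object_groups(text):
    """Return {name: {"type": "network"|"service", "members": [(kind, value), ...]}}."""
    groups, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"object-group (network|service) (\S+)", raw)
        if m:
            current = groups.setdefault(m.group(2), {"type": m.group(1), "members": []})
            continue
        parts = raw.split()
        if current is None or not parts:
            continue
        if parts[0] == "group-object":
            current["members"].append(("group", parts[1]))
        elif parts[0] == "port-object" and parts[1] == "eq":
            current["members"].append(("port", parts[2]))
        elif parts[0] == "network-object" and parts[1] == "host":
            current["members"].append(("host", parts[2]))
        elif parts[0] == "network-object":
            current["members"].append(("net", f"{parts[1]} {parts[2]}"))
        else:
            current = None   # any other top-level line ends the group stanza
    return groups


def members(groups, name):
    """Flatten a group's members, following group-object nesting."""
    out = []
    for kind, value in groups[name]["members"]:
        out.extend(members(groups, value) if kind == "group" else [value])
    return out


def expand_ace(line, groups):
    """Expand one access-list line into the set of equivalent flat ACEs,
    each as (action, proto, src, dst, port); port is None when the ACE has none."""
    action, proto, rest = re.match(r"access-list \S+ (permit|deny) (\S+) (.*)", line).groups()
    tokens, fields, i = rest.split(), [], 0
    while i < len(tokens):
        t = tokens[i]
        if t == "object-group":
            fields.append(members(groups, tokens[i + 1])); i += 2
        elif t in ("host", "eq"):
            fields.append([tokens[i + 1]]); i += 2
        elif IPV4.match(t) and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
            fields.append([f"{t} {tokens[i + 1]}"]); i += 2   # network followed by mask
        else:
            fields.append([t]); i += 1                        # e.g. "any"
    src, dst = fields[0], fields[1]
    ports = fields[2] if len(fields) > 2 else [None]
    return {(action, proto, s, d, p) for s, d, p in product(src, dst, ports)}


def flat_aces(text):
    """Expand every line of a plain ACL (no object-groups) for comparison."""
    return set().union(*(expand_ace(l, {}) for l in text.splitlines() if l.strip()))


if __name__ == "__main__":
    groups = parse_object_groups(CONFIG)
    expanded = expand_ace(CONFIG.splitlines()[-1], groups)
    print(len(expanded), "ACEs; equal to Task 1:", expanded == flat_aces(FLAT_ACL))
```

Because the expansion is a cross product, adding one server to DMZ_SERVERS or one port to DMZ_SERVICES silently adds three new ACEs; diffing the expanded sets before and after a change is the cheap way to see exactly what was opened.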


MODULE 05: Application Inspection and Filtering

Lab 01: Application Aware Inspection…………………………………………. 70

Lab 02: URL Filtering…………………………………………………………….. 73

Lab 03: Malicious Active Code Filtering……………………………………….. 75


LAB 01 Application Aware Inspection

[Topology diagram: INTERNET - R1 F0/1; R1 F0/0 - E0/0 (outside) ASA1 E0/1 (inside) - PC1; FTP Server 10.1.1.2 (inside), 200.1.1.2 (outside)]

Task1: Configure FTP to be inspected on port 2100 in addition to port 21. Do not use any access-list for this task

Task2: Enable application inspection for ICMP in the default inspection policy


Task3: There is an FTP server located at 10.1.1.2. Translate this server as 200.1.1.4 on the outside. Allow FTP traffic to this server from the outside

Task4: FTP connections to this server should be reset if they try to execute any of the following commands:

put, rmd, rnfr, dele

Task5: Configure the maximum number of incoming connections to this FTP server as 400. Also set the maximum number of half-open connections to this server to 200. Set the embryonic timeout to 1 minute

Task1: Configure FTP to be inspected on port 2100 in addition to port 21. Do not use any access-list for this task

ASA1:
class-map FTP2100
 match port tcp eq 2100
!
policy-map global_policy
 class FTP2100
  inspect ftp

Task2: Enable application inspection for ICMP in the default inspection policy


ASA1:
policy-map global_policy
 class inspection_default
  inspect icmp

Task3: There is an FTP server located at 10.1.1.2. Translate this server as 200.1.1.4 on the outside. Allow FTP traffic to this server from the outside

ASA1:
static (inside,outside) 200.1.1.2 10.1.1.2
!
access-list 100 permit tcp any host 200.1.1.2 eq 21

Task4: FTP connections to this server should be reset if they try to execute any of the following commands:

put, rmd, rnfr, dele

ASA1:
policy-map type inspect ftp FTP1
 match request-command put rmd rnfr dele
  reset
!
access-list 100 permit tcp any host 200.1.1.2 eq 21
!
class-map class1
 match access-list 100
!
policy-map global_policy
 class class1
  inspect ftp strict FTP1


Task5: Configure the maximum number of incoming connections to this FTP server as 400. Also set the maximum number of half-open connections to this server to 200. Set the embryonic timeout to 1 minute

ASA1:
policy-map global_policy
 class class1
  set connection conn-max 400
  set connection embryonic-conn-max 200
  set connection timeout embryonic 0:1:0
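Tasks 4 and 5 above attach two different protections to the same class1 traffic: the FTP1 inspection policy, which resets the control connection at the first denied command, and the connection limits, which cap established and half-open connections and age out half-open ones. The Python model below is an added example for this workbook, not Cisco code and not the appliance's implementation; it illustrates how those settings interact on a sequence of constructed events. One detail worth seeing in code: the ASA keywords put and get name the STOR and RETR verbs that actually appear on the wire. The FtpServerGuard class, its event methods and the small limits used in the demonstration are the example's own assumptions; the behaviour above embryonic-conn-max (the appliance answering the SYN itself before opening the server side) is modelled only as a state change.

```python
from dataclasses import dataclass

# ASA "match request-command" keywords and the FTP verbs they stand for on the
# wire (RFC 959). The ASA names "put" and "get" correspond to STOR and RETR.
ASA_FTP_KEYWORDS = {
    "appe": "APPE", "cdup": "CDUP", "dele": "DELE", "get": "RETR",
    "help": "HELP", "mkd": "MKD", "put": "STOR", "rmd": "RMD",
    "rnfr": "RNFR", "rnto": "RNTO", "site": "SITE", "stou": "STOU",
}


@dataclass
class ConnLimits:
    conn_max: int = 400            # set connection conn-max 400
    embryonic_max: int = 200       # set connection embryonic-conn-max 200
    embryonic_timeout: float = 60  # set connection timeout embryonic 0:1:0, in seconds


class FtpServerGuard:
    """Model of what class1 gets in the lab: connection limits plus the FTP1
    request-command deny list. Times are seconds; clients are opaque labels."""

    def __init__(self, limits: ConnLimits, denied_keywords):
        self.limits = limits
        self.denied = {ASA_FTP_KEYWORDS[k] for k in denied_keywords}
        self.embryonic = {}       # client -> time of its SYN (half-open)
        self.intercepted = set()  # SYNs answered by the appliance, not the server
        self.established = set()
        self.log = []

    def _expire(self, now):
        # Half-open connections older than the embryonic timeout are torn down.
        for client, t0 in list(self.embryonic.items()):
            if now - t0 >= self.limits.embryonic_timeout:
                del self.embryonic[client]
                self.log.append((now, client, "embryonic-timeout"))

    def on_syn(self, now, client):
        self._expire(now)
        if len(self.embryonic) + len(self.established) >= self.limits.conn_max:
            self.log.append((now, client, "drop conn-max"))
            return "drop"
        if len(self.embryonic) >= self.limits.embryonic_max:
            # Above embryonic-conn-max the appliance completes the handshake itself
            # and only then opens the connection to the server (TCP intercept).
            self.intercepted.add(client)
            return "intercept"
        self.embryonic[client] = now
        return "syn-ok"

    def on_ack(self, now, client):
        if client in self.embryonic:
            del self.embryonic[client]
        elif client in self.intercepted:
            self.intercepted.discard(client)
            if len(self.established) >= self.limits.conn_max:
                self.log.append((now, client, "drop conn-max"))
                return "drop"
        else:
            return "no-session"
        self.established.add(client)
        return "established"

    def on_command(self, now, client, line):
        if client not in self.established:
            return "no-session"
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in self.denied:
            # "reset" action: the control connection is torn down at the first denied command.
            self.established.discard(client)
            self.log.append((now, client, f"reset {verb}"))
            return "reset"
        return "allow"


if __name__ == "__main__":
    # Constructed event sequence with deliberately small limits.
    g = FtpServerGuard(ConnLimits(conn_max=3, embryonic_max=2), ["put", "rmd", "rnfr", "dele"])
    for t, ev in [(0, ("syn", "A")), (1, ("syn", "B")), (2, ("syn", "C")), (3, ("ack", "A")),
                  (4, ("cmd", "A", "RETR notes.txt")), (5, ("cmd", "A", "stor upload.bin")),
                  (70, ("syn", "D"))]:
        kind, client = ev[0], ev[1]
        result = {"syn": g.on_syn, "ack": g.on_ack}.get(kind, lambda n, c: g.on_command(n, c, ev[2]))(t, client)
        print(t, ev, "->", result)
    print(g.log)
```

With the lab's real numbers (400, 200, one minute) the same logic applies; the small values just make the intercept, reset and timeout paths visible in a handful of events.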

LAB 02 URL Filtering


[Topology diagram: INTERNET - R1 F0/1; R1 F0/0 - E0/0 (outside) ASA1 E0/1 (inside) - PC1; Websense server; a blocked web request is marked X]

Task1: A Websense server exists at 172.16.1.3. Configure ASA1 so that it forwards all web requests to Websense before it allows access to the Internet. If the Websense server is down, web requests should still be allowed out

Task2: Configure ASA1 so that it also forwards all HTTPS and FTP requests to Websense before it allows access to the Internet. If the Websense server is down, these requests should still be allowed out

Task1: A Websense server exists at 172.16.1.3. Configure ASA1 so that it forwards all web requests to Websense before it allows access to the Internet. If the Websense server is down, web requests should still be allowed out


NOTE: The security appliance sends all URL requests to the Websense URL-filtering server at 172.16.1.3. The URL-filtering server determines whether requested URLs should be blocked. If the URL-filtering server goes offline, the security appliance allows all URL requests to continue without filtering.

ASA1:
url-server (dmz) vendor websense host 172.16.1.3 timeout 30 protocol TCP version 4
filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

Task2: Configure ASA1 so that it also forwards all HTTPS and FTP requests to Websense before it allows access to the Internet. If the Websense server is down, these requests should still be allowed out

NOTE: The security appliance sends all HTTPS and FTP URL requests to the URL-filtering server to be filtered. If the URL-filtering server goes offline, the security appliance allows all HTTPS and FTP URL requests to continue without filtering.

ASA1:
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

LAB 03 Malicious Active Code Filtering


Task1: Configure ASA1 to filter ActiveX

[Topology diagram: INTERNET - R1 F0/1; R1 F0/0 - E0/0 (outside) ASA1 E0/1 (inside) - PC1; ASA1 blocks ActiveX]

ASA1:
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

NOTE: ActiveX blocking applies to web traffic on port 80 from any local host and to any foreign host.

Task2: Configure ASA1 to filter Java

[Topology diagram: INTERNET - R1 F0/1; R1 F0/0 - E0/0 (outside) ASA1 E0/1 (inside) - PC1; ASA1 blocks Java]


ASA1:
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

NOTE: Java blocking applies to web traffic on port 80 from any local host and to any foreign host. Java programs and ActiveX controls can enable attackers to invade network systems. Cisco security appliances can be used to filter Java applets and block ActiveX controls.


MODULE 06 Context and Failover on the Security Appliance

Lab 01: Firewall Contexts………………………………………………………………….. 78

Lab 02: Failover - Active/Standby………………………………………………………… 87

Lab 03: Failover - Active/Active………………………………………………………….. 98


LAB 01 Configuring Firewall Contexts

[Topology diagram: ASA1 running contexts CTX1 and CTX2; CTX1: R1 F0/0 - E0/0 (outside), PC1 - E0/1 (inside); CTX2: R2 F0/0 - E0/3 (outside), R3 F0/0 - M0/0 (inside)]

Task 1: Enable the security appliance to support multiple contexts and verify the configuration

Task 2: Configure contexts CTX1 and CTX2 on ASA1 with CTX1.cfg and CTX2.cfg as their respective config files, as per the given table and topology

Task 3: Change the management interface m 0/0 allocated to context CTX2 into a regular data interface.

Task 4: Configure access-lists on both contexts to restore basic connectivity and save the configuration on the security appliance

Task 5: Configure the routers and PCs as per the diagram and table with their default route pointing to the security appliance


Task 6: Verify the connectivity across the contexts

Table:

Host  Context  IP Address        Interface  Name     Security Level
ASA1  CTX1     192.168.1.1/24    e 0/0      outside  0
ASA1  CTX1     10.0.1.1/24       e 0/1      inside   100
ASA1  CTX2     192.168.31.1/24   e 0/3      outside  0
ASA1  CTX2     10.0.31.1/24      m 0/0      inside   100
R1    -        192.168.1.2/24    f 0/0      -        -
PC1   -        10.0.1.10/24      ethernet   -        -
R2    -        192.168.31.2/24   f 0/0      -        -
R3    -        10.0.31.2/24      f 0/0      -        -

Task 1: Enable the security appliance to support multiple contexts and verify the configuration

ASA1(config)#show mode
Security context mode: single
ASA1(config)#mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]<enter>
Convert the system configuration? [confirm]<enter>

ASA1(config)#show mode
Security context mode: multiple

NOTE: Below is the default configuration of a security appliance which supports multiple contexts


ASA1(config)#show running-configuration
ASA Version 8.0(2) <system>
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface Ethernet0/0
 shutdown
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Management0/0
 shutdown
!
class default
 limit-resource All 0
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/1
 config-url disk0:/admin.cfg
!
prompt hostname context
Cryptochecksum:c156e4956700c7d5c6914ec2038e34fd
: end


Task 2: Configure Context CTX1 and CTX2 on ASA1 with CTX1.cfg and CTX2.cfg as config files respectively, as per the given table and topology

Step1: Bring all the interfaces to “up” state on ASA1

ASA1#configure terminal
ASA1(config)#
ASA1(config)#interface e0/0
ASA1(config-if)#no shutdown
ASA1(config-if)#interface e0/1
ASA1(config-if)#no shutdown
ASA1(config-if)#interface e0/2
ASA1(config-if)#no shutdown
ASA1(config-if)#interface e0/3
ASA1(config-if)#no shutdown
ASA1(config)#interface management 0/0
ASA1(config-if)#no shutdown
ASA1(config-if)#exit

NOTE: Admin Context should be pre-configured before configuring any context on ASA1

Step2: On ASA1 from the system context, create Context CTX1 with config-url CTX1.cfg and allocate the interfaces e0/0, e0/1 to this context

ASA1(config)#context CTX1
Creating context 'CTX1'... Done. (2)
ASA1(config-ctx)#config-url disk0:/CTX1.cfg
WARNING: Could not fetch the URL disk0:/CTX1.cfg
INFO: Creating context with default config
ASA1(config-ctx)#allocate-interface e0/0
ASA1(config-ctx)#allocate-interface e0/1
ASA1(config-ctx)#exit


Step3: On ASA1 from the system context, create Context CTX2 with config-url CTX2.cfg and allocate the interfaces e0/3, m0/0 to this context

ASA1(config)#context CTX2
Creating context 'CTX2'... Done. (3)
ASA1(config-ctx)#config-url disk0:/CTX2.cfg
WARNING: Could not fetch the URL disk0:/CTX2.cfg
INFO: Creating context with default config
ASA1(config-ctx)#allocate-interface e0/3
ASA1(config-ctx)#allocate-interface m0/0
ASA1(config-ctx)#exit

Step4: Configure the interfaces in context CTX1 with the appropriate nameif, security level and IP address as mentioned in the table above

ASA1(config)#changeto context CTX1
ASA1/CTX1(config)#show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  down                  down
Ethernet0/1                unassigned      YES unset  down                  down
ASA1/CTX1(config)#

ASA1/CTX1(config)#interface e0/0
ASA1/CTX1(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1/CTX1(config-if)#security-level 0
ASA1/CTX1(config-if)#ip address 192.168.1.1 255.255.255.0
ASA1/CTX1(config-if)#no shutdown
ASA1/CTX1(config-if)#exit

ASA1/CTX1(config)#interface e0/1
ASA1/CTX1(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1/CTX1(config-if)#security-level 100
ASA1/CTX1(config-if)#ip address 10.0.1.1 255.255.255.0
ASA1/CTX1(config-if)#no shutdown
ASA1/CTX1(config-if)#exit


Step5: Configure the interfaces in context CTX2 with the appropriate nameif, security level and IP address as mentioned in the table above

ASA1(config)#changeto context CTX2
ASA1/CTX2(config)#

ASA1/CTX2(config)#interface e0/3
ASA1/CTX2(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1/CTX2(config-if)#security-level 0
ASA1/CTX2(config-if)#ip address 192.168.31.1 255.255.255.0
ASA1/CTX2(config-if)#no shutdown
ASA1/CTX2(config-if)#exit

ASA1/CTX2(config)#interface m0/0
ASA1/CTX2(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1/CTX2(config-if)#security-level 100
ASA1/CTX2(config-if)#ip address 10.0.31.1 255.255.255.0
ASA1/CTX2(config-if)#no shutdown
ASA1/CTX2(config-if)#exit

Task 3: Change the management interface m 0/0 allocated to context CTX2 to a regular data interface.

ASA1/CTX2(config)#interface m0/0
ASA1/CTX2(config-if)#no management-only

Task 4: Configure access-lists on both contexts to restore basic connectivity, and save the configuration on the security appliance


Step1: Configure the inbound access-list on outside interface of the context CTX1

ASA1(config)#changeto context CTX1
ASA1/CTX1(config)#access-list OUT_IN permit icmp any any
ASA1/CTX1(config)#access-group OUT_IN in interface outside

Step2: Configure the inbound access-list on outside interface of the context CTX2

ASA1(config)#changeto context CTX2
ASA1/CTX2(config)#access-list OUT_IN permit icmp any any
ASA1/CTX2(config)#access-group OUT_IN in interface outside

Step3: Save the configuration of all the contexts on ASA1

ASA1/CTX2(config)#changeto system
ASA1(config)#
ASA1(config)#write memory all
Building configuration...
Saving context :         system : (000/003 Contexts saved)
Cryptochecksum: 730e0ccd 3a4b4ee5 3e8c465f d0b1cd4d

890 bytes copied in 3.300 secs (296 bytes/sec)
Saving context :          admin : (001/003 Contexts saved)
Cryptochecksum: f7912198 f47e8334 3cd92682 bc05a6fb

1357 bytes copied in 0.190 secs
Saving context :           CTX1 : (002/003 Contexts saved)
Cryptochecksum: 5d1597e5 9a7cbb52 156e1e2f cb8c813f

%Error opening disk0:/CTX1.cfg (File exists)
Saving context :           CTX2 : (003/003 Contexts saved)
Cryptochecksum: 66ec92e3 6273e794 3845ab7d b8c49a9c

1556 bytes copied in 0.170 secs
[OK]
ASA1(config)#

Task 5: Configure the routers and PCs as per the diagram and table with their default route pointing to the security appliance


Step1: Configure the interface and default route on R1 as per the diagram

R1(config)#interface fa0/0
R1(config-if)#ip address 192.168.1.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

Step2: Configure the interface and default route on R2 as per the diagram

R2(config)#interface fa0/0
R2(config-if)#ip address 192.168.31.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.31.1

Step3: Configure the interface and default route on R3 as per the diagram

R3(config)#interface fa0/0
R3(config-if)#ip address 10.0.31.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#
R3(config)#ip route 0.0.0.0 0.0.0.0 10.0.31.1

Task 6: Verify the connectivity across the contexts

Step1: Initiate the ping from PC1 to ASA1/CTX1 inside interface


C:\Documents and Settings\netmetric>ping 10.0.1.1

Pinging 10.0.1.1 with 32 bytes of data:

Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.0.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Step2: Initiate the ping from PC1 to R1 both located in the context CTX1

C:\Documents and Settings\netmetric>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=1ms TTL=255
Reply from 192.168.1.2: bytes=32 time=1ms TTL=255
Reply from 192.168.1.2: bytes=32 time=1ms TTL=255
Reply from 192.168.1.2: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

Step3: Initiate the ping from R3 to ASA1/CTX2 inside interface


R3#ping 10.0.31.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.31.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Step4: Initiate the ping from R3 to R2 both located in the context CTX2

R3#ping 192.168.31.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.31.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

LAB 02 Failover – Active/Standby


[Topology diagram: ASA 1 and ASA 2, each running contexts CTX1 and CTX2, joined by the E0/2 failover link. CTX1: E0/0 (outside) to R1 F0/0, E0/1 (inside) to PC1. CTX2: E0/3 (outside) to R2 F0/0, M0/0 (inside) to R3 F0/0.]

NOTE: Complete Lab 1 of Module 4 before proceeding further

Task 1: Configure the Vlans on the switch as per the topology diagram.

Task 2: Configure the standby ip address as per the table.

Task 3: Configure the failover and monitoring interfaces for failover, and make sure ASA1 is the active host for both contexts CTX1 and CTX2 and ASA2 acts as the standby host.

Task 4: Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1.

Table:

Host        Context   IP Address         Standby IP Address   Interface   Nameif    Security Level
ASA1,ASA2   CTX1      192.168.1.1/24     192.168.1.7/24       e 0/0       outside   0
ASA1,ASA2   CTX1      10.0.1.1/24        10.0.1.7/24          e 0/1       inside    100
ASA1,ASA2   CTX2      192.168.31.1/24    192.168.31.7/24      e 0/3       outside   0
ASA1,ASA2   CTX2      10.0.31.1/24       10.0.31.7/24         m 0/0       inside    100
ASA1,ASA2   -         172.17.1.1/24      172.17.1.7/24        e 0/2       Failover Interface
R1          -         192.168.1.2/24     -                    f 0/0       -         -
PC1         -         10.0.1.10/24       -                    ethernet    -         -
R2          -         192.168.31.2/24    -                    f 0/0       -         -
R3          -         10.0.31.2/24       -                    f 0/0       -         -

Task1: Configure the vlans on the switch as per the topology diagram.

Step1: Configure the interfaces of the devices in the same switch vlans as per the topology diagram.

Switch(config)#interface range fa0/3 , fa0/13 , fa0/23
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 13
Switch(config-if-range)#exit

Switch(config)#interface range fa0/10 , fa0/20 , fa0/30
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20

Switch(config)#interface range fa0/1 , fa0/11 , fa0/21
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 11
Switch(config-if-range)#exit

Switch(config)#interface range fa0/2 , fa0/12 , fa0/22
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 12
Switch(config-if-range)#exit

Task2: Configure the standby ip address as per the table.

Step1: Add the standby ip address to ASA1 context CTX1 configuration as per the table.

ASA1/CTX1(config)#interface e0/0
ASA1/CTX1(config-if)#ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7
ASA1/CTX1(config-if)#exit
ASA1/CTX1(config)#interface e0/1
ASA1/CTX1(config-if)#ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7
ASA1/CTX1(config-if)#exit

Step2: Verify the configuration

ASA1/CTX1(config)#show run ip
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7
!

Step3: Add the standby ip address to ASA1 context CTX2 configuration as per the table.

ASA1/CTX1(config)#changeto context CTX2
ASA1/CTX2(config)#
ASA1/CTX2(config)#interface e0/3
ASA1/CTX2(config-if)#ip address 192.168.31.1 255.255.255.0 standby 192.168.31.7
ASA1/CTX2(config-if)#exit
ASA1/CTX2(config)#interface m0/0
ASA1/CTX2(config-if)#ip address 10.0.31.1 255.255.255.0 standby 10.0.31.7
ASA1/CTX2(config-if)#exit
ASA1/CTX2(config)#

Step4: Verify the configuration


ASA1/CTX2(config)#show run ip
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 192.168.31.1 255.255.255.0 standby 192.168.31.7
!
interface Management0/0
 nameif inside
 security-level 100
 ip address 10.0.31.1 255.255.255.0 standby 10.0.31.7
!

Task3: Configure the failover and monitoring interfaces for failover, and make sure ASA1 is the active host for both contexts CTX1 and CTX2 and ASA2 acts as the standby host.

Step1: Configure failover on ASA1.

ASA1/CTX2(config)#changeto system
ASA1(config)#failover lan unit primary
ASA1(config)#failover lan interface failover ethernet0/2
INFO: Non-failover interface config is cleared on Ethernet0/2 and its sub-interfaces
ASA1(config)#failover link failover ethernet0/2
ASA1(config)#failover interface ip failover 172.17.1.1 255.255.255.0 standby 172.17.1.7
ASA1(config)#failover

Step2: Configure failover monitoring interfaces on ASA1/CTX1.

ASA1(config)#changeto context CTX1
ASA1/CTX1(config)#monitor-interface outside
ASA1/CTX1(config)#monitor-interface inside
ASA1/CTX1(config)#exit

Step3: Configure failover monitoring interface on ASA1/CTX2.

ASA1/CTX1#changeto context CTX2
ASA1/CTX2(config)#monitor-interface outside
ASA1/CTX2(config)#monitor-interface inside


Step4: Verify the security context mode and firewall mode on ASA2.

ASA2(config)#show mode
Security context mode: multiple
ASA2(config)#show firewall
Firewall mode: Router

Step5: Configure failover on ASA2.

ASA2(config)#interface e0/2
ASA2(config-if)#no shutdown
ASA2(config-if)#exit
ASA2(config)#failover lan unit secondary
ASA2(config)#failover lan interface failover ethernet0/2
INFO: Non-failover interface config is cleared on Ethernet0/2 and its sub-interfaces
ASA2(config)#failover link failover ethernet0/2
ASA2(config)#failover interface ip failover 172.17.1.1 255.255.255.0 standby 172.17.1.7
ASA2(config)#failover

Step6: Verify the failover configuration on ASA1.

ASA1(config)#show failover interface
        interface failover Ethernet0/2
                System IP Address: 172.17.1.1 255.255.255.0
                My IP Address    : 172.17.1.1
                Other IP Address : 172.17.1.7

ASA1(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 12:40:04 UTC Sep 13 2010
        This host: Primary - Active
                Active time: 491 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.1): Normal
                  CTX1 Interface inside (10.0.1.1): Normal
                  CTX2 Interface outside (192.168.31.1): Normal
                  CTX2 Interface inside (10.0.31.1): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.7): Normal
                  CTX1 Interface inside (10.0.1.7): Normal
                  CTX2 Interface outside (192.168.31.7): Normal
                  CTX2 Interface inside (10.0.31.7): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         53         0          49         0
        sys cmd         49         0          49         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         4          0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       49
        Xmit Q:         0       1       53

Step7: Verify the failover monitoring interface on ASA1/CTX1.

ASA1/CTX1(config)# show monitor-interface
        This host: Primary - Active
                Interface outside (192.168.1.1): Normal
                Interface inside (10.0.1.1): Normal
        Other host: Secondary - Standby Ready
                Interface outside (192.168.1.7): Normal
                Interface inside (10.0.1.7): Normal

Step8: Verify the failover monitoring interface on ASA1/CTX2.

ASA1/CTX2(config)# show monitor-interface
        This host: Primary - Active
                Interface outside (192.168.31.1): Normal
                Interface inside (10.0.31.1): Normal
        Other host: Secondary - Standby Ready
                Interface outside (192.168.31.7): Normal
                Interface inside (10.0.31.7): Normal


Task4: Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1.

Step1: Initiate a telnet session from PC1 to R1.

C:\Documents and Settings\netmetric>telnet 192.168.1.2

User Access Verification

Password: cisco
R1>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:11
*  66 vty 0                idle                 00:00:00 10.0.1.10

  Interface    User               Mode         Idle     Peer Address

Step2: While keeping the telnet session open, shut down the outside interface of ASA1 on the switch.

Switch(config)#interface fa0/10
Switch(config-if)#shutdown
Switch(config-if)#
02:06:30: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
02:06:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down

Step3: Verify that the telnet session did not break during Step 2, i.e. during failover.

R1> <enter>
R1> <enter>
R1> <enter>

R1>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:11
*  66 vty 0                idle                 00:00:00 10.0.1.10

  Interface    User               Mode         Idle     Peer Address


Step4: Verify the changed failover status on ASA1.

ASA1(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 13:42:52 UTC Sep 13 2010
        This host: Primary - Failed
                Active time: 3767 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.7): No Link
                  CTX1 Interface inside (10.0.1.7): Normal
                  CTX2 Interface outside (192.168.31.7): Normal
                  CTX2 Interface inside (10.0.31.7): Normal
                slot 1: empty
        Other host: Secondary - Active
                Active time: 255 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.1): Normal
                  CTX1 Interface inside (10.0.1.1): Normal
                  CTX2 Interface outside (192.168.31.1): Normal
                  CTX2 Interface inside (10.0.31.1): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         533        0          523        0
        sys cmd         519        0          519        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        8          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         6          0          4          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       523
        Xmit Q:         0       1       533

Step5: Verify the changed failover monitoring interface status on ASA1/CTX1.

ASA1/CTX1(config)# show monitor-interface
        This host: Primary - Failed
                Interface outside (192.168.1.7): No Link
                Interface inside (10.0.1.7): Normal
        Other host: Secondary - Active
                Interface outside (192.168.1.1): Normal
                Interface inside (10.0.1.1): Normal

Step6: Now restore the outside interface of ASA1/CTX1 back to normal, i.e. "no shutdown" the respective interface on the switch.

Switch(config)#interface fa0/10
Switch(config-if)#no shut
Switch(config-if)#exit
02:11:02: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
02:11:02: %SYS-5-CONFIG_I: Configured from console by console
02:11:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up

Step7: Verify the failover status on ASA1.

ASA1(config)#show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 13:42:52 UTC Sep 13 2010
        This host: Primary - Standby Ready
                Active time: 3767 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.7): Normal
                  CTX1 Interface inside (10.0.1.7): Normal
                  CTX2 Interface outside (192.168.31.7): Normal
                  CTX2 Interface inside (10.0.31.7): Normal
                slot 1: empty
        Other host: Secondary - Active
                Active time: 654 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.1): Normal
                  CTX1 Interface inside (10.0.1.1): Normal
                  CTX2 Interface outside (192.168.31.1): Normal
                  CTX2 Interface inside (10.0.31.1): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         587        0          580        0
        sys cmd         573        0          573        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        8          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         6          0          7          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       580
        Xmit Q:         0       1       587

NOTE: Even after the outside interface of ASA1/CTX1 is restored to normal, ASA1 remains the standby host for both contexts CTX1 and CTX2, and ASA2 remains the active host.

Step1: To forcibly change the state of the ASA1 standby host back to active host, configure the following:

ASA1(config)#failover active
Switching to Active

Step2: Verify the changed failover status on ASA1

ASA1(config)#show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 13:54:08 UTC Sep 13 2010
        This host: Primary - Active
                Active time: 3833 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.1): Normal
                  CTX1 Interface inside (10.0.1.1): Normal
                  CTX2 Interface outside (192.168.31.1): Normal
                  CTX2 Interface inside (10.0.31.1): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 677 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.7): Normal
                  CTX1 Interface inside (10.0.1.7): Normal
                  CTX2 Interface outside (192.168.31.7): Normal
                  CTX2 Interface inside (10.0.31.7): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         598        0          591        0
        sys cmd         584        0          584        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        8          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         6          0          7          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       591
        Xmit Q:         0       1       598


LAB 03 Failover – Active/Active

[Topology diagram: ASA 1 and ASA 2, each running contexts CTX1 and CTX2, joined by the E0/2 failover link. CTX1: E0/0 (outside) to R1 F0/0, E0/1 (inside) to PC1. CTX2: E0/3 (outside) to R2 F0/0, M0/0 (inside) to R3 F0/0.]

NOTE: Complete Lab 1 and Lab 2 of this module before starting this lab.


Task 1: Configure the failover and monitoring interfaces for failover, and make sure ASA1 is the active host for context CTX1 and the standby host for context CTX2, while ASA2 is the standby host for context CTX1 and the active host for context CTX2.

Task 2: Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1.

Table:

Host        Context   IP Address         Standby IP Address   Interface   Nameif    Security Level
ASA1,ASA2   CTX1      192.168.1.1/24     192.168.1.7/24       e 0/0       outside   0
ASA1,ASA2   CTX1      10.0.1.1/24        10.0.1.7/24          e 0/1       inside    100
ASA1,ASA2   CTX2      192.168.31.1/24    192.168.31.7/24      e 0/3       outside   0
ASA1,ASA2   CTX2      10.0.31.1/24       10.0.31.7/24         m 0/0       inside    100
ASA1,ASA2   -         172.17.1.1/24      172.17.1.7/24        e 0/2       Failover Interface
R1          -         192.168.1.2/24     -                    f 0/0       -         -
PC1         -         10.0.1.10/24       -                    ethernet    -         -
R2          -         192.168.31.2/24    -                    f 0/0       -         -
R3          -         10.0.31.2/24       -                    f 0/0       -         -

Task1: Configure the failover and monitoring interfaces for failover, and make sure ASA1 is the active host for context CTX1 and the standby host for context CTX2, while ASA2 is the standby host for context CTX1 and the active host for context CTX2.

NOTE: First disable the failover before making any changes to the failover configuration.

Step1: Configure failover groups.

ASA1(config)# no failover
ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)#exit

ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# exit


NOTE: The "preempt" command lets the unit configured as primary for a failover group automatically become "active" again, with the secondary unit reverting to "standby", once the failed interface/link is restored to normal after a failover. With preempt configured, the failover state does not have to be changed manually with the "failover active" command.

Step2: Join the contexts CTX1 and CTX2 to failover groups 1 and 2 respectively, and enable failover.

ASA1(config)# context CTX1
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# exit

ASA1(config)# context CTX2
ASA1(config-ctx)# join-failover-group 2
ASA1(config-ctx)# exit
ASA1(config)#
ASA1(config)# failover


Step3: Verify the failover status.

ASA1(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Group 1 last failover at: 14:07:31 UTC Sep 13 2010
Group 2 last failover at: 14:07:30 UTC Sep 13 2010

  This host:    Primary
  Group 1       State:          Active
                Active time:    42 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.1): Normal
                  CTX1 Interface inside (10.0.1.1): Normal
                  CTX2 Interface outside (192.168.31.7): Normal
                  CTX2 Interface inside (10.0.31.7): Normal
                slot 1: empty

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Active
                Active time:    45 (sec)

                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.7): Normal
                  CTX1 Interface inside (10.0.1.7): Normal
                  CTX2 Interface outside (192.168.31.1): Normal
                  CTX2 Interface inside (10.0.31.1): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         650        0          643        0
        sys cmd         636        0          636        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        8          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         6          0          7          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       643
        Xmit Q:         0       1       650

Step4: Verify the failover monitoring interfaces on ASA1/CTX1.

ASA1(config)# changeto context CTX1
ASA1/CTX1(config)# show monitor-interface
        This host: Primary - Active
                Interface outside (192.168.1.1): Normal
                Interface inside (10.0.1.1): Normal
        Other host: Secondary - Standby Ready
                Interface outside (192.168.1.7): Normal
                Interface inside (10.0.1.7): Normal

Step5: Verify the failover monitoring interfaces on ASA1/CTX2.

ASA1/CTX1(config)# changeto context CTX2
ASA1/CTX2(config)# show monitor-interface
        This host: Primary - Standby Ready
                Interface outside (192.168.31.7): Normal
                Interface inside (10.0.31.7): Normal
        Other host: Secondary - Active
                Interface outside (192.168.31.1): Normal
                Interface inside (10.0.31.1): Normal

Task2: Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1.

Step1: Initiate a telnet session from PC1 to R1.

C:\Documents and Settings\netmetric>telnet 192.168.1.2

User Access Verification

Password: cisco
R1>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:11
*  66 vty 0                idle                 00:00:00 10.0.1.10

  Interface    User               Mode         Idle     Peer Address


Step2: While keeping the telnet session open shutdown the outside interface of ASA1 on the switch.

Switch(config)#interface fa0/10
Switch(config-if)#shutdown
Switch(config-if)#
02:06:30: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
02:06:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down

Step3: Verify that the telnet session did not break during Step 2, i.e. during failover.

R1> <enter>
R1> <enter>
R1> <enter>

R1>show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:11
*  66 vty 0                idle                 00:00:00 10.0.1.10

  Interface    User               Mode         Idle     Peer Address

Step 4: Verify the changed failover status on ASA1.

ASA1(config)#show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Group 1 last failover at: 14:36:00 UTC Sep 13 2010
Group 2 last failover at: 14:07:30 UTC Sep 13 2010

  This host:    Primary
  Group 1       State:          Failed
                Active time:    1709 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.7): No Link (Waiting)
                  CTX1 Interface inside (10.0.1.7): Normal
                  CTX2 Interface outside (192.168.31.7): Normal
                  CTX2 Interface inside (10.0.31.7): Normal
                slot 1: empty

  Other host:   Secondary
  Group 1       State:          Active
                Active time:    22 (sec)
  Group 2       State:          Active
                Active time:    1734 (sec)

                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.1): Normal (Waiting)
                  CTX1 Interface inside (10.0.1.1): Normal (Waiting)
                  CTX2 Interface outside (192.168.31.1): Normal
                  CTX2 Interface inside (10.0.31.1): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         876        0          869        0
        sys cmd         862        0          862        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        8          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         6          0          7          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       869
        Xmit Q:         0       1       876

Step 5: Now restore the outside interface of ASA1/CTX1 to normal, i.e. issue "no shutdown" on the corresponding switch port.


Switch(config)#interface fa0/10
Switch(config-if)#no shutdown
Switch(config-if)#exit
02:11:02: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
02:11:02: %SYS-5-CONFIG_I: Configured from console by console
02:11:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up

Step 6: Verify the changed failover status on ASA1.

ASA1(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Group 1 last failover at: 14:39:33 UTC Sep 13 2010
Group 2 last failover at: 14:07:30 UTC Sep 13 2010

  This host:    Primary
  Group 1       State:          Active
                Active time:    1717 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.1): Normal (Waiting)
                  CTX1 Interface inside (10.0.1.1): Normal (Waiting)
                  CTX2 Interface outside (192.168.31.7): Normal
                  CTX2 Interface inside (10.0.31.7): Normal
                slot 1: empty

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    213 (sec)
  Group 2       State:          Active
                Active time:    1933 (sec)

                slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                  CTX1 Interface outside (192.168.1.7): Normal (Waiting)
                  CTX1 Interface inside (10.0.1.7): Normal (Waiting)
                  CTX2 Interface outside (192.168.31.1): Normal
                  CTX2 Interface inside (10.0.31.1): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         902        0          895        0
        sys cmd         888        0          888        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        8          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         6          0          7          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       895
        Xmit Q:         0       1       902
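Added check, not part of the workbook: the Python below parses the show failover output format seen in steps 4 and 6 and lists what an operator would alert on, i.e. a Failed group, a monitored interface that is not Normal, or one group Active on both units at once. The sample output is constructed from this lab's values; the regular expressions and the names parse_failover and failover_alerts are my own.

```python
import re

# Constructed sample modelled on the "show failover" output in this lab, taken
# on the primary unit after CTX1's outside link was shut down on the switch.
SAMPLE = """\
Failover LAN Interface: failover Ethernet0/2 (up)
  This host:    Primary
  Group 1       State:          Failed
  Group 2       State:          Standby Ready
                  CTX1 Interface outside (192.168.1.7): No Link (Waiting)
                  CTX1 Interface inside (10.0.1.7): Normal
                  CTX2 Interface outside (192.168.31.7): Normal
  Other host:   Secondary
  Group 1       State:          Active
  Group 2       State:          Active
                  CTX1 Interface outside (192.168.1.1): Normal (Waiting)
                  CTX1 Interface inside (10.0.1.1): Normal (Waiting)
                  CTX2 Interface outside (192.168.31.1): Normal
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\S+)")
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*(\S+) Interface (\S+) \(([\d.]+)\):\s+(.+?)\s*$")

def parse_failover(text):
    """Return {"This"/"Other": {"unit", "groups": {n: state}, "interfaces": [(ctx, name, ip, status)]}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"unit": m.group(2), "groups": {}, "interfaces": []})
        elif cur and (m := GROUP_RE.match(line)):
            cur["groups"][int(m.group(1))] = m.group(2)
        elif cur and (m := IFACE_RE.match(line)):
            cur["interfaces"].append(m.groups())
    return hosts

def failover_alerts(hosts):
    """Page-worthy conditions: a Failed group, a non-Normal monitored interface, or split brain."""
    alerts = []
    for host, info in hosts.items():
        label = f"{host} host ({info['unit']})"
        alerts += [f"{label}: group {n} is Failed" for n, s in info["groups"].items() if s == "Failed"]
        alerts += [f"{label}: {c} {i} ({ip}) is {s}" for c, i, ip, s in info["interfaces"]
                   if not s.startswith("Normal")]
    this = hosts.get("This", {}).get("groups", {})
    other = hosts.get("Other", {}).get("groups", {})
    alerts += [f"group {n} is Active on both units (split brain)"
               for n in this if this[n] == other.get(n) == "Active"]
    return alerts
```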

MODULE 07: Layer 2 Transparent Firewall

Lab 01: Configure Layer 2 Transparent Firewall …………………………………… 107


LAB 01 Configure Layer 2 Transparent Firewall

[Topology diagram: R1 and R2 sit on either side of ASA1 (E 0/0 and E 0/1) on the shared 10.1.1.0 segment, with addresses 10.1.1.1 and 10.1.1.2; other labels on the diagram are INTERNET, F 0/0, F 0/1 and E 0/0.]

Task 1: Configure the ASA as a Transparent Firewall

Task 2: Configure F0/0 as the outside interface with a security level of 0 and F0/1 as the inside interface with a security level of 100. Bring the interfaces up.

Task 3: Configure the ASA to allow R1 and R2 to communicate with each other and exchange routing information. R1 and R2 should run RIP v2 as the routing protocol.

Task 1: Configure the ASA as a Transparent Firewall

ASA1:
firewall transparent

Task 2: Configure F0/0 as the outside interface with a security level of 0 and F0/1 as the inside interface with a security level of 100. Bring the interfaces up.


ASA1:
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown

Task 3: Configure the ASA to allow R1 and R2 to communicate with each other and exchange routing information. R1 and R2 should run RIP v2 as the routing protocol.

ASA1:
access-list outside permit udp host 10.1.1.1 host 224.0.0.9 eq rip
access-list inside permit udp host 10.1.1.2 host 224.0.0.9 eq rip
!
access-group outside in interface outside
access-group inside in interface inside

MODULE 08: VPN on the Security Appliance

Lab 01: IPSec VPN Site to Site Tunnel……………………………………………… 110


LAB 01 IPSec VPN Site to Site Tunnel


Task 1: Configure an IPSec tunnel to encrypt traffic from 10.1.1.0/24 on the ASA1 inside network to 20.1.1.0/24 on the ASA2 inside network. Use the outside IP address of each ASA as the tunnel end point.

Use the parameters below for the tunnel between ASA1 and ASA2.

ISAKMP Parameters
Authentication: Pre-shared
Encryption: 3DES
Group: 2
Hash: MD5
Pre-Shared Key: netmetricccsp

IPSec Parameters
Encryption: ESP-3DES
Authentication: ESP-SHA-HMAC

NOTE: You are allowed to create static routes for this Lab.


ASA1:
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
crypto isakmp key netmetricccsp address 192.168.1.2
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
access-list 111 permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
!
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer 192.168.1.2
crypto map mymap 10 set transform-set set1
crypto map mymap 10 match address 111
crypto map mymap interface outside
!
route outside 20.0.0.0 255.0.0.0 192.168.1.2

ASA2:
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
crypto isakmp key netmetricccsp address 192.168.1.1
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
access-list 111 permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer 192.168.1.1
crypto map mymap 10 set transform-set set1
crypto map mymap 10 match address 111
crypto map mymap interface outside
!
route outside 10.0.0.0 255.0.0.0 192.168.1.1
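Added check, not part of the workbook: because the two peers' crypto configurations must mirror each other, the Python below extracts the tunnel parameters from each ASA's config excerpt and reports any mismatch that would stop IKE or IPsec negotiating. The excerpts are constructed to match this lab, with ASA2 deliberately carrying a pre-shared key that differs from ASA1's and /8 masks in its crypto ACL; parse_vpn and check_pair are my own names.

```python
import re

# Constructed config excerpts modelled on this lab's ASA1/ASA2 answers (not the workbook's
# text). ASA2 carries two common mistakes: a key that differs from ASA1's and /8 crypto ACL masks.
ASA1 = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key netmetricccsp address 192.168.1.2
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
access-list 111 permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
crypto map mymap 10 set peer 192.168.1.2
"""
ASA2 = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key netmetric123 address 192.168.1.1
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
access-list 111 permit ip 20.1.1.0 255.0.0.0 10.1.1.0 255.0.0.0
crypto map mymap 10 set peer 192.168.1.1
"""

def parse_vpn(config):
    """Pull the site-to-site tunnel parameters out of an ASA config excerpt."""
    p = {"peer": re.search(r"crypto map \S+ \d+ set peer (\S+)", config).group(1)}
    p["psk"], p["psk_peer"] = re.search(r"crypto isakmp key (\S+) address (\S+)", config).groups()
    p["transform"] = tuple(re.search(r"crypto ipsec transform-set \S+ (.+)", config).group(1).split())
    # ISAKMP policy sub-commands are the indented lines under "crypto isakmp policy"
    p["policy"] = frozenset(re.findall(r"^ (authentication|encryption|hash|group) (\S+)", config, re.M))
    src, smask, dst, dmask = re.search(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", config).groups()
    p["local"], p["remote"] = (src, smask), (dst, dmask)
    return p

def check_pair(a, b):
    """Mismatches that would stop IKE or IPsec negotiating between the two peers."""
    problems = [f"pre-shared key on side {n} is bound to {p['psk_peer']}, not its peer {p['peer']}"
                for n, p in (("a", a), ("b", b)) if p["psk_peer"] != p["peer"]]
    checks = [("pre-shared keys differ", a["psk"] != b["psk"]),
              ("transform sets differ", a["transform"] != b["transform"]),
              ("ISAKMP policy attributes differ", a["policy"] != b["policy"]),
              # each side's local network must be the other side's remote network
              ("crypto ACLs are not mirror images", (a["local"], a["remote"]) != (b["remote"], b["local"]))]
    return problems + [msg for msg, bad in checks if bad]
```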


Verify ACLs and interesting traffic:
show run access-list

Verify correct IKE configuration:
show run isakmp
show run tunnel-group

Verify correct IPsec configuration:
show run ipsec

Verify IPsec and ISAKMP SAs:
show crypto ipsec sa
show crypto isakmp sa
