CCNP Sec

Netmetric CCNP Security Workbook 2.
ASA Initialization
LAB 1 Basic ASA Configuration

Initialization Setup of ASA is similar as Router where you use a rollover cable to connect console of ASA to com port of PC. Command Line Interface (CLI) here is little different from IOS Router but the modes are similar as on Router, We have an Unprivileged Mode > This is the most basic level of access to the Cisco Device, the first mode in which you can issue very few commands. To configure your ASA you need to get in to Privileged Mode #.
Task-1 Getting Started With ASA

When we boot up the device we get into unprivileged mode from where we can view the details of ASA, its supporting features, available interfaces and its Licensing etc...
ciscoasa>show version Cisco ASA Security Appliance Software Version 8.4(2) ciscoasa up 33 mins 30 secs Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB Licensed features for this platform: Maximum Physical Interfaces : Unlimited Maximum VLANs : 100 Inside Hosts : Unlimited Failover : Disabled VPN-DES : Disabled VPN-3DES-AES : Disabled Security Contexts :0 GTP/GPRS : Disabled AnyConnect Premium Peers : 5000 AnyConnect Essentials : Disabled Other VPN Peers : 5000 Total VPN Peers :0 Shared License : Disabled AnyConnect for Mobile : Disabled AnyConnect for Cisco VPN Phone : Disabled Advanced Endpoint Assessment : Disabled UC Phone Proxy Sessions :2 Total UC Proxy Sessions :2 This platform has an Restricted (R) license. Configuration has not been modified since last system restart.
IOS Version of ASA Uptime of device
perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual perpetual
Netmetric CCNP Security Workbook 2.0
ASA Initialization
From unprivileged mode we can issue few more commands like ping, traceroute and login etc. but to make any changes on the device or to configure device we need to get into privileged mode of that device. From Unprivileged mode issue enable command to get into privileged mode ciscoasa> enable Password: ciscoasa#
The default password on ASA is Blank <null> hit Enter when prompted
When you are in privileged mode now you can start configuring your device, When you are in privileged mode of ASA you can issue all the commands to device, to make some configuration on device you need to get into configure mode, you can get into configure mode by issuing configure terminal command in privileged mode ciscoasa# configure terminal ciscoasa(config)# enable password cisco123 ciscoasa(config)# hostname ASA ASA(config)#
Configuring Enable Password Modifying Hostname
In the description of show version command you can view the licensing details of the device which exhibits the capabilities of device functioning. ASA comes with two different licenses Base License Security plus License
By default ASA comes with Base License where few functions of ASA will be restricted or locked. To use those functions we need to get an Activation Key from Cisco and Install it on Device. ASA(config)# activation-key 0x000000000x000000000x000000000x00000000 The following features available in flash activation key are NOT available in new activation key: Failover is different. flash activation key: Restricted(R) new activation key: Unrestricted(UR) Proceed with update flash activation key? [confirm] Press Enter WARNING: The running activation key was not updated with the requested key. The flash activation key was updated with the requested key, and will become active after the next reload.
Netmetric CCNP Security Workbook 2.0 Task-2 Configuring Interfaces as per following Credentials Interface GigabitEthernet 0 GigabitEthernet 1 GigabitEthernet 2 Ip Address 192.168.1.10 10.1.1.10 172.16.1.10 Name Outside Inside DMZ
ASA Initialization
Security Level 0 100 50
Simply like a router, Interface configuration in ASA is done from interface mode only. ASA(config)# interface GigabitEthernet 0 ASA(config-if)# ip address 192.168.1.10 255.0.0.0 ASA(config-if)# no shutdown ASA(config-if)# interface GigabitEthernet 1 ASA(config-if)# ip address 10.1.1.10 255.0.0.0 ASA(config-if)# no shutdown ASA(config-if)# interface GigabitEthernet 2 ASA(config-if)# ip address 172.16.1.10 ASA(config-if)# no shutdown
But apart from configuring ip address in ASA we even have to configure Two more credentials i.e. Name of interface and Trustiness of interface (Security Level). Where Name of the interface is the any logical name (Like Inside, Outside, Private any name) given to the interface and throughout configuration the interface will be called with that name not by their Physical names (Ethernet 0 or 1), Assigning name to interface is mandatory. Even if you assign ip address until and unless you configure name to it our interface will not function. And security level is the value which defines the trustiness of an interface. The interface with high security level value can communicate with low security value interfaces but low valued interface cant initiate communication for high valued interfaces by default. ASA(config-if)# interface GigabitEthernet 0 ASA(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ASA(config-if)# security-level 0
ASA Initialization
ASA(config-if)# interface GigabitEthernet 1 ASA(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ASA(config-if)# interface GigabitEthernet 2 ASA(config-if)# nameif DMZ INFO: Security level for "DMZ" set to 0 by default. ASA(config-if)# security-level 50
ASA identify only the word inside perfectly when this name is assigned to any interface automatically security level will be set to 100 Apart from inside any other name gets security level 0 by default
Verification
ASA(config-if)# show running-config ip ! interface GigabitEthernet0 nameif outside security-level 0 ip address 192.168.1.10 255.255.255.0 ! interface GigabitEthernet1 nameif inside security-level 100 ip address 10.1.1.10 255.0.0.0 ! interface GigabitEthernet2 nameif dmz security-level 50 ip address 172.16.1.10 255.255.0.0
Basic ASA Initialization - II
LAB 2 Default security policy modifications and ACL in ASA

ASA is a very advanced firewall which inspects all the TCP and UDP connections by default from higher security level to lower security level. Apart from basic TCP and UDP protocols we have other protocols which are given for inspection and the policy which inspects those protocols is known as Default Inspection Policy. Only the protocols and the services which are available in that default inspection policy will be inspected by default from high security level to low security level. If we want the inspection of some more services then in that case we have to add those services in default inspection list or create our own separate policy of inspection ASA always consider ICMP as an attack so by def ault there wont be any inspection for ICMP services.
Configure the Ip addressing as per following credentials Device ASA ASA R1 R2 Interface Ethernet 1 Ethernet 0 Fast Ethernet 0/0 Fast Ethernet 0/0 Name Outside/0 Inside/100 --Ip Address 10.1.1.10 192.168.1.10 192.168.1.1 10.1.1.1 Subnet Mask 255.0.0.0 255.255.255.0 255.255.255.0 255.0.0.0
Configure a default route on both the sides pointing towards ASA
Netmetric CCNP Security Workbook 2.0 Task 1 : Verify the Connectivity for telnet and ICMP
Lets make a connection of telnet from PC to Router R1 R1#telnet 192.168.1.10 Trying 192.168.1.10 ... Open User Access Verification Password: R2>
As we have discussed above that ASA by default inspect all TCP and UDP traffic thats why it allows only TCP and UCP communication whereas ICMP is not allowed by default Because Telnet works with TCP protocol thats the reason your telnet connections are allowed but default and not ICMP connections Now check the connectivity from high security level to low security level i.e. from inside to outside using ping R1#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
If we see the output of the ping test then our ping packets are not being allowed even from high security level to low security level where as per the basic rule of ASA its supposed to allow that connection
Task 2 : Configure ASA to inspect ICMP traffic by modifying default inspection policy and verify the Connectivity for ICMP
We can see the default inspection policy in running configuration of device

ASA# show running-config : Saved . . ! class-mapinspection_default match default-inspection-traffic ! ! policy-mapglobal_policy classinspection_default inspectdnspreset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspectsunrpc inspectxdmcp inspect sip inspect netbios inspect tftp ! service-policyglobal_policy global : : end
Services available by default
To modify this default inspection policy we have to get into that class ASA(config)# policy-map global_policy ASA(config-pmap)# class inspection_default ASA(config-pmap-c)# We can modify the policy after getting into that policy To add ICMP inspection into the policy ASA(config-pmap-c)# inspect icmp As soon as we start ICMP inspection our ASA starts inspection of ICMP traffic and now icmp traffic will flow from High security level to low security level R1#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/80 ms To remove any service from default inspection ASA(config)# policy-map global_policy ASA(config-pmap)# class inspection_default ASA(config-pmap-c)# no inspect icmp As soon as we remove the inspection of ICMP again ICMP Traffic is not allowed to transact PC#ping 192.168.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
Task 3 : Configure ASA to allow ICMP traffic using Access-list. Dont modify default inspection policy.
As we know ASA allow all the traffic from high security level to low security level by default that means even ICMP echo packets which are initiated from inside subnet is allowed to go to outside subnet. But the echo-reply packets which are sent in response to echo are will be blocked because they are being initiated from low security level to high as there is no inspection for ICMP. As we are interested in using access list let's not make any changes with inspection policy than we can allow the ICMP packets from outside using Access-list Here we are creating an access-list to allow icmp traffic ASA(config)# access-list out_in permit icmp any any
Now we have to apply that access-list on outside interface in inbound direction so that all the icmp traffic which is generated from that interface is allowed in to device By this the echo-reply which is generated in respond to echoes from inside is allowed to go to outside ASA(config)# access-group out_in interface outside
Verification R1#ping 192.168.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 12/32/84 ms
ALC and Object Groups
LAB 3 Object Groups in ACL

We may come across various situations where we configure access-lists with multiple numbers entries defining hosts and services and each time we want to add a particular host or service then we will add one more entry to that access-list. The entries made here are known as Access-Control Entries. As the number of entries increases in the access-list it will increase difficulty in managing and modifying access-lists. To ease the management of access-list here Cisco came up with a new tool called as object-group. Object Group here allows you to group similar entities under a single object and you are allowed to use those object groups in access-list We have 4 types of object-groups i. Network type Object Group ii. Services type Object Group iii. Protocols type Object Group iv. Icmp type Object Group
Configure the Ip addressing as per following credentials Device ASA ASA R1 R2 R2 R2 R2 Interface GigabitEthernet0 GigabitEthernet1 Fast Ethernet 0/0 FastEthernet 0/0 Loopback 0 Loopback 1 Loopback 2 Name Outside/0 Inside/100 -----Ip Address 10.1.1.10 192.168.1.10 10.1.1.1 192.168.1.1 21.1.1.1 22.1.1.1 23.1.1.1 Subnet Mask 255.0.0.0 255.255.255.0 255.0.0.0 255.255.255.0 255.0.0.0 255.0.0.0 255.0.0.0
Netmetric CCNP Security Workbook 2.0 R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.10 R2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.10
Configure a default route on ASA pointing towards Router R2 to make the connectivity for loopbacks ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1
Verify Routing and connectivity R1#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/76 ms R1#ping 21.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 21.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/56 ms R1#telnet 192.168.1.1 Trying 192.168.1.1 ... Open R2> R1#telnet 23.1.1.1 Trying 23.1.1.1 ... Open R2>
Task 1 : Configure an Access-list on ASA to restrict the traffic from inside subnet to hosts 21.1.1.1 , 22.1.1.1 and 23.1.1.1 using http, ftp & telnet services. We are very familiar with access-list and its services But in ASA the access-list is little different from your router. In ASA we dont configure access-list with numbers but we do it with Names We have to configure multiple access-entries to achieve our required task ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq http ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq http ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq ftp ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq telnet ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq http ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq ftp ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq telnet ASA(config)# access-list in-out permit ip any any
Apply the access-list using access-group option in global configuration mode ASA(config)# access-group in-out in interface inside As the access-list is applied over interface it denies the traffic matching ACL R1#telnet 23.1.1.1 Trying 23.1.1.1 ... % Connection refused by remote host and the traffic not matching to access-list is allowed. R1#ping 23.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 23.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/37/76 ms
Netmetric CCNP Security Workbook 2.0 Task 2 : Rewrite the above created access-list using objects groups Steps to configure
1. Create an object group of network type and add the hosts 2. Create another object group of type services and add desired services 3. Use those object groups in Access-list Creating network type object group to catch hosts and network ASA(config)# object-group network nw-host ASA(config-network)# network-object host 21.1.1.1 ASA(config-network)# network-object host 22.1.1.1 ASA(config-network)# network-object host 23.1.1.1
Creating a services type object group with tcp protocol as all our required services (http, ftp & telnet) belongs to tcp. ASA(config)# object-group service serv-obj tcp ASA(config-service)# port-object eq http ASA(config-service)# port-object eq ftp ASA(config-service)# port-object eq telnet
Using those object groups in access list

ASA(config)# access-list obj-acl permit tcp any object-group nw-host object-group serv-obj
Name of ACL Network object group
Service object Group
Application of access-list on interface inside in inbound direction ASA(config)# access-group obj-acl in interface inside

Verification ASA(config)# show run object-group object-group network nw-host network-object host 21.1.1.1 network-object host 22.1.1.1 network-object host 23.1.1.1 object-group service serv-obj tcp port-object eq www port-object eq ftp port-object eq telnet ASA(config)# show access-list
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 object-group nw-host object-group serv-obj access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq www access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq www access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq ftp access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq telnet access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq www access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq ftp access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq telnet
R1#telnet 21.1.1.1 Trying 21.1.1.1 ... % Connection refused by remote host R1#telnet 22.1.1.1 Trying 22.1.1.1 ... % Connection refused by remote host R1#telnet 23.1.1.1 Trying 23.1.1.1 ... % Connection refused by remote host
Time Based Access control using ACL
LAB 4 Time Based ACL

We may come across a situation where well be willing to control the users on the basis of time Access-list can be configured to be active on the basis of time. When we configure our Access-list based on time then in a particular interested time slot the access-list will be active. To configure a Time based Access-list we have to create a time-range first. Time range is a tool where we are allowed to define the time. We can define time with two different options => Absolute => Periodic Using option Absolute we define the starting and ending date whereas using periodic we define the time
Configure the Ip addressing as per following credentials Device ASA ASA R1 R2 Interface GigabitEthernet0 GigabitEthernet1 Fast Ethernet 0/0 FastEthernet 0/0 Name Outside/0 Inside/100 --Ip Address 10.1.1.10 192.168.1.10 10.1.1.1 192.168.1.1 Subnet Mask 255.0.0.0 255.255.255.0 255.0.0.0 255.255.255.0
Task 1 : Configure an access-list by the name Time-Acl to permit the entire host from inside subnet to outside only from 10:00 am to 05:00 pm in between 1 Oct 2011 to 31 Oct 2011 Steps to configure: Create a Time range by above given credentials Configure an access-list and associate the time range with that access-list Apply the access over an interface Creating time-range . ASA(config)# time-range t-range ASA(config-time-range)#
By the above command we have created a time-range with the name t-range. After creating the time range we have to configure the time range as per given credentials. To define the date of time-range we use absolute option ASA(config-time-range)# absolute start 00:00 1 Oct 2012 end 00:00 31 Oct 2012 ASA(config-time-range)#
When we are using absolute option to define the time in time range as soon as the end time meets the access-list will be invalid forever. To define a periodic time we use option periodic ASA(config-time-range)# periodic daily 10:00 to 17:00 ASA(config-time-range)#
Using Periodic option in time range we define our clock time in 24 hours format. ASA(config-time-range)# periodic daily 10:00 to 17:00 ASA(config-time-range)#exit
Verify the configured Time-range ASA(config)# sh run time-range ! time-range t-range absolute start 00:00 01 October 2012 end 00:00 31 October 2012 periodic daily 10:00 to 17:00 !
Configuring an access-list using Time-range ASA(config)# access-list Time-Acl permit ip any any time-range t-range ASA(config)# access-list Time-Acl deny ip any any
ASA(config)# show clock 15:52:57.756 UTC Fri Oct 21 2012 ASA(config)# show access-list access-list time-acl; 2 elements
access-list time-acl line 1 extended permit ip any any time-range t-range (hitcnt=0) 0xcaf6f246
access-list time-acl line 2 extended deny ip any any (hitcnt=0) 0xb2c8c2d9 Because the clock is as per the time range we can see that both the entries in access-list is active To verify lets change the clock of our device
ASA(config)# clock set 12:00:00 1 nov 2012 ASA(config)# show clock As soon as the absolute option is met 12:00:11.410 UTC Wed Nov 1 2012 access-list will be inactive ASA(config)# show access-list access-list time-acl; 2 elements access-list time-acl line 1 extended permit ip any any time-range t-range (hitcnt=0) (inactive) access-list time-acl line 2 extended deny ip any any (hitcnt=0) 0xb2c8c2d9
Remote Access of ASA
LAB 5 Remote Access of ASA

local access of ASA can be done using console port but when there is need of accessing ASA from remote location we need to use virtual Terminal lines (VTY) of ASA which are blocked by default to make use of remote access of ASA we need to configure those Virtual Terminal lines Remote Access of ASA can be fetched using Telnet, SSH and HTTP
Configure the Ip addressing as per following credentials Device ASA ASA R1 R2 PC Interface Name Ip Address Subnet Mask GigabitEthernet0 Outside/0 10.1.1.10 255.0.0.0 GigabitEthernet1 Inside/100 192.168.1.10 255.255.255.0 Fast Ethernet 0/0 - 10.1.1.1 255.0.0.0 FastEthernet 0/0 -192.168.1.1 255.255.255.0 NIC -10.1.1.5 255.0.0.0 Configure a default route on both the sides pointing towards ASA
R1#ping 10.1.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms R1#telnet 10.1.1.10 Trying 10.1.1.10 ... % Connection timed out; remote host not responding
Task 1 : Configure ASA to display a banner whenever a user logins to device. ASA(config)# banner login Welcome to CCNP Security Lab of ASA Firewall
ASA(config)# show run banner banner login Welcome to CCNP Security Lab of ASA Firewall Task 2 : Configure ASA to accept telnet connections from host 10.1.1.1 from inside interface. As telnet is disable by default over ASA we need to enable it as follows ASA(config)# telnet 10.1.1.1 255.255.255.255 inside herein we define which subnet is allowed to access and from which interface the access should be granted.
Verification: R1#telnet 10.1.1.10 Trying 10.1.1.10 ... Open Welcome to CCNP Security Lab of ASA Firewall User Access Verification Password: cisco Type help or '?' for a list of available commands. ASA> Default password for telnet access to ASA is set as cisco R2#telnet 192.168.1.10 Trying 192.168.1.10 ... % Connection timed out; remote host not responding Telnet access from outside interface is still not allowed
Task 3 : Set the telnet access password of ASA to "netadmin" Command to modify telnet password is "passwd" ASA(config)# passwd netadmin
R1#telnet 10.1.1.10 Trying 10.1.1.10 ... Open Welcome to CCNP Security Lab of ASA Firewall User Access Verification Password:netadmin Type help or '?' for a list of available commands. ASA> Task 4 : Create a user Account on ASA and configure ASA to accept telnet connection on basis of user accounts Creating User Account on ASA ASA(config)# username user1 password cisco123
Applying Authentication of local database over telnet ASA(config)# aaa authentication telnet console LOCAL
Verification: R1#telnet 10.1.1.10 Trying 10.1.1.10 ... Open User Access Verification Username: user1 Password: cisco123 Type help or '?' for a list of available commands. ASA>
Task 5 : Configure ASA to allow the SSH access from outside interface for any one with user account
As SSH make use of encryption its must that we generate RSA keys to activate SSH over any device Generating RSA Keys ASA(config)# crypto key generate rsa INFO: The name for the keys will be: <Default-RSA-Key> Keypair generation process begin. Please wait... SSH can be accessed only using user account only thus create a user account for accessing of SSH and configure SSH authentication for Local database. Verify existence of a user account if account is not available create a new account ASA(config)# username user1 password cisco123 Set the SSH authentication system to LOCAL dataase ASA(config)# aaa authentication ssh console LOCAL Allow SSH access for everyone from outside interface ASA(config)# ssh 0.0.0.0 0.0.0.0 outside SSH can be initiated from any address over outside interface as the default network is permitted.
Verification: R2#ssh -l user1 192.168.1.10 Password:cisco123 Type help or '?' for a list of available commands. ASA>
Task 6 : Enable HTTP Access of ASA and access firewall using Cisco ASDM. Enable the access of HTTP over ASA ASA(config)# http server enable Even after enabling HTTP services over ASA, ASA does not allow anyone to access its ASDM Administrator need to authorize the users for access of ASDM (GUI) Authorizing user 10.1.1.5 to access HTTP ASA(config)# http 10.1.1.5 255.255.255.255 inside If user account is not available create an user account ASA(config)# username user1 password cisco123
* Check the availability of ASDM image file in ASA flash ASA(config)# show flash: --#-- --length-- -----date/time------ path : 12 15841428 Jan 16 2012 19:35:19 asdm-641.bin :
Open a Browser from computer and go to Url=https://10.1.1.10
Select Proceed anyways and then Install ASDM Launcher
After Downloading and installing ASDM Launcher to computer Run Cisco ASDM Launcher
Provide the mandatory details such as Device address, username and password
And ASDM loads successfully
Routing over ASA
LAB 6 Dynamic Routing over ASA

Adaptive Security Appliance is designed in such a way that it is capable of performing task of multiple network devices as Router, Firewall as well as VPN Concentrator. So we can even make use of dynamic routing protocols to form our network using ASA. Support of Dynamic Routing was not available in PIX Series its introduced in ASA in IOS version 7.0 ASA Supports 3 majorly used Dynamic routing Protocols RIP EIGRP OSPF Note: ASA is not capable of running multiple instances of EIGRP
Device ASA ASA ASA R1 R1 R1 R2 R2 R2 R3 R3
Interface GigabitEthernet0 GigabitEthernet1 GigabitEthernet2 Fast Ethernet 0/0 Loopback 0 Loopback 1 Fast Ethernet 0/0 Loopback 0 Loopback 1 Fast Ethernet 0/0 Loopback
Name Outside/0 Inside/100 DMZ/50 ---------
Ip Address 10.1.1.10 192.168.1.10 172.16.1.10 10.1.1.1 11.11.11.11 12.12.12.12 192.168.1.1 22.22.22.22 23.23.23.23 172.16.1.1 33.33.33.33
Subnet Mask 255.0.0.0 255.255.255.0 255.255.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.255.255.0 255.0.0.0 255.0.0.0 255.255.0.0 255.255.255
Configure Default Route over all Routers pointing towards ASA
Routing over ASA
Task 1 : Configure Static Routes over ASA to make the subnets over outside interface reachable.
ASA(config)# route outside 22.0.0.0 255.0.0.0 192.168.1.1 ASA(config)# route outside 23.0.0.0 255.0.0.0 192.168.1.1
Verification: ASA# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP Gateway of last resort is not set S C S C C 23.0.0.0 255.0.0.0 [1/0] via 192.168.1.1, outside 172.16.0.0 255.255.0.0 is directly connected, DMZ 22.0.0.0 255.0.0.0 [1/0] via 192.168.1.1, outside 10.0.0.0 255.0.0.0 is directly connected, inside 192.168.1.0 255.255.255.0 is directly connected, outside
ASA# ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/30 ms ASA# ping 23.23.23.23 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/40 ms Task 2 : Clear all the Static Routes on ASA ASA(config)# clear configure Route
ASA# show route C 172.16.0.0 255.255.0.0 is directly connected, DMZ C 10.0.0.0 255.0.0.0 is directly connected, inside C 192.168.1.0 255.255.255.0 is directly connected, outside
Routing over ASA
Task 3 : Configure a Default Route on ASA to make all the Destinations reachable via Router R2
ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 or ASA(config)# route outside 0 0 192.168.1.1
ASA(config)# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP * - candidate default,. Gateway of last resort is 192.168.1.1 to network 0.0.0.0 C C C S* 172.16.0.0 255.255.0.0 is directly connected, DMZ 10.0.0.0 255.0.0.0 is directly connected, inside 192.168.1.0 255.255.255.0 is directly connected, outside 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
Routing over ASA
Task 4 : Configure RIP between Router R1 and ASA and make loopback addresses on Router R1 Reachable from ASA Configuring RIP over ASA ASA(config)# router rip ASA(config-router)# network 10.0.0.0 ASA(config-router)# version 2 Configuring RIP over Router R1 R1(config)#router rip R1(config-router)#network 11.0.0.0 R1(config-router)#network 12.0.0.0 R1(config-router)#network 10.0.0.0 R1(config-router)#version 2 Verification: ASA(config-router)# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is 192.168.1.1 to network 0.0.0.0 C C R R C S* 172.16.0.0 255.255.0.0 is directly connected, DMZ 10.0.0.0 255.0.0.0 is directly connected, inside 11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:10, inside 12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:02, inside 192.168.1.0 255.255.255.0 is directly connected, outside 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
Routing over ASA
Task 5: Configure EIGRP AS 100 Between ASA and Router R3 and make loopback addresses on R3 reachable by ASA
Configuring EIGRP over ASA ASA(config-router)# router eigrp 100 ASA(config-router)# network 172.16.1.10 Configuring EIGRP over Router R3 R3(config)#router Eigrp 100 R3(config-router)#network 172.16.1.1 R3(config-router)#network 33.33.33.33
*Mar 1 17:05:33.507: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.16.1.10 (FastEthernet0/0) is up: new adjacency
ASA(config)# show eigrp neighbors EIGRP-IPv4 neighbors for process 100 H Address Interface (sec) 0 172.16.1.1 Et2 ASA(config)# show route
Hold (ms) 14
Uptime Cnt 00:00:51
SRTT Num 20
RTO Q Seq 200 0 3
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area * - candidate default, U - per-user static route, o - ODR Gateway of last resort is 192.168.1.1 to network 0.0.0.0 D C C R R C S* 33.0.0.0 255.0.0.0 [90/158720] via 172.16.1.1, 0:01:33, DMZ 172.16.0.0 255.255.0.0 is directly connected, DMZ 10.0.0.0 255.0.0.0 is directly connected, inside 11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:05, inside 12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:05, inside 192.168.1.0 255.255.255.0 is directly connected, outside 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
Netmetric CCNP Security Workbook 2.0 Task 6: Configure OSPF process 1 on outside interface of ASA and Router R2. Configuring OSPF over ASA ASA(config)# router ospf 1 ASA(config-router)# network 192.168.1.0 255.255.255.0 a 0
Routing over ASA
Advertise networks in OSPF Using subnet mask as ASA never use Wildcard Bits in configurations R2(config)#router ospf 1 R2(config-router)#network 192.168.1.0 0.0.0.255 a 0 R2(config-router)#network 22.0.0.0 0.255.255.255 area 0 R2(config-router)# network 23.0.0.0 0.255.255.255 area 0 ASA(config)# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area * - candidate default, U - per-user static route, o - ODR Gateway of last resort is 192.168.1.1 to network 0.0.0.0 D O C O C R R C S* 33.0.0.0 255.0.0.0 [90/156160] via 172.16.1.1, 3:00:50, DMZ 23.23.23.23 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside 172.16.0.0 255.255.0.0 is directly connected, DMZ 22.22.22.22 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside 10.0.0.0 255.0.0.0 is directly connected, inside 11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside 12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside 192.168.1.0 255.255.255.0 is directly connected, outside 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
ASA# show ospf neighbor
Neighbor ID 23.23.23.23
Pri State 1 FULL/DR
Dead Time Address 0:00:38 192.168.1.1
Interface inside
Routing over ASA
Task 7 : Redistribute the Routing information between RIP and EIGRP and verify the routing updates Redistributing EIGRP into RIP ASA(config)# router rip ASA(config-router)# redistribute eigrp 100 ASA(config-router)# redistribute eigrp 100 metric 2 Redistributing RIP into EIGRP ASA(config)# Router eigrp 100 ASA(config-router)# redistribute rip metric 128000 100 150 150 2000 Verification: R1#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area * - candidate default, U - per-user static route Gateway of last resort is 10.1.1.10 to network 0.0.0.0 R R C C C S* 33.0.0.0/8 [120/2] via 10.1.1.10, 00:00:21, FastEthernet0/0 172.16.0.0/16 [120/2] via 10.1.1.10, 00:00:21, FastEthernet0/0 10.0.0.0/8 is directly connected, FastEthernet0/0 11.0.0.0/8 is directly connected, Loopback0 12.0.0.0/8 is directly connected, Loopback1 0.0.0.0/0 [1/0] via 10.1.1.10
R3#show ip route Codes: C - connected, S - static, D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area * - candidate default. Gateway of last resort is 172.16.1.10 to network 0.0.0.0 C 33.0.0.0/8 is directly connected, Loopback0 C 172.16.0.0/16 is directly connected, FastEthernet0/0 D EX 10.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0 D EX 11.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0 D EX 12.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0 S* 0.0.0.0/0 [1/0] via 172.16.1.10
Basic NAT over ASA 8.0
LAB 7 Basic NAT with ASA 8.0

Network Address Translation is process of changing Source and destination addresses in ip Packet in order to provide connectivity to between Private IP Address Space and Public IP and also to facilitate multiple host to make use of single IP Address to access Internet Services.
the Ip following credentials Device ASA ASA ASA R1 R1 R2 R2 R3 R3 Interface GigabitEthernet0 GigabitEthernet1 GigabitEthernet2 Fast Ethernet 0/0 Loopback 0 Fast Ethernet 0/0 Loopback 0 Fast Ethernet 0/0 Loopback Name Outside/0 Inside/100 DMZ/50 ------Ip Address 10.1.1.10 192.168.1.10 172.16.1.10 10.1.1.1 11.11.11.11 192.168.1.1 22.22.22.22 172.16.1.1 33.33.33.33
Configure addressing as per
Subnet Mask 255.0.0.0 255.255.255.0 255.255.0.0 255.0.0.0 255.0.0.0 255.255.255.0 255.0.0.0 255.255.0.0 255.255.255
Configure Routing and allow ICMP Inspection R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms
Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside interface towards outside . When Ever a single IP is translated to another IP and translation of which is defined by administrator manually it's called as Static Translation Over ASA 8.0 all static translations are defined using STATIC keyword, Configuring Static Translations over ASA ASA80(config)# static (inside,outside) 55.56.57.58 10.1.1.1 Verification: To view the current translations on ASA ASA80(config)# show xlate 1 in use, 1 most used Global 55.56.57.58 Local 10.1.1.1 Task 2 : Configure ASA such that it statically translate address 10.1.1.1 to 71.72.73.74 from inside interface towards DMZ. ASA80(config)# static (inside,DMZ) 71.72.73.74 10.1.1.1 Verification: ASA80(config)# show xlate 2 in use, 2 most used Global 71.72.73.74 Local 10.1.1.1 Global 55.56.57.58 Local 10.1.1.1 Task 3 : Clear All the Static Translations Over ASA To clear all the static translations over ASA at once ASA80(config)# clear configure static Verification: ASA80(config)# show xlate 0 in use, 2 most used
Task 4 : Translate all the Host in 10.0.0.0/8 subnet to an ip address pool 172.16.1.50 - 172.16.1.60 when the traffic of inside interface destinies to any ip of DMZ subnets. when ever we want to translate a group of address to another group we make use of dynamic translation. Process of Dynamic Address Translation is divided into two Steps Define the original Address pool need to be translated Define the translated address also known as Mapped Address Pool Definition of Original IP addresses which are supposed to be translated are always defined using NAT option ASA80(config)# nat (inside) 2 10.0.0.0 255.0.0.0 Note : Number 2 in the command notates NAT ID which can be any number ranging (0-2147483647) the same number should be used to map the translated Address pool. Definition of Translated Address pool is done using Global option with same NAT ID used in NAT option ASA80(config)# global (DMZ) 2 172.16.1.50-172.16.1.60 As we use the same NAT ID the both NAT and GLOBAL pools binds together verification: R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 24/55/84 ms
ASA80(config)# show xlate 1 in use, 2 most used Global 172.16.1.60 Local 10.1.1.1
Task 5: Translate all the Host connected to inside interface to an single ip address 192.168.1.99 when the traffic of inside interface destinies to any ip of Outside subnet PAT : Whenever we translate multiple IP Address with single IP Along with IP addresses even port numbers get translated such translations are defined as Port Address Translations To Translate All the traffic we can use the default subnet ASA80(config)# nat (inside) 5 0.0.0.0 0.0.0.0
In ASA we have privilege to replace default subnet 0.0.0.0 with a single "0" thus above statement can be even defined as follows ASA80(config)# nat (inside) 5 0 0
Defining Translated Address ASA80(config)# global (outside) 5 192.168.1.99 INFO: Global 192.168.1.99 will be Port Address Translated whenever a single ip address is defined as a translated IP ASA automatically consider it as PAT no extra options are required Verification: R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/71/108 ms R1#ping 23.23.23.23 source loopback 0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 20/62/88 ms ASA80(config)# show xlate 2 in use, 2 most used PAT Global 192.168.1.99(38897) Local 11.11.11.11 ICMP id 23 PAT Global 192.168.1.99(10530) Local 10.1.1.1 ICMP id 24
Advanced NAT over ASA 8.0
LAB 8 Advanced NAT with ASA 8.0

Network Address Translation is process of changing Source and destination addresses in ip Packet in order to provide connectivity to between Private IP Address Space and Public IP and also to facilitate multiple host to make use of single IP Address to access Internet Services.
Configure the Ip addressing as per following credentials Device ASA ASA ASA R1 R1 R2 R2 R3 R3 Interface GigabitEthernet0 GigabitEthernet1 GigabitEthernet2 Fast Ethernet 0/0 Loopback 0 Fast Ethernet 0/0 Loopback 0 Fast Ethernet 0/0 Loopback Name Outside/0 Inside/100 DMZ/50 ------Ip Address 10.1.1.10 192.168.1.10 172.16.1.10 10.1.1.1 11.11.11.11 192.168.1.1 22.22.22.22 172.16.1.1 33.33.33.33 Subnet Mask 255.0.0.0 255.255.255.0 255.255.0.0 255.0.0.0 255.0.0.0 255.255.255.0 255.0.0.0 255.255.0.0 255.255.255
Configure Routing and allow ICMP Inspection R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms Clear all the configurations of previous LAB Before proceeding with this LAB
Task 1 : Configure ASA to enforce translation over all the traffic such that only traffic which is translated should bypass ASA rest should be denied.
A Special feature of PIX device was to enforce the translation on all the traffic, which has been even inherited into ASA 8.0 by name NAT-CONTROL Before Enabling NAT-CONTROL R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/51/104 ms R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/140 ms To enable NAT control over ASA ASA80(config)# nat-control
Verification: R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R1#ping 33.33.33.33 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 ..... Success rate is 0 percent (0/5)
Task 2 : Bypass the host 10.1.1.1 from Nat-Control and make sure that the host can communicate to any other subnet without translation even when NAT Control is enabled. NAT with ID 0 is dedicated to define no address translation, when ever NAT is to be bypassed for some host or subnets we need to define them in Nat option only with id "0"
ASA80(config)# nat (inside) 0 10.1.1.1 255.255.255.255 nat 0 10.1.1.1 will be identity translated for outbound
0 indicates no address translation or also known as NAT Exemption R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/49/100 ms R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/61/124 ms ASA80(config)# show xlate 2 in use, 2 most used Global 10.1.1.1 Local 10.1.1.1 Global 10.1.1.1 Local 10.1.1.1 Traffic generated from other host still gets blocked due to NAT-CONTROL R1#ping 33.33.33.33 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 ..... Success rate is 0 percent (0/5)
Task 3 : Translate traffic of 11.11.11.11 from inside subnet to 202.11.59.19 when it destinies only to host 23.23.23.23 on outside interface Whenever a condition is added into translations such translations are known as Policy based translations where we define the desired condition of translation using an access-list Creating Access-list to define the condition of translation ASA80(config)# access-list nat1 permit ip host 11.11.11.11 host 23.23.23.23 we have created an access by name nat1 which map the traffic between host 11.11.11.11 to 23.23.23.23 Binding that access-list to NAT statement and enforcing translations only on access-list ASA80(config)# nat (inside) 9 access-list nat1 ASA80(config)# global (outside) 9 202.11.59.19 INFO: Global 202.11.59.19 will be Port Address Translated Verification: R1#ping 23.23.23.23 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/71/132 ms ASA80(config)# show xlate 3 in use, 3 most used PAT Global 202.11.59.19(58154) Local 11.11.11.11 ICMP id 41
The Same Host can't reach other destinations as they are not matching ACL in nat option. R1#ping 22.22.22.22 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 ..... Success rate is 0 percent (0/5)
LAB 9 Basic NAT with ASA 8.4

From ASA Ver. 8.4 Cisco introduced new methods of making Network Address Translations over ASA using Objects. All the translations are made based on network objects. legacy commands like static and global have been eliminated and all translations happens using single command NAT.
Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside interface towards outside . For all the translations we need to create objects defining the traffic participating in translations and the translation are applied over the objects not on traffic directly. For purpose of Translations specially two types of objects have been introduced Network Service
Network type object is designed to define IP address, Subnet or Range of IP 's Service type object is used to define services of TCP or UDP For static translation we need two different objects defining individual host in each Creating Network Objects ASA84(config)# object network host-in ASA84(config-network-object)# host 10.1.1.1 ASA84(config-network-object)# exit Object named host-in have been created for host 10.1.1.1, another object for mapped ip is to be created ASA84(config)# object network mapped-out ASA84(config-network-object)# host 55.56.57.58 ASA84(config-network-object)# exit Making Static translations over objects ASA84(config)# nat (inside,outside) source static host-in mapped-out Verification: ASA84(config)# show run object object network host-in host 10.1.1.1 object network mapped-out host 55.56.57.58 ASA84(config)# show xlate 1 in use, 1 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to outside:55.56.57.58 flags s idle 0:00:56 timeout 0:00:00
Task 2 : Configure ASA such that it statically translate address 10.1.1.1 to 71.72.73.74 from inside interface towards DMZ. Creating Object to define new mapped ip address ASA84(config)# object network map-dmz ASA84(config-network-object)# host 71.72.73.74 ASA84(config-network-object)# exit Defining Translation ASA84(config)# nat (inside,DMZ) source static host-in map-dmz Verification: ASA84(config)# sh xlate 2 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to outside:55.56.57.58 flags s idle 0:13:44 timeout 0:00:00 NAT from inside:10.1.1.1 to DMZ:71.72.73.74 flags s idle 0:01:14 timeout 0:00:00 ASA84(config)# show nat Manual NAT Policies (Section 1) 1 (inside) to (outside) source static host-in mapped-out translate_hits = 0, untranslate_hits = 0 2 (inside) to (DMZ) source static host-in map-dmz translate_hits = 0, untranslate_hits = 0 ASA84(config)# show run nat nat (inside,outside) source static host-in mapped-out nat (inside,DMZ) source static host-in map-dmz Task 3 : Clear All the Static Translations Over ASA ASA84(config)# clear configure nat
Task 4 : Translate all the Host in 10.0.0.0/8 subnet to an ip address pool 172.16.1.50 - 172.16.1.60 when the traffic of inside interface destinies to any ip of DMZ subnets. ASA84(config)# object network subnet-in ASA84(config-network-object)# subnet 10.0.0.0 255.0.0.0 ASA84(config)# object network isp-range ASA84(config-network-object)# range 172.16.1.50 172.16.1.60 Defining Translations ASA84(config)# nat (inside,DMZ) source dynamic subnet-in isp-range ASA84(config)# show xlate 1 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to DMZ:172.16.1.59 flags i idle 0:00:13 timeout 3:00:00 ASA84(config)# show nat Manual NAT Policies (Section 1) 1 (inside) to (DMZ) source dynamic subnet-in isp-range translate_hits = 5, untranslate_hits = 0 Task 5: Translate all the Host connected to inside interface to an single ip address 192.168.1.99 when the traffic of inside interface destinies to any ip of Outside subnet creating a new object to define the mapped address ASA84(config)# object network pat-ip ASA84(config-network-object)# host 192.168.1.99 ASA84(config-network-object)# exit Defining Translation ASA84(config)# nat (inside,outside) source dynamic any pat-pool pat-ip Verification: ASA84(config)# show xlate 2 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice ICMP PAT from inside:10.1.1.1/52 to outside:192.168.1.99/52 flags ri idle 0:00:06 timeout 0:00:30
LAB 10 Advanced NAT with ASA 8.4

Along with NAT based on object groups ASA 8.4 introduced advanced options called as AutoNAT where Translations are defined inside the objects itself.
Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside interface towards outside using ASA auto NAT .
Auto NAT is the translation statements when defined inside of objects ASA84(config)# object network host-in ASA84(config-network-object)# host 10.1.1.1 ASA84(config-network-object)# nat (inside,outside) static 55.56.57.58 ASA84(config-network-object)# exit Verification ASA84(config)# show nat Auto NAT Policies (Section 2) 1 (inside) to (outside) source static host-in 55.56.57.58 translate_hits = 0, untranslate_hits = 0 ASA84(config)# show run object object network host-in host 10.1.1.1 ASA84(config)# show run nat ! object network host-in nat (inside,outside) static 55.56.57.58 ASA84(config)# show xlate 1 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to outside:55.56.57.58 flags s idle 0:05:14 timeout 0:00:00
Task 2 : Configure ASA to translate any IP address sourced from any interface to the outside interface ip of ASA. ASA84(config)# nat (any,outside) source dynamic any interface above option translate any IP sourcing any interface destinies to outside to IP address which is assigned on interface outside. ASA84(config)# show nat Manual NAT Policies (Section 1) 1 (any) to (outside) source dynamic any interface translate_hits = 0, untranslate_hits = 0 R3#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/48 ms ASA84(config)# show xlate 2 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to outside:55.56.57.58 flags s idle 0:19:55 timeout 0:00:00 ICMP PAT from any:172.16.1.1/0 to outside:192.168.1.10/31798 flags ri idle 0:00:04 timeout 0:00:30
Content Filtering over ASA
LAB 11 Java, Active X & Web Filtering

Java and Active X are considered as beautiful programming languages but if we look at the other side of these languages they are used heavily to write scripts to hack the system. Usually these scripts are allowed into your network as they are a kind of text document but Cisco made ASA so intelligent that it can identify as well as filter the traffic of following specific types Active x ftp, https java & url
Task 1 : Configure ASA such that it filters all the web traffic for inside subnet and drops the packets which contain the java program
ASA make use of option filter to filter a specific data type in a service. ASA(config)# filter java http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
Inside Subnet Outside Subnet
Service to be filtered
Any host from 10.0.0.0/8 subnet can't download or upload any java program
Content Filtering over ASA
Task 2: Configure ASA such that it filters all the web and FTP traffic on all subnets and drops the packets which contain the Active-x program.
ASA(config)# filter activex http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ASA(config)# filter activex ftp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
Task 3 :Configure a web sense URL Filter server in Inside subnet on ip address of 10.0.1.11. Make configurations on ASA such that it filters all the web traffic from inside subnets for URL using that URL Filter server
ASA is not so flexible in filtering URLs on it more granularly, so ASA make help from other supporting URL Filters to filter the web traffic for their URL. ASA support only two URL Filters namely web sense & smart filter. ASA(config)# url-server (inside) vendor websense host 10.0.1.11 ASA(config)# filter url http 1.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
LAB 12 Modular Policy Framework

When we call the interconnection of people as a network then we have different type of people available in network and all the people who utilize the network are not same. Basically I just want to say we have multiple types of users available in a same network but we always want our network to behave uniquely for each user example a normal user should be restricted with a certain bandwidth but a superior user should get a high bandwidth .This is how we always desire that behavior of the same network should change depending on the user and the usage. To facilitate us by this desired functionality of network we have a full framework available which is called as Modular Policy Framework (MPF).Majorly MPF is depended on its three components 1. Class-Map where we catch interesting traffic 2. Policy-Map Where We define Desired Action On interesting traffic 3. Service-Policy where we apply the condition on select interface
Interface Configuration on ASA and Other devices Interface Ethernet 0 Ethernet 1 Ethernet 2 Device R1 R2 R3 Ip Address 192.168.1.10 10.1.1.10 172.16.1.10 Interface FastEthernet 0/0 Fast Ethernet 0/0 Fast Ethernet 0/0 Name Outside Inside DMZ Ip Address 10.0.1.10 192.168.1.10 172.16.0.10 Security Level 0 100 50 Subnet Mask 255.0.0.0 255.255.255.0 255.255.0.0
Configure a default Route on both the routers pointing towards ASA
Netmetric CCNP Security Workbook 2.0 TASK 1
Configure ASA to catch the traffic from inside subnet and restrict the bandwidth usage to 8000 bits per second when its destination is R2 Steps to configure:1. Create a class-map 2. Create a policy-map 3. Define Service-policy A class-map is a tool used to catch interesting on more granular level where we are allowed not only to catch interesting traffic on the basis of layer 3 addresses (ip address) but even we can catch the traffic not only by access-list but even by Its Precedence, Tunnel group, RTP and DSCP values as well. Create an access-list to define flow of traffic here we want to catch the traffic when its starting from Inside subnet and visiting Site-A ASA(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 Create a class-map with any name and call the access-list in class-map ASA(config)# class-map c-map ASA(config-cmap)# match access-list 101 ASA(config-cmap)# exit Now we are done with catching of interesting traffic then our next step is to define the action over that interesting traffic to do that we are creating a policy-map Policy map is a place where we define our desired action on the cached interesting traffic where you have more granular options available apart from permitting and denying traffic. You have actions like police, priority and inspect etc... ASA(config)# policy-map p-map We created a policy map with the name p-map here then under that policy-map we are calling the class-map which we created. By this well binding our class-map and our policy-map then we define the action over that ASA(config-pmap)# class c-map ASA(config-pmap-c)# police input 8000 Final step our configuration is to apply the created policy here we can apply the policy over a single interface or globally over all interfaces ASA(config)# service-policy p-map interface outside
Netmetric CCNP Security Workbook 2.0 Verification
We can verify our applied policy by generating an extended Ping for the destination of Site-A R1#ping Protocol [ip]: Target IP address: 192.168.1.10 Repeat count [5]: 30 Datagram size [100]: 1000 Increase the size of datagram to generate huge traffic Timeout in seconds [2]: Extended commands [n]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 30, 1000-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: !!.!!.!!.!.!!.!.!!.!!.!.!!.!!. Here we can observe the packet drop when they are exceeding policy Success rate is 63 percent (19/30), round-trip min/avg/max = 20/59/92 ms If we further Increase the size of datagram then more packets gets droped R1#ping Protocol [ip]: Target IP address: 192.168.1.10 Repeat count [5]: 30 Datagram size [100]: 2000 Timeout in seconds [2]: Extended commands [n]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 30, 2000-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: !.!..!..!...!...!...!..!...!.. Success rate is 30 percent (9/30), round-trip min/avg/max = 56/72/92 ms
Netmetric CCNP Security Workbook 2.0 TASK 2
Configure ASA to catch the telnet traffic from inside subnet and prioritize that when its destination is R3 Create a class map to catch telnet traffic here I am catching the traffic using an extended ACL ASA(config)#access-list 102 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0eq telnet
ASA(config)# class-map telnet-traffic ASA(config-cmap)# match access-list 102 Create a policy-map to define priority action over the class ASA(config-cmap)# policy-map inspect-telnet ASA(config-pmap)# class telnet-traffic ASA(config-pmap-c)# priority
Apply that policy map created on interface Before applying the priority type policy map over the interface we have to enable priority-queue over that interface and set the queue-limit ASA(config)# priority-queue dmz ASA(config-priority-queue)# queue-limit 1024 ASA(config-priority-queue)# exit
Now we can apply that policy-map over interface dmz as we have configured the priority-queue over that interface ASA(config)# service-policy inspect-telnet interface dmz
Virtual Firewalls
LAB 13 Virtual Firewall

One of the major advancement which was made from PIX to ASA is the capability of virtual Firewallingover ASA. The virtual firewall methodology enables a physical firewall to be partitioned into multiple standalone firewalls. Each standalone firewall acts and behaves as an independent entity with its own configuration, interfaces, security policies, routing table, and administrators. In Cisco ASA, these virtual firewalls are known as Security contexts. But two major features of ASA doesnt supports on when you make it into virtual Firewalls are =>VPN =>Dynamic Routing Protocols
Context 1
Context 2
Connect your firewall using console port and start configuring the virtual firewalls
Before making your ASA into virtual firewall make sure that you take backup of your all running configuration, because when you change the mode of your ASA into virtual firewalls or from virtual firwall to single mode, you will lose all the running configuration of your device. Even if you wont take the backup by default your ASA saves the current running configuration to the flash of ASA with file name as old_running.cfg
Netmetric CCNP Security Workbook 2.0 To check the current mode of your ASA ciscoasa(config)# show mode Security context mode: single
Virtual Firewalls
To checkout weather your ASA is capable of virtual firewalling you can see the details in show version output or you can filter that output by issuing following options ciscoasa# show version | grep Security Contexts Security Contexts :2 The output here gives the capability of the device to make into virtual firewalls;the above output here gives the value as 2 that mean I am allowed to create two security contexts. To change the mode of ASA from single to virtual ciscoasa(config)# mode multiple WARNING: This command will change the behavior of the device WARNING: This command will initiate a Reboot Proceed with change mode? [confirm] Convert the system configuration? [confirm] As soon as you issue this command your ASA will be reloaded itself and your entire current configuration will be erased. ciscoasa# show mode Security context mode: multiple As we know that ASA will make backup of running configuration in flash its visible when we see the files on flash. ciscoasa# show flash: Directory of flash:/ 9 -rw- 2076 07:45:11 Oct 17 2011 old_running.cfg 10 -rw- 1446 07:45:12 Oct 17 2011 admin.cfg 16128000 bytes total (16119296 bytes free)
Netmetric CCNP Security Workbook 2.0 To see the current context on ASA we can issue the command ciscoasa# show context Context Name Class Interfaces URL *admin default Ethernet0 flash:/admin.cfg Total active Security Contexts: 1
Virtual Firewalls
From the above output we can observe that we have one Context by the name admin which we havent created. When we change our mode from single to multiple we will be having one context created by default and the name of that context will admin context which will have certain more preferences then other context. A very special property of this admin context is that the whole configurations of your physical device will be copied to this admin context. And this context will replace the actual device. Excluding this admin context we can make two more contexts (as on this device) then totally well be having 3 contexts (as admin context is not counted in created context list) If we want to configure any context then we have enter into that particular context and configure that context To enter the context ciscoasa(config)# changeto context admin ciscoasa/admin(config)# Now we are in the context admin which we can observe by change in Hostname And to get back to system ciscoasa/admin(config)# changeto system ciscoasa(config)#
Virtual Firewalls
Task 1
Create two context by the names CTX1 and CTX2 and allocate two interfaces to each context and assign IP Addresses to the interfaces as per below credentials. And save the configuration of those contexts in flash with respective names of context. Interface Ethernet 0 Ethernet 1 Ethernet 2 Ethernet 3 IP Address 1.1.1.1 192.168.1.1 2.2.2.2 172.16.1.1 Subnet Mask 255.0.0.0 255.255.255.0 255.0.0.0 255.255.0.0 Security level 100 0 100 0 Name of interface Inside Outside Inside Outside
CTX 1 CTX 2
Steps to Configure: Create context Allocate interfaces Assign configuration location Creating Context Remember that the names which we assign to context will be case-sensitive ciscoasa(config)# context CTX1 Creating context 'CTX1'... Done. (2) ciscoasa(config-ctx)# exit ciscoasa(config)# context CTX2 Creating context 'CTX2'... Done. (3) Allocating Interfaces to Context To allocate interface to a context get into that context and assign the desired interface and even we can assign one interface two different context that is called as shared interface. ciscoasa(config)# context CTX1 ciscoasa(config-ctx)# allocate-interface ethernet0 ciscoasa(config-ctx)# allocate-interface ethernet1 ciscoasa(config-ctx)# exit ciscoasa(config)# context CTX2 ciscoasa(config-ctx)# allocate-interface ethernet2 ciscoasa(config-ctx)# allocate-interface ethernet3 ciscoasa(config-ctx)# exit
Netmetric CCNP Security Workbook 2.0 Assigning Configuration location to context ciscoasa(config)# context CTX1 ciscoasa(config-ctx)# config-url flash:CTX1 INFO: Converting flash:CTX1 to flash:/CTX1 WARNING: Could not fetch the URL flash:/CTX1 INFO: Creating context with default config ciscoasa(config-ctx)# exit ciscoasa(config)# context CTX2 ciscoasa(config-ctx)# config-url flash:CTX2 INFO: Converting flash:CTX2 to flash:/CTX2 WARNING: Could not fetch the URL flash:/CTX2 INFO: Creating context with default config ciscoasa(config-ctx)# exit Assigning Ip addresses to contexts. ciscoasa(config)# changeto context CTX1 ciscoasa/CTX1(config)# interface ethernet0 ciscoasa/CTX1(config-if)# ip address 1.1.1.1 255.0.0.0 ciscoasa/CTX1(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ciscoasa/CTX1(config-if)# no shutdown ciscoasa/CTX1(config-if)# interface ethernet1 ciscoasa/CTX1(config-if)# ip add 192.168.1.1 255.255.255.0 ciscoasa/CTX1(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ciscoasa/CTX1(config-if)# no shutdown ciscoasa/CTX1(config-if)# changeto system ciscoasa(config)# changeto context CTX2 ciscoasa/CTX2(config)# interface ethernet2 ciscoasa/CTX2(config-if)# ip address 2.2.2.2 255.0.0.0 ciscoasa/CTX2(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ciscoasa/CTX2(config-if)# no shutdown ciscoasa/CTX2(config-if)# interface ethernet3 ciscoasa/CTX2(config-if)# ip address 172.16.1.1 255.255.0.0 ciscoasa/CTX2(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ciscoasa/CTX2(config-if)# no shutdown
Virtual Firewalls
Virtual Firewalls
Verifying the configurations ciscoasa(config)# show context Context Name Class Interfaces *admin default CTX1 default Ethernet0,Ethernet1 CTX2 default Ethernet2,Ethernet3 URL flash:/admin.cfg flash:/CTX1 flash:/CTX2
ciscoasa(config)# changeto context CTX1 ciscoasa/CTX1(config)# show run interface ! interface Ethernet0 nameif inside security-level 100 ip address 1.1.1.1 255.0.0.0 ! interface Ethernet1 nameif outside security-level 0 ip address 192.168.1.1 255.255.255.0 ciscoasa/CTX1# changeto system ciscoasa(config)#
ciscoasa(config)# changeto context CTX2 ciscoasa/CTX2(config)# show run interface ! interface Ethernet2 nameif inside security-level 100 ip address 2.2.2.2 255.0.0.0 ! interface Ethernet3 nameif outside security-level 0 ip address 172.16.1.1 255.255.0.0 ciscoasa/CTX2(config)# changeto system ciscoasa(config)#
Virtual Firewalls
Task 2
Configure context CTX1 to inspect icmp and configure an access-list to deny any traffic from inside to outside subnets Steps to configure: Get into specific context Then apply the desired rules ciscoasa(config)# changeto context CTX1 ciscoasa/CTX1(config)# policy-map global_policy ciscoasa/CTX1(config-pmap)# class inspection_default ciscoasa/CTX1(config-pmap-c)# inspect icmp PC-A#ping192.168.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 8/22/40 ms As soon as the inspection of icmp is on we can see that icmp traffic is allowed to transact ciscoasa/CTX1(config)# changeto context CTX2 ciscoasa/CTX2(config)# access-list 101 deny ip any 172.16.0.0 255.255.0.0 ciscoasa/CTX2(config)# access-group 101 in interface inside R2#ping 172.16.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.1.10, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) We can see here no traffic is being allowed from inside to outside subnets but still the traffic from PC is allowed to R1 PC-A#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/27/64 ms As we did this configuration on context CTX2 it will not effect on other context CTX1by this we can conclude that each context maintains its own configurations
Transparent Firewall
Lab 14 Transparent Firewall

If you look at a layer 2 switch it doesnt require any ip addresses as they are layer 2 device they work with MAC Address and even they behave as a hidden device into the network they never exhibits there existence in the network From the basics of our firewall we know that our firewall is basically a layer 3 device which works with IP addresses and exhibits there existence into network. Transparent Firewall is a device where you configure your layer 3 firewall to work as a layer 2 Firewall which doesnt work with IP addresses but works with MAC addresses. As it works with MAC Addresses it doesnt exhibits his existence in the network and still capable of filtering and managing traffic from layer 2 We have to remember here that when we are making our ASA as a transparent firewall then few services doesnt work on ASA Firewall Dynamic routing protocols IPv6 Quality of Service Multicast To view the current mode of working of ASA issue the following command ASA# show firewall Firewall mode: Router To change the mode of ASA from router mode to transparent mode issue the following command ASA(config)# firewall transparent !!As soon as we issue the above command to ASA well lose our entire running configuration ASA(config)# show firewall Firewall mode: Transparent As now we are working with transparent mode of firewall we dont have any ip addresses configured so we need an IP address for our firewall to manage our device remotely. To Assign IP address to a firewall in Transparent mode new virtual interfaces have to be configured named Bridge Virtual Interface and IP address to the firewall is assigned to that particular interface

LAB Topology
Transparent Firewall
Device R1 R2
Interface Fast Ethernet 0/0 FastEthernet 0/0
Ip Address 10.1.1.1 10.1.1.2
Subnet Mask 255.0.0.0 255.0.0.0
Task 1 : Configure ASA as Transparent Firewall and Assign the interface credentials as follows Create a Transparent Firewall Interface (Bridge Virtual Interface) for management and activation of device and assign IP Address 10.1.1.10 Interface Giga Ethernet 0 Giga Ethernet 1 Name Outside Inside Security level 0 100
ASA(config)# firewall transparent Creating a Bridge Virtual Interface and assigning IP address to it ASA(config)# interface BVI1 ASA(config-if)# ip address 10.1.1.10 255.0.0.0 Configuring Interfaces and associating then to Bridge Virtual Interface 1 ASA(config)# interface GigabitEthernet0 ASA(config-if)# nameif outside ASA(config-if)# bridge-group 1 ASA(config-if)# security-level 0 ASA(config)# interface GigabitEthernet1 ASA(config-if)# nameif inside ASA(config-if)# bridge-group 1 ASA(config-if)# security-level 100
Failover- Active /Standby
LAB 15 Failover Active/Standby

ASA is very important device of every network which is mostly perimeter device failure of which may let whole network to go down. considering this criticalness Failover of ASA has been introduced which is an Automated process of swapping the Active Device when It goes down.
failover configuration
Netmetric CCNP Security Workbook 2.0 LAB TOPOLOGY
Device R1 R2
Interface Fast Ethernet 0/0 FastEthernet 0/0
Ip Address 10.1.1.1 192.168.1.1
Subnet Mask 255.0.0.0 255.0.0.0
Task 1 : Configure Failover for ASA such that when ASA1 crashes ASA2 should automatically replace itself with ASA1 Before proceeding with failover configuration make sure Devices are licensed for it. ASA1(config)# show version | grep Failover Failover : Active/Active ASA2(config)# show version | grep Failover Failover : Active/Active While making failover configuration make sure you define a standby IP Address over every interface. ASA1(config)# interface GigaEthernet0 ASA1(config-if)# no shutdown ASA1(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ASA1(config-if)# ip add 192.168.1.10 255.255.255.0 standby 192.168.1.7
ASA1(config-if)# interface GigaEthernet 1 ASA1(config-if)# no shutdown ASA1(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ASA1(config-if)# ip add 10.1.1.10 255.0.0.0 standby 10.1.1.7
After making Basic ASA interface configuration start making Failover Interface the interface which is being dedicated for failover should enabled ASA1(config-if)# interface GigaEthernet 2 ASA1(config-if)# no shutdown Here Interface GigaEthernet 2 is being dedicated for failover Enable Failover and define ASA1 as primary unit. ASA1(config)# failover lan enable ASA1(config)# failover lan unit primary
Define the interface name which is being used as failover interface and allocate a logical name to that interface and assign an unused IP address to the interface ASA1(config)# failover lan interface failint GigaEthernet 2 INFO: Non-failover interface config is cleared on GigaEthernet 2 and its sub-interfaces ASA1(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7 ASA1(config)# failover
Configuring ASA2 to be the secondary mate to ASA1 Enable all the interfaces participating in failover before making any configurations on ASA2 ASA2(config-if)# interface GigaEthernet 0 ASA2(config-if)# no shutdown ASA2(config-if)# interface GigaEthernet 1 ASA2(config-if)# no shutdown ASA2(config-if)# interface GigaEthernet 2 ASA2(config-if)# no shutdown
Configure the secondary failover configurations here as well ASA2(config)# failover lan enable ASA2(config)# failover lan unit secondary ASA2(config)# failover lan interface failint GigaEthernet2 INFO: Non-failover interface config is cleared on Ethernet2 and its sub-interfaces ASA2(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7 ASA2(config)#failover
As soon we issue command failover it activates the failover and look for the mate ASA2(config)# . Detected an Active mate Beginning configuration replication from mate. End configuration replication from mate
ASA1# sh failover Failover On Cable status: N/A - LAN-based failover enabled Failover unit Primary Failover LAN Interface: failint GigaEthernet2 (up) Unit Poll frequency 15 seconds, holdtime 45 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 2 of 250 maximum Version: Ours 8.0(4), Mate 8.0(4) Last Failover at: 08:37:46 UTC Nov 25 2012 This host: Primary - Active Active time: 585 (sec) Interface outside (192.168.1.10): Normal Interface inside (10.1.1.10): Normal Other host: Secondary - Standby Ready Active time: 0 (sec) Interface outside (192.168.1.7): Normal Interface inside (10.1.1.7): Normal Stateful Failover Logical Update Statistics Link : Unconfigured.
Netmetric CCNP Security Workbook 2.0 ASA1(config)# show failover state
State Last Failure Reason Date/Time This host Primary Active None Other host - Secondary Standby Ready Comm Failure 18:04:15 UTC Dec 29 2012 ====Configuration State=== Sync Done ====Communication State=== Mac set
Netmetric CCNP Security Workbook 2.0 Task 2 : Change the Active/Standby Failover into Stateful Failover ASA1(config)# failover link failint GigaEthernet2
ASA1# show failover

Failover On Cable status: N/A - LAN-based failover enabled Failover unit Primary Failover LAN Interface: failint GigaEthernet2 (up) Unit Poll frequency 15 seconds, holdtime 45 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 2 of 250 maximum Version: Ours 8.0(4), Mate 8.0(4) Last Failover at: 08:37:46 UTC Nov 25 2012 This host: Primary - Active Active time: 765 (sec) Interface outside (192.168.1.10): Normal Interface inside (10.1.1.10): Normal Other host: Secondary - Standby Ready Active time: 0 (sec) Interface outside (192.168.1.7): Normal Interface inside (10.1.1.7): Normal Stateful Failover Logical Update Statistics Link : failint GigaEthernet2 (up) Stateful Obj xmit xerr General 9 0 sys cmd 8 0 up time 0 0 RPC services 0 0 TCP conn 0 0 UDP conn 0 0 ARP tbl 1 0 Xlate_Timeout 0 0 VPN IKE upd 0 0 VPN IPSEC upd 0 0 VPN CTCP upd 0 0 VPN SDI upd 0 0 VPN DHCP upd 0 0 SIP Session 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 8 Xmit Q: 0 2 59
rcv 8 8 0 0 0 0 0 0 0 0 0 0 0 0
rerr 0 0 0 0 0 0 0 0 0 0 0 0 0 0
LAB 15 Failover Active/Active

Active / Active failover Configuring is failover facility for Context and making sure that when one context goes down another one should replicate and deployment of failover happens on virtual firewalls rather than physical.
failover configuration
Netmetric CCNP Security Workbook 2.0 LAB TOPOLOGY
Device R1 R2 R3 R4
Interface Fast Ethernet 0/0 FastEthernet 0/0 FastEthernet 0/0 FastEthernet 0/0
Ip Address 10.1.1.1 192.168.1.1 11.1.1.1 172.16.1.1
Subnet Mask 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
Task 1 : Configure Change the mode of ASA from Single to multiple ASA1(config)# mode multiple
ASA2(config)# mode multiple
ASA1# show mode Security context mode: multiple ASA2# show mode Security context mode: multiple
Netmetric CCNP Security Workbook 2.0 Task 2 :Create two Context on ASA1 as following Credentials Name Ctx1 Ctx2 Interface GigaEthernet 0 GigaEthernet 1 GigaEthernet 2 GigaEthernet 3 Config-Url Flash:/ctx1 Flash:/ctx2
ASA1(config)# context Ctx1 Creating context 'ctx1'... Done. (2) ASA1(config-ctx)# config-url ctx1 INFO: Converting ctx1 to disk0:/ctx1 WARNING: Could not fetch the URL disk0:/ctx1 INFO: Creating context with default config ASA1(config-ctx)# allocate-interface g0 ASA1(config-ctx)# allocate-interface g1
ASA1(config)# context ctx2 Creating context 'ctx2'... Done. (3) ASA1(config-ctx)# config-url ctx2 INFO: Converting ctx2 to disk0:/ctx2 WARNING: Could not fetch the URL disk0:/ctx2 INFO: Creating context with default config ASA1(config-ctx)# allocate-interface g2 ASA1(config-ctx)# allocate-interface g3
Netmetric CCNP Security Workbook 2.0 Task 3 : Configure Context CTX1 and CTX2 as follows Name Ctx1 Ctx2 Interface GigaEthernet 0 GigaEthernet 1 GigaEthernet 2 GigaEthernet 3 Nameif Outside Inside Inside Outside
IP Address 192.168.1.10 10.1.1.10 11.1.1.10 172.16.1.10
Standby IP 192.168.1.11 10.1.1.11 11.1.1.11 172.16.1.11
ASA1(config)# changeto context ctx1 ASA1/ctx1(config)# interface gigabitEthernet 0 ASA1/ctx1(config-if)# ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11 ASA1/ctx1(config-if)# no shutdown ASA1/ctx1(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default.
ASA1/ctx1(config)# interface gigabitEthernet 1 ASA1/ctx1(config-if)# ip address 10.1.1.10 255.0.0.0 standby 10.1.1.11 ASA1/ctx1(config-if)# no shutdown ASA1/ctx1(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ASA1/ctx1(config)# changeto context ctx2 ASA1/ctx2(config)# interface gigabitEthernet 2 ASA1/ctx2(config-if)# ip address 11.1.1.10 255.0.0.0 standby 11.1.1.11 ASA1/ctx2(config-if)# no shutdown ASA1/ctx2(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ASA1/ctx2(config)# interface gigabitEthernet 3 ASA1/ctx2(config-if)# ip address 172.16.1.10 255.0.0.0 standby 172.16.1.11 ASA1/ctx2(config-if)# no shutdown ASA1/ctx2(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default.
Task 4 : Configure Failover on Such that Context ctx1 should be active on ASA1 and CTX2 should be active on ASA2 ASA1(config)# failover lan unit primary ASA1(config)# failover lan interface failint g4 INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces ASA1(config)# failover link failint g4 ASA1(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7 ASA1(config)# failover Create Failover Groups and associate context to each group ASA1(config)# failover group 1 ASA1(config-fover-group)# primary ASA1(config-fover-group)# exit ASA1(config)# failover group 2 ASA1(config-fover-group)# secondary ASA1(config-fover-group)# exit Associating Groups to context created so that ctx1 can be primary and ctx2 should be secondary on ASA1 ASA1(config)# context ctx1 ASA1(config-ctx)# join-failover-group 1 ASA1(config-ctx)# exit ASA1(config)# context ctx2 ASA1(config-ctx)# join-failover-group 2 ASA1(config-ctx)# exit
Netmetric CCNP Security Workbook 2.0 Configuring Failover Link ASA2
ASA2(config)# failover lan unit secondary ASA2(config)# failover lan interface failint g4 INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces ASA2(config)# failover link failint g4 ASA2(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.11 ASA2(config)# failover Failover LAN became OK Switchover enabled Configuration has changed, replicate to mate.
Netmetric CCNP Security Workbook 2.0 Verification: ASA1(config)# show failover Failover On Failover unit Primary Failover LAN Interface: failint GigabitEthernet4 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 60 maximum Version: Ours 8.4(2), Mate 8.4(2) Group 1 last failover at: 05:36:55 UTC Dec 30 2012 Group 2 last failover at: 05:36:55 UTC Dec 30 2012 This host: Primary Group 1 State: Active Active time: 255 (sec) Group 2 State: Active Active time: 255 (sec) ctx1 Interface outside (192.168.1.10): Normal (Waiting) ctx1 Interface inside (10.1.1.10): Normal (Waiting) ctx2 Interface inside (11.1.1.10): Normal (Waiting) ctx2 Interface outside (172.16.1.10): Normal (Waiting) Other host: Secondary Group 1 State: Standby Ready Active time: 0 (sec) Group 2 State: Standby Ready Active time: 0 (sec) ctx1 Interface outside (192.168.1.11): Normal (Waiting) ctx1 Interface inside (10.1.1.11): Normal (Waiting) ctx2 Interface inside (11.1.1.11): Normal (Waiting) ctx2 Interface outside (172.16.1.11): Normal (Waiting)
Site-to-Site IPSec VPN
LAB - 1 Making Site to Site IPSec Virtual Private Network
Points to Remember:
Majorly we used VPN technology is IPsec (Internet Protocol Security) IPsec is a protocol suite which is designed to provide the solution for remote connectivity over an insecure network IPsec Provides Confidentiality and Integrity to the ip packets traversing over internet An another supporting protocols which is always associated with IPsec is ISAKMP (Internet security Association Key Management Protocol) ISAKMP is purely dedicated to transfer the security keys from one device to another ISAKMP works on UDP port no.500
For making of site to site VPN using IPSec technology, it requires Devices which support VPN services and are licensed for it A Static IP Address on both ends which is routable
LAB Topology
In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B Respectively and R2 is acting as Internet Loopbacks here demonstrates Local LAN Interface Configuration on Router Device R1 R1 R2 R2 R3 R3 Interface F0/0 loopback F0/0 F0/1 F0/0 loopback Ip Address 1.1.1.1 11.11.11.11 1.1.1.2 2.2.2.1 2.2.2.2 33.33.33.33 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3 Verification for routing R1#ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms R3#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
Task 1 : Configure a IPSec site-to-site vpn between R1 and R3 to make the secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33) Process of making an IPSec VPN can be simplified by following the sequence of configuration. o o o o o Define ISAKMP Credentials, the credentials which are to be used for Key Exchange Define IPSec Credentials, which are used in data Exchange Define interesting traffic using an access-list Map all the credentials of VPN in a crypto map Apply the Map on Interface Defining ISAKMP Policy which is also called as phase 1 parameters of VPN R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication pre-share R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we need to define a shared secret key on both side in this lab scenario netmetric is the shared key R1(config)#crypto isakmp key netmetric address 2.2.2.2 This Concludes Phase 1 Configuration Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit
As per task our interesting traffic is sourced from 11.11.11.11 and destinies at 33.33.33.33 definition of it can be done by an simple extended access-list
R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
Netmetric CCNP Security Workbook 2.0 Binding credentials using crypto map R1(config)#crypto map vpn-map 10 ipsec-isakmp R1(config-crypto-map)#set peer 2.2.2.2 R1(config-crypto-map)#set transform-set t-set-1 R1(config-crypto-map)#match address 101
A crypto map binds the interesting traffic and peer with a specific transform set Application of this crypto map over as interface R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map
Over other side we need to define exactly the same credentials of phase 1 & 2 without any change but difference in names of policies and transform-set is negligible. R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication pre-share R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto isakmp key netmetric address 1.1.1.1
R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33 R3(config)#crypto map vpn-map-2 10 ipsec-isakmp R3(config-crypto-map)#set peer 1.1.1.1 R3(config-crypto-map)#set transform-set t-set-2 R3(config-crypto-map)#match address 101 R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map-2
Netmetric CCNP Security Workbook 2.0 Verification Generating Interesting Traffic R1#ping 33.33.33.33 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms As soon as VPN starts the traffic between two local LAN starts Transactions. R1#sh crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: vpn-net, local addr 1.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) current_peer 2.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pktscompr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2 path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0 current outbound spi: 0x0(0)
R1#sh crypto session Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 2.2.2.2 port 500 IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255
Task 2 : Modify Existing VPN connection to secure the telnet access between two peers An IPSec VPN Always catch interesting traffic based on crypto ACL (Access-list matched in crypto map is termed as crypto ACL) , Whatever traffic is supposed to pass through VPN it need to added into ACL Modifying Access-list of Router R1 R1(config)#access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
Modifying Access-list of Router R3 R3(config)#access-list 101 permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet
Task 3 : Imagine there is one more Peer by name Site C (R4) at ip address 3.3.3.3 with loopback ip address 55.55.55.55, Secure the Access between Loopbacks of R1 and R4. Create a new Access-list for catching traffic between Loopbacks R1(config)#access-list 102 permit ip host 11.11.11.11 host 55.55.55.55 Create a Crypto map with same name but different ID ( No Need to Add a Different named VPN Map as you can not apply more than one Map on an interface) R3(config)#crypto map vpn-map 11 ipsec-isakmp R3(config-crypto-map)#set peer 3.3.3.3 R3(config-crypto-map)#set transform-set t-set-1 R3(config-crypto-map)#match address 102
Site-to-Site IPSec VPN over ASA
LAB - 2 Making Site to Site IPSec Virtual Private Network Over ASA
LAB Topology
In Above topology two ASA are acting as border devices of two sites Site A & Site B Respectively and R2 is acting as Internet where as Router R1 and Router R3 are Local LAN of their respective sites Interface Configuration on Router Device ASA Site A ASA Site A ASA Site B ASA Site B R1 R3 Interface E0/0 E0/1 E0/0 E0/1 F0/0 F0/0 Name-if Outside Inside Outside Inside -- --- -Ip Address 1.1.1.1 11.11.11.10 2.2.2.2 33.33.33.10 11.11.11.11 33.33.33.33 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices Site ASA Verification for routing ciscoasa-site-A# ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 msR3#ping 1.1.1.1 ciscoasa-Site-B# ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 50/74/90 ms
Task 1 : Configure a IPSec site-to-site vpn between Site A and Site B to make the secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33)
By default ISAKMP services are disabled in ASA we need to enable the ISAKMP Services, In ASA > 8.3 ISAKMP is termed as IKEv1 and IKEv2 IKEv1 is dedicated for Site to Site and IPSec VPN and IKEv2 for SSL VPN, As we are working with Site to Site VPN we need to enable IKEv1 here ciscoasa-site-A(config)# crypto ikev1 enable Outside Configure all the Credentials of ISAKMP in a policy ciscoasa-site-A(config)# crypto ikev1 policy 10 ciscoasa-site-A(config-ikev1-policy)# encryption aes ciscoasa-site-A(config-ikev1-policy)# hash sha ciscoasa-site-A(config-ikev1-policy)# group 2 ciscoasa-site-A(config-ikev1-policy)# authentication pre-share ciscoasa-site-A(config-ikev1-policy)# lifetime 6000 Defining Pre-share key using Tunnel Group options A tunnel group specially designed to define the attributes related to VPN and its Functionality, The name of tunnel group of type L2L should be always the Peer Address ciscoasa-site-A(config)# tunnel-group 2.2.2.2 type ipsec-l2l ciscoasa-site-A(config)# tunnel-group 2.2.2.2 ipsec-attributes ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123 Configure IPSec Credentials for both devices ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac Definition of Interesting Traffic using Access-list ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
Netmetric CCNP Security Workbook 2.0 Create a Crypto map and bind all the credentials with that MAP
ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2 ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set ciscoasa-site-A(config)# crypto map mymap 10 match address 101 Apply The MAP on interface facing to Internet ciscoasa-site-A(config)# crypto map mymap interface Outside
Make the VPN Configuration on Other Side As well ciscoasa-Site-B(config)# crypto ikev1 enable Outside ciscoasa-Site-B(config)# crypto ikev1 policy 10 ciscoasa-Site-B(config-ikev1-policy)# authentication pre-share ciscoasa-Site-B(config-ikev1-policy)# encryption aes ciscoasa-Site-B(config-ikev1-policy)# hash sha ciscoasa-Site-B(config-ikev1-policy)# group 2 ciscoasa-Site-B(config-ikev1-policy)# lifetime 5600 ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 type ipsec-l2l ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 ipsec-attributes ciscoasa-Site-B(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123 ciscoasa-Site-B(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac Define interesting traffic by means of an access-list again which is mirrored to other side ciscoasa-Site-B(config)# access-list 109 permit ip host 33.33.33.33 host 11.11.11.11 Crypto MAP Creation and Application ciscoasa-Site-B(config)# crypto map mymap 10 match address 109 ciscoasa-Site-B(config)# crypto map mymap 10 set peer 1.1.1.1 ciscoasa-Site-B(config)# crypto map mymap 10 set ikev1 transform-set t-set ciscoasa-Site-B(config)# crypto map mymap interface outside
Initiating a Connection from Router R1 destinies to Router R3 which is as per interesting traffic of VPN R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 68/102/144 ms Verification of ISAKMP functionality ciscoasa-site-A# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 2.2.2.2 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE Verification if IPSec Functionality
ciscoasa-site-A# show crypto ipsec sa interface: Outside Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1 access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33 local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) current_peer: 2.2.2.2 #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 80 local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0 path mtu 1500, ipsec overhead 58, media mtu 1500
Netmetric CCNP Security Workbook 2.0 ciscoasa-Site-B# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 1.1.1.1 Type : L2L Role : responder Rekey : no State : MM_ACTIVE
ciscoasa-Site-B# show crypto ipsec sa interface: outside Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2 access-list 109 extended permit ip host 33.33.33.33 host 11.11.11.11 local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) current_peer: 1.1.1.1 #pkts encaps: 362, #pkts encrypt: 362, #pkts digest: 362 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 362, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
Site-to-Site IPSec VPN using CA Server
LAB - 3 Making Site to Site IPSec Virtual Private Network with
Points to Remember:
Digital Certificate is issued by an external Authority after Verification Any Other Device who have the certificate from same authority can form VPN with each other A Certificate Authority can be any server flavor Operating system or a Cisco router The process of requesting and enrolling a certificate is done over SCEP protocol Simple Certificate Enrollment Protocol(SCEP) is devoloped over HTTP so it also work on TCP/80 This Authentication which is done by an External Authentication Server is also called as PKI (Public Key Infrastucture)
Whenever the authentication of VPN is set to Digital Certificates Peers Exchange there certificates As Soon as they confirm that the issuer is same for both the certificates they form vpn with each other
LAB Topology
In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B Respectively and R2 is acting as Internet as well as Certificate Authority. Loopbacks here demonstrates Local LAN Interface Configuration on Router Device R1 R1 R2 R2 R3 R3 Interface F0/0 loopback F0/0 F0/1 F0/0 loopback Ip Address 1.1.1.1 11.11.11.11 1.1.1.2 2.2.2.1 2.2.2.2 33.33.33.33 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
Task 1 : Configure Router R1 to Act as Certificate Authority, and request Certificates From Router R1 and R3 Prerequisite Make sure that you have enabled HTTP services on the router which is acting as CA Server And Ensure proper clock is synchronized between peers and Server before making CA Thus Configure NTP on all the Routers Participating in VPN and make sure they are sync. Verification R1#show clock 11:41:56.595 UTC Sat Jan 5 2013 R2#show clock 11:42:02.871 UTC Sat Jan 5 2013 R3#show clock 11:42:04.805 UTC Sat Jan 5 2013 R2(config)#ip http server R2#show ip http server status HTTP server status: Enabled HTTP server port: 80 HTTP server authentication method: enable once verify the services and pre-requisite start making router R2 as Certificate Authority (CA) R2(config)#crypto pki server ios_ca R2(cs-server)#grant auto R2(cs-server)#no shutdown %Some server settings cannot be changed after CA certificate generation. % Please enter a passphrase to protect the private key % or type Return to exit Password:******** Re-enter password:******** % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] % Exporting Certificate Server signing certificate and keys... Jan 5 15:00:57.435: %SSH-5-ENABLED: SSH 1.99 has been enabled % Certificate Server enabled. Jan 5 15:01:00.063: %PKI-6-CS_ENABLED: Certificate server now enabled.
To enroll a certificate on Router R1 create a Trust point where all the properties of local Router and address of CA is to be defined R1(config)#crypto pki trustpoint ca_r1 R1(ca-trustpoint)#enrollment url http://1.1.1.2 R1(ca-trustpoint)#revocation-check none After we define the CA Server Address we need get certificate from CA To Enroll yourself and Get CA Certificate into your Router R1(config)#crypto pki authenticate ca_r1 Certificate has the following attributes: Fingerprint MD5: B853F5E4 1DEFC727 3C2FFF84 994AA49A Fingerprint SHA1: 38F6ED36 A70ACE41 B20EE59E 81ABBCCC B8038ADD % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. To enroll the certificate from the CA Server R1(config)#crypto pki enroll ca_r1
% % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password:******* Re-enter password:******* % The subject name in the certificate will include: R1.lab.local % Include the router serial number in the subject name? [yes/no]: no % The IP address in the certificate is 1.1.1.1 Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto ca certificate ca_r1 verbose' command will show the fingerprint. Jan 5 15:51:37.984: %PKI-6-CERTRET: Certificate received from Certificate Authority
Netmetric CCNP Security Workbook 2.0 Repeat the process with Router R3 as well R3(config)#crypto pki trustpoint ca_r3 R3(ca-trustpoint)#enrollment url http://1.1.1.2 R3(ca-trustpoint)#serial-number none R3(ca-trustpoint)#ip-address 2.2.2.2 R3(ca-trustpoint)#revocation-check none Authenticate Router R3 to CA
R3(config)#crypto pki authenticate ca_r3 Certificate has the following attributes: Fingerprint MD5: B853F5E4 1DEFC727 3C2FFF84 994AA49A Fingerprint SHA1: 38F6ED36 A70ACE41 B20EE59E 81ABBCCC B8038ADD % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. Enroll Router R3 to CA R3(config)#crypto pki enroll ca_r3 % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password:******** Re-enter password:********* % The subject name in the certificate will include: R3.lab.local % The IP address in the certificate is 2.2.2.2 Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto ca certificate ca_r3 verbose' command will show the fingerprint. Jan 5 16:03:58.279: %PKI-6-CERTRET: Certificate received from Certificate Authority
Netmetric CCNP Security Workbook 2.0 Verify certificates R1#show crypto pki certificates
Certificate Status: Available Certificate Serial Number: 02 Certificate Usage: General Purpose Issuer: cn=ios_ca Subject: Name: R1.lab.local IP Address: 1.1.1.1 ipaddress=1.1.1.1+hostname=R1.lab.local Validity Date: start date: 15:51:36 UTC Jan 5 2013 end date: 15:51:36 UTC Jan 5 2014 Associated Trustpoints: ca_r1
R3#show crypto pki certificates

Certificate Status: Available Certificate Serial Number: 03 Certificate Usage: General Purpose Issuer: cn=ios_ca Subject: Name: R3.lab.local IP Address: 2.2.2.2 ipaddress=2.2.2.2+hostname=R3.lab.local Validity Date: start date: 16:03:56 UTC Jan 5 2013 end date: 16:03:56 UTC Jan 5 2014 Associated Trustpoints: ca_r3
R1#sh crypto pki trustpoints

Trustpoint ca_r1: Subject Name: cn=ios_ca Serial Number: 01 Certificate configured. SCEP URL: http://1.1.1.2:80/cgi-bin
Verification on CA Server i.e Router R2 R2#show crypto pki server Certificate Server ios_ca: Status: enabled State: enabled
Task 2 : Configure a IPSec site-to-site vpn between R1 and R3 using PKI authentication to make the secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33) Process of making an IPSec VPN can be simplified by following the sequence of configuration. o o o o o Define ISAKMP Credentials, the credentials which are to be used for Key Exchange Define IPSec Credentials, which are used in data Exchange Define interesting traffic using an access-list Map all the credentials of VPN in a crypto map Apply the Map on Interface Defining ISAKMP Policy which is also called as phase 1 parameters of VPN R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication rsa-sig R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we are using rsa-signatures here so no need to define any preshare key. This Concludes Phase 1 Configuration Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit
As per task our interesting traffic is sourced from 11.11.11.11 and destinies at 33.33.33.33 definition of it can be done by an simple extended access-list
R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
Netmetric CCNP Security Workbook 2.0 Binding credentials using crypto map R1(config)#crypto map vpn-map 10 ipsec-isakmp R1(config-crypto-map)#set peer 2.2.2.2 R1(config-crypto-map)#set transform-set t-set-1 R1(config-crypto-map)#match address 101
A crypto map binds the interesting traffic and peer with a specific transform set Application of this crypto map over as interface R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map
Over other side we need to define exactly the same credentials of phase 1 & 2 without any change but difference in names of policies and transform-set is negligible. R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication rsa-sig R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac No Need to define any pre-share key as we are using Authentication as rsa-sig(i.e Digital Certificates) R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33 R3(config)#crypto map vpn-map-2 10 ipsec-isakmp R3(config-crypto-map)#set peer 1.1.1.1 R3(config-crypto-map)#set transform-set t-set-2 R3(config-crypto-map)#match address 101 R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map-2
Netmetric CCNP Security Workbook 2.0 Verification Generating Interesting Traffic R1#ping 33.33.33.33 source 11.11.11.11
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds: Packet sent with a source address of 20.1.1.1 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms As soon as VPN starts the traffic between two local LAN starts Transactions. R1#sh crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: vpn-net, local addr 1.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) current_peer 2.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pktscompr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2 path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0 current outbound spi: 0x0(0) R1#sh crypto session Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 2.2.2.2 port 500 IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255
LAB - 4 Making Site to Site IPSec VPN Over ASA with PKI
LAB Topology
In Above topology two ASA are acting as border devices of two sites Site A & Site B Respectively and R2 is acting as Internet as well as a CA server where as Router R1 and Router R3 are Local LAN of their respective sites Interface Configuration on Router Device ASA Site A ASA Site A ASA Site B ASA Site B R1 R3 Interface E0/0 E0/1 E0/0 E0/1 F0/0 F0/0 Name-if Outside Inside Outside Inside -- --- -Ip Address 1.1.1.1 11.11.11.10 2.2.2.2 33.33.33.10 11.11.11.11 33.33.33.33 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices Site ASA Verification for routing ciscoasa-site-A# ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 msR3#ping 1.1.1.1 ciscoasa-Site-B# ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 50/74/90 ms Task 1 : Configure Router R2 as CA server and Enroll ASA Site A and Site B to that CA Server
R2(config)#ip http server R2#show ip http server status HTTP server status: Enabled HTTP server port: 80 HTTP server authentication method: enable once verify the services and pre-requisite start making router R2 as Certificate Authority (CA) R2(config)#crypto pki server ios_ca R2(cs-server)#grant auto R2(cs-server)#no shutdown %Some server settings cannot be changed after CA certificate generation. % Please enter a passphrase to protect the private key % or type Return to exit Password:******** Re-enter password:******** % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] % Exporting Certificate Server signing certificate and keys... Jan 5 15:00:57.435: %SSH-5-ENABLED: SSH 1.99 has been enabled % Certificate Server enabled. Jan 5 15:01:00.063: %PKI-6-CS_ENABLED: Certificate server now enabled. To verify the certificate server R2#sh crypto pki server Certificate Server ios_ca: Status: enabled State: enabled Server's configuration is locked (enter "shut" to unlock it) Issuer name: CN=ios_ca CA cert fingerprint: B853F5E4 1DEFC727 3C2FFF84 994AA49A Granting mode is: auto Last certificate issued serial number: 0x3 CA certificate expiration timer: 15:00:58 UTC Jan 5 2016 CRL NextUpdate timer: 21:00:59 UTC Jan 5 2013 Current primary storage dir: nvram: Database Level: Minimum - no cert data written to storage To enroll a certificate on ASA1 create a Trust point where all the properties of ASA1 is configured and address of CA is to be defined
ciscoasa-site-A (config)# crypto ca trustpoint ios_ca ciscoasa-site-A (config-ca-trustpoint)# enrollment url http://1.1.1.2 ciscoasa-site-A (config-ca-trustpoint)# revocation-check none Authenticate to CA Server ciscoasa-site-A (config)# crypto ca authenticate ios_ca INFO: Certificate has the following attributes: Fingerprint: b853f5e4 1defc727 3c2fff84 994aa49a Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. Generate RSA Keys and then Enroll to CA Server ciscoasa-site-A (config)# crypto key generate rsa
ciscoasa-site-A (config)# crypto ca enroll ios_ca % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: ******** Re-enter password: ********
% The fully-qualified domain name in the certificate will be: ciscoasa-site-A % Include the device serial number in the subject name? [yes/no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority The certificate has been granted by CA!
To enroll a certificate on ASA2 create a Trust point where all the properties of ASA2 is configured and address of CA is to be defined
ciscoasa-site-B (config)# crypto ca trustpoint ios_ca ciscoasa-site-B (config-ca-trustpoint)# enrollment url http://2.2.2.1 ciscoasa-site-B (config-ca-trustpoint)# revocation-check none Authenticate to CA Server ciscoasa-site-B (config)# crypto ca authenticate ios_ca INFO: Certificate has the following attributes: Fingerprint: b853f5e4 1defc727 3c2fff84 994aa49a Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. Generate RSA Keys and then Enroll to CA Server ciscoasa-site-B (config)# crypto key generate rsa
ciscoasa-site-B (config)# crypto ca enroll ios_ca % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: ******** Re-enter password: ********
% The fully-qualified domain name in the certificate will be: ciscoasa-site-B % Include the device serial number in the subject name? [yes/no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority The certificate has been granted by CA!
Netmetric CCNP Security Workbook 2.0 Verification ciscoasa-site-A(config)# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 04 Certificate Usage: General Purpose Public Key Type: RSA (1024 bits) Issuer Name: cn=ios_ca Subject Name: hostname=ciscoasa Validity Date: start date: 18:18:26 UTC Jan 5 2013 end date: 18:18:26 UTC Jan 5 2014 Associated Trustpoints: ios_ca
ciscoasa-site-B(config)# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 05 Certificate Usage: General Purpose Public Key Type: RSA (1024 bits) Issuer Name: cn=ios_ca Subject Name: hostname=ciscoasa Validity Date: start date: 18:18:26 UTC Jan 5 2013 end date: 18:18:26 UTC Jan 5 2014 Associated Trustpoints: ios_ca
Task 2 : Configure a IPSec site-to-site vpn between Site A and Site B using PKI to make the secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33)
By default ISAKMP services are disabled in ASA we need to enable the ISAKMP Services, In ASA > 8.3 ISAKMP is termed as IKEv1 and IKEv2 IKEv1 is dedicated for Site to Site and IPSec VPN and IKEv2 for SSL VPN, As we are working with Site to Site VPN we need to enable IKEv1 here ciscoasa-site-A(config)# crypto ikev1 enable Outside Configure all the Credentials of ISAKMP in a policy ciscoasa-site-A(config)# crypto ikev1 policy 10 ciscoasa-site-A(config-ikev1-policy)# encryption aes ciscoasa-site-A(config-ikev1-policy)# hash sha ciscoasa-site-A(config-ikev1-policy)# group 2 ciscoasa-site-A(config-ikev1-policy)# authentication rsa-sig ciscoasa-site-A(config-ikev1-policy)# lifetime 6000 As we have certificates as authentication no need to define pre-share key Configure IPSec Credentials for both devices ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac Definition of Interesting Traffic using Access-list ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33 Create a Crypto map and bind all the credentials with that MAP ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2 ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set ciscoasa-site-A(config)# crypto map mymap 10 match address 101 Apply The MAP on interface facing to Internet ciscoasa-site-A(config)# crypto map mymap interface Outside
Make the VPN Configuration on Other Side As well
Netmetric CCNP Security Workbook 2.0 ciscoasa-Site-B(config)# crypto ikev1 enable Outside ciscoasa-Site-B(config)# crypto ikev1 policy 10 ciscoasa-Site-B(config-ikev1-policy)# authentication rsa-sig ciscoasa-Site-B(config-ikev1-policy)# encryption aes ciscoasa-Site-B(config-ikev1-policy)# hash sha ciscoasa-Site-B(config-ikev1-policy)# group 2 ciscoasa-Site-B(config-ikev1-policy)# lifetime 5600
ciscoasa-Site-B(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac Define interesting traffic by means of an access-list again which is mirrored to other side ciscoasa-Site-B(config)# access-list 109 permit ip host 33.33.33.33 host 11.11.11.11 Crypto MAP Creation and Application ciscoasa-Site-B(config)# crypto map mymap 10 match address 109 ciscoasa-Site-B(config)# crypto map mymap 10 set peer 1.1.1.1 ciscoasa-Site-B(config)# crypto map mymap 10 set ikev1 transform-set t-set ciscoasa-Site-B(config)# crypto map mymap interface outside
Initiating a Connection from Router R1 destinies to Router R3 which is as per interesting traffic of VPN R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 68/102/144 ms Verification of ISAKMP functionality ciscoasa-site-A# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 2.2.2.2 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE Verification if IPSec Functionality
ciscoasa-site-A# show crypto ipsec sa interface: Outside Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1 access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33 local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) current_peer: 2.2.2.2 #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 80 local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0 path mtu 1500, ipsec overhead 58, media mtu 1500
Netmetric CCNP Security Workbook 2.0 ciscoasa-Site-B# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 1.1.1.1 Type : L2L Role : responder Rekey : no State : MM_ACTIVE
ciscoasa-Site-B# show crypto ipsec sa interface: outside Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2 access-list 109 extended permit ip host 33.33.33.33 host 11.11.11.11 local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) current_peer: 1.1.1.1 #pkts encaps: 362, #pkts encrypt: 362, #pkts digest: 362 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 362, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
Site-to-Site GRE VPN
LAB - 5 Making Site to Site GRE Virtual Private Network
Points to Remember:
GRE is an only tunneling protocol which is used to form a tunnel between two sites GRE provides only Encapsulation service by Preparatory GRE protocol which is at no.47 in TCP/IP Suite It adds an extra interface for each peer which allows us to configure Routing and QoS GRE do not support and Encryption or Hashing Service so we not have any secure transaction over a GRE GRE creates a virtual Point-to-Point link between two remotely connected devices to act as if they are directly connected
we need a static IP on both peers who are participation in a GRE tunnel
LAB Topology
Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their public IP address as peer address to each other. o o o o GRE VPN's is always configured using virtual interfaces called as tunnels which do have an ip address which is to be assigned by administrator, Apart from ip address a Tunnel interface needs its association with physical interfaces which is done by defining tunnel source and tunnel destination Tunnel source is association of your tunnel with a physical interface you have, it can be associated by defining an ip address or the name of interface it defines the starting point of tunnel. Tunnel destination is defining the end point of the tunnel which physical ip address of remote device generally termed as peer address
R1(config)#interface tunnel 0 R1(config-if)#ip add 6.6.6.1 255.0.00.0 R1(config-if)#tunnel source 1.1.1.1 R1(config-if)#tunnel destination 2.2.2.2 If authentication is desired over tunnel, then we can configure a pre-share key over tunnel. In GRE Authentication is Optional unlike IPSec where its mandatory. R1(config-if)#tunnel key 123456 Configure the following configuration over other side device as well R2(config)#interface tunnel 123 R2(config-if)#ip add 6.6.6.32255.0.00.0 R2(config-if)#tunnel source FastEthernet 0/0 R2(config-if)#tunnel destination 1.1.1.1 R2(config-if)#tunnel key 123456 R1#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP Gateway of last resort is 1.1.1.2 to network 0.0.0.0 C C C S* 1.0.0.0/8 is directly connected, FastEthernet0/0 6.0.0.0/8 is directly connected, Tunnel0 11.0.0.0/8 is directly connected, Loopback0 0.0.0.0/0 [1/0] via 1.1.1.2 Tunnel Is Acting as a Directly connected network to other side
Netmetric CCNP Security Workbook 2.0 R1#ping 6.6.6.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms R3#ping 6.6.6.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms
Tunnel Communication is working well, But when local lan communication is desired its not working. R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) R3#ping 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5)
Task 2 : Route the traffic of both side local LAN using static routing via tunnel to make the local LAN reachable. R1(config)#ip route 33.33.33.0 255.255.255.0 6.6.6.2 Adding a static route reachable via tunnel will make the local LAN communication work well either next hop can be tunnel or the ip of Next hop Tunnel Address R3(config)#ip route 11.11.11.0 255.255.255.0 tunnel 0 As soon routes are added in routing table local LAN will be Reachable R1#show ip route C 1.0.0.0/8 is directly connected, FastEthernet0/0 33.0.0.0/24 is subnetted, 1 subnets S 33.33.33.0 [1/0] via 6.6.6.2 C 6.0.0.0/8 is directly connected, Tunnel0 C 11.0.0.0/8 is directly connected, Loopback0 S* 0.0.0.0/0 [1/0] via 1.1.1.2 R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms R3#ping 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/59/96 ms Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
GRE/IPSec with Crypto - Map
LAB - 6 GRE Over IPSec VPN with Crypto-Map
Points to Remember:
GRE is an only tunneling protocol which is used to form a tunnel between two sites GRE provides only Encapsulation service by Preparatory GRE protocol which is at no.47 in TCP/IP Suite It adds an extra interface for each peer which allows us to configure Routing and QoS GRE do not support and Encryption or Hashing Service so we not have any secure transaction over a GRE GRE creates a virtual Point-to-Point link between two remotely connected devices to act as if they are directly connected
we need a static IP on both peers who are participation in a GRE tunnel
LAB Topology
Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their public IP address as peer address to each other. R1(config)#interface tunnel 0 R1(config-if)#ip add 6.6.6.1 255.0.00.0 R1(config-if)#tunnel source 1.1.1.1 R1(config-if)#tunnel destination 2.2.2.2 R1(config-if)#tunnel key 123456 Configure the following configuration over other side device as well R2(config)#interface tunnel 123 R2(config-if)#ip add 6.6.6.32255.0.00.0 R2(config-if)#tunnel source FastEthernet 0/0 R2(config-if)#tunnel destination 1.1.1.1 R2(config-if)#tunnel key 123456 R1#ping 6.6.6.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms R3#ping 6.6.6.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms
Task 2 : Route the traffic of both side local LAN using Dynamic routing Protocol EIGRP via tunnel to make the local LAN reachable. we need to advertise the tunnel address as common address between peers R1(config)#router eigrp 100 R1(config-router)#net 11.0.0.0 R1(config-router)#net 6.0.0.0 !! Do not Advertise Physical networks in Dynamic Routing R3(config)#router eigrp 100 R3(config-router)#network 33.0.0.0 R3(config-router)#network 6.0.0.0 As soon routes are added in routing table local LAN will be Reachable R1#show ip route C D C C S* 1.0.0.0/8 is directly connected, FastEthernet0/0 33.0.0.0/8 [90/297372416] via 6.6.6.2, 00:03:02, Tunnel0 6.0.0.0/8 is directly connected, Tunnel0 11.0.0.0/8 is directly connected, Loopback0 0.0.0.0/0 [1/0] via 1.1.1.2
R3#show ip route C C C D S* 2.0.0.0/8 is directly connected, FastEthernet0/0 33.0.0.0/8 is directly connected, Loopback0 6.0.0.0/8 is directly connected, Tunnel0 11.0.0.0/8 [90/297372416] via 6.6.6.1, 00:01:19, Tunnel0 0.0.0.0/0 [1/0] via 2.2.2.1
R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
Task 3 : Protect The GRE tunnel which is created between Host 1.1.1.1 and 2.2.2.2 using IPsec VPN solution with crypto-maps. Defining ISAKMP Policy which is also called as phase 1 parameters of VPN R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication pre-share R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we need to define a shared secret key on both side in this lab scenario netmetric is the shared key R1(config)#crypto isakmp key netmetric address 2.2.2.2 This Concludes Phase 1 Configuration Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit As per task our interesting traffic as all GRE Traffic sourced from 1.1.1.1 and destinies at 2.2.2.2 definition of it can be done by an simple extended access-list Make sure that your access list catches GRE Traffic. R1(config)#access-list 101 permit gre host 1.1.1.1 host 2.2.2.2 Binding credentials using crypto map R1(config)#crypto map vpn-map 10 ipsec-isakmp R1(config-crypto-map)#set peer 2.2.2.2 R1(config-crypto-map)#set transform-set t-set-1 R1(config-crypto-map)#match address 101 Appling the crypto map to interface R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map
Over other side we need to define exactly the same credentials of phase 1 & 2 without any change but difference in names of policies and transform-set is negligible. R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication pre-share R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto isakmp key netmetric address 1.1.1.1
R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac R1(config)#access-list 101 permit gre host 2.2.2.2 host 1.1.1.1 R3(config)#crypto map vpn-map-2 10 ipsec-isakmp R3(config-crypto-map)#set peer 1.1.1.1 R3(config-crypto-map)#set transform-set t-set-2 R3(config-crypto-map)#match address 101 R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map-2
Netmetric CCNP Security Workbook 2.0 Verification Generating Interesting Traffic R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 1.1.1.1 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms R1#sh crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: vpn-net, local addr 1.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0) current_peer 2.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pktscompr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2 path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0 current outbound spi: 0x0(0) R1#sh crypto session Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 2.2.2.2 port 500 IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active IPSEC FLOW: permit gre 1.1.1.1/255.255.255.255,2.2.2.2/255.255.255.255
LAB - 7 GRE Over IPSec VPN with IPSec Profiles
Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their public IP address as peer address to each other. R1(config)#interface tunnel 0 R1(config-if)#ip add 6.6.6.1 255.0.00.0 R1(config-if)#tunnel source 1.1.1.1 R1(config-if)#tunnel destination 2.2.2.2 R1(config-if)#tunnel key 123456 Configure the following configuration over other side device as well R2(config)#interface tunnel 123 R2(config-if)#ip add 6.6.6.32255.0.00.0 R2(config-if)#tunnel source FastEthernet 0/0 R2(config-if)#tunnel destination 1.1.1.1 R2(config-if)#tunnel key 123456 R1#ping 6.6.6.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms R3#ping 6.6.6.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms
Task 2 : Route the traffic of both side local LAN using Dynamic routing Protocol EIGRP via tunnel to make the local LAN reachable. we need to advertise the tunnel address as common address between peers R1(config)#router eigrp 100 R1(config-router)#net 11.0.0.0 R1(config-router)#net 6.0.0.0 !! Do not Advertise Physical networks in Dynamic Routing R3(config)#router eigrp 100 R3(config-router)#network 33.0.0.0 R3(config-router)#network 6.0.0.0 As soon routes are added in routing table local LAN will be Reachable R1#show ip route C D C C S* 1.0.0.0/8 is directly connected, FastEthernet0/0 33.0.0.0/8 [90/297372416] via 6.6.6.2, 00:03:02, Tunnel0 6.0.0.0/8 is directly connected, Tunnel0 11.0.0.0/8 is directly connected, Loopback0 0.0.0.0/0 [1/0] via 1.1.1.2
R3#show ip route C C C D S* 2.0.0.0/8 is directly connected, FastEthernet0/0 33.0.0.0/8 is directly connected, Loopback0 6.0.0.0/8 is directly connected, Tunnel0 11.0.0.0/8 [90/297372416] via 6.6.6.1, 00:01:19, Tunnel0 0.0.0.0/0 [1/0] via 2.2.2.1
R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
Task 3 : Protect The GRE tunnel which is created between Host 1.1.1.1 and 2.2.2.2 using IPSec Profile. Defining ISAKMP Policy which is also called as phase 1 parameters of VPN R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication pre-share R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we need to define a shared secret key on both side in this lab scenario netmetric is the shared key R1(config)#crypto isakmp key netmetric address 2.2.2.2 This Concludes Phase 1 Configuration Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit As per task we are supposed to use IPSEC PROFILE to protect the traffic of tunnel thus creating an IPSec Profile. An IPSec Profile is a replacement of crypto-map which is used to apply a security policy only for tunnel interfaces, An IPSec Profile doesn't need any access-list or peer address R1(config)#crypto ipsec profile demo-profile R1(ipsec-profile)#set transform-set t-set-1
IPSec Profiles are applied on directly Tunnel Interface and they secure every traffic passing through that tunnel R1(config)#interface tunnel 0 R1(config-if)#tunnel protection ipsec profile demo-profile
R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication pre-share R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto isakmp key netmetric address 1.1.1.1
R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac R3(config)#crypto ipsec profile demo-profile R3(ipsec-profile)#set transform-set t-set-1
IPSec Profiles are applied on directly Tunnel Interface and they secure every traffic passing through that tunnel R3(config)#interface tunnel 0 R3(config-if)#tunnel protection ipsec profile demo-profile
Netmetric CCNP Security Workbook 2.0 Verification Generating Interesting Traffic R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 1.1.1.1 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms R1#sh crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: vpn-net, local addr 1.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0) current_peer 2.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pktscompr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2 path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0 current outbound spi: 0x0(0) R1#sh crypto session Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 2.2.2.2 port 500 IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active IPSEC FLOW: permit gre 1.1.1.1/255.255.255.255,2.2.2.2/255.255.255.255
Dynamic Multipoint VPN
LAB - 8 Site-to-Site Dynamic Multipoint VPN ( DMVPN)
DMVPN is a Cisco proprietary VPN service. DMVPN make use of NHRP and MGRE as two special services to make a Dynamic VPN service successful. Next Hop Resolution Protocol (NHRP) is a special query process designed to inquire unknown address of peers MGRE is a multi-point GRE tunnel which is capable to work without a fixed tunnel destination
Its mandatory for a hub to be always on a static IP address to be reachable to spokes. A spoke either can be on static IP or on Dynamic IP Address. whenever VPN process starts from a spoke to another spoke the Query of unknown address reaches to HUB. HUB resolves the query as per it NHRP Database and back to spoke with current address using which the Peering will be formed.
LAB Topology
In Above topology Router R4 is acting as HUB, Router R1 & R3 are acting as spokes and R2 is acting as Internet Loopbacks on routers here demonstrates Local LAN of each site. Interface Configuration on Devices Device R1 R1 R2 R2 R2 R3 R3 R4 R4 Interface F0/0 Loopback F0/0 F0/1 F1/0 F0/0 Loopback F0/0 Loopback Ip Address 1.1.1.1 11.11.11.11 1.1.1.2 2.2.2.2 3.3.3.2 2.2.2.3 33.33.33.33 3.3.3.3 44.44.44.44 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on all routers Verification for routing
R1#ping 3.3.3.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms R3#ping 3.3.3.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
Task 1 : Configure Dynamic Multipoint tunnels between Router R1, R2,R3 R4 where R4 Acting as HUB and R1 and R3 are spokes do not use a static peer address or fixed tunnel destination.
configure GRE Tunnels on all the routers (HUB and Spokes both in same subnet) as the fixed tunnel destination is not allowed Make the mode of tunnel as Multipoint GRE, When a tunnel is configured in Multipoint mode its capable to be terminated on different destinations
R1(config)#interface tunnel 0 R1(config-if)#ip address 6.6.6.1 255.0.00.0 R1(config-if)#tunnel source fastEthernet 0/0 R1(config-if)#tunnel mode gre multipoint R1(config-if)#tunnel key 123456 Configure the following configuration over other side device as well with different IP address of same subnet R3(config)#interface tunnel 0 R3(config-if)#ip address 6.6.6.3 2255.0.00.0 R3(config-if)#tunnel source FastEthernet 0/0 R3(config-if)#tunnel mode gre multipoint R3(config-if)#tunnel key 123456 R4(config)#interface Tunnel 0 R4(config-if)#ip add 6.6.6.4 255.0.0.0 R4(config-if)#tunnel source FastEthernet 0/0 R4(config-if)#tunnel mode gre multipoint R4(config-if)#tunnel key 123456
Netmetric CCNP Security Workbook 2.0 Make NHRP configurations on HUB and Spokes Configuring NHRP for HUB router R4(config)#interface tunnel 0 R4(config-if)#ip nhrp network-id 123 R4(config-if)#ip nhrp map multicast dynamic
Configuring NHRP for spoke routers while configuring NHRP over spoke we need to define the Next Hop Server (NHS) which is HUB and bind the tunnel and physical IP address of HUB R1(config)#interface tunnel 0 R1(config-if)#ip nhrp network-id 123 R1(config-if)#ip nhrp nhs 6.6.6.4 R1(config-if)#ip nhrp map 6.6.6.4 3.3.3.3 R1(config-if)#ip nhrp map multicast 3.3.3.3 R3(config)#interface Tunnel0 R3(config-if)#ip nhrp network-id 123 R3(config-if)#ip nhrp nhs 6.6.6.4 R3(config-if)#ip nhrp map 6.6.6.4 3.3.3.3 R3(config-if)#ip nhrp map multicast 3.3.3.3 As we complete NHRP configuration the HUB device records all the addresses in its database R4#show ip nhrp detail 6.6.6.1/32 via 6.6.6.1, Tunnel0 created 00:14:30, expire 01:45:29 Type: dynamic, Flags: unique nat registered NBMA address: 1.1.1.1 6.6.6.3/32 via 6.6.6.3, Tunnel0 created 00:10:10, expire 01:49:49 Type: dynamic, Flags: unique nat registered NBMA address: 2.2.2.3 And when all ip addresses are registered in database all the tunnels will be reachable to each other's even without a strict tunnel destination
Netmetric CCNP Security Workbook 2.0 Verification: Connectivity between Spoke to others R1#ping 6.6.6.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.4, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/98/208 ms R1#ping 6.6.6.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/242/524 ms Connectivity between HUB and others R4#ping 6.6.6.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/176/304 ms R4#ping 6.6.6.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 68/192/268 ms
Task 2 : Configure Dynamic Routing between peers using EIGRP as routing protocols and make all the loopbacks reachable to each others R1(config)#router eigrp 100 R1(config-router)#network 11.11.11.11 R1(config-router)#network 6.0.0.0 R3(config)#router eigrp 100 R3(config-router)#network 33.33.33.33 R3(config-router)#network 6.0.0.0 R4(config)#router eigrp 100 R4(config-router)#network 44.44.44.44 R4(config-router)#network 6.0.0.0 To make the routes reachable to other spoke we need to break the split horizon on tunnel interface and disable the next hop changes on tunnel so that the routes from one spoke should reach to other spokes without any change R4(config)#interface tunnel 0 R4(config-if)#no ip split-horizon eigrp 100 R4(config-if)#no ip next-hop-self eigrp 100 Verification R3#show ip route C 2.0.0.0/8 is directly connected, FastEthernet0/0 C 33.0.0.0/8 is directly connected, Loopback0 C 6.0.0.0/8 is directly connected, Tunnel0 D 11.0.0.0/8 [90/310172416] via 6.6.6.1, 00:25:46, Tunnel0 D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:25:53, Tunnel0 S* 0.0.0.0/0 [1/0] via 2.2.2.2 R1#sh ip route C 1.0.0.0/8 is directly connected, FastEthernet0/0 D 33.0.0.0/8 [90/310172416] via 6.6.6.3, 00:26:57, Tunnel0 C 6.0.0.0/8 is directly connected, Tunnel0 C 11.0.0.0/8 is directly connected, Loopback0 D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:27:05, Tunnel0 S* 0.0.0.0/0 [1/0] via 1.1.1.2
Task 3 : Protect The tunnels which is created between HUB and Spokes using IPSec Profile.
R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication pre-share R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we need to define a shared secret key , on all devices key word netmetric is the shared key with the address 0.0.0.0 as address is not fixed . R1(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0 R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile demo-profile R1(ipsec-profile)#set transform-set t-set-1
R1(config)#interface tunnel 0 R1(config-if)#tunnel protection ipsec profile demo-profile
Netmetric CCNP Security Workbook 2.0 Repeat the steps with other devices as well R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication pre-share R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0 R3(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
R3(config)#interface tunnel 0 R3(config-if)#tunnel protection ipsec profile demo-profile ===================================================================================== R4(config)#crypto isakmp enable R4(config)#crypto isakmp policy 10 R4(config-isakmp)#encryption 3des R4(config-isakmp)#authentication pre-share R4(config-isakmp)#group 2 R4(config-isakmp)#hash md5 R4(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0 R4(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
R4(config)#interface tunnel 0 R4(config-if)#tunnel protection ipsec profile demo-profile
Netmetric CCNP Security Workbook 2.0 Verification: R4#sh crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 2.2.2.3 3.3.3.3 QM_IDLE 1002 0 ACTIVE 1.1.1.1 3.3.3.3 QM_IDLE 1001 0 ACTIVE R3#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 2.2.2.3 3.3.3.3 QM_IDLE 1002 0 ACTIVE 1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE R1#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE 1.1.1.1 3.3.3.3 QM_IDLE 1002 0 ACTIVE R1#ping 33.33.33.33 source loopback 0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 228/236/244 ms R3#ping 11.11.11.11 source 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds: Packet sent with a source address of 33.33.33.33 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 236/290/336 ms R3#traceroute 11.11.11.11 Type escape sequence to abort. Tracing the route to 11.11.11.11 1 6.6.6.1 360 msec * 140 msec
Remote Access VPN Router as Server
LAB - 9 Remote Access VPN Router as Server (Easy VPN)
When a user gets connected an IP Address needs to be assigned to the user to make him part of LAN Distinguished rules can be configured for each group of users using ISAKMP Client Groups AAA must be used to make the VPN User authentication. Only VPN server is to be configured with all the VPN configurations client doesnt need any specific VPN configs
Its mandatory for a vpn server to be always on a static IP address to be reachable from anywhere on internet. VPN Initiation can be done only by clients using an Application called Cisco VPN Client
LAB Topology
In Above topology Router R1 is acting as VPN Server and RouterR2 is Internet to make the connectivity between networks. Loopback1 on router R1 here demonstrates Local LAN. Interface Configuration on Devices Device R1 R1 R2 R2 R3 R3 PC Interface F0/0 Loopback F0/0 F0/1 F0/0 Loopback NIC Ip Address 1.1.1.1 11.11.11.11 1.1.1.2 2.2.2.1 2.2.2.2 33.33.33.33 2.2.2.3 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
C:\>ping 1.1.1.1 Pinging 1.1.1.1 with 32 bytes of data: Reply from 1.1.1.1: bytes=32 time=232ms TTL=45 Reply from 1.1.1.1: bytes=32 time=231ms TTL=45 Reply from 1.1.1.1: bytes=32 time=230ms TTL=45 Reply from 1.1.1.1: bytes=32 time=229ms TTL=45 Ping statistics for 1.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 229ms, Maximum = 232ms, Average = 230msR3
R3#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
Task 1 : Configure Router R1 as a Easy VPN server. Create a Group of Users "Sales" and secure the access of 11.0.0.0/8 subnet for them. Configure Basic ISAKMP Credentials for key Exchange process R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encr 3des R1(config-isakmp)# hash md5 R1(config-isakmp)#authentication pre-share R1(config-isakmp)# group 2 No need to define a specific pre-share key as the authentication is desired by using username and password Define IPSec Transform Set R1(config)#crypto ipsec transform-set t-set esp-3des esp-sha-hmac As VPN Authentication is desired by using user accounts AAA Services need to configured with ISAKMP Enabling AAA services on router and creating a new authentication and authorization methods R1(config)#aaa new-model R1(config)#aaa authentication login vpn-users local R1(config)#aaa authorization network vpn-groups local As the Authentication is set to Local creating a new user account on local Database R1(config)#username user1 password 0 cisco123 Interesting traffic to secured can be define in an Access-list which is termed as Split Access-list R1(config)#access-list 109 permit ip 11.0.0.0 0.255.255.255 any A pool of IP needs to defined from where the Address is allocated to remote devices R1(config)#ip local pool vpn 10.1.1.1 10.1.1.50
Creating Group for VPN clients where all the credentials defined for client are configured R1(config)#crypto isakmp client configuration group Sales R1(config-isakmp-group)# key ciscoabc R1(config-isakmp-group)# pool vpn R1(config-isakmp-group)# acl 109 A normal crypto map makes peer address definition as a mandatory credential as we do not mention any specific peer address we make a dynamic crypto map which is capable of working without Peer as well. R1(config)#crypto dynamic-map d-map 10 R1(config-crypto-map)#set transform-set t-set R1(config-crypto-map)#reverse-route As the dynamic crypto map cannot be applied over interface directly bind the dynamic map with a Normal Crypto map R1(config)#crypto map mymap 1 ipsec-isakmp dynamic d-map Bind the AAA and VPN configuration in Crypto map R1(config)#crypto map mymap client authentication list vpn-users R1(config)#crypto map mymap isakmp authorization list vpn-groups R1(config)#crypto map mymap client configuration address respond Apply the map to interface connected to internet i.e FastEthernet 0/0 R1(config)#interface FastEthernet0/0 R1(config-if)# crypto map mymap
Task 2 : Configure PC as a VPN client of Router R1 and Verify the IP Address Assigned and connectivity
Download and Install Cisco VPN Client Software Select New option and define all your credentials required to be authenticate
Netmetric CCNP Security Workbook 2.0 Select the connection Entry Created and Connect to it
as soon as Connection Initiate the User Authentication Prompt Pops-up
After Successful Authentication VPN Gets Connected and Status of VPN Can be verified in status tab in Statistics options
IP Address Assigned to Client is 10.1.1.5
To check the secured LAN details select Tab: Route Details
R1#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src 1.1.1.1 2.2.2.3
state QM_IDLE
conn-id 1001
slot status 0 ACTIVE
Task 3 : Configure Router R3 as a VPN client of Router R1 to secure the communication of lacal LAN of R3 and R1 (Loopbacks)and Verify the IP Address Assigned and connectivity Define the VPN client configuration on Router R3 with all the same user credentials R3(config)#crypto ipsec client ezvpn ez-remote R3(config-crypto-ezvpn)# connect auto R3(config-crypto-ezvpn)# group Sales key ciscoabc R3(config-crypto-ezvpn)# mode client R3(config-crypto-ezvpn)# peer 1.1.1.1 R3(config-crypto-ezvpn)# username user1 password cisco123 Apply crypto map on both the interfaces Interface on which Local LAN traffic is inbound to router Apply it on as inside R3(config)#interface Loopback0 R3(config-if)#crypto ipsec client ezvpn ez-remote inside Interface through which router is connected to internet Apply as outside R3(config)#interface FastEthernet0/0 R3(config-if)#crypto ipsec client ezvpn ez-remote outside
Netmetric CCNP Security Workbook 2.0 Verification: To Verify Assigned Address on Router R3#show ip interface brief Interface IP-Address FastEthernet0/0 2.2.2.2 FastEthernet0/1 unassigned NVI0 unassigned Loopback0 33.33.33.33 Loopback1 10.1.1.3
OK? YES YES NO YES YES
Method manual unset unset manual manual
Status up administratively down up up up
Protocol up down up up up
To Verify the Connectivity between Loopbacks R3#ping 11.11.11.11 source 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds: Packet sent with a source address of 33.33.33.33 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 92/140/184 ms Verification of VPN Establishment at Client Router R3#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src 1.1.1.1 2.2.2.2
state QM_IDLE
conn-id 1002
slot status 0 ACTIVE
Verification of VPN Establishment at Server Router R1#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src 1.1.1.1 2.2.2.3 1.1.1.1 2.2.2.2
state QM_IDLE QM_IDLE
conn-id 1001 1002
slot status 0 ACTIVE 0 ACTIVE
Netmetric CCNP Security Workbook 2.0 R3#show crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: FastEthernet0/0-head-0, local addr 2.2.2.2
protected vrf: (none) local ident (addr/mask/prot/port): (10.1.1.3/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 1.1.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 current outbound spi: 0x47AC3BBD(1202469821)
Remote Access VPN - ASA as Server
LAB - 10 Remote Access VPN ASA as Server (Easy VPN)

LAB Topology
In Above topology ASA is acting as VPN Server and RouterR2 is Internet to make the connectivity between networks. Router R1 here demonstrates Local LAN. Interface Configuration on Devices Device ASA ASA R1 R2 R2 PC Interface G0 G1 F0/0 F0/0 F0/1 NIC Ip Address 1.1.1.1 11.11.11.10 11.11.11.11 1.1.1.2 2.2.2.1 2.2.2.3 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on ASA as well as PC Verification for routing
Netmetric CCNP Security Workbook 2.0 Task 1 : Configure ASA as a Easy VPN server. Enable Isakmp IKEv1 and configure its credentials ciscoasa(config)#crypto ikev1 enable outside ciscoasa(config)#crypto ikev1 policy 10 ciscoasa(config-ikev1-policy)# authentication pre-share ciscoasa(config-ikev1-policy)# encryption 3des ciscoasa(config-ikev1-policy)# hash sha ciscoasa(config-ikev1-policy)# group 2 ciscoasa(config-ikev1-policy)# lifetime 36000
Define an IPSec Transform Set ciscoasa(config)#crypto ipsec ikev1 transform-set t-set esp-3des esp-sha-hmac Defining Pool of IP Address to be allocated to clients ciscoasa(config)#ip local pool demo-pool 10.1.1.1-10.1.1.50 Creating User Account for VPN Access ciscoasa(config)#username user1 password cisco123
Creating a VPN Group by name Ra-ASA and defining there attributes ciscoasa(config)#tunnel-group Ra-ASA type remote-access ciscoasa(config)#tunnel-group Ra-ASA general-attributes ciscoasa-site-A(config-tunnel-ipsec)# address-pool demo-pool ciscoasa(config)#tunnel-group Ra-ASA ipsec-attributes ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
Binding all the credentials with a crypto map
ciscoasa(config)#crypto dynamic-map d-map1 1 set ikev1 transform-set t-set ciscoasa(config)#crypto dynamic-map d-map1 1 set reverse-route ciscoasa(config)#crypto map mymap 1 ipsec-isakmp dynamic d-map1 Applying the Crypto Map over Interface ciscoasa(config)#crypto map mymap interface outside
Netmetric CCNP Security Workbook 2.0 Task 2: Configure PC to be VPN client for ASA.
Netmetric CCNP Security Workbook 2.0 Verification: ciscoasa(config)# show crypto isakmp sa IKEv1 SAs:
Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 2.2.2.3 Type : user Role : responder Rekey : no State : AM_ACTIVE
ciscoasa(config)# show crypto ipsec sa interface: outside Crypto map tag: d-map1, seq num: 1, local addr: 1.1.1.1 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0) current_peer: 2.2.2.3, username: user1 dynamic allocated peer ip: 10.1.1.1 #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.3/0 path mtu 1500, ipsec overhead 58, media mtu 1500 current outbound spi: 27287AB7 current inbound spi : FBD9BDEF
Netmetric CCNP Security Workbook 2.0 Reverse Route Added in ASA routing table ciscoasa(config)# show route Gateway of last resort is 1.1.1.2 to network 0.0.0.0 C S C S* 1.0.0.0 255.0.0.0 is directly connected, outside 10.1.1.1 255.255.255.255 [1/0] via 1.1.1.2, outside 11.0.0.0 255.0.0.0 is directly connected, inside 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, outside
To view protocol specific results ciscoasa# show crypto protocol statistics ikev1 [IKEv1 statistics] Encrypt packet requests: 86 Encapsulate packet requests: 86 Decrypt packet requests: 140 Decapsulate packet requests: 140 HMAC calculation requests: 147 SA creation requests: 3 SA rekey requests: 0 SA deletion requests: 2 Next phase key allocation requests: 6 Random number generation requests: 95 Failed requests: 0 ciscoasa# show crypto protocol statistics ipsec [IPsec statistics] Encrypt packet requests: 4 Encapsulate packet requests: 4 Decrypt packet requests: 4 Decapsulate packet requests: 4 HMAC calculation requests: 4 SA creation requests: 6 SA rekey requests: 0 SA deletion requests: 4 Next phase key allocation requests: 0 Random number generation requests: 3 Failed requests: 0
Client Less SSL VPN - IOS CLI
LAB - 11 Client Less SSL VPN- Router as Server (CLI)
SSL Works on TCP port number 443 Initially Introduced by Netscape later introduced as standard VPN Protocol by Name TLS(Transport Layer Security) It provides security from Transport Layer (i.e. layer 4 ) to Application Layer (i.e. layer 7) Authentication happens only based on digital certificates. pre-share authentication is not supported. When SSL VPN is configured to establish using only a web Browser and no other application is required its called as Client-Less SSL VPN Only web enabled services like HTTP,FTP and Email are supported Over an Client Less SSL VPN
Its mandatory for a vpn server to be always on a static IP address to be reachable from anywhere on internet. VPN Initiation can be done only by clients using a web browser
Netmetric CCNP Security Workbook 2.0 LAB Topology
In Above topology Router R1 is acting as SSL VPN Server , RouterR2 is Internet to make the connectivity between networks and PC is our client with a browser. Loopback1 on router R1 here demonstrates Local LAN.
Interface Configuration on Devices Device R1 R1 R2 R2 PC Interface F0/0 Loopback F0/0 F0/1 NIC Ip Address 1.1.1.1 11.11.11.11 1.1.1.2 2.2.2.1 2.2.2.3 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on all routers
Verification for routing

Task 1 : Configure Router R1 as a SSL VPN server and enable the SSL service on IP Address 1.1.1.1 with port number 443 SSL VPN configuration is mainly divided into two parts 1. Configuring Gateway 2. Configuring Context Gateway define the interface and the ports where the SSL services are supposed to be enabled and by default all the newly created gateways will be in disabled mode which can has to be enabled manuallu using "insiervice" Creating and Enabling SSL Gateway R1(config )#webvpn gateway ssl_gw R1(config-webvpn-gateway)# ip address 1.1.1.1 port 443 R1(config-webvpn-gateway)# inservice Context define the user policy and the environment of SSL VPN. Creating a Context and defining the web page properties of that context. R1(config )#webvpn context ssl_ctx R1(config-webvpn-context)# title "Netmetric-Infosolutions" R1(config-webvpn-context)# title-color green R1(config-webvpn-context)# gateway ssl_gw R1(config-webvpn-context)# inservice
Creating a user account for SSL access as authentication is mandatory and by default its set to local authentication R1(config )#username user1 password cisco123
Netmetric CCNP Security Workbook 2.0 Verification: Open Browser and enter the url as http://1.1.1.1
As we do not have any digital certificate issued by Certificate authorities a warning is posted don't worry and select proceed anyways
Netmetric CCNP Security Workbook 2.0 Enter the user credentials when prompted then Login
Once authenticated successfully we get default SSL Page where we are allowed enter the desired URL to communicate the local LAN
Task 2 : Modify Existing SSL VPN connection and provide users a login banner and Bookmark list on SSL VPN Web Page to ease the access of local services. URL list can be defined under context configuration R1(config-webvpn-gateway)#webvpn context ssl_ctx R1(config-webvpn-context)#url-list "Servers" R1(config-webvpn-url)#Heading "Business Servers" R1(config-webvpn-url)#url-text Server1 url-value http://11.11.11.11 R1(config-webvpn-url)#url-text Server2 url-value http://17.14.12.34 R1(config-webvpn-url)#exit
Newly created URL List can be applied to users by associating it to default group policy not only URL List but also the banner can be defined in Policy it self R1(config-webvpn-context)#policy group demo_ssl R1(config-webvpn-group)#url-list "Servers" R1(config-webvpn-group)#banner "Welcome to Netmetric Solutions" R1(config-webvpn-group)#exit
Making the policy created as default policy so that it should be applied to all users R1(config-webvpn-context)#default-group-policy demo_ssl
Netmetric CCNP Security Workbook 2.0 Verification:
Netmetric CCNP Security Workbook 2.0 Banner message will be displayed as login succeeds
URL List which is defined under policy is on web page after Login
Task 3 : Imagine a Tacacs+ server on address 11.11.11.49, Configure SSL Server to authenticate users using that Tacacs+ server. Enable AAA services and define address of Tacacs server R1(config)#aaa new-model R1(config)#tacacs-server host 11.11.11.49 key ciscot Define a new authentication method with Tacacs option R1(config)#aaa authentication login ssl-auth group tacacs+
Call the authentication method in web VPN Context R1(config)#webvpn context ssl_ctx R1(config-webvpn-context)#aaa authentication list ssl-auth
LAB - 12 Client Less SSL VPN- Router as Server (GUI)

LAB Topology
In Above topology Router R1 is acting as SSL VPN Server , RouterR2 is Internet to make the connectivity between networks and PC is our client with a browser. Loopback1 on router R1 here demonstrates Local LAN.
Interface Configuration on Devices Device R1 R1 R2 R2 PC Interface F0/0 Loopback F0/0 F0/1 NIC Ip Address 1.1.1.1 11.11.11.11 1.1.1.2 2.2.2.1 2.2.2.3 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
Task 1 : Configure Router R1 as a SSL VPN server and enable the SSL service on IP Address 1.1.1.1 with port number 443 using Cisco Configuration Professional
Select Configure
Select SSL VPN Manager
Select 1
Select 2
Configure Prerequisite before getting started with SSL VPN
Netmetric CCNP Security Workbook 2.0 Enable AAA and generate Self signed certificate
Netmetric CCNP Security Workbook 2.0 After completing Prerequisite starting WebVPN Wizard
Its Optional to enable Secure SDM access requires only if in future you plan to use SDM through same interface.
Netmetric CCNP Security Workbook 2.0 Select Authentication method for users in following options
Select ADD if some more users are desired
Following step allows to configure Bookmark List (URL-LIST) for users
As we are working with client-less SSL VPN no need to enable full tunnel support thus deselect option
Netmetric CCNP Security Workbook 2.0 Select Webpage design from drop down themes
As you select finish you are done by making a SSL VPN
Netmetric CCNP Security Workbook 2.0 Verification:
Clientless SSL VPN - ASA
LAB - 13 Clientless SSL VPN ASA as Server (WebVPN)

LAB Topology
In Above topology ASA is acting as SSL VPN Server and RouterR2 is Internet to make the connectivity between networks. Router R1 here demonstrates Local LAN. Interface Configuration on Devices Device ASA ASA R1 R2 R2 PC Interface G0 G1 F0/0 F0/0 F0/1 NIC Ip Address 1.1.1.1 11.11.11.10 11.11.11.11 1.1.1.2 2.2.2.1 2.2.2.3 Subnet 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0 255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on ASA as well as PC Verification for routing
Netmetric CCNP Security Workbook 2.0 Task 1 : Configure ASA as a SSL VPN Server. Get Started with ASDM Goto tab: Wizards>VPN Wizards> select : Clientless SSL VPN Wizard
A simple six step Wizard help to Configure a SSL VPN
Define Connecion Profile name selectthe interface on which SSL Services are to initiated
Select the user authentication method and modify the user account database
Either go for a creation of new policy or modify the existing policy which comes by default
The Bookmark List visible for users can be modified and whatever bookmark is created here will be available after successful login of user
Adding a Bookmark LIst by name Local_servers and adding some bookmarks by name Server1 and Server2
Conclude the VPN configuration by Hitting Finish
Netmetric CCNP Security Workbook 2.0 Verification: Login to the ASA with the defines URL in SSL Profile https://1.1.1.1/vpn
A warning is issued by browser as its not a trusted digital certificate
Netmetric CCNP Security Workbook 2.0 Login using the user credentials
Basic SSL VPN Page seen on ASA based VPN with a web Bookmark list
Select Server1to go to that address
Netmetric CCNP Security Workbook 2.0 Monitoring of SSL VPN Select Monitoring > VPN >VPN Statistics > Sessions
Filter can be set to view only Clientless SSL VPN Sessions
Netmetric CCNP Security Workbook 2.0 Double Click Session to get a full view of session details
Cisco IOS Classic Firewall
LAB 1 Classic IOS Firewall (CBAC)

When you say you are working with ACLs it means you are filtering the traffic on the basis of their names(i.e. IP Addresses) or services and more over you cannot configure ACL to be such intelligent that it should identify the originator of traffic and reply traffic. To make the packet filtering more enhanced we came up with Context-based access control (CBAC) it intelligently filters TCP and UDP packets based on application layer protocol session information.in CBAC we dont work with IP Addresses now we allow or deny the services from inside to o utside or vise-versa. And even CBAC maintains a state table in which it makes the record of traffic going out of interface and depending on that it will allow the incoming traffic
Interface Configuration
Device Outside DMZ CBAC-FW PC Interface Fast Ethernet 0/0 Fast Ethernet 0/0 Fast Ethernet 0/0 Fast Ethernet 0/1 Fast Ethernet 1/0 NIC IP Address 2.2.2.2 3.3.3.3 1.1.1.1 (Connected to PC) 2.2.2.1 (Connected to outside) 3.3.3.1 (Connected to DMZ) 1.1.1.2
Configure RIP on All Devices and advertise all connected network to make reachability
Task 1:
We want to make sure that an INSIDER can Access Outside network as well as DMZ An Outsider Cant access inside network but can access DMZ network And DMZ Cant access any network both Inside and Outside
Steps to configure: Use any routing protocol to make networks reachable we are using rip in this case Block all the inbound traffic for private or local network Allow traffic to only DMZ Network from outside Create an inspection rule depending on the interesting traffic for each interface Apply the inspection rule on the respective interfaces
By using a simple block statement in access-list we are denying all the traffic for inside network from other networks CBAC-FW(config)#access-list 101 deny ip any any CBAC-FW(config)#int f 0/0 CBAC-FW(config-if)#ip access-group 101 OUT Now when all the traffic is blocked from other network to inside network then even the reply traffic for the queries done from inside network is blocked To allow that reply traffic we are making an inspection rule with desired protocols and services to be inspected and maintain a state table CBAC-FW(config)#ip inspect name my-cbac tcp CBAC-FW(config)#ip inspect name my-cbac icmp CBAC-FW(config)#ip inspect name my-cbac udp With the above commands we are starting to maintain the state table for tcp, udp and icmp now we will apply this inspection rule on the interface which is connected to outside CBAC-FW(config)#int f 0/1 CBAC-FW(config-if)#ip inspect my-cbac out Now we dont want DMZ to interact with any network CBAC-FW(config)#access-list 102 deny ip any any CBAC-FW(config)#interface FastEthernet1/0 CBAC-FW(config-if)#ip access-group 102 in But we want outside network should be able to communicate with dmz so create a separate inspection for that traffic
Netmetric CCNP Security Workbook 2.0 CBAC-FW(config)#ip inspect name cbac-dmz http CBAC-FW(config)#ip inspect name cbac-dmz telnet CBAC-FW(config)#ip inspect name cbac-dmz icmp
Apply that inspection rule on the interface in outbound direction on which DMZ is connected CBAC-FW(config)#interface FastEthernet1/0 CBAC-FW(config-if)# ip inspect cbac-dmz out
From outside allow only the specific traffic which is meant for the DMZ network and block all the rest traffic CBAC-FW(config)#access-list 103 permit ip any host 3.3.3.3 CBAC-FW(config)#access-list 103 deny ip any any CBAC-FW(config)#interface FastEthernet0/1 CBAC-FW(config-if)#ip access-group 103 in The traffic which is generated from inside is allowed to go to outside network and reply is allowed to come back
From outside the connection is not successful to inside but its successful to DMZ Outside>ping 1.1.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) Outside>ping 3.3.3.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/112 ms
Zone Based Firewall
Lab 2 Zone Based Policy IOS Firewall

Somehow using CBAC we succeeded to maintain the state table in our router and even configured our router to work as firewall. But very soon after working with CBAC Network Admins realized that there are few short comings in working with CBAC majorly, CBAC failed to filter the applications for specific users (i.e. you cannot configure inspection rule for set of users rules are applicable on all users) and when you are working with multiple interfaces as the number of interfaces increases the complications in implementing CBAC increases.to meet these short comings a new method of implementing Firewall has been introduced Zone Based Firewall herein we are configuring ACLs to catch interesting traffic and we are configuring a group of interfaces as a single zone and then the rules will be applied on them.
Steps to configure: Use any routing protocol to make networks reachable we are using rip in this case Create Security Zones and associate interfaces with zones Create a class map of type inspect to define the interesting traffic Create a policy map of type inspect to define the action on interesting traffic Create Zone pairs to define the source and destination of traffic
Interface Configuration
Device Outside DMZ ZBF PC Interface Fast Ethernet 0/0 Fast Ethernet 0/0 Fast Ethernet 0/0 Fast Ethernet 0/1 Fast Ethernet 1/0 NIC IP Address 2.2.2.2 3.3.3.3 1.1.1.1 (Connected to PC) 2.2.2.1 (Connected to outside) 3.3.3.1 (Connected to DMZ) 1.1.1.2
We are implementing the same typical DMZ network Setup here what we did in previous lab
Zone Based Firewall
First of all we are configuring RIP on all devices to advertise all networks and making all the three networks reachable from every one
Check the Reachability from each device to each device then proceed with configuration
Unlike CBAC where I implement the rules depending on the interfaces here I want to implement the rules on the group of interfaces which I call as a zone, as per our requirement I am creating three zones named DMZ, OUTSIDE and INSIDE ZBF(config)#zone security INSIDE ZBF(config-sec-zone)#exit ZBF(config)#zone security OUTSIDE ZBF(config-sec-zone)#exit ZBF(config)#zone security DMZ ZBF(config-sec-zone)#exit After Creating of Security zones there will be no change in the behavior of device then you associate those zones with interfaces ZBF(config)#int f 0/0 ZBF(config-if)#zone-member security INSIDE ZBF(config)#int f 0/1 ZBF(config-if)#zone-member security OUTSIDE ZBF(config-if)#int f 1/0 ZBF(config-if)#zone-member security DMZ
Remember that as soon as we associate those zones with interfaces the communication within all the zones will be blocked and no two interfaces belongs to different zones can communicate neither an unzone interface (interface which is not associated with any zone) can communicate to a zoned interface but two interfaces which belongs to same zone and even the two interfaces which are unzone can communicate with each other. Now we need to create a class map of type inspect to identify the interesting traffic. Before defining interesting traffic in class-map we need to create an access list to define source and destination of desired inspection traffic and even we need to define the protocol which we want to inspect ZBF(config)#access-list 101 permit ip any any ZBF(config)#class-map type inspect c-map-1 ZBF(config-cmap)#match access-group 101 ZBF(config-cmap)#match protocol icmp
Zone Based Firewall
After defining the traffic in class map now its time to define the action on the interesting traffic for that we need to create a policy map of type inspect then call the class of interesting traffic. In that class define the desired action. As per our requirement we need inspection to be done on our traffic so we are defining inspect as our action. ZBF(config)#policy-map type inspect p-map-1 ZBF(config-pmap)#class c-map-1 ZBF(config-pmap-c)#inspect Now the only left out task is to apply that policy map and to define the source and the destination of our traffic this is done by configuring zone-pairs ZBF(config)#zone-pair security allow-in-out source INSIDE destination OUTSIDE ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1 ZBF(config-sec-zone-pair)#exit With this task our insiders can access outside network now but outsiders cant access inside as we defined source to be INSIDE and destination to be OUTSIDE. Remember that this zone pair works unidirectional only As we want insiders to access DMZ as well and even we want outsiders to access DMZ so we need to create two more zone pairs with respective source and destinations ZBF(config)#zone-pair security allow-in-dmz source INSIDE destination DMZ ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1 ZBF(config-sec-zone-pair)#exit ZBF(config)#zone-pair security allow-out-dmz source OUTSIDE destination DMZ ZBF(config-sec-zone-pair)##service-policy type inspect p-map-1 ZBF(config-sec-zone-pair)#exit
Netmetric CCNP Security Workbook 2.0 Verification Beginning from outside I am pinging to inside and DMZ OUTSIDE>ping 1.1.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) OUTSIDE>ping 3.3.3.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/80 ms
Zone Based Firewall
We can observe from above that as per our requirement outsider can visit DMZ but cannot Visit INSIDE network. Now lets make a connection from DMZ DMZ#ping 1.1.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) DMZ#ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
DMZ is not allowed to visit either INSIDE or OUTSIDE network
Netmetric CCNP Security Workbook 2.0 But An Insider can visit both the other networks DMZ and OUTSIDE
Zone Based Firewall
By this we Achieved our desired Network Security
Basic Sensor Initialization
LAB 1 Basic Sensor Initialization

An Intrusion Prevention System has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources An Intrusion Prevention / Detection system is an advanced filtering device dedicated to filter the content of network up to layer 7 which is not only capable to filter on basis of content but also the structure of the packet. The most common method of filtering traffic over a sensor is using signatures . where signature can be defined as pre defined pattern or structure of malicious traffic.
A Sensor is a layer 2 device placed mostly behind firewall and configured to filter the malicious traffic in inbound and outbound directions of network Basic Configuration of sensor can be done by Command Line Interface through console port to initiate the sensor and its services.
Task 1 : Initiate the sensor and configure the basic services and interface configurations as following options.
Host Name Ip Address Subnet Mask Default Gateway Https port Telnet Permitted Host NMSIPS 10.1.1.10 255.0.0.0 10.1.1.1 443 Enabled 10.0.0.0 255.0.0.0
Step 1 Connect IPS Console port to Com port of computer using a Console Cable to access the CLI of Device
Step 2 Open a terminal Emulator application like Hyper terminal or putty.
Netmetric CCNP Security Workbook 2.0 Step 3 : Login Sensor using user credentials.
Sensor login: Cisco Password: *********** sensor#

Step 4: As sensor initializes issue the SETUP option to make basic configuration and follow the interactive mode of Sensor
sensor# setup System Configuration Dialog At any point you may enter a question mark '?' for help . User ctrlc to abort configuration dialog at any prompt . Default settings are in square brackets ' [] ' .
Current Configuration: service host networksettings hostip 192.168.1.10/24,192.168.1.1 host-name sensor telnet option disabled ftp-timeout 300 no login-banner-text exit timezone-settings offset 0 standard- time-zone name UTC exit summertime-option disabled ntpoption disabled exit service webserver port 443 exit Setup Configuration last modified: Sat Nov 24 09:37:20 2012
Continue with configuration dialog?[yes]: Yes

As the Setup command executes current configuration of device is displayed and prompt for modification of current configuration appears type YES to make changes as desired.
Enter Hostname
Continue with configuration dialog?[yes]: Yes IP Address of Enter host name [sensor] : NMSIPS Sensor Enter IP interface []; 10.1.1.10/24,10.1.1.1 Enter telnetserver status [disabled] : enabled Enter web-server port [443]; <Enter> port number on which GUI is Modify current access list? [no] yes supposed to work Current access list entries : No entries
Permit: 10.0.0.0/8
Permit: Modify system clock setting?[no]: no Modify interface/virtual sensor configuration? [No]: no Modify default threat prevention settings? [No]: no the following configuration was entered. service host networksettings hostip 10.1.1.10/24,10.1.1.1 host-name nms telnet option enabled access-list 10.0.0.0/32 ftp-timeout 300 no login-banner-text exit timezone-settings offset 0 standard- time-zone name UTC exit summertime-option disabled ntpoption disabled exit
Access-list here defines the list of users permitted to access the sensor remotely
[0] Go to the command prompt without saving this config [1] Return to setup without saving this config [2] save this configuration and exit setup Enter you selection [2]: 2 Select second option to save basic config and end setup utility -----Configuration saved--------------select desired options as per requrement
Netmetric CCNP Security Workbook 2.0 Task 2 : Initiate web access of sensor through web browser.
Step 1 : Connect the computer to Sensor via Ethernet and assign the IP Address on computer in same subnet to sensor.
C:\>ipconfig Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::79b9:ae4b:fc78:88fd%16 IPv4 Address. . . . . . . . . . . . : 10.1.1.2 Subnet Mask . . . . . . . . . . . : 255.0.0.0 Default Gateway . . . . . . . . : 10.1.1.1
Step 2: Start a browser (Internet Explorer/Firefox)
go to url (https://<ip address of sensor>) https://10.1.1.10 accept security warning message then type Username & password of your sensor when prompted.
After successful logging you should see Sensor Dashboard
IDS-Promiscuous mode of Sensor
LAB 2 Promiscuous Mode - IDS

An Intrusion Detection System has the capability to only detect misuse and abuse of, and unauthorized access to, network resources An Intrusion Detection system is always placed in offline mode or promiscuous mode where device does not have capability to drop any traffic but it informs about the misuse to administrator and Admin takes the action immediately. As IDS is not inline device it will not add any latency in network.
In Promiscuous mode, Sensor is not Placed in between the transit path of network rather its connected to switch and a copy of the traffic is sent to Sensor.
LAB Topology
Interface Configuration R1 => FastEthernet R2 =>FastEthernet 10.1.1.1 10.1.1.2
Task 1 : Configure Sensor in Promiscuous mode to work as Intrusion Detection System . A Promiscuous mode device need a copy of traffic thus always the switch in network is used to monitor the traffic and send the copy of packet from a port another. Step: 1 Enable SPAN on the switch interfaces
SW1(config)#monitor session 1 source interface fa0/1 SW1(config)#monitor session 1 destination interface fa0/23
Step: 2 On IDS Sensor
Go to configure Interfaces; Select interface on which switch is connected (e.v.Ethernet 2/0) and click enable button then Apply.
Click here
Click here
Go to configure Analysis Engine Virtual Sensor then Click vs0 and edit
Click here
Highlight Fastethernet 2/0 interface on the list and click Assign button. Then click OK and Apply the changes to the sensor
Click here
Click here
Verification:
Switch#sh monitor session 1 Session 1 --------Source Ports: RX Only: None TX Only: None Both: Fa0/1 Source VLANs: RX Only: None TX Only: None Both: None Destination Ports: Fa0/23 Filter VLANs: None
To Test it, let's simulate an attack. Ping from your PC to Router R1

C:\>ping 10.1.1.1 Pinging 10.1.1.1with 32 bytes of data: Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Ping statistics for 10.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms
Go to monitoring Events, check show past events radio button and select 1 minute. then click on view button
See the signatures Logs on the Event viewer to get logs click Refresh tab
Click here
Click here
Highlight the Event log and click Details to see more log details. Here the picture output for Event details.
Attacker student Pc IP Target Router IP aaaa aaaa
IPS-Inline mode of Sensor
LAB 3 Inline Mode - IPS

An Intrusion Prevention System has the capability to only detect misuse and abuse of, and unauthorized access to, network resources An Intrusion Prevention system is always placed in inline mode in transit path of network such that all data traffic is supposed to pass through the sensor, then it do have capability to drop any traffic and also it informs about the misuse to administrator. An IPS is inline device it will add some latency in network for traffic filtering.
In Promiscuous mode, Sensor is not Placed in between the transit path of network rather its connected to switch and a copy of the traffic is sent to Sensor.
LAB Topology
Interface Configuration R1 => FastEthernet R2 =>FastEthernet 10.1.1.1 10.1.1.2
Connect Fast Ethernet 2/0 and Fast Ethernet 2/1 of sensor to Router R1 and R2 Respectively
Task 1 : Configure Sensor in Inline mode to work as Intrusion Prevention System . Step 1 : Enable Interfaces of Sensor. Go to configuration Interface, select Fastethernet 2/0 & Fastethernet 2/1 and Enable then Apply to Sensor
Step 2 : Define a Interface Pair Go to configuration Interface configuration Select Interface Pairs Add. Then enter a name for interface pair, Select fa2/0 and 2/1 interface on the list, make some description and click on OK Apply to the sensor.
Netmetric CCNP Security Workbook 2.0 Step 3 : Associate Interface Pair with Analysis Engine
Go to configuration analysis Engine Virtual Sensors Select vs0 and click Edit select newly created interface pair {pair-1} on the list and click Assign. Then click OK and apply changes to the sensor.
2 4
Verification:
IPS-Inline VLAN mode of Sensor
LAB 4 Inline VLAN Mode - IPS

Inline interface mode of Sensor requires two dedicated interfaces for monitoring traffic but in a case we have only single interface and we are in need of inline filtering we can devide our network in VLANs and filter the traffic based on VLAN where. an Inline VLAN mode of filtering traffic divides network into two different VLANS and enforce the traffic to pass through IPS using a VLAN pairing over it. and an IPS here act as Inter VLAN Router.
Interface Configuration R1 => FastEthernet R2 =>FastEthernet Switch=> FastEthernet 0/1 Switch => FastEthernet 0/2 Connect R1- F0/1 ==> SW F0/1 R2 F0/1 to SW F0/2 10.1.1.1 10.1.1.2 VLAN10 VLAN20
Task 1 : Configure Sensor in Inline VLAN mode to work as Intrusion Prevention System . Step 1 : Configure VLANs on Switch
Switch(config)#vlan 10 Switch(config-vlan)#exit Switch(config)#vlan 20 Switch(config-vlan)#exit
Step 2 : Associate VLANs with Interfaces respectively
Switch(config)#interface range fa0/1 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 10 Switch(config)#interface range fa0/2 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 20
Step 3 : Enable Interface on Sensor
Go to configuration interface configuration Interfaces select Fastethernet 2/0 and click enable button and apply changes to the sensor
3 4
Netmetric CCNP Security Workbook 2.0 Step 4 : Create a VLAN pair
Go to configuration interface configuration Vlan pair then Click Add button.
Netmetric CCNP Security Workbook 2.0 Step 5 : Associate VLAN Pair with Analysis Engine
Go to configuration Analysis Engine Virtual sensor select vs0 virtual sensor 0 on the list and click edit. Highlight Fastethernet 2/0.1 interface on the list and click assign button. Then Click ok and apply the changes to the sensor.
1
3 2

CCNP Sec

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

CCNP Sec

Încărcat de

Drepturi de autor:

Formate disponibile

Netmetric CCNP Security Workbook 2.

LAB 1 Basic ASA Configuration

Task-1 Getting Started With ASA

IOS Version of ASA Uptime of device

Netmetric CCNP Security Workbook 2.0

Configuring Enable Password Modifying Hostname

Security Level 0 100 50

Netmetric CCNP Security Workbook 2.0

Netmetric CCNP Security Workbook 2.0

Basic ASA Initialization - II

LAB 2 Default security policy modifications and ACL in ASA

Configure a default route on both the sides pointing towards ASA

Basic ASA Initialization - II

Netmetric CCNP Security Workbook 2.0

Basic ASA Initialization - II

We can see the default inspection policy in running configuration of device

Services available by default

Netmetric CCNP Security Workbook 2.0

Basic ASA Initialization - II

Netmetric CCNP Security Workbook 2.0

Basic ASA Initialization - II

Netmetric CCNP Security Workbook 2.0

ALC and Object Groups

LAB 3 Object Groups in ACL

Configure a default route on both the sides pointing towards ASA

ALC and Object Groups

Netmetric CCNP Security Workbook 2.0

ALC and Object Groups

ALC and Object Groups

Using those object groups in access list

Service object Group

Netmetric CCNP Security Workbook 2.0

ALC and Object Groups

Netmetric CCNP Security Workbook 2.0

Time Based Access control using ACL

LAB 4 Time Based ACL

Configure a default route on both the sides pointing towards ASA

Netmetric CCNP Security Workbook 2.0

Time Based Access control using ACL

Netmetric CCNP Security Workbook 2.0

Time Based Access control using ACL

Netmetric CCNP Security Workbook 2.0

Remote Access of ASA

LAB 5 Remote Access of ASA

Netmetric CCNP Security Workbook 2.0

Remote Access of ASA

Netmetric CCNP Security Workbook 2.0

Remote Access of ASA

Netmetric CCNP Security Workbook 2.0

Remote Access of ASA

Netmetric CCNP Security Workbook 2.0

Remote Access of ASA

Open a Browser from computer and go to Url=https://10.1.1.10

Netmetric CCNP Security Workbook 2.0

Remote Access of ASA

Select Proceed anyways and then Install ASDM Launcher

Netmetric CCNP Security Workbook 2.0

Remote Access of ASA

And ASDM loads successfully

Netmetric CCNP Security Workbook 2.0

Remote Access of ASA

Netmetric CCNP Security Workbook 2.0