INDEX
Module 01: Configuring IOS Firewall
  Lab 01: Classic IOS Firewall (CBAC)
  Lab 02: Zone Based Policy IOS Firewall (ZFW)
Module 02: ASA
  Lab 01: Firewall Contexts
  Lab 02: Failover - Active/Standby
  Lab 03: Failover - Active/Active
www.netmetric-solutions.com
LAB 01
Classic IOS Firewall (CBAC)
Topology: Host A --- f0/1 R1 f0/0 --- f0/0 Internet (External Network)
Task 1:
Configure the interfaces with the following information:

Host        Interface   IP Address
R1          f0/0        192.168.1.1/24
R1          f0/1        10.0.1.1/24
Internet    f0/0        192.168.1.2/24
Host A      ethernet    10.0.1.10/24
Task 2:
Configure CBAC on router R1 to inspect icmp, telnet, ftp, http, smtp, tcp, udp, and dns traffic going from Host A to Internet.
Task 3:
Verify the CBAC configured on R1 by initiating the respective traffic between Host A and the Internet router.
Task 1:
Configure the interfaces with the following information.
Step1: Configure the initial configs on Router R1 as per the table.
R1#configure terminal
R1(config)#interface f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface f0/1
R1(config-if)#ip address 10.0.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
Step2: Configure the initial configs on Router Internet as per the table.
Internet#configure terminal
Internet(config)#interface f0/0
Internet(config-if)#ip address 192.168.1.2 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
Task 2:
Configure CBAC on router R1 to inspect icmp, telnet, ftp, http, smtp, tcp, udp and dns traffic going from Host A to the Internet.
Step1: Configure the inspection rule named myfw on R1, one "ip inspect name myfw <protocol>" entry per protocol (icmp, telnet, ftp, http, smtp, tcp, udp and dns). The protocol-specific entries (ftp, http, smtp, telnet, dns) give application-layer inspection; the generic tcp and udp entries catch everything else. The timeouts shown are idle timeouts: a TCP session entry survives 3600 seconds without traffic, udp and dns entries 30 seconds, icmp entries 10 seconds.
R1#show ip inspect name myfw
Inspection name myfw
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    telnet alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
    ftp alert is on audit-trail is off timeout 3600
    http alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    dns al
ert is on audit-trail is off timeout 30
Step5: Apply ACL 101 and the inspection rule myfw to the R1 interfaces. ACL 101 is the access list that blocks traffic arriving from the external network; CBAC adds temporary entries ahead of it for the return traffic of the sessions it has inspected, so Host A's own connections work while unsolicited inbound connections are dropped. The inspection rule can sit on either interface as long as the direction is right:
NOTE:
Apply CBAC inspection to inbound traffic when configuring CBAC on an internal interface. Apply CBAC inspection to outbound traffic when configuring CBAC on an external interface.
Here it is applied inbound on the internal interface f0/1:
R1#show ip inspect interfaces
Interface Configuration
 Interface FastEthernet0/1
  Inbound inspection rule is myfw
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    telnet alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
    ftp alert is on audit-trail is off timeout 3600
    http alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
Task 3:
Verify the CBAC configured on R1 by initiating the respective traffic between Host A and the Internet router.
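What Task 3 should show can be traced with a small model of CBAC's session table. The Python below is an added example, not part of the lab: it uses the idle timeouts from the show ip inspect name myfw output above, assumes ACL 101 is a plain deny ip any any applied inbound on f0/0 (the lab does not show the ACL body), and simplifies CBAC to its core rule (an inspected outbound flow opens its mirror image for the duration of the idle timeout; real CBAC also follows TCP state and related ICMP errors).

```python
"""Model of CBAC stateful inspection on R1 (added example, not part of the lab).

Inside interface f0/1 carries the inspection rule myfw inbound (traffic from
Host A towards the Internet); outside interface f0/0 carries ACL 101 inbound.
ACL 101 is assumed to be a plain "deny ip any any": only the return traffic of
sessions CBAC has inspected gets a temporary opening in front of it.
"""
from dataclasses import dataclass

# Idle timeouts in seconds, taken from "show ip inspect name myfw" on R1.
INSPECT_TIMEOUT = {
    "smtp": 3600, "telnet": 3600, "icmp": 10, "ftp": 3600,
    "http": 3600, "tcp": 3600, "udp": 30, "dns": 30,
}


@dataclass(frozen=True)
class Packet:
    proto: str     # inspection protocol name ("icmp", "dns", "telnet", ...)
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str   # interface the packet arrives on: "f0/1" inside, "f0/0" outside


class CbacRouter:
    INSIDE, OUTSIDE = "f0/1", "f0/0"

    def __init__(self):
        # key: 5-tuple of the expected *return* packet, value: expiry time
        self.sessions = {}

    def process(self, p, now):
        """Return 'permit' or 'deny' for packet p arriving at time `now`."""
        # Entries that have been idle past their timeout are removed first.
        self.sessions = {k: exp for k, exp in self.sessions.items() if exp > now}

        if p.ingress == self.INSIDE:
            # Inbound on the inside interface: inspection applies here.  Each
            # inspected outbound flow registers its mirror image as allowed.
            if p.proto in INSPECT_TIMEOUT:
                mirror = (p.proto, p.dst, p.src, p.dport, p.sport)
                self.sessions[mirror] = now + INSPECT_TIMEOUT[p.proto]
            return "permit"

        # Inbound on the outside interface: dynamic CBAC entries are consulted
        # before the static ACL 101.
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        if key in self.sessions:
            self.sessions[key] = now + INSPECT_TIMEOUT[p.proto]  # traffic resets the idle timer
            return "permit"
        return "deny"  # falls through to ACL 101: deny ip any any (assumed)


def run_scenario():
    """Replay the Task 3 verification traffic and return the decisions in order."""
    fw = CbacRouter()
    host_a, internet = "10.0.1.10", "192.168.1.2"
    events = [
        (0, Packet("icmp", host_a, internet, 0, 0, "f0/1")),         # ping out: permit, opens a session
        (1, Packet("icmp", internet, host_a, 0, 0, "f0/0")),         # echo reply inside 10 s: permit
        (2, Packet("telnet", internet, host_a, 40000, 23, "f0/0")),  # unsolicited inbound telnet: deny
        (5, Packet("dns", host_a, internet, 53001, 53, "f0/1")),     # DNS query out: permit
        (6, Packet("dns", internet, host_a, 53, 53001, "f0/0")),     # answer within 30 s: permit
        (40, Packet("dns", internet, host_a, 53, 53001, "f0/0")),    # late duplicate after idle timeout: deny
    ]
    return [fw.process(p, t) for t, p in events]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The last event is the one worth remembering when debugging CBAC: a reply that arrives after the idle timeout is indistinguishable from an unsolicited packet and is dropped by the ACL, which is why long-running UDP applications need a longer udp idle time or a protocol-specific inspection entry.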
LAB 02
Zone Based Policy IOS Firewall (ZFW)
Topology: Host A (Private Zone) --- f0/1 R1 f0/0 --- f0/0 Internet (Public Zone)
Task 1:
Configure the interfaces with the following information:

Host        Interface   IP Address
R1          f0/0        192.168.1.1/24
R1          f0/1        10.0.1.1/24
Internet    f0/0        192.168.1.2/24
Host A      ethernet    10.0.1.10/24
Task 2:
Configure ZFW on router R1 to inspect icmp, tcp and udp traffic going from Host A to Internet as per the topology diagram.
Task 3:
Verify the ZFW configured on R1 by initiating the respective traffic between Host A and the Internet router.
Task 1:
Configure the interfaces with the following information.
Step1: Configure the initial configs on Router R1 as per the table.
R1#configure terminal
R1(config)#interface f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface f0/1
R1(config-if)#ip address 10.0.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
Step2: Configure the initial configs on Router Internet as per the table.
Internet#configure terminal
Internet(config)#interface f0/0
Internet(config-if)#ip address 192.168.1.2 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
Task 2:
Configure ZFW on router R1 to inspect icmp, tcp and udp traffic going from Host A to the Internet as per the topology diagram.
Step1: Configure the security zones named private and public as per the topology diagram.
R1(config)#zone security private
R1(config-sec-zone)#exit
R1(config)#zone security public
R1(config-sec-zone)#exit
R1(config)#
Step2: Make interface f0/0 of R1 (the Internet side) a member of the public zone.
R1(config)#interface f0/0
R1(config-if)#zone-member security public
R1(config-if)#exit
Step3: Make interface f0/1 of R1 (the Host A side) a member of the private zone.
R1(config)#interface f0/1
R1(config-if)#zone-member security private
R1(config-if)#exit
Once an interface is placed in a zone, traffic between it and any interface in a different zone is dropped until a zone-pair with a policy permits it; traffic between interfaces in the same zone is still allowed.
Step5: Configure a class-map type inspect, match-any, named myclass on R1 that matches the protocols tcp, udp and icmp.
R1(config)#class-map type inspect match-any myclass
R1(config-cmap)#match protocol tcp
R1(config-cmap)#match protocol udp
R1(config-cmap)#match protocol icmp
R1(config-cmap)#exit
R1#show class-map type inspect myclass
 Class Map type inspect match-any myclass (id 1)
   Match protocol tcp
   Match protocol udp
   Match protocol icmp
Step7: Configure a policy-map type inspect named mypolicy on R1 that inspects the traffic selected by myclass.
R1(config)#policy-map type inspect mypolicy
R1(config-pmap)#class type inspect myclass
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#exit
Step9: Configure a security zone-pair named mypair that defines the direction of the traffic, with the private zone as source and the public zone as destination, and apply the policy-map mypolicy to it. A zone-pair is unidirectional: this one inspects traffic initiated from the private zone towards the public zone, and the return traffic of those sessions is allowed back by the inspection state, not by a second zone-pair. Traffic initiated from the public zone towards the private zone has no zone-pair and is dropped.
R1(config)#zone-pair security mypair source private destination public
R1(config-sec-zone-pair)#service-policy type inspect mypolicy
R1(config-sec-zone-pair)#exit
R1#show zone-pair security
Zone-pair name mypair
    Source-Zone private  Destination-Zone public
    service-policy mypolicy
R1#show policy-map type inspect zone-pair
 policy exists on zp mypair
  Zone-pair: mypair
  Service-policy inspect : mypolicy
    Class-map: myclass (match-any)
      Match: protocol tcp
        16 packets, 448 bytes
        30 second rate 0 bps
      Match: protocol udp
        29 packets, 290 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 40 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [0:26]
        udp packets: [0:29]
        icmp packets: [0:8]
        Session creations since subsystem startup or last reset 46
        Current session counts (estab/half-open/terminating) [0:27:0]
        Maxever session counts (estab/half-open/terminating) [0:45:0]
        Last session created 00:00:18
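The zone-pair semantics described above (same zone passes, unzoned-to-zoned drops, no zone-pair drops, otherwise the first matching class decides and class-default drops) can be checked offline against a running-config. The Python below is an added example, not part of the lab: it parses the lab's ZFW configuration written in running-config form (the explicit class-default and the interface IP addresses are the only lines not taken from the lab steps) and resolves the action for a given ingress interface, egress interface and protocol. It also goes beyond the lab by handling the self zone, whose default-allow behaviour is a common surprise.

```python
"""Resolve what R1's zone-based firewall does with a given flow (added example,
not part of the lab).  The configuration below is the lab's ZFW configuration
in running-config form; class-default and the interface IP addresses are the
only lines not taken from the lab steps.
"""
import re

R1_ZFW_CONFIG = """
zone security private
zone security public
class-map type inspect match-any myclass
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
 class class-default
  drop
zone-pair security mypair source private destination public
 service-policy type inspect mypolicy
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 zone-member security public
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 zone-member security private
"""


def parse_zfw(config):
    """Pull interface membership, class-maps, policy-maps and zone-pairs out
    of an IOS running-config."""
    cfg = {"members": {}, "classes": {}, "policies": {}, "pairs": {}}
    ctx = None  # (block type, block name) of the indented block we are in
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"class-map type inspect match-any (\S+)", line):
            ctx = ("class", m[1])
            cfg["classes"][m[1]] = []
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            ctx = ("policy", m[1])
            cfg["policies"][m[1]] = []          # ordered list of [class, action]
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            ctx = ("pair", (m[1], m[2]))
            cfg["pairs"][ctx[1]] = None
        elif m := re.match(r"interface (\S+)", line):
            ctx = ("intf", m[1])
        elif ctx is None:
            continue
        elif ctx[0] == "class" and (m := re.match(r"match protocol (\S+)", line)):
            cfg["classes"][ctx[1]].append(m[1])
        elif ctx[0] == "policy" and (m := re.match(r"class (?:type inspect )?(\S+)", line)):
            cfg["policies"][ctx[1]].append([m[1], None])
        elif ctx[0] == "policy" and line in ("inspect", "pass", "drop"):
            cfg["policies"][ctx[1]][-1][1] = line
        elif ctx[0] == "pair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            cfg["pairs"][ctx[1]] = m[1]
        elif ctx[0] == "intf" and (m := re.match(r"zone-member security (\S+)", line)):
            cfg["members"][ctx[1]] = m[1]
    return cfg


def resolve(cfg, ingress, egress, proto):
    """Return 'pass', 'inspect' or 'drop' for traffic entering on `ingress`
    and leaving on `egress` ('self' stands for the router's own control plane)."""
    def zone(intf):
        return "self" if intf == "self" else cfg["members"].get(intf)

    src, dst = zone(ingress), zone(egress)
    if src is None and dst is None:
        return "pass"                 # neither interface zoned: plain routing
    if src is None or dst is None:
        return "drop"                 # zoned and unzoned interfaces never talk
    if src == dst:
        return "pass"                 # intra-zone traffic is not policed
    policy = cfg["pairs"].get((src, dst))
    if policy is None:
        # No zone-pair for this direction.  Default is deny, except for the
        # self zone, which stays open until a self zone-pair is configured.
        return "pass" if "self" in (src, dst) else "drop"
    for cname, action in cfg["policies"][policy]:
        if cname == "class-default" or proto in cfg["classes"].get(cname, ()):
            return action or "drop"
    return "drop"                     # implicit class-default


if __name__ == "__main__":
    cfg = parse_zfw(R1_ZFW_CONFIG)
    for flow in [("FastEthernet0/1", "FastEthernet0/0", "tcp"),
                 ("FastEthernet0/0", "FastEthernet0/1", "tcp"),
                 ("FastEthernet0/1", "FastEthernet0/0", "gre"),
                 ("FastEthernet0/0", "self", "ssh")]:
        print(*flow, "->", resolve(cfg, *flow))
```

The public-to-private tcp lookup returning drop is the lab's intended result; the public-to-self lookup returning pass is the one to act on in a real deployment, where a zone-pair from public to self with an explicit management policy closes the router's own services to the outside.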
Task 3:
Verify the ZFW configured on R1 by initiating the respective traffic between Host A and the Internet router.
Step1: Ping from Host A to the Internet router.
C:\Documents and Settings\netmetric> ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
The replies get back in because the inspect action created a session for the outbound echo. A ping initiated from the Internet router towards Host A gets no reply, since there is no public-to-private zone-pair.
LAB 01
Configure site-site IPsec VPN using pre-shared keys
Topology: Site 1 (10.0.1.0/24, host A = 10.0.1.12) --- R1 f0/0 172.30.1.1 ===== 172.30.1.2 f0/0 R6 --- Site 2 (10.0.6.0/24, host B = 10.0.6.12)
Task 1:
Configure the interfaces as per the topology diagram. The end hosts are represented by loopback interfaces with the respective IP addresses on the routers.
Task 2:
Configure an IPsec site-to-site tunnel between R1 and R6, using the f0/0 interface addresses as the peer addresses. Use "netmetric" as the pre-shared key for authentication and 3DES/MD5 as the encryption and hashing algorithms for both IPsec phases.

ISAKMP Parameters
  Authentication: Pre-shared
  Encryption: 3DES
  Group: 2
  Hash: MD5
  Pre-Shared Key: netmetric
IPsec Parameters
  Encryption: ESP-3DES
  Authentication: ESP-MD5-HMAC
Protect traffic between site 1 (10.0.1.0/24 behind R1) and site 2 (10.0.6.0/24 behind R6).
These are the lab's parameters; 3DES, MD5 and DH group 2 are legacy choices, and a production deployment should use AES, SHA-2 and DH group 14 or higher instead.
Task 3:
Verify the task.
Task 1:
Configure the interfaces as per the topology diagram. The end hosts are represented by loopback interfaces with the respective IP addresses on the routers.
Step1: Configure the basic configuration on R1 as per the topology diagram.
Step2: Configure the basic configuration on R6 as per the topology diagram and check reachability to R1.
R6(config)#interface f0/0
R6(config-if)#ip address 172.30.1.2 255.255.255.0
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#interface loopback0
R6(config-if)#ip address 10.0.6.12 255.255.255.255
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#
R6#ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
(The first echo is lost while ARP resolves the neighbour.)
Task 2:
Step1.1: Enable ISAKMP on R1 with the phase 1 policy from the table. DH group 2 has to be set explicitly; the IOS default is group 1.
R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Configure the IPsec transform set myset on R1 with ESP-3DES for encryption and ESP-MD5-HMAC for integrity (tunnel mode is the default and is set explicitly here).
R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#
Step1.7: Configure the crypto ACL that matches the interesting traffic to be encrypted. The peer's crypto ACL must be the exact mirror image of this one (source and destination swapped); asymmetric ACLs cause proxy-identity mismatches during quick mode.
R1(config)#ip access-list extended 103
R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#
Step1.9: Apply the crypto map mymap (peer 172.30.1.2, transform set myset, match address 103) to the outside interface f0/0 of R1. Applying the first crypto map turns ISAKMP on, as the log message shows.
R1(config)#interface f0/0
R1(config-if)#crypto map mymap
R1(config-if)#exit
R1(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Step2.1: Enable ISAKMP on R6 with the same phase 1 policy.
R6(config)#crypto isakmp policy 110
R6(config-isakmp)#encryption 3des
R6(config-isakmp)#hash md5
R6(config-isakmp)#authentication pre-share
R6(config-isakmp)#group 2
R6(config-isakmp)#exit
R6(config)#
R6#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Note the default protection suite (DES, SHA-1, RSA signatures, DH group 1) listed after policy 110: it is still offered in negotiation at the lowest priority, so a peer proposing only those weak parameters can still complete phase 1 against this router. Newer IOS releases let you remove the built-in default policies with "no crypto isakmp default policy".
Step2.7: Configure the crypto ACL on R6 as the mirror image of R1's.
R6(config)#ip access-list extended 103
R6(config-ext-nacl)#permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255
R6(config-ext-nacl)#exit
R6(config)#
Step2.9: Apply the crypto map mymap to the outside interface f0/0 of R6.
R6(config)#interface f0/0
R6(config-if)#crypto map mymap
R6(config-if)#exit
R6(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R6#show crypto map tag mymap
Crypto Map "mymap" 110 ipsec-isakmp
        Peer = 172.30.1.1
        Extended IP access list 103
            access-list 103 permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255
        Current peer: 172.30.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ myset, }
        Interfaces using crypto map mymap:
                FastEthernet0/0
R6#show crypto ipsec transform-set
Transform set myset: { esp-3des esp-md5-hmac }
   will negotiate = { Tunnel, },
"PFS (Y/N): N" shows that no fresh Diffie-Hellman exchange is performed per IPsec SA; add "set pfs group2" (or a stronger group) under the crypto map on both peers if a compromise of the phase 1 keys must not expose phase 2 traffic.
Step3: On R1, point the route for 10.0.6.0/24 at the VPN tunnel endpoint on R6.
R1(config)#ip route 10.0.6.0 255.255.255.0 172.30.1.2
Step4: On R6, point the route for 10.0.1.0/24 at the VPN tunnel endpoint on R1.
R6(config)#ip route 10.0.1.0 255.255.255.0 172.30.1.1
Task 3:
Verify the task.
NOTE:
The VPN tunnel comes up only when the router sees interesting traffic, i.e. traffic matching the crypto ACL, that has to be encrypted.
R1#ping 10.0.6.12 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state
172.30.1.1      172.30.1.2      QM_IDLE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCF7A0D46(3480882502)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xEFAAF17A(4020957562)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4483461/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCF7A0D46(3480882502)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4483461/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
QM_IDLE means the ISAKMP SA is established and idle; equal encaps and decaps counters confirm that traffic is being protected in both directions.
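The three things that most often break a site-to-site tunnel built this way are a phase 1 or phase 2 proposal mismatch, crypto ACLs that are not exact mirror images, and peer or key entries that point at the wrong address. The Python below is an added example, not part of the lab, that audits both peers' configuration for these and additionally flags the algorithms used here that are weak by current standards. R1's configuration is written in running-config form from the lab steps; the "crypto isakmp key" line and the body of crypto map mymap are not shown on the lab page and are assumptions consistent with the show crypto map output above. R6 is derived as R1's mirror image.

```python
"""Audit R1's and R6's IPsec configuration from this lab (added example, not
part of the lab).  R1's configuration is written in running-config form from
the lab steps; the "crypto isakmp key" line and the body of crypto map mymap
are not shown on the lab page and are assumptions consistent with the
"show crypto map" output.  R6 is derived as R1's mirror image.
"""
import ipaddress
import re

R1_CRYPTO = """
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key netmetric address 172.30.1.2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
crypto map mymap 110 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set myset
 match address 103
interface FastEthernet0/0
 ip address 172.30.1.1 255.255.255.0
 crypto map mymap
access-list 103 permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
"""


def mirror(config, swaps):
    """Exchange each pair of strings: R6's config is R1's with the tunnel
    endpoint addresses and the two protected subnets swapped."""
    for x, y in swaps:
        config = config.replace(x, "\0").replace(y, x).replace("\0", y)
    return config


R6_CRYPTO = mirror(R1_CRYPTO, [("172.30.1.1", "172.30.1.2"), ("10.0.1.0", "10.0.6.0")])

# Algorithms below current guidance (NIST SP 800-131A deprecates 3DES; 1024-bit
# MODP groups are within reach of well-funded attackers; MD5 is retired).
WEAK = {
    "des": "IKE encryption DES (56-bit)", "3des": "IKE encryption 3DES (deprecated)",
    "md5": "IKE hash MD5", "group 1": "DH group 1 (768-bit MODP)",
    "group 2": "DH group 2 (1024-bit MODP)", "esp-des": "ESP encryption DES",
    "esp-3des": "ESP encryption 3DES (deprecated)", "esp-md5-hmac": "ESP integrity HMAC-MD5",
}


def _net(addr, wildcard):
    # IOS wildcard masks are hostmasks, which ipaddress accepts in place of a prefix.
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def parse_crypto(config):
    f = {"isakmp": [], "transform": [], "psk": [], "peer": [], "acl": set(), "if_addr": {}}
    ctx = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"crypto isakmp policy \d+", line):
            ctx = "isakmp"
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", line):
            f["psk"].append((m[1], m[2], m[3] or "255.255.255.255"))
            ctx = None
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            f["transform"] += m[1].split()
            ctx = None
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            ctx = "map"
        elif m := re.match(r"interface (\S+)", line):
            ctx = ("intf", m[1])
        elif m := re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line):
            f["acl"].add((_net(m[1], m[2]), _net(m[3], m[4])))
        elif ctx == "isakmp" and (m := re.match(r"(?:encr|encryption|hash) (\S+)|(group \d+)", line)):
            f["isakmp"].append(m[1] or m[2])
        elif ctx == "map" and (m := re.match(r"set peer (\S+)", line)):
            f["peer"].append(m[1])
        elif isinstance(ctx, tuple) and (m := re.match(r"ip address (\S+) \S+", line)):
            f["if_addr"][ctx[1]] = m[1]
    return f


def weak_algorithms(f):
    return sorted({WEAK[t] for t in f["isakmp"] + f["transform"] if t in WEAK})


def acls_mirror(a, b):
    """Each (local, remote) network pair on one side must appear reversed on the
    other; anything else shows up as a proxy-identity mismatch in quick mode."""
    return a["acl"] == {(dst, src) for src, dst in b["acl"]}


def peering_consistent(a, b, a_if="FastEthernet0/0", b_if="FastEthernet0/0"):
    """set peer and the pre-shared key entry on each side must name the other
    side's tunnel interface address."""
    a_addr, b_addr = a["if_addr"][a_if], b["if_addr"][b_if]
    return (a["peer"] == [b_addr] and b["peer"] == [a_addr]
            and all(addr == b_addr for _, addr, _ in a["psk"])
            and all(addr == a_addr for _, addr, _ in b["psk"]))


def psk_findings(f, min_len=20):
    out = []
    for key, addr, mask in f["psk"]:
        if mask == "0.0.0.0":
            out.append(f"wildcard pre-shared key (address {addr} {mask}) is shared with every peer")
        if len(key) < min_len:
            out.append(f"pre-shared key for {addr} is only {len(key)} characters")
    return out


if __name__ == "__main__":
    r1, r6 = parse_crypto(R1_CRYPTO), parse_crypto(R6_CRYPTO)
    print("weak algorithms:", *weak_algorithms(r1), sep="\n  ")
    print("crypto ACLs mirror each other:", acls_mirror(r1, r6))
    print("peer addresses and keys consistent:", peering_consistent(r1, r6))
    print("pre-shared key findings:", psk_findings(r1))
```

The wildcard-key check goes beyond the lab: a "crypto isakmp key ... address 0.0.0.0 0.0.0.0" entry is accepted from any source address, so one leaked key lets any host on the path authenticate as a peer.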
LAB 02
Configure site-site IPsec VPN using PKI.
Topology: R3 (CA server, f0/0 172.30.1.3) sits on the 172.30.1.0/24 segment between the sites; Site 1 (10.0.1.0/24, host A = 10.0.1.12) --- R1 f0/0 172.30.1.1 ===== 172.30.1.2 f0/0 R6 --- Site 2 (10.0.6.0/24, host B = 10.0.6.12)
Task 1:
Configure the interfaces as per the topology diagram. The end hosts are represented by loopback interfaces with the respective IP addresses on the routers.
Task 1.5:
Configure router R3 as an IOS CA server for routers R1 and R6, and do the necessary configuration on R1 and R6 so that they obtain their certificates from the CA server.
Task 2:
Configure an IPsec site-to-site tunnel between R1 and R6, using the f0/0 interface addresses as the peer addresses. Use RSA signatures for authentication and 3DES/MD5 as the encryption and hashing algorithms for both IPsec phases.

ISAKMP Parameters
  Authentication: RSA-Signature
  Encryption: 3DES
  Group: 2
  Hash: MD5
IPsec Parameters
  Encryption: ESP-3DES
  Authentication: ESP-MD5-HMAC
Protect traffic between site 1 (10.0.1.0/24 behind R1) and site 2 (10.0.6.0/24 behind R6).
Task 3:
Verify the task.
Task 1:
Configure the interfaces as per the topology diagram. The end hosts are represented by loopback interfaces with the respective IP addresses on the routers.
Step1: Configure the basic configuration on R1 as per the topology diagram.
R1(config)#interface f0/0
R1(config-if)#ip address 172.30.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.0.1.12 255.255.255.255
R1(config-if)#no shut
R1(config-if)#exit
Step2: Configure the basic configuration on R6 as per the topology diagram and check reachability to R1.
R6(config)#interface f0/0
R6(config-if)#ip address 172.30.1.2 255.255.255.0
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#interface loopback0
R6(config-if)#ip address 10.0.6.12 255.255.255.255
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#
R6#ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
Task 1.5:
Step1: Configure the basic CA server on R3 as in the topology to give CA support to R1 and R6.
Step1.1: Configure the basic configuration on R3 as per the topology diagram and check that R3 reaches both enrolling routers.
R3#ping 172.30.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/52/84 ms
R3#ping 172.30.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/84 ms
Step1.3: Configure NTP: make R3 the NTP master and configure R1 and R6 as NTP clients of R3. Certificate validity is checked against the local clock, so the CA and the enrolling routers must agree on the time; enrollment and later IKE authentication fail when a certificate appears not yet valid or already expired. The routers in this lab were not set to real time, which is why every certificate below carries dates in 2002 and 2003 (the IOS default clock); this only works because all three routers are synchronized to the same time.
Step1.5: Configure the CA server on R3 and generate the CA certificate.
R3(config)#crypto pki server R3_CA
R3(cs-server)#issuer-name cn=R3_CA,ou=netmetric
R3(cs-server)#grant auto
R3(cs-server)#no shutdown
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:netmetric
Re-enter password:netmetric
% Generating 1024 bit RSA keys, keys will be non-exportable...
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
R3(cs-server)#
%SSH-5-ENABLED: SSH 1.99 has been enabled
%PKI-6-CS_ENABLED: Certificate server now enabled.
R3(cs-server)#exit
"grant auto" makes the CA sign every request it receives over SCEP without an administrator looking at it, so anyone who can reach R3 on the enrollment port obtains a certificate that R1 and R6 will trust for IKE. It keeps the lab short; outside a lab, leave requests pending and grant them with "crypto pki server R3_CA grant <request-id>" after confirming the request fingerprint with the requester.
R3#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA
Step2: Now configure R1 and R6 to use the R3 CA server and obtain their identity certificates.
Step2.1: Configure the domain name cisco.com ("ip domain-name cisco.com") and generate the RSA key pair on R1. The key name is derived from the hostname and domain name, so the domain name must be set first. A 1024-bit modulus is used here to keep the lab quick; current guidance is 2048 bits or more.
R1(config)#crypto key generate rsa
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
Mar 1 01:28:47.030: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1#show crypto key mypubkey rsa
% Key pair was generated at: 01:28:47 UTC Mar 1 2002
Key name: R1.cisco.com
Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 6E1B57ED ECC9C1B9
  C7D80244 625D5780 2DA8F89F 55C282AA 70ED671F 40BE40E3 7BFC72D9 10979809
  3276F5C2 7B7F72EC F39DB3C4 AE788E86 34F0A7E0 E30CA738 9C985DFB 665332D0
  B8E1C850 8A27A3A4 2B37A55F 1DA73624 F99EA20D 29298D06
% Key pair was generated at: 01:28:48 UTC Mar 1 2002
Key name: R1.cisco.com.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 BEDF35DF FFBFCC9D 8E1093DA C5B1895D
  D2DADF94 AD90076A 44B82F27 2160D231 8D254300 4F8AC83B B6EC6785 AA4F1D36
R1#
Step2.3: Configure the domain name cisco.com and generate the RSA key pair on R6.
R6(config)#crypto key generate rsa
The name for the keys will be: R6.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R6(config)#
Mar 1 01:28:47.030: %SSH-5-ENABLED: SSH 1.99 has been enabled
R6#show crypto key mypubkey rsa
% Key pair was generated at: 01:31:53 UTC Mar 1 2002
Key name: R6.cisco.com
Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 31101028 708FA8D8
  B1A2D928 E24830BB E98A11B4 A658122B 03A78F28 4210EF7F F5CEB71D D469BB30
  4ACECE62 578D9379 08D8512C 8D989232 CA2DD92A 9EE9F125 76B00A3C 18605335
  CD112D8F 15F253D3 7EC681F4 BF9051ED 65C6872E 25F2FDAE
% Key pair was generated at: 01:31:54 UTC Mar 1 2002
Key name: R6.cisco.com.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 E45A983C 9AAD217E 529B6168 F92EA141
  5092D62A 333A9C13 5E92F0BD DA4CDA66 AFC37FD4 54FC0C1F C0AD60F4 EF7EF9A8
R6#
With the trustpoint R3_CA defined on both routers (pointing at the CA on R3), check its status before authenticating the CA:
R1#show crypto pki trustpoints status
Trustpoint R3_CA:
  Issuing CA certificate not configured.
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... No
    Certificate request(s) ..... None
R6#show crypto pki trustpoints status
Trustpoint R3_CA:
  Issuing CA certificate not configured.
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... No
    Certificate request(s) ..... None
Authenticate the CA on R1, i.e. download the CA certificate and accept it into the trustpoint. Compare the fingerprint displayed with the fingerprint of the CA certificate obtained out of band (for example from "show crypto pki certificates verbose" on R3 itself) before answering yes: accepting an unverified fingerprint lets anyone on the path between R1 and R3 substitute their own CA, and every certificate that CA later signs would then be trusted for IKE.
R1(config)#crypto pki authenticate R3_CA
Certificate has the following attributes:
       Fingerprint MD5: 8B941CA0 2CB012D2 143822B5 A0FEA635
      Fingerprint SHA1: 5D7D3208 9C525FCE 2018623E 782E3CF6 79E8202C

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#
R1#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA
Authenticate the CA on R6 the same way; the fingerprints must be identical to those seen on R1.
R6(config)#crypto pki authenticate R3_CA
Certificate has the following attributes:
       Fingerprint MD5: 8B941CA0 2CB012D2 143822B5 A0FEA635
      Fingerprint SHA1: 5D7D3208 9C525FCE 2018623E 782E3CF6 79E8202C

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R6#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA
Enroll R1 with the CA. The challenge password is only needed to revoke the certificate later; note it down, it is not stored in the configuration.
R1(config)#crypto pki enroll R3_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: cisco123
Re-enter password: cisco123

% The subject name in the certificate will include: R1.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R3_CA verbose' command will show the fingerprint.

R1(config)#
CRYPTO_PKI:  Certificate Request Fingerprint MD5: C36004FF D0BD7A5C 3B45C567 92ECC4EA
CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 472CD52C EAB9774F FE6DD447 9F9FC569 C508ED12
%PKI-6-CERTRET: Certificate received from Certificate Authority
R1(config)#exit
R1#wr
Building configuration...
[OK]
R1#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x3
  Certificate Usage: General Purpose
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    Name: R1.cisco.com
    hostname=R1.cisco.com
  Validity Date:
    start date: 02:02:51 UTC Mar 1 2002
    end   date: 02:02:51 UTC Mar 1 2003
  Associated Trustpoints: R3_CA

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA
Enroll R6 the same way.
R6(config)#crypto pki enroll R3_CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: cisco123
Re-enter password: cisco123

% The subject name in the certificate will include: R6.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R3_CA verbose' command will show the fingerprint.

R6(config)#
%PKI-6-CERTRET: Certificate received from Certificate Authority
R6(config)#exit
R6#wr
Building configuration...
[OK]
R6#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x4
  Certificate Usage: General Purpose
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    Name: R6.cisco.com
    hostname=R6.cisco.com
  Validity Date:
    start date: 02:06:15 UTC Mar 1 2002
    end   date: 02:06:15 UTC Mar 1 2003
  Associated Trustpoints: R3_CA

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA
The identity certificates are valid for one year while the CA certificate is valid for three; configure "auto-enroll" under the trustpoint or re-enroll before the identity certificates expire, or IKE authentication stops working on that date.
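Two checks are worth automating at this point: that the CA fingerprint accepted during "crypto pki authenticate" really equals the one obtained from the CA out of band, and that the chain each router now holds is usable at the router's current time. The Python below is an added example, not part of the lab: it parses R1's show crypto pki certificates output exactly as IOS prints it and reports chain, validity-window and status problems; the out-of-band fingerprint value is an assumption written in the colon-separated form openssl uses, taken here to be equal to the one R1 displayed.

```python
"""Sanity-check what R1 holds after authenticating R3_CA and enrolling (added
example, not part of the lab).  Parses "show crypto pki certificates" output,
checks the chain and validity windows against a supplied router clock, and
compares the CA fingerprint accepted on R1 with one obtained out of band.
"""
import re
from datetime import datetime

# R1's output from this lab, verbatim.
R1_SHOW_CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number: 0x3
  Certificate Usage: General Purpose
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    Name: R1.cisco.com
    hostname=R1.cisco.com
  Validity Date:
    start date: 02:02:51 UTC Mar 1 2002
    end   date: 02:02:51 UTC Mar 1 2003
  Associated Trustpoints: R3_CA

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=R3_CA
    ou=netmetric
  Subject:
    cn=R3_CA
    ou=netmetric
  Validity Date:
    start date: 01:04:10 UTC Mar 1 2002
    end   date: 01:04:10 UTC Feb 28 2005
  Associated Trustpoints: R3_CA
"""

# Fingerprint R1 displayed (from the lab) and the value an operator would read
# off the CA out of band, e.g. with openssl; the latter is assumed equal here.
ACCEPTED_MD5 = "8B941CA0 2CB012D2 143822B5 A0FEA635"
CA_MD5_OUT_OF_BAND = "8b:94:1c:a0:2c:b0:12:d2:14:38:22:b5:a0:fe:a6:35"


def _date(s):
    return datetime.strptime(s.strip(), "%H:%M:%S UTC %b %d %Y")


def parse_certificates(text):
    """Split the show output into dicts with kind, status, issuer, subject and dates."""
    certs, cur, section = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # "Certificate" or "CA Certificate" header
            cur = {"kind": line.strip(), "issuer": [], "subject": []}
            certs.append(cur)
            section = None
            continue
        s = line.strip()
        if s.startswith("Issuer:"):
            section = "issuer"
        elif s.startswith("Subject:"):
            section = "subject"
        elif s.startswith("Validity Date:"):
            section = None
        elif m := re.match(r"start date: (.*)", s):
            cur["start"] = _date(m[1])
        elif m := re.match(r"end\s+date: (.*)", s):
            cur["end"] = _date(m[1])
        elif m := re.match(r"Status: (\S+)", s):
            cur["status"] = m[1]
        elif section and "=" in s:            # one RDN per line, e.g. cn=R3_CA
            cur[section].append(s)
    return certs


def check_certificates(text, now):
    """Return a list of problems; an empty list means the chain is usable at `now`."""
    certs = parse_certificates(text)
    cas = [c for c in certs if c["kind"] == "CA Certificate"]
    if len(cas) != 1:
        return [f"expected one CA certificate, found {len(cas)}"]
    ca, problems = cas[0], []
    for c in certs:
        name = c["subject"][0] if c["subject"] else c["kind"]
        if c.get("status") != "Available":
            problems.append(f"{name}: status {c.get('status')}")
        if now < c["start"]:
            problems.append(f"{name}: not yet valid until {c['start']:%Y-%m-%d} (check NTP)")
        elif now > c["end"]:
            problems.append(f"{name}: expired {c['end']:%Y-%m-%d} (re-enroll or auto-enroll)")
        if c is ca:
            continue
        if c["issuer"] != ca["subject"]:
            problems.append(f"{name}: issuer {c['issuer']} is not the trusted CA {ca['subject']}")
        if c["start"] < ca["start"] or c["end"] > ca["end"]:
            problems.append(f"{name}: validity exceeds the CA certificate's")
    return problems


def same_fingerprint(shown, reference):
    """Compare fingerprints regardless of IOS spacing, openssl colons and case."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(shown) == norm(reference)


if __name__ == "__main__":
    print("fingerprint matches CA:", same_fingerprint(ACCEPTED_MD5, CA_MD5_OUT_OF_BAND))
    for clock in (datetime(2002, 3, 1, 3, 0, 0), datetime(2003, 6, 1)):
        print(clock.date(), check_certificates(R1_SHOW_CERTS, clock) or "OK")
```

Run against the lab clock the check passes; run with a 2003 clock it reports the expired identity certificate, which is what R1 would hit one year into this configuration, and with a clock before March 2002 it reports both certificates as not yet valid, which is what an unsynchronized router sees.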
Task 2:
Step1.1: Enable ISAKMP on R1 with RSA signatures as the authentication method.
R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication rsa-sig
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Configure the IPsec transform set myset on R1 with ESP-3DES for encryption and ESP-MD5-HMAC for integrity.
R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#
Step1.7: Configure the crypto ACL that matches the interesting traffic to be encrypted.
R1(config)#ip access-list extended 103
R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#
Step1.9: Apply the crypto map mymap (peer 172.30.1.2, transform set myset, match address 103) to the outside interface f0/0 of R1.
R1(config)#interface f0/0
R1(config-if)#crypto map mymap
R1(config-if)#exit
R1(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#show crypto map
...
        Current peer: 172.30.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset:  { esp-3des esp-md5-hmac  } ,
        }
        Interfaces using crypto map mymap:
                FastEthernet0/0
Step2.1: Enable ISAKMP on R6 with the same phase 1 policy.
R6(config)#crypto isakmp policy 110
R6(config-isakmp)#encryption 3des
R6(config-isakmp)#hash md5
R6(config-isakmp)#authentication rsa-sig
R6(config-isakmp)#group 2
R6(config-isakmp)#exit
R6(config)#
R6#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
The default protection suite (DES, SHA-1, RSA signatures, DH group 1) is still offered at the lowest priority alongside policy 110.
Step2.6: Configure the crypto ACL on R6 as the mirror image of R1's.
R6(config)#ip access-list extended 103
R6(config-ext-nacl)#permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255
R6(config-ext-nacl)#exit
R6(config)#
Step2.9: Apply the crypto map mymap to the outside interface f0/0 of R6.
R6(config)#interface f0/0
R6(config-if)#crypto map mymap
R6(config-if)#exit
R6(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Step3: On R1, point the route for 10.0.6.0/24 at the VPN tunnel endpoint on R6.
R1(config)#ip route 10.0.6.0 255.255.255.0 172.30.1.2
Step4: On R6, point the route for 10.0.1.0/24 at the VPN tunnel endpoint on R1.
R6(config)#ip route 10.0.1.0 255.255.255.0 172.30.1.1
Task 3:
Verify the task.
NOTE:
The VPN tunnel comes up only when the router sees interesting traffic, i.e. traffic matching the crypto ACL, that has to be encrypted.
R1#ping 10.0.6.12 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state
172.30.1.1      172.30.1.2      QM_IDLE

IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xCF7A0D46(3480882502)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xEFAAF17A(4020957562)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4483461/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCF7A0D46(3480882502)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4483461/3495)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
LAB 03
Configure site-site GRE/IPsec tunnel
Topology: Site 1 (10.0.1.0/24, host A = 10.0.1.12) --- R1 f0/0 172.30.1.1 ===== GRE/IPsec Tunnel ===== 172.30.1.2 f0/0 R6 --- Site 2 (10.0.6.0/24, host B = 10.0.6.12)
Task 1:
Configure the interfaces as per the topology diagram. The end hosts are represented by loopback interfaces with the respective IP addresses on the routers.
Task 2:
Configure an IPsec site-to-site tunnel between R1 and R6, using the f0/0 interface addresses as the peer addresses. Use "netmetric" as the pre-shared key for authentication and 3DES/MD5 as the encryption and hashing algorithms for both IPsec phases. Create a GRE tunnel between R1 and R6 with tunnel addresses in the 172.16.1.0/24 network and encrypt all GRE traffic passing between R1 and R6 with IPsec. In this design the crypto ACL matches the GRE traffic between the tunnel endpoints rather than the LAN subnets; the LAN-to-LAN traffic is protected because it is routed into the GRE tunnel.

ISAKMP Parameters
  Authentication: Pre-shared
  Encryption: 3DES
  Group: 2
  Hash: MD5
  Pre-Shared Key: netmetric
IPsec Parameters
  Encryption: ESP-3DES
  Authentication: ESP-MD5-HMAC
Protect traffic between site 1 (10.0.1.0/24 behind R1) and site 2 (10.0.6.0/24 behind R6).
Netmetric Infosolutions (P) Limited, Hyderabad, IN, www.netmetric-solutions.com
Task 3:
Verify the task.
Task 1:
Configure the interfaces as per the topology diagram. Here the end hosts are represented by loopback interfaces with the respective IPs on the routers.
Step1: Configure the basic configuration on R1 as per the topology diagram.
R1(config)#interface f0/0
R1(config-if)#ip address 172.30.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.0.1.12 255.255.255.255
R1(config-if)#no shut
R1(config-if)#exit
R6(config)#interface f0/0
R6(config-if)#ip address 172.30.1.2 255.255.255.0
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#interface loopback0
R6(config-if)#ip address 10.0.6.12 255.255.255.255
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#
R6#ping 172.30.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
Task 2:
Step1.1: Enable ISAKMP on R1.
R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#
Step1.7: Configure the crypto ACL to match the interesting traffic for encryption as given.
R1(config)#ip access-list extended 103
R1(config-ext-nacl)#permit gre host 172.30.1.1 host 172.30.1.2
R1(config-ext-nacl)#exit
R1(config)#
Step1.9: Configure a GRE tunnel and implement the crypto map on tunnel0 on R1.
R1(config)# interface tunnel 0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# tunnel source f0/0
R1(config-if)# tunnel destination 172.30.1.2
R1(config-if)# crypto map mymap
R1(config-if)# no shutdown
R1(config-if)# exit
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Step1.10: Implement the crypto map on the outside interface f0/0 of R1.
R1(config)#interface f0/0
R1(config-if)#crypto map mymap
R1(config-if)#exit
R1(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R6(config)#crypto isakmp policy 110
R6(config-isakmp)#encryption 3des
R6(config-isakmp)#hash md5
R6(config-isakmp)#authentication pre-share
R6(config-isakmp)#group 2
R6(config-isakmp)#exit
R6(config)#
R6#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
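The listing above shows the router's built-in default protection suite next to the configured priority 110 suite. As an added example, not part of the workbook, the following Python parses a listing of this shape and flags the settings a reviewer would question; the sample text is constructed to mirror the R6 output.

```python
"""Audit a Cisco IOS 'show crypto isakmp policy' listing for weak IKE settings.

The sample text is constructed to mirror the lab's R6 output (priority 110 plus
the built-in default suite); it was not captured from a live router.
"""
import re

SAMPLE_ISAKMP_POLICY = """\
Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""


def parse_isakmp_policies(text):
    """Return one dict per protection suite, keyed by the labels IOS prints (lower-cased)."""
    policies, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m or line.startswith("Default protection suite"):
            current = {"priority": int(m.group(1)) if m else "default"}
            policies.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return policies


def isakmp_findings(policies):
    """List the settings in each suite that fall below current guidance."""
    findings = []
    for p in policies:
        tag = f"IKE priority {p['priority']}"
        # Matches both "DES - Data Encryption Standard" and "Three key triple DES".
        if "des" in p.get("encryption algorithm", "").lower():
            findings.append(f"{tag}: DES-family encryption")
        if "message digest 5" in p.get("hash algorithm", "").lower():
            findings.append(f"{tag}: MD5 hash")
        group = re.search(r"#(\d+)", p.get("diffie-hellman group", ""))
        if group and int(group.group(1)) < 14:
            findings.append(f"{tag}: DH group {group.group(1)} is below 2048 bits")
        if p["priority"] == "default":
            findings.append(f"{tag}: built-in DES/DH-1 suite is still in the policy list")
    return findings


if __name__ == "__main__":
    for finding in isakmp_findings(parse_isakmp_policies(SAMPLE_ISAKMP_POLICY)):
        print(finding)
```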
Step2.7: Configure the crypto ACL to match the interesting traffic for encryption as given.
R6(config)#ip access-list extended 103
R6(config-ext-nacl)#permit gre host 172.30.1.2 host 172.30.1.1
R6(config-ext-nacl)#exit
R6(config)#
R6(config)#crypto map mymap 110 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R6(config-crypto-map)#match address 103
R6(config-crypto-map)#set peer 172.30.1.1
R6(config-crypto-map)#set transform-set myset
R6(config-crypto-map)#exit
Step2.9: Configure a GRE tunnel and implement the crypto map on tunnel0 on R6.
R6(config)# interface tunnel 0
R6(config-if)# ip address 172.16.1.2 255.255.255.0
R6(config-if)# tunnel source f0/0
R6(config-if)# tunnel destination 172.30.1.1
R6(config-if)# crypto map mymap
R6(config-if)# no shutdown
R6(config-if)# exit
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Step2.10: Implement the crypto map on the outside interface f0/0 of R6.
R6(config)#interface f0/0
R6(config-if)#crypto map mymap
R6(config-if)#exit
R6(config)#
*Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Task 3:
Verify the task.
NOTE:
The VPN tunnel will come up only when the router sees the interesting traffic that is to be encrypted.
state QM_IDLE
   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   current_peer 172.30.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0xE00A33DD(3758765021)

     inbound esp sas:
      spi: 0x7BB049E(129696926)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4543217/466)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE00A33DD(3758765021)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4543217/465)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel0
    Crypto map tag: mymap, local addr 172.30.1.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   current_peer 172.30.1.1 port 500
     PERMIT, flags={origin_is_acl,}

     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0xE00A33DD(3758765021)

     inbound esp sas:
      spi: 0x7BB049E(129696926)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4543217/465)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE00A33DD(3758765021)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4543217/464)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R6#
R1#ping 10.0.6.12 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.12, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state
172.30.1.1      172.30.1.2      QM_IDLE

IPv6 Crypto ISAKMP SA
R1# show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x7BB049E(129696926)

     inbound esp sas:
      spi: 0xE00A33DD(3758765021)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439646/562)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7BB049E(129696926)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439646/543)
        IV size: 8 bytes

   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x7BB049E(129696926)

     inbound esp sas:
      spi: 0xE00A33DD(3758765021)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439646/543)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7BB049E(129696926)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4439646/542)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
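Reading the verification output by eye scales poorly once there are many tunnels. As an added example, not code from the workbook, this Python parses `show crypto ipsec sa` text of the shape shown above and reports the proxy identities, traffic counters, SA status and negotiated transform; the sample is constructed from the lab's R1 values.

```python
"""Parse Cisco IOS 'show crypto ipsec sa' output and report SA health and weak algorithms.

Constructed sample modelled on the lab's R1 output for the GRE/IPsec tunnel (GRE proxy
identities, one send error); it was not captured from a live router.
"""
import re

SAMPLE_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 172.30.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #send errors 1, #recv errors 0
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x7BB049E(129696926)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE00A33DD(3758765021)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4439646/562)
        Status: ACTIVE

     outbound esp sas:
      spi: 0x7BB049E(129696926)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4439646/543)
        Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Collect proxy identities, traffic counters and every ESP/AH SA in the output."""
    info = {"idents": {}, "sas": [], "encaps": 0, "decaps": 0, "send_errors": 0, "pfs": None}
    direction, sa = None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"(local|remote)\s+ident .*\(([^/]+)/([^/]+)/(\d+)/(\d+)\)$", line):
            info["idents"][m.group(1)] = {"addr": m.group(2), "mask": m.group(3),
                                          "proto": int(m.group(4)), "port": int(m.group(5))}
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            info[m.group(1)] = int(m.group(2))
        elif m := re.match(r"#send errors (\d+)", line):
            info["send_errors"] = int(m.group(1))
        elif m := re.match(r"PFS \(Y/N\): (\w)", line):
            info["pfs"] = m.group(1)
        elif m := re.match(r"(inbound|outbound) (esp|ah) sas:", line):
            direction = m.groups()                      # following 'spi:' blocks belong here
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sa = {"direction": direction[0], "proto": direction[1], "spi": m.group(1)}
            info["sas"].append(sa)
        elif sa and line.startswith("transform:"):
            sa["transform"] = line.split(":", 1)[1].strip(" ,")
        elif sa and (m := re.search(r"\(k/sec\): \((\d+)/(\d+)\)", line)):
            sa["kb_left"], sa["sec_left"] = int(m.group(1)), int(m.group(2))
        elif sa and line.startswith("Status:"):
            sa["status"] = line.split(":", 1)[1].strip()
    return info


def ipsec_findings(info):
    """Return the points a reviewer would raise about this crypto map's SAs."""
    out = []
    if info["idents"].get("local", {}).get("proto") == 47:
        out.append("proxy identity is GRE between the peers: site traffic is protected only while it rides the tunnel")
    if info["pfs"] == "N":
        out.append("PFS off: IPsec keys derive from the IKE SA alone")
    if info["encaps"] == 0 or info["decaps"] == 0:
        out.append("no traffic in one direction yet (encaps/decaps counter is 0)")
    if info["send_errors"]:
        out.append(f"{info['send_errors']} send error(s): usually the first packets dropped while IKE negotiated")
    for sa in {s["spi"]: s for s in info["sas"]}.values():     # the same SA repeats per interface
        tag = f"{sa['direction']} {sa['proto'].upper()} {sa['spi']}"
        if sa.get("status") != "ACTIVE":
            out.append(f"{tag}: state is {sa.get('status', 'missing')}, not ACTIVE")
        transform = sa.get("transform", "")
        if re.search(r"esp-(3des|des)\b", transform):
            out.append(f"{tag}: 64-bit block cipher ({transform.split()[0]})")
        if "md5" in transform:
            out.append(f"{tag}: MD5 integrity")
        if sa.get("sec_left", 1) == 0:
            out.append(f"{tag}: lifetime exhausted")
    return out


if __name__ == "__main__":
    for finding in ipsec_findings(parse_ipsec_sa(SAMPLE_IPSEC_SA)):
        print(finding)
```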
LAB 05
Configure Easy VPN Remote Router as Client.
Topology diagram: R6-Client (Fa0/1 at .2 on 172.30.1.0/24, LAN 10.0.6.0) connects to R1-Server (.1 on 172.30.1.0/24, LAN 10.0.1.0).
Task 1:
Configure the interfaces as per the topology diagram. Here the end hosts are represented by loopback interfaces with the respective IPs on the routers.
Task 2:
Configure R1 as an Easy VPN server with the following requirements.
ISAKMP Parameters
Authentication: Pre-shared
Encryption: 3DES
Group: 2
Hash: MD5
IPsec Parameters
Encryption: ESP-3DES
Authentication: ESP-MD5-HMAC
ISAKMP Client Configuration
Group Name: R6
Key: VPNKEY
Mode: Client
Use the address pool 10.0.1.100-10.0.1.150 for remote users. Enable Xauth against the local user database and create the user cisco with password cisco. Only encrypt user traffic destined to the subnet 10.0.1.0/24. Configure the client router R6 to verify the configuration.
Task 3:
Verify the task.
Task 1:
Configure the interfaces as per the topology diagram. Here the end hosts are represented by loopback interfaces with the respective IPs on the routers.
Step1: Configure the basic configuration on R1 as per the topology diagram.
R1(config)#interface f0/0
R1(config-if)#ip address 172.30.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.0.1.12 255.255.255.255
R1(config-if)#no shut
R1(config-if)#exit
R6(config)#interface f0/0
R6(config-if)#ip address 172.30.1.2 255.255.255.0
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#interface loopback0
R6(config-if)#ip address 10.0.6.12 255.255.255.255
R6(config-if)#no shut
R6(config-if)#exit
R6(config)#

R6#ping 172.30.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
Task 2:
Step1.1: Enable ISAKMP on R1.
Step1.2: Create ISAKMP Policy for Remote VPN client with the given parameters on R1.
R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Step1.5: Configure IPsec Transform set on R1 for Remote VPN client with given parameters.
R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#
Step2: Define the group policy for mode configuration push on R1.
Step2.1: Configure the split tunnel ACL to match the interesting traffic for encryption as given.
R1(config)#ip access-list extended SPLIT
R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 any
R1(config-ext-nacl)#exit
R1(config)#
Step2.3: Enable the remote group policy lookup via AAA and configure xauth login credentials.
R1(config)# aaa new-model
R1(config)# aaa authorization network vpn-group local
R1(config)# aaa authentication login vpn-users local
R1(config)# username cisco password 0 cisco
Step2.4: Configure the remote group policy with name R6, specify the ISAKMP pre-shared key VPNKEY, specify the IP address pool for remote users and add the split tunnel ACL for selected traffic encryption.
R1(config)# ip local pool Remote-Pool 10.0.1.100 10.0.1.150
R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# acl SPLIT
Step2.5: Configure a dynamic crypto map with RRI and the IPsec transform set.
R1(config)# crypto dynamic-map dmap 10
R1(config-crypto-map)# set transform-set myset
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# end
Step3: Apply mode configuration and XAUTH.
Step3.1: Configure the router to respond to mode configuration requests.
Step3.3: Enforce XAUTH and apply the dynamic crypto map to the crypto map.
R1(config)# crypto map mymap client authentication list vpn-users
R1(config)# crypto map mymap 65535 ipsec-isakmp dynamic dmap
R1# show crypto map interface fastEthernet 0/0
Crypto Map "mymap" 65535 ipsec-isakmp
        Dynamic map template tag: dmap

        Interfaces using crypto map mymap:
                FastEthernet0/0
Step6: Configure the client router R6 to verify the task.
Step6.1: Configure the Cisco Easy VPN client profile.
Step6.2: Assign the Cisco Easy VPN Remote profile to the interfaces in their respective directions.
R6(config)# interface FastEthernet 0/1
R6(config-if)# crypto ipsec client ezvpn R6-Client outside
R6(config-if)# exit
R6(config)# interface Loopback0
R6(config-if)# crypto ipsec client ezvpn R6-Client inside
R6(config-if)# end
Task 3:
Step1: Initiate the VPN tunnel (Xauth) from R6.
R6(config-crypto-ezvpn)# end
*Mar 1 03:11:26.495: EZVPN(remote): Pending XAuth Request, Please enter the following command:
*Mar 1 03:11:26.495: EZVPN: crypto ipsec client ezvpn xauth
R6# crypto ipsec client ezvpn xauth
Username: cisco
Password: cisco
R6#
*Mar 1 03:11:34.823: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=R6 Client_public_addr=172.30.1.2 Server_public_addr=172.30.1.1 Assigned_client_addr=10.0.1.102
*Mar 1 03:11:36.363: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
*Mar 1 03:11:37.363: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
NOTE:
The VPN tunnel will show as up, but it will encrypt packets only when the router sees the interesting traffic that is to be encrypted.
state QM_IDLE
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x191189C2(420579778)

     inbound esp sas:
      spi: 0x17D001E4(399507940)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4549679/3294)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x191189C2(420579778)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4549679/3293)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
LAB 06
Configure Easy VPN Remote PC as Client
Topology diagram: PC-Client (.2 on 172.30.1.0/24) connects to R1-Server (.1 on 172.30.1.0/24, LAN 10.0.1.0).
Task 1:
Configure the interfaces as per the topology diagram. Here the end hosts are represented by loopback interfaces with the respective IPs on the routers.
Task 2:
Configure R1 as an Easy VPN server with the following requirements.
ISAKMP Parameters
Authentication: Pre-shared
Encryption: 3DES
Group: 2
Hash: MD5
IPsec Parameters
Encryption: ESP-3DES
Authentication: ESP-MD5-HMAC
ISAKMP Client Configuration
Group Name: R6
Key: VPNKEY
Mode: Client
Use the address pool 10.0.1.100-10.0.1.150 for remote users. Enable Xauth against the local user database and create the user cisco with password cisco. Only encrypt user traffic destined to the subnet 10.0.1.0/24.
Configure the client PC with the Cisco VPN client and verify the configuration.
Task 3:
Verify the task.
Task 1:
Configure the interfaces as per the topology diagram. Here the end hosts are represented by loopback interfaces with the respective IPs on the routers.
Step1: Configure the basic configuration on R1 as per the topology diagram.
R1(config)#interface f0/0
R1(config-if)#ip address 172.30.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface loopback0
R1(config-if)#ip address 10.0.1.12 255.255.255.255
R1(config-if)#no shut
R1(config-if)#exit
C:\Documents and Settings\Administrator> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.30.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.30.1.1
C:\Documents and Settings\Administrator> ping 172.30.1.1

Pinging 172.30.1.1 with 32 bytes of data:

Reply from 172.30.1.1: bytes=32 time=54ms TTL=255
Reply from 172.30.1.1: bytes=32 time=16ms TTL=255
Reply from 172.30.1.1: bytes=32 time=28ms TTL=255
Reply from 172.30.1.1: bytes=32 time=4ms TTL=255

Ping statistics for 172.30.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds: 
    Minimum = 4ms, Maximum = 54ms, Average = 25ms
Task 2:
Step1.1: Enable ISAKMP on R1.
Step1.2: Create ISAKMP Policy for Remote VPN client with the given parameters on R1.
R1(config)#crypto isakmp policy 110
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 110
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Step1.5: Configure IPsec Transform set on R1 for Remote VPN client with given parameters.
R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#
Step2: Define the group policy for mode configuration push on R1.
Step2.1: Configure the split tunnel ACL to match the interesting traffic for encryption as given.
R1(config)#ip access-list extended SPLIT
R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 any
R1(config-ext-nacl)#exit
R1(config)#
Step2.3: Enable the remote group policy lookup via AAA and configure xauth login credentials.
R1(config)# aaa new-model
R1(config)# aaa authorization network vpn-group local
R1(config)# aaa authentication login vpn-users local
R1(config)# username cisco password 0 cisco
Step2.4: Configure the remote group policy with name R6, specify the ISAKMP pre-shared key VPNKEY, specify the IP address pool for remote users and add the split tunnel ACL for selected traffic encryption.
R1(config)# ip local pool Remote-Pool 10.0.1.100 10.0.1.150
R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# acl SPLIT
Step2.5: Configure a dynamic crypto map with RRI and the IPsec transform set.
R1(config)# crypto dynamic-map dmap 10
R1(config-crypto-map)# set transform-set myset
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# end
Step3: Apply mode configuration and XAUTH.
Step3.1: Configure the router to respond to mode configuration requests.
Step3.3: Enforce XAUTH and apply the dynamic crypto map to the crypto map.
R1(config)# crypto map mymap client authentication list vpn-users
R1(config)# crypto map mymap 65535 ipsec-isakmp dynamic dmap
R1# show crypto map interface fastEthernet 0/0
Crypto Map "mymap" 65535 ipsec-isakmp
        Dynamic map template tag: dmap

        Interfaces using crypto map mymap:
                FastEthernet0/0
Step6: Configure the client PC with the Cisco VPN client and verify the task.
Step6.1: Install the Cisco Easy VPN client on the client PC.
Step6.2: Configure the Cisco Easy VPN Client with correct credentials as shown.
Task 3:
Step1: Initiate the VPN tunnel and give the xauth credentials on prompt.
NOTE:
The VPN tunnel will show as up, but it will encrypt packets only when the router sees the interesting traffic that is to be encrypted.
Step5: Create a loopback100 on R1 with IP address 100.100.100.100 to check the split tunnel ACL. When the PC pings 100.100.100.100, the VPN tunnel should bypass this traffic.
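Step5 works because the split tunnel ACL pushed by the server decides, per destination, whether the client encrypts or sends in clear. As an added example that is not part of the workbook, this Python models that decision with IOS wildcard-mask semantics for the lab's ACL and the two R1 loopbacks, and also shows what happens when a subnet mask is typed where a wildcard belongs (a constructed mistake, not on the page).

```python
"""Model the split-tunnel decision an Easy VPN client makes from the pushed IOS ACL.

Constructed example, not router code: the ACL is the lab's 'permit ip 10.0.1.0 0.0.0.255
any', and 10.0.1.12 / 100.100.100.100 are the lab's R1 loopbacks. MISTYPED_ACL is an
added illustration of a subnet mask typed where IOS expects a wildcard.
"""
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF
SPLIT_ACL = "permit ip 10.0.1.0 0.0.0.255 any"
# Common mistake: a subnet mask where IOS expects a wildcard (1 bits mean "don't care").
MISTYPED_ACL = "permit ip 10.0.1.0 255.255.255.0 any"


def parse_wildcard_acl(text):
    """'permit ip <net> <wildcard> any' lines -> [(action, network_int, wildcard_int)].

    On the Easy VPN server the ACL source is the protected network, which is the
    destination from the client's point of view.
    """
    rules = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[1] != "ip":
            continue                       # only IP entries matter for split tunnelling
        if tok[2] == "any":
            net, wc = 0, MASK32
        elif tok[2] == "host":
            net, wc = int(IPv4Address(tok[3])), 0
        else:
            net, wc = int(IPv4Address(tok[2])), int(IPv4Address(tok[3]))
        rules.append((tok[0], net, wc))
    return rules


def wildcard_match(addr, net, wc):
    """Compare only the bits the wildcard marks as significant (0 bits)."""
    care = ~wc & MASK32
    return (int(IPv4Address(addr)) & care) == (net & care)


def split_tunnel_decision(dst, rules):
    """'encrypt' when the first matching entry is a permit; otherwise the client sends in clear."""
    for action, net, wc in rules:
        if wildcard_match(dst, net, wc):
            return "encrypt" if action == "permit" else "bypass"
    return "bypass"                        # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    rules = parse_wildcard_acl(SPLIT_ACL)
    for host in ("10.0.1.12", "100.100.100.100"):
        print(host, split_tunnel_decision(host, rules))
```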
Task5:
Configure NAT so that hosts on the dmz going to the outside have their addresses translated to the outside interface address, i.e. PAT.
Step1: On ASA1, configure the global PAT address and the local NAT rule for the dmz.
ASA1(config)#global (outside) 2 interface
INFO: outside interface address added to PAT pool
ASA1(config)#nat (dmz) 2 172.16.1.0 255.255.255.0
ASA1(config)#
ASA1(config)#show run global
global (outside) 1 192.168.1.10-192.168.1.20
global (outside) 2 interface
global (dmz) 1 172.16.1.12
ASA1(config)#show run nat
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz) 2 172.16.1.0 255.255.255.0
Step3: On ASA1, configure an inbound access-list allowing only the icmp and telnet traffic for dmz
ASA1(config)#access-list DMZ_OUT permit tcp 172.16.1.0 255.255.255.0 any eq telnet
ASA1(config)#access-list DMZ_OUT permit icmp any any
ASA1(config)#access-group DMZ_OUT in interface dmz
Step5: Initiate a telnet session from R2 to R1 to verify the IP address translation as per task5
R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:cisco
R1>show user
    Line       User
   0 con 0
*194 vty 0
  Interface    User               Mode         Idle     Peer Address
LAB 02
Configure Static NAT and PAT
Topology diagram: PC1 sits on the inside network behind ASA1 (E0/1 inside, E0/0 outside, E0/2 dmz); R1 (F0/0 on the outside, F0/1 toward the INTERNET); R2 (F0/0 on the dmz).
NOTE:
Before you move further, verify and clear any existing NAT translations configured on the security appliance
ASA1(config)#clear configure nat
ASA1(config)#clear configure global
ASA1(config)#clear configure static
Task1:
Configure Static NAT such that the IP address 10.0.1.10 is translated to 192.168.1.10 when this host is going outside
Task2:
Configure Static PAT so that the telnet session initiated from PC1 to the inside interface of ASA1 is redirected to R2 telnet server.
Task3:
Configure Static PAT such that connections to port 8080 from PC1 to the inside interface of ASA1 are redirected to the router R1 web server
Task1:
Configure Static NAT such that the IP address 10.0.1.10 is translated to 192.168.1.10 when this host is going outside
Step1: Configure a static NAT rule on ASA1 and verify the configuration
ASA1(config)#static (inside,outside) 192.168.1.10 10.0.1.10
ASA1(config)#show nat

NAT policies on Interface inside:
  match ip inside host 10.0.1.10 outside any
    static translation to 192.168.1.10
    translate_hits = 1, untranslate_hits = 0
Step2: Now verify the configuration by establishing a telnet session from PC1 to R1
Task2:
Configure Static PAT so that the telnet session initiated from PC1 to the inside interface of ASA1 is redirected to R2 telnet server.
Step1: Configure a static NAT rule on ASA1 and verify the configuration
ASA1(config)#static (dmz,inside) tcp interface 23 172.16.1.2 23
ASA1(config)#show xlate
2 in use, 2 most used
PAT Global 10.0.1.1(23) Local 172.16.1.2(23)
Global 192.168.1.10 Local 10.0.1.10
Step2: Initiate a telnet session from PC1 to 10.0.1.1 (R2) for verification
C:\Documents and Settings\netmetric>telnet 10.0.1.1

User Access Verification

Password: cisco
R2>show user
    Line       User
   0 con 0
* 66 vty 0
  Interface    User
Task3:
Configure Static PAT such that connections to port 8080 from PC1 to the inside interface of ASA1 are redirected to the router R1 web server
Step1: Configure the static NAT on ASA1 and verify the configuration
ASA1(config)#static (outside,inside) tcp interface 8080 192.168.1.1 80
ASA1(config)#show xlate
3 in use, 3 most used
PAT Global 10.0.1.1(23) Local 172.16.1.2(23)
PAT Global 10.0.1.1(8080) Local 192.168.1.1(80)
Global 192.168.1.10 Local 10.0.1.10
Step3: Open the web browser http://10.0.1.1:8080 from PC1, the password for the session would be cisco
LAB 03
Configure Dynamic Policy NAT
Topology diagram: PC1 sits on the inside network behind ASA1 (E0/1 inside, E0/0 outside, E0/2 dmz); R1 (F0/0 on the outside, F0/1 toward the INTERNET); R2 (F0/0 on the dmz).
NOTE:
Before you move further, verify and clear any existing NAT translations configured on the security appliance.
ASA1(config)#clear configure nat
ASA1(config)#clear configure global
ASA1(config)#clear configure static
Task1:
Configure the security appliance so that ICMP packets going from inside to outside are translated to the IP address 192.168.1.10, i.e. PAT
Task2:
Configure the security appliance so that telnet packets going from inside to outside are translated to the IP address 192.168.1.11, i.e. PAT
Task3:
Configure the security appliance so that traffic other than ICMP and Telnet uses the outside interface IP address when going from inside to outside
Task1:
Configure the security appliance so that ICMP packets going from inside to outside are translated to the IP address 192.168.1.10, i.e. PAT
Step1: Configure the access-list policies on ASA1
ASA1(config)#access-list ICM permit icmp any any
Step2: Configure the local NAT rules and global pool on ASA1 and verify it
ASA1(config)#nat (inside) 1 access-list ICM
ASA1(config)#global (outside) 1 192.168.1.10
INFO: Global 192.168.1.10 will be Port Address Translated
ASA1(config)#show nat

NAT policies on Interface inside:
  match icmp inside any outside any
    dynamic translation to pool 1 (192.168.1.10)
    translate_hits = 2, untranslate_hits = 1
  match icmp inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match icmp inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
Step4: Check the destination IP in the icmp echo reply on R1 using debug feature
R1#debug ip icmp
ICMP packet debugging is on
R1#
*Sep 2 06:35:11.267: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.10
*Sep 2 06:35:12.259: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.10
*Sep 2 06:35:13.259: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.10
*Sep 2 06:35:14.259: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.10
Task2:
Configure the security appliance so that telnet packets going from inside to outside are translated to the IP address 192.168.1.11, i.e. PAT
Step1: Configure the access-list policies on ASA1
ASA1(config)#access-list TLN permit tcp any any eq telnet
Step2: Configure the local NAT rules and global pool on ASA1 and verify it
ASA1(config)# nat (inside) 2 access-list TLN
ASA1(config)# global (outside) 2 192.168.1.11
INFO: Global 192.168.1.11 will be Port Address Translated

ASA1(config)# show run nat
nat (inside) 1 access-list IC
nat (inside) 2 access-list TL

ASA1(config)# show run global
global (outside) 1 192.168.1.10
global (outside) 2 192.168.1.11
Task3:
Configure the security appliance so that traffic other than ICMP and Telnet uses the outside interface IP address when going from inside to outside
Step1: Configure the local NAT rules and global pool on ASA1 and verify the configuration
ASA1(config)#show run nat
nat (inside) 1 access-list IC
nat (inside) 2 access-list TL
nat (inside) 3 0.0.0.0 0.0.0.0

ASA1(config)#show run global
global (outside) 1 192.168.1.10
global (outside) 2 192.168.1.11
global (outside) 3 interface
ASA1(config)#show nat

NAT policies on Interface inside:
  match icmp inside any outside any
    dynamic translation to pool 1 (192.168.1.10)
    translate_hits = 2, untranslate_hits = 1
  match icmp inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match icmp inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match tcp inside any outside any eq 23
    dynamic translation to pool 2 (192.168.1.11)
    translate_hits = 0, untranslate_hits = 0
  match tcp inside any inside any eq 23
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match tcp inside any dmz any eq 23
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 3 (192.168.1.2 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 3 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz any
    dynamic translation to pool 3 (No matching global)
    translate_hits = 0, untranslate_hits = 0
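The `show nat` listing above is the appliance's own view of which rule each flow will hit. As an added example that is not ASA code or part of the workbook, the following Python models the pre-8.3 match order the labs rely on (static NAT/PAT first, then policy dynamic NAT in configuration order, then regular dynamic NAT; a matched nat id with no global on the egress interface is reported as "No matching global") using this lab's rules plus the Lab 04 static policy entry; the `packet()` helper and the ordering are assumptions stated in the code.

```python
"""Model the pre-8.3 ASA NAT match order used by the Dynamic and Static Policy NAT labs.

Assumptions (constructed example, not ASA code): static NAT/PAT is checked first, then
policy dynamic NAT (nat <id> access-list) in configuration order, then regular dynamic
NAT by most specific real network; a matched nat id with no global on the egress
interface is reported as "No matching global", as the lab's 'show nat' prints it.
"""
from ipaddress import IPv4Address, IPv4Network

PORT_NAMES = {"telnet": 23, "www": 80, "http": 80}
ANY = IPv4Network("0.0.0.0/0")


def parse_ace(line):
    """'permit tcp any any eq telnet' -> (proto, src_net, dst_net, dport or None)."""
    tok = line.split()
    proto, i, nets = tok[1], 2, []
    for _ in range(2):                                   # source, then destination
        if tok[i] == "any":
            nets.append(ANY); i += 1
        elif tok[i] == "host":
            nets.append(IPv4Network(tok[i + 1] + "/32")); i += 2
        else:                                            # ASA ACLs use real netmasks
            nets.append(IPv4Network(f"{tok[i]}/{tok[i + 1]}")); i += 2
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return proto, nets[0], nets[1], dport


def ace_matches(ace, pkt):
    proto, src, dst, dport = ace
    return ((proto == "ip" or proto == pkt["proto"])
            and pkt["src"] in src and pkt["dst"] in dst
            and (dport is None or dport == pkt.get("dport")))


def pool_for(nat_id, out_if, globals_):
    """Look up the global pool for (egress interface, nat id); None mirrors 'No matching global'."""
    pool = globals_.get((out_if, nat_id))
    if pool is None:
        return f"nat {nat_id}: No matching global on {out_if}", None
    return f"nat {nat_id} -> {pool}", pool


def translate(pkt, statics, policy_nats, dynamic_nats, globals_):
    """Return (explanation, mapped address) for one packet leaving pkt['out_if']."""
    for s in statics:                                    # 1. static (regular or policy) wins
        if ((s["in_if"], s["out_if"]) == (pkt["in_if"], pkt["out_if"])
                and any(ace_matches(a, pkt) for a in s["acl"])):
            return f"static -> {s['mapped']}", s["mapped"]
    for n in policy_nats:                                # 2. policy dynamic NAT, config order
        if n["in_if"] == pkt["in_if"] and any(ace_matches(a, pkt) for a in n["acl"]):
            return pool_for(n["id"], pkt["out_if"], globals_)
    for n in sorted(dynamic_nats, key=lambda r: -r["real"].prefixlen):   # 3. most specific
        if n["in_if"] == pkt["in_if"] and pkt["src"] in n["real"]:
            return pool_for(n["id"], pkt["out_if"], globals_)
    return "no translation", None


# Lab 03 rule set: nat (inside) 1 access-list ICM, nat (inside) 2 access-list TLN, nat (inside) 3 0 0
POLICY_NATS = [
    {"in_if": "inside", "id": 1, "acl": [parse_ace("permit icmp any any")]},
    {"in_if": "inside", "id": 2, "acl": [parse_ace("permit tcp any any eq telnet")]},
]
DYNAMIC_NATS = [{"in_if": "inside", "id": 3, "real": ANY}]
GLOBALS = {("outside", 1): "192.168.1.10", ("outside", 2): "192.168.1.11",
           ("outside", 3): "192.168.1.2 [Interface PAT]"}
# Lab 04 Task1: static (inside,outside) 192.168.1.10 access-list PC1
STATIC_PC1 = [{"in_if": "inside", "out_if": "outside", "mapped": "192.168.1.10",
               "acl": [parse_ace("permit ip host 10.0.1.10 any")]}]


def packet(proto, src, dst, out_if, dport=None, in_if="inside"):
    """Hypothetical helper building the flow tuple the model evaluates."""
    return {"proto": proto, "src": IPv4Address(src), "dst": IPv4Address(dst),
            "dport": dport, "in_if": in_if, "out_if": out_if}


if __name__ == "__main__":
    for p in (packet("icmp", "10.0.1.10", "192.168.1.1", "outside"),
              packet("tcp", "10.0.1.10", "192.168.1.1", "outside", dport=23),
              packet("tcp", "10.0.1.10", "192.168.1.1", "outside", dport=80),
              packet("icmp", "10.0.1.10", "172.16.1.2", "dmz")):
        print(translate(p, [], POLICY_NATS, DYNAMIC_NATS, GLOBALS)[0])
```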
Step2: Establish a connection using the web browser from PC1 to R1 using the address http://192.168.1.1 and give the login password cisco when prompted
Step3: Enter the enable privilege password cisco
NOTE:
On successful authentication you should be able to access the R1 SDM or configuration
Step4: On ASA1, verify the outside interface IP (Global IP) in the IP translation table
ASA1(config)#show xlate
12 in use, 12 most used
PAT Global 192.168.1.2(1035) Local 10.0.1.10(1582)
PAT Global 192.168.1.2(1034) Local 10.0.1.10(1580)
PAT Global 192.168.1.2(1033) Local 10.0.1.10(1578)
PAT Global 192.168.1.2(1032) Local 10.0.1.10(1573)
PAT Global 192.168.1.2(1031) Local 10.0.1.10(1571)
PAT Global 192.168.1.2(1030) Local 10.0.1.10(1569)
PAT Global 192.168.1.2(1029) Local 10.0.1.10(1567)
PAT Global 192.168.1.2(1028) Local 10.0.1.10(1565)
PAT Global 192.168.1.2(1027) Local 10.0.1.10(1563)
PAT Global 192.168.1.2(1026) Local 10.0.1.10(1561)
PAT Global 192.168.1.2(1025) Local 10.0.1.10(1559)
PAT Global 192.168.1.2(1024) Local 10.0.1.10(1557)
LAB 04
Configure Static Policy NAT and PAT
[Topology diagram: PC1 on the inside (ASA1 E0/1); R1 on the outside (ASA1 E0/0 to R1 F0/0, R1 F0/1 to the Internet); R2 on the dmz (ASA1 E0/2 to R2 F0/0)]
NOTE:
Before you move further, verify and clear any existing NAT translations configured on the security appliance.
ASA1(config)#clear configure nat
ASA1(config)#clear configure global
ASA1(config)#clear configure static
Task1:
Configure Static NAT on the Security Appliance using an access-list such that the IP address assigned to PC1, i.e. 10.0.1.10, is translated to 192.168.1.10 when it is going outside
Task2:
Configure Static Policy PAT on the security appliance such that telnet connections to the inside interface of ASA1 from 10.0.1.0/24 are redirected to the router R2 telnet server in the DMZ
Task3:
Configure Static Policy PAT such that connections to port 8080 on the inside interface of ASA1 from 10.0.1.0/24 are redirected to the router R1 web server
Task1:
Configure Static NAT on the Security Appliance using an access-list such that the IP address assigned to PC1, i.e. 10.0.1.10, is translated to 192.168.1.10 when it is going outside
Step1: Configure the access-list policy on ASA1
ASA1(config)#access-list PC1 permit ip host 10.0.1.10 any
Step2: Configure the static NAT rule on ASA1 and verify the configuration
ASA1(config)#static (inside,outside) 192.168.1.10 access-list PC1
ASA1(config)#show nat
NAT policies on Interface inside:
  match ip inside host 10.0.1.10 outside any
    static translation to 192.168.1.10
    translate_hits = 0, untranslate_hits = 0
Task2:
Configure Static Policy PAT on the security appliance such that telnet connections to the inside interface of ASA1 from 10.0.1.0/24 are redirected to the router R2 telnet server in the DMZ
Step1: Configure the access-list policy on ASA1
ASA1(config)#access-list TLN permit tcp host 172.16.1.2 eq 23 10.0.1.0 255.255.255.0
Step4: Verify the task by initiating a telnet session from PC1 to 10.0.1.1, i.e. the inside interface of ASA1
C:\Documents and Settings\netmetric>telnet 10.0.1.1
User Access Verification
Password: cisco
R2>show user
    Line       User
*  66 vty 0
  Interface    User
Task3:
Configure Static Policy PAT such that connections to port 8080 on the inside interface of ASA1 from 10.0.1.0/24 are redirected to the router R1 web server
Step1: Configure the access-list policy on ASA1
ASA1(config)#access-list WEB permit tcp host 192.168.1.1 eq 80 10.0.1.0 255.255.255.0
Step5: Establish a connection using the web browser from PC1 to the address http://10.0.1.1:8080 and give the login password cisco when prompted
Step6: Enter the enable privilege password cisco
NOTE:
On successful authentication you should be able to access the R1 SDM or configuration
Step7: On ASA1, verify the connection table
ASA1(config)#show conn
9 in use, 11 most used
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2212 idle 0:00:00 bytes 0 flags aA
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2210 idle 0:00:00 bytes 1773 flags UIO
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2208 idle 0:00:00 bytes 8713 flags UfFRIO
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2206 idle 0:00:00 bytes 13791 flags UIO
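The translation and connection tables shown in this lab are what an operator reads when checking whether NAT and PAT behave as intended. As an added example (not part of the original workbook), the following Python parses `show xlate` and `show conn` lines in the format printed on this page, counts PAT ports per inside host, picks out the policy-PAT destinations (the mapped(real) form in the out column), and selects connections whose flags lack the U (up) bit, which are the half-open connections that an embryonic connection limit counts. The sample text is constructed to match the page; the helper names are this example's own.

```python
import re
from collections import Counter

# Constructed sample output in the format of the lab's "show xlate" and
# "show conn" (values modelled on the page, not a live capture).
SHOW_XLATE = """\
12 in use, 12 most used
PAT Global 192.168.1.2(1035) Local 10.0.1.10(1582)
PAT Global 192.168.1.2(1034) Local 10.0.1.10(1580)
PAT Global 192.168.1.2(1033) Local 10.0.1.10(1578)
Global 192.168.1.10 Local 10.0.1.10
"""

SHOW_CONN = """\
9 in use, 11 most used
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2212 idle 0:00:00 bytes 0 flags aA
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2210 idle 0:00:00 bytes 1773 flags UIO
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2208 idle 0:00:00 bytes 8713 flags UfFRIO
TCP out 10.0.1.1(192.168.1.1):80 in 10.0.1.10:2206 idle 0:00:00 bytes 13791 flags UIO
"""

# "PAT Global <ip>(<port>) Local <ip>(<port>)" or "Global <ip> Local <ip>" (static/dynamic NAT)
XLATE_RE = re.compile(
    r"^(?P<kind>PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?$"
)

# "TCP out <mapped>(<real>):<port> in <ip>:<port> idle h:mm:ss bytes N flags X"
CONN_RE = re.compile(
    r"^(?P<proto>\w+) out (?P<out_ip>[\d.]+)(?:\((?P<out_real>[\d.]+)\))?:(?P<out_port>\d+)"
    r" in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>[\d:]+) bytes (?P<bytes>\d+)"
    r" flags (?P<flags>\w+)$"
)


def parse_xlate(text):
    """One dict per translation line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pat"] = d.pop("kind") is not None
            rows.append(d)
    return rows


def parse_conn(text):
    """One dict per connection line; the byte counter is converted to int."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            rows.append(d)
    return rows


def pat_ports_per_local(xlates):
    """How many ports on the shared global address each inside host occupies."""
    c = Counter(x["lip"] for x in xlates if x["pat"])
    return dict(c)


def embryonic_conns(conns):
    """TCP connections without the U (up) flag: the handshake has not completed.
    These are what 'set connection embryonic-conn-max' counts."""
    return [c for c in conns if c["proto"] == "TCP" and "U" not in c["flags"]]


def policy_pat_targets(conns):
    """(mapped, real) destination pairs rewritten by static policy NAT/PAT,
    as for the port 8080 redirection to R1 in this lab."""
    return {(c["out_ip"], c["out_real"]) for c in conns if c["out_real"]}
```

Run against a saved `show conn` from the appliance, the embryonic list is the quickest way to see whether a burst of half-open connections is building up against one server before a connection limit is tuned.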
LAB 05
Configure Identity NAT, NAT exemption & NAT Control
[Topology diagram: PC1 on the inside (ASA1 E0/1); R1 on the outside (ASA1 E0/0 to R1 F0/0, R1 F0/1 to the Internet); R2 on the dmz (ASA1 E0/2 to R2 F0/0)]
NOTE:
Before you move further, verify and clear any existing NAT translations configured on the security appliance.
ASA1(config)#clear configure nat
ASA1(config)#clear configure global
ASA1(config)#clear configure static
Task1:
Enable NAT control on ASA1
Task2:
Configure NAT on ASA1 such that the inside network 10.0.1.0/24 is translated to itself (identity NAT)
Task3:
Configure NAT on ASA1 such that R2 is exempted from NAT
Task1:
Enable NAT control on ASA1
Step1: Configure NAT-Control on the security appliance and verify the configuration
ASA1(config)#show run nat-control
no nat-control
ASA1(config)#nat-control
ASA1(config)#show run nat-control
nat-control
NOTE:
After completing the above task, try to initiate a ping request from PC1 to R1; it will fail. To restore connectivity we have to configure identity NAT or NAT exemption, which is done in the next task
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Task2:
Configure NAT on ASA1 such that the inside network 10.0.1.0/24 is translated to itself (identity NAT)
Step1: Configure the identity NAT rule on ASA1
ASA1(config)#nat (inside) 0 10.0.1.0 255.255.255.0
nat 0 10.0.1.0 will be identity translated for outbound
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

ICMP packet debugging is on
ICMP: echo reply sent, src 192.168.1.1, dst 10.0.1.10
ICMP: echo reply sent, src 192.168.1.1, dst 10.0.1.10
ICMP: echo reply sent, src 192.168.1.1, dst 10.0.1.10
ICMP: echo reply sent, src 192.168.1.1, dst 10.0.1.10
Task3:
Configure NAT on ASA1 such that R2 is exempted from NAT
Step1: Initiate the ping from R2 to R1, which would fail
R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ICMP packet debugging is on
ICMP: echo reply sent, src 192.168.1.1, dst 172.16.1.2
ICMP: echo reply sent, src 192.168.1.1, dst 172.16.1.2
ICMP: echo reply sent, src 192.168.1.1, dst 172.16.1.2
ICMP: echo reply sent, src 192.168.1.1, dst 172.16.1.2
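The sequence in this lab (ping fails once nat-control is on, identity NAT restores the inside network, NAT exemption restores R2) is a matching order that can be written down and tested. The following Python is an added example and not ASA code: a simplified model of the outbound translation decision with nat-control on or off. The evaluation order assumed here (exemption first, then identity NAT and dynamic NAT with a global pool) is this example's assumption, interfaces are left implicit (rules are keyed on the real network), and static and policy NAT are not modelled.

```python
import ipaddress


def _net(s):
    return ipaddress.ip_network(s, strict=False)


class NatControlModel:
    """Simplified model of 'nat-control' for a packet leaving a higher-security
    interface. Assumed order: NAT exemption (nat 0 access-list), then dynamic
    rules, which include identity NAT (nat 0 without an access-list)."""

    def __init__(self, nat_control=False):
        self.nat_control = nat_control
        self.exemptions = []   # (real_net, peer_net): bidirectional, never translated
        self.identity = []     # real_net: outbound only, passes untranslated
        self.dynamic = []      # (real_net, mapped_ip): outbound only, translated

    def exempt(self, real, peer="0.0.0.0/0"):
        self.exemptions.append((_net(real), _net(peer)))

    def identity_nat(self, real):
        self.identity.append(_net(real))

    def dynamic_nat(self, real, mapped_ip):
        self.dynamic.append((_net(real), mapped_ip))

    def outbound(self, src, dst):
        """Decision for a packet from a higher- to a lower-security interface:
        (matching rule, source address the destination will see)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for real, peer in self.exemptions:
            if s in real and d in peer:
                return ("exempt", src)
        for real in self.identity:
            if s in real:
                return ("identity", src)
        for real, mapped in self.dynamic:
            if s in real:
                return ("dynamic", mapped)
        # No rule matched: with nat-control the packet is dropped,
        # without it the packet passes with its real address.
        return ("drop", None) if self.nat_control else ("untranslated", src)


def lab05_walkthrough():
    """Replays the three tasks of this lab against the model and returns the
    verdict for PC1 (10.0.1.10) and R2 (172.16.1.2) after each step."""
    asa = NatControlModel(nat_control=True)            # Task 1
    after_task1 = (asa.outbound("10.0.1.10", "192.168.1.1"),
                   asa.outbound("172.16.1.2", "192.168.1.1"))
    asa.identity_nat("10.0.1.0/24")                     # Task 2
    after_task2 = (asa.outbound("10.0.1.10", "192.168.1.1"),
                   asa.outbound("172.16.1.2", "192.168.1.1"))
    asa.exempt("172.16.1.0/24")                         # Task 3
    after_task3 = (asa.outbound("10.0.1.10", "192.168.1.1"),
                   asa.outbound("172.16.1.2", "192.168.1.1"))
    return after_task1, after_task2, after_task3
```

The walkthrough makes the lab's NOTE concrete: identity NAT for 10.0.1.0/24 does nothing for R2, because R2's real address matches no rule until the exemption is added.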
LAB 01
Configuring Object Grouping
Task1:
Allow access to the Application Servers from the outside
NOTE:
Use the minimum number of lines possible to accomplish access to these application servers
Task2:
Create a service group DMZ_SERVICES on ASA1 containing HTTP, HTTPS and FTP, and a network (host) group DMZ_SERVERS containing 192.168.1.8, 192.168.1.9 and 192.168.1.10, so that the group names can be applied to ACLs
Task1:
Allow access to the Application Servers from the outside
NOTE:
Use the minimum number of lines possible to accomplish access to these application servers
ASA1(config)#show run static
static (dmz,outside) 192.168.1.8 172.16.1.1 netmask 255.255.255.255
static (dmz,outside) 192.168.1.9 172.16.1.2 netmask 255.255.255.255
static (dmz,outside) 192.168.1.10 172.16.1.3 netmask 255.255.255.255
ASA1(config)#show run access-list
ASA1(config)#access-list 100 permit tcp any host 192.168.1.8 eq http
ASA1(config)#access-list 100 permit tcp any host 192.168.1.8 eq https
ASA1(config)#access-list 100 permit tcp any host 192.168.1.8 eq ftp
ASA1(config)#access-list 100 permit tcp any host 192.168.1.9 eq http
ASA1(config)#access-list 100 permit tcp any host 192.168.1.9 eq https
ASA1(config)#access-list 100 permit tcp any host 192.168.1.9 eq ftp
ASA1(config)#access-list 100 permit tcp any host 192.168.1.10 eq http
ASA1(config)#access-list 100 permit tcp any host 192.168.1.10 eq https
ASA1(config)#access-list 100 permit tcp any host 192.168.1.10 eq ftp
NOTE:
Before you move forward, please ensure you complete the following tasks to create object groups and use them in your configuration
1. Specify the type of object group that you want to create and configure a name for the group
2. Define the members of the object group
3. Apply the object group to an ACL
Task2:
Create a service group DMZ_SERVICES on ASA1 containing HTTP, HTTPS and FTP, and a network (host) group DMZ_SERVERS containing 192.168.1.8, 192.168.1.9 and 192.168.1.10, so that the group names can be applied to ACLs
ASA1(config)#object-group service DMZ_SERVICES tcp
ASA1(config-service)#port-object eq http
ASA1(config-service)#port-object eq https
ASA1(config-service)#port-object eq ftp
ASA1(config)#object-group network DMZ_SERVERS
ASA1(config-network)#network-object host 192.168.1.8
ASA1(config-network)#network-object host 192.168.1.9
ASA1(config-network)#network-object host 192.168.1.10
ASA1(config)#access-list 100 permit tcp any object-group DMZ_SERVERS object-group DMZ_SERVICES
ASA1(config)#access-group 100 in interface outside
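Object groups do not change what the appliance enforces: the single grouped ACE stands for the same nine entries written out by hand in Task 1. The Python below is an added example (not from the workbook) that expands a grouped ACE into its flat form, checks it against the hand-written ACL, and evaluates test flows first-match against the flat entries so the equivalence can be verified rather than assumed. Group and ACL names come from the page; the function names are this example's own.

```python
import itertools

# Members of the two groups created in Task 2 of this lab
DMZ_SERVICES = ["http", "https", "ftp"]                        # object-group service DMZ_SERVICES tcp
DMZ_SERVERS = ["192.168.1.8", "192.168.1.9", "192.168.1.10"]   # object-group network DMZ_SERVERS
PORT_NUMBERS = {"http": 80, "https": 443, "ftp": 21}


def expand_object_group_ace(name, action, proto, src, dst_hosts, dst_ports):
    """Expand one ACE written with object-groups into the flat ACEs it stands for,
    network members outer and service members inner."""
    return [f"access-list {name} {action} {proto} {src} host {h} eq {p}"
            for h, p in itertools.product(dst_hosts, dst_ports)]


def flat_task1_acl():
    """The nine-line ACL from Task 1 of this lab, written out by hand."""
    return [f"access-list 100 permit tcp any host {h} eq {p}"
            for h in ("192.168.1.8", "192.168.1.9", "192.168.1.10")
            for p in ("http", "https", "ftp")]


def permits(flat_acl, dst_ip, dst_port):
    """First-match evaluation of flat 'permit|deny tcp any host X eq Y' entries;
    a flow that matches nothing falls to the implicit deny."""
    for ace in flat_acl:
        parts = ace.split()
        # ['access-list', name, action, proto, src, 'host', ip, 'eq', port]
        if parts[3] != "tcp" or parts[4] != "any":
            continue
        port = PORT_NUMBERS.get(parts[8], parts[8])
        if parts[6] == dst_ip and port == dst_port:
            return parts[2] == "permit"
    return False


def grouped_matches_flat():
    """True when the grouped ACE from Task 2 enforces exactly the Task 1 ACL."""
    expanded = expand_object_group_ace("100", "permit", "tcp", "any", DMZ_SERVERS, DMZ_SERVICES)
    return expanded == flat_task1_acl()
```

When object groups are edited later, re-running the expansion against the intended flat list catches a member added to the wrong group (a port added to DMZ_SERVICES opens it on every server in DMZ_SERVERS at once).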
LAB 01
Application Aware Inspection
[Topology diagram: FTP Server 10.1.1.2 on the inside (ASA1 E0/1); ASA1 E0/0 to R1 F0/0 on the outside (200.1.1.2); R1 F0/1 to the Internet]
Task1:
Configure FTP to be inspected on port 2100 in addition to port 21. Do not use any access-list for this task
Netmetric Infosolutions (P) Limited Hyderabad, IN www.netmetric-solutions.com
Task2:
Enable Application inspection in the Default inspection policy for the ICMP
Task 3:
There is a FTP Server located at 10.1.1.2. Translate this server as 200.1.1.4 on the outside. Allow FTP traffic to this Server from the outside
Task4:
FTP connections to this server should be reset if they attempt to execute any of the following commands: put, rmd, rnfr, dele
Task 5:
Configure maximum number of incoming connections towards this FTP server to 400. Also, set the maximum number of half-open connections to this Web server to 200. Set the embryonic Timeout to 1 minute
Task1:
Configure FTP to be inspected on port 2100 in addition to port 21. Do not use any access-list for this task
ASA1:
class-map FTP2100
 match port tcp eq 2100
!
policy-map global_policy
 class FTP2100
  inspect ftp
Task2:
Enable Application inspection in the Default inspection policy for the ICMP
ASA1:
policy-map global_policy
 class inspection_default
  inspect icmp
Task3:
There is a FTP Server located at 10.1.1.2. Translate this server as 200.1.1.4 on the outside. Allow FTP traffic to this Server from the outside
ASA1:
static (inside,outside) 200.1.1.2 10.1.1.2
!
access-list 100 permit tcp any host 200.1.1.2 eq 21
Task4:
FTP connections to this server should be reset if they attempt to execute any of the following commands: put, rmd, rnfr, dele
ASA1:
policy-map type inspect ftp FTP1
 match request-command put rmd rnfr dele
  reset
!
access-list 100 permit tcp any host 200.1.1.2 eq 21
!
class-map class1
 match access-list 100
!
policy-map global_policy
 class class1
  inspect ftp strict FTP1
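What the `match request-command ... reset` policy does to the control channel can be followed with a small model. The Python below is an added example, not the appliance's inspection engine: it walks the client side of constructed FTP sessions and returns the verdict the policy would give. Two points in it are this example's assumptions: the ASA keywords put and get are mapped to the wire commands STOR and RETR (RFC 959 has no PUT or GET), and a line that is not a well-formed FTP command is treated as reset, a rough stand-in for the RFC checks that strict mode adds.

```python
# Assumption of this example: ASA 'match request-command' keywords 'put' and
# 'get' correspond to the STOR and RETR commands seen on the wire.
KEYWORD_TO_WIRE = {"put": "STOR", "get": "RETR"}


def blocked_wire_commands(keywords):
    """Translate the policy's keyword list into the set of wire commands to reset."""
    return {KEYWORD_TO_WIRE.get(k.lower(), k.upper()) for k in keywords}


# The four keywords from Task 4 of this lab
TASK4_BLOCKED = blocked_wire_commands(["put", "rmd", "rnfr", "dele"])


def inspect_ftp_control(client_lines, blocked=TASK4_BLOCKED):
    """Walk the client side of an FTP control channel.
    Returns ('reset', COMMAND) at the first blocked command,
            ('reset', line) for a line that is not a 3- or 4-letter FTP command
                            (this example's stand-in for strict-mode checks),
            ('allow', None) otherwise."""
    for raw in client_lines.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd = line.split(None, 1)[0]
        if not (cmd.isalpha() and 3 <= len(cmd) <= 4):
            return ("reset", line)
        if cmd.upper() in blocked:          # FTP commands are case-insensitive
            return ("reset", cmd.upper())
    return ("allow", None)


# Constructed sessions: sample input for this example, not captures from the lab.
READ_ONLY_SESSION = (
    "USER anonymous\nPASS guest@example.org\nPWD\nCWD pub\n"
    "TYPE I\nPASV\nRETR notes.txt\nQUIT\n"
)
UPLOAD_SESSION = "USER anonymous\nPASS guest@example.org\nTYPE I\nPASV\nstor upload.bin\n"
DELETE_SESSION = "USER alice\nPASS secret\nDELE old.txt\n"
RENAME_SESSION = "USER alice\nPASS secret\nRNFR a.txt\nRNTO b.txt\n"
MALFORMED_SESSION = "USER alice\n12 garbage\n"
```

The read-only session passes because RETR (the 'get' keyword) is not in the Task 4 list; lower-case `stor` is still reset, which is why the comparison is done on the upper-cased command.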
Task 5:
Configure maximum number of incoming connections towards this FTP server to 400. Also, set the maximum number of half-open connections to this Web server to 200. Set the embryonic Timeout to 1 minute
ASA1:
policy-map global_policy
 class class1
  set connection conn-max 400
  set connection embryonic-conn-max 200
  set connection timeout embryonic 0:1:0
LAB 02
URL Filtering
[Topology diagram: Websense server and PC1 on the inside (ASA1 E0/1); ASA1 E0/0 to R1 F0/0 on the outside; R1 F0/1 to the Internet]
Task 1:
A Websense server exists at 172.16.1.3. Configure ASA1 such that it should forward all web requests to Websense before it allows the access to Internet. If the Websense server is down, the web requests should be allowed to go out
Task2:
Configure ASA1 such that it also forwards all HTTPS and FTP requests to Websense before it allows access to the Internet. If the Websense server is down, the requests should be allowed to go out
Task 1:
A Websense server exists at 172.16.1.3. Configure ASA1 such that it should forward all web requests to Websense before it allows the access to Internet. If the Websense server is down, the web requests should be allowed to go out
NOTE:
The security appliance sends all URL requests to the Websense URL-filtering server at 172.16.1.3. The URL-filtering server determines whether requested URLs should be blocked. If the URL-filtering server goes offline, the security appliance allows all URL requests to continue without filtering.
ASA1:
url-server (dmz) vendor websense host 172.16.1.3 timeout 30 protocol TCP version 4
filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Task2:
Configure ASA1 such that it also forwards all HTTPS and FTP requests to Websense before it allows access to the Internet. If the Websense server is down, the requests should be allowed to go out
NOTE:
The security appliance sends all HTTPS and FTP URL requests to the URL-filtering server to be filtered. If the URL-filtering server goes offline, the security appliance allows all HTTPS and FTP URL requests to continue without filtering.
ASA1:
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
LAB 03
Malicious Active Code Filtering
Task1:
Configure ASA such that it filters ActiveX
[Topology diagram: PC1 on the inside (ASA1 E0/1); ASA1 E0/0 to R1 F0/0; R1 F0/1 to the Internet; ASA1 blocks ActiveX]
ASA1:
filter ActiveX 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
NOTE:
ActiveX blocking applies to web traffic on port 80 from any local host and to any foreign host.
Task2:
Configure ASA such that it filters Java
[Topology diagram: PC1 on the inside (ASA1 E0/1); ASA1 E0/0 to R1 F0/0; R1 F0/1 to the Internet; ASA1 blocks Java]
ASA1:
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
NOTE:
Java blocking applies to web traffic on port 80 from any local host and to any foreign host. Java programs and ActiveX controls can enable attackers to invade network systems. Cisco security appliances can be used to filter Java applets and block ActiveX controls.
MODULE 06
Context and Failover on the Security Appliance
Lab 01: Firewall Contexts.. Lab 02: Failover - Active/Standby Lab 03: Failover - Active/Active.. 78 87 98
LAB 01
Configuring Firewall Contexts
[Topology diagram: ASA1 with contexts CTX1 (E0/0 outside to R1 F0/0, E0/1 inside to PC1) and CTX2 (E0/3 outside to R2 F0/0, M0/0 inside to R3 F0/0)]
Task 1:
Enable the security appliance to support multiple contexts and verify the configuration
Task 2:
Configure Context CTX1 and CTX2 on ASA1 with CTX1.cfg and CTX2.cfg as config files respectively as per the given table and topology
Task 3:
Change the management interface m 0/0 allocated to context CTX2 to a regular data interface.
Task 4:
Configure Access-list on both the contexts to restore the basic connectivity and save the configuration on the security appliance
Task 5:
Configure the routers and PCs as per the diagram and table with their default route pointing to the security appliance
Task 6:
Verify the connectivity across the contexts
Table:
Host   Context   IP Address        Interface   Name      Security Level
ASA1   CTX1      192.168.1.1/24    e 0/0       outside   0
ASA1   CTX1      10.0.1.1/24       e 0/1       inside    100
ASA1   CTX2      192.168.31.1/24   e 0/3       outside   0
ASA1   CTX2      10.0.31.1/24      m 0/0       inside    100
R1     -         192.168.1.2/24    f 0/0       -         -
PC1    -         10.0.1.10/24      ethernet    -         -
R2     -         192.168.31.2/24   f 0/0       -         -
R3     -         10.0.31.2/24      f 0/0       -         -
Task 1:
Enable the security appliance to support multiple contexts and verify the configuration
ASA1(config)#show mode
Security context mode: single
ASA1(config)#mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]<enter>
Convert the system configuration? [confirm]<enter>
NOTE:
Below is the default configuration of a security appliance which supports multiple contexts
ASA1(config)#show running-configuration
ASA Version 8.0(2) <system>
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface Ethernet0/0
 shutdown
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Management0/0
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/1
  config-url disk0:/admin.cfg
!
prompt hostname context
Cryptochecksum:c156e4956700c7d5c6914ec2038e34fd
: end
Task 2:
Configure Context CTX1 and CTX2 on ASA1 with CTX1.cfg and CTX2.cfg as config files respectively as per the given table and topology
Step1: Bring all the interfaces to up state on ASA1
ASA1#configure terminal
ASA1(config)#
ASA1(config)#interface e0/0
ASA1(config-if)#no shutdown
ASA1(config-if)#interface e0/1
ASA1(config-if)#no shutdown
ASA1(config-if)#interface e0/2
ASA1(config-if)#no shutdown
ASA1(config-if)#interface e0/3
ASA1(config-if)#no shutdown
ASA1(config)#interface management 0/0
ASA1(config-if)#no shutdown
ASA1(config-if)#exit
NOTE:
Admin Context should be pre-configured before configuring any context on ASA1
Step2: On ASA1 from the system context, create Context CTX1 with config-url CTX1.cfg and allocate the interfaces e0/0, e0/1 to this context
ASA1(config)#context CTX1
Creating context 'CTX1'... Done. (2)
ASA1(config-ctx)#config-url disk0:/CTX1.cfg
WARNING: Could not fetch the URL disk0:/CTX1.cfg
INFO: Creating context with default config
ASA1(config-ctx)#allocate-interface e0/0
ASA1(config-ctx)#allocate-interface e0/1
ASA1(config-ctx)#exit
Step3: On ASA1 from the system context, create Context CTX2 with config-url CTX2.cfg and allocate the interfaces e0/3, m0/0 to this context
ASA1(config)#context CTX2
Creating context 'CTX2'... Done. (3)
ASA1(config-ctx)#config-url disk0:/CTX2.cfg
WARNING: Could not fetch the URL disk0:/CTX2.cfg
INFO: Creating context with default config
ASA1(config-ctx)#allocate-interface e0/3
ASA1(config-ctx)#allocate-interface m0/0
ASA1(config-ctx)#exit
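At this point the system context holds three contexts (admin, CTX1, CTX2), and mistakes in this section (a context without a config-url, an allocated interface that is still shut down in the system context, one interface allocated to two contexts) only surface later as failed traffic. The following Python is an added example, not workbook material: it parses the interface and context sections of a system configuration modelled on this lab and lists those findings. The shared-interface finding it reports for Ethernet0/0 and Ethernet0/1 comes from the default admin context keeping the same two interfaces that CTX1 is given in Step2; only the plain `allocate-interface <name>` form used on this page is parsed.

```python
from collections import defaultdict

# Constructed system-context configuration modelled on this lab after Step3
# (sample input for this example, not a device capture). Ethernet0/2 is left
# shut down and unallocated on purpose.
SYSTEM_CONFIG = """\
hostname ASA1
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
!
interface Management0/0
!
admin-context admin
context admin
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/1
  config-url disk0:/admin.cfg
!
context CTX1
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/1
  config-url disk0:/CTX1.cfg
!
context CTX2
  allocate-interface Ethernet0/3
  allocate-interface Management0/0
  config-url disk0:/CTX2.cfg
!
"""


def parse_system_config(text):
    """Return the admin context name, the interfaces shut down in the system
    context, and {context: {"interfaces": [...], "config_url": str or None}}."""
    admin, shutdown, contexts, section = None, set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("admin-context "):
            admin = line.split()[1]
        elif line.startswith("interface "):
            section = ("interface", line.split()[1])
        elif line.startswith("context "):
            name = line.split()[1]
            contexts.setdefault(name, {"interfaces": [], "config_url": None})
            section = ("context", name)
        elif section and section[0] == "interface" and line == "shutdown":
            shutdown.add(section[1])
        elif section and section[0] == "context" and line.startswith("allocate-interface "):
            contexts[section[1]]["interfaces"].append(line.split()[1])
        elif section and section[0] == "context" and line.startswith("config-url "):
            contexts[section[1]]["config_url"] = line.split()[1]
    return {"admin": admin, "shutdown": shutdown, "contexts": contexts}


def audit_contexts(cfg):
    """Findings a reviewer would raise before putting traffic through the contexts."""
    findings = []
    if cfg["admin"] not in cfg["contexts"]:
        findings.append(("no-admin-context", cfg["admin"]))
    owners = defaultdict(list)
    for name, ctx in cfg["contexts"].items():
        if ctx["config_url"] is None:
            findings.append(("missing-config-url", name))
        for ifc in ctx["interfaces"]:
            owners[ifc].append(name)
            if ifc in cfg["shutdown"]:
                # Allocated, but the physical port is down in the system context.
                findings.append(("allocated-but-shutdown", f"{ifc} -> {name}"))
    for ifc, names in owners.items():
        if len(names) > 1:
            # Shared between contexts: the appliance must be able to classify
            # incoming packets to one context, which this lab does not set up.
            findings.append(("shared-interface", f"{ifc}: {', '.join(names)}"))
    return findings
```

Run against the lab's own default configuration the audit shows why the admin context is worth re-pointing to a dedicated management port before CTX1 is brought up on Ethernet0/0 and Ethernet0/1.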
Step4: Configure the interfaces in context CTX1 with the appropriate nameif, security level and IP address as mentioned in the table above
ASA1(config)#changeto context CTX1
ASA1/CTX1(config)#show interface ip brief
Interface                  IP-Address      OK? Method Status
Ethernet0/0                unassigned      YES unset  down
Ethernet0/1                unassigned      YES unset  down
ASA1/CTX1(config)#
ASA1/CTX1(config)#interface e0/0
ASA1/CTX1(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1/CTX1(config-if)#security-level 0
ASA1/CTX1(config-if)#ip address 192.168.1.1 255.255.255.0
ASA1/CTX1(config-if)#no shutdown
ASA1/CTX1(config-if)#exit
ASA1/CTX1(config)#interface e0/1
ASA1/CTX1(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1/CTX1(config-if)#security-level 100
ASA1/CTX1(config-if)#ip address 10.0.1.1 255.255.255.0
ASA1/CTX1(config-if)#no shutdown
ASA1/CTX1(config-if)#exit
Step5: Configure the interfaces in context CTX2 with the appropriate nameif, security level and IP address as mentioned in the table above
ASA1(config)#changeto context CTX2
ASA1/CTX1(config)#
ASA1/CTX2(config)#interface e0/3
ASA1/CTX2(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1/CTX2(config-if)#security-level 0
ASA1/CTX2(config-if)#ip address 192.168.31.1 255.255.255.0
ASA1/CTX2(config-if)#no shutdown
ASA1/CTX2(config-if)#exit
ASA1/CTX2(config)#interface m0/0
ASA1/CTX2(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1/CTX2(config-if)#security-level 100
ASA1/CTX2(config-if)#ip address 10.0.31.1 255.255.255.0
ASA1/CTX2(config-if)#no shutdown
ASA1/CTX2(config-if)#exit
Task 3:
Change the management interface m 0/0 allocated to context CTX2 to a regular data interface.
ASA1/CTX2(config)#interface m0/0
ASA1/CTX2(config-if)#no management-only
Task 4:
Configure Access-list on both the contexts to restore the basic connectivity and save the configuration on the security appliance
Step1: Configure the inbound access-list on outside interface of the context CTX1
ASA1(config)#changeto context CTX1
ASA1/CTX1(config)#access-list OUT_IN permit icmp any any
ASA1/CTX1(config)#access-group OUT_IN in interface outside
Step2: Configure the inbound access-list on outside interface of the context CTX2
ASA1(config)#changeto context CTX2
ASA1/CTX2(config)#access-list OUT_IN permit icmp any any
ASA1/CTX2(config)#access-group OUT_IN in interface outside
Task 5:
Configure the routers and PCs as per the diagram and table with their default route pointing to the security appliance
Step1: Configure the interface and default route on R1 as per the diagram
R1(config)#interface fa0/0
R1(config-if)#ip address 192.168.1.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
Step2: Configure the interface and default route on R2 as per the diagram
R2(config)#interface fa0/0
R2(config-if)#ip address 192.168.31.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.31.1
Step3: Configure the interface and default route on R3 as per the diagram
R3(config)#interface fa0/0
R3(config-if)#ip address 10.0.31.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#
R3(config)#ip route 0.0.0.0 0.0.0.0 10.0.31.1
Task 6:
Verify the connectivity across the contexts
Step1: Initiate the ping from PC1 to the ASA1/CTX1 inside interface
C:\Documents and Settings\netmetric>ping 10.0.1.1

Pinging 10.0.1.1 with 32 bytes of data:

Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255
Reply from 10.0.1.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.0.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Step2: Initiate the ping from PC1 to R1 both located in the context CTX1
C:\Documents and Settings\netmetric>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=1ms TTL=255
Reply from 192.168.1.2: bytes=32 time=1ms TTL=255
Reply from 192.168.1.2: bytes=32 time=1ms TTL=255
Reply from 192.168.1.2: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
Step4: Initiate the ping from R3 to R2 both located in the context CTX2
R3#ping 192.168.31.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.31.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
LAB 02
Failover Active/Standby
[Topology diagram: ASA1 and ASA2, each with contexts CTX1 (E0/0 outside to R1 F0/0, E0/1 inside to PC1) and CTX2 (E0/3 outside to R2 F0/0, M0/0 inside to R3 F0/0), connected by the failover link on E0/2]
NOTE:
Task 1:
Configure the Vlans on the switch as per the topology diagram.
Task 2:
Configure the standby ip address as per the table.
Task 3:
Configure the failover and monitoring interfaces for failover, and make sure ASA1 is active host for both context CTX1 and CTX2 and ASA2 acts as the Standby host respectively.
Task 4:
Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1.
Table:
Host   Interface   Nameif               Security Level   IP Address         Standby IP Address
ASA1   e 0/0       outside              0                192.168.1.1/24     192.168.1.7/24
ASA1   e 0/1       inside               100              10.0.1.1/24        10.0.1.7/24
ASA1   e 0/3       outside              0                192.168.31.1/24    192.168.31.7/24
ASA1   m 0/0       inside               100              10.0.31.1/24       10.0.31.7/24
ASA1   e 0/2       Failover Interface   -                172.17.1.1/24      172.17.1.7/24
R1     f 0/0       -                    -                192.168.1.2/24     -
PC1    ethernet    -                    -                10.0.1.10/24       -
R2     f 0/0       -                    -                192.168.31.2/24    -
R3     f 0/0       -                    -                10.0.31.2/24       -
Task1:
Configure the vlans on the switch as per the topology diagram.
Step1: Configure the interfaces of the devices in the same switch vlans as per the topology diagram.
Switch(config)#interface range fa0/3 , fa0/13 , fa0/23
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 13
Switch(config-if-range)#exit
Switch(config)#interface range fa0/10 , fa0/20 , fa0/30
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config)#interface range fa0/1 , fa0/11 , fa0/21
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 11
Switch(config-if-range)#exit
Switch(config)#interface range fa0/2 , fa0/12 , fa0/22
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 12
Switch(config-if-range)#exit
Task2:
Configure the standby ip address as per the table.
Step1: Add the standby ip address to ASA1 context CTX1 configuration as per the table.
ASA1/CTX1(config)#interface e0/0
ASA1/CTX1(config-if)#ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7
ASA1/CTX1(config-if)#exit
ASA1/CTX1(config)#interface e0/1
ASA1/CTX1(config-if)#ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7
ASA1/CTX1(config-if)#exit
Step3: Add the standby ip address to ASA1 context CTX2 configuration as per the table.
ASA1/CTX1(config)#changeto context CTX2
ASA1/CTX2(config)#
ASA1/CTX2(config)#interface e0/3
ASA1/CTX2(config-if)#ip address 192.168.31.1 255.255.255.0 standby 192.168.31.7
ASA1/CTX2(config-if)#exit
ASA1/CTX2(config)#interface m0/0
ASA1/CTX2(config-if)#ip address 10.0.31.1 255.255.255.0 standby 10.0.31.7
ASA1/CTX2(config-if)#exit
ASA1/CTX2(config)#
Task3:
Configure the failover and monitoring interfaces for failover, and make sure ASA1 is active host for both context CTX1 and CTX2 and ASA2 acts as the Standby host respectively.
Step1: Configure failover on ASA1.
ASA1/CTX2(config)#changeto system
ASA1(config)#failover lan unit primary
ASA1(config)#failover lan interface failover ethernet0/2
INFO: Non-failover interface config is cleared on Ethernet0/2 and its subinterfaces
ASA1(config)#failover link failover ethernet0/2
ASA1(config)#failover interface ip failover 172.17.1.1 255.255.255.0 standby 172.17.1.7
ASA1(config)#failover
Step4: Verify the Security Context Mode and Firewall mode on ASA2.
ASA2(config)#show mode
Security context mode: multiple
ASA2(config)#show firewall
Firewall mode: Router
    CTX1 Interface inside (10.0.1.1): Normal
    CTX2 Interface outside (192.168.31.1): Normal
    CTX2 Interface inside (10.0.31.1): Normal
  slot 1: empty
Other host: Secondary - Standby Ready
  Active time: 0 (sec)
  slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
    CTX1 Interface outside (192.168.1.7): Normal
    CTX1 Interface inside (10.0.1.7): Normal
    CTX2 Interface outside (192.168.31.7): Normal
    CTX2 Interface inside (10.0.31.7): Normal
  slot 1: empty

Stateful Failover Logical Update Statistics
  Link : failover Ethernet0/2 (up)
  Stateful Obj    xmit       xerr       rcv        rerr
  General         53         0          49         0
  sys cmd         49         0          49         0
  up time         0          0          0          0
  RPC services    0          0          0          0
  TCP conn        0          0          0          0
  UDP conn        0          0          0          0
  ARP tbl         4          0          0          0
  Xlate_Timeout   0          0          0          0
  SIP Session     0          0          0          0

  Logical Update Queue Information
                  Cur     Max     Total
  Recv Q:         0       1       49
  Xmit Q:         0       1       53
Task4:
Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1.
Step1: Initiate a telnet session from PC1 to R1.
C:\Documents and Settings\netmetric>telnet 192.168.1.2
User Access Verification
Password: cisco
R1>show user
    Line       User
   0 con 0
*  66 vty 0
  Interface    User
Step2: While keeping the telnet session open shutdown the outside interface of ASA1 on the switch
Switch(config)#interface fa0/10
Switch(config-if)#shutdown
Switch(config-if)#
02:06:30: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
02:06:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down
Step3: Verify that the telnet session did not break during step 2 i.e. during failover.
R1> <enter>
R1> <enter>
R1> <enter>
    User       Host(s)    Idle       Location
               idle       00:00:11
Step6: Now restore back to normal the outside interface of ASA1/CTX1 i.e no shutdown the respective interface on the switch.
Switch(config)#interface fa0/10
Switch(config-if)#no shut
Switch(config-if)#exit
02:11:02: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
02:11:02: %SYS-5-CONFIG_I: Configured from console by console
02:11:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up
    CTX2 Interface inside (10.0.31.7): Normal
  slot 1: empty
Other host: Secondary - Active
  Active time: 654 (sec)
  slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
    CTX1 Interface outside (192.168.1.1): Normal
    CTX1 Interface inside (10.0.1.1): Normal
    CTX2 Interface outside (192.168.31.1): Normal
    CTX2 Interface inside (10.0.31.1): Normal
  slot 1: empty

Stateful Failover Logical Update Statistics
  Link : failover Ethernet0/2 (up)
  Stateful Obj    xmit       xerr       rerr
  General         587        0          0
  sys cmd         573        0          0
  up time         0          0          0
  RPC services    0          0          0
  TCP conn        8          0          0
  UDP conn        0          0          0
  ARP tbl         6          0          0
  Xlate_Timeout   0          0          0
  SIP Session     0          0          0

  Logical Update Queue Information
                  Cur     Max     Total
  Recv Q:         0       1       580
  Xmit Q:         0       1       587
NOTE:
Even after the outside interface of ASA1/CTX1 is restored to normal, ASA1 remains the standby host for both contexts CTX1 and CTX2, and ASA2 remains the active host.
Step1: To forcibly change the state of ASA1 from standby host back to active host, configure the following
ASA1(config)#failover active
Switching to Active
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 13:54:08 UTC Sep 13 2010
This host: Primary - Active
  Active time: 3833 (sec)
  slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
    CTX1 Interface outside (192.168.1.1): Normal
    CTX1 Interface inside (10.0.1.1): Normal
    CTX2 Interface outside (192.168.31.1): Normal
    CTX2 Interface inside (10.0.31.1): Normal
  slot 1: empty
Other host: Secondary - Standby Ready
  Active time: 677 (sec)
  slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
    CTX1 Interface outside (192.168.1.7): Normal
    CTX1 Interface inside (10.0.1.7): Normal
    CTX2 Interface outside (192.168.31.7): Normal
    CTX2 Interface inside (10.0.31.7): Normal
  slot 1: empty

Stateful Failover Logical Update Statistics
  Link : failover Ethernet0/2 (up)
  Stateful Obj    xmit       xerr       rerr
  General         598        0          0
  sys cmd         584        0          0
  up time         0          0          0
  RPC services    0          0          0
  TCP conn        8          0          0
  UDP conn        0          0          0
  ARP tbl         6          0          0
  Xlate_Timeout   0          0          0
  SIP Session     0          0          0

  Logical Update Queue Information
                  Cur     Max     Total
  Recv Q:         0       1       591
  Xmit Q:         0       1       598
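The `show failover` outputs in this lab and the NOTE above make the operational point: after the failed link is restored, the primary stays standby until `failover active` is issued (or preempt is configured in a failover group, as the next lab does). The Python below is an added example, not from the workbook: it parses the host and per-context interface lines of `show failover` in the Active/Standby layout and raises an alert when the primary is not active or any monitored interface is not Normal, which is the check a monitoring job would run after every failover event. The two excerpts are constructed to mirror the page's output; the function names are this example's own.

```python
import re

# Constructed 'show failover' excerpts modelled on this lab's output
# (sample input for this example, not device captures).
FAILED_OVER = """\
Failover On
Failover unit Primary
This host: Primary - Standby Ready
  Active time: 0 (sec)
  slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
    CTX1 Interface outside (192.168.1.7): Failed
    CTX1 Interface inside (10.0.1.7): Normal
    CTX2 Interface outside (192.168.31.7): Normal
    CTX2 Interface inside (10.0.31.7): Normal
Other host: Secondary - Active
  Active time: 654 (sec)
  slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
    CTX1 Interface outside (192.168.1.1): Normal
    CTX1 Interface inside (10.0.1.1): Normal
    CTX2 Interface outside (192.168.31.1): Normal
    CTX2 Interface inside (10.0.31.1): Normal
"""

RESTORED = """\
This host: Primary - Active
  Active time: 3833 (sec)
    CTX1 Interface outside (192.168.1.1): Normal
    CTX1 Interface inside (10.0.1.1): Normal
Other host: Secondary - Standby Ready
  Active time: 677 (sec)
    CTX1 Interface outside (192.168.1.7): Normal
    CTX1 Interface inside (10.0.1.7): Normal
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*(\w+) Interface (\w+) \(([\d.]+)\): (.+?)\s*$")


def parse_show_failover(text):
    """Collect each unit's role and state plus the per-context interface lines
    listed under it. Handles the Active/Standby layout; the per-group layout of
    Active/Active failover is not parsed here."""
    hosts, interfaces, current = {}, [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            _, role, state = m.groups()
            hosts[role] = state
            current = role
            continue
        m = IFACE_RE.match(line)
        if m and current:
            ctx, nameif, ip, state = m.groups()
            interfaces.append({"unit": current, "context": ctx, "nameif": nameif,
                               "ip": ip, "state": state})
    return {"hosts": hosts, "interfaces": interfaces}


def failover_alerts(parsed):
    """Conditions worth paging on. The first is exactly the lab's NOTE: once the
    link is back, the primary stays standby unless 'failover active' is issued
    or preempt is configured."""
    alerts = []
    primary = parsed["hosts"].get("Primary")
    if primary != "Active":
        alerts.append("primary unit is %s, not Active: failover has not been reverted" % primary)
    for i in parsed["interfaces"]:
        if i["state"] != "Normal":
            alerts.append("%s unit %s/%s (%s) is %s"
                          % (i["unit"], i["context"], i["nameif"], i["ip"], i["state"]))
    return alerts
```

Scheduled against both units, the second alert also catches the silent case where the standby unit's monitored interface has failed and the pair is running without a usable backup.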
LAB 03
Failover Active/Active
[Topology diagram: ASA1 and ASA2, each with contexts CTX1 (E0/0 outside to R1 F0/0, E0/1 inside to PC1) and CTX2 (E0/3 outside to R2 F0/0, M0/0 inside to R3 F0/0), connected by the failover link on E0/2]
NOTE:
Complete Lab 1 and Lab 2 of this module before starting this lab.
Task 1:
Configure the failover and monitoring interfaces for failover, and make sure ASA1 is active host for context CTX1 and standby host for context CTX2 and ASA2 should be a Standby host for context CTX1 and Active host for context CTX2 respectively.
Task 2:
Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1.
Table:
Host   Interface   Nameif               Security Level   IP Address         Standby IP Address
ASA1   e 0/0       outside              0                192.168.1.1/24     192.168.1.7/24
ASA1   e 0/1       inside               100              10.0.1.1/24        10.0.1.7/24
ASA1   e 0/3       outside              0                192.168.31.1/24    192.168.31.7/24
ASA1   m 0/0       inside               100              10.0.31.1/24       10.0.31.7/24
ASA1   e 0/2       Failover Interface   -                172.17.1.1/24      172.17.1.7/24
R1     f 0/0       -                    -                192.168.1.2/24     -
PC1    ethernet    -                    -                10.0.1.10/24       -
R2     f 0/0       -                    -                192.168.31.2/24    -
R3     f 0/0       -                    -                10.0.31.2/24       -
Task1:
Configure the failover and monitoring interfaces for failover, and make sure ASA1 is active host for context CTX1 and standby host for context CTX2 and ASA2 should be a Standby host for context CTX1 and Active host for context CTX2 respectively.
NOTE:
First disable failover before making any changes to the failover configuration.
Step1: Configure failover groups.
ASA1(config)# no failover
ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt
NOTE:
The "preempt" command makes the units switch roles automatically, the primary unit back to "active" and the secondary unit to "standby", once the failed interface or link is restored to normal after a failover. With it, the failover status does not have to be changed manually with the "failover enable" command.
Step2: Join the contexts CTX1 and CTX2 to failover groups 1 and 2 respectively, and enable failover.
ASA1(config)# context CTX1 ASA1(config-ctx)# join-failover-group 1 ASA1(config-ctx)# exit ASA1(config)# context CTX2 ASA1(config-ctx)# join-failover-group 2 ASA1(config-ctx)# exit ASA1(config)# ASA1(config)# failover
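The lab shows only the group 1 commands because the failover link and the context interfaces were built in Labs 1 and 2. As an added example (not the lab's own configuration), this is the complete set of commands on the primary unit that Task 1 implies, using the names and addresses from the table; it assumes the failover link is named "failover" on Ethernet0/2 (as the show failover output reports), that the interfaces were allocated to the contexts under their physical names, and that the secondary unit receives the same failover lan/link commands with "failover lan unit secondary".

```text
! Added example, not the lab's own configuration: system context of ASA1 (primary unit),
! multiple-context mode; names and addresses are taken from the table above.
failover lan unit primary
failover lan interface failover Ethernet0/2
failover link failover Ethernet0/2
failover interface ip failover 172.17.1.1 255.255.255.0 standby 172.17.1.7
!
! Group 1 prefers the primary unit (ASA1), group 2 the secondary unit (ASA2);
! preempt hands a group back to its preferred unit once that unit recovers.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Bind each context to its group (contexts not joined to a group default to group 1).
context CTX1
 join-failover-group 1
context CTX2
 join-failover-group 2
!
failover
!
! Inside each context: active plus standby address on every data interface, so the
! unit that becomes active for the group takes over the address, and interface
! monitoring so that a link loss on a monitored interface triggers the switchover.
changeto context CTX1
configure terminal
interface Ethernet0/0
 nameif outside
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7
interface Ethernet0/1
 nameif inside
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7
monitor-interface outside
monitor-interface inside
!
changeto context CTX2
configure terminal
interface Ethernet0/3
 nameif outside
 ip address 192.168.31.1 255.255.255.0 standby 192.168.31.7
interface Management0/0
 nameif inside
 ip address 10.0.31.1 255.255.255.0 standby 10.0.31.7
monitor-interface outside
monitor-interface inside
```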
Step3: Check the failover state with show failover on ASA1 (the surviving output starts at the slot information; ASA1 holds the active addresses for CTX1 and the standby addresses for CTX2).
   slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
     CTX1 Interface outside (192.168.1.1): Normal
     CTX1 Interface inside (10.0.1.1): Normal
     CTX2 Interface outside (192.168.31.7): Normal
     CTX2 Interface inside (10.0.31.7): Normal
   slot 1: empty
 Other host: Secondary
   Group 1 State:
          Active time:
   Group 2 State:
          Active time:
   slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
     CTX1 Interface outside (192.168.1.7): Normal
     CTX1 Interface inside (10.0.1.7): Normal
     CTX2 Interface outside (192.168.31.1): Normal
     CTX2 Interface inside (10.0.31.1): Normal
   slot 1: empty

 Stateful Failover Logical Update Statistics
   Link : failover Ethernet0/2 (up)
   Stateful Obj    xmit   xerr   rerr
   General         650    0      0
   sys cmd         636    0      0
   up time         0      0      0
   RPC services    0      0      0
   TCP conn        8      0      0
   UDP conn        0      0      0
   ARP tbl         6      0      0
   Xlate_Timeout   0      0      0
   SIP Session     0      0      0

   Logical Update Queue Information
                   Cur    Max    Total
Task 2:
Verify the failover by shutting down the outside monitored interface of ASA1/CTX1 during a telnet session from PC1 to R1.
Step1: Initiate a telnet session from PC1 to R1.
C:\Documents and Settings\netmetric>telnet 192.168.1.2

User Access Verification

Password: cisco
R1>show user
    Line       User
   0 con 0
*  66 vty 0
  Interface  User
Step2: While keeping the telnet session open, shut down the switch port connected to the outside interface of ASA1.
Switch(config)#interface fa0/10
Switch(config-if)#shutdown
Switch(config-if)#
02:06:30: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
02:06:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down
Step3: Verify that the telnet session did not break during step 2, i.e. during the failover.
R1> <enter>
R1> <enter>
R1> <enter>
Step4: Check the failover state with show failover: the CTX1 interfaces of ASA1 now carry the standby addresses and its outside interface reports No Link, while the other unit (ASA2) carries the active addresses for both contexts.
     outside (192.168.1.7): No Link (Waiting)
     inside (10.0.1.7): Normal
     outside (192.168.31.7): Normal
     inside (10.0.31.7): Normal
   slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
     CTX1 Interface outside (192.168.1.1): Normal (Waiting)
     CTX1 Interface inside (10.0.1.1): Normal (Waiting)
     CTX2 Interface outside (192.168.31.1): Normal
     CTX2 Interface inside (10.0.31.1): Normal
   slot 1: empty

 Stateful Failover Logical Update Statistics
   Link : failover Ethernet0/2 (up)
   Stateful Obj    xmit   xerr   rerr
   General         876    0      0
   sys cmd         862    0      0
   up time         0      0      0
   RPC services    0      0      0
   TCP conn        8      0      0
   UDP conn        0      0      0
   ARP tbl         6      0      0
   Xlate_Timeout   0      0      0
   SIP Session     0      0      0

   Logical Update Queue Information
                   Cur    Max    Total
   Recv Q:         0      1      869
   Xmit Q:         0      1      876
Step5: Now restore the outside interface of ASA1/CTX1 to normal, i.e. issue no shutdown on the corresponding switch port.
Switch(config)#interface fa0/10
Switch(config-if)#no shutdown
Switch(config-if)#exit
02:11:02: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
02:11:02: %SYS-5-CONFIG_I: Configured from console by console
02:11:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up
Step6: Check the failover state again with show failover: preempt has returned group 1 to ASA1, which holds the active addresses for CTX1 once more, while ASA2 remains active for CTX2.
   slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
     CTX1 Interface outside (192.168.1.1): Normal (Waiting)
     CTX1 Interface inside (10.0.1.1): Normal (Waiting)
     CTX2 Interface outside (192.168.31.7): Normal
     CTX2 Interface inside (10.0.31.7): Normal
   slot 1: empty
 Other host: Secondary
   Group 1 State:
          Active time:
   Group 2 State:
          Active time:
   slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
     CTX1 Interface outside (192.168.1.7): Normal (Waiting)
     CTX1 Interface inside (10.0.1.7): Normal (Waiting)
     CTX2 Interface outside (192.168.31.1): Normal
     CTX2 Interface inside (10.0.31.1): Normal
   slot 1: empty

 Stateful Failover Logical Update Statistics
   Link : failover Ethernet0/2 (up)
   Stateful Obj    xmit   xerr   rerr
   General         902    0      0
   sys cmd         888    0      0
   up time         0      0      0
   RPC services    0      0      0
   TCP conn        8      0      0
   UDP conn        0      0      0
   ARP tbl         6      0      0
   Xlate_Timeout   0      0      0
   SIP Session     0      0      0

   Logical Update Queue Information
                   Cur    Max    Total
   Recv Q:         0      1      895
   Xmit Q:         0      1      902
LAB 01
Configure Layer 2 Transparent Firewall
[Topology diagram: R1 and R2 on either side of ASA1 (E0/0, E0/1), with the Internet behind R1; the hosts 10.1.1.1 and 10.1.1.2 share one subnet across the transparent firewall.]
Task 1:
Configure the ASA as a Transparent Firewall.
Task 2:
Configure F0/0 as the outside interface with a security level of 0 and F0/1 as the inside interface with a security level of 100. Bring the interfaces up.
Netmetric Infosolutions (P) Limited Hyderabad, IN www.netmetric-solutions.com
Task 3:
Configure the ASA to allow R1 and R2 to communicate with each other and exchange routing information. R1 and R2 should run RIP v2 as the routing protocol.
Task 1:
Configure the ASA as a Transparent Firewall.
ASA1:
firewall transparent
Task 2:
Configure F0/0 as the outside interface with a security level of 0 and F0/1 as the inside interface with a security level of 100. Bring the interfaces up.
ASA1:
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
Task 3:
Configure the ASA to allow R1 and R2 to communicate with each other and exchange routing information. R1 and R2 should run RIP v2 as the routing protocol.
ASA1:
! RIP v2 updates are sent to the multicast group 224.0.0.9 on UDP port 520 (rip);
! in transparent mode they pass only if an ACL on each interface permits them.
access-list outside permit udp host 10.1.1.1 host 224.0.0.9 eq rip
access-list inside permit udp host 10.1.1.2 host 224.0.0.9 eq rip
!
access-group outside in interface outside
access-group inside in interface inside
LAB 01
Task 1:
Configure an IPsec tunnel to encrypt traffic from the 10.1.1.0/24 inside network of ASA1 to the 20.1.1.0/24 inside network of ASA2. Use the outside IP address of each ASA as the tunnel endpoint. Use the parameters below for the tunnel between ASA1 and ASA2.
ISAKMP parameters:
  Authentication: Pre-shared
  Encryption: 3DES
  Group: 2
  Hash: MD5
  Pre-Shared Key: netmetricccsp
IPsec parameters:
  Encryption: ESP-3DES
  Authentication: ESP-SHA-HMAC
NOTE:
You are allowed to create static routes for this lab.
ASA1:
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
! On ASA 7.x/8.x the peer's pre-shared key is set under a tunnel-group (the PIX-era
! "crypto isakmp key" form is not available); the key is the one given in the task.
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key netmetricccsp
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
! Interesting traffic: 10.1.1.0/24 to 20.1.1.0/24 (the /24 mask is 255.255.255.0)
access-list 111 permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer 192.168.1.2
crypto map mymap 10 set transform-set set1
crypto map mymap 10 match address 111
crypto map mymap interface outside
route outside 20.0.0.0 255.0.0.0 192.168.1.2
ASA2:
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key netmetricccsp
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
access-list 111 permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer 192.168.1.1
crypto map mymap 10 set transform-set set1
crypto map mymap 10 match address 111
crypto map mymap interface outside
route outside 10.0.0.0 255.0.0.0 192.168.1.1