Index: CCSP™ Lab Workbook v2.2 Securing Networks With ASA

CCSP Lab Workbook v2.
2 ASA
Securing Networks with
INDEX
Module 01: Configuring IOS FIREWALL
Lab 01: Classic IOS Firewall (CBAC). Lab 02: Zone Based Policy IOS Firewall (ZFW)... 04 05
Module 02: Routing Protocols on the Security Appliance

Lab 01: Configure RIP Lab 02: Configure OSPF... Lab 03: Configure EIGRP.. Lab 04: Configure Redistribution.. 19 24 28 32 35 42 48 55 60 66 70 73 75 78 87 98
Module 03: NAT on the Security Appliance

Lab 01: Configure Dynamic NAT and PAT. Lab 02: Configure Static NAT and PAT.. Lab 03: Configure Dynamic Policy NAT. Lab 04: Configure Static Policy NAT and PAT.. Lab 05: Configure Identity NAT, NAT Exemption, NAT Control.
Module 04: Object Grouping

Lab 01: Configuring Object Grouping..
Module 05: Application Inspection and Filtering

Lab 01: Application Aware Inspection. Lab 02: URL Filtering. Lab 03: Malicious Active Code Filtering..
Lab 01: Firewall Contexts. Lab 02: Failover - Active/Standby Lab 03: Failover - Active/Active....
Module 07: Transparent Firewall

Netmetric Infosolutions (P) Limited Hyderabad, IN www.netmetric-solutions.com
71
Module 06: Context and Failover on the Security Appliance
CCSP Lab Workbook v2.2 ASA
Lab 01: Configure Layer 2 Transparent Firewall.
107 110
Module 08: VPN on the Security Appliance

Lab 01: IPSec VPN Site to Site Tunnel.
Netmetric Infosolutions (P) Limited Hyderabad, IN
www.netmetric-solutions.com
71
MODULE 01: Configuring IOS FIREWALL

Lab 01: Classic IOS Firewall (CBAC). Lab 02: Zone Based Policy IOS Firewall (ZFW).. 04 05
71
LAB 01
Classic IOS Firewall (CBAC)
F0/ 0
Host A Internet
External Network F 0/ 0
R1
F 0/ 1 Internal Netw ork
Task 1:
Configure the interfaces with the following information Host R1 R1 Internet Host A IP Address 192.168.1.1/24 10.0.1.1/24 192.168.1.2/24 10.0.1.10/24 Interface f 0/0 f 0/1 f0/0 ethernet
Task 2:
Configure CBAC on router R1 to inspect icmp, telnet, ftp, http, smtp, tcp, udp, and dns traffic going from Host A to Internet.
Task 3:
Verify the CBAC configured on R1 by intitiating the respective traffic between Host A and Internet Router.
Task 1:
Configure the interfaces with the following information Step1: Configure the initial configs on Router R1 as per the table.
R1#configure terminal R1(config)#interface f0/0 R1(config-if)#ip address 192.168.1.1 255.255.255.0 R1(config-if)#no shutdown R1(config-if)#exit
71

R1(config)#interface f0/1 R1(config-if)#ip address 10.0.1.1 255.255.255.0 R1(config-if)#no shutdown R1(config-if)#exit
Step2: Configure the initial configs on Router Internet as per the table.
Internet# configure terminal Internet(config)#interface f0/0 Internet(config-if)#ip address 192.168.1.2 255.255.255.0 Internet(config-if)#no shutdown Internet(config-if)#exit Internet(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
Task 2:
Configure CBAC on router R1 to inspect icmp, telnet, ftp, http, smtp, tcp, udp, and dns traffic going from Host A to Internet. Step1: Configure the inspection rules with name myfw to inspect icmp, telnet, ftp, http, smtp, tcp, udp and dns on router R1.
R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip
inspect inspect inspect inspect inspect inspect inspect inspect
name name name name name name name name
myfw myfw myfw myfw myfw myfw myfw myfw
icmp telnet ftp http smtp tcp udp dns
Step2: Check the configured inspection rules on R1.
R1#show ip inspect name myfw Inspection name myfw smtp max-data 20000000 alert is on audit-trail is off timeout 3600 telnet alert is on audit-trail is off timeout 3600 icmp alert is on audit-trail is off timeout 10 ftp alert is on audit-trail is off timeout 3600 http alert is on audit-trail is off timeout 3600 tcp alert is on audit-trail is off timeout 3600 udp alert is on audit-trail is off timeout 30 dns alert is on audit-trail is off timeout 30
71
Step3: Configure the IP ACL to denying any IP traffic.

R1(config)#access-list 101 deny ip any any
Step4: Check the configured ACL.

R1#show access-lists 101 Extended IP access list 101 10 deny ip any any R1#
Step5: Now Apply the ACL 101 and the inspection rule myfw to either f0/0 or f0/1 interface of router R1 in the following direction as shown in the config.
NOTE:
Apply CBAC inspection to inbound traffic when configuring CBAC on an internal interface. Apply CBAC inspection to outbound traffic when configuring CBAC on an external interface.
Step5.1: CBAC configured on internal interface f0/1.

R1(config)#interface f0/1 R1(config-if)#ip inspect myfw in R1(config-if)#ip access-group 101 out R1(config-if)#exit
R1#show ip inspect interfaces Interface Configuration Interface FastEthernet0/1 Inbound inspection rule is myfw smtp max-data 20000000 alert is on audit-trail is off timeout 3600 telnet alert is on audit-trail is off timeout 3600 icmp alert is on audit-trail is off timeout 10 ftp alert is on audit-trail is off timeout 3600 http alert is on audit-trail is off timeout 3600 tcp alert is on audit-trail is off timeout 3600 udp alert is on audit-trail is off timeout 30
71
Step5.2: Check the Configuration on the interface.

dns alert is on audit-trail is off timeout 30 Outgoing inspection rule is not set Inbound access list is not set Outgoing access list is 101
(OR)
Step5.1: CBAC configured on external interface f0/0.

R1(config)#interface f0/0 R1(config-if)#ip inspect myfw out R1(config-if)#ip access-group 101 in R1(config-if)#exit
Step5.2: Check the Configuration on the interface.

R1#show ip inspect interfaces Interface Configuration Interface FastEthernet0/0 Inbound inspection rule is not set Outgoing inspection rule is myfw smtp max-data 20000000 alert is on audit-trail is off timeout 3600 telnet alert is on audit-trail is off timeout 3600 icmp alert is on audit-trail is off timeout 10 ftp alert is on audit-trail is off timeout 3600 http alert is on audit-trail is off timeout 3600 tcp alert is on audit-trail is off timeout 3600 udp alert is on audit-trail is off timeout 30 dns alert is on audit-trail is off timeout 30 Inbound access list is 101 Outgoing access list is not set
Task 3:
Step1: Ping from Host A to Internet router.

C:\Documents and Settings\netmetric> ping 192.168.1.2 Pinging 192.168.1.2 with 32 bytes of data: Reply from 192.168.1.2: bytes=32 time=1ms TTL=254 Reply from 192.168.1.2: bytes=32 time=1ms TTL=254 Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
71
Verify the CBAC configured on R1 by intitiating the respective between Host A and Internet Router.

Reply from 192.168.1.2: bytes=32 time=1ms TTL=254 Ping statistics for 192.168.1.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms
Step2: Check the CBAC inspection during the Ping on R1.

R1#sh ip inspect sessions Established Sessions Session 63DD3718 (10.0.1.10:8)=>(192.168.1.2:0) icmp SIS_OPEN
Step3: Now try to Ping to HostA from Internet router.

Internet# ping 10.0.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.1.10, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5)
71
LAB 02
Zone Based Policy IOS Firewall (ZFW)
F0/ 0
Host A Internet
F 0/ 0
R1
F 0/ 1
Public Zone
Private Zone
Task 1:
Configure the interfaces with the following information Host R1 R1 Internet Host A IP Address 192.168.1.1/24 10.0.1.1/24 192.168.1.2/24 10.0.1.10/24 Interface f 0/0 f 0/1 f0/0 ethernet
Task 2:
Configure ZFW on router R1 to inspect icmp, tcp and udp traffic going from Host A to Internet as per the topology diagram.
Task 3:
Verify the ZFW configured on R1 by intitiating the respective traffic between Host A and Internet Router.
Task 1:
Configure the interfaces with the following information Step1: Configure the initial configs on Router R1 as per the table.
R1#configure terminal R1(config)#interface f0/0 R1(config-if)#ip address 192.168.1.1 255.255.255.0 R1(config-if)#no shutdown R1(config-if)#exit R1(config)#interface f0/1
71

R1(config-if)#ip address 10.0.1.1 255.255.255.0 R1(config-if)#no shutdown R1(config-if)#exit
Step2: Configure the initial configs on Router Internet as per the table.
Internet# configure terminal Internet(config)#interface f0/0 Internet(config-if)#ip address 192.168.1.2 255.255.255.0 Internet(config-if)#no shutdown Internet(config-if)#exit Internet(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
Task 2:
Configure ZFW on router R1 to inspect icmp, tcp and udp traffic going from Host A to Internet as per the topology diagram. Step1: Configure the Security Zone names private and public as per the topology diagram.
R1(config)#zone security private R1(config-sec-zone)#exit R1(config)#zone security public R1(config-sec-zone)#exit R1(config)#
Step2: Now make the interface f0/1 of R1 as member of the configured private zone.
R1(config)#interface f0/0 R1(config-if)#zone-member security public R1(config-if)#exit
Step3: Now make the interface f0/0 of R1 as member of the configured public zone.
R1(config)#interface f0/1 R1(config-if)#zone-member security private R1(config-if)#exit
Step4: Check the configured Security Zones.

R1# show zone security zone self Description: System defined zone
zone private
71

Member Interfaces: FastEthernet0/1
zone public Member Interfaces: FastEthernet0/0
Step5: Configure the class map type inspect to match-any of the protocols i.e tcp, udp and icmp traffic with name myclass on R1.
R1(config)#class-map type inspect match-any myclass R1(config-cmap)#match protocol tcp R1(config-cmap)#match protocol udp R1(config-cmap)#match protocol icmp R1(config-cmap)#exit
Step6: Check the configuration.
R1#show class-map type inspect myclass Class Map type inspect match-any myclass (id 1) Match protocol tcp Match protocol udp Match protocol icmp
Step7: Configure the policy-map type inspect to inspect the selected traffic on R1 with name mypolicy.
R1(config)#policy-map type inspect mypolicy R1(config-pmap)#class type inspect myclass R1(config-pmap-c)#inspect R1(config-pmap-c)#exit R1(config-pmap)#exit
Step8: Check the configuration.

R1# show policy-map type inspect mypolicy Policy Map type inspect mypolicy Class myclass Inspect
71
Step9: Configure a security zone-pair mypair ,defining the path of the traffic ,where the private zone is the source and public zone is the destination.And then apply the policy-map mypolicy under it which is defining the policy rules i.e here its inspecting the traffic going from private zone to public zone.
R1(config)#zone-pair security mypair source private destination public R1(config-sec-zone-pair)#service-policy type inspect mypolicy R1(config-sec-zone-pair)#exit
Step10: Check the zone-pair configuration.
R1#show zone-pair security Zone-pair name mypair Source-Zone private Destination-Zone public service-policy mypolicy
R1#show policy-map type inspect zone-pair policy exists on zp mypair Zone-pair: mypair Service-policy inspect : mypolicy Class-map: myclass (match-any) Match: protocol tcp 16 packets, 448 bytes 30 second rate 0 bps Match: protocol udp 29 packets, 290 bytes 30 second rate 0 bps Match: protocol icmp 1 packets, 40 bytes 30 second rate 0 bps Inspect Packet inspection statistics [process switch:fast switch] tcp packets: [0:26] udp packets: [0:29] icmp packets: [0:8] Session creations since subsystem startup or last reset 46 Current session counts (estab/half-open/terminating) [0:27:0] Maxever session counts (estab/half-open/terminating) [0:45:0] Last session created 00:00:18
71

Last statistic reset never Last session creation rate 46 Maxever session creation rate 46 Last half-open session total 27 Class-map: class-default (match-any) Match: any Drop 0 packets, 0 bytes
Task 3:
Verify the ZFW configured on R1 by intitiating the respective traffic between Host A and Internet Router Step1: Ping from Host A to Internet router.
C:\Documents and Settings\netmetric> ping 192.168.1.2 Pinging 192.168.1.2 with 32 bytes of data: Reply Reply Reply Reply from from from from 192.168.1.2: 192.168.1.2: 192.168.1.2: 192.168.1.2: bytes=32 bytes=32 bytes=32 bytes=32 time=1ms time=1ms time=1ms time=1ms TTL=254 TTL=254 TTL=254 TTL=254
Ping statistics for 192.168.1.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms
Step2: Now try to Ping to HostA from Internet router.

Internet# ping 10.0.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.1.10, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
71
MODULE 02: Implementing VPNs

Lab 01: Configure site-site IPsec VPN using pre-shared keys 19 Lab 02: Configure OSPF... 24 Lab 03: Configure EIGRP. 28 Lab 04: Configure Redistribution.. 32
71
LAB 01
Configure site-site IPsec VPN using pre-shared keys
Site 1
10.0.1.0 R1
A
F0/ 0 F0/ 0
Site 2
R6
B
10.0.6.0
10.0.1.12
172.30.1.1
172.30.1.2
10.0.6.12
71
Task 1:
Configure the interfaces as per the topology diagram. Here the end hosts are interpreted by creating a loopback with respective ips on the routers.
Task 2:
Configure an IPsec site-site tunnel between R1 and R6 with the interface f0/0 ip address as peer address between them. Use "netmetric" as pre-shared key value for authentication and 3des/md5 as encryption and hashing algorithm for both ipec phases.
ISAKMP Parameters Authentication: Pre-shared Encryption: 3DES Group: 2 Hash: MD5 Pre-Shared Key: netmetric IPSec Parameters Encryption: ESP-3DES Authentication: ESP-MD5-HMAC Protect traffic between site 1 - 10.0.1.0/24 on R1 network and site 2 - 10.0.6.0/24 on R6 network.
Task 3:
Verify the task.
Task 1:
Configure the interfaces as per the topology diagram. Here the end hosts are interpreted by creating a loopback with respective ips on the routers. Step1: Configure the basic configuration on R1 as per the topology diagram.
71

R1(config)#interface f0/0 R1(config-if)#ip address 172.30.1.1 255.255.255.0 R1(config-if)#no shut R1(config-if)#exit R1(config)#interface loopback0 R1(config-if)#ip address 10.0.1.12 255.255.255.255 R1(config-if)#no shut R1(config-if)#exit
Step2: Configure the basic configuration on R6 as per the topology diagram.
R6(config)#interface f0/0 R6(config-if)#ip address 172.30.1.2 255.255.255.0 R6(config-if)#no shut R6(config-if)#exit R6(config)#interface loopback0 R6(config-if)#ip address 10.0.6.12 255.255.255.255 R6(config-if)#no shut R6(config-if)#exit R6(config)#
Step3: Check the connectivity between R1 and R6.
R6#ping 172.30.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
Task 2:
Step1.1: Enable ISAKMP on R1.
R1(config)#crypto isakmp enable
Step1.2: Create ISAKMP Policy with the given parameters on R1.
R1(config)#crypto isakmp policy 110 R1(config-isakmp)#encryption 3des R1(config-isakmp)#hash md5 R1(config-isakmp)#authentication pre-share
71

R1(config-isakmp)#group 2 R1(config-isakmp)#exit R1(config)#
Step1.3: Check the ISAKMP policy configuration.
R1#show crypto isakmp policy Global IKE policy Protection suite of priority 110 encryption algorithm: Three key triple DES hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #2 (1024 bit) lifetime: 86400 seconds, no volume limit
Step1.4: Configure ISAKMP identity as address.
R1(config)#crypto isakmp identity address
Step1.5: Configure pre-shared key value as netmetric with R6 address as peer..
R1(config)#crypto isakmp key netmetric address 172.30.1.2
Step1.6: Configure IPsec Transform set on R1 with given parameters.
R1(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac R1(cfg-crypto-trans)#mode tunnel R1(cfg-crypto-trans)#exit R1(config)#
Step1.7: Configure the crypto ACL to match the interesting traffic for encryption as given.
R1(config)#ip access-list extended 103 R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255 R1(config-ext-nacl)#exit R1(config)#
71
Step1.8: Configure the crypto map.

R1(config)#crypto map mymap 110 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. R1(config-crypto-map)#match address 103 R1(config-crypto-map)#set peer 172.30.1.2 R1(config-crypto-map)#set transform-set myset R1(config-crypto-map)#exit R1(config)#
Step1.9: Implement the crypto map on the outside interface f0/0 of R1.
R1(config)#interface f0/0 R1(config-if)#crypto map mymap R1(config-if)#exit R1(config)# *Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Step1.10: Check the configuration of cryptomap.

R1#show crypto map tag mymap Crypto Map "mymap" 110 ipsec-isakmp Peer = 172.30.1.2 Extended IP access list 103 access-list 103 permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255 Current peer: 172.30.1.2 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ myset: { esp-3des esp-md5-hmac } , } Interfaces using crypto map mymap: FastEthernet0/0
Step1.8: Check the configuration of cryptomap..

R1#show crypto map tag mymap Crypto Map "mymap" 110 ipsec-isakmp WARNING: This crypto map is in an incomplete state! (missing peer or access-list definitions) Peer = 172.30.1.2 Extended IP access list 110 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={
71

myset: { esp-3des esp-md5-hmac } Interfaces using crypto map mymap: } ,
R6(config)#crypto isakmp policy 110 R6(config-isakmp)#encryption 3des R6(config-isakmp)#hash md5 R6(config-isakmp)#authentication pre-share R6(config-isakmp)#group 2 R6(config-isakmp)#exit R6(config)#
R6#show crypto isakmp policy Global IKE policy Protection suite of priority 110 encryption algorithm: Three key triple DES hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #2 (1024 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit
71

Step2.5: Configure pre-shared key value as netmetric with R1 address as peer.
R6(config)#crypto isakmp key 0 netmetric address 172.30.1.1
R6(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac R6(cfg-crypto-trans)#mode tunnel R6(cfg-crypto-trans)#exit

R6(config)#crypto map mymap 110 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. R6(config-crypto-map)#match address 103 R6(config-crypto-map)#set peer 172.30.1.1 R6(config-crypto-map)#set transform-set myset R6(config-crypto-map)#exit
71
R6#show crypto map tag mymap Crypto Map "mymap" 110 ipsec-isakmp Peer = 172.30.1.1 Extended IP access list 103 access-list 103 permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255 Current peer: 172.30.1.1 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ myset, } Interfaces using crypto map mymap: FastEthernet0/0 FastEthernet0/0 R6#show crypto ipsec transform-set Transform set myset: { esp-3des esp-md5-hmac will negotiate = { Tunnel, },
Step3: Point 10.0.6.0/24 route to the the vpn tunnel initiation/termination point of R1.
R1(config)#ip route 10.0.6.0 255.255.255.0 172.30.1.2
R6(config)#ip route 10.0.1.0 255.255.255.0 172.30.1.1
Task4:
Verify the task.
NOTE:
Step1: Ping 10.0.1.12 from loopback 0 of R1.

R6# ping 10.0.1.12 source loopback 0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.1.12, timeout is 2 seconds: Packet sent with a source address of 10.0.6.12 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
71
The VPN tunnel will come up only when the router sees the intresting traffic which is to be encrypted.
Step2: Check the ISAKMP tunnel status.
R6#show crypto isakmp sa dst src 172.30.1.1 172.30.1.2
state QM_IDLE
conn-id slot status 1 0 ACTIVE
Step3: Check the IPSec tunnel status.

R6#show crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: mymap, local addr 172.30.1.2 protected vrf: (none) local ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0) current_peer 172.30.1.1 port 500 PERMIT, flags={origin_is_acl,ipsec_sa_request_sent} #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 current outbound spi: 0xEFAAF17A(4020957562) inbound esp sas: spi: 0xCF7A0D46(3480882502) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: AIM-VPN/BPII-PLUS:1, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4553597/3586) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xEFAAF17A(4020957562) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: AIM-VPN/BPII-PLUS:2, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4553597/3584)
71

IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
R1#ping 10.0.6.12 source loopback 0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.6.12, timeout is 2 seconds: Packet sent with a source address of 10.0.1.12 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src 172.30.1.1 172.30.1.2 IPv6 Crypto ISAKMP SA
state QM_IDLE
conn-id status 1001 ACTIVE
R1#show crypto ipsec sa PFS (Y/N): N, DH group: none interface: FastEthernet0/0 Crypto map tag: mymap, local addr 172.30.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0) current_peer 172.30.1.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 current outbound spi: 0xCF7A0D46(3480882502)
71
inbound esp sas: spi: 0xEFAAF17A(4020957562) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: FPGA:1, sibling_flags 80000046, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4483461/3495) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xCF7A0D46(3480882502) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: FPGA:2, sibling_flags 80000046, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4483461/3495) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
71
LAB 02
Configure site-site IPsec VPN using PKI.
R3 172.30.1.3
F0/ 0
Site 1
10.0.1.0 R1
A
F0/ 0
CA
Site 2
10.0.6.0
F0/ 0
R6
B
10.0.1.12
172.30.1.1
172.30.1.2
10.0.6.12
Task 1:
Task 1.5:
Configure the router R3 as IOS CA server for router R1 and R6.And do necessary configuration on R1 and R6 respectively to get their certificates from the CA server.
Task 2:
Configure an IPsec site-site tunnel between R1 and R6 with the interface f0/0 ip address as peer address between them.
71
Use RSA-Signatures for authentication and 3des/md5 as encryption and hashing algorithm for both ipec phases.
ISAKMP Parameters Authentication: RSA-Signature Encryption: 3DES Group: 2 Hash: MD5 IPSec Parameters Encryption: ESP-3DES Authentication: ESP-MD5-HMAC Protect traffic between site 1 - 10.0.1.0/24 on R1 network and site 2 - 10.0.6.0/24 on R6 network.
Task 3:
Verify the task.
Task 1:
71
Task 1.5:
Step1: Configure the basic CA server as in topology to give CA support to R1 and R6. Step1.1: Configure the basic configuration on R3 as per the topology diagram.
R3(config)#interface f0/0 R3(config-if)#ip address 172.30.1.3 255.255.255.0 R3(config-if)#no shut R3(config-if)#exit
Step1.2: Check connectivity from R3 to R1 and R2.
R3# ping 172.30.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.30.1.1, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 20/52/84 ms R3# ping 172.30.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.30.1.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/84 ms
71
Step1.3: Configure NTP make R3 as master and enroll rest as client to R3.
R3(config)# ntp master
R6(config)# ntp server 172.30.1.3
R1(config)# ntp server 172.30.1.3
Step1.4: Configure http server on R3 to support SCEP.
R3(config)# ip http server
Step1.5: Configure the basic configuration of the CA server on R3 and generate a CA certificate.
R3(config)# crypto pki server R3_CA R3(cs-server)# issuer-name cn=R3_CA,ou=netmetric R3(cs-server)# grant auto R3(cs-server)# no shutdown %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted. %Some server settings cannot be changed after CA certificate generation. % Please enter a passphrase to protect the private key % or type Return to exit % Password must be more than 7 characters. Try again % or type Return to exit Password:netmetric Re-enter password:netmetric % Generating 1024 bit RSA keys, keys will be non-exportable...
71
% Exporting Certificate Server signing certificate and keys... % Certificate Server enabled. R3(cs-server)#
%SSH-5-ENABLED: SSH 1.99 has been enabled %PKI-6-CS_ENABLED: Certificate server now enabled. R3(cs-server)# exit
Step1.6: Verify the CA Server certificate.
R3# show crypto pki certificates CA Certificate Status: Available Certificate Serial Number: 0x1 Certificate Usage: Signature Issuer: cn=R3_CA ou=netmetric Subject: cn=R3_CA ou=netmetric Validity Date: start date: 01:04:10 UTC Mar 1 2002 end date: 01:04:10 UTC Feb 28 2005 Associated Trustpoints: R3_CA
Step2: Now configure R1 and R6 to take the CA support from R3-CA Server and generate their identity certicates. Step2.1: Configure the domain-name cisco.com and generate rsa key pair on R1.
R1(config)# ip domain-name cisco.com
R1(config)# crypto key generate rsa The name for the keys will be: R1.cisco.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024
71
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK] R1(config)# Mar 1 01:28:47.030: %SSH-5-ENABLED: SSH 1.99 has been enabled
Step2.2: Verify the rsa key.
R1# show crypto key mypubkey rsa % Key pair was generated at: 01:28:47 Key name: R1.cisco.com Storage Device: not specified Usage: General Purpose Key Key is not exportable. Key Data: 30819F30 0D06092A 864886F7 0D010101 6E1B57ED ECC9C1B9 C7D80244 625D5780 2DA8F89F 55C282AA 70ED671F 40BE40E3 7BFC72D9 10979809 3276F5C2 7B7F72EC F39DB3C4 AE788E86 34F0A7E0 E30CA738 % Key pair was generated at: 01:28:48 Key name: R1.cisco.com.server Temporary key Usage: Encryption Key Key is not exportable. Key Data: 307C300D 06092A86 4886F70D 01010105 BEDF35DF FFBFCC9D 8E1093DA C5B1895D D2DADF94 AD90076A 44B82F27 2160D231 8D254300 4F8AC83B B6EC6785 AA4F1D36 R1#
UTC Mar 1 2002
05000381 8D003081 9C985DFB 665332D0 B8E1C850 8A27A3A4 2B37A55F 1DA73624 F99EA20D 29298D06 UTC Mar 1 2002
89028181 F2F46D2E 3A4794B2 C90CDA6A 94451477
00CE2C4C 75A71ACC 1D9839DF CA4E4AE6 59020301 0001
00036B00 50C9B037 DE721E24 CDFBB249
30680261 68E6D498 17989D6A CB2CADC6
00B01BBD D168DA04 6B4E52F5 C7020301
C3207D7B 95C1472A 037061F9 0001
Step2.3: Configure the domain-name cisco.com and generate rsa key pair on R6.
R6(config)# ip domain-name cisco.com
R6(config)# crypto key generate rsa The name for the keys will be: R6.cisco.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] R6(config)# Mar 1 01:28:47.030: %SSH-5-ENABLED: SSH 1.99 has been enabled
71
Step2.4: Verify the rsa key.
R6# show crypto key mypubkey rsa % Key pair was generated at: 01:31:53 Key name: R6.cisco.com Storage Device: not specified Usage: General Purpose Key Key is not exportable. Key Data: 30819F30 0D06092A 864886F7 0D010101 31101028 708FA8D8 B1A2D928 E24830BB E98A11B4 A658122B 03A78F28 4210EF7F F5CEB71D D469BB30 4ACECE62 578D9379 08D8512C 8D989232 CA2DD92A 9EE9F125 % Key pair was generated at: 01:31:54 Key name: R6.cisco.com.server Temporary key Usage: Encryption Key Key is not exportable. Key Data: 307C300D 06092A86 4886F70D 01010105 E45A983C 9AAD217E 529B6168 F92EA141 5092D62A 333A9C13 5E92F0BD DA4CDA66 AFC37FD4 54FC0C1F C0AD60F4 EF7EF9A8 R6#
UTC Mar 1 2002
05000381 8D003081 76B00A3C 18605335 CD112D8F 15F253D3 7EC681F4 BF9051ED 65C6872E 25F2FDAE UTC Mar 1 2002
89028181 333D76CD C697A205 D0A353F9 69FDA438
00C032A0 1EBE9AB3 3E088B1A 8AC1985A 2F020301 0001
00036B00 AD8C66CD 88B6AD50 5E29CFF6
30680261 F0E4BDC7 6C446563 65566189
00B9F10C 31494F9B 77E45F86 F9020301
D0491DF4 7ECBE402 58B3A665 0001
Step2.5: Declare the CA on R1 and R6.
R1# show crypto pki trustpoints status Trustpoint R3_CA: Issuing CA certificate not configured. State: Keys generated ............. Yes (General Purpose, non-exportable) Issuing CA authenticated ....... No Certificate request(s) ..... None
71
R1(config)# crypto R1(ca-trustpoint)# R1(ca-trustpoint)# R1(ca-trustpoint)#
pki trustpoint R3_CA enrollment url http://172.30.1.3 revocation-check none exit
R6(config)# crypto R6(ca-trustpoint)# R6(ca-trustpoint)# R6(ca-trustpoint)#
pki trustpoint R3_CA enrollment url http://172.30.1.3 revocation-check none exit
R6# show crypto pki trustpoints status Trustpoint R3_CA: Issuing CA certificate not configured. State: Keys generated ............. Yes (General Purpose, non-exportable) Issuing CA authenticated ....... No Certificate request(s) ..... None
Step2.6: Authenticate the CA on R1 and R6 to get the CA certificate.
R1(config)# crypto pki authenticate R3_CA Certificate has the following attributes: Fingerprint MD5: 8B941CA0 2CB012D2 143822B5 A0FEA635 Fingerprint SHA1: 5D7D3208 9C525FCE 2018623E 782E3CF6 79E8202C % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. R1(config)#
71
R6(config)# crypto pki authenticate R3_CA Certificate has the following attributes: Fingerprint MD5: 8B941CA0 2CB012D2 143822B5 A0FEA635 Fingerprint SHA1: 5D7D3208 9C525FCE 2018623E 782E3CF6 79E8202C % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted.
Step2.7: Request the identity certificates of R1 and R6 from the CA.
R1(config)# crypto pki enroll R3_CA % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: cisco123 Re-enter password: cisco123 % The subject name in the certificate will include: R1.cisco.com % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto ca certificate R3_CA verbose' commandwill show the fingerprint. R1(config)# CRYPTO_PKI: 92ECC4EA
Certificate Request Fingerprint MD5: C36004FF D0BD7A5C 3B45C567
71
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 472CD52C EAB9774F FE6DD447 9F9FC569 C508ED12 %PKI-6-CERTRET: Certificate received from Certificate Authority R1(config)# exit R1# wr Building configuration... [OK]
Step2.7: Request the identity certificates of R1 and R6 from the CA.
R1# show crypto pki certificates Certificate Status: Available Certificate Serial Number: 0x3 Certificate Usage: General Purpose Issuer: cn=R3_CA ou=netmetric Subject: Name: R1.cisco.com hostname=R1.cisco.com Validity Date: start date: 02:02:51 UTC Mar 1 2002 end date: 02:02:51 UTC Mar 1 2003 Associated Trustpoints: R3_CA CA Certificate Status: Available Certificate Serial Number: 0x1 Certificate Usage: Signature Issuer: cn=R3_CA ou=netmetric Subject: cn=R3_CA ou=netmetric Validity Date: start date: 01:04:10 UTC Mar 1 2002 end date: 01:04:10 UTC Feb 28 2005 Associated Trustpoints: R3_CA
R6(config)# crypto pki enroll R3_CA % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
71
Password: cisco123 Re-enter password: cisco123 % The subject name in the certificate will include: R1.cisco.com % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto ca certificate R3_CA verbose' commandwill show the fingerprint. R6(config)# CRYPTO_PKI: Certificate Request Fingerprint MD5: C36004FF D0BD7A5C 3B45C567 92ECC4EA CRYPTO_PKI: Certificate Request Fingerprint SHA1: 472CD52C EAB9774F FE6DD447 9F9FC569 C508ED12 %PKI-6-CERTRET: Certificate received from Certificate Authority R6(config)# exit R6# wr Building configuration... [OK]
R6# show crypto pki certificates Certificate Status: Available Certificate Serial Number: 0x4 Certificate Usage: General Purpose Issuer: cn=R3_CA ou=netmetric Subject: Name: R6.cisco.com hostname=R6.cisco.com Validity Date: start date: 02:06:15 UTC Mar 1 2002 end date: 02:06:15 UTC Mar 1 2003 Associated Trustpoints: R3_CA CA Certificate Status: Available Certificate Serial Number: 0x1 Certificate Usage: Signature Issuer: cn=R3_CA ou=netmetric Subject: cn=R3_CA ou=netmetric Validity Date: start date: 01:04:10 UTC Mar 1 2002
71

end date: 01:04:10 UTC Feb 28 2005 Associated Trustpoints: R3_CA
Task 2:
R1(config)#crypto isakmp policy 110 R1(config-isakmp)#encryption 3des R1(config-isakmp)#hash md5 R1(config-isakmp)#authentication rsa-sig R1(config-isakmp)#group 2 R1(config-isakmp)#exit R1(config)#
R1#show crypto isakmp policy Global IKE policy Protection suite of priority 110 encryption algorithm: Three key triple DES hash algorithm: Message Digest 5 authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #2 (1024 bit) lifetime: 86400 seconds, no volume limit
71


R1#sh crypto map tag mymap Crypto Map "mymap" 110 ipsec-isakmp Peer = 172.30.1.2 Extended IP access list 103 access-list 103 permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
71
Current peer: 172.30.1.2 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ myset: { esp-3des esp-md5-hmac } , } Interfaces using crypto map mymap: FastEthernet0/0
Step1.8: Check the configuration of cryptomap..

R1#show crypto map tag mymap Crypto Map "mymap" 110 ipsec-isakmp WARNING: This crypto map is in an incomplete state! (missing peer or access-list definitions) Peer = 172.30.1.2 Extended IP access list 110 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ myset: { esp-3des esp-md5-hmac } , } Interfaces using crypto map mymap:
R6(config)#crypto isakmp policy 110 R6(config-isakmp)#encryption 3des R6(config-isakmp)#hash md5 R6(config-isakmp)#authentication rsa-sig R6(config-isakmp)#group 2 R6(config-isakmp)#exit R6(config)#
71
R6#show crypto isakmp policy Global IKE policy Protection suite of priority 110 encryption algorithm: Three key triple DES hash algorithm: Message Digest 5 authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #2 (1024 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit

71

R6#show crypto map tag mymap Crypto Map "mymap" 110 ipsec-isakmp Peer = 172.30.1.1 Extended IP access list 103 access-list 103 permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255 Current peer: 172.30.1.1 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ myset, } Interfaces using crypto map mymap: FastEthernet0/0 FastEthernet0/0 R6#show crypto ipsec transform-set Transform set myset: { esp-3des esp-md5-hmac will negotiate = { Tunnel, },
R1(config)#ip route 10.0.6.0 255.255.255.0 172.30.1.2
R6(config)#ip route 10.0.1.0 255.255.255.0 172.30.1.1
Task4:
Verify the task.
71
NOTE:

state QM_IDLE

R6#show crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: mymap, local addr 172.30.1.2 protected vrf: (none) local ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0) current_peer 172.30.1.1 port 500 PERMIT, flags={origin_is_acl,ipsec_sa_request_sent} #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 current outbound spi: 0xEFAAF17A(4020957562) inbound esp sas: spi: 0xCF7A0D46(3480882502) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: AIM-VPN/BPII-PLUS:1, crypto map: mymap
71
sa timing: remaining key lifetime (k/sec): (4553597/3586) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xEFAAF17A(4020957562) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: AIM-VPN/BPII-PLUS:2, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4553597/3584) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
state QM_IDLE
71
R1#show crypto ipsec sa PFS (Y/N): N, DH group: none interface: FastEthernet0/0 Crypto map tag: mymap, local addr 172.30.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.0.6.0/255.255.255.0/0/0) current_peer 172.30.1.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 current outbound spi: 0xCF7A0D46(3480882502) inbound esp sas: spi: 0xEFAAF17A(4020957562) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: FPGA:1, sibling_flags 80000046, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4483461/3495) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xCF7A0D46(3480882502) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: FPGA:2, sibling_flags 80000046, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4483461/3495) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
71
LAB 03
Configure site-site GRE/IPsec tunnel
Site 1
10.0.1.0 R1
A
GRE/IPsec Tunnel
F0/ 0 F0/ 0
Site 2
R6
B
10.0.6.0
10.0.1.12
172.30.1.1
172.30.1.2
10.0.6.12
Task 1:
Task 2:
Configure an IPsec site-site tunnel between R1 and R6 with the interface f0/0 ip address as peer address between them. Use "netmetric" as pre-shared key value for authentication and 3des/md5 as encryption and hashing algorithm for both ipec phases.
ISAKMP Parameters Authentication: Pre-shared Encryption: 3DES Group: 2 Hash: MD5 Pre-Shared Key: netmetric IPSec Parameters
71
Create a Gre tunnel between R1 and R6 and encrypt any gre traffic passing between R1 and R6 with ipsec.Assign the tunnel ip address in 172.16.1.0/24 network.
Encryption: ESP-3DES Authentication: ESP-MD5-HMAC Protect traffic between site 1 - 10.0.1.0/24 on R1 network and site 2 - 10.0.6.0/24 on R6 network.
Task 3:
Verify the task.
Task 1:
71
Task 2:
Global IKE policy Protection suite of priority 110 encryption algorithm: Three key triple DES hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #2 (1024 bit) lifetime: 86400 seconds, no volume limit
71
R1#show crypto isakmp policy
Step1.5: Configure pre-shared key value as netmetric with R6 address as peer..
R1(config)#crypto isakmp key netmetric address 172.30.1.2
R1(config)#ip access-list extended 103 R1(config-ext-nacl)#permit gre host 172.30.1.1 host 172.30.1.2 R1(config-ext-nacl)#exit R1(config)#

R1(config)# interface tunnel 0 R1(config-if)# ip address 172.16.1.1 255.255.255.0 R1(config-if)# tunnel source f0/0 R1(config-if)# tunnel destination 172.30.1.2 R1(config-if)# crypto map mymap R1(config-if)# no shutdown R1(config-if)# exit *Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
71
Step1.9: Configure a gre tunnel and Implement the crypto map on the tunnel0 on R1.

R1#show crypto map tag mymap Crypto Map "mymap" 110 ipsec-isakmp Peer = 172.30.1.2 Extended IP access list 103 access-list 103 permit gre host 172.30.1.1 host 172.30.1.2 Current peer: 172.30.1.2 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ myset, } Interfaces using crypto map mymap: Tunnel0 FastEthernet0/0
71
R6#show crypto isakmp policy Global IKE policy Protection suite of priority 110 encryption algorithm: Three key triple DES hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #2 (1024 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit
Step2.5: Configure pre-shared key value as netmetric with R1 address as peer.
R6(config)#crypto isakmp key 0 netmetric address 172.30.1.1
R6(config)#ip access-list extended 103 R6(config-ext-nacl)#permit gre host 172.30.1.2 host 172.30.1.1 R6(config-ext-nacl)#exit R6(config)#
71
Step2.9: Configure a gre tunnel and Implement the crypto map on the tunnel0 on R6.
R6(config)# interface tunnel 0 R6(config-if)# ip address 172.16.1.2 255.255.255.0 R6(config-if)# tunnel source f0/0 R6(config-if)# tunnel destination 172.30.1.1 R6(config-if)# crypto map mymap R6(config-if)# no shutdown R6(config-if)# exit *Jan 1 01:47:27.387: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R2#sh crypto map tag mymap Crypto Map "mymap" 110 ipsec-isakmp Peer = 172.30.1.1 Extended IP access list 103 access-list 103 permit gre host 172.30.1.2 host 172.30.1.1 Current peer: 172.30.1.1 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ myset, } Interfaces using crypto map mymap: Tunnel0 FastEthernet0/0 }
R6#show crypto ipsec transform-set Transform set myset: { esp-3des esp-md5-hmac
71

will negotiate = { Tunnel, },
Step3: Point 10.0.6.0/24 route to gre tunnel0 on R1.

R1(config)#ip route 10.0.6.0 255.255.255.0 tunnel0
Step4: Point 10.0.1.0/24 route to gre tunnel0 on R6.
R6(config)#ip route 10.0.1.0 255.255.255.0 tunnel0
Task4:
Verify the task.
NOTE:

state QM_IDLE

R6# show crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: mymap, local addr 172.30.1.2
71
protected vrf: (none) local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0) current_peer 172.30.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14 #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1 path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0 current outbound spi: 0xE00A33DD(3758765021) inbound esp sas: spi: 0x7BB049E(129696926) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2003, flow_id: SW:3, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4543217/466) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xE00A33DD(3758765021) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2004, flow_id: SW:4, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4543217/465) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: interface: Tunnel0 Crypto map tag: mymap, local addr 172.30.1.2 protected vrf: (none) local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0) current_peer 172.30.1.1 port 500 PERMIT, flags={origin_is_acl,}
71

#pkts #pkts #pkts #pkts #pkts #send encaps: 14, #pkts encrypt: 14, #pkts digest: 14 decaps: 14, #pkts decrypt: 14, #pkts verify: 14 compressed: 0, #pkts decompressed: 0 not compressed: 0, #pkts compr. failed: 0 not decompressed: 0, #pkts decompress failed: 0 errors 0, #recv errors 0
local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1 path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0 current outbound spi: 0xE00A33DD(3758765021) inbound esp sas: spi: 0x7BB049E(129696926) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2003, flow_id: SW:3, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4543217/465) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xE00A33DD(3758765021) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2004, flow_id: SW:4, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4543217/464) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: R6#
71
state QM_IDLE
R1# show crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: mymap, local addr 172.30.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0) current_peer 172.30.1.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14 #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2 path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0 current outbound spi: 0x7BB049E(129696926) inbound esp sas: spi: 0xE00A33DD(3758765021) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2003, flow_id: SW:3, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4439646/562) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x7BB049E(129696926) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2004, flow_id: SW:4, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4439646/543) IV size: 8 bytes
71

replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: interface: Tunnel0 Crypto map tag: mymap, local addr 172.30.1.1
protected vrf: (none) local ident (addr/mask/prot/port): (172.30.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0) current_peer 172.30.1.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14 #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 172.30.1.1, remote crypto endpt.: 172.30.1.2 path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0 current outbound spi: 0x7BB049E(129696926) inbound esp sas: spi: 0xE00A33DD(3758765021) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2003, flow_id: SW:3, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4439646/543) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x7BB049E(129696926) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2004, flow_id: SW:4, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4439646/542) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
71
LAB 05
Configure Easy VPN Remote Router as Client.
10.0.6.0 .2 .2 172.30.1.0/24 .1 10.0.1.0
Fa0/1 R6-Client
R1-Server
Task 1:
Task 2:
Configure R1 as Easy VPN server with following requirements. ISAKMP Parameters Authentication: Pre-shared Encryption: 3DES Group: 2 Hash: MD5 IPSec Parameters Encryption: ESP-3DES Authentication: ESP-MD5-HMAC ISAKMP Client Configuration Group Name: R6 Key: VPNKEY Mode: Client Use the address pool 10.0.1.100-10.0.1.150 for remote users. Enable Xauth against the local user database and create user cisco and password cisco. Only encrypt users traffic destined to the subnet 10.0.1.0/24. Configure the Client Router R6 to verify the configuration.
71
Task 3:
Verify the task.
Task 1:
71
Task 2:
Step1.2: Create ISAKMP Policy for Remote VPN client with the given parameters on R1.
71
Step1.5: Configure IPsec Transform set on R1 for Remote VPN client with given parameters.
Step2: Define Group Policy for Mode Configuration Push on R1. Step2.1 Configure the Split Tunnel ACL to match the interesting traffic for encryption as given.
R1(config)#ip access-list extended SPLIT R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 any R1(config-ext-nacl)#exit R1(config)#
Step2.2: Configure the ip address pool for the remote users.

R1(config)# ip local pool Remote-Pool 10.0.1.100 10.0.1.150
Step2.3: Enable the remote group policy lookup via AAA and configure xauth login credentials.
R1(config)# R1(config)# R1(config)# R1(config)# aaa new-model aaa authorization network vpn-group local aaa authentication login vpn-users local username cisco password 0 cisco
R1(config)# crypto isakmp client configuration group R6 R1(config-isakmp-group)# key VPNKEY R1(config-isakmp-group)# pool Remote-Pool R1(config-isakmp-group)# acl SPLIT
Step2.5: Configure Dynamic Crypto map with RRI and ipsec transformset.
R1(config)# crypto dynamic-map dmap 10 R1(config-crypto-map)# set transform-set myset R1(config-crypto-map)# reverse-route R1(config-crypto-map)# end
71
Step2.4 Configure the Remote Group Policy with name R6, specify the isakmp pre-shared key VPNKEY,specify ip address pool for remote users and add the split tunnel acl for selected traffic encryption.
Step3: Apply Mode Configuration and XAUTH. Step3.1 Configure the router to respond to mode configuration requests.
R1(config)# crypto map mymap client configuration address respond
Step3.2 Enable IKE querying for a group policy.

R1(config)# crypto map mymap isakmp authorization list vpn-group
Step 3.3: Enforce XAUTH and apply the dynamic crypto map to the crypto map.
R1(config)# crypto map mymap client authentication list vpn-users R1(config)# crypto map mymap 65535 ipsec-isakmp dynamic dmap
Step4: Apply the Crypto Map to R1 outside interface.

R1(config)# interface f0/0 R1(config-if)# crypto map mymap R1(config-if)# end
Step5: Veify the Crypto Map configuration.
R1# show crypto map interface fastEthernet 0/0 Crypto Map "mymap" 65535 ipsec-isakmp Dynamic map template tag: dmap Interfaces using crypto map mymap: FastEthernet0/0
Step6: Configure the Clinet Router R6 to verify the task. Step6.1 Configure the Cisco Easy VPN Client Profile
71

R6(config)# crypto ipsec R6(config-crypto-ezvpn)# R6(config-crypto-ezvpn)# R6(config-crypto-ezvpn)# R6(config-crypto-ezvpn)# R6(config-crypto-ezvpn)# client ezvpn R6-Client group R6 key VPNKEY peer 172.30.1.2 mode client connect auto end
Step6.2: Assign Cisco Easy VPN Remote to the Interfaces in repective directions.
R6(config)# interface R6(config-if)# crypto R6(config-if)# exit R6(config)# interface R6(config-if)# crypto R6(config-if)# end FastEthernet 0/1 ipsec client ezvpn R6-Client outside Loopback0 ipsec client ezvpn R6-Client inside
Step6.3: Configure XAUTH username and password.

R6(config)# crypto ipsec client ezvpn R6-Client R6(config-crypto-ezvpn)# username cisco password 0 cisco R6(config-crypto-ezvpn)# end
Task 3:
Step1: Initiate the VPN tunnel (Xauth) from R6.
R6(config-crypto-ezvpn)# end *Mar 1 03:11:26.495: EZVPN(remote): Pending XAuth Request, Please enter the following command: *Mar 1 03:11:26.495: EZVPN: crypto ipsec client ezvpn xauth R6# crypto ipsec client ezvpn xauth Username: cisco Password: cisco R6# *Mar 1 03:11:34.823: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=R6 Client_public_addr=172.30.1.2 Server_public_addr=172.30.1.1 Assigned_client_addr=10.0.1.102 *Mar 1 03:11:36.363: %LINK-3-UPDOWN: Interface Loopback1, changed state to up *Mar 1 03:11:37.363: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
Step2: Check the Crypto ipsec client ezvpn status on R6.

R6# show crypto ipsec client ezvpn Easy VPN Remote Phase: 4 Tunnel name : R6-Client
71

Inside interface list: Loopback0 Outside interface: FastEthernet0/0 Current State: IPSEC_ACTIVE Last Event: SOCKET_UP Address: 10.0.1.102 Mask: 255.255.255.255 Save Password: Disallowed Split Tunnel List: 1 Address : 10.0.1.0 Mask : 255.255.255.0 Protocol : 0x0 Source Port: 0 Dest Port : 0 Current EzVPN Peer: 172.30.1.1
NOTE:
The VPN tunnel will show up but it will encrypt packets only when the router sees the intresting traffic which is to be encrypted.

R6# ping 10.0.1.12 source loopback 0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.1.12, timeout is 2 seconds: Packet sent with a source address of 10.0.6.12 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/40/92 ms

R6# show crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: FastEthernet0/0-head-0, local addr 172.30.1.2 protected vrf: (none) local ident (addr/mask/prot/port): (10.0.1.102/255.255.255.255/0/0)
71
R6# show crypto isakmp sa dst src 172.30.1.1 172.30.1.2
state QM_IDLE

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 172.30.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0
local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.1.1 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 current outbound spi: 0x191189C2(420579778) inbound esp sas: spi: 0x17D001E4(399507940) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: SW:2, crypto map: FastEthernet0/0-head-0 sa timing: remaining key lifetime (k/sec): (4549679/3294) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x191189C2(420579778) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: SW:1, crypto map: FastEthernet0/0-head-0 sa timing: remaining key lifetime (k/sec): (4549679/3293) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas:
71
outbound pcp sas:
LAB 06
Configure Easy VPN Remote PC as Client
172.30.1.0/24 .2 PC-Client
Task 1:
10.0.1.0 .1 R1-Server
Task 2:
Configure R1 as Easy VPN server with following requirements. ISAKMP Parameters Authentication: Pre-shared Encryption: 3DES Group: 2 Hash: MD5 IPSec Parameters Encryption: ESP-3DES Authentication: ESP-MD5-HMAC ISAKMP Client Configuration Group Name: R6 Key: VPNKEY Mode: Client Use the address pool 10.0.1.100-10.0.1.150 for remote users. Enable Xauth against the local user database and create user cisco and password cisco. Only encrypt users traffic destined to the subnet 10.0.1.0/24.
71
Configure the Client PC with cisco VPN client and verify the configuration.
Task 3:
Verify the task.
Task 1:
Step2: Configure the basic configuration on PC as per the topology diagram.
C:\Documents and Settings\Administrator> ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific IP Address. . . . . Subnet Mask . . . . Default Gateway . . DNS . . . . . . Suffix . . . . . . . . . . . . . . . . : : 172.30.1.2 : 255.255.255.0 : 172.30.1.1
Step3: Check the connectivity between R1 and PC.
C:\Documents and Settings\Administrator> ping 172.30.1.1 Pinging 172.30.1.1 with 32 bytes of data: Reply from 172.30.1.1: bytes=32 time=54ms TTL=255 Reply from 172.30.1.1: bytes=32 time=16ms TTL=255 Reply from 172.30.1.1: bytes=32 time=28ms TTL=255 Reply from 172.30.1.1: bytes=32 time=4ms TTL=255
71
Task 2:
Step1.2: Create ISAKMP Policy for Remote VPN client with the given parameters on R1.
71
Step1.5: Configure IPsec Transform set on R1 for Remote VPN client with given parameters.
Step2: Define Group Policy for Mode Configuration Push on R1. Step2.1 Configure the Split Tunnel ACL to match the interesting traffic for encryption as given.
R1(config)#ip access-list extended SPLIT R1(config-ext-nacl)#permit ip 10.0.1.0 0.0.0.255 any R1(config-ext-nacl)#exit R1(config)#
Step2.2: Configure the ip address pool for the remote users.

R1(config)# ip local pool Remote-Pool 10.0.1.100 10.0.1.150
Step2.3: Enable the remote group policy lookup via AAA and configure xauth login credentials.
R1(config)# R1(config)# R1(config)# R1(config)# aaa new-model aaa authorization network vpn-group local aaa authentication login vpn-users local username cisco password 0 cisco
R1(config)# crypto isakmp client configuration group R6 R1(config-isakmp-group)# key VPNKEY R1(config-isakmp-group)# pool Remote-Pool R1(config-isakmp-group)# acl SPLIT
Step2.5: Configure Dynamic Crypto map with RRI and ipsec transformset.
R1(config)# crypto dynamic-map dmap 10 R1(config-crypto-map)# set transform-set myset R1(config-crypto-map)# reverse-route R1(config-crypto-map)# end
71
Step2.4 Configure the Remote Group Policy with name R6, specify the isakmp pre-shared key VPNKEY,specify ip address pool for remote users and add the split tunnel acl for selected traffic encryption.
Step3: Apply Mode Configuration and XAUTH. Step3.1 Configure the router to respond to mode configuration requests.
R1(config)# crypto map mymap client configuration address respond
Step3.2 Enable IKE querying for a group policy.

R1(config)# crypto map mymap isakmp authorization list vpn-group
Step 3.3: Enforce XAUTH and apply the dynamic crypto map to the crypto map.
R1(config)# crypto map mymap client authentication list vpn-users R1(config)# crypto map mymap 65535 ipsec-isakmp dynamic dmap
Step4: Apply the Crypto Map to R1 outside interface.

R1(config)# interface f0/0 R1(config-if)# crypto map mymap R1(config-if)# end
Step5: Veify the Crypto Map configuration.
R1# show crypto map interface fastEthernet 0/0 Crypto Map "mymap" 65535 ipsec-isakmp Dynamic map template tag: dmap Interfaces using crypto map mymap: FastEthernet0/0
Step6: Configure the Clinet PC with Cisco VPN client and verify the task. Step6.1 Install the Cisco Easy VPN Client on the client PC.
71
Step6.2: Configure the Cisco Easy VPN Client with correct credentials as shown.
Task 3:
Step1: Initiate the VPN tunnel and give the xauth credentials on prompt.
71
Step2: Check the Crypto ipsec client ezvpn status.
71
NOTE:
The VPN tunnel will show up but it will encrypt packets only when the router sees the intresting traffic which is to be encrypted.
Step3: Ping 10.0.1.12 from PC.
Step5: Create a loopback100 on R1 with ip address 100.100.100.100 to check the split tunnel acl.When PC Pings to 100.100.100.100 the vpn tunnel should bypass this traffic.
71
71
71
71
Task5:
Configure NAT to enable the host on the dmz going to outside have their address translated to the interface address i.e PAT Step1: On ASA1, configure the global PAT address and the local NAT rule for dmz
ASA1(config)#global (outside) 2 interface INFO: outside interface address added to PAT pool ASA1(config)#nat (dmz) 2 172.16.1.0 255.255.255.0 ASA1(config)#
ASA1(config)#show run global global (outside) 1 192.168.1.10-192.168.1.20 global (outside) 2 interface global (dmz) 1 172.16.1.12
ASA1(config)#show run nat nat (inside) 1 10.0.1.0 255.255.255.0 nat (dmz) 2 172.16.1.0 255.255.255.0
71
Step2: Verify the configuration
Step3: On ASA1, configure an inbound access-list allowing only the icmp and telnet traffic for dmz
ASA1(config)#access-list DMZ_OUT permit tcp 172.16.1.0 255.255.255.0 any eq telnet ASA1(config)#access-list DMZ_OUT permit icmp any any ASA1(config)#access-group DMZ_OUT in interface dmz
Step4: Configure line VTY and enable password on R1

R1(config)#line vty 0 4 R1(config-line)#login R1(config-line)#password cisco R1(config-line)#exit R1(config)#enable password cisco
Step5: Initiate a telnet session from R2 to R1 to verify the IP address translation as per task5
R2#telnet 192.168.1.1 Trying 192.168.1.1 ... Open User Access Verification Password:cisco R1>show user Line User 0 con 0 *194 vty 0 Interface User
Mode
Idle
Peer Address
71
Host(s) idle idle
Idle Location 00:43:07 00:00:00 192.168.1.2
LAB 02
Configure Static NAT and PAT
outside F 0/ 0
inside E 0/ 1
INTERNET
F 0/ 1
P C1
R1
E 0/ 0
AS A 1
E 0/ 2
dmz F 0/ 0
R2
71
NOTE:
Before you move further, verify and clear any existing NAT translations configured on the security appliance
ASA1(config)#clear configure nat ASA1(config)#clear configure global ASA1(config)#clear configure static
ASA1(config)#show run nat ASA1(config)#show run global ASA1(config)#show run static
Task1:
Configure Static NAT such that the IP address 10.0.1.10 is translated to 192.168.1.10 when this host is going outside
Task2:
Configure Static PAT so that the telnet session initiated from PC1 to the inside interface of ASA1 is redirected to R2 telnet server.
Task3:
Configure Static PAT such that the connection to port 8080 from PC1 to the inside interfaces of ASA1 are redirected to the router R1 web server
Task1:
Configure Static NAT such that the IP address 10.0.1.10 is translated to 192.168.1.10 when this host is going outside Step1: Configure a static NAT rule on ASA1 and verify the configuration
ASA1(config)#static (inside,outside) 192.168.1.10 10.0.1.10
ASA1(config)#show nat NAT policies on Interface inside: match ip inside host 10.0.1.10 outside any static translation to 192.168.1.10 translate_hits = 1, untranslate_hits = 0
Step2: Now verify the configuration by establishing a telnet session from PC1 to R1
71

C:\Documents and Settings\netmetric>telnet 192.168.1.1 User Access Verification Password: cisco R1>show user Line User 0 con 0 *194 vty 0 Interface User
Host(s) idle idle Mode
Idle Location 02:33:06 00:00:00 192.168.1.10 Idle Peer Address
Step3: On ASA1, verify the translation table

ASA1(config)#show xlate 1 in use, 1 most used Global 192.168.1.10 Local 10.0.1.10
Task2:
Configure Static PAT so that the telnet session initiated from PC1 to the inside interface of ASA1 is redirected to R2 telnet server. Step1: Configure a static NAT rule on ASA1 and verify the configuration
ASA1(config)#static (dmz,inside) tcp interface 23 172.16.1.2 23
71

ASA1(config)#show nat NAT policies on Interface inside: match ip inside host 10.0.1.10 outside any static translation to 192.168.1.10 translate_hits = 1, untranslate_hits = 0 NAT policies on Interface dmz: match tcp dmz host 172.16.1.2 eq 23 inside any static translation to 10.0.1.1/23 translate_hits = 0, untranslate_hits = 2
ASA1(config)#show xlate 2 in use, 2 most used PAT Global 10.0.1.1(23) Local 172.16.1.2(23) Global 192.168.1.10 Local 10.0.1.10
Step2: Initiate a telnet session from PC1 to 10.0.1.1 (R2) for verification
C:\Documents and Settings\netmetric>telnet 10.0.1.1
User Access Verification Password: cisco R2>show user Line User 0 con 0 * 66 vty 0 Interface User
Task3:
Configure Static PAT such that the connection to port 8080 from PC1 to the inside interfaces of ASA1 are redirected to the router R1 web server Step1: Configure the static nat on ASA1 and verify the configuration
ASA1(config)#static (outside,inside) tcp interface 8080 192.168.1.1 80
71

ASA1(config)#show nat NAT policies on Interface outside: match tcp outside host 192.168.1.1 eq 80 inside any static translation to 10.0.1.1/8080 translate_hits = 0, untranslate_hits = 0 NAT policies on Interface inside: match ip inside host 10.0.1.10 outside any static translation to 192.168.1.10 translate_hits = 1, untranslate_hits = 0 NAT policies on Interface dmz: match tcp dmz host 172.16.1.2 eq 23 inside any static translation to 10.0.1.1/23 translate_hits = 0, untranslate_hits = 3
ASA1(config)#show xlate 3 in use, 3 most used PAT Global 10.0.1.1(23) Local 172.16.1.2(23) PAT Global 10.0.1.1(8080) Local 192.168.1.1(80) Global 192.168.1.10 Local 10.0.1.10
Step2: Configure the http/web server on R1

R1(config)#ip http server
Step3: Open the web browser http://10.0.1.1:8080 from PC1, the password for the session would be cisco
71
Step4: Enter the enable privilege password as cisco
NOTE:
71
On successful authentication you should be able to access the R1 SDM or configuration
71
LAB 03
Configure Dynamic Policy NAT
outside F 0/ 0 inside E 0/ 1 E 0/ 0
INTERNET
F 0/ 1
P C1
R1
AS A 1
E 0/ 2
dmz F 0/ 0
R2
NOTE:
Before you move further, verify and clear any existing NAT translations configured on the security appliance.
Task1: Task2:
Configure the security appliance such that the telnet packets going outside from inside should be translated to the IP address 192.168.1.11 i.e PAT
Task3:
Configure the security appliance so that the traffic other than ICMP and Telnet should use the outside interface IP address when going from inside to outside
71
Configure the security appliance so that the ICMP packets going outside from inside should be translated to the IP address 192.168.1.10 i.e PAT
Task1:
Configure the security appliance so that the ICMP packets going outside from inside should be translated to the IP address 192.168.1.10 i.e PAT Step1: Configure the access-list policies on ASA1
ASA1(config)#access-list ICM permit icmp any any
Step2: Configure the local NAT rules and global pool on ASA1 and verify it
ASA1(config)#nat (inside) 1 access-list ICM ASA1(config)#global (outside) 1 192.168.1.10 INFO: Global 192.168.1.10 will be Port Address Translated
ASA1(config)#show run nat nat (inside) 1 access-list IC
ASA1(config)#show run global global (outside) 1 192.168.1.10
ASA1(config)#show nat NAT policies on Interface inside: match icmp inside any outside any dynamic translation to pool 1 (192.168.1.10) translate_hits = 2, untranslate_hits = 1 match icmp inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 0, untranslate_hits = 0 match icmp inside any dmz any dynamic translation to pool 1 (No matching global) translate_hits = 0, untranslate_hits = 0
ASA1(config)#show xlate 0 in use, 3 most used
71
Step3: Verify the task by initiating the ping from PC1 to R1

C:\Documents and Settings\netmetric>ping 192.168.1.1 Pinging 192.168.1.1 with 32 bytes of data: Reply Reply Reply Reply from from from from 192.168.1.1: 192.168.1.1: 192.168.1.1: 192.168.1.1: bytes=32 bytes=32 bytes=32 bytes=32 time=1ms time<1ms time<1ms time<1ms TTL=255 TTL=255 TTL=255 TTL=255
Step4: Check the destination IP in the icmp echo reply on R1 using debug feature
R1#debug ip icmp ICMP packet debugging R1# *Sep 2 06:35:11.267: *Sep 2 06:35:12.259: *Sep 2 06:35:13.259: *Sep 2 06:35:14.259:
is on ICMP: ICMP: ICMP: ICMP: echo echo echo echo reply reply reply reply sent, sent, sent, sent, src src src src 192.168.1.1, 192.168.1.1, 192.168.1.1, 192.168.1.1, dst dst dst dst 192.168.1.10 192.168.1.10 192.168.1.10 192.168.1.10
Step5: Verify the IP translation table

ASA1(config)#show xlate 1 in use, 3 most used PAT Global 192.168.1.10(3) Local 10.0.1.10 ICMP id 1280
71
Task2:
Configure the security appliance such that the telnet packets going outside from inside should be translated to the IP address 192.168.1.11 i.e PAT Step1: Configure the access-list policies on ASA1
ASA1(config)#access-list TLN permit tcp any any eq telnet
Step2: Configure the local NAT rules and global pool on ASA1 and verify it
ASA1(config)# nat (inside) 2 access-list TLN ASA1(config)# global (outside) 2 192.168.1.11 INFO: Global 192.168.1.11 will be Port Address Translated
ASA1(config)# show run nat nat (inside) 1 access-list IC nat (inside) 2 access-list TL
ASA1(config)# show run global global (outside) 1 192.168.1.10 global (outside) 2 192.168.1.11
71

ASA1(config)#show nat NAT policies on Interface inside: match icmp inside any outside any dynamic translation to pool 1 (192.168.1.10) translate_hits = 2, untranslate_hits = 1 match icmp inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 0, untranslate_hits = 0 match icmp inside any dmz any dynamic translation to pool 1 (No matching global) translate_hits = 0, untranslate_hits = 0 match tcp inside any outside any eq 23 dynamic translation to pool 2 (192.168.1.11) translate_hits = 0, untranslate_hits = 0 match tcp inside any inside any eq 23 dynamic translation to pool 2 (No matching global) translate_hits = 0, untranslate_hits = 0 match tcp inside any dmz any eq 23 dynamic translation to pool 2 (No matching global) translate_hits = 0, untranslate_hits = 0

C:\Documents and Settings\netmetric>telnet 192.168.1.1 User Access Verification Password:cisco R1>show user Line 0 con 0 *194 vty 0 Interface
User
User
Mode
Idle
Peer Address
Step4: Verify the IP translation table

ASA1(config)#show xlate 1 in use, 3 most used PAT Global 192.168.1.11(1024) Local 10.0.1.10(1548)
71
Host(s) idle idle
Idle Location 00:01:42 00:00:00 192.168.1.11
Task3:
Configure the security appliance so that the traffic other than ICMP and Telnet should use the outside interface IP address when going from inside to outside Step1: Configure the local nat rules and global pool on ASA1 and verify the configuration
ASA1(config)#show run nat nat (inside) 1 access-list IC nat (inside) 2 access-list TL nat (inside) 3 0.0.0.0 0.0.0.0 ASA1(config)#show run global global (outside) 1 192.168.1.10 global (outside) 2 192.168.1.11 global (outside) 3 interface ASA1(config)#show run global global (outside) 1 192.168.1.10 global (outside) 2 192.168.1.11 global (outside) 3 interface
71

ASA1(config)#show nat
NAT policies on Interface inside: match icmp inside any outside any dynamic translation to pool 1 (192.168.1.10) translate_hits = 2, untranslate_hits = 1 match icmp inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 0, untranslate_hits = 0 match icmp inside any dmz any dynamic translation to pool 1 (No matching global) translate_hits = 0, untranslate_hits = 0 match tcp inside any outside any eq 23 dynamic translation to pool 2 (192.168.1.11) translate_hits = 0, untranslate_hits = 0 match tcp inside any inside any eq 23 dynamic translation to pool 2 (No matching global) translate_hits = 0, untranslate_hits = 0 match tcp inside any dmz any eq 23 dynamic translation to pool 2 (No matching global) translate_hits = 0, untranslate_hits = 0 match ip inside any outside any dynamic translation to pool 3 (192.168.1.2 [Interface PAT]) translate_hits = 0, untranslate_hits = 0 match ip inside any inside any dynamic translation to pool 3 (No matching global) translate_hits = 0, untranslate_hits = 0 match ip inside any dmz any dynamic translation to pool 3 (No matching global) translate_hits = 0, untranslate_hits = 0
Step2: Establish a connection using the web browser from PC1 to R1 using the address http://192.168.1.1 and give the login password cisco when prompted Step3: Enter the enable privilege password cisco
NOTE:
On successful authentication you should be able to access the R1 SDM or configuration
71
Step4: On ASA1, verify the outside interface IP (Global IP) in the IP translation table
ASA1(config)#show xlate 12 in use, 12 most used PAT Global 192.168.1.2(1035) PAT Global 192.168.1.2(1034) PAT Global 192.168.1.2(1033) PAT Global 192.168.1.2(1032) PAT Global 192.168.1.2(1031) PAT Global 192.168.1.2(1030) PAT Global 192.168.1.2(1029) PAT Global 192.168.1.2(1028) PAT Global 192.168.1.2(1027) PAT Global 192.168.1.2(1026) PAT Global 192.168.1.2(1025) PAT Global 192.168.1.2(1024)
Local Local Local Local Local Local Local Local Local Local Local Local
10.0.1.10(1582) 10.0.1.10(1580) 10.0.1.10(1578) 10.0.1.10(1573) 10.0.1.10(1571) 10.0.1.10(1569) 10.0.1.10(1567) 10.0.1.10(1565) 10.0.1.10(1563) 10.0.1.10(1561) 10.0.1.10(1559) 10.0.1.10(1557)
71
LAB 04
Configure Static Policy NAT and PAT
INTERNET
F 0/ 1
P C1
R1
AS A 1
E 0/2
dmz F 0/0
R2
NOTE:
Configure Static NAT on the Security Appliance using access-list such that the IP address assigned to PC1 i.e., 10.0.1.10 is translated to 192.168.1.10 when it is going outside
Task2:
Configure Static Policy PAT on the security appliance such that the telnet to the inside interface of ASA1 from 10.0.1.0/24 is redirected to the router R2 telnet server in DMZ
Task3:
Configure Static Policy PAT such that the connections to port 8080 on the inside interface of ASA1 from 10.0.1.0/24 is redirected to the router R1 web server
71
Task1:
Task1:
Configure Static NAT on the Security Appliance using access-list such that the IP address assigned to PC1 i.e., 10.0.1.10 is translated to 192.168.1.10 when it is going outside Step1: Configure the access-list policy on ASA1
ASA1(config)#access-list PC1 permit ip host 10.0.1.10 any
Step2: Configure the static NAT rule on ASA1 and verify the configuration
ASA1(config)#static (inside,outside) 192.168.1.10 access-list PC1
ASA1(config)#show nat NAT policies on Interface inside: match ip inside host 10.0.1.10 outside any static translation to 192.168.1.10 translate_hits = 0, untranslate_hits = 0
Step3: Verify the translation table configuration

ASA1(config)#show xlate 1 in use, 31 most used Global 192.168.1.10 Local 10.0.1.10
Step4: Verify the task by initiating a telnet session to R1 from PC1

C:\Documents and Settings\netmetric>telnet 192.168.1.1 User Access Verification Password: cisco R1>show user Line 0 con 0 *194 vty 0
User
Host(s) idle idle
Idle Location 02:33:06 00:00:00 192.168.1.10
71
Task2:
Configure Static Policy PAT on the security appliance such that the telnet to the inside interface of ASA1 from 10.0.1.0/24 is redirected to the router R2 telnet server in DMZ Step1: Configure the access-list policy on ASA1
ASA1(config)#access-list TLN permit tcp host 172.16.1.2 eq 23 10.0.1.0 255 255.255.0
Step2: Configure the static NAT rule on ASA1

ASA1(config)# static (dmz,inside) tcp interface 23 access-list TLN

ASA1(config)#show nat NAT policies on Interface dmz: match tcp dmz host 172.16.1.2 eq 23 inside 10.0.1.0 255.255.255.0 static translation to 10.0.1.1/23 translate_hits = 0, untranslate_hits = 1
Step4: Verify the task by initiating the telnet session from PC1 to 10.0.1.1 i.e the inside interface on ASA1
C:\Documents and Settings\netmetric>telnet 10.0.1.1 User Access Verification Password: cisco R2>show user Line * 66 vty 0 Interface
User
Host(s) idle Mode
Idle Location 00:00:00 10.0.1.10 Idle Peer Address
User
71
Task3:
Configure Static Policy PAT such that the connections to port 8080 on the inside interface of ASA1 from 10.0.1.0/24 is redirected to the router R1 web server Step1: Configure the access-list policy on ASA1
ASA1(config)#access-list WEB permit tcp host 192.168.1.1 eq 80 10.0.1.0 255.255.255.0
Step2: Configure the static NAT rule on ASA1

ASA1(config)#static (outside,inside) tcp interface 8080 access-list WEB

ASA1(config)#show nat NAT policies on Interface outside: match tcp outside host 192.168.1.1 eq 80 inside 10.0.1.0 255.255.255.0 static translation to 10.0.1.1/8080 translate_hits = 0, untranslate_hits = 0 NAT policies on Interface inside: match ip inside host 10.0.1.10 outside any static translation to 192.168.1.10 translate_hits = 1, untranslate_hits = 0 NAT policies on Interface dmz: match tcp dmz host 172.16.1.2 eq 23 inside 10.0.1.0 255.255.255.0 static translation to 10.0.1.1/23 translate_hits = 0, untranslate_hits = 2
Step4: Verify the translation table configuration

ASA1(config)#show xlate 3 in use, 31 most used PAT Global 10.0.1.1(23) Local 172.16.1.2(23) PAT Global 10.0.1.1(8080) Local 192.168.1.1(80) Global 192.168.1.10 Local 10.0.1.10
71
Step5: Establish a connection using the web browser from PC1 to the address http://10.0.1.1:8080 and give the login password cisco when prompted Step6: Enter the enable privilege password cisco
NOTE:
On successful authentication you should be able to access the R1 SDM or configuration Step7: On ASA1, verify the connection table
ASA1(config)#show conn 9 in use, 11 most used TCP out 10.0.1.1(192.168.1.1):80 aA TCP out 10.0.1.1(192.168.1.1):80 flags UIO TCP out 10.0.1.1(192.168.1.1):80 flags UfFRIO TCP out 10.0.1.1(192.168.1.1):80 flag s UIO
in 10.0.1.10:2212 idle 0:00:00 bytes 0 flags in 10.0.1.10:2210 idle 0:00:00 bytes 1773 in 10.0.1.10:2208 idle 0:00:00 bytes 8713 in 10.0.1.10:2206 idle 0:00:00 bytes 13791
71
LAB 05
Configure Identity NAT, NAT exemption & NAT Control
INTERNET
F 0/ 1
P C1
R1
AS A 1
E 0/ 2
dmz F 0/ 0
R2
NOTE:
Task1:
Enable NAT control on ASA1
Task2:
Configure NAT on ASA1 such that the inside network 10.0.1.0/24 is self translated to its IP
71
Task3:
Configure NAT on ASA1 such that R2 is exempted from NAT
Task1:
Enable NAT control on ASA1 Step1: Configure NAT-Control on the security appliance and verify the configuration
ASA1(config)#show run nat-control no nat-control ASA1(config)#nat-control ASA1(config)#show run nat-control nat-control
Step2: Verify the NAT configuration

ASA1(config)#show nat NAT policies on Interface inside: match ip inside any outside any no translation group, implicit deny policy_hits = 0 match ip inside any dmz any no translation group, implicit deny policy_hits = 0 NAT policies on Interface dmz: match ip dmz any outside any no translation group, implicit deny policy_hits = 0
NOTE:
After completing the above task, try to initiate a ping request from PC1 to R1, which would fail. To restore this we would have to configure identity NAT or NAT exemption. This is executed in the next task
71

C:\Documents and Settings\netmetric>ping 192.168.1.1 Pinging 192.168.1.1 with 32 bytes of data: Request Request Request Request timed timed timed timed out. out. out. out.
Ping statistics for 192.168.1.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Task2:
Configure NAT on ASA1 such that the inside network 10.0.1.0/24 is self translated to its IP Step1: Configure identity NAT rule on ASA1
ASA1(config)#nat (inside) 0 10.0.1.0 255.255.255.0 nat 0 10.0.1.0 will be identity translated for outbound

ASA1(config)#show nat NAT policies on Interface inside: match ip inside any outside any no translation group, implicit deny policy_hits = 0 match ip inside any dmz any no translation group, implicit deny policy_hits = 0 NAT policies on Interface dmz: match ip dmz any outside any no translation group, implicit deny policy_hits = 0
71

C:\Documents and Settings\netmetric>ping 192.168.1.1 Pinging 192.168.1.1 with 32 bytes of data: Reply Reply Reply Reply from from from from 192.168.1.1: 192.168.1.1: 192.168.1.1: 192.168.1.1: bytes=32 bytes=32 bytes=32 bytes=32 time=1ms time<1ms time<1ms time<1ms TTL=255 TTL=255 TTL=255 TTL=255
Step3: Verify the IP in ICMP packet using the debug feature on R1

Task3:
Configure NAT on ASA1 such that R2 is exempted from NAT Step1: Initiate the ping from R2 to R1 which would fail
R2#ping 192.168.1.1 Type escape sequence to abort Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
Step2: Configure the access-list policy and nat rule on ASA1
71

ASA1(config)#access-list R2 permit ip host 172.16.1.2 any ASA1(config)#nat (dmz) 0 access-list R2

ASA1(config)#show nat dmz match ip dmz host 172.16.1.2 outside any NAT exempt translate_hits = 0, untranslate_hits = 0 match ip dmz host 172.16.1.2 dmz any NAT exempt translate_hits = 0, untranslate_hits = 0 match ip dmz any outside any no translation group, implicit deny policy_hits = 5
Step4: Verify the task by initiating ping from R2 to R1

R2#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Step5: Check the IP in the ICMP packet in R1 by using debug feature.

71
MODULE 04: Object Grouping

Lab 01: Configuring Object Grouping.... 66
71
LAB 01
Configuring Object Grouping
71
Task1:
Allow access to the Application Servers from the outside
NOTE:
Use the minimum number of lines possible to accomplish access to these application servers
Task2:
Create Services groups on ASA1 as DMZ_SERVICES HTTP HTTPS FTP And Host and network groups as DMZ_SERVERS 192.168.1.8 192.168.1.9 192.168.1.10 Can apply group names to ACLs
Task1:
Allow access to the Application Servers from the outside
NOTE:
Use the minimum number of lines possible to accomplish access to these application servers
ASA1(config)#show run static static (dmz,outside) 192.168.1.8 172.16.1.1 netmask 255.255.255.255 static (dmz,outside) 192.168.1.9 172.16.1.2 netmask 255.255.255.255 static (dmz,outside) 192.168.1.10 172.16.1.3 netmask 255.255.255.255
ASA1(config)#show run access-list ASA1(config)#access-list 100 permit ASA1(config)#access-list 100 permit ASA1(config)#access-list 100 permit ASA1(config)#access-list 100 permit ASA1(config)#access-list 100 permit ASA1(config)#access-list 100 permit ASA1(config)#access-list 100 permit ASA1(config)#access-list 100 permit ASA1(config)#access-list 100 permit
tcp tcp tcp tcp tcp tcp tcp tcp tcp
any any any any any any any any any
host host host host host host host host host
192.168.1.8 eq http 192.168.1.8 eq https 192.168.1.8 eq ftp 192.168.1.9 eq http 192.168.1.9 eq https 192.168.1.9 eq ftp 192.168.1.10 eq http 192.168.1.10 eq https 192.168.1.10 eq ftp
71
NOTE:
Before you move forward, please ensure you complete the following tasks to create object groups and use them in your configuration 1. Specify the type of object group that you want to create and configure a name for the group 2. Define the members of the object group 3. Apply the object group to an ACL
Task2:
Create Services groups on ASA1 as DMZ_SERVICES HTTP HTTPS FTP And Host and network groups as DMZ_SERVERS 192.168.1.8 192.168.1.9 192.168.1.10 Can apply group names to ACLs
ASA1(config)#object-group service DMZ_SERVICES tcp port-object eq http port-object eq https port-object eq ftp
ASA1(config)#object-group network DMZ_SERVERS network-object host 192.168.1.8 network-object host 192.168.1.9 network-object host 192.168.1.10
ASA1(config)#access-list 100 permit tcp any object-group DMZ_SERVERS objectgroup DMZ_SERVICES ASA1(config)#access-list 100 in interface outside
71
MODULE 05: Application Inspection and Filtering

Lab 01: Application Aware Inspection. Lab 02: URL Filtering.. Lab 03: Malicious Active Code Filtering.. 70 73 75
71
LAB 01
Application Aware Inspection
FTP Server F 0/ 0 E 0/ 1 E 0/ 0
INTERN ET
F 0/ 1
R1
AS A 1
10.1.1.2
200.1.1.2
Task1:
Configure FTP to be inspected on port 2100 in addition to port 21. Do not use any accesslist for this task
71
P C1
Task2:
Enable Application inspection in the Default inspection policy for the ICMP
Task 3:
There is a FTP Server located at 10.1.1.2. Translate this server as 200.1.1.4 on the outside. Allow FTP traffic to this Server from the outside
Task4:
FTP traffic connections to this server should be reset if they are trying to execute the following commands: Put Rmd Rnfr Dele
Task 5:
Configure maximum number of incoming connections towards this FTP server to 400. Also, set the maximum number of half-open connections to this Web server to 200. Set the embryonic Timeout to 1 minute
Task1:
Configure FTP to be inspected on port 2100 in addition to port 21. Do not use any accesslist for this task
ASA1:
class FTP2100 match port tcp eq 2100 ! policy-map global_policy class FTP2100 inspect ftp
Task2:
Enable Application inspection in the Default inspection policy for the ICMP
71
ASA1:
policy-map global_policy class inspection_default inspect icmp
Task3:
There is a FTP Server located at 10.1.1.2. Translate this server as 200.1.1.4 on the outside. Allow FTP traffic to this Server from the outside
ASA1:
static (inside,outside) 200.1.1.2 10.1.1.2 ! access-list 100 permit tcp any host 200.1.1.2 eq 21
Task4:
FTP traffic connections to this server should be reset if they are trying to execute the following commands: Put Rmd Rnfr Dele
ASA1:
policy-map type inspect FTP FTP1 match-request command put rmd rnfr dele reset ! access-list 100 permit tcp any host 200.1.1.2 eq 21 ! class-map class1 match access-list 100 ! policy-map global_policy class class1 inspect FTP strict FTP1
Task 5:
71
Configure maximum number of incoming connections towards this FTP server to 400. Also, set the maximum number of half-open connections to this Web server to 200. Set the embryonic Timeout to 1 minute
ASA1:
policy-map global_policy class class1 set connection conn-max 400 set connection embryonic-conn-max 200 set connection timeout embryonic 0:1:0
LAB 02
URL Filtering
71
Web S en ce
F 0/ 0
E 0/ 1 E 0/ 0
INTERNET
F 0/ 1
P C1
R1
AS A 1
Task 1:
A Websense server exists at 172.16.1.3. Configure ASA1 such that it should forward all web requests to Websense before it allows the access to Internet. If the Websense server is down, the web requests should be allowed to go out
Task2:
Configure ASA1 such that It should also forward all HTTPS and FTP to Websense before it allow the access to internet. If the Websense server is down, the web requests should be allowed to go out
Task 1:
A Websense server exists at 172.16.1.3. Configure ASA1 such that it should forward all web requests to Websense before it allows the access to Internet. If the Websense server is down, the web requests should be allowed to go out
71
NOTE:
The security appliance sends all URL requests to the Websense URL-filtering server at 172.16.1.3. The URL-filtering server determines whether requested URLs should be blocked. If the URL-filtering server goes offline, the security appliance allows all URL requests to continue without filtering.
ASA1:
url-server (dmz) vendor websense host 172.16.1.3 timeout 30 protocol TCP version 4 filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Task2:
Configure ASA1 such that It should also forward all HTTPS and FTP to Websense before it allow the access to internet. If the Websense server is down, the web requests should be allowed to go out
NOTE:
The security appliance sends all HTTPS and FTP URL requests to the URL-filtering server to be filtered If the URL-filtering server goes offline, the security appliance allows all HTTPS and FTP URL requests to continue without filtering
ASA1:
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
LAB 03
Malicious Active Code Filtering
71
Task1:
Configure ASA such that it filter ActiveX
F 0/ 0
E 0/ 1 E 0/ 0
INTERN ET
F 0/ 1
P C1
R1
AS A 1
Block A ive ct X
ASA1:
filter ActiveX 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
NOTE:
ActiveX blocking applies to web traffic on port 80 from any local host and to any foreign host.
Task2:
Configure ASA such that it filter JAVA
F 0/ 0
E 0/ 1 E 0/ 0
INTERN ET
F 0/ 1
P C1
R1
Block JA A V
71
AS A 1
ASA1:
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
NOTE:
JAVA blocking applies to web traffic on port 80 from any local host and to any foreign host Java programs and ActiveX controls can enable attackers to invade network systems. Cisco security appliances can be used to filter Java applets and block ActiveX controls.
71
MODULE 06
Context and Failover on the Security Appliance
Lab 01: Firewall Contexts.. Lab 02: Failover - Active/Standby Lab 03: Failover - Active/Active.. 78 87 98
71
LAB 01
Configuring Firewall Contexts
outside
R1
F0/ 0
R2
F 0/ 0
E 0/ 0
E 0/ 3
ASA1
CTX1
E 0/ 1
CTX2
M0/ 0
F0/ 0
P C1
R3
inside
Task 1:
Enable the security appliance to support multiple contexts and verify the configuration
Task 2:
Configure Context CTX1 and CTX2 on ASA1 with CTX1.cfg and CTX2.cfg as config files respectively as per the given table and topology
Task 3: Task 4:
Configure Access-list on both the contexts to restore the basic connectivity and the save configuration on the security appliance
Task 5:
Configure the routers and PCs as per the diagram and table with their default route pointing to the security appliance
Task 6:
Verify the connectivity across the contexts
71
Change the management interface m 0/0 allocated to context CTX2 to a regular data interface.
Table: Host ASA1 ASA1 ASA1 ASA1 R1 PC1 R2 R3 Context CTX1 CTX1 CTX2 CTX2 IP Address 192.168.1.1/24 10.0.1.1/24 192.168.31.1/24 10.0.31.1/24 192.168.1.2/24 10.0.1.10/24 192.168.31.2/24 10.0.31.2/24 Interface e 0/0 e 0/1 e 0/3 m 0/0 f 0/0 ethernet f 0/0 f 0/0 Name outside inside outside inside Security Level 0 100 0 100 -
Task 1:
Enable the security appliance to support multiple contexts and verify the configuration
ASA1(config)#show mode Security context mode: single ASA1(config)#mode multiple WARNING: This command will change the behavior of the device WARNING: This command will initiate a Reboot Proceed with change mode? [confirm]<enter> Convert the system configuration? [confirm]<enter>
ASA1(config)#show mode Security context mode: multiple
NOTE:
Below is the default configuration of a security appliance which supports multiple contexts
71
ASA1(config)#show running-configuration ASA Version 8.0(2) <system> ! hostname ASA1 enable password 8Ry2YjIyt7RRXU24 encrypted no mac-address auto ! interface Ethernet0/0 shutdown ! interface Ethernet0/1 shutdown ! interface Ethernet0/2 shutdown ! interface Ethernet0/3 shutdown ! interface Management0/0 shutdown ! class default limit-resource All 0 limit-resource ASDM 5 limit-resource SSH 5 limit-resource Telnet 5 ! ftp mode passive pager lines 24 no failover no asdm history enable arp timeout 14400 console timeout 0 admin-context admin context admin allocate-interface Ethernet0/0 allocate-interface Ethernet0/1 config-url disk0:/admin.cfg ! prompt hostname context Cryptochecksum:c156e4956700c7d5c6914ec2038e34fd : end
71
Task 2:
Configure Context CTX1 and CTX2 on ASA1 with CTX1.cfg and CTX2.cfg as config files respectively as per the given table and topology Step1: Bring all the interfaces to up state on ASA1
ASA1#configure terminal ASA1(config)# ASA1(config)#interface e0/0 ASA1(config-if)#no shutdown ASA1(config-if)#interface e0/1 ASA1(config-if)#no shutdown ASA1(config-if)#interface e0/2 ASA1(config-if)#no shutdown ASA1(config-if)#interface e0/3 ASA1(config-if)#no shutdown ASA1(config)#interface management 0/0 ASA1(config-if)#no shutdown ASA1(config-if)#exit
NOTE:
Admin Context should be pre-configured before configuring any context on ASA1 Step2: On ASA1 from the system context, create Context CTX1 with config-url CTX1.cfg and allocate the interfaces e0/0, e0/1 to this context
ASA1(config)#context CTX1 Creating context 'CTX1'... Done. (2) ASA1(config-ctx)#config-url disk0:/CTX1.cfg WARNING: Could not fetch the URL disk0:/CTX1.cfg INFO: Creating context with default config ASA1(config-ctx)#allocate-interface e0/0 ASA1(config-ctx)#allocate-interface e0/1 ASA1(config-ctx)#exit
71
Step3: On ASA1 from the system context, create Context CTX2 with config-url CTX2.cfg and allocate the interfaces e0/3, m0/0 to this context
ASA1(config)#context CTX2 Creating context 'CTX2'... Done. (3) ASA1(config-ctx)#config-url disk0:/CTX2.cfg WARNING: Could not fetch the URL disk0:/CTX2.cfg INFO: Creating context with default config ASA1(config-ctx)#allocate-interface e0/3 ASA1(config-ctx)#allocate-interface m0/0 ASA1(config-ctx)#exit
Step4: Configure the interfaces in context CTX1 with the appropriate nameif, security level and IP address as mentioned in the table above
ASA1(config)#changeto context CTX1 ASA1/CTX1(config)#show interface ip brief Interface IP-Address OK? Method Status Ethernet0/0 unassigned YES unset down Ethernet0/1 unassigned YES unset down ASA1/CTX1(config)#
Protocol down down
ASA1/CTX1(config)#interface e0/0 ASA1/CTX1(config-if)#nameif outside INFO: Security level for "outside" set to 0 by default. ASA1/CTX1(config-if)#security-level 0 ASA1/CTX1(config-if)#ip address 192.168.1.1 255.255.255.0 ASA1/CTX1(config-if)#no shutdown ASA1/CTX1(config-if)#exit ASA1/CTX1(config)#interface e0/1 ASA1/CTX1(config-if)#nameif inside INFO: Security level for "inside" set to 100 by default. ASA1/CTX1(config-if)#security-level 100 ASA1/CTX1(config-if)#ip address 10.0.1.1 255.255.255.0 ASA1/CTX1(config-if)#no shutdown ASA1/CTX1(config-if)#exit
71
Step5: Configure the interfaces in context CTX2 with the appropriate nameif, security level and IP address as mentioned in the table above
ASA1(config)#changeto context CTX2 ASA1/CTX1(config)# ASA1/CTX2(config)#interface e0/3 ASA1/CTX2(config-if)#nameif outside INFO: Security level for "outside" set to 0 by default. ASA1/CTX2(config-if)#security-level 0 ASA1/CTX2(config-if)#ip address 192.168.31.1 255.255.255.0 ASA1/CTX2(config-if)#no shutdown ASA1/CTX2(config-if)#exit ASA1/CTX2(config)#interface m0/0 ASA1/CTX2(config-if)#nameif inside INFO: Security level for "inside" set to 100 by default. ASA1/CTX2(config-if)#security-level 100 ASA1/CTX2(config-if)#ip address 10.0.31.1 255.255.255.0 ASA1/CTX2(config-if)#no shutdown ASA1/CTX2(config-if)#exit
Task 3:
Change the management interface m 0/0 allocated to context CTX2 to a regular data interface.
ASA1/CTX2(config)#interface m0/0 ASA1/CTX2(config-if)#no management-only
Task 4:
Step1: Configure the inbound access-list on outside interface of the context CTX1
ASA1(config)#changeto context CTX1 ASA1/CTX1(config)#access-list OUT_IN permit icmp any any ASA1/CTX1(config)#access-group OUT_IN in interface outside
71
Configure Access-list on both the contexts to restore the basic connectivity and the save configuration on the security appliance
Step2: Configure the inbound access-list on outside interface of the context CTX2
ASA1(config)#changeto context CTX2 ASA1/CTX2(config)#access-list OUT_IN permit icmp any any ASA1/CTX2(config)#access-group OUT_IN in interface outside
Step3: Save the configuration of all the contexts on ASA1

ASA1/CTX2(config)#changeto system ASA1(config)# ASA1(config)#write memory all Building configuration... Saving context : system : (000/003 Contexts saved) Cryptochecksum: 730e0ccd 3a4b4ee5 3e8c465f d0b1cd4d 890 bytes copied in 3.300 secs (296 bytes/sec) Saving context : admin : (001/003 Contexts saved) Cryptochecksum: f7912198 f47e8334 3cd92682 bc05a6fb 1357 bytes copied in 0.190 secs Saving context : CTX1 : (002/003 Contexts saved) Cryptochecksum: 5d1597e5 9a7cbb52 156e1e2f cb8c813f %Error opening disk0:/CTX1.cfg (File exists) Saving context : CTX2 : (003/003 Contexts saved) Cryptochecksum: 66ec92e3 6273e794 3845ab7d b8c49a9c 1556 bytes copied in 0.170 secs [OK] ASA1(config)#
Task 5:
Step1: Configure the interface and default route on R1 as per the diagram
R1(config)#interface fa0/0 R1(config-if)#ip address 192.168.1.2 255.255.255.0 R1(config-if)#no shutdown R1(config-if)#exit R1(config)# R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
71
Configure the routers and PCs as per the diagram and table with their default route pointing to the security appliance
Task 6:
Verify the connectivity across the contexts Step1: Initiate the ping from PC1 to ASA1/CTX1 inside interface
C:\Documents and Settings\netmetric>ping 10.0.1.1 Pinging 10.0.1.1 with 32 bytes of data: Reply Reply Reply Reply from from from from 10.0.1.1: 10.0.1.1: 10.0.1.1: 10.0.1.1: bytes=32 bytes=32 bytes=32 bytes=32 time<1ms time<1ms time<1ms time<1ms TTL=255 TTL=255 TTL=255 TTL=255
71
Step2: Initiate the ping from PC1 to R1 both located in the context CTX1
C:\Documents and Settings\netmetric>ping 192.168.1.2 Pinging 192.168.1.2 with 32 bytes of data: Reply Reply Reply Reply from from from from 192.168.1.2: 192.168.1.2: 192.168.1.2: 192.168.1.2: bytes=32 bytes=32 bytes=32 bytes=32 time=1ms time=1ms time=1ms time=1ms TTL=255 TTL=255 TTL=255 TTL=255
Step3: Initiate the ping from R3 to ASA1/CTX2 inside interface

Step4: Initiate the ping from R3 to R2 both located in the context CTX2
R3#ping 192.168.31.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.31.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
71
LAB 02
Failover Active/Standby
R1
F0/ 0
R2
F 0/ 0
E 0/ 0
E 0/ 3
E 0/ 0
E 0/ 3
ASA1
CTX1
E 0/ 1
E 0/ 2
E 0/ 2
ASA2
CTX1
E 0/ 1
CTX2
M0/ 0
CTX2
M0/ 0
P C1 R3
F0/ 0
NOTE:
Task 1:
Configure the Vlans on the switch as per the topology diagram.
Task 2:
Configure the standby ip address as per the table.
Task 3:
Configure the failover and monitoring interfaces for failover, and make sure ASA1 is active host for both context CTX1 and CTX2 and ASA2 acts as the Standby host respectively.
Task 4:
71
Complete Lab 1 of Module 4 before proceeding further
Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1.
Table:
Host ASA1,ASA2 ASA1,ASA2 ASA1,ASA2 ASA1,ASA2 ASA1,ASA2 R1 PC1 R2 R3
Context CTX1 CTX1 CTX2 CTX2 -
Standby IP Address 192.168.1.1/24 192.168.1.7/24 10.0.1.1/24 10.0.1.7/24 192.168.31.1/24 192.168.31.7/24 10.0.31.1/24 10.0.31.7/24 172.17.1.1/24 172.17.1.7/24 192.168.1.2/24 10.0.1.10/24 192.168.31.2/24 10.0.31.2/24
IP Address
Interface Nameif Security Level e 0/0 outside 0 e 0/1 inside 100 e 0/3 outside 0 m 0/0 inside 100 e 0/2 Failover Interface f 0/0 ethernet f 0/0 f 0/0 -
Task1:
Configure the vlans on the switch as per the topology diagram. Step1: Configure the interfaces of the devices in the same switch vlans as per the topology diagram.
Switch(config)#interface range fa0/3 , fa0/13 , fa0/23 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 13 Switch(config-if-range)#exit Switch(config)#interface range fa0/10 , fa0/20 , fa0/30 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 20 Switch(config)#interface range fa0/1 , fa0/11 , fa0/21 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 11 Switch(config-if-range)#exit Switch(config)#interface range fa0/2 , fa0/12 , fa0/22 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 12 Switch(config-if-range)#exit
71
Task2:
Configure the standby ip address as per the table. Step1: Add the standby ip address to ASA1 context CTX1 configuration as per the table.
ASA1/CTX1(config)#interface e0/0 ASA1/CTX1(config-if)#ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7 ASA1/CTX1(config-if)#exit ASA1/CTX1(config)#interface e0/1 ASA1/CTX1(config-if)#ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7 ASA1/CTX1(config-if)#exit

ASA1/CTX1(config)#show run ip ! interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7 ! interface Ethernet0/1 nameif inside security-level 100 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7 !
Step3: Add the standby ip address to ASA1 context CTX2 configuration as per the table.
ASA1/CTX1(config)#changeto context CTX2 ASA1/CTX2(config)# ASA1/CTX2(config)#interface e0/3 ASA1/CTX2(config-if)#ipaddress 192.168.31.1 255.255.255.0 standby 192.168.31.7 ASA1/CTX2(config-if)#exit ASA1/CTX2(config)#interface m0/0 ASA1/CTX2(config-if)#ip address 10.0.31.1 255.255.255.0 standby 10.0.31.7 ASA1/CTX2(config-if)#exit ASA1/CTX2(config)#
71

ASA1/CTX2(config)#show run ip ! interface Ethernet0/3 nameif outside security-level 0 ip address 192.168.31.1 255.255.255.0 standby 192.168.31.7 ! interface Management0/0 nameif inside security-level 100 ip address 10.0.31.1 255.255.255.0 standby 10.0.31.7 !
Task3:
Configure the failover and monitoring interfaces for failover, and make sure ASA1 is active host for both context CTX1 and CTX2 and ASA2 acts as the Standby host respectively. Step1: Configure failover on ASA1.
ASA1/CTX2(config)#changeto system ASA1(config)#failover lan unit primary ASA1(config)#failover lan interface failover ethernet0/2 INFO: Non-failover interface config is cleared on Ethernet0/2 and its subinterfaces ASA1(config)#failover link failover ethernet0/2 ASA1(config)#failover interface ip failover 172.17.1.1 255.255.255.0 standby 172.17.1.7 ASA1(config)#failover
Step2: Configure failover monitoring interface on ASA1/CTX1.

ASA1(config)#changeto context CTX1 ASA1/CTX1(config)#monitor-interface outside ASA1/CTX1(config)#monitor-interface inside ASA1/CTX1(config)#exit
Step3: Configure failover monitoring interface on ASA1/CTX2.
71

ASA1/CTX1#changeto context CTX2 ASA1/CTX2(config)#monitor-interface outside ASA1/CTX2(config)#monitor-interface inside
Step4: Verify the Security Context Mode and Firewall mode on ASA2.
ASA2(config)#show mode Security context mode:multiple ASA2(config)#show firewall Firewall mode:Router
Step5: Configure failover on ASA2.

ASA2(config)#interface e0/2 ASA2(config-if)#no shutdown ASA2(config-if)#exit ASA2(config)#failover lan unit secondary ASA2(config)#failover lan interface failover ethernet0/2 INFO: Non-failover interface config is cleared on Ethernet0/2 and its subinterfaces ASA2(config)#failover link failover ethernet0/2 ASA2(config)#failover interface ip failover 172.17.1.1 255.255.255.0 standby 172.17.1.7 ASA2(config)#failover
Step6: Verify the failover configuration on ASA1.

ASA1(config)#show failover interface interface failover Ethernet0/2 System IP Address: 172.17.1.1 255.255.255.0 My IP Address : 172.17.1.1 Other IP Address : 172.17.1.7 ASA1(config)# show failover Failover On Failover unit Primary Failover LAN Interface: failover Ethernet0/2 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Version: Ours 8.0(2), Mate 8.0(2) Last Failover at: 12:40:04 UTC Sep 13 2010 This host: Primary - Active Active time: 491 (sec) slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.1): Normal
71
CTX1 Interface inside (10.0.1.1): Normal CTX2 Interface outside (192.168.31.1): Normal CTX2 Interface inside (10.0.31.1): Normal slot 1: empty Other host: Secondary - Standby Ready Active time: 0 (sec) slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.7): Normal CTX1 Interface inside (10.0.1.7): Normal CTX2 Interface outside (192.168.31.7): Normal CTX2 Interface inside (10.0.31.7): Normal slot 1: empty Stateful Failover Logical Update Statistics Link : failover Ethernet0/2 (up) Stateful Obj xmit xerr General 53 0 sys cmd 49 0 up time 0 0 RPC services 0 0 TCP conn 0 0 UDP conn 0 0 ARP tbl 4 0 Xlate_Timeout 0 0 SIP Session 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 49 Xmit Q: 0 1 53
rcv 49 49 0 0 0 0 0 0 0
rerr 0 0 0 0 0 0 0 0 0
Step7: Verify the failover monitoring interface on ASA1/CTX1.

ASA1/CTX1(config)# show monitor-interface This host: Primary - Active Interface outside (192.168.1.1): Normal Interface inside (10.0.1.1): Normal Other host: Secondary - Standby Ready Interface outside (192.168.1.7): Normal Interface inside (10.0.1.7): Normal
Step8: Verify the failover monitoring interface on ASA1/CTX2.

ASA1/CTX2(config)# show monitor-interface This host: Primary - Active Interface outside (192.168.31.1): Normal Interface inside (10.0.31.1): Normal Other host: Secondary - Standby Ready Interface outside (192.168.31.7): Normal Interface inside (10.0.31.7): Normal
71
Task4:
Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1. Step1: Initiate a telnet session from PC1 to R1.
C:\Documents and Settings\netmetric>telnet 192.168.1.2 User Access Verification Password: cisco R1>show user Line User 0 con 0 * 66 vty 0 Interface User
Step2: While keeping the telnet session open shutdown the outside interface of ASA1 on the switch
Switch(config)#interface fa0/10 Switch(config-if)#shutdown Switch(config-if)# 02:06:30: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administ ratively down 02:06:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, chan ged state to down
Step3: Verify that the telnet session did not break during step 2 i.e. during failover.
R1> R1> R1> <enter> <enter> <enter>
R1>show user Line 0 con 0
User
Host(s) idle
Idle 00:00:11
Location
71

* 66 vty 0 Interface User idle Mode
00:00:00 10.0.1.10 Idle Peer Address
Step4: Verify the changed failover status on ASA1.

ASA1(config)# show failover Failover On Failover unit Primary Failover LAN Interface: failover Ethernet0/2 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Version: Ours 8.0(2), Mate 8.0(2) Last Failover at: 13:42:52 UTC Sep 13 2010 This host: Primary - Failed Active time: 3767 (sec) slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.7): No Link CTX1 Interface inside (10.0.1.7): Normal CTX2 Interface outside (192.168.31.7): Normal CTX2 Interface inside (10.0.31.7): Normal slot 1: empty Other host: Secondary - Active Active time: 255 (sec) slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.1): Normal CTX1 Interface inside (10.0.1.1): Normal CTX2 Interface outside (192.168.31.1): Normal CTX2 Interface inside (10.0.31.1): Normal slot 1: empty Stateful Failover Logical Update Statistics Link : failover Ethernet0/2 (up) Stateful Obj xmit xerr General 533 0 sys cmd 519 0 up time 0 0 RPC services 0 0 TCP conn 8 0 UDP conn 0 0 ARP tbl 6 0 Xlate_Timeout 0 0 SIP Session 0 0 Logical Update Queue Information
rcv 523 519 0 0 0 0 4 0 0
rerr 0 0 0 0 0 0 0 0 0
71

Cur 0 0 Max 1 1 Total 523 533
Recv Q: Xmit Q:
Step5: Verify the changed failover monitoring interface status on ASA1/CTX1.

ASA1/CTX1(config)# show monitor-interface This host: Primary - Failed Interface outside (192.168.1.7): No Link Interface inside (10.0.1.7): Normal Other host: Secondary - Active Interface outside (192.168.1.1): Normal Interface inside (10.0.1.1): Normal
Step6: Now restore back to normal the outside interface of ASA1/CTX1 i.e no shutdown the respective interface on the switch.
Switch(config)#interface fa0/10 Switch(config-if)#no shut Switch(config-if)#exit 02:11:02: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up 02:11:02: %SYS-5-CONFIG_I: Configured from console by console 02:11:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, chan ged state to up
Step7: Verify the failover status on ASA1.

ASA1(config)#show failover Failover On Failover unit Primary Failover LAN Interface: failover Ethernet0/2 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Version: Ours 8.0(2), Mate 8.0(2) Last Failover at: 13:42:52 UTC Sep 13 2010 This host: Primary - Standby Ready Active time: 3767 (sec) slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.7): Normal CTX1 Interface inside (10.0.1.7): Normal CTX2 Interface outside (192.168.31.7): Normal
71
CTX2 Interface inside (10.0.31.7): Normal slot 1: empty Other host: Secondary - Active Active time: 654 (sec) slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.1): Normal CTX1 Interface inside (10.0.1.1): Normal CTX2 Interface outside (192.168.31.1): Normal CTX2 Interface inside (10.0.31.1): Normal slot 1: empty Stateful Failover Logical Update Statistics Link : failover Ethernet0/2 (up) Stateful Obj xmit xerr General 587 0 sys cmd 573 0 up time 0 0 RPC services 0 0 TCP conn 8 0 UDP conn 0 0 ARP tbl 6 0 Xlate_Timeout 0 0 SIP Session 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 580 Xmit Q: 0 1 587
rcv 580 573 0 0 0 0 7 0 0
rerr 0 0 0 0 0 0 0 0 0
NOTE:
Even after the outside interface of the ASA1/CTX1 is restored back to normal, ASA1 is acting as standby host for both the context CTX1 and CTX2, and ASA2 is the active host respectively. Step1: To forcibly change the state of ASA1 standby host back to active host configure the following
ASA1(config)#failover active Switching to Active
Step2: Verify the changed failover status on ASA1

ASA1(config)#show failover Failover On Failover unit Primary Failover LAN Interface: failover Ethernet0/2 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum
71
Version: Ours 8.0(2), Mate 8.0(2) Last Failover at: 13:54:08 UTC Sep 13 2010 This host: Primary - Active Active time: 3833 (sec) slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.1): Normal CTX1 Interface inside (10.0.1.1): Normal CTX2 Interface outside (192.168.31.1): Normal CTX2 Interface inside (10.0.31.1): Normal slot 1: empty Other host: Secondary - Standby Ready Active time: 677 (sec) slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.7): Normal CTX1 Interface inside (10.0.1.7): Normal CTX2 Interface outside (192.168.31.7): Normal CTX2 Interface inside (10.0.31.7): Normal slot 1: empty Stateful Failover Logical Update Statistics Link : failover Ethernet0/2 (up) Stateful Obj xmit xerr General 598 0 sys cmd 584 0 up time 0 0 RPC services 0 0 TCP conn 8 0 UDP conn 0 0 ARP tbl 6 0 Xlate_Timeout 0 0 SIP Session 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 591 Xmit Q: 0 1 598
rcv 591 584 0 0 0 0 7 0 0
rerr 0 0 0 0 0 0 0 0 0
71
LAB 03
Failover Active/Active
R1
F0/ 0
R2
F 0/ 0
E 0/ 0
E 0/ 3
E 0/ 0
E 0/ 3
ASA1
CTX1
E 0/ 1
E 0/ 2
E 0/ 2
ASA2
CTX1 CTX2
M0/ 0
CTX2
M0/ 0
E 0/ 1
P C1 R3
F0/ 0
NOTE:
Complete Lab 1 and Lab 2 of this module before starting this lab.
71
Task 1:
Configure the failover and monitoring interfaces for failover, and make sure ASA1 is active host for context CTX1 and standby host for context CTX2 and ASA2 should be a Standby host for context CTX1 and Active host for context CTX2 respectively.
Task 2:
Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1.
Table:
Host ASA1,ASA2 ASA1,ASA2 ASA1,ASA2 ASA1,ASA2 ASA1,ASA2 R1 PC1 R2 R3
Context CTX1 CTX1 CTX2 CTX2 -
Standby IP Address 192.168.1.1/24 192.168.1.7/24 10.0.1.1/24 10.0.1.7/24 192.168.31.1/24 192.168.31.7/24 10.0.31.1/24 10.0.31.7/24 172.17.1.1/24 172.17.1.7/24 192.168.1.2/24 10.0.1.10/24 192.168.31.2/24 10.0.31.2/24
IP Address
Interface Nameif Security Level e 0/0 outside 0 e 0/1 inside 100 e 0/3 outside 0 m 0/0 inside 100 e 0/2 Failover Interface f 0/0 ethernet f 0/0 f 0/0 -
Task1:
Configure the failover and monitoring interfaces for failover, and make sure ASA1 is active host for context CTX1 and standby host for context CTX2 and ASA2 should be a Standby host for context CTX1 and Active host for context CTX2 respectively.
NOTE:
First disable the failover before making any changes to the failover configuration. Step1: Configure failover groups.
ASA1(config)# no failover ASA1(config)# failover group 1 ASA1(config-fover-group)# primary ASA1(config-fover-group)# preempt
71

ASA1(config-fover-group)#exit ASA1(config)# failover group 2 ASA1(config-fover-group)# secondary ASA1(config-fover-group)# preempt ASA1(config-fover-group)# exit
Step1: Configure failover groups.

ASA1(config)#no failover ASA1(config)#failover group 1 ASA1(config-fover-group)#primary ASA1(config-fover-group)#preempt ASA1(config-fover-group)#exit ASA1(config)# ASA1(config)#failover group 2 ASA1(config-fover-group)#secondary ASA1(config-fover-group)#preempt ASA1(config-fover-group)#exit
NOTE:
The "preempt" command enables the device to switch automatically the primary unit device as "active" and secondary unit as "standby" in the event where the failed interface/link is restored back to normal status after a failover. Here we dont have to forcibly change the failover status manually using the "failover enable" command. Step2: Join the context CTX1 and CTX2 to failover group 1 and 2 respectively. And enable failover.
ASA1(config)# context CTX1 ASA1(config-ctx)# join-failover-group 1 ASA1(config-ctx)# exit ASA1(config)# context CTX2 ASA1(config-ctx)# join-failover-group 2 ASA1(config-ctx)# exit ASA1(config)# ASA1(config)# failover
Step3: Verify the failover status.
71

ASA1(config)# show failover Failover On Failover unit Primary Failover LAN Interface: failover Ethernet0/2 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Version: Ours 8.0(2), Mate 8.0(2) Group 1 last failover at: 14:07:31 UTC Sep 13 2010 Group 2 last failover at: 14:07:30 UTC Sep 13 2010 This host: Group 1 Group 2 Primary State: Active time: State: Active time:
Active 42 (sec) Standby Ready 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.1): Normal CTX1 Interface inside (10.0.1.1): Normal CTX2 Interface outside (192.168.31.7): Normal CTX2 Interface inside (10.0.31.7): Normal slot 1: empty Other host: Group 1 Group 2 Secondary State: Active time: State: Active time:
Standby Ready 0 (sec) Active 45 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.7): Normal CTX1 Interface inside (10.0.1.7): Normal CTX2 Interface outside (192.168.31.1): Normal CTX2 Interface inside (10.0.31.1): Normal slot 1: empty Stateful Failover Logical Update Statistics Link : failover Ethernet0/2 (up) Stateful Obj xmit xerr General 650 0 sys cmd 636 0 up time 0 0 RPC services 0 0 TCP conn 8 0 UDP conn 0 0 ARP tbl 6 0 Xlate_Timeout 0 0 SIP Session 0 0 Logical Update Queue Information Cur Max Total
rcv 643 636 0 0 0 0 7 0 0
rerr 0 0 0 0 0 0 0 0 0
71

Recv Q: Xmit Q: 0 0 1 1 643 650
Step4: Verify the failover monitoring interfaces on ASA1/CTX1.

ASA1(config)# changeto context CTX1 ASA1/CTX1(config)# show monitor-interface This host: Primary - Active Interface outside (192.168.1.1): Normal Interface inside (10.0.1.1): Normal Other host: Secondary - Standby Ready Interface outside (192.168.1.7): Normal Interface inside (10.0.1.7): Normal
Step5: Verify the failover monitoring interfaces on ASA1/CTX2.

ASA1/CTX1(config)# changeto context CTX2 ASA1/CTX2(config)# show monitor-interface This host: Primary - Standby Ready Interface outside (192.168.31.7): Normal Interface inside (10.0.31.7): Normal Other host: Secondary - Active Interface outside (192.168.31.1): Normal Interface inside (10.0.31.1): Normal
Task2:
Verify the failover by shutting down the outside monitoring interface of ASA1/CTX1 during the telnet session from PC1 to R1. Step1: Initiate a telnet session from PC1 to R1.
C:\Documents and Settings\netmetric>telnet 192.168.1.2 User Access Verification Password: cisco R1>show user Line User 0 con 0 * 66 vty 0 Interface User
Step2: While keeping the telnet session open shutdown the outside interface of ASA1 on the switch.
71
Switch(config)#interface fa0/10 Switch(config-if)#shutdown Switch(config-if)# 02:06:30: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down 02:06:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down
Step3: Verify that the telnet session did not break during step 2 i.e. during failover.
R1> R1> R1> <enter> <enter> <enter>
R1>show user Line 0 con 0 * 66 vty 0 Interface
User
User

ASA1(config)#show failover Failover On Failover unit Primary Failover LAN Interface: failover Ethernet0/2 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Version: Ours 8.0(2), Mate 8.0(2) Group 1 last failover at: 14:36:00 UTC Sep 13 2010 Group 2 last failover at: 14:07:30 UTC Sep 13 2010 This host: Group 1 Group 2 Primary State: Active time: State: Active time:
Failed 1709 (sec) Standby Ready 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys)
71

CTX1 Interface CTX1 Interface CTX2 Interface CTX2 Interface slot 1: empty Other host: Group 1 Group 2 Secondary State: Active time: State: Active time:
outside (192.168.1.7): No Link (Waiting) inside (10.0.1.7): Normal outside (192.168.31.7): Normal inside (10.0.31.7): Normal
Active 22 (sec) Active 1734 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.1): Normal (Waiting) CTX1 Interface inside (10.0.1.1): Normal (Waiting) CTX2 Interface outside (192.168.31.1): Normal CTX2 Interface inside (10.0.31.1): Normal slot 1: empty Stateful Failover Logical Update Statistics Link : failover Ethernet0/2 (up) Stateful Obj xmit xerr General 876 0 sys cmd 862 0 up time 0 0 RPC services 0 0 TCP conn 8 0 UDP conn 0 0 ARP tbl 6 0 Xlate_Timeout 0 0 SIP Session 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 869 Xmit Q: 0 1 876
rcv 869 862 0 0 0 0 7 0 0
rerr 0 0 0 0 0 0 0 0 0
Step5: Now restore back the outside interface of ASA1/CTX1 to normal i.e no shutdown the respective interface on the switch.
Switch(config)#interface fa0/10 Switch(config-if)#no shutdown Switch(config-if)#exit 02:11:02: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up 02:11:02: %SYS-5-CONFIG_I: Configured from console by console 02:11:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up
71

ASA1(config)# show failover Failover On Failover unit Primary Failover LAN Interface: failover Ethernet0/2 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Version: Ours 8.0(2), Mate 8.0(2) Group 1 last failover at: 14:39:33 UTC Sep 13 2010 Group 2 last failover at: 14:07:30 UTC Sep 13 2010 This host: Group 1 Group 2 Primary State: Active time: State: Active time:
Active 1717 (sec) Standby Ready 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.1): Normal (Waiting) CTX1 Interface inside (10.0.1.1): Normal (Waiting) CTX2 Interface outside (192.168.31.7): Normal CTX2 Interface inside (10.0.31.7): Normal slot 1: empty Other host: Group 1 Group 2 Secondary State: Active time: State: Active time:
Standby Ready 213 (sec) Active 1933 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(2)) status (Up Sys) CTX1 Interface outside (192.168.1.7): Normal (Waiting) CTX1 Interface inside (10.0.1.7): Normal (Waiting) CTX2 Interface outside (192.168.31.1): Normal CTX2 Interface inside (10.0.31.1): Normal slot 1: empty Stateful Failover Logical Update Statistics Link : failover Ethernet0/2 (up) Stateful Obj xmit xerr General 902 0 sys cmd 888 0 up time 0 0 RPC services 0 0 TCP conn 8 0 UDP conn 0 0 ARP tbl 6 0 Xlate_Timeout 0 0 SIP Session 0 0 Logical Update Queue Information Cur Max Total
rcv 895 888 0 0 0 0 7 0 0
rerr 0 0 0 0 0 0 0 0 0
71
Recv Q: Xmit Q:
0 0
1 1
895 902
MODULE 07: Layer 2 Transparent Firewall

Lab 01: Configure Layer 2 Transparent Firewall 107
71
LAB 01
Configure Layer 2 Transparent Firewall
F 0/ 0
E 0/ 1 E 0/ 0 E 0/ 0
IN TERN ET
F 0/ 1
R1
R2
AS A 1
10.1.1.2
Task 1:
Configure the ASA as a Transparent Firewall
Task 2:
71
10.1.1.1
Configure F0/0 as the outside interface with a security level of 0 and F0/1 as the inside interface with a security level of 100. Bring the Interfaces up
Task 3:
Configure the ASA to allow R2 and R1 to communicate to each other to exchange Routing information. R2 and R1 should run RIP V2 as the routing protocol
Task 1:
Configure the ASA as a Transparent Firewall
ASA1:
Firewall Transparent
Task 2:
Configure F0/0 as the outside interface with a security level of 0 and F0/1 as the inside interface with a security level of 100. Bring the Interfaces up
71
ASA1:
interface E 0/0 nameif outside no shutdown ! interface E 0/1 nameif inside no shutdown
Task 3:
Configure the ASA to allow R2 and R1 to communicate to each other to exchange Routing information. R2 and R1 should run RIP V2 as the routing protocol
ASA1:
access-list outside permit udp host host 10.1.1.1 host 224.0.0.9 eq rip access-list inside permit udp host 10.1.1.2 host 224.0.0.9 eq rip ! access-group outside in interface outside access-group inside in interface inside
Lab 01: IPSec VPN Site to Site Tunnel
110
71
MODULE 08: VPN on the Security Appliance
IPSec VPN Site to Site Tunnel
71
LAB 01
Task1:
Configure an IPSec Tunnel to encrypt traffic from 10.1.1.0/24 on ASA1 inside network to the 20.1.1.0/24 on ASA2 inside network. Use the Outside IP address of ASA as the Tunnel End points Use the below mentioned Parameters for the Tunnel between ASA1 and ASA2 ISAKMP Parameters Authentication: Pre-shared Encryption: 3DES Group: 2 Hash: MD5 Pre-Shared Key: netmetricccsp IPSec Parameters Encryption: ESP-3DES Authentication: ESP-SHA-HMAC
NOTE:
You are allowed to create static routes for this Lab
71
ASA1:
crypto isakmp enable outside crypto isakmp policy 10 Authentication pre-share Hash md5 Group 2 Encryption 3des ! crypto isakmp key netmetric123 address 192.168.1.2 crypto ipsec transform-set set1 esp-3des esp-sha-hmac access-list 111 permit ip 10.1.1.0 255.0.0.0 20.1.1.0 255.0.0.0 crypto crypto crypto crypto map map map map mymap mymap mymap mymap 10 10 10 10 ipsec-isakmp set peer 192.168.1.2 set transform-set set1 match address 111
crypto map mymap interface outside route outside 20.0.0.0 255.0.0.0 192.168.1.2
ASA2:
crypto isakmp enable outside ! crypto isakmp policy 10 Authentication pre-share Hash md5 Group 2 Encryption 3des ! Crypto isakmp key netmetric123 address 192.168.1.1 crypto ipsec transform-set set1 esp-3des esp-sha-hmac access-list 111 permit ip 20.1.1.0 255.0.0.0 10.1.1.0 255.0.0.0 ! crypto map mymap 10 ipsec-isakmp crypto map mymap 10 set peer 192.168.1.1 crypto map mymap 10 set transform-set set1 crypto map mymap 10 match address 111 crypto map mymap interface outside route outside10.0.0.0 255.0.0.0 192.168.1.1
71
Verify ACLs and interesting traffic

show run access-list
Verify correct IKE configuration

show run isakmp show run tunnel-group
Verify correct IPsec configuration

show run ipsec
Verify IPsec and ISAKMP SAs

show crypto ipsec sa show crypto isakmp sa
71

Index: CCSP™ Lab Workbook v2.2 Securing Networks With ASA

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Index: CCSP™ Lab Workbook v2.2 Securing Networks With ASA

Încărcat de

Drepturi de autor:

Formate disponibile

CCSP Lab Workbook v2.

Securing Networks with

Module 02: Routing Protocols on the Security Appliance

Module 03: NAT on the Security Appliance

Module 04: Object Grouping

Module 05: Application Inspection and Filtering

Module 07: Transparent Firewall

Module 06: Context and Failover on the Security Appliance

CCSP Lab Workbook v2.2 ASA

Securing Networks with

Lab 01: Configure Layer 2 Transparent Firewall.

Module 08: VPN on the Security Appliance

Netmetric Infosolutions (P) Limited Hyderabad, IN

CCSP Lab Workbook v2.2 ASA

Securing Networks with

MODULE 01: Configuring IOS FIREWALL

Netmetric Infosolutions (P) Limited Hyderabad, IN

CCSP Lab Workbook v2.2 ASA

Securing Networks with

F 0/ 1 Internal Netw ork

Netmetric Infosolutions (P) Limited Hyderabad, IN

CCSP Lab Workbook v2.2 ASA

Securing Networks with

R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip R1(config)#ip

inspect inspect inspect inspect inspect inspect inspect inspect

name name name name name name name name

myfw myfw myfw myfw myfw myfw myfw myfw

icmp telnet ftp http smtp tcp udp dns

Step2: Check the configured inspection rules on R1.

Netmetric Infosolutions (P) Limited Hyderabad, IN

CCSP Lab Workbook v2.2 ASA

Securing Networks with

Step3: Configure the IP ACL to denying any IP traffic.

Step4: Check the configured ACL.

Step5.1: CBAC configured on internal interface f0/1.

Netmetric Infosolutions (P) Limited Hyderabad, IN

Step5.2: Check the Configuration on the interface.

CCSP Lab Workbook v2.2 ASA

Securing Networks with

Step5.1: CBAC configured on external interface f0/0.

Step5.2: Check the Configuration on the interface.

Step1: Ping from Host A to Internet router.

Netmetric Infosolutions (P) Limited Hyderabad, IN

CCSP Lab Workbook v2.2 ASA

Securing Networks with

Step2: Check the CBAC inspection during the Ping on R1.

Step3: Now try to Ping to HostA from Internet router.

Netmetric Infosolutions (P) Limited Hyderabad, IN

CCSP Lab Workbook v2.2 ASA

Securing Networks with

Netmetric Infosolutions (P) Limited Hyderabad, IN

CCSP Lab Workbook v2.2 ASA

Securing Networks with

Step4: Check the configured Security Zones.

Netmetric Infosolutions (P) Limited Hyderabad, IN

CCSP Lab Workbook v2.2 ASA

Securing Networks with

zone public Member Interfaces: FastEthernet0/0

Step6: Check the configuration.

Step8: Check the configuration.

Netmetric Infosolutions (P) Limited Hyderabad, IN

CCSP Lab Workbook v2.2 ASA

Securing Networks with