
CCNP security

Abbad Ur Rahman Talha, Netmetric Solutions

Netmetric CCNP Security Workbook 2.0: ASA Initialization

LAB 1 Basic ASA Configuration

Initial setup of the ASA is similar to that of a router: connect a rollover cable from the ASA console port to the COM port of a PC. The command-line interface (CLI) differs a little from IOS, but the modes are the same as on a router. Unprivileged (user EXEC) mode, prompt ">", is the most basic level of access to the device and allows very few commands. To configure the ASA you need privileged mode, prompt "#".

Task-1 Getting Started With ASA

When the device boots you land in unprivileged mode, from which you can already view the details of the ASA: software version, hardware, available interfaces and licensed features.

ciscoasa> show version

Cisco ASA Security Appliance Software Version 8.4(2)          (ASA software version; the ASA runs its own OS, not IOS)

ciscoasa up 33 mins 30 secs                                   (uptime of the device)

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual

This platform has a Restricted (R) license.

Configuration has not been modified since last system restart.


From unprivileged mode you can issue a few more commands such as ping, traceroute and login, but to change the configuration of the device you must enter privileged mode. From unprivileged mode, issue the enable command:

ciscoasa> enable
Password:                (the factory default enable password is empty: press Enter at the prompt)
ciscoasa#

Privileged mode gives access to all show and operational commands. To change the configuration you must go one level further into global configuration mode, which is entered with the configure terminal command from privileged mode:

ciscoasa# configure terminal
ciscoasa(config)# enable password cisco123       (set a non-empty enable password before enabling any remote access)
ciscoasa(config)# hostname ASA                   (change the hostname)
ASA(config)#

The licensing section of show version lists which features the device is allowed to run. The ASA ships with one of two license types:

Base License

Security Plus License

By default the ASA comes with the Base License, in which some features are restricted or locked. To unlock them, obtain an activation key from Cisco and install it on the device:

ASA(config)# activation-key 0x00000000 0x00000000 0x00000000 0x00000000      (placeholder; use the key issued for your serial number)
The following features available in flash activation key are NOT
available in new activation key:
Failover is different.
flash activation key: Restricted(R)
new activation key: Unrestricted(UR)
Proceed with update flash activation key? [confirm]                          (press Enter)
WARNING: The running activation key was not updated with the requested key.
The flash activation key was updated with the requested key, and will become active after the next reload.


Task-2 Configuring Interfaces as per the following credentials

Interface            IP Address      Subnet Mask      Name      Security Level
GigabitEthernet 0    192.168.1.10    255.255.255.0    outside   0
GigabitEthernet 1    10.1.1.10       255.0.0.0        inside    100
GigabitEthernet 2    172.16.1.10     255.255.0.0      dmz       50

As on a router, interface configuration on the ASA is done in interface configuration mode. State the subnet mask explicitly on every interface (the masks below are the ones the verification output at the end of this task shows); if the mask is omitted the ASA falls back to the classful mask for the address.

ASA(config)# interface GigabitEthernet 0
ASA(config-if)# ip address 192.168.1.10 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# interface GigabitEthernet 1
ASA(config-if)# ip address 10.1.1.10 255.0.0.0
ASA(config-if)# no shutdown
ASA(config-if)# interface GigabitEthernet 2
ASA(config-if)# ip address 172.16.1.10 255.255.0.0
ASA(config-if)# no shutdown

Besides the IP address, an ASA interface needs two more attributes: a name and a security level. The name (nameif) is any logical label such as inside, outside, dmz or private; from then on the rest of the configuration (access lists, routes, management access) refers to the interface by that name rather than by its physical name (GigabitEthernet 0, 1, ...). Assigning a name is mandatory: an interface with an IP address but no nameif does not pass traffic.

The security level (0 to 100) expresses how much the interface is trusted. By default, connections may be initiated from an interface with a higher security level towards one with a lower level, but an interface with a lower level cannot initiate connections towards a higher-level interface; such traffic must be permitted explicitly with an access list.

ASA(config-if)# interface GigabitEthernet 0
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# security-level 0


ASA(config-if)# interface GigabitEthernet 1
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# interface GigabitEthernet 2
ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ASA(config-if)# security-level 50

Verification

ASA(config-if)# show running-config ip
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.1.10 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.0.0.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.10 255.255.0.0

Only the name inside is special to the ASA: when that name is assigned to an interface the security level is automatically set to 100. Any other name gets security level 0 by default, so set the level explicitly on every interface that is not inside (here the dmz gets 50). Two interfaces left at the same level cannot talk to each other at all under the default rules, which is another reason to check the levels after naming.


LAB 2 Default security policy modifications and ACL in ASA

The ASA is a stateful firewall: it tracks every TCP and UDP connection it permits, so a connection initiated from a higher security level towards a lower one is allowed and its return traffic is matched to the existing connection and allowed back. On top of this basic TCP and UDP state tracking, a number of application protocols are inspected more deeply; the policy that lists them is called the default inspection policy.

Only the protocols and services listed in the default inspection policy are inspected at the application layer by default, and only for traffic initiated from a higher security level towards a lower one. To inspect additional services, add them to the default policy or create a separate inspection policy.

ICMP is not in the default inspection policy and is not tracked statefully by default. An echo sent from inside therefore gets no reply through the ASA: the echo-reply arriving on the outside interface is treated as a new flow from a low security level to a high one and is dropped.

Configure the IP addressing as per the following credentials

Device   Interface           Name/Security Level   IP Address     Subnet Mask
ASA      Ethernet 1          outside/0             10.1.1.10      255.0.0.0
ASA      Ethernet 0          inside/100            192.168.1.10   255.255.255.0
R1       FastEthernet 0/0    -                     192.168.1.1    255.255.255.0
R2       FastEthernet 0/0    -                     10.1.1.1       255.0.0.0

Configure a default route on both routers pointing towards the ASA.


Task 1 : Verify the connectivity for telnet and ICMP

First open a telnet session through the ASA from R1 (inside) to R2 (outside):

R1#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

User Access Verification

Password:
R2>

As discussed above, the ASA tracks TCP and UDP connections by default, so a TCP session such as telnet initiated from the high security level is allowed and its replies come back through the existing connection. ICMP is not tracked by default, so the same does not hold for ping.

Now check ICMP from the high security level to the low one, i.e. from inside to outside:

R1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The echoes leave through the inside interface (high to low, allowed by the basic security-level rule), but the echo-replies arrive on the outside interface as new packets from low to high and are dropped, so the ping fails even though the outbound direction is permitted.


Task 2 : Configure the ASA to inspect ICMP traffic by modifying the default inspection policy and verify the connectivity for ICMP

The default inspection policy is visible in the running configuration of the device:

ASA# show running-config
: Saved
.
.
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp                      (services inspected by default)
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
:
: end


To modify the default inspection policy, enter the policy map and then the class it inspects:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)#

Inside the class, add ICMP inspection:

ASA(config-pmap-c)# inspect icmp

With ICMP inspection enabled the ASA tracks each echo it forwards and lets the matching echo-reply back in, so ping now works from the high security level to the low one:

R1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/80 ms

To remove a service from the default inspection policy, negate it in the same class:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect icmp

As soon as ICMP inspection is removed, the echo-replies are dropped again and ping fails:

R1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Task 3 : Configure the ASA to allow ICMP traffic using an access-list, without modifying the default inspection policy.

The ASA allows traffic from the high security level to the low one by default, so ICMP echoes initiated from the inside subnet reach the outside subnet. The echo-replies sent back in response, however, enter on the outside interface (low to high) and, with no ICMP inspection, are dropped as new flows.

Without touching the inspection policy, the replies can be permitted with an access-list. First create an access-list that permits ICMP:

ASA(config)# access-list out_in permit icmp any any

Then apply it to the outside interface in the inbound direction, so that ICMP arriving on that interface is allowed into the device; the echo-replies to echoes sent from inside are then forwarded:

ASA(config)# access-group out_in in interface outside

Note that permit icmp any any also lets any host on the outside initiate ICMP (echo requests included) towards inside hosts, which is more than this task needs. A tighter rule permits only the reply type: access-list out_in permit icmp any any echo-reply. Remember too that once an access-group is applied inbound on an interface, the security-level default for traffic entering that interface is replaced by the access-list and its implicit deny.

Verification

R1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/32/84 ms
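The security-level rule from LAB 1 and the three behaviours of this lab (stateful TCP, no ICMP state without inspect icmp, an inbound access-group replacing the default for its interface) can be captured in a few lines of code and checked for any pair of interfaces. The Python model below is an added example written for this page; it is not ASA code and not from the workbook. Ace, Asa and lab_results are names chosen here, the interface levels are LAB 1's and the addresses are LAB 2's. It also evaluates the tighter echo-reply-only access-list mentioned above, which the workbook itself does not test.

```python
"""Model of the ASA default access policy used in LAB 1 and LAB 2 (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-control entry: action proto src dst [icmp-type]."""
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'ip', 'tcp', 'udp' or 'icmp'
    src: str                         # 'any' or a CIDR such as '10.0.0.0/8'
    dst: str
    icmp_type: Optional[str] = None  # e.g. 'echo-reply'; None matches any type


@dataclass
class Asa:
    """interfaces: nameif -> security-level; acls: nameif -> inbound ACL."""
    interfaces: dict
    acls: dict = field(default_factory=dict)
    inspect_icmp: bool = False

    @staticmethod
    def _match(addr: str, rule: str) -> bool:
        return rule == 'any' or ip_address(addr) in ip_network(rule)

    def acl_verdict(self, ifname, proto, src, dst, icmp_type=None):
        """First-match evaluation of the ACL applied inbound on ifname.
        Returns True/False, or None when no ACL is applied there."""
        acl = self.acls.get(ifname)
        if acl is None:
            return None
        for ace in acl:
            if ace.proto not in ('ip', proto):
                continue
            if ace.icmp_type is not None and ace.icmp_type != icmp_type:
                continue
            if self._match(src, ace.src) and self._match(dst, ace.dst):
                return ace.action == 'permit'
        return False                    # every applied ACL ends with an implicit deny

    def initiate(self, ingress, egress, proto, src, dst, icmp_type=None) -> bool:
        """May a new flow entering on `ingress` and leaving via `egress` be created?
        An applied ACL replaces the security-level rule for that interface."""
        verdict = self.acl_verdict(ingress, proto, src, dst, icmp_type)
        if verdict is not None:
            return verdict
        return self.interfaces[ingress] > self.interfaces[egress]

    def tcp_connect(self, ingress, egress, src, dst) -> bool:
        """TCP and UDP are tracked statefully: once the first packet is allowed,
        return traffic is matched to the connection and allowed back."""
        return self.initiate(ingress, egress, 'tcp', src, dst)

    def ping(self, ingress, egress, src, dst) -> bool:
        """Echo out and echo-reply back. Without 'inspect icmp' the reply is a
        brand-new flow arriving on the other interface and must pass on its own."""
        if not self.initiate(ingress, egress, 'icmp', src, dst, 'echo'):
            return False
        if self.inspect_icmp:
            return True                 # reply is matched to the tracked echo
        return self.initiate(egress, ingress, 'icmp', dst, src, 'echo-reply')


def lab_results():
    """Walk through LAB 1 defaults and LAB 2 tasks; returns {scenario: allowed?}."""
    asa = Asa(interfaces={'inside': 100, 'dmz': 50, 'outside': 0})
    r1, r2 = '192.168.1.1', '10.1.1.1'           # LAB 2: R1 on inside, R2 on outside
    res = {
        'inside_to_dmz': asa.tcp_connect('inside', 'dmz', r1, '172.16.1.1'),
        'dmz_to_inside': asa.tcp_connect('dmz', 'inside', '172.16.1.1', r1),
        'telnet_default': asa.tcp_connect('inside', 'outside', r1, r2),
        'ping_default': asa.ping('inside', 'outside', r1, r2),
    }
    asa.inspect_icmp = True                                    # Task 2: inspect icmp
    res['ping_inspect'] = asa.ping('inside', 'outside', r1, r2)
    asa.inspect_icmp = False                                   # Task 3: ACL instead
    asa.acls['outside'] = [Ace('permit', 'icmp', 'any', 'any')]
    res['ping_acl'] = asa.ping('inside', 'outside', r1, r2)
    res['ping_from_outside_acl'] = asa.ping('outside', 'inside', r2, r1)   # side effect of any any
    asa.acls['outside'] = [Ace('permit', 'icmp', 'any', 'any', 'echo-reply')]
    res['ping_acl_reply_only'] = asa.ping('inside', 'outside', r1, r2)
    res['ping_from_outside_reply_only'] = asa.ping('outside', 'inside', r2, r1)
    return res


if __name__ == '__main__':
    for scenario, allowed in lab_results().items():
        print(f'{scenario:32s} {"allowed" if allowed else "dropped"}')
```

The two ping_from_outside entries make the point of the caveat: with permit icmp any any an outside host can ping inside hosts, with the echo-reply-only entry it cannot, while the inside-initiated ping works in both cases.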


LAB 3 Object Groups in ACL

Configure the IP addressing as per the following credentials. The route and access-list commands in this lab treat R1's 10.0.0.0/8 side as inside and R2's 192.168.1.0/24 side as outside, and the table follows them.

Device   Interface           Name/Security Level   IP Address     Subnet Mask
ASA      GigabitEthernet0    inside/100            10.1.1.10      255.0.0.0
ASA      GigabitEthernet1    outside/0             192.168.1.10   255.255.255.0
R1       FastEthernet 0/0    -                     10.1.1.1       255.0.0.0
R2       FastEthernet 0/0    -                     192.168.1.1    255.255.255.0
R2       Loopback 0          -                     21.1.1.1       255.0.0.0
R2       Loopback 1          -                     22.1.1.1       255.0.0.0
R2       Loopback 2          -                     23.1.1.1       255.0.0.0

Configure a default route on both routers pointing towards the ASA.

Access-lists often grow to many entries naming individual hosts and services, and every additional host or service means one more entry. Each entry is an Access Control Entry (ACE). As the number of ACEs grows, the access-list becomes hard to manage and modify. To ease this, Cisco introduced object groups: an object group collects similar entities under a single name, and that name can then be used in an access-list in place of the individual entries.

There are four types of object group:

i. network object group

ii. service object group

iii. protocol object group

iv. icmp-type object group


R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.10
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.10

Configure a default route on the ASA pointing towards router R2 so that its loopbacks are reachable:

ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1

Verify routing and connectivity

R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/76 ms

R1#ping 21.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 21.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/56 ms

R1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R2>

R1#telnet 23.1.1.1
Trying 23.1.1.1 ... Open
R2>


Task 1 : Configure an access-list on the ASA to deny traffic from the inside subnet to hosts 21.1.1.1, 22.1.1.1 and 23.1.1.1 for the http, ftp and telnet services.

Access-lists on the ASA differ a little from those on a router: they are always named, never numbered, and an extended entry uses a subnet mask (255.0.0.0) rather than a wildcard mask. Without object groups the task needs one ACE per host and service, nine in all, followed by a permit for everything else, because an applied access-list ends in an implicit deny:

ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq http
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq http
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq ftp
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq telnet
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq http
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq ftp
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq telnet
ASA(config)# access-list in-out permit ip any any

Apply the access-list to the inside interface in the inbound direction with the access-group command in global configuration mode:

ASA(config)# access-group in-out in interface inside

Once applied, traffic matching a deny entry is blocked:

R1#telnet 23.1.1.1
Trying 23.1.1.1 ...
% Connection refused by remote host

and traffic not matching any deny entry is allowed by the final permit:

R1#ping 23.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/37/76 ms


Task 2 : Rewrite the above access-list using object groups

Steps to configure:

1. Create a network object group and add the hosts.

2. Create a service object group and add the required services.

3. Use both object groups in the access-list.

Creating the network object group that holds the three hosts:

ASA(config)# object-group network nw-host
ASA(config-network)# network-object host 21.1.1.1
ASA(config-network)# network-object host 22.1.1.1
ASA(config-network)# network-object host 23.1.1.1

Creating a service object group for protocol tcp, since all the required services (http, ftp and telnet) run over TCP:

ASA(config)# object-group service serv-obj tcp
ASA(config-service)# port-object eq http
ASA(config-service)# port-object eq ftp
ASA(config-service)# port-object eq telnet

Using both object groups in the access-list. The entry must deny, exactly as the nine entries of Task 1 did (the verification output below shows the expanded deny entries): nw-host takes the place of the destination hosts and serv-obj the place of the destination ports. As in Task 1, a trailing permit is needed so that other traffic from inside still passes:

ASA(config)# access-list obj-acl deny tcp 10.0.0.0 255.0.0.0 object-group nw-host object-group serv-obj
ASA(config)# access-list obj-acl permit ip any any

Apply the access-list to the inside interface in the inbound direction:

ASA(config)# access-group obj-acl in interface inside


Verification

ASA(config)# show run object-group
object-group network nw-host
 network-object host 21.1.1.1
 network-object host 22.1.1.1
 network-object host 23.1.1.1
object-group service serv-obj tcp
 port-object eq www
 port-object eq ftp
 port-object eq telnet

ASA(config)# show access-list
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 object-group nw-host object-group serv-obj
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq www
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq www
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq ftp
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq telnet
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq www
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq ftp
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq telnet

The ASA expands the single object-group entry into one entry per host and port; all nine expansions belong to line 1 of the access-list, and http is displayed as www.

R1#telnet 21.1.1.1
Trying 21.1.1.1 ...
% Connection refused by remote host

R1#telnet 22.1.1.1
Trying 22.1.1.1 ...
% Connection refused by remote host

R1#telnet 23.1.1.1
Trying 23.1.1.1 ...
% Connection refused by remote host
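The expansion that show access-list performs above can be reproduced offline to check, before an access-list is applied, exactly which entries an object-group line turns into and in what order. The Python below is an added example written for this page, not code from the workbook or from Cisco; parse_object_groups, expand_acl and lab3_expanded are names chosen here, and the configuration lines are copied from this lab. It handles the any, host, address/mask and object-group forms on both sides plus an optional port field, which is a little more general than the single line the lab uses.

```python
"""Expand object-groups in an ASA access-list into per-host, per-port entries (added example)."""
from itertools import product

# 'show access-list' prints some well-known ports under a different name than
# the configuration keyword; the lab output shows http displayed as www.
DISPLAY_NAME = {'http': 'www'}


def parse_object_groups(lines):
    """Return {name: (kind, members)} from object-group configuration lines.

    kind is 'network' or 'service'.  Network members are ('host', ip) or
    ('subnet', ip, mask); service members are the port names or numbers."""
    groups, current = {}, None
    for raw in lines:
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == 'object-group':                 # object-group KIND NAME [proto]
            current = groups.setdefault(tok[2], (tok[1], []))
        elif tok[0] == 'network-object' and current is not None:
            if tok[1] == 'host':
                current[1].append(('host', tok[2]))
            else:
                current[1].append(('subnet', tok[1], tok[2]))
        elif tok[0] == 'port-object' and current is not None and tok[1] == 'eq':
            current[1].append(tok[2])
    return groups


def _networks(tok, i, groups):
    """Expand the network field at tok[i]; return (variants, next index)."""
    if tok[i] == 'any':
        return ['any'], i + 1
    if tok[i] == 'host':
        return [f'host {tok[i + 1]}'], i + 2
    if tok[i] == 'object-group':
        kind, members = groups[tok[i + 1]]
        if kind != 'network':
            raise ValueError(f'{tok[i + 1]} is not a network object-group')
        return [f'host {m[1]}' if m[0] == 'host' else f'{m[1]} {m[2]}'
                for m in members], i + 2
    return [f'{tok[i]} {tok[i + 1]}'], i + 2         # address mask


def _ports(tok, i, groups):
    """Expand an optional port field: 'eq PORT' or a service object-group."""
    if i < len(tok) and tok[i] == 'eq':
        return [f'eq {DISPLAY_NAME.get(tok[i + 1], tok[i + 1])}'], i + 2
    if i < len(tok) and tok[i] == 'object-group' and groups[tok[i + 1]][0] == 'service':
        return [f'eq {DISPLAY_NAME.get(p, p)}' for p in groups[tok[i + 1]][1]], i + 2
    return [''], i


def expand_acl(line, groups):
    """Expand 'access-list NAME [extended] ACTION PROTO SRC [SPORT] DST [DPORT]'
    into the individual entries the ASA evaluates, in display order."""
    tok = line.split()
    name, i = tok[1], 2
    if tok[i] == 'extended':
        i += 1
    action, proto = tok[i], tok[i + 1]
    i += 2
    srcs, i = _networks(tok, i, groups)
    sports, i = _ports(tok, i, groups)
    dsts, i = _networks(tok, i, groups)
    dports, i = _ports(tok, i, groups)
    return [' '.join(filter(None, ['access-list', name, 'extended', action, proto, s, sp, d, dp]))
            for s, sp, d, dp in product(srcs, sports, dsts, dports)]


# The LAB 3 Task 2 configuration, copied from the workbook for this example.
LAB3_OBJECT_GROUPS = """
object-group network nw-host
 network-object host 21.1.1.1
 network-object host 22.1.1.1
 network-object host 23.1.1.1
object-group service serv-obj tcp
 port-object eq http
 port-object eq ftp
 port-object eq telnet
""".splitlines()

LAB3_ACL = [
    'access-list obj-acl deny tcp 10.0.0.0 255.0.0.0 object-group nw-host object-group serv-obj',
    'access-list obj-acl permit ip any any',
]


def lab3_expanded():
    groups = parse_object_groups(LAB3_OBJECT_GROUPS)
    return [entry for line in LAB3_ACL for entry in expand_acl(line, groups)]


if __name__ == '__main__':
    for entry in lab3_expanded():
        print(entry)
```

Running it prints the nine deny expansions in the same host-major, port-minor order as the show access-list output above, followed by the permit. Counting the expansions this way is also a quick sanity check before applying large object groups, since every expanded entry costs ACL memory on the device.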


LAB 4 Time Based ACL

Sometimes access has to be controlled on the basis of time. An access-list entry can be tied to a time range so that it is active only during the defined period. To configure a time-based access-list, first create a time-range. A time-range can be defined with two options:

=> absolute

=> periodic

The absolute option sets the start and end date and time of the range as a whole; the periodic option sets the recurring hours (and days of the week) within it.

Configure the IP addressing as per the following credentials (same topology as LAB 3: R1's side is inside, R2's side is outside)

Device   Interface           Name/Security Level   IP Address     Subnet Mask
ASA      GigabitEthernet0    inside/100            10.1.1.10      255.0.0.0
ASA      GigabitEthernet1    outside/0             192.168.1.10   255.255.255.0
R1       FastEthernet 0/0    -                     10.1.1.1       255.0.0.0
R2       FastEthernet 0/0    -                     192.168.1.1    255.255.255.0

Configure a default route on both routers pointing towards the ASA.


Task 1 : Configure an access-list named "Time-Acl" that permits every host on the inside subnet to reach outside only from 10:00 am to 05:00 pm, between 1 October 2012 and 31 October 2012.

Steps to configure:

Create a time-range with the above credentials.

Configure an access-list and associate the time-range with it.

Apply the access-list to an interface.

Creating the time-range:

ASA(config)# time-range t-range
ASA(config-time-range)#

This creates a time-range named "t-range"; now define it as per the given credentials. The absolute option sets the dates:

ASA(config-time-range)# absolute start 00:00 1 Oct 2012 end 00:00 31 Oct 2012
ASA(config-time-range)#

Note that the end is a point in time, 00:00 on 31 October, so 31 October itself falls outside the range; to include the whole of the last day use end 23:59 31 Oct 2012. Once the absolute end time has passed, the access-list entries that reference this time-range stay inactive permanently. The periodic option defines the recurring window, written in 24-hour clock format:

ASA(config-time-range)# periodic daily 10:00 to 17:00
ASA(config-time-range)# exit


Verify the configured time-range:

ASA(config)# sh run time-range
!
time-range t-range
 absolute start 00:00 01 October 2012 end 00:00 31 October 2012
 periodic daily 10:00 to 17:00
!

Configuring the access-list with the time-range. An explicit deny follows the permit entry so that, outside the time window, the traffic is dropped:

ASA(config)# access-list Time-Acl permit ip any any time-range t-range
ASA(config)# access-list Time-Acl deny ip any any

ASA(config)# show clock
15:52:57.756 UTC Fri Oct 21 2012

ASA(config)# show access-list
access-list time-acl; 2 elements
access-list time-acl line 1 extended permit ip any any time-range t-range (hitcnt=0) 0xcaf6f246
access-list time-acl line 2 extended deny ip any any (hitcnt=0) 0xb2c8c2d9

Because the clock is inside the time range, both entries of the access-list are active. To verify, change the clock of the device to a date after the absolute end:

ASA(config)# clock set 12:00:00 1 nov 2012
ASA(config)# show clock
12:00:11.410 UTC Wed Nov 1 2012

ASA(config)# show access-list
access-list time-acl; 2 elements
access-list time-acl line 1 extended permit ip any any time-range t-range (hitcnt=0) (inactive)
access-list time-acl line 2 extended deny ip any any (hitcnt=0) 0xb2c8c2d9

As soon as the absolute end time has passed, the entry tied to the time-range is marked inactive and only the deny remains in effect. The time-range controls only whether line 1 is active; the access-list still has to be applied to the inside interface (access-group Time-Acl in interface inside) for it to take effect, and the result depends on the ASA clock, so keep the clock correct (for example with NTP) before relying on time-based entries.
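The activity rule (inside the absolute window, and inside the periodic window on a matching day) can be checked offline for any clock value, including the 31 October edge described above. The Python below is an added example written for this page, not workbook or ASA code; TimeRange and lab4_results are names chosen here, the CLI lines are this lab's, and treating both the absolute end and the periodic end as inclusive at minute granularity is an assumption of this model. Only the single-keyword periodic form (daily, weekdays, weekend, or one day name) is parsed.

```python
"""Evaluate an ASA time-range for a given clock value (added example)."""
from datetime import datetime

# Day-of-week sets for the periodic keyword; Monday is 0 as in datetime.weekday().
DAY_SETS = {
    'daily': set(range(7)), 'weekdays': set(range(5)), 'weekend': {5, 6},
    'monday': {0}, 'tuesday': {1}, 'wednesday': {2}, 'thursday': {3},
    'friday': {4}, 'saturday': {5}, 'sunday': {6},
}


def _parse_datetime(words):
    """Parse 'HH:MM D Mon YYYY' as typed, or 'HH:MM DD Month YYYY' as 'show run' prints it."""
    text = ' '.join(words)
    for fmt in ('%H:%M %d %b %Y', '%H:%M %d %B %Y'):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f'unrecognised date: {text}')


def _minutes(hhmm):
    hours, minutes = hhmm.split(':')
    return int(hours) * 60 + int(minutes)


class TimeRange:
    """A time-range built from its CLI lines; active(now) answers for a clock value."""

    def __init__(self, lines):
        self.start = self.end = None
        self.periodic = []                       # (days, start_minute, end_minute)
        for line in lines:
            tok = line.split()
            if not tok:
                continue
            if tok[0] == 'absolute':             # absolute [start T D M Y] [end T D M Y]
                if 'start' in tok:
                    i = tok.index('start')
                    self.start = _parse_datetime(tok[i + 1:i + 5])
                if 'end' in tok:
                    i = tok.index('end')
                    self.end = _parse_datetime(tok[i + 1:i + 5])
            elif tok[0] == 'periodic' and tok[3] == 'to':   # periodic DAYS HH:MM to HH:MM
                self.periodic.append((DAY_SETS[tok[1]], _minutes(tok[2]), _minutes(tok[4])))

    def active(self, now):
        """Assumption: absolute end and periodic end are inclusive to the minute."""
        if self.start is not None and now < self.start:
            return False
        if self.end is not None and now > self.end:
            return False
        if not self.periodic:
            return True
        minute = now.hour * 60 + now.minute
        return any(now.weekday() in days and start <= minute <= end
                   for days, start, end in self.periodic)


LAB4_TIME_RANGE = [
    'absolute start 00:00 1 Oct 2012 end 00:00 31 Oct 2012',
    'periodic daily 10:00 to 17:00',
]


def lab4_results():
    """The lab's two clock values plus the edge cases the text warns about."""
    t_range = TimeRange(LAB4_TIME_RANGE)
    whole_month = TimeRange(['absolute start 00:00 1 Oct 2012 end 23:59 31 Oct 2012',
                             'periodic daily 10:00 to 17:00'])
    return {
        'oct21_1552': t_range.active(datetime(2012, 10, 21, 15, 52)),   # first show clock: active
        'nov1_1200': t_range.active(datetime(2012, 11, 1, 12, 0)),      # after clock set: inactive
        'oct21_1800': t_range.active(datetime(2012, 10, 21, 18, 0)),    # right date, outside 10:00-17:00
        'oct31_1200': t_range.active(datetime(2012, 10, 31, 12, 0)),    # 31 Oct excluded by end 00:00
        'oct31_1200_whole_month': whole_month.active(datetime(2012, 10, 31, 12, 0)),
    }


if __name__ == '__main__':
    for name, state in lab4_results().items():
        print(f'{name:24s} {"active" if state else "inactive"}')
```

The oct31 pair shows why the end time deserves a second look: with the lab's end 00:00 31 Oct 2012 the permit entry is already inactive at noon on 31 October, while end 23:59 keeps it active for the whole last day.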


LAB 5 Remote Access of ASA

The ASA can always be managed locally through the console port. Remote management is disabled by default: each access method must be enabled explicitly and restricted to the source addresses and the interface from which the access is allowed.

Remote access to the ASA can be obtained using telnet, SSH and HTTPS (ASDM).

Configure the IP addressing as per the following credentials (R1 and the PC are on the inside, R2 on the outside, as the telnet and SSH tests below show)

Device   Interface           Name/Security Level   IP Address     Subnet Mask
ASA      GigabitEthernet0    inside/100            10.1.1.10      255.0.0.0
ASA      GigabitEthernet1    outside/0             192.168.1.10   255.255.255.0
R1       FastEthernet 0/0    -                     10.1.1.1       255.0.0.0
R2       FastEthernet 0/0    -                     192.168.1.1    255.255.255.0
PC       NIC                 -                     10.1.1.5       255.0.0.0

Configure a default route on both routers pointing towards the ASA.

R1#ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms

R1#telnet 10.1.1.10
Trying 10.1.1.10 ...
% Connection timed out; remote host not responding

The ASA's inside interface answers ping, but the telnet attempt times out because telnet access has not been enabled yet.


Task 1 : Configure the ASA to display a banner whenever a user logs in to the device.

ASA(config)# banner login Welcome to CCNP Security Lab of ASA Firewall
ASA(config)# show run banner
banner login Welcome to CCNP Security Lab of ASA Firewall

Task 2 : Configure the ASA to accept telnet connections from host 10.1.1.1 on the inside interface.

Telnet is disabled by default on the ASA; enable it as follows:

ASA(config)# telnet 10.1.1.1 255.255.255.255 inside

The command states which host or subnet is allowed and on which interface the access is granted. The ASA never accepts telnet on its lowest-security interface, and telnet carries the password in cleartext, so use it only on trusted internal segments and prefer SSH elsewhere.

Verification:

R1#telnet 10.1.1.10
Trying 10.1.1.10 ... Open

Welcome to CCNP Security Lab of ASA Firewall

User Access Verification

Password: cisco
Type help or '?' for a list of available commands.
ASA>

The factory default password for telnet access to the ASA is cisco; change it (Task 3) before enabling any remote access outside a lab.

R2#telnet 192.168.1.10
Trying 192.168.1.10 ...
% Connection timed out; remote host not responding

Telnet access on the outside interface is still not allowed.


Task 3 : Set the telnet access password of the ASA to "netadmin"

The telnet login password is changed with the passwd command:

ASA(config)# passwd netadmin

R1#telnet 10.1.1.10
Trying 10.1.1.10 ... Open

Welcome to CCNP Security Lab of ASA Firewall

User Access Verification

Password: netadmin
Type help or '?' for a list of available commands.
ASA>

Task 4 : Create a user account on the ASA and configure the ASA to authenticate telnet connections against user accounts

Creating a user account on the ASA:

ASA(config)# username user1 password cisco123

Applying authentication against the local database to telnet:

ASA(config)# aaa authentication telnet console LOCAL

Verification:

R1#telnet 10.1.1.10
Trying 10.1.1.10 ... Open

User Access Verification

Username: user1
Password: cisco123
Type help or '?' for a list of available commands.
ASA>

Page 21: CCNP security

Abbad Ur Rahman TalhaN

etm

etric

So

luti

ons

Netmetric CCNP Security Workbook 2.0 Remote Access of ASA

Task 5 : Configure the ASA to allow SSH access on the outside interface for anyone with a user account

SSH uses encryption, so RSA keys must be generated before SSH can be enabled on any device. Specify the key size explicitly rather than accepting the default (crypto key generate rsa modulus 2048); 2048 bits is the sensible minimum.

Generating RSA keys

ASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

SSH prompts for a username, so create a user account for SSH access and point SSH authentication at the local database. Verify that an account exists; if not, create one:

ASA(config)# username user1 password cisco123

Set SSH authentication to the LOCAL database:

ASA(config)# aaa authentication ssh console LOCAL

Allow SSH access from anywhere on the outside interface:

ASA(config)# ssh 0.0.0.0 0.0.0.0 outside

With 0.0.0.0 0.0.0.0 any address reaching the outside interface may open an SSH session, which is what this task asks for. In practice, restrict the source to the management hosts or subnet that need it, and restrict the ASA to SSH version 2 with ssh version 2.

Verification:

R2#ssh -l user1 192.168.1.10
Password: cisco123
Type help or '?' for a list of available commands.
ASA>


Task 6 : Enable HTTP access to the ASA and manage the firewall with Cisco ASDM.

Enable the HTTPS server on the ASA:

ASA(config)# http server enable

Even with the HTTP server enabled, the ASA does not let anyone connect to ASDM until the administrator authorizes the source addresses and interface, exactly as for telnet and SSH. Authorizing host 10.1.1.5 on the inside interface to access ASDM (the GUI):

ASA(config)# http 10.1.1.5 255.255.255.255 inside

If no user account exists, create one:

ASA(config)# username user1 password cisco123

Check that an ASDM image file is present in the ASA flash:

ASA(config)# show flash:
--#-- --length-- -----date/time------ path
:
12 15841428 Jan 16 2012 19:35:19 asdm-641.bin
:

Open a browser on the PC and go to https://10.1.1.10

The browser warns because the ASA presents a self-signed certificate; select Proceed anyway and then Install ASDM Launcher.

After downloading and installing the ASDM Launcher on the computer, run Cisco ASDM Launcher and provide the mandatory details: device address, username and password. ASDM then loads.
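The settings this lab enables (the telnet, ssh and http lines, passwd and enable password) are exactly the ones to review before an ASA goes into service. The Python below is an added example written for this page, not code from the workbook or from Cisco: it audits those lines in a running configuration and flags any-source management access, telnet, an SSH setup without aaa or without version 2, and the two well-known factory-default password hashes an untouched ASA shows in its configuration. audit_management_access and the two sample configurations are constructed here; the first mirrors this lab's commands with the factory passwords never changed, the second is the hardened equivalent (its hashes are placeholders and 203.0.113.10 is a documentation address).

```python
"""Audit ASA remote-management settings in a running configuration (added example)."""
import re

MGMT_LINE = re.compile(r'^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$')

# Hashes that 'show running-config' displays for the factory-default passwords.
DEFAULT_CREDENTIALS = {
    'passwd 2KFQnbNIdI.2KYOU encrypted':
        'telnet/SSH login password is still the factory default "cisco"',
    'enable password 8Ry2YjIyt7RRXU24 encrypted':
        'enable password is still the factory default (empty)',
}


def audit_management_access(config_text):
    """Return (severity, config line, message) findings for remote-management settings."""
    lines = [line.strip() for line in config_text.splitlines() if line.strip()]
    findings, ssh_enabled = [], False
    for line in lines:
        m = MGMT_LINE.match(line)
        if m:
            service, addr, mask, ifname = m.groups()
            ssh_enabled = ssh_enabled or service == 'ssh'
            if (addr, mask) == ('0.0.0.0', '0.0.0.0'):
                findings.append(('high', line, f'{service} management open to any source on {ifname}'))
            if service == 'telnet':
                findings.append(('medium', line, 'telnet sends the password in cleartext; use ssh'))
        elif line in DEFAULT_CREDENTIALS:
            findings.append(('high', line, DEFAULT_CREDENTIALS[line]))
    if ssh_enabled and not any(l.startswith('aaa authentication ssh console') for l in lines):
        findings.append(('medium', 'ssh', 'no aaa authentication for ssh: logins use the shared passwd'))
    if ssh_enabled and 'ssh version 2' not in lines:
        findings.append(('low', 'ssh', 'ssh version 2 not enforced; the older protocol is still accepted'))
    return findings


# Constructed sample: the state this lab's commands leave the ASA in if the
# factory passwords are never changed.
LAB_CONFIG = """
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
banner login Welcome to CCNP Security Lab of ASA Firewall
http server enable
http 10.1.1.5 255.255.255.255 inside
telnet 10.1.1.1 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
"""

# Constructed hardened equivalent: no telnet, SSHv2 only, sources restricted,
# defaults replaced.  The hashes are placeholders; 203.0.113.10 is a documentation address.
HARDENED_CONFIG = """
hostname ASA
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
http server enable
http 10.1.1.5 255.255.255.255 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 203.0.113.10 255.255.255.255 outside
ssh version 2
aaa authentication ssh console LOCAL
"""


def lab5_findings():
    return audit_management_access(LAB_CONFIG)


def hardened_findings():
    return audit_management_access(HARDENED_CONFIG)


if __name__ == '__main__':
    for severity, line, message in lab5_findings():
        print(f'[{severity:6s}] {line}: {message}')
    print('hardened config findings:', hardened_findings())
```

Against the lab configuration the audit reports five findings (three high: the two default hashes and the any-source SSH line on outside; one medium for telnet; one low for SSH version 2 not being enforced); against the hardened configuration it reports none.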


LAB 6 Dynamic Routing over ASA

Configure the IP addressing as per the following credentials (the show route output in Task 1 confirms that 10.0.0.0/8 is the inside network and 192.168.1.0/24 the outside network)

Device   Interface           Name/Security Level   IP Address      Subnet Mask
ASA      GigabitEthernet0    inside/100            10.1.1.10       255.0.0.0
ASA      GigabitEthernet1    outside/0             192.168.1.10    255.255.255.0
ASA      GigabitEthernet2    DMZ/50                172.16.1.10     255.255.0.0
R1       FastEthernet 0/0    -                     10.1.1.1        255.0.0.0
R1       Loopback 0          -                     11.11.11.11     255.0.0.0
R1       Loopback 1          -                     12.12.12.12     255.0.0.0
R2       FastEthernet 0/0    -                     192.168.1.1     255.255.255.0
R2       Loopback 0          -                     22.22.22.22     255.0.0.0
R2       Loopback 1          -                     23.23.23.23     255.0.0.0
R3       FastEthernet 0/0    -                     172.16.1.1      255.255.0.0
R3       Loopback            -                     33.33.33.33     255.255.255

Configure a default route on all routers pointing towards the ASA.

The Adaptive Security Appliance is designed to perform the tasks of several network devices at once: router, firewall and VPN concentrator. We can therefore also use dynamic routing protocols to build our network around the ASA.

Dynamic routing was not available on the PIX series; it was introduced on the ASA in software version 7.0.

The ASA supports the three most widely used dynamic routing protocols:

RIP

EIGRP

OSPF

Note: the ASA cannot run multiple instances of EIGRP.


Task 1: Configure static routes on the ASA to make the subnets behind the outside interface reachable.

ASA(config)# route outside 22.0.0.0 255.0.0.0 192.168.1.1

ASA(config)# route outside 23.0.0.0 255.0.0.0 192.168.1.1

Verification:

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

Gateway of last resort is not set

S 23.0.0.0 255.0.0.0 [1/0] via 192.168.1.1, outside

C 172.16.0.0 255.255.0.0 is directly connected, DMZ

S 22.0.0.0 255.0.0.0 [1/0] via 192.168.1.1, outside

C 10.0.0.0 255.0.0.0 is directly connected, inside

C 192.168.1.0 255.255.255.0 is directly connected, outside

ASA# ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/30 ms

ASA# ping 23.23.23.23

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/40 ms

Task 2: Clear all the static routes on the ASA

ASA(config)# clear configure route

ASA# show route

C 172.16.0.0 255.255.0.0 is directly connected, DMZ

C 10.0.0.0 255.0.0.0 is directly connected, inside

C 192.168.1.0 255.255.255.0 is directly connected, outside


Task 3: Configure a default route on the ASA to make all destinations reachable via router R2

ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1

or

ASA(config)# route outside 0 0 192.168.1.1

ASA(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

* - candidate default

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C 172.16.0.0 255.255.0.0 is directly connected, DMZ

C 10.0.0.0 255.0.0.0 is directly connected, inside

C 192.168.1.0 255.255.255.0 is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside


Task 4: Configure RIP between router R1 and the ASA and make the loopback addresses on router R1 reachable from the ASA.

Configuring RIP over ASA

ASA(config)# router rip

ASA(config-router)# network 10.0.0.0

ASA(config-router)# version 2

Configuring RIP over Router R1

R1(config)#router rip

R1(config-router)#network 11.0.0.0

R1(config-router)#network 12.0.0.0

R1(config-router)#network 10.0.0.0

R1(config-router)#version 2

Verification:

ASA(config-router)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C 172.16.0.0 255.255.0.0 is directly connected, DMZ

C 10.0.0.0 255.0.0.0 is directly connected, inside

R 11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:10, inside

R 12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:02, inside

C 192.168.1.0 255.255.255.0 is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside


Task 5: Configure EIGRP AS 100 between the ASA and router R3 and make the loopback addresses on R3 reachable from the ASA.

Configuring EIGRP over ASA

ASA(config-router)# router eigrp 100

ASA(config-router)# network 172.16.1.10

Configuring EIGRP over Router R3

R3(config)#router Eigrp 100

R3(config-router)#network 172.16.1.1

R3(config-router)#network 33.33.33.33

*Mar 1 17:05:33.507: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.16.1.10 (FastEthernet0/0) is up: new adjacency

ASA(config)# show eigrp neighbors

EIGRP-IPv4 neighbors for process 100

H   Address          Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                 (sec)           (ms)        Cnt  Num
0   172.16.1.1       Et2         14    00:00:51  20    200   0    3

ASA(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

* - candidate default, U - per-user static route, o - ODR

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

D 33.0.0.0 255.0.0.0 [90/158720] via 172.16.1.1, 0:01:33, DMZ

C 172.16.0.0 255.255.0.0 is directly connected, DMZ

C 10.0.0.0 255.0.0.0 is directly connected, inside

R 11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:05, inside

R 12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:05, inside

C 192.168.1.0 255.255.255.0 is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside


Task 6: Configure OSPF process 1 on the outside interface of the ASA and on router R2.

Configuring OSPF over ASA

ASA(config)# router ospf 1

ASA(config-router)# network 192.168.1.0 255.255.255.0 a 0

Networks are advertised in OSPF using a subnet mask, because the ASA never uses wildcard bits in its configuration.

R2(config)#router ospf 1

R2(config-router)#network 192.168.1.0 0.0.0.255 a 0

R2(config-router)#network 22.0.0.0 0.255.255.255 area 0

R2(config-router)# network 23.0.0.0 0.255.255.255 area 0

ASA(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

* - candidate default, U - per-user static route, o - ODR

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

D 33.0.0.0 255.0.0.0 [90/156160] via 172.16.1.1, 3:00:50, DMZ

O 23.23.23.23 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside

C 172.16.0.0 255.255.0.0 is directly connected, DMZ

O 22.22.22.22 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside

C 10.0.0.0 255.0.0.0 is directly connected, inside

R 11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside

R 12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside

C 192.168.1.0 255.255.255.0 is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside

ASA# show ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
23.23.23.23     1     FULL/DR      0:00:38     192.168.1.1     inside
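Added example (not the workbook's own material): a Python parser for the ASA "show route" output format used throughout this lab (network and mask, [AD/metric], next hop, interface), with a longest-prefix-match lookup that falls back to the S* default route only when nothing more specific matches. The embedded routing table is constructed from the Task 6 output above; the IOS slash-notation format shown on R1 and R3 in Task 7 is not handled. Function names are the script's own.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed routing table in ASA 'show route' format, taken from the Task 6
# output above (sample input for the parser, not live device output).
ROUTE_TABLE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

D    33.0.0.0 255.0.0.0 [90/156160] via 172.16.1.1, 3:00:50, DMZ
O    23.23.23.23 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside
C    172.16.0.0 255.255.0.0 is directly connected, DMZ
O    22.22.22.22 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside
C    10.0.0.0 255.0.0.0 is directly connected, inside
R    11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside
R    12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside
C    192.168.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
"""


class Route(NamedTuple):
    code: str                         # C, S*, R, D, D EX, O ...
    network: ipaddress.IPv4Network
    admin_distance: int               # 0 for connected routes
    metric: int
    next_hop: Optional[str]           # None for directly connected
    interface: str


IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
VIA = re.compile(r"\[(\d+)/(\d+)\] via (\d+\.\d+\.\d+\.\d+)(?:, [\d:]+)?, (\S+)$")
CONNECTED = re.compile(r"is directly connected, (\S+)$")


def parse_show_route(text: str) -> List[Route]:
    """Parse ASA-format route lines ('<code> <network> <mask> ...')."""
    routes: List[Route] = []
    for line in text.splitlines():
        tokens = line.split()
        # the first IPv4 token is the network; the mask must follow it directly
        idx = next((i for i, t in enumerate(tokens) if IPV4.match(t)), None)
        if idx is None or idx == 0 or idx + 1 >= len(tokens) or not IPV4.match(tokens[idx + 1]):
            continue   # code lines, blank lines and the gateway-of-last-resort line
        code = " ".join(tokens[:idx])
        net = ipaddress.IPv4Network(f"{tokens[idx]}/{tokens[idx + 1]}", strict=False)
        rest = " ".join(tokens[idx + 2:])
        m = CONNECTED.search(rest)
        if m:
            routes.append(Route(code, net, 0, 0, None, m.group(1)))
            continue
        m = VIA.search(rest)
        if m:
            routes.append(Route(code, net, int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return routes


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest prefix wins; ties go to the lower administrative distance, then metric.
    The 0.0.0.0/0 default (S*) only matches when nothing more specific does."""
    dst = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.admin_distance, r.metric))


if __name__ == "__main__":
    table = parse_show_route(ROUTE_TABLE)
    for dst in ("23.23.23.23", "11.11.11.11", "172.16.1.1", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:>14} -> {r.code:<4} {r.network} via {r.next_hop or 'connected'} ({r.interface})")
```

Running it shows why the OSPF /32 for 23.23.23.23 is preferred over the S* default even though both point at 192.168.1.1, and how a destination outside every learned prefix (8.8.8.8) falls through to the gateway of last resort.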


Task 7: Redistribute the routing information between RIP and EIGRP and verify the routing updates

Redistributing EIGRP into RIP

ASA(config)# router rip

ASA(config-router)# redistribute eigrp 100

ASA(config-router)# redistribute eigrp 100 metric 2

Redistributing RIP into EIGRP

ASA(config)# router eigrp 100

ASA(config-router)# redistribute rip metric 128000 100 150 150 2000

Verification:

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

* - candidate default, U - per-user static route

Gateway of last resort is 10.1.1.10 to network 0.0.0.0

R 33.0.0.0/8 [120/2] via 10.1.1.10, 00:00:21, FastEthernet0/0

R 172.16.0.0/16 [120/2] via 10.1.1.10, 00:00:21, FastEthernet0/0

C 10.0.0.0/8 is directly connected, FastEthernet0/0

C 11.0.0.0/8 is directly connected, Loopback0

C 12.0.0.0/8 is directly connected, Loopback1

S* 0.0.0.0/0 [1/0] via 10.1.1.10

R3#show ip route

Codes: C - connected, S - static, D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

* - candidate default

Gateway of last resort is 172.16.1.10 to network 0.0.0.0

C 33.0.0.0/8 is directly connected, Loopback0

C 172.16.0.0/16 is directly connected, FastEthernet0/0

D EX 10.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0

D EX 11.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0

D EX 12.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0

S* 0.0.0.0/0 [1/0] via 172.16.1.10


LAB 7 Basic NAT with ASA 8.0

Network Address Translation is the process of changing the source and destination addresses in an IP packet, in order to provide connectivity between private IP address space and public IP addresses, and also to let multiple hosts share a single IP address for access to Internet services.

Configure the IP addressing as per the following details:

Device   Interface           Name/Sec. Level   IP Address      Subnet Mask
ASA      GigabitEthernet0    Outside/0         10.1.1.10       255.0.0.0
ASA      GigabitEthernet1    Inside/100        192.168.1.10    255.255.255.0
ASA      GigabitEthernet2    DMZ/50            172.16.1.10     255.255.0.0
R1       FastEthernet 0/0    -                 10.1.1.1        255.0.0.0
R1       Loopback 0          -                 11.11.11.11     255.0.0.0
R2       FastEthernet 0/0    -                 192.168.1.1     255.255.255.0
R2       Loopback 0          -                 22.22.22.22     255.0.0.0
R3       FastEthernet 0/0    -                 172.16.1.1      255.255.0.0
R3       Loopback            -                 33.33.33.33     255.255.255

Configure Routing and allow ICMP Inspection

R1#ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms


Task 1: Configure the ASA so that it statically translates address 10.1.1.1 to 55.56.57.58 from the inside interface towards the outside.

Whenever a single IP is translated to another IP and the mapping is defined manually by the administrator, it is called a static translation.

On ASA 8.0 all static translations are defined with the static keyword.

Configuring Static Translations over ASA

ASA80(config)# static (inside,outside) 55.56.57.58 10.1.1.1

Verification:

To view the current translations on ASA

ASA80(config)# show xlate

1 in use, 1 most used

Global 55.56.57.58 Local 10.1.1.1

Task 2: Configure the ASA so that it statically translates address 10.1.1.1 to 71.72.73.74 from the inside interface towards the DMZ.

ASA80(config)# static (inside,DMZ) 71.72.73.74 10.1.1.1

Verification:

ASA80(config)# show xlate

2 in use, 2 most used

Global 71.72.73.74 Local 10.1.1.1

Global 55.56.57.58 Local 10.1.1.1

Task 3: Clear all the static translations on the ASA

To clear all the static translations on the ASA at once:

ASA80(config)# clear configure static

Verification:

ASA80(config)# show xlate

0 in use, 2 most used


Task 4: Translate all hosts in the 10.0.0.0/8 subnet to the IP address pool 172.16.1.50 - 172.16.1.60 when traffic from the inside interface is destined for any IP in the DMZ subnets.

Whenever we want to translate a group of addresses to another group we make use of dynamic translation.

Dynamic address translation is configured in two steps:

Define the original (real) address pool that is to be translated

Define the translated addresses, also known as the mapped address pool

The original IP addresses that are to be translated are always defined with the nat command:

ASA80(config)# nat (inside) 2 10.0.0.0 255.0.0.0

Note: the number 2 in the command is the NAT ID, which can be any number in the range 0-2147483647; the same number must be used when mapping the translated address pool.

The translated address pool is defined with the global command, using the same NAT ID as the nat command:

ASA80(config)# global (DMZ) 2 172.16.1.50-172.16.1.60

Because the same NAT ID is used, the nat and global pools are bound together.

verification:

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 24/55/84 ms

ASA80(config)# show xlate

1 in use, 2 most used

Global 172.16.1.60 Local 10.1.1.1


Task 5: Translate all hosts connected to the inside interface to the single IP address 192.168.1.99 when traffic from the inside interface is destined for any IP in the outside subnet.

PAT: whenever multiple IP addresses are translated to a single IP, the port numbers are translated along with the addresses; such translations are called Port Address Translations.

To translate all the traffic we can use the default subnet:

ASA80(config)# nat (inside) 5 0.0.0.0 0.0.0.0

On the ASA the default subnet 0.0.0.0 can be abbreviated to a single "0", so the statement above can also be written as follows:

ASA80(config)# nat (inside) 5 0 0

Defining Translated Address

ASA80(config)# global (outside) 5 192.168.1.99

INFO: Global 192.168.1.99 will be Port Address Translated

Whenever a single IP address is defined as the translated IP, the ASA automatically treats it as PAT; no extra options are required.

Verification:

R1#ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/71/108 ms

R1#ping 23.23.23.23 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds:

Packet sent with a source address of 11.11.11.11

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 20/62/88 ms

ASA80(config)# show xlate

2 in use, 2 most used

PAT Global 192.168.1.99(38897) Local 11.11.11.11 ICMP id 23

PAT Global 192.168.1.99(10530) Local 10.1.1.1 ICMP id 24


LAB 8 Advanced NAT with ASA 8.0

Network Address Translation is the process of changing the source and destination addresses in an IP packet, in order to provide connectivity between private IP address space and public IP addresses, and also to let multiple hosts share a single IP address for access to Internet services.

Configure the IP addressing as per the following details:

Device   Interface           Name/Sec. Level   IP Address      Subnet Mask
ASA      GigabitEthernet0    Outside/0         10.1.1.10       255.0.0.0
ASA      GigabitEthernet1    Inside/100        192.168.1.10    255.255.255.0
ASA      GigabitEthernet2    DMZ/50            172.16.1.10     255.255.0.0
R1       FastEthernet 0/0    -                 10.1.1.1        255.0.0.0
R1       Loopback 0          -                 11.11.11.11     255.0.0.0
R2       FastEthernet 0/0    -                 192.168.1.1     255.255.255.0
R2       Loopback 0          -                 22.22.22.22     255.0.0.0
R3       FastEthernet 0/0    -                 172.16.1.1      255.255.0.0
R3       Loopback            -                 33.33.33.33     255.255.255

Configure Routing and allow ICMP Inspection

R1#ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms

Clear all the configuration from the previous lab before proceeding with this lab.


Task 1: Configure the ASA to enforce translation on all traffic, so that only translated traffic passes through the ASA and everything else is denied.

A special feature of the PIX was to enforce translation on all traffic; ASA 8.0 inherited it under the name nat-control.

Before enabling nat-control:

R1#ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/51/104 ms

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/140 ms

To enable nat-control on the ASA:

ASA80(config)# nat-control

Verification:

R1#ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R1#ping 33.33.33.33 source 11.11.11.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

Packet sent with a source address of 11.11.11.11

.....

Success rate is 0 percent (0/5)


Task 2: Exempt host 10.1.1.1 from nat-control and make sure that the host can communicate with any other subnet without translation even while nat-control is enabled.

NAT ID 0 is reserved for defining no address translation: whenever NAT is to be bypassed for some host or subnet, that host or subnet is defined with the nat command using ID "0".

ASA80(config)# nat (inside) 0 10.1.1.1 255.255.255.255

nat 0 10.1.1.1 will be identity translated for outbound

ID 0 indicates no address translation, also known as NAT exemption.

R1#ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/49/100 ms

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/61/124 ms

ASA80(config)# show xlate

2 in use, 2 most used

Global 10.1.1.1 Local 10.1.1.1

Global 10.1.1.1 Local 10.1.1.1

Traffic generated by other hosts is still blocked because of nat-control.

R1#ping 33.33.33.33 source 11.11.11.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

Packet sent with a source address of 11.11.11.11

.....

Success rate is 0 percent (0/5)


Task 3: Translate traffic from 11.11.11.11 on the inside to 202.11.59.19 only when it is destined for host 23.23.23.23 on the outside interface.

Whenever a condition is attached to a translation it is known as a policy-based translation; the desired condition is defined with an access-list.

Creating the access-list that defines the condition for translation:

ASA80(config)# access-list nat1 permit ip host 11.11.11.11 host 23.23.23.23

We have created an access-list named nat1 which matches traffic from host 11.11.11.11 to host 23.23.23.23.

Binding that access-list to the nat statement, so that translation is enforced only on traffic matching the access-list:

ASA80(config)# nat (inside) 9 access-list nat1

ASA80(config)# global (outside) 9 202.11.59.19

INFO: Global 202.11.59.19 will be Port Address Translated

Verification:

R1#ping 23.23.23.23 source 11.11.11.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds:

Packet sent with a source address of 11.11.11.11

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/71/132 ms

ASA80(config)# show xlate

3 in use, 3 most used

PAT Global 202.11.59.19(58154) Local 11.11.11.11 ICMP id 41

The same host cannot reach other destinations, as they do not match the ACL in the nat statement.

R1#ping 22.22.22.22 source 11.11.11.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

Packet sent with a source address of 11.11.11.11

.....

Success rate is 0 percent (0/5)
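Added example covering LAB 7 Tasks 1, 4 and 5 and LAB 8 Tasks 1 to 3 (this is not the workbook's code and does not claim to reproduce the ASA's internal implementation): a Python model of how ASA 8.0 decides what happens to a new outbound flow given static, nat/global, nat 0 and nat-control configuration. Rules are evaluated in the 8.0 category order (NAT exemption, static, policy NAT, regular NAT, with nat 0 without an access-list treated as identity NAT), and a flow that matches nothing is dropped when nat-control is on and passed untranslated otherwise. Within a category the model uses configuration order, which is a simplification. The lab8_scenario() builder is constructed from the Lab 8 commands; the class and function names are the script's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Static:            # static (real_if,mapped_if) mapped real
    real_if: str
    mapped_if: str
    mapped: Addr
    real: Addr


@dataclass
class NatRule:           # nat (real_if) id real mask   or   nat (real_if) id access-list NAME
    real_if: str
    nat_id: int
    network: Optional[Net] = None
    acl: Optional[str] = None


@dataclass
class Global:            # global (mapped_if) id first[-last]; first == last means PAT
    mapped_if: str
    nat_id: int
    first: Addr
    last: Addr


@dataclass
class Asa80Nat:
    nat_control: bool = False
    statics: List[Static] = field(default_factory=list)
    nats: List[NatRule] = field(default_factory=list)
    globals_: List[Global] = field(default_factory=list)
    # access-list name -> permitted (source, destination) pairs used by policy NAT
    acls: Dict[str, List[Tuple[Net, Net]]] = field(default_factory=dict)

    def _nat_matches(self, rule: NatRule, src: Addr, dst: Addr, in_if: str) -> bool:
        if rule.real_if != in_if:
            return False
        if rule.acl is not None:
            return any(src in s and dst in d for s, d in self.acls.get(rule.acl, []))
        return src in rule.network

    def _global_for(self, nat_id: int, out_if: str) -> Optional[Global]:
        return next((g for g in self.globals_ if g.nat_id == nat_id and g.mapped_if == out_if), None)

    def decide(self, src_ip: str, dst_ip: str, in_if: str, out_if: str) -> str:
        """Return what the modelled 8.0 NAT engine does with a new outbound flow."""
        src, dst = Addr(src_ip), Addr(dst_ip)
        # 1. NAT exemption: nat 0 with an access-list
        for r in self.nats:
            if r.nat_id == 0 and r.acl is not None and self._nat_matches(r, src, dst, in_if):
                return f"exempt: {src} passes untranslated"
        # 2. static translation for this interface pair
        for s in self.statics:
            if s.real_if == in_if and s.mapped_if == out_if and s.real == src:
                return f"static: {src} -> {s.mapped}"
        # 3. policy NAT (nat id with access-list), then 4. regular NAT; nat 0 = identity NAT
        for policy_pass in (True, False):
            for r in self.nats:
                if (r.acl is not None) != policy_pass or not self._nat_matches(r, src, dst, in_if):
                    continue
                if r.nat_id == 0:
                    return f"identity: {src} -> {src}"
                g = self._global_for(r.nat_id, out_if)
                if g is None:
                    continue                     # no global for this id on the egress interface
                if g.first == g.last:
                    return f"pat: {src} -> {g.first} (ports translated)"
                return f"dynamic: {src} -> pool {g.first}-{g.last}"
        # 5. nothing matched: nat-control turns this into a drop
        return "drop: nat-control requires a translation" if self.nat_control else f"pass: {src} untranslated"


def lab8_scenario() -> Asa80Nat:
    """Constructed from the LAB 8 commands: nat-control, nat 0 for 10.1.1.1,
    policy PAT of 11.11.11.11 -> 202.11.59.19 only towards 23.23.23.23."""
    asa = Asa80Nat(nat_control=True)
    asa.nats.append(NatRule("inside", 0, network=Net("10.1.1.1/32")))
    asa.acls["nat1"] = [(Net("11.11.11.11/32"), Net("23.23.23.23/32"))]
    asa.nats.append(NatRule("inside", 9, acl="nat1"))
    asa.globals_.append(Global("outside", 9, Addr("202.11.59.19"), Addr("202.11.59.19")))
    return asa


if __name__ == "__main__":
    asa = lab8_scenario()
    for src, dst in (("10.1.1.1", "22.22.22.22"), ("11.11.11.11", "23.23.23.23"), ("11.11.11.11", "22.22.22.22")):
        print(f"{src} -> {dst}: {asa.decide(src, dst, 'inside', 'outside')}")
```

The three flows printed correspond to the three ping results in Lab 8: 10.1.1.1 is identity-translated by nat 0, 11.11.11.11 reaches 23.23.23.23 through the policy PAT, and 11.11.11.11 towards 22.22.22.22 is dropped because nat-control finds no translation for it.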


LAB 9 Basic NAT with ASA 8.4

From ASA version 8.4, Cisco introduced a new way of configuring Network Address Translation on the ASA using objects. All translations are based on network objects; the legacy static and global commands have been removed and every translation is configured with the single nat command.

Configure the IP addressing as per the following details:

Device   Interface           Name/Sec. Level   IP Address      Subnet Mask
ASA      GigabitEthernet0    Outside/0         10.1.1.10       255.0.0.0
ASA      GigabitEthernet1    Inside/100        192.168.1.10    255.255.255.0
ASA      GigabitEthernet2    DMZ/50            172.16.1.10     255.255.0.0
R1       FastEthernet 0/0    -                 10.1.1.1        255.0.0.0
R1       Loopback 0          -                 11.11.11.11     255.0.0.0
R2       FastEthernet 0/0    -                 192.168.1.1     255.255.255.0
R2       Loopback 0          -                 22.22.22.22     255.0.0.0
R3       FastEthernet 0/0    -                 172.16.1.1      255.255.0.0
R3       Loopback            -                 33.33.33.33     255.255.255

Configure Routing and allow ICMP Inspection

R1#ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms


Task 1: Configure the ASA so that it statically translates address 10.1.1.1 to 55.56.57.58 from the inside interface towards the outside.

For every translation we need to create objects defining the traffic that takes part in the translation; the translation is applied to the objects, not to the traffic directly.

Two types of objects were introduced specifically for translations:

Network

Service

A network object defines an IP address, a subnet or a range of IPs.

A service object defines TCP or UDP services.

For a static translation we need two different objects, each defining an individual host.

Creating Network Objects

ASA84(config)# object network host-in

ASA84(config-network-object)# host 10.1.1.1

ASA84(config-network-object)# exit

The object host-in has been created for host 10.1.1.1; another object for the mapped IP must be created:

ASA84(config)# object network mapped-out

ASA84(config-network-object)# host 55.56.57.58

ASA84(config-network-object)# exit

Making Static translations over objects

ASA84(config)# nat (inside,outside) source static host-in mapped-out

Verification:

ASA84(config)# show run object

object network host-in

host 10.1.1.1

object network mapped-out

host 55.56.57.58

ASA84(config)# show xlate

1 in use, 1 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.1 to outside:55.56.57.58

flags s idle 0:00:56 timeout 0:00:00


Task 2: Configure the ASA so that it statically translates address 10.1.1.1 to 71.72.73.74 from the inside interface towards the DMZ.

Creating an object to define the new mapped IP address:

ASA84(config)# object network map-dmz

ASA84(config-network-object)# host 71.72.73.74

ASA84(config-network-object)# exit

Defining Translation

ASA84(config)# nat (inside,DMZ) source static host-in map-dmz

Verification:

ASA84(config)# sh xlate

2 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.1 to outside:55.56.57.58

flags s idle 0:13:44 timeout 0:00:00

NAT from inside:10.1.1.1 to DMZ:71.72.73.74

flags s idle 0:01:14 timeout 0:00:00

ASA84(config)# show nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source static host-in mapped-out

translate_hits = 0, untranslate_hits = 0

2 (inside) to (DMZ) source static host-in map-dmz

translate_hits = 0, untranslate_hits = 0

ASA84(config)# show run nat

nat (inside,outside) source static host-in mapped-out

nat (inside,DMZ) source static host-in map-dmz

Task 3 : Clear All the Static Translations Over ASA

ASA84(config)# clear configure nat


Task 4: Translate all hosts in the 10.0.0.0/8 subnet to the IP address pool 172.16.1.50 - 172.16.1.60 when traffic from the inside interface is destined for any IP in the DMZ subnets.

ASA84(config)# object network subnet-in

ASA84(config-network-object)# subnet 10.0.0.0 255.0.0.0

ASA84(config)# object network isp-range

ASA84(config-network-object)# range 172.16.1.50 172.16.1.60

Defining Translations

ASA84(config)# nat (inside,DMZ) source dynamic subnet-in isp-range

ASA84(config)# show xlate

1 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.1 to DMZ:172.16.1.59 flags i idle 0:00:13 timeout 3:00:00

ASA84(config)# show nat

Manual NAT Policies (Section 1)

1 (inside) to (DMZ) source dynamic subnet-in isp-range

translate_hits = 5, untranslate_hits = 0

Task 5: Translate all hosts connected to the inside interface to the single IP address 192.168.1.99 when traffic from the inside interface is destined for any IP in the outside subnet.

Creating a new object to define the mapped address:

ASA84(config)# object network pat-ip

ASA84(config-network-object)# host 192.168.1.99

ASA84(config-network-object)# exit

Defining Translation

ASA84(config)# nat (inside,outside) source dynamic any pat-pool pat-ip

Verification:

ASA84(config)# show xlate

2 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

ICMP PAT from inside:10.1.1.1/52 to outside:192.168.1.99/52 flags ri idle 0:00:06 timeout 0:00:30


LAB 10 Advanced NAT with ASA 8.4

Along with object-based NAT, ASA 8.4 introduced an additional option called Auto NAT, where the translation is defined inside the object itself.

Configure the IP addressing as per the following details:

Device   Interface           Name/Sec. Level   IP Address      Subnet Mask
ASA      GigabitEthernet0    Outside/0         10.1.1.10       255.0.0.0
ASA      GigabitEthernet1    Inside/100        192.168.1.10    255.255.255.0
ASA      GigabitEthernet2    DMZ/50            172.16.1.10     255.255.0.0
R1       FastEthernet 0/0    -                 10.1.1.1        255.0.0.0
R1       Loopback 0          -                 11.11.11.11     255.0.0.0
R2       FastEthernet 0/0    -                 192.168.1.1     255.255.255.0
R2       Loopback 0          -                 22.22.22.22     255.0.0.0
R3       FastEthernet 0/0    -                 172.16.1.1      255.255.0.0
R3       Loopback            -                 33.33.33.33     255.255.255

Configure Routing and allow ICMP Inspection

R1#ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms


Task 1: Configure the ASA so that it statically translates address 10.1.1.1 to 55.56.57.58 from the inside interface towards the outside, using Auto NAT.

Auto NAT is a translation statement defined inside a network object:

ASA84(config)# object network host-in

ASA84(config-network-object)# host 10.1.1.1

ASA84(config-network-object)# nat (inside,outside) static 55.56.57.58

ASA84(config-network-object)# exit

Verification

ASA84(config)# show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static host-in 55.56.57.58

translate_hits = 0, untranslate_hits = 0

ASA84(config)# show run object

object network host-in

host 10.1.1.1

ASA84(config)# show run nat

!

object network host-in

nat (inside,outside) static 55.56.57.58

ASA84(config)# show xlate

1 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.1 to outside:55.56.57.58

flags s idle 0:05:14 timeout 0:00:00


Task 2: Configure the ASA to translate any IP address sourced from any interface to the outside interface IP of the ASA.

ASA84(config)# nat (any,outside) source dynamic any interface

The statement above translates any IP arriving on any interface and leaving via the outside interface to the IP address assigned to the outside interface.

ASA84(config)# show nat

Manual NAT Policies (Section 1)

1 (any) to (outside) source dynamic any interface

translate_hits = 0, untranslate_hits = 0

R3#ping 22.22.22.22

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/48 ms

ASA84(config)# show xlate

2 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.1 to outside:55.56.57.58

flags s idle 0:19:55 timeout 0:00:00

ICMP PAT from any:172.16.1.1/0 to outside:192.168.1.10/31798 flags ri idle 0:00:04 timeout 0:00:30
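Added example (not from the workbook): a Python parser for the ASA 8.4 object-based NAT configuration shown in LABs 9 and 10. It collects network objects, manual (twice) NAT statements and Auto NAT statements nested inside objects, resolves object names to their definitions, lists the policies as Section 1 (manual) followed by Section 2 (auto) the way "show nat" does, and flags a catch-all rule such as "nat (any,outside) source dynamic any interface" for review. The embedded configuration is constructed from the commands of LAB 9 Tasks 4 and 5 and LAB 10 Tasks 1 and 2; Section 2 is listed in configuration order here, whereas the real ASA orders Auto NAT rules by type and prefix length. Function and type names are the script's own.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed configuration built from the object and nat statements of LAB 9
# (Tasks 4 and 5) and LAB 10 (Tasks 1 and 2); sample input, not a device dump.
ASA84_CONFIG = """\
object network host-in
 host 10.1.1.1
 nat (inside,outside) static 55.56.57.58
object network subnet-in
 subnet 10.0.0.0 255.0.0.0
object network isp-range
 range 172.16.1.50 172.16.1.60
object network pat-ip
 host 192.168.1.99
!
nat (inside,DMZ) source dynamic subnet-in isp-range
nat (inside,outside) source dynamic any pat-pool pat-ip
nat (any,outside) source dynamic any interface
"""


class NatPolicy(NamedTuple):
    section: int        # 1 = manual (twice) NAT, 2 = Auto NAT defined inside an object
    real_if: str
    mapped_if: str
    kind: str           # "static" or "dynamic"
    real: str           # resolved real address(es)
    mapped: str         # resolved mapped address(es), "interface" or a literal host


OBJ_RE = re.compile(r"^object network (\S+)$")
DEF_RE = re.compile(r"^\s+(host \S+|subnet \S+ \S+|range \S+ \S+)$")
AUTO_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) (static|dynamic) (\S+)$")
MANUAL_RE = re.compile(r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (?:pat-pool )?(\S+)$")

MISSING = "<missing object>"


def parse_asa84_nat(config: str) -> List[NatPolicy]:
    """Return the NAT policies in 'show nat' order: Section 1 manual, then Section 2 auto."""
    objects: Dict[str, str] = {}
    auto: List[tuple] = []
    manual: List[tuple] = []
    current: Optional[str] = None     # object whose block we are inside
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
            continue
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            objects.setdefault(current, MISSING)
            continue
        if current is not None:
            m = DEF_RE.match(line)
            if m:
                objects[current] = m.group(1)
                continue
            m = AUTO_RE.match(line)
            if m:
                auto.append((m.group(1), m.group(2), m.group(3), current, m.group(4)))
                continue
        current = None                 # any other top-level line ends the object block
        m = MANUAL_RE.match(line)
        if m:
            manual.append(m.groups())

    def resolve(name: str) -> str:
        return name if name in ("any", "interface") else objects.get(name, MISSING)

    policies = [NatPolicy(1, a, b, kind, resolve(real), resolve(mapped))
                for a, b, kind, real, mapped in manual]
    policies += [NatPolicy(2, a, b, kind, objects[obj], mapped)
                 for a, b, kind, obj, mapped in auto]
    return policies


def audit(policies: List[NatPolicy]) -> List[str]:
    """Flag rules a reviewer would want to look at."""
    findings: List[str] = []
    for p in policies:
        if p.real_if == "any" and p.real == "any" and p.mapped == "interface":
            findings.append(f"catch-all PAT: any source on any interface hidden behind the {p.mapped_if} address")
        if MISSING in (p.real, p.mapped):
            findings.append(f"rule references an object with no definition: {p}")
    return findings


if __name__ == "__main__":
    pols = parse_asa84_nat(ASA84_CONFIG)
    for p in pols:
        print(f"Section {p.section}: ({p.real_if}) to ({p.mapped_if}) source {p.kind} {p.real} -> {p.mapped}")
    print("findings:", audit(pols) or "none")
```

Resolving the object names is what makes the listing reviewable: "subnet-in isp-range" becomes "subnet 10.0.0.0 255.0.0.0 -> range 172.16.1.50 172.16.1.60", and a rule that names an object with no definition shows up immediately instead of failing only when the configuration is applied.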


LAB 11 Java, ActiveX & Web Filtering

Java and ActiveX are regarded as attractive programming technologies, but seen from the other side they are also heavily used to write scripts that attack systems. Such scripts are usually allowed into your network because they travel as a kind of text document, but Cisco built the ASA to identify and filter traffic of the following specific types:

ActiveX

FTP

HTTPS

Java & URL

Task 1: Configure the ASA so that it filters all web traffic for the inside subnet and drops packets which contain a Java program.

The ASA uses the filter command to filter a specific data type within a service:

ASA(config)# filter java http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0

Now no host in the 10.0.0.0/8 subnet can download or upload a Java program over HTTP.

In the command above, java is the content type to filter, http the service to be filtered, 10.0.0.0 255.0.0.0 the inside (local) subnet and 0.0.0.0 0.0.0.0 the outside (foreign) subnet.


Task 2: Configure the ASA so that it filters all web and FTP traffic on all subnets and drops packets which contain an ActiveX program.

ASA(config)# filter activex http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

ASA(config)# filter activex ftp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Task 3: Configure a Websense URL filter server in the inside subnet at IP address 10.0.1.11. Configure the ASA so that it filters all web traffic from the inside subnets for URLs using that URL filter server.

The ASA is not very flexible at filtering URLs granularly on its own, so it gets help from supporting URL filter servers to filter web traffic by URL. The ASA supports only two URL filters, namely Websense and SmartFilter.

ASA(config)# url-server (inside) vendor websense host 10.0.1.11

ASA(config)# filter url http 1.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0


LAB 12 Modular Policy Framework

Interface configuration on the ASA and other devices

Interface     IP Address      Name      Security Level
Ethernet 0    192.168.1.10    Outside   0
Ethernet 1    10.1.1.10       Inside    100
Ethernet 2    172.16.1.10     DMZ       50

Configure a default route on both routers pointing towards the ASA.

Device Interface Ip Address Subnet Mask

R1 FastEthernet 0/0 10.0.1.10 255.0.0.0

R2 Fast Ethernet 0/0 192.168.1.10 255.255.255.0

R3 Fast Ethernet 0/0 172.16.0.10 255.255.0.0

When we call the interconnection of people a network, we have different types of people in that network, and not everyone who uses it is the same. In other words, a single network has multiple types of users, yet we want the network to behave differently for each of them: for example, a normal user should be restricted to a certain bandwidth while a privileged user should get higher bandwidth. We always want the behaviour of the same network to change depending on the user and the usage.

To provide this functionality, ASA has a complete framework called the Modular Policy Framework (MPF). MPF depends mainly on three components:

1. Class-map, where we catch the interesting traffic

2. Policy-map, where we define the desired action on the interesting traffic

3. Service-policy, where we apply the policy to a selected interface


TASK 1

Configure ASA to catch the traffic from the inside subnet and restrict its bandwidth usage to 8000 bits per second when its destination is R2.

Steps to configure:-

1. Create a class-map

2. Create a policy-map

3. Define the service-policy

A class-map is the tool used to catch interesting traffic at a granular level: we can catch traffic not only by layer 3 addresses (IP addresses) through an access-list, but also by its precedence, tunnel group, RTP port range and DSCP values.

Create an access-list to define the flow of traffic; here we want to catch the traffic that starts from the inside subnet and goes to Site-A (R2).

ASA(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

Create a class-map with any name and call the access-list in class-map

ASA(config)# class-map c-map

ASA(config-cmap)# match access-list 101

ASA(config-cmap)# exit

Now that we are done catching the interesting traffic, the next step is to define the action on that traffic; to do that we create a policy-map.

The policy-map is where we define the desired action on the caught interesting traffic, with more granular options than just permitting and denying traffic: actions such as police, priority and inspect.

ASA(config)# policy-map p-map

We created a policy-map with the name “p-map”; under that policy-map we call the class-map we created, which binds the class-map to the policy-map, and then we define the action on it.

ASA(config-pmap)# class c-map

ASA(config-pmap-c)# police input 8000

The final step of our configuration is to apply the created policy; we can apply the policy to a single interface or globally to all interfaces.

ASA(config)# service-policy p-map interface outside


Verification

We can verify the applied policy by generating an extended ping from R1 to the destination at Site-A (R2, 192.168.1.10); the datagram size is increased to generate heavier traffic.

R1#ping

Protocol [ip]:

Target IP address: 192.168.1.10

Repeat count [5]: 30

Datagram size [100]: 1000

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 30, 1000-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:

!!.!!.!!.!.!!.!.!!.!!.!.!!.!!.

Success rate is 63 percent (19/30), round-trip min/avg/max = 20/59/92 ms

Here we can observe the packets being dropped when they exceed the policy.

If we further increase the size of the datagram, more packets get dropped.

R1#ping

Protocol [ip]:

Target IP address: 192.168.1.10

Repeat count [5]: 30

Datagram size [100]: 2000

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 30, 2000-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:

!.!..!..!...!...!...!..!...!..

Success rate is 30 percent (9/30), round-trip min/avg/max = 56/72/92 ms
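The two pings above show the behaviour of a policer: the bigger the datagram, the more echoes exceed the configured rate and are dropped. The following single-rate token-bucket model, added here as an illustration and not taken from the workbook or from Cisco, reproduces that effect for the 8000 bits per second rate of Task 1. The burst size of 3000 bytes, the 60 ms round-trip time and the 2 second ping timeout are assumed values, and the drop counts it prints come from this model, not from the lab output above.

```python
"""
Token-bucket model of the "police input 8000" action, showing why larger
ping datagrams produce more drops. Added illustration, not ASA code: the
rate comes from the task; the burst size, RTT and timeout are assumptions,
and the drop counts are those of this model, not of the lab output.
"""


def simulate_ping(size_bytes: int, count: int = 30, rate_bps: int = 8000,
                  burst_bytes: int = 3000, rtt_ms: int = 60,
                  timeout_ms: int = 2000) -> tuple:
    """Send `count` echoes of `size_bytes` through a single-rate policer.

    The bucket holds at most `burst_bytes` tokens and refills at `rate_bps`.
    A packet conforms only if the bucket holds at least its size in tokens;
    otherwise it is dropped and consumes nothing. As with IOS ping, the next
    echo goes out after the reply (one RTT) or after the timeout on a drop.
    Returns (pattern, conforming_count) with pattern in IOS '!'/'.' notation.
    """
    tokens = burst_bytes      # the bucket starts full
    now_ms = 0
    last_ms = 0
    pattern = []
    for _ in range(count):
        # Refill for the time elapsed since the previous packet, capped at
        # the burst size. Integer arithmetic keeps the model exact.
        refill = (rate_bps * (now_ms - last_ms)) // 8000   # bits/s * ms -> bytes
        tokens = min(burst_bytes, tokens + refill)
        last_ms = now_ms
        if tokens >= size_bytes:
            tokens -= size_bytes
            pattern.append("!")
            now_ms += rtt_ms
        else:
            pattern.append(".")
            now_ms += timeout_ms
    text = "".join(pattern)
    return text, text.count("!")


if __name__ == "__main__":
    for size in (100, 1000, 2000):
        pattern, ok = simulate_ping(size)
        print(f"{size:5d}-byte echoes: {pattern}  {ok}/30 conform")
```

With these assumptions 100-byte echoes never exceed the rate, 1000-byte echoes lose roughly every third packet once the initial burst is spent, and 2000-byte echoes alternate between conform and drop because a single packet drains most of the bucket and one timeout is only long enough to refill it once.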


TASK 2

Configure ASA to catch the telnet traffic from the inside subnet and prioritize it when its destination is R3.

Create a class-map to catch the telnet traffic; here I am catching the traffic using an extended ACL.

ASA(config)# access-list 102 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq telnet

ASA(config)# class-map telnet-traffic

ASA(config-cmap)# match access-list 102

Create a policy-map to define priority action over the class

ASA(config-cmap)# policy-map inspect-telnet

ASA(config-pmap)# class telnet-traffic

ASA(config-pmap-c)# priority

Apply the created policy-map to the interface.

Before applying a priority-type policy-map to an interface we have to enable the priority queue on that interface and set the queue limit.

ASA(config)# priority-queue dmz

ASA(config-priority-queue)# queue-limit 1024

ASA(config-priority-queue)# exit

Now we can apply that policy-map to interface dmz, as we have configured the priority queue on that interface.

ASA(config)# service-policy inspect-telnet interface dmz


LAB 13 Virtual Firewall

One of the major advancements made from PIX to ASA is the capability of virtual firewalling on ASA.

The virtual firewall methodology enables a physical firewall to be partitioned into multiple standalone firewalls. Each standalone firewall acts and behaves as an independent entity with its own configuration, interfaces, security policies, routing table, and administrators.

In Cisco ASA, these virtual firewalls are known as security contexts.

Two major features of ASA are not supported when you make it into virtual firewalls:

=>VPN

=>Dynamic Routing Protocols

Connect to your firewall using the console port and start configuring the virtual firewalls.

Before making your ASA into a virtual firewall make sure you take a backup of your whole running configuration, because when you change the mode of your ASA into virtual firewalls, or from virtual firewalls back to single mode, you lose the entire running configuration of the device.

Even if you do not take a backup, by default your ASA saves the current running configuration to its flash with the file name “old_running.cfg”.

[Figure: one physical ASA partitioned into Context 1 and Context 2]


To check the current mode of your ASA

ciscoasa(config)# show mode

Security context mode: single

To check whether your ASA is capable of virtual firewalling, look at the show version output or filter that output as follows:

ciscoasa# show version | grep Security Contexts

Security Contexts : 2

The output gives the device's capacity for virtual firewalls; the value 2 above means I am allowed to create two security contexts.

To change the mode of ASA from single to virtual

ciscoasa(config)# mode multiple

WARNING: This command will change the behavior of the device

WARNING: This command will initiate a Reboot

Proceed with change mode? [confirm]

Convert the system configuration? [confirm]

As soon as you issue this command your ASA reloads itself and your entire current configuration is erased.

ciscoasa# show mode

Security context mode: multiple

As we know, ASA makes a backup of the running configuration in flash; it is visible when we list the files in flash.

ciscoasa# show flash:

Directory of flash:/

9 -rw- 2076 07:45:11 Oct 17 2011 old_running.cfg

10 -rw- 1446 07:45:12 Oct 17 2011 admin.cfg

16128000 bytes total (16119296 bytes free)


To see the current contexts on ASA we can issue the command

ciscoasa# show context

Context Name      Class      Interfaces      URL
*admin            default    Ethernet0       flash:/admin.cfg

Total active Security Contexts: 1

From the above output we can observe that we have one context named “admin” which we did not create. When we change the mode from single to multiple, one context is created by default, named the “admin” context, and it has certain more privileges than the other contexts.

A special property of this admin context is that the whole configuration of your physical device is copied into it, and this context replaces the actual device. Excluding the admin context we can make two more contexts (on this device), so in total we will have 3 contexts (as the admin context is not counted in the created-context list).

If we want to configure any context, we have to enter that particular context and configure it there.

To enter the context

ciscoasa(config)# changeto context admin

ciscoasa/admin(config)#

Now we are in the admin context, which we can observe from the change in the hostname prompt.

And to get back to the system execution space:

ciscoasa/admin(config)# changeto system

ciscoasa(config)#


Task 1

Create two contexts named CTX1 and CTX2, allocate two interfaces to each context, and assign IP addresses to the interfaces as per the credentials below. Save the configuration of each context in flash under the name of the context.

Context  Interface   IP Address    Subnet Mask    Security Level  Interface Name
CTX1     Ethernet 0  1.1.1.1       255.0.0.0      100             Inside
CTX1     Ethernet 1  192.168.1.1   255.255.255.0  0               Outside
CTX2     Ethernet 2  2.2.2.2       255.0.0.0      100             Inside
CTX2     Ethernet 3  172.16.1.1    255.255.0.0    0               Outside

Steps to Configure:-

1. Create the context

2. Allocate interfaces

3. Assign the configuration location

Creating Context

Remember that the names which we assign to contexts are case-sensitive.

ciscoasa(config)# context CTX1

Creating context 'CTX1'... Done. (2)

ciscoasa(config-ctx)# exit

ciscoasa(config)# context CTX2

Creating context 'CTX2'... Done. (3)

Allocating Interfaces to Context

To allocate an interface to a context, get into that context's definition and assign the desired interface. We can even assign one interface to two different contexts; that is called a shared interface.

ciscoasa(config)# context CTX1

ciscoasa(config-ctx)# allocate-interface ethernet0

ciscoasa(config-ctx)# allocate-interface ethernet1

ciscoasa(config-ctx)# exit

ciscoasa(config)# context CTX2

ciscoasa(config-ctx)# allocate-interface ethernet2

ciscoasa(config-ctx)# allocate-interface ethernet3

ciscoasa(config-ctx)# exit


Assigning Configuration location to context

ciscoasa(config)# context CTX1

ciscoasa(config-ctx)# config-url flash:CTX1

INFO: Converting flash:CTX1 to flash:/CTX1

WARNING: Could not fetch the URL flash:/CTX1

INFO: Creating context with default config

ciscoasa(config-ctx)# exit

ciscoasa(config)# context CTX2

ciscoasa(config-ctx)# config-url flash:CTX2

INFO: Converting flash:CTX2 to flash:/CTX2

WARNING: Could not fetch the URL flash:/CTX2

INFO: Creating context with default config

ciscoasa(config-ctx)# exit

Assigning Ip addresses to contexts.

ciscoasa(config)# changeto context CTX1

ciscoasa/CTX1(config)# interface ethernet0

ciscoasa/CTX1(config-if)# ip address 1.1.1.1 255.0.0.0

ciscoasa/CTX1(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa/CTX1(config-if)# no shutdown

ciscoasa/CTX1(config-if)# interface ethernet1

ciscoasa/CTX1(config-if)# ip add 192.168.1.1 255.255.255.0

ciscoasa/CTX1(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa/CTX1(config-if)# no shutdown

ciscoasa/CTX1(config-if)# changeto system

ciscoasa(config)# changeto context CTX2

ciscoasa/CTX2(config)# interface ethernet2

ciscoasa/CTX2(config-if)# ip address 2.2.2.2 255.0.0.0

ciscoasa/CTX2(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa/CTX2(config-if)# no shutdown

ciscoasa/CTX2(config-if)# interface ethernet3

ciscoasa/CTX2(config-if)# ip address 172.16.1.1 255.255.0.0

ciscoasa/CTX2(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa/CTX2(config-if)# no shutdown


Verifying the configurations

ciscoasa(config)# show context

Context Name      Class      Interfaces             URL
*admin            default                           flash:/admin.cfg
CTX1              default    Ethernet0,Ethernet1    flash:/CTX1
CTX2              default    Ethernet2,Ethernet3    flash:/CTX2

ciscoasa(config)# changeto context CTX1
ciscoasa/CTX1(config)# show run interface
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.0.0.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
ciscoasa/CTX1# changeto system
ciscoasa(config)#

ciscoasa(config)# changeto context CTX2
ciscoasa/CTX2(config)# show run interface
!
interface Ethernet2
 nameif inside
 security-level 100
 ip address 2.2.2.2 255.0.0.0
!
interface Ethernet3
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.0.0
ciscoasa/CTX2(config)# changeto system
ciscoasa(config)#


Task 2

Configure context CTX1 to inspect ICMP, and configure an access-list to deny any traffic from the inside to the outside subnets.

Steps to configure:-

1. Get into the specific context

2. Then apply the desired rules

ciscoasa(config)# changeto context CTX1

ciscoasa/CTX1(config)# policy-map global_policy

ciscoasa/CTX1(config-pmap)# class inspection_default

ciscoasa/CTX1(config-pmap-c)# inspect icmp

PC-A#ping 192.168.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 8/22/40 ms

As soon as ICMP inspection is on, we can see that ICMP traffic is allowed to pass.

ciscoasa/CTX1(config)# changeto context CTX2

ciscoasa/CTX2(config)# access-list 101 deny ip any 172.16.0.0 255.255.0.0

ciscoasa/CTX2(config)# access-group 101 in interface inside

R2#ping 172.16.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.10, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

We can see here that no traffic is allowed from the inside to the outside subnets, but the traffic from the PC to R1 is still allowed.

PC-A#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/27/64 ms

As we made this configuration in context CTX2, it does not affect the other context CTX1; from this we can conclude that each context maintains its own configuration.


Lab 14 Transparent Firewall

To view the current working mode of ASA, issue the following command

ASA# show firewall

Firewall mode: Router

To change the mode of ASA from router mode to transparent mode, issue the following command

ASA(config)# firewall transparent

!! As soon as we issue the above command on ASA we lose our entire running configuration.

ASA(config)# show firewall

Firewall mode: Transparent

As we are now working in transparent mode we do not have any IP addresses configured, but we still need an IP address for the firewall so that we can manage the device remotely.

To assign an IP address to a firewall in transparent mode, a new virtual interface, called the Bridge Virtual Interface (BVI), has to be configured, and the firewall's IP address is assigned to that interface.

A layer 2 switch does not require any IP addresses: being a layer 2 device it works with MAC addresses, and it behaves as a hidden device in the network, never exhibiting its existence.

From the basics of firewalls we know that our firewall is essentially a layer 3 device which works with IP addresses and exhibits its existence in the network.

A transparent firewall is a layer 3 firewall configured to work as a layer 2 firewall: it does not work with IP addresses but with MAC addresses. As it works with MAC addresses it does not exhibit its existence in the network, yet it is still capable of filtering and managing traffic at layer 2.

We have to remember that when we make our ASA a transparent firewall, a few services do not work on it:

Dynamic routing protocols

IPv6

Quality of Service

Multicast


LAB Topology

Device  Interface          IP Address  Subnet Mask
R1      FastEthernet 0/0   10.1.1.1    255.0.0.0
R2      FastEthernet 0/0   10.1.1.2    255.0.0.0

Task 1 : Configure ASA as a transparent firewall and assign the interface credentials as follows.

Create a transparent firewall interface (Bridge Virtual Interface) for management and activation of the device and assign it the IP address 10.1.1.10.

ASA(config)# firewall transparent

Creating a Bridge Virtual Interface and assigning an IP address to it

ASA(config)# interface BVI1

ASA(config-if)# ip address 10.1.1.10 255.0.0.0

Configuring the interfaces and associating them with Bridge Virtual Interface 1

ASA(config)# interface GigabitEthernet0

ASA(config-if)# nameif outside

ASA(config-if)# bridge-group 1

ASA(config-if)# security-level 0

ASA(config)# interface GigabitEthernet1

ASA(config-if)# nameif inside

ASA(config-if)# bridge-group 1

ASA(config-if)# security-level 100

Interface          Name     Security level
GigabitEthernet 0  Outside  0
GigabitEthernet 1  Inside   100


LAB 15 Failover Active/Standby

Failover configuration

ASA is a very important device in every network; it is mostly a perimeter device, and its failure may bring the whole network down. Considering this criticality, ASA failover was introduced: an automated process of replacing the active device when it goes down.


LAB TOPOLOGY

Device  Interface          IP Address    Subnet Mask
R1      FastEthernet 0/0   10.1.1.1      255.0.0.0
R2      FastEthernet 0/0   192.168.1.1   255.0.0.0

Task 1 : Configure failover for the ASAs such that when ASA1 crashes, ASA2 automatically takes its place.

Before proceeding with the failover configuration make sure the devices are licensed for it.

ASA1(config)# show version | grep Failover

Failover : Active/Active

ASA2(config)# show version | grep Failover

Failover : Active/Active

While making the failover configuration make sure you define a standby IP address on every interface.

ASA1(config)# interface GigaEthernet0

ASA1(config-if)# no shutdown

ASA1(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ASA1(config-if)# ip add 192.168.1.10 255.255.255.0 standby 192.168.1.7


ASA1(config-if)# interface GigaEthernet 1

ASA1(config-if)# no shutdown

ASA1(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ASA1(config-if)# ip add 10.1.1.10 255.0.0.0 standby 10.1.1.7

After making the basic ASA interface configuration, start configuring the failover interface; the interface dedicated to failover must be enabled.

ASA1(config-if)# interface GigaEthernet 2

ASA1(config-if)# no shutdown

Here interface GigaEthernet 2 is dedicated to failover.

Enable Failover and define ASA1 as primary unit.

ASA1(config)# failover lan enable

ASA1(config)# failover lan unit primary

Define the interface which is used as the failover interface, allocate a logical name to it, and assign unused active and standby IP addresses to that interface.

ASA1(config)# failover lan interface failint GigaEthernet 2

INFO: Non-failover interface config is cleared on GigaEthernet 2 and its sub-interfaces

ASA1(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7

ASA1(config)# failover

Configuring ASA2 to be the secondary mate of ASA1

Enable all the interfaces participating in failover before making any other configuration on ASA2.

ASA2(config-if)# interface GigaEthernet 0

ASA2(config-if)# no shutdown

ASA2(config-if)# interface GigaEthernet 1

ASA2(config-if)# no shutdown

ASA2(config-if)# interface GigaEthernet 2

ASA2(config-if)# no shutdown


Configure the secondary unit's failover configuration here as well.

ASA2(config)# failover lan enable

ASA2(config)# failover lan unit secondary

ASA2(config)# failover lan interface failint GigaEthernet2

INFO: Non-failover interface config is cleared on Ethernet2 and its sub-interfaces

ASA2(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7

ASA2(config)#failover

As soon as we issue the failover command it activates failover and looks for the mate.

ASA2(config)# .

Detected an Active mate

Beginning configuration replication from mate.

End configuration replication from mate

ASA1# sh failover

Failover On

Cable status: N/A - LAN-based failover enabled

Failover unit Primary

Failover LAN Interface: failint GigaEthernet2 (up)

Unit Poll frequency 15 seconds, holdtime 45 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 250 maximum

Version: Ours 8.0(4), Mate 8.0(4)

Last Failover at: 08:37:46 UTC Nov 25 2012

This host: Primary - Active

Active time: 585 (sec)

Interface outside (192.168.1.10): Normal

Interface inside (10.1.1.10): Normal

Other host: Secondary - Standby Ready

Active time: 0 (sec)

Interface outside (192.168.1.7): Normal

Interface inside (10.1.1.7): Normal

Stateful Failover Logical Update Statistics

Link : Unconfigured.


ASA1(config)# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             18:04:15 UTC Dec 29 2012

====Configuration State===
        Sync Done
====Communication State===
        Mac set


Task 2 : Change the Active/Standby Failover into Stateful Failover

ASA1(config)# failover link failint GigaEthernet2

ASA1# show failover

Failover On

Cable status: N/A - LAN-based failover enabled

Failover unit Primary

Failover LAN Interface: failint GigaEthernet2 (up)

Unit Poll frequency 15 seconds, holdtime 45 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 250 maximum

Version: Ours 8.0(4), Mate 8.0(4)

Last Failover at: 08:37:46 UTC Nov 25 2012

This host: Primary - Active

Active time: 765 (sec)

Interface outside (192.168.1.10): Normal

Interface inside (10.1.1.10): Normal

Other host: Secondary - Standby Ready

Active time: 0 (sec)

Interface outside (192.168.1.7): Normal

Interface inside (10.1.1.7): Normal

Stateful Failover Logical Update Statistics
        Link : failint GigaEthernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         9          0          8          0
        sys cmd         8          0          8          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         1          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       8
        Xmit Q:         0       2       59


LAB 15 Failover Active/Active

Failover configuration

Active/Active failover is a failover facility for contexts: it makes sure that when one context goes down, the other unit takes over for it, so failover is deployed on the virtual firewalls rather than on the physical device.


LAB TOPOLOGY

Device  Interface          IP Address    Subnet Mask
R1      FastEthernet 0/0   10.1.1.1      255.0.0.0
R2      FastEthernet 0/0   192.168.1.1   255.0.0.0
R3      FastEthernet 0/0   11.1.1.1      255.0.0.0
R4      FastEthernet 0/0   172.16.1.1    255.0.0.0

Task 1 : Change the mode of both ASAs from single to multiple.

ASA1(config)# mode multiple

ASA2(config)# mode multiple

ASA1# show mode

Security context mode: multiple

ASA2# show mode

Security context mode: multiple


Task 2 : Create two contexts on ASA1 with the following credentials

Name   Interfaces                        Config-Url
Ctx1   GigaEthernet 0, GigaEthernet 1    Flash:/ctx1
Ctx2   GigaEthernet 2, GigaEthernet 3    Flash:/ctx2

ASA1(config)# context Ctx1

Creating context 'ctx1'... Done. (2)

ASA1(config-ctx)# config-url ctx1

INFO: Converting ctx1 to disk0:/ctx1

WARNING: Could not fetch the URL disk0:/ctx1

INFO: Creating context with default config

ASA1(config-ctx)# allocate-interface g0

ASA1(config-ctx)# allocate-interface g1

ASA1(config)# context ctx2

Creating context 'ctx2'... Done. (3)

ASA1(config-ctx)# config-url ctx2

INFO: Converting ctx2 to disk0:/ctx2

WARNING: Could not fetch the URL disk0:/ctx2

INFO: Creating context with default config

ASA1(config-ctx)# allocate-interface g2

ASA1(config-ctx)# allocate-interface g3


Task 3 : Configure contexts CTX1 and CTX2 as follows

Name   Interface        Nameif    IP Address     Standby IP
Ctx1   GigaEthernet 0   Outside   192.168.1.10   192.168.1.11
Ctx1   GigaEthernet 1   Inside    10.1.1.10      10.1.1.11
Ctx2   GigaEthernet 2   Inside    11.1.1.10      11.1.1.11
Ctx2   GigaEthernet 3   Outside   172.16.1.10    172.16.1.11

ASA1(config)# changeto context ctx1

ASA1/ctx1(config)# interface gigabitEthernet 0

ASA1/ctx1(config-if)# ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11

ASA1/ctx1(config-if)# no shutdown

ASA1/ctx1(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ASA1/ctx1(config)# interface gigabitEthernet 1

ASA1/ctx1(config-if)# ip address 10.1.1.10 255.0.0.0 standby 10.1.1.11

ASA1/ctx1(config-if)# no shutdown

ASA1/ctx1(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ASA1/ctx1(config)# changeto context ctx2

ASA1/ctx2(config)# interface gigabitEthernet 2

ASA1/ctx2(config-if)# ip address 11.1.1.10 255.0.0.0 standby 11.1.1.11

ASA1/ctx2(config-if)# no shutdown

ASA1/ctx2(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ASA1/ctx2(config)# interface gigabitEthernet 3

ASA1/ctx2(config-if)# ip address 172.16.1.10 255.0.0.0 standby 172.16.1.11

ASA1/ctx2(config-if)# no shutdown

ASA1/ctx2(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.


Task 4 : Configure failover such that context ctx1 is active on ASA1 and context ctx2 is active on ASA2.

ASA1(config)# failover lan unit primary

ASA1(config)# failover lan interface failint g4

INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces

ASA1(config)# failover link failint g4

ASA1(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7

ASA1(config)# failover

Create the failover groups and associate a context with each group.

ASA1(config)# failover group 1

ASA1(config-fover-group)# primary

ASA1(config-fover-group)# exit

ASA1(config)# failover group 2

ASA1(config-fover-group)# secondary

ASA1(config-fover-group)# exit

Associate the groups with the created contexts so that ctx1 is primary and ctx2 is secondary on ASA1.

ASA1(config)# context ctx1

ASA1(config-ctx)# join-failover-group 1

ASA1(config-ctx)# exit

ASA1(config)# context ctx2

ASA1(config-ctx)# join-failover-group 2

ASA1(config-ctx)# exit


Configuring the failover link on ASA2

ASA2(config)# failover lan unit secondary

ASA2(config)# failover lan interface failint g4

INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces

ASA2(config)# failover link failint g4

ASA2(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.11

ASA2(config)# failover

Failover LAN became OK

Switchover enabled

Configuration has changed, replicate to mate.


Verification:

ASA1(config)# show failover

Failover On

Failover unit Primary

Failover LAN Interface: failint GigabitEthernet4 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 4 of 60 maximum

Version: Ours 8.4(2), Mate 8.4(2)

Group 1 last failover at: 05:36:55 UTC Dec 30 2012

Group 2 last failover at: 05:36:55 UTC Dec 30 2012

This host: Primary

Group 1 State: Active

Active time: 255 (sec)

Group 2 State: Active

Active time: 255 (sec)

ctx1 Interface outside (192.168.1.10): Normal (Waiting)

ctx1 Interface inside (10.1.1.10): Normal (Waiting)

ctx2 Interface inside (11.1.1.10): Normal (Waiting)

ctx2 Interface outside (172.16.1.10): Normal (Waiting)

Other host: Secondary

Group 1 State: Standby Ready

Active time: 0 (sec)

Group 2 State: Standby Ready

Active time: 0 (sec)

ctx1 Interface outside (192.168.1.11): Normal (Waiting)

ctx1 Interface inside (10.1.1.11): Normal (Waiting)

ctx2 Interface inside (11.1.1.11): Normal (Waiting)

ctx2 Interface outside (172.16.1.11): Normal (Waiting)
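The show failover outputs in the Active/Standby lab (Task 1 and the stateful Task 2) and in this Active/Active verification are what an operator reads after a change, and the same few fields decide whether the pair is actually protecting the network: failover enabled, matching software versions, the mate in Standby Ready (per failover group in Active/Active), every monitored interface Normal, and a stateful link configured. The following Python check, added here as an illustration and not taken from the workbook or from Cisco, parses either output format and lists the conditions worth acting on. The first sample is trimmed from the Active/Standby output above; the second is built from the Active/Active output above with a failed group and a failed interface on the mate inserted as constructed values.

```python
"""
Parse 'show failover' output and flag conditions an operator should act on.
Added illustration, not ASA code. The sample text is built from the outputs
shown in the Active/Standby and Active/Active verifications; the 'Failed'
group and interface in the second sample are constructed values.
"""
import re

IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): (.+)$")
VERSION_RE = re.compile(r"Version: Ours (\S+), Mate (\S+)")
STATE_RE = re.compile(r"^(Other host|This host):\s*(\S+)(?: - (.+))?$")
GROUP_RE = re.compile(r"Group (\d) State: (.+)$")


def failover_findings(text: str) -> list:
    """Return human-readable problems found in one show failover dump."""
    findings = []
    if "Failover On" not in text:
        findings.append("failover is not enabled")
    m = VERSION_RE.search(text)
    if m and m.group(1) != m.group(2):
        findings.append(f"software version mismatch: ours {m.group(1)}, mate {m.group(2)}")
    if re.search(r"Link\s*:\s*Unconfigured", text):
        findings.append("stateful failover link unconfigured: connections will not survive a switchover")

    host = None   # which unit the following indented lines describe
    for line in text.splitlines():
        line = line.strip()
        s = STATE_RE.match(line)
        if s:
            host = s.group(1)
            # Active/Standby prints the state after the role ("Secondary - Standby Ready").
            if host == "Other host" and s.group(3) and s.group(3) != "Standby Ready":
                findings.append(f"mate is '{s.group(3)}', not Standby Ready")
            continue
        # Active/Active prints one state line per failover group instead.
        g = GROUP_RE.search(line)
        if g and host == "Other host" and g.group(2) != "Standby Ready":
            findings.append(f"mate group {g.group(1)} is '{g.group(2)}', not Standby Ready")
        i = IFACE_RE.search(line)
        if i and not i.group(3).startswith("Normal"):
            findings.append(f"{host}: interface {i.group(1)} ({i.group(2)}) is {i.group(3)}")
    return findings


# Trimmed from the Active/Standby output (before the stateful link was added).
ACTIVE_STANDBY = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failint GigaEthernet2 (up)
Version: Ours 8.0(4), Mate 8.0(4)
This host: Primary - Active
        Active time: 585 (sec)
        Interface outside (192.168.1.10): Normal
        Interface inside (10.1.1.10): Normal
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        Interface outside (192.168.1.7): Normal
        Interface inside (10.1.1.7): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

# Active/Active form; the mate's group 2 and one interface are constructed failures.
ACTIVE_ACTIVE_DEGRADED = """\
Failover On
Failover unit Primary
Version: Ours 8.4(2), Mate 8.4(2)
This host: Primary
        Group 1 State: Active
        Group 2 State: Active
        ctx1 Interface outside (192.168.1.10): Normal (Waiting)
        ctx2 Interface inside (11.1.1.10): Normal (Waiting)
Other host: Secondary
        Group 1 State: Standby Ready
        Group 2 State: Failed
        ctx1 Interface outside (192.168.1.11): Normal (Waiting)
        ctx2 Interface inside (11.1.1.11): Failed (Waiting)
"""

if __name__ == "__main__":
    for name, sample in (("active/standby", ACTIVE_STANDBY),
                         ("active/active", ACTIVE_ACTIVE_DEGRADED)):
        print(name, failover_findings(sample) or ["healthy"])
```

For the Active/Standby sample the only finding is the unconfigured stateful link, which is exactly what Task 2 fixes with failover link; for the degraded Active/Active sample it reports the failed group and the failed interface on the mate.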


LAB - 1 Making Site to Site IPSec Virtual Private Network

Points to Remember:

The VPN technology we mostly use is IPsec (Internet Protocol Security).

IPsec is a protocol suite designed to provide the solution for remote connectivity over an insecure network.

IPsec provides confidentiality and integrity to the IP packets traversing the internet.

Another supporting protocol which is always associated with IPsec is ISAKMP (Internet Security Association and Key Management Protocol).

ISAKMP is dedicated to exchanging the security keys from one device to the other.

ISAKMP works on UDP port 500.

Making a site-to-site VPN using IPsec requires:

Devices which support VPN services and are licensed for it

A static, routable IP address on both ends


LAB Topology

In the above topology, routers R1 and R3 act as the border routers of Site A and Site B respectively, and R2 simulates the Internet.

The loopback interfaces represent each site's local LAN.

Interface Configuration on Routers

Device   Interface   IP Address     Subnet Mask
R1       F0/0        1.1.1.1        255.0.0.0
R1       Loopback    11.11.11.11    255.0.0.0
R2       F0/0        1.1.1.2        255.0.0.0
R2       F0/1        2.2.2.1        255.0.0.0
R3       F0/0        2.2.2.2        255.0.0.0
R3       Loopback    33.33.33.33    255.0.0.0

*Configure a default route pointing towards the Internet (i.e. router R2) on both R1 and R3.

Verification for routing

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms

R3#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms


Task 1 : Configure an IPsec site-to-site VPN between R1 and R3 to secure the traffic between the LAN of R1 (11.11.11.11) and the LAN of R3 (33.33.33.33)

Building an IPsec VPN is simplest when the configuration follows this sequence:

o Define the ISAKMP policy (phase 1): the parameters used to authenticate the peers and protect the key exchange

o Define the IPsec transform set (phase 2): the parameters used to protect the data

o Define the interesting traffic using an access-list (the crypto ACL)

o Bind peer, transform set and crypto ACL together in a crypto map

o Apply the crypto map to the interface facing the peer

Defining the ISAKMP policy, also called the phase 1 parameters of the VPN. The policy must match on both peers (encryption, hash, DH group and authentication method). ISAKMP is enabled by default on IOS, so the first command below only makes that explicit. This lab uses 3DES, MD5 and DH group 2; all three are now deprecated, and on production devices you should use AES-256, SHA-256 and DH group 14 or higher.

R1(config)#crypto isakmp enable

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2

R1(config-isakmp)#hash md5

Because the policy uses pre-shared-key authentication, the same secret must be configured on both sides, bound to the address of the peer; in this lab scenario netmetric is the shared key. A production key should be long and random, since the PSK is the only thing that authenticates the peer.

R1(config)#crypto isakmp key netmetric address 2.2.2.2

This concludes the phase 1 configuration.

Defining the IPsec transform set, commonly known as the phase 2 parameters of the VPN (esp-3des for encryption, esp-md5-hmac for integrity; outside a lab prefer esp-aes 256 with esp-sha256-hmac)

R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#exit

As per the task, our interesting traffic is sourced from 11.11.11.11 and destined to 33.33.33.33; it is defined with a simple extended access-list. Only traffic matching this ACL is encrypted; everything else leaves the interface in clear text.

R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33


Binding credentials using crypto map

R1(config)#crypto map vpn-map 10 ipsec-isakmp

R1(config-crypto-map)#set peer 2.2.2.2

R1(config-crypto-map)#set transform-set t-set-1

R1(config-crypto-map)#match address 101

A crypto map binds the interesting traffic (crypto ACL) and the peer address to a specific transform set.

Apply the crypto map to the interface facing the peer:

R1(config)#int f 0/0

R1(config-if)#crypto map vpn-map

On the other side we define exactly the same phase 1 and phase 2 parameters. The names of policies, transform sets, crypto maps and access-lists are locally significant and need not match; only the parameters inside them must agree, and the crypto ACL must be the mirror image of R1's (source and destination swapped).

R3(config)#crypto isakmp enable

R3(config)#crypto isakmp policy 10

R3(config-isakmp)#encryption 3des

R3(config-isakmp)#authentication pre-share

R3(config-isakmp)#group 2

R3(config-isakmp)#hash md5

R3(config)#crypto isakmp key netmetric address 1.1.1.1

R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac

R3(config)#access-list 101 permit ip host 33.33.33.33 host 11.11.11.11

R3(config)#crypto map vpn-map-2 10 ipsec-isakmp

R3(config-crypto-map)#set peer 1.1.1.1

R3(config-crypto-map)#set transform-set t-set-2

R3(config-crypto-map)#match address 101

R3(config)#int f 0/0

R3(config-if)#crypto map vpn-map-2


Verification

Generating Interesting Traffic

R1#ping 33.33.33.33 source 11.11.11.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

Packet sent with a source address of 11.11.11.11

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms

The first echo is lost while IKE negotiates the phase 1 and phase 2 SAs; once the tunnel is up, traffic between the two LANs is encrypted.

R1#sh crypto ipsec sa

interface: FastEthernet0/0

Crypto map tag: vpn-map, local addr 1.1.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)

current_peer 2.2.2.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x0(0)

The encaps and decaps counters should both increase as traffic flows. Encaps rising while decaps stays at zero means the far end is not returning traffic through the tunnel, usually a crypto ACL that is not an exact mirror or a routing problem at the remote site.

R1#sh crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: UP-ACTIVE

Peer: 2.2.2.2 port 500

IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active

IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255


Task 2 : Modify the existing VPN to secure the telnet access between the two peers

An IPsec VPN always selects interesting traffic based on the crypto ACL (the access-list matched in the crypto map). Whatever traffic is supposed to pass through the VPN must be added to this ACL, and every entry must be the exact mirror image of the entry on the other peer: source and destination, together with any port qualifier, are swapped. If the entries are not mirrored, the proxy identities offered in phase 2 do not match and the negotiation fails. The entries below secure telnet from R1 to R3; for telnet from R3 to R1 add the reverse pair in the same way.

Modifying the access-list of router R1

R1(config)#access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet

Modifying the access-list of router R3 (the mirror image: eq telnet moves with the address it belongs to)

R3(config)#access-list 101 permit tcp host 2.2.2.2 eq telnet host 1.1.1.1

Existing IPsec SAs were negotiated with the old proxy identities, so clear them (clear crypto sa) after changing a crypto ACL so that the new traffic triggers a fresh negotiation.
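The mirror requirement is easy to get wrong once port qualifiers are involved, and the symptom (phase 2 failing with a proxy identity mismatch) is not obvious from the ACL itself. The following script is an added example, not part of the workbook: it parses crypto ACL entries in the IOS/ASA syntax used in these labs, derives the mirror entry the other peer must carry, and reports any entry without one. The sample access-lists are constructed from the Task 1 and Task 2 entries: R1's list, and R3's list twice, once with the telnet entry merely address-swapped (eq telnet left on the destination) and once correctly mirrored.

```python
"""Check that two crypto ACLs are exact mirror images (IOS or ASA syntax).

Added example for this workbook section, not part of the original labs.
Understands the "permit <proto> <addr> [eq <port>] <addr> [eq <port>]"
entries used here, where <addr> is "host A", "any" or "NET WILDCARD".
"""
import re
from typing import List, NamedTuple


class Ace(NamedTuple):
    proto: str
    src: str    # "host 1.1.1.1", "11.0.0.0 0.255.255.255" or "any"
    sport: str  # "any" when the entry has no "eq" qualifier on this side
    dst: str
    dport: str


# Strip a CLI prompt such as "R1(config)#" or "ciscoasa-site-A (config)# ".
PROMPT = re.compile(r"^[\w.-]+\s*\([\w-]+\)#\s*")
_ADDR = r"host\s+\S+|any|\S+\s+\S+"
ACE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?permit\s+(?P<proto>\w+)\s+"
    rf"(?P<src>{_ADDR})(?:\s+eq\s+(?P<sport>\S+))?\s+"
    rf"(?P<dst>{_ADDR})(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)


def parse_acl(config: str, name: str) -> List[Ace]:
    """Return the permit entries of access-list <name> found in the config text."""
    aces: List[Ace] = []
    for raw in config.splitlines():
        m = ACE.match(PROMPT.sub("", raw.strip()))
        if m and m.group("acl") == name:
            aces.append(Ace(m["proto"], " ".join(m["src"].split()), m["sport"] or "any",
                            " ".join(m["dst"].split()), m["dport"] or "any"))
    return aces


def mirror(ace: Ace) -> Ace:
    """The entry the other peer must carry: source and destination swapped, ports included."""
    return Ace(ace.proto, ace.dst, ace.dport, ace.src, ace.sport)


def fmt(ace: Ace) -> str:
    def side(addr: str, port: str) -> str:
        return addr + (f" eq {port}" if port != "any" else "")
    return f"permit {ace.proto} {side(ace.src, ace.sport)} {side(ace.dst, ace.dport)}"


def check_mirror(local: List[Ace], remote: List[Ace]) -> List[str]:
    """Problems found; an empty list means every entry has its exact mirror on the other peer.

    IOS matches outbound traffic against the ACL as written and inbound decrypted
    traffic against it reversed, and the proxy identities offered in quick mode
    come from the same entries, so anything short of an exact mirror fails phase 2.
    """
    problems: List[str] = []
    for ace in local:
        if mirror(ace) not in remote:
            problems.append(f"remote peer lacks the mirror of: {fmt(ace)}")
    for ace in remote:
        if mirror(ace) not in local:
            problems.append(f"local peer lacks the mirror of: {fmt(ace)}")
    return problems


# Constructed samples taken from the Task 1 and Task 2 commands above.
R1_ACL = """
R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
R1(config)#access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
"""
# R3 with the telnet entry merely address-swapped: "eq telnet" stays on the destination.
R3_ACL_UNMIRRORED = """
R3(config)#access-list 101 permit ip host 33.33.33.33 host 11.11.11.11
R3(config)#access-list 101 permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet
"""
# R3 correctly mirrored: the port qualifier moves with the address it belongs to.
R3_ACL_MIRRORED = """
R3(config)#access-list 101 permit ip host 33.33.33.33 host 11.11.11.11
R3(config)#access-list 101 permit tcp host 2.2.2.2 eq telnet host 1.1.1.1
"""

if __name__ == "__main__":
    r1 = parse_acl(R1_ACL, "101")
    for label, cfg in (("unmirrored", R3_ACL_UNMIRRORED), ("mirrored", R3_ACL_MIRRORED)):
        print(label, check_mirror(r1, parse_acl(cfg, "101")) or ["OK: exact mirror"])
```

Run it against the two lists of a tunnel that refuses to come up before touching the ISAKMP or IPsec parameters: a non-empty result points at the exact entry to fix.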

Task 3 : Imagine there is one more peer, Site C (R4), at IP address 3.3.3.3 with loopback address 55.55.55.55. Secure the traffic between the loopbacks of R1 and R4.

Create a new access-list on R1 to catch the traffic between the two loopbacks

R1(config)#access-list 102 permit ip host 11.11.11.11 host 55.55.55.55

Add a new entry to the existing crypto map, with the same name but a different sequence number. A map with a different name is of no use here, because only one crypto map can be applied to an interface; every peer reached through F0/0 must therefore be a sequence within vpn-map. (R1 also needs an ISAKMP pre-shared key bound to 3.3.3.3, and R4 needs the mirror configuration on its side.)

R1(config)#crypto map vpn-map 11 ipsec-isakmp

R1(config-crypto-map)#set peer 3.3.3.3

R1(config-crypto-map)#set transform-set t-set-1

R1(config-crypto-map)#match address 102

Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA

LAB - 2 Making Site to Site IPSec Virtual Private Network Over ASA

LAB Topology

In the above topology two ASAs act as the border devices of Site A and Site B respectively, R2 simulates the Internet, and routers R1 and R3 represent the local LAN of their respective sites.

Interface Configuration

Device       Interface   Nameif    IP Address     Subnet Mask
ASA Site A   E0/0        Outside   1.1.1.1        255.0.0.0
ASA Site A   E0/1        Inside    11.11.11.10    255.0.0.0
ASA Site B   E0/0        Outside   2.2.2.2        255.0.0.0
ASA Site B   E0/1        Inside    33.33.33.10    255.0.0.0
R1           F0/0        --        11.11.11.11    255.0.0.0
R3           F0/0        --        33.33.33.33    255.0.0.0

*Configure a default route pointing towards the Internet (i.e. router R2) on both site ASAs, and a default route towards the local ASA's Inside address on R1 and R3 so that LAN traffic reaches the tunnel.

Verification for routing

ciscoasa-site-A# ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 ms

ciscoasa-Site-B# ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 50/74/90 ms


Task 1 : Configure an IPsec site-to-site VPN between Site A and Site B to secure the traffic between the LAN of R1 (11.11.11.11) and the LAN of R3 (33.33.33.33)

On the ASA, ISAKMP is disabled by default and must be enabled on the interface that terminates the tunnel.

From ASA 8.4 (the release after 8.3) the crypto isakmp commands are renamed crypto ikev1, and IKEv2 support is added alongside them. Both IKEv1 and IKEv2 are key-exchange protocols for IPsec tunnels, site-to-site as well as remote access; IKEv2 is the newer protocol and is preferred when both peers support it, and neither has anything to do with SSL VPN. As this lab builds an IKEv1 site-to-site tunnel, we enable IKEv1 on the Outside interface.

ciscoasa-site-A(config)# crypto ikev1 enable Outside

Configure all the Credentials of ISAKMP in a policy

ciscoasa-site-A(config)# crypto ikev1 policy 10

ciscoasa-site-A(config-ikev1-policy)# encryption aes

ciscoasa-site-A(config-ikev1-policy)# hash sha

ciscoasa-site-A(config-ikev1-policy)# group 2

ciscoasa-site-A(config-ikev1-policy)# authentication pre-share

ciscoasa-site-A(config-ikev1-policy)# lifetime 6000

Defining the pre-shared key using the tunnel group

A tunnel group holds the connection-specific attributes of a VPN. For a LAN-to-LAN tunnel group (type ipsec-l2l) the name must be the peer's IP address, because the ASA selects the tunnel group, and therefore the pre-shared key, by looking up the address of the peer that is negotiating. The key must be identical on both ASAs; cisco123 is a lab value only.

ciscoasa-site-A(config)# tunnel-group 2.2.2.2 type ipsec-l2l

ciscoasa-site-A(config)# tunnel-group 2.2.2.2 ipsec-attributes

ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123

Configure the IPsec (phase 2) transform set; the same algorithms must be configured on both devices

ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac

Definition of interesting traffic using an access-list (the crypto ACL)

ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33


Create a Crypto map and bind all the credentials with that MAP

ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2

ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set

ciscoasa-site-A(config)# crypto map mymap 10 match address 101

Apply The MAP on interface facing to Internet

ciscoasa-site-A(config)# crypto map mymap interface Outside

Make the VPN configuration on the other side as well. Encryption, hash, DH group and authentication method must match the Site A policy exactly; the lifetime does not have to (the lab uses 6000 on Site A and 5600 here), because the peers settle on the shorter of the two values.

ciscoasa-Site-B(config)# crypto ikev1 enable Outside

ciscoasa-Site-B(config)# crypto ikev1 policy 10

ciscoasa-Site-B(config-ikev1-policy)# authentication pre-share

ciscoasa-Site-B(config-ikev1-policy)# encryption aes

ciscoasa-Site-B(config-ikev1-policy)# hash sha

ciscoasa-Site-B(config-ikev1-policy)# group 2

ciscoasa-Site-B(config-ikev1-policy)# lifetime 5600

ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 type ipsec-l2l

ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 ipsec-attributes

ciscoasa-Site-B(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123

ciscoasa-Site-B(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac

Define interesting traffic by means of an access-list again which is mirrored to other side

ciscoasa-Site-B(config)# access-list 109 permit ip host 33.33.33.33 host 11.11.11.11

Crypto MAP Creation and Application

ciscoasa-Site-B(config)# crypto map mymap 10 match address 109

ciscoasa-Site-B(config)# crypto map mymap 10 set peer 1.1.1.1

ciscoasa-Site-B(config)# crypto map mymap 10 set ikev1 transform-set t-set

ciscoasa-Site-B(config)# crypto map mymap interface outside
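Both the IOS configuration in LAB 1 and the ASA configuration above rely on 3DES, MD5 or SHA-1, DH group 2 and short pre-shared keys, and the PKI labs that follow add 1024-bit RSA keys, grant auto and revocation-check none. The following audit script is an added example and is not part of the workbook: it strips the CLI prompts, walks configuration lines as typed in these labs (or a plain running-config) and reports every setting that Cisco's Next Generation Encryption guidance marks as legacy, plus the lab-only PKI shortcuts. The samples are constructed copies of the lab commands and one hardened IOS equivalent; the hardened pre-shared key is a placeholder, and the assumption that crypto key generate rsa without a modulus produces a 1024-bit key matches the lab output but should be confirmed on your release. An ASA IKEv1 policy only accepts md5 or sha as its hash, so on the ASA the hardened path is an IKEv2 policy (crypto ikev2 policy with integrity sha256 and group 14) rather than a stronger IKEv1 one.

```python
"""Flag deprecated crypto and lab-only PKI settings in IOS/ASA VPN configs.

Added audit example for this workbook section, not part of the labs.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (offending config line, explanation)

# IKE phase 1 and IPsec phase 2 keywords, exactly as typed in the CLI.
WEAK_ALGORITHMS = {
    "des": "DES is broken; use aes 256",
    "3des": "3DES is deprecated (64-bit block, Sweet32); use aes 256",
    "esp-des": "ESP-DES is broken; use esp-aes 256",
    "esp-3des": "ESP-3DES is deprecated (Sweet32); use esp-aes 256",
    "md5": "MD5 is broken; use sha256 or stronger",
    "sha": "SHA-1 is legacy; use sha256 or stronger (on ASA: an IKEv2 policy)",
    "esp-md5-hmac": "HMAC-MD5 is legacy; use esp-sha256-hmac",
    "esp-sha-hmac": "HMAC-SHA1 is legacy; use esp-sha256-hmac",
    "group 1": "DH group 1 (768-bit) is broken; use group 14 or ECDH 19/20",
    "group 2": "DH group 2 (1024-bit) is legacy; use group 14 or ECDH 19/20",
    "group 5": "DH group 5 (1536-bit) is legacy; use group 14 or ECDH 19/20",
}
# Settings that are convenient in a lab and dangerous in production.
LAB_ONLY = {
    "revocation-check none": "revocation checking disabled: a revoked peer certificate is still trusted",
    "grant auto": "CA auto-grants every SCEP request: anyone reaching TCP/80 on the CA gets a certificate",
}
MIN_PSK_CHARS = 16
MIN_RSA_BITS = 2048
DEFAULT_RSA_BITS = 1024  # assumption: size used when no modulus is given (matches the lab output)

PROMPT = re.compile(r"^[\w.-]+\s*\([\w-]+\)#\s*")  # "R1(config-isakmp)#", "ciscoasa-site-A (config)# "


def _weak(findings: List[Finding], line: str, token: str) -> None:
    msg = WEAK_ALGORITHMS.get(token.lower())
    if msg:
        findings.append((line, msg))


def _psk(w: List[str]) -> str:
    """Extract the key from 'ikev1 pre-shared-key K' or 'crypto isakmp key [0|6] K address P'."""
    if "pre-shared-key" in w:
        i = w.index("pre-shared-key") + 1
    else:
        i = 4 if len(w) > 3 and w[3] in ("0", "6") else 3  # optional encryption-level digit
    return w[i] if i < len(w) else ""


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        w = line.split()
        if w[0] in ("encryption", "encr", "hash") and len(w) > 1:   # inside an IKE policy
            _weak(findings, line, w[1])
        elif w[0] == "group" and len(w) > 1:
            _weak(findings, line, "group " + w[1])
        elif "transform-set" in w:                                   # IOS and ASA ikev1 forms
            for alg in w[w.index("transform-set") + 2:]:
                _weak(findings, line, alg)
        elif "pre-shared-key" in w or w[:3] == ["crypto", "isakmp", "key"]:
            key = _psk(w)
            if len(key) < MIN_PSK_CHARS:
                findings.append((line, f"pre-shared key is {len(key)} characters; use a random key of {MIN_PSK_CHARS}+"))
        elif w[:4] == ["crypto", "key", "generate", "rsa"]:
            m = re.search(r"modulus\s+(\d+)", line)
            bits = int(m.group(1)) if m else DEFAULT_RSA_BITS
            if bits < MIN_RSA_BITS:
                findings.append((line, f"RSA modulus {bits} is too small; use modulus {MIN_RSA_BITS} or larger"))
        for setting, msg in LAB_ONLY.items():
            if line.startswith(setting):
                findings.append((line, msg))
    return findings


# Constructed samples copied from the LAB 1 (IOS) and LAB 2 (ASA) commands.
LAB1_R1 = """
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
R1(config)#crypto isakmp key netmetric address 2.2.2.2
R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
"""
LAB2_ASA = """
ciscoasa-site-A(config)# crypto ikev1 policy 10
ciscoasa-site-A(config-ikev1-policy)# encryption aes
ciscoasa-site-A(config-ikev1-policy)# hash sha
ciscoasa-site-A(config-ikev1-policy)# group 2
ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac
"""
# Hardened IOS equivalent in running-config form (constructed; the key is a placeholder).
HARDENED_IOS = """
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 Qm7vL2pXz9RwTe4bNk8sYdH3cGf6JaW5 address 2.2.2.2
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
crypto key generate rsa modulus 2048
"""

if __name__ == "__main__":
    for name, cfg in (("LAB1_R1", LAB1_R1), ("LAB2_ASA", LAB2_ASA), ("HARDENED_IOS", HARDENED_IOS)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for line, msg in audit(cfg):
            print(f"  {line!r}: {msg}")
```

Feed it the pasted session of a lab, or a show running-config, before signing off a tunnel; an empty result for the hardened block and a full page of findings for the lab configs is the expected outcome.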


Verification

Initiate a connection from router R1 to router R3; this traffic matches the VPN's interesting-traffic ACL.

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 68/102/144 ms

Verification of ISAKMP functionality

ciscoasa-site-A# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 2.2.2.2

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Verification of IPsec functionality

ciscoasa-site-A# show crypto ipsec sa

interface: Outside

Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1

access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33

local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)

current_peer: 2.2.2.2

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 80

local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0

path mtu 1500, ipsec overhead 58, media mtu 1500


ciscoasa-Site-B# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 1.1.1.1

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

ciscoasa-Site-B# show crypto ipsec sa

interface: outside

Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2

access-list 109 extended permit ip host 33.33.33.33 host 11.11.11.11

local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)

current_peer: 1.1.1.1

#pkts encaps: 362, #pkts encrypt: 362, #pkts digest: 362

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 362, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0

Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server

LAB - 3 Making Site to Site IPSec Virtual Private Network with

Points to Remember:

A digital certificate is issued by a Certificate Authority (CA) after it has verified the identity of the requester.

Any two devices holding certificates from the same CA, and trusting that CA, can authenticate each other and form a VPN. By default this means that every certificate the CA has ever issued is acceptable; in production, restrict which certificates may bring up a tunnel (for example with a certificate map that matches the peer's subject name) rather than trusting every enrollee.

A Certificate Authority can be any server operating system with a CA role, or a Cisco IOS router running the IOS CA.

The process of requesting and enrolling for a certificate is done over SCEP (Simple Certificate Enrollment Protocol).

SCEP runs over HTTP, so it works on TCP port 80 and the CA must be reachable on that port.

Authentication with certificates issued by a trusted third party is one application of PKI (Public Key Infrastructure): the CA, its certificates, revocation lists and enrollment procedures together make up the PKI.

When the VPN authentication method is set to digital certificates (rsa-sig), the peers exchange their certificates during IKE; each verifies the signature on the other's certificate against the CA certificate it holds (and, if configured, checks that it has not been revoked), and each proves possession of its private key by signing the IKE exchange. Only then is the VPN formed.


LAB Topology

In the above topology, routers R1 and R3 act as the border routers of Site A and Site B respectively, and R2 simulates the Internet and also acts as the Certificate Authority.

The loopback interfaces represent each site's local LAN.

Interface Configuration on Routers

Device   Interface   IP Address     Subnet Mask
R1       F0/0        1.1.1.1        255.0.0.0
R1       Loopback    11.11.11.11    255.0.0.0
R2       F0/0        1.1.1.2        255.0.0.0
R2       F0/1        2.2.2.1        255.0.0.0
R3       F0/0        2.2.2.2        255.0.0.0
R3       Loopback    33.33.33.33    255.0.0.0

*Configure a default route pointing towards the Internet (i.e. router R2) on both R1 and R3.

Verification for routing

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms

R3#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms


Task 1 : Configure router R2 to act as the Certificate Authority, and request certificates from it on routers R1 and R3

Prerequisites

Make sure HTTP is enabled on the router acting as the CA server, because SCEP enrollment runs over HTTP.

Ensure the clocks of the peers and the CA are synchronized before building the CA: certificate validity is checked against the local clock, and a router whose clock is wrong will reject certificates that are not yet valid or already expired. Configure NTP on all routers participating in the VPN and confirm they are in sync.

Verification

R1#show clock

11:41:56.595 UTC Sat Jan 5 2013

R2#show clock

11:42:02.871 UTC Sat Jan 5 2013

R3#show clock

11:42:04.805 UTC Sat Jan 5 2013

R2(config)#ip http server

R2#show ip http server status

HTTP server status: Enabled

HTTP server port: 80

HTTP server authentication method: enable

Once the services and prerequisites are verified, configure router R2 as the Certificate Authority (CA). Two of the settings below are acceptable only in a lab: grant auto issues a certificate to any device that can reach the SCEP URL without an administrator approving the request (the default is manual granting of each pending request), and the 1024-bit RSA key pair generated automatically for the CA is too small by current standards (generate a 2048-bit or larger key pair labelled with the server name before the no shutdown and the CA will use it).

R2(config)#crypto pki server ios_ca

R2(cs-server)#grant auto

R2(cs-server)#no shutdown

%Some server settings cannot be changed after CA certificate generation.

% Please enter a passphrase to protect the private key

% or type Return to exit

Password:********

Re-enter password:********

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

% Exporting Certificate Server signing certificate and keys...

Jan 5 15:00:57.435: %SSH-5-ENABLED: SSH 1.99 has been enabled

% Certificate Server enabled.

Jan 5 15:01:00.063: %PKI-6-CS_ENABLED: Certificate server now enabled.


To enroll a certificate on router R1, create a trustpoint that defines the properties of the local router and the address of the CA (enrollment url is the SCEP URL of R2). revocation-check none disables CRL checking; this is fine for the lab, but in production the router should fetch the CRL (or use OCSP) so that a revoked peer certificate is rejected.

R1(config)#crypto pki trustpoint ca_r1

R1(ca-trustpoint)#enrollment url http://1.1.1.2

R1(ca-trustpoint)#revocation-check none

After the CA server address is defined, the router must first obtain and trust the CA's own certificate.

Authenticate the trustpoint to download the CA certificate into the router. This step is the root of trust for everything that follows: before answering yes, compare the fingerprint shown with the one displayed by show crypto pki server on R2, using a channel other than the network (console or a phone call), because an attacker on the path could substitute their own CA certificate at this point.

R1(config)#crypto pki authenticate ca_r1

Certificate has the following attributes:

Fingerprint MD5: B853F5E4 1DEFC727 3C2FFF84 994AA49A

Fingerprint SHA1: 38F6ED36 A70ACE41 B20EE59E 81ABBCCC B8038ADD

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Now request (enroll for) the router's own identity certificate from the CA

R1(config)#crypto pki enroll ca_r1

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:*******

Re-enter password:*******

% The subject name in the certificate will include: R1.lab.local

% Include the router serial number in the subject name? [yes/no]: no

% The IP address in the certificate is 1.1.1.1

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto ca certificate ca_r1 verbose' command will show the fingerprint.

Jan 5 15:51:37.984: %PKI-6-CERTRET: Certificate received from Certificate Authority


Repeat the process with Router R3 as well

R3(config)#crypto pki trustpoint ca_r3

R3(ca-trustpoint)#enrollment url http://1.1.1.2

R3(ca-trustpoint)#serial-number none

R3(ca-trustpoint)#ip-address 2.2.2.2

R3(ca-trustpoint)#revocation-check none

Authenticate Router R3 to CA

R3(config)#crypto pki authenticate ca_r3

Certificate has the following attributes:

Fingerprint MD5: B853F5E4 1DEFC727 3C2FFF84 994AA49A

Fingerprint SHA1: 38F6ED36 A70ACE41 B20EE59E 81ABBCCC B8038ADD

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Enroll Router R3 to CA

R3(config)#crypto pki enroll ca_r3

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:********

Re-enter password:*********

% The subject name in the certificate will include: R3.lab.local

% The IP address in the certificate is 2.2.2.2

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto ca certificate ca_r3 verbose' command will show the fingerprint.

Jan 5 16:03:58.279: %PKI-6-CERTRET: Certificate received from Certificate Authority


Verify certificates

R1#show crypto pki certificates

Certificate

Status: Available

Certificate Serial Number: 02

Certificate Usage: General Purpose

Issuer:

cn=ios_ca

Subject:

Name: R1.lab.local

IP Address: 1.1.1.1

ipaddress=1.1.1.1+hostname=R1.lab.local

Validity Date:

start date: 15:51:36 UTC Jan 5 2013

end date: 15:51:36 UTC Jan 5 2014

Associated Trustpoints: ca_r1

R3#show crypto pki certificates

Certificate

Status: Available

Certificate Serial Number: 03

Certificate Usage: General Purpose

Issuer:

cn=ios_ca

Subject:

Name: R3.lab.local

IP Address: 2.2.2.2

ipaddress=2.2.2.2+hostname=R3.lab.local

Validity Date:

start date: 16:03:56 UTC Jan 5 2013

end date: 16:03:56 UTC Jan 5 2014

Associated Trustpoints: ca_r3

R1#sh crypto pki trustpoints

Trustpoint ca_r1:

Subject Name:

cn=ios_ca

Serial Number: 01

Certificate configured.

SCEP URL: http://1.1.1.2:80/cgi-bin

Verification on CA Server i.e Router R2

R2#show crypto pki server

Certificate Server ios_ca:

Status: enabled

State: enabled
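After enrollment, the operational checks are that each identity certificate was issued by the CA you expect, that it is currently valid (a wrong clock on either side, the reason NTP was a prerequisite, makes a good certificate look invalid) and that it will not expire unnoticed; the lab certificates above are valid for exactly one year. The following script is an added example and not part of the workbook: it parses the show crypto pki certificates output shown above (and the show crypto ca certificates form the ASA prints in LAB 4) and applies those checks. The two outputs embedded in it are constructed copies of the lab verification output; the dates passed as "now" are chosen to show each check firing.

```python
"""Parse IOS 'show crypto pki certificates' / ASA 'show crypto ca certificates'
output and check issuer, validity window and key size of each certificate.

Added example for this workbook section, not part of the original labs.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

DATE_FMT = "%H:%M:%S UTC %b %d %Y"   # e.g. "15:51:36 UTC Jan 5 2013"


@dataclass
class Cert:
    serial: str = ""
    issuer: str = ""
    subject: List[str] = field(default_factory=list)
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    key_bits: Optional[int] = None      # IOS output omits this; the ASA prints it
    trustpoint: str = ""


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date, used as the 'now' argument of check_cert."""
    return datetime(year, month, day)


def parse_certs(output: str) -> List[Cert]:
    certs: List[Cert] = []
    section = None                      # "issuer" / "subject" while reading name lines
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Certificate", "CA Certificate"):
            certs.append(Cert())
            section = None
            continue
        if not certs:
            continue                    # text before the first certificate block
        cur = certs[-1]
        if line.startswith("Certificate Serial Number:"):
            cur.serial = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer"):
            section = "issuer"
        elif line.startswith("Subject"):
            section = "subject"
        elif line.startswith("Validity Date:"):
            section = None
        elif line.startswith("start date:"):
            cur.start = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif line.startswith("end date:"):
            cur.end = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif line.startswith("Public Key Type:"):
            m = re.search(r"\((\d+) bits\)", line)
            cur.key_bits = int(m.group(1)) if m else None
        elif line.startswith("Associated Trustpoints:"):
            cur.trustpoint = line.split(":", 1)[1].strip()
        elif section == "issuer":
            cur.issuer = (cur.issuer + "," if cur.issuer else "") + line
        elif section == "subject":
            cur.subject.append(line)
    return certs


def check_cert(cert: Cert, expected_issuer: str, now: datetime,
               min_days: int = 30, min_bits: int = 2048) -> List[str]:
    """Problems with this certificate; an empty list means it is good to use."""
    issues: List[str] = []
    if cert.issuer != expected_issuer:
        issues.append(f"issuer {cert.issuer!r} is not the expected CA {expected_issuer!r}")
    if cert.start and now < cert.start:
        issues.append("not yet valid (check NTP on this device)")
    if cert.end:
        remaining = (cert.end - now).days
        if remaining < 0:
            issues.append(f"expired {-remaining} days ago")
        elif remaining < min_days:
            issues.append(f"expires in {remaining} days; renew now")
    if cert.key_bits is not None and cert.key_bits < min_bits:
        issues.append(f"RSA key is only {cert.key_bits} bits; re-enroll with {min_bits}+")
    return issues


# Constructed copies of the lab output: R1 (IOS form) and the Site A ASA (ASA form).
R1_OUTPUT = """
Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Issuer:
    cn=ios_ca
  Subject:
    Name: R1.lab.local
    IP Address: 1.1.1.1
    ipaddress=1.1.1.1+hostname=R1.lab.local
  Validity Date:
    start date: 15:51:36 UTC Jan 5 2013
    end date: 15:51:36 UTC Jan 5 2014
  Associated Trustpoints: ca_r1
"""
ASA_OUTPUT = """
Certificate
  Status: Available
  Certificate Serial Number: 04
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=ios_ca
  Subject Name:
    hostname=ciscoasa
  Validity Date:
    start date: 18:18:26 UTC Jan 5 2013
    end date: 18:18:26 UTC Jan 5 2014
  Associated Trustpoints: ios_ca
"""

if __name__ == "__main__":
    for label, out in (("R1", R1_OUTPUT), ("ASA site A", ASA_OUTPUT)):
        for cert in parse_certs(out):
            for when in (utc(2013, 6, 1), utc(2013, 12, 20), utc(2014, 2, 1)):
                print(label, cert.serial, when.date(), check_cert(cert, "cn=ios_ca", when) or ["OK"])
```

Run the parser over the output collected from every VPN peer on a schedule and alert on any non-empty result; a certificate that silently expires drops the tunnel at the next rekey, not at a convenient time.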


Task 2 : Configure an IPsec site-to-site VPN between R1 and R3 using PKI (certificate) authentication to secure the traffic between the LAN of R1 (11.11.11.11) and the LAN of R3 (33.33.33.33)

The configuration follows the same sequence as LAB 1:

o Define the ISAKMP policy (phase 1): the parameters used to authenticate the peers and protect the key exchange

o Define the IPsec transform set (phase 2): the parameters used to protect the data

o Define the interesting traffic using an access-list (the crypto ACL)

o Bind peer, transform set and crypto ACL together in a crypto map

o Apply the crypto map to the interface facing the peer

Defining the ISAKMP policy (phase 1). The only change from LAB 1 is the authentication method: rsa-sig instead of pre-share.

R1(config)#crypto isakmp enable

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#authentication rsa-sig

R1(config-isakmp)#group 2

R1(config-isakmp)#hash md5

As the policy uses rsa-sig, the peers authenticate with the certificates enrolled in Task 1, so no pre-shared key is defined. Remember that, with no certificate map configured, any certificate issued by ios_ca satisfies this policy.

This Concludes Phase 1 Configuration

Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN

R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#exit

As per task our interesting traffic is sourced from 11.11.11.11 and destinies at 33.33.33.33

definition of it can be done by an simple extended access-list

R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33


Binding credentials using crypto map

R1(config)#crypto map vpn-map 10 ipsec-isakmp

R1(config-crypto-map)#set peer 2.2.2.2

R1(config-crypto-map)#set transform-set t-set-1

R1(config-crypto-map)#match address 101

A crypto map binds the interesting traffic and peer with a specific transform set

Application of this crypto map over as interface

R1(config)#int f 0/0

R1(config-if)#crypto map vpn-map

On the other side we define exactly the same phase 1 and phase 2 parameters. The names of policies, transform sets, crypto maps and access-lists are locally significant and need not match; only the parameters inside them must agree, and the crypto ACL must be the mirror image of R1's.

R3(config)#crypto isakmp enable

R3(config)#crypto isakmp policy 10

R3(config-isakmp)#encryption 3des

R3(config-isakmp)#authentication rsa-sig

R3(config-isakmp)#group 2

R3(config-isakmp)#hash md5

R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac

No pre-shared key is needed, as the authentication method is rsa-sig (i.e. digital certificates); R3 authenticates with the certificate enrolled through trustpoint ca_r3.

R3(config)#access-list 101 permit ip host 33.33.33.33 host 11.11.11.11

R3(config)#crypto map vpn-map-2 10 ipsec-isakmp

R3(config-crypto-map)#set peer 1.1.1.1

R3(config-crypto-map)#set transform-set t-set-2

R3(config-crypto-map)#match address 101

R3(config)#int f 0/0

R3(config-if)#crypto map vpn-map-2


Verification

Generating Interesting Traffic

R1#ping 33.33.33.33 source 11.11.11.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

Packet sent with a source address of 11.11.11.11

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms

The first echo is lost while IKE negotiates the phase 1 and phase 2 SAs; once the tunnel is up, traffic between the two LANs is encrypted.

R1#sh crypto ipsec sa

interface: FastEthernet0/0

Crypto map tag: vpn-map, local addr 1.1.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)

current_peer 2.2.2.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x0(0)

R1#sh crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: UP-ACTIVE

Peer: 2.2.2.2 port 500

IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active

IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255

Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA

LAB - 4 Making Site to Site IPSec VPN Over ASA with PKI

LAB Topology

In the above topology two ASAs act as the border devices of Site A and Site B respectively, R2 simulates the Internet and also acts as the CA server, and routers R1 and R3 represent the local LAN of their respective sites.

Interface Configuration

Device       Interface   Nameif    IP Address     Subnet Mask
ASA Site A   E0/0        Outside   1.1.1.1        255.0.0.0
ASA Site A   E0/1        Inside    11.11.11.10    255.0.0.0
ASA Site B   E0/0        Outside   2.2.2.2        255.0.0.0
ASA Site B   E0/1        Inside    33.33.33.10    255.0.0.0
R1           F0/0        --        11.11.11.11    255.0.0.0
R3           F0/0        --        33.33.33.33    255.0.0.0

*Configure a default route pointing towards the Internet (i.e. router R2) on both site ASAs, and a default route towards the local ASA's Inside address on R1 and R3.

Verification for routing

ciscoasa-site-A# ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 ms

ciscoasa-Site-B# ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 50/74/90 ms

Task 1 : Configure Router R2 as CA server and Enroll ASA Site A and Site B to that CA Server


R2(config)#ip http server

R2#show ip http server status

HTTP server status: Enabled

HTTP server port: 80

HTTP server authentication method: enable

Once the services and prerequisites are verified, configure router R2 as the Certificate Authority (CA), exactly as in LAB 3; the same grant auto and 1024-bit key caveats apply.

R2(config)#crypto pki server ios_ca

R2(cs-server)#grant auto

R2(cs-server)#no shutdown

%Some server settings cannot be changed after CA certificate generation.

% Please enter a passphrase to protect the private key

% or type Return to exit

Password:********

Re-enter password:********

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

% Exporting Certificate Server signing certificate and keys...

Jan 5 15:00:57.435: %SSH-5-ENABLED: SSH 1.99 has been enabled

% Certificate Server enabled.

Jan 5 15:01:00.063: %PKI-6-CS_ENABLED: Certificate server now enabled.

To verify the certificate server

R2#sh crypto pki server

Certificate Server ios_ca:

Status: enabled

State: enabled

Server's configuration is locked (enter "shut" to unlock it)

Issuer name: CN=ios_ca

CA cert fingerprint: B853F5E4 1DEFC727 3C2FFF84 994AA49A

Granting mode is: auto

Last certificate issued serial number: 0x3

CA certificate expiration timer: 15:00:58 UTC Jan 5 2016

CRL NextUpdate timer: 21:00:59 UTC Jan 5 2013

Current primary storage dir: nvram:

Database Level: Minimum - no cert data written to storage

To enroll a certificate on the Site A ASA, create a trustpoint that holds the local properties and the address of the CA. The ASA syntax is crypto ca rather than crypto pki, and revocation-check none carries the same lab-only caveat as on the routers.


ciscoasa-site-A (config)# crypto ca trustpoint ios_ca

ciscoasa-site-A (config-ca-trustpoint)# enrollment url http://1.1.1.2

ciscoasa-site-A (config-ca-trustpoint)# revocation-check none

Authenticate to CA Server

ciscoasa-site-A (config)# crypto ca authenticate ios_ca

INFO: Certificate has the following attributes:

Fingerprint: b853f5e4 1defc727 3c2fff84 994aa49a

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Generate the RSA key pair the certificate will be issued for (crypto key generate rsa with no modulus keyword creates a 1024-bit key on this release; specify modulus 2048 or larger outside the lab), then enroll to the CA server

ciscoasa-site-A (config)# crypto key generate rsa

ciscoasa-site-A (config)# crypto ca enroll ios_ca

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password: ********

Re-enter password: ********

% The fully-qualified domain name in the certificate will be: ciscoasa-site-A

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

The certificate has been granted by CA!

To enroll a certificate on the Site B ASA, repeat the same procedure: create a trustpoint with the local properties and the address of the CA, which Site B reaches via 2.2.2.1.


ciscoasa-site-B (config)# crypto ca trustpoint ios_ca

ciscoasa-site-B (config-ca-trustpoint)# enrollment url http://2.2.2.1

ciscoasa-site-B (config-ca-trustpoint)# revocation-check none

Authenticate the CA from Site B as well; the fingerprint must be the same one verified for Site A.

ciscoasa-site-B (config)# crypto ca authenticate ios_ca

INFO: Certificate has the following attributes:

Fingerprint: b853f5e4 1defc727 3c2fff84 994aa49a

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Generate the RSA key pair and enrol with the CA, as on Site A.

ciscoasa-site-B (config)# crypto key generate rsa

ciscoasa-site-B (config)# crypto ca enroll ios_ca

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password: ********

Re-enter password: ********

% The fully-qualified domain name in the certificate will be: ciscoasa-site-B

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

The certificate has been granted by CA!


Verification

ciscoasa-site-A(config)# show crypto ca certificates

Certificate

Status: Available

Certificate Serial Number: 04

Certificate Usage: General Purpose

Public Key Type: RSA (1024 bits)

Issuer Name:

cn=ios_ca

Subject Name:

hostname=ciscoasa

Validity Date:

start date: 18:18:26 UTC Jan 5 2013

end date: 18:18:26 UTC Jan 5 2014

Associated Trustpoints: ios_ca

ciscoasa-site-B(config)# show crypto ca certificates

Certificate

Status: Available

Certificate Serial Number: 05

Certificate Usage: General Purpose

Public Key Type: RSA (1024 bits)

Issuer Name:

cn=ios_ca

Subject Name:

hostname=ciscoasa

Validity Date:

start date: 18:18:26 UTC Jan 5 2013

end date: 18:18:26 UTC Jan 5 2014

Associated Trustpoints: ios_ca
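The two outputs above carry more than the Status: Available line an operator usually looks for: both certificates are 1024-bit RSA, both were issued with the identical subject hostname=ciscoasa, and both expire a year after enrolment. The following Python script, an added example that is not part of the workbook, parses this show crypto ca certificates text (copied from the page as its constructed input) and flags those conditions; the 2048-bit minimum and the 30-day warning window are assumptions chosen here.

```python
"""Checks on ASA `show crypto ca certificates` output.

Added example, not from the workbook. The two outputs below are the ones
printed on the page for ciscoasa-site-A and ciscoasa-site-B, pasted in
as constructed input; the thresholds in check_certs() are assumptions.
"""
import re
from datetime import datetime

SITE_A_OUTPUT = """\
ciscoasa-site-A(config)# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 04
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=ios_ca
  Subject Name:
    hostname=ciscoasa
  Validity Date:
    start date: 18:18:26 UTC Jan 5 2013
    end date: 18:18:26 UTC Jan 5 2014
  Associated Trustpoints: ios_ca
"""

SITE_B_OUTPUT = SITE_A_OUTPUT.replace("site-A", "site-B").replace("Number: 04", "Number: 05")

FIELDS = {
    "serial":     r"Certificate Serial Number:\s*(\S+)",
    "key_bits":   r"Public Key Type:\s*RSA \((\d+) bits\)",
    "issuer":     r"Issuer Name:\s+(\S+)",
    "subject":    r"Subject Name:\s+(\S+)",
    "not_before": r"start date:\s*(.+)",
    "not_after":  r"end date:\s*(.+)",
    "trustpoint": r"Associated Trustpoints:\s*(\S+)",
}


def _parse_date(text):
    """'18:18:26 UTC Jan 5 2013' -> naive datetime (the ASA prints UTC)."""
    parts = text.split()
    if len(parts) == 5 and parts[1].isalpha():
        parts.pop(1)                      # drop the time-zone token
    return datetime.strptime(" ".join(parts), "%H:%M:%S %b %d %Y")


def parse_ca_certs(text):
    """One dict per 'Certificate' block; fields that are absent stay None."""
    certs = []
    for block in re.split(r"^\s*Certificate\s*$", text, flags=re.M)[1:]:
        cert = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, block)
            cert[name] = m.group(1).strip() if m else None
        if cert["key_bits"] is not None:
            cert["key_bits"] = int(cert["key_bits"])
        for key in ("not_before", "not_after"):
            if cert[key] is not None:
                cert[key] = _parse_date(cert[key])
        certs.append(cert)
    return certs


def check_certs(certs, now, min_key_bits=2048, warn_days=30):
    """Return (serial, finding) pairs for anything an operator should act on."""
    findings = []
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c["subject"], []).append(c["serial"])
        if c["key_bits"] is not None and c["key_bits"] < min_key_bits:
            findings.append((c["serial"], f"RSA key is {c['key_bits']} bits, below {min_key_bits}"))
        if c["not_before"] is not None and now < c["not_before"]:
            findings.append((c["serial"], "not yet valid: check the device clock / NTP"))
        if c["not_after"] is not None:
            left = (c["not_after"] - now).days
            if left < 0:
                findings.append((c["serial"], "expired"))
            elif left < warn_days:
                findings.append((c["serial"], f"expires in {left} days"))
    # Peers authenticated by certificate are told apart by subject; a shared
    # subject (as on this page) makes per-peer certificate matching impossible.
    for subject, serials in by_subject.items():
        if len(serials) > 1:
            findings.append((",".join(serials), f"subject {subject} is shared by several certificates"))
    return findings


if __name__ == "__main__":
    certs = parse_ca_certs(SITE_A_OUTPUT) + parse_ca_certs(SITE_B_OUTPUT)
    for serial, finding in check_certs(certs, now=datetime.utcnow()):
        print(f"serial {serial}: {finding}")
```

Run against the page's two outputs with a clock set inside the validity period, the script reports the two 1024-bit keys and the shared subject; with the clock past 5 Jan 2014 it adds an expired finding for each certificate.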


Task 2: Configure an IPsec site-to-site VPN between Site A and Site B, authenticated with the certificates enrolled above, to protect traffic between the LAN of R1 (11.11.11.11) and the LAN of R3 (33.33.33.33).

ISAKMP/IKE is disabled on an ASA by default and must be enabled on the interface that terminates the tunnel. From ASA 8.4 onward the ISAKMP commands are split into crypto ikev1 and crypto ikev2: IKEv1 is the classic ISAKMP key exchange and IKEv2 is its successor (also used by AnyConnect IPsec/IKEv2 clients); neither has anything to do with SSL VPN. This lab uses IKEv1, so IKEv1 is enabled on the Outside interface.

ciscoasa-site-A(config)# crypto ikev1 enable Outside

Define the IKEv1 (phase 1) policy: encryption algorithm, hash, Diffie-Hellman group, authentication method and SA lifetime.

ciscoasa-site-A(config)# crypto ikev1 policy 10

ciscoasa-site-A(config-ikev1-policy)# encryption aes

ciscoasa-site-A(config-ikev1-policy)# hash sha

ciscoasa-site-A(config-ikev1-policy)# group 2

ciscoasa-site-A(config-ikev1-policy)# authentication rsa-sig

ciscoasa-site-A(config-ikev1-policy)# lifetime 6000

Because the authentication method is rsa-sig, no pre-shared key is defined; the ASA proves its identity with the certificate from the trustpoint ios_ca. If the negotiation fails with a certificate error, bind the trustpoint explicitly to the crypto map entry or to the peer's tunnel-group so the ASA knows which certificate to present.

Define the IPsec (phase 2) transform set. The workbook uses esp-3des esp-md5-hmac; 3DES and MD5 are legacy algorithms, and a production transform set should use AES with an SHA-based HMAC, as the phase 1 policy above already does.

ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac

Define the interesting traffic (the crypto ACL). The ASA encrypts only traffic matching a permit entry, and the peer's ACL must be the exact mirror image.

ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33

Create a Crypto map and bind all the credentials with that MAP

ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2

ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set

ciscoasa-site-A(config)# crypto map mymap 10 match address 101

Apply The MAP on interface facing to Internet

ciscoasa-site-A(config)# crypto map mymap interface Outside

Configure the matching VPN parameters on the Site B ASA. Encryption, hash, group and authentication must match a policy on the peer; the IKE lifetime need not (6000 s here against 5600 s on Site B), because the shorter of the two lifetimes is used.


ciscoasa-Site-B(config)# crypto ikev1 enable Outside

ciscoasa-Site-B(config)# crypto ikev1 policy 10

ciscoasa-Site-B(config-ikev1-policy)# authentication rsa-sig

ciscoasa-Site-B(config-ikev1-policy)# encryption aes

ciscoasa-Site-B(config-ikev1-policy)# hash sha

ciscoasa-Site-B(config-ikev1-policy)# group 2

ciscoasa-Site-B(config-ikev1-policy)# lifetime 5600

ciscoasa-Site-B(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac

Define the interesting traffic with an access-list that is the mirror image of Site A's (source and destination swapped). If the two ACLs do not mirror each other, phase 1 completes but phase 2 fails with a proxy-identity mismatch.

ciscoasa-Site-B(config)# access-list 109 permit ip host 33.33.33.33 host 11.11.11.11

Crypto MAP Creation and Application

ciscoasa-Site-B(config)# crypto map mymap 10 match address 109

ciscoasa-Site-B(config)# crypto map mymap 10 set peer 1.1.1.1

ciscoasa-Site-B(config)# crypto map mymap 10 set ikev1 transform-set t-set

ciscoasa-Site-B(config)# crypto map mymap interface outside
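Crypto ACLs on the two ASAs must be exact mirror images, otherwise phase 2 fails with a proxy-identity mismatch even though phase 1 completes. The Python script below, an added example rather than workbook content, parses ASA access-list lines, checks that Site B's ACL mirrors Site A's, generates the mirror for a peer from the local ACL, and shows the mismatch produced by a constructed mistake (Site A widened to a /24 while Site B still matches a host). It handles host, any and network/mask clauses only; port-level entries and deny lines are outside its scope, an assumption noted in the code.

```python
"""Mirror check for site-to-site crypto ACLs written in ASA syntax.

Added example, not from the workbook. SITE_A_ACL and SITE_B_ACL are the
lines the page configures; SITE_A_ACL_WRONG is a constructed mistake.
"""
import ipaddress

SITE_A_ACL = "access-list 101 permit ip host 11.11.11.11 host 33.33.33.33"
SITE_B_ACL = "access-list 109 permit ip host 33.33.33.33 host 11.11.11.11"
# Constructed mistake: Site A widened to the /24 while Site B still matches a host.
SITE_A_ACL_WRONG = "access-list 101 permit ip 11.11.11.0 255.255.255.0 host 33.33.33.33"


def _take_address(tokens):
    """Consume one ASA address clause: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return [(proto, src_net, dst_net)] for each permit entry.

    Assumption: no port qualifiers, and deny entries are ignored (on a real
    crypto ACL a deny excludes traffic from the tunnel and must mirror too).
    """
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        proto = tokens[3]
        src, rest = _take_address(tokens[4:])
        dst, rest = _take_address(rest)
        entries.append((proto, src, dst))
    return entries


def mirror_mismatches(local, remote):
    """Entries on either side with no exact mirror (src/dst swapped) on the other."""
    local_set = set(local)
    remote_mirrored = {(p, d, s) for (p, s, d) in remote}
    only_local = sorted(local_set - remote_mirrored, key=str)
    only_remote = sorted(remote_mirrored - local_set, key=str)
    return only_local, only_remote


def _render(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def mirror_acl(name, entries):
    """Generate the peer's ACL lines from the local entries."""
    return [f"access-list {name} permit {p} {_render(d)} {_render(s)}" for (p, s, d) in entries]


if __name__ == "__main__":
    a, b = parse_acl(SITE_A_ACL), parse_acl(SITE_B_ACL)
    print("page ACLs mirror each other:", mirror_mismatches(a, b) == ([], []))
    print("generated for Site B:", mirror_acl("109", a)[0])
    only_local, only_remote = mirror_mismatches(parse_acl(SITE_A_ACL_WRONG), b)
    print("unmatched on Site A:", only_local)
    print("unmatched on Site B:", only_remote)
```

Feed it the two ACLs from the page and both lists come back empty; feed it the widened Site A entry and each side reports one unmatched proxy identity, which is exactly what the peers would disagree about in quick mode.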


Verification

Generate interesting traffic: a ping from R1 to R3's loopback, which matches the crypto ACL. The first echo is lost while the IKE and IPsec SAs are being negotiated; that single drop is normal on a fresh tunnel.

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 68/102/144 ms

Verification of ISAKMP functionality

ciscoasa-site-A# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 2.2.2.2

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Verification of IPsec functionality

ciscoasa-site-A# show crypto ipsec sa

interface: Outside

Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1

access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33

local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)

current_peer: 2.2.2.2

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 80

local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0

path mtu 1500, ipsec overhead 58, media mtu 1500


ciscoasa-Site-B# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 1.1.1.1

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

ciscoasa-Site-B# show crypto ipsec sa

interface: outside

Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2

access-list 109 extended permit ip host 33.33.33.33 host 11.11.11.11

local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)

current_peer: 1.1.1.1

#pkts encaps: 362, #pkts encrypt: 362, #pkts digest: 362

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 362, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0


LAB - 5 Making a Site-to-Site GRE Virtual Private Network

Points to remember:

GRE (Generic Routing Encapsulation, RFC 2784/2890) is only a tunnelling protocol: it wraps a packet in a GRE header and an outer IP header and carries it as IP protocol number 47.

GRE provides encapsulation and nothing else. It has no confidentiality or integrity protection, so a GRE tunnel on its own is not a secure transport: anything sent through it can be read and altered on the path. That is why the later labs add IPsec on top of it.

GRE creates a virtual point-to-point link between two remote devices that behaves as if they were directly connected, and it adds a tunnel interface on each peer on which routing protocols and QoS can be configured.

Both peers of a plain GRE tunnel need a fixed, reachable IP address, because each side's tunnel destination is configured statically.


LAB Topology (diagram not reproduced here)

In the topology, routers R1 and R3 are the border routers of Site A and Site B respectively, and R2 plays the role of the Internet. The loopback on each border router represents its local LAN.

Interface configuration on the routers

Device  Interface  IP address    Subnet mask
R1      F0/0       1.1.1.1       255.0.0.0
R1      Loopback   11.11.11.11   255.0.0.0
R2      F0/0       1.1.1.2       255.0.0.0
R2      F0/1       2.2.2.1       255.0.0.0
R3      F0/0       2.2.2.2       255.0.0.0
R3      Loopback   33.33.33.33   255.0.0.0

*Configure a default route pointing towards the Internet (router R2) on both R1 and R3.

Verification of routing

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms

R3#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms


Task 1: Configure a site-to-site GRE tunnel between router R1 and router R3, each using the other's public IP address as the tunnel destination.

o A GRE tunnel is configured on a virtual interface (interface tunnel N) that carries its own IP address, assigned by the administrator; the two tunnel endpoints share one subnet.

o Besides its IP address, the tunnel interface must be bound to the underlying physical path, which is done by defining a tunnel source and a tunnel destination.

o The tunnel source is a local physical interface, named directly or by one of its IP addresses; it is the starting point of the tunnel and becomes the source address of the outer IP header.

o The tunnel destination is the public IP address of the remote device, generally called the peer address; it becomes the destination of the outer IP header and must be reachable by the existing routing (here, the default route towards R2).

R1(config)#interface tunnel 0

R1(config-if)#ip address 6.6.6.1 255.0.0.0

R1(config-if)#tunnel source 1.1.1.1

R1(config-if)#tunnel destination 2.2.2.2

A GRE key can be configured on both ends of the tunnel. Despite the name it is neither authentication nor a secret: the key is a 32-bit value carried in cleartext in every GRE header (RFC 2890), and the receiver simply discards packets whose key does not match. It protects against mis-wired tunnels, not against an attacker. Real peer authentication, which IPsec makes mandatory, is added in the later labs.

R1(config-if)#tunnel key 123456

Configure the matching tunnel on the other side, router R3 (whose F0/0 address 2.2.2.2 is the destination configured on R1):

R3(config)#interface tunnel 0
R3(config-if)#ip address 6.6.6.2 255.0.0.0
R3(config-if)#tunnel source FastEthernet 0/0
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#tunnel key 123456
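To make concrete what the points above and the note on the tunnel key say, here is GRE encapsulation done by hand in Python, an added example that is not workbook code: an outer IPv4 header and a GRE header (RFC 2784/2890) are wrapped around a constructed ICMP packet from R1's LAN to R3's LAN, then parsed back. The key 123456 is read straight out of the packet with no secret, the inner packet comes back byte for byte, and a receiver configured with a different key drops the packet. The inner ICMP checksum is left at zero for brevity; that and the sample payload are assumptions.

```python
"""GRE encapsulation by hand, to show what the tunnel does and does not protect.

Added example, not from the workbook. Builds an outer IPv4 + GRE header
(RFC 2784/2890) around a constructed inner ICMP packet and parses it back.
The addresses are the lab's; the inner packet and payload are made up.
"""
import struct
import ipaddress

IPPROTO_GRE = 47
IPPROTO_ICMP = 1
ETHERTYPE_IPV4 = 0x0800
GRE_FLAG_CSUM = 0x8000      # C bit
GRE_FLAG_KEY = 0x2000       # K bit
GRE_FLAG_SEQ = 0x1000       # S bit


def ip_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a header that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encap(inner, outer_src, outer_dst, key=None):
    """Wrap `inner` (an IPv4 packet) in GRE; `key` is the optional 32-bit tunnel key."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)          # the key travels in cleartext
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decap(packet, expected_key=None):
    """Parse outer IP + GRE. Like a router, drop the packet on a key mismatch."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    off, key = 4, None
    if flags & GRE_FLAG_CSUM:
        off += 4                               # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        off += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: packet dropped")
    return {"outer_src": outer_src, "outer_dst": outer_dst, "key": key,
            "ptype": ptype, "inner": gre[off:]}


def sample_inner_packet():
    """Constructed ICMP echo from R1's LAN to R3's LAN (ICMP checksum left at 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"netmetric"
    return ipv4_header("11.11.11.11", "33.33.33.33", IPPROTO_ICMP, len(icmp)) + icmp


if __name__ == "__main__":
    inner = sample_inner_packet()
    pkt = gre_encap(inner, "1.1.1.1", "2.2.2.2", key=123456)
    seen = gre_decap(pkt)                      # what anyone on the path can do
    print("GRE overhead: %d bytes" % (len(pkt) - len(inner)))
    print("key read from the wire:", seen["key"])
    print("inner payload visible:", seen["inner"][-9:])
```

The overhead is 24 bytes without a key and 28 with one (20-byte outer IP plus 4-byte GRE header plus the 4-byte key), which is also why a GRE tunnel interface needs a lower MTU than the physical link.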

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

C 1.0.0.0/8 is directly connected, FastEthernet0/0

C 6.0.0.0/8 is directly connected, Tunnel0

C 11.0.0.0/8 is directly connected, Loopback0

S* 0.0.0.0/0 [1/0] via 1.1.1.2

The tunnel subnet 6.0.0.0/8 appears as a directly connected network on Tunnel0, exactly like a physical point-to-point link to the other side.


R1#ping 6.6.6.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms

R3#ping 6.6.6.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms

The tunnel endpoints reach each other, but the LANs behind them do not. R1 has no route to 33.33.33.33 other than its default route, so the packet leaves unencapsulated towards R2, and R2, which knows nothing about the loopback networks, answers with ICMP unreachable (the U in the ping output). Routes through the tunnel are still missing.

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

R3#ping 11.11.11.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)


Task 2: Route the LAN traffic of both sites through the tunnel with static routes so the remote LANs become reachable.

R1(config)#ip route 33.33.33.0 255.255.255.0 6.6.6.2

A static route for the remote LAN pointing into the tunnel is all that is needed; the next hop can be given either as the tunnel interface or as the peer's tunnel IP address. Never route the tunnel destination itself (2.2.2.2) through the tunnel: that is recursive routing, and the tunnel goes down and flaps.

R3(config)#ip route 11.11.11.0 255.255.255.0 tunnel 0

As soon as the routes are in the routing table, the remote LAN is reachable.

R1#show ip route

C 1.0.0.0/8 is directly connected, FastEthernet0/0

33.0.0.0/24 is subnetted, 1 subnets

S 33.33.33.0 [1/0] via 6.6.6.2

C 6.0.0.0/8 is directly connected, Tunnel0

C 11.0.0.0/8 is directly connected, Loopback0

S* 0.0.0.0/0 [1/0] via 1.1.1.2

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms

R3#ping 11.11.11.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/59/96 ms

LAN-to-LAN communication works in both directions and the traffic flows through the tunnel as routed.


LAB - 6 GRE over IPsec VPN with Crypto Map

Points to remember:

GRE (Generic Routing Encapsulation, RFC 2784/2890) is only a tunnelling protocol: it wraps a packet in a GRE header and an outer IP header and carries it as IP protocol number 47.

GRE provides encapsulation and nothing else. It has no confidentiality or integrity protection, so a GRE tunnel on its own is not a secure transport; this lab adds IPsec to protect it.

GRE creates a virtual point-to-point link between two remote devices that behaves as if they were directly connected, and it adds a tunnel interface on each peer on which routing protocols and QoS can be configured.

Both peers of a plain GRE tunnel need a fixed, reachable IP address, because each side's tunnel destination is configured statically.


LAB Topology (diagram not reproduced here)

In the topology, routers R1 and R3 are the border routers of Site A and Site B respectively, and R2 plays the role of the Internet. The loopback on each border router represents its local LAN.

Interface configuration on the routers

Device  Interface  IP address    Subnet mask
R1      F0/0       1.1.1.1       255.0.0.0
R1      Loopback   11.11.11.11   255.0.0.0
R2      F0/0       1.1.1.2       255.0.0.0
R2      F0/1       2.2.2.1       255.0.0.0
R3      F0/0       2.2.2.2       255.0.0.0
R3      Loopback   33.33.33.33   255.0.0.0

*Configure a default route pointing towards the Internet (router R2) on both R1 and R3.

Verification of routing

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms

R3#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms


Task 1: Configure a site-to-site GRE tunnel between router R1 and router R3, each using the other's public IP address as the tunnel destination (the same tunnel as in Lab 5).

R1(config)#interface tunnel 0
R1(config-if)#ip address 6.6.6.1 255.0.0.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.2
R1(config-if)#tunnel key 123456

Configure the matching tunnel on the other side, router R3:

R3(config)#interface tunnel 0
R3(config-if)#ip address 6.6.6.2 255.0.0.0
R3(config-if)#tunnel source FastEthernet 0/0
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#tunnel key 123456

R1#ping 6.6.6.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms

R3#ping 6.6.6.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms


Task 2: Route the LAN traffic of both sites through the tunnel with the dynamic routing protocol EIGRP so the remote LANs become reachable.

Advertise the tunnel subnet, which both peers share, together with the local LAN. Do not advertise the physical (underlay) networks: if the tunnel destination were learned through the tunnel itself, the result is recursive routing and the tunnel flaps.

R1(config)#router eigrp 100

R1(config-router)#net 11.0.0.0

R1(config-router)#net 6.0.0.0

!! Do not Advertise Physical networks in Dynamic Routing

R3(config)#router eigrp 100

R3(config-router)#network 33.0.0.0

R3(config-router)#network 6.0.0.0

As soon as EIGRP installs the routes, the remote LAN is reachable.

R1#show ip route

C 1.0.0.0/8 is directly connected, FastEthernet0/0

D 33.0.0.0/8 [90/297372416] via 6.6.6.2, 00:03:02, Tunnel0

C 6.0.0.0/8 is directly connected, Tunnel0

C 11.0.0.0/8 is directly connected, Loopback0

S* 0.0.0.0/0 [1/0] via 1.1.1.2

R3#show ip route

C 2.0.0.0/8 is directly connected, FastEthernet0/0

C 33.0.0.0/8 is directly connected, Loopback0

C 6.0.0.0/8 is directly connected, Tunnel0

D 11.0.0.0/8 [90/297372416] via 6.6.6.1, 00:01:19, Tunnel0

S* 0.0.0.0/0 [1/0] via 2.2.2.1

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms

LAN-to-LAN communication works in both directions and the traffic flows through the tunnel as routed.


Task 3: Protect the GRE tunnel between 1.1.1.1 and 2.2.2.2 with IPsec, using a crypto map.

Define the ISAKMP policy, also called the phase 1 parameters of the VPN. The workbook uses 3DES and MD5 here and in the transform set below; both are legacy algorithms, and a new deployment should use AES and SHA.

R1(config)#crypto isakmp enable

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2

R1(config-isakmp)#hash md5

For device authentication a shared secret is defined on both sides and bound to the peer's address; in this lab the key is netmetric. A production key should be long and random.

R1(config)#crypto isakmp key netmetric address 2.2.2.2

This Concludes Phase 1 Configuration

Define the IPsec transform set, commonly known as the phase 2 parameters of the VPN.

R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#exit

As the task states, the interesting traffic is the GRE traffic itself: every packet sourced from 1.1.1.1 to 2.2.2.2 with IP protocol 47, whatever it carries. An extended access-list matching protocol gre expresses this. Do not match the LAN addresses here; after GRE encapsulation the crypto map only ever sees the outer GRE packet.

R1(config)#access-list 101 permit gre host 1.1.1.1 host 2.2.2.2

Binding credentials using crypto map

R1(config)#crypto map vpn-map 10 ipsec-isakmp

R1(config-crypto-map)#set peer 2.2.2.2

R1(config-crypto-map)#set transform-set t-set-1

R1(config-crypto-map)#match address 101

Apply the crypto map to the physical interface, not to the tunnel interface.

R1(config)#int f 0/0

R1(config-if)#crypto map vpn-map


On the other side the phase 1 and phase 2 parameters must match exactly; the names of the policy, transform set and crypto map are locally significant and may differ.

R3(config)#crypto isakmp enable

R3(config)#crypto isakmp policy 10

R3(config-isakmp)#encryption 3des

R3(config-isakmp)#authentication pre-share

R3(config-isakmp)#group 2

R3(config-isakmp)#hash md5

R3(config)#crypto isakmp key netmetric address 1.1.1.1

R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac

R3(config)#access-list 101 permit gre host 2.2.2.2 host 1.1.1.1

R3(config)#crypto map vpn-map-2 10 ipsec-isakmp

R3(config-crypto-map)#set peer 1.1.1.1

R3(config-crypto-map)#set transform-set t-set-2

R3(config-crypto-map)#match address 101

R3(config)#int f 0/0
R3(config-if)#crypto map vpn-map-2


Verification

Generating Interesting Traffic

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms

R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn-map, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)

The proxy identities show protocol 47 between the two public addresses: the whole GRE tunnel, whatever it carries, is what IPsec protects.

R1#sh crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: UP-ACTIVE

Peer: 2.2.2.2 port 500

IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active

IPSEC FLOW: permit gre 1.1.1.1/255.255.255.255,2.2.2.2/255.255.255.255


LAB - 7 GRE over IPsec VPN with IPsec Profiles

Task 1: Configure a site-to-site GRE tunnel between router R1 and router R3, each using the other's public IP address as the tunnel destination (the same tunnel as in Labs 5 and 6).

R1(config)#interface tunnel 0
R1(config-if)#ip address 6.6.6.1 255.0.0.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.2
R1(config-if)#tunnel key 123456

Configure the matching tunnel on the other side, router R3:

R3(config)#interface tunnel 0
R3(config-if)#ip address 6.6.6.2 255.0.0.0
R3(config-if)#tunnel source FastEthernet 0/0
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#tunnel key 123456

R1#ping 6.6.6.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms

R3#ping 6.6.6.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms


Task 2: Route the LAN traffic of both sites through the tunnel with the dynamic routing protocol EIGRP so the remote LANs become reachable.

Advertise the tunnel subnet, which both peers share, together with the local LAN; do not advertise the physical (underlay) networks, or the tunnel destination may be learned through the tunnel itself and the tunnel flaps.

R1(config)#router eigrp 100

R1(config-router)#net 11.0.0.0

R1(config-router)#net 6.0.0.0

!! Do not Advertise Physical networks in Dynamic Routing

R3(config)#router eigrp 100

R3(config-router)#network 33.0.0.0

R3(config-router)#network 6.0.0.0

As soon as EIGRP installs the routes, the remote LAN is reachable.

R1#show ip route

C 1.0.0.0/8 is directly connected, FastEthernet0/0

D 33.0.0.0/8 [90/297372416] via 6.6.6.2, 00:03:02, Tunnel0

C 6.0.0.0/8 is directly connected, Tunnel0

C 11.0.0.0/8 is directly connected, Loopback0

S* 0.0.0.0/0 [1/0] via 1.1.1.2

R3#show ip route

C 2.0.0.0/8 is directly connected, FastEthernet0/0

C 33.0.0.0/8 is directly connected, Loopback0

C 6.0.0.0/8 is directly connected, Tunnel0

D 11.0.0.0/8 [90/297372416] via 6.6.6.1, 00:01:19, Tunnel0

S* 0.0.0.0/0 [1/0] via 2.2.2.1

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms

LAN-to-LAN communication works in both directions and the traffic flows through the tunnel as routed.


Task 3: Protect the GRE tunnel between 1.1.1.1 and 2.2.2.2 with IPsec, using an IPsec profile.

Define the ISAKMP policy, also called the phase 1 parameters of the VPN.

R1(config)#crypto isakmp enable

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2

R1(config-isakmp)#hash md5

For device authentication a shared secret is defined on both sides and bound to the peer's address; in this lab the key is netmetric.

R1(config)#crypto isakmp key netmetric address 2.2.2.2

This Concludes Phase 1 Configuration

Define the IPsec transform set, commonly known as the phase 2 parameters of the VPN.

R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#exit

The task calls for an IPsec profile to protect the tunnel traffic, so an IPsec profile is created.

An IPsec profile replaces the crypto map for tunnel interfaces. It carries only the IPsec (phase 2) settings: the peer address and the proxy identities are taken from the tunnel's source and destination (GRE, protocol 47, between the two endpoints), so no crypto ACL and no set peer are needed.

R1(config)#crypto ipsec profile demo-profile
R1(ipsec-profile)#set transform-set t-set-1

The profile is applied directly on the tunnel interface with tunnel protection, and everything that passes through the tunnel is then protected.

R1(config)#interface tunnel 0

R1(config-if)#tunnel protection ipsec profile demo-profile


R3(config)#crypto isakmp enable

R3(config)#crypto isakmp policy 10

R3(config-isakmp)#encryption 3des

R3(config-isakmp)#authentication pre-share

R3(config-isakmp)#group 2

R3(config-isakmp)#hash md5

R3(config)#crypto isakmp key netmetric address 1.1.1.1

R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac

R3(config)#crypto ipsec profile demo-profile

R3(ipsec-profile)#set transform-set t-set-2

The profile is applied directly on the tunnel interface with tunnel protection, and everything that passes through the tunnel is then protected.

R3(config)#interface tunnel 0

R3(config-if)#tunnel protection ipsec profile demo-profile


Verification

Generating Interesting Traffic

R1#ping 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms

R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn-net, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)

R1#sh crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: UP-ACTIVE

Peer: 2.2.2.2 port 500

IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active

IPSEC FLOW: permit gre 1.1.1.1/255.255.255.255,2.2.2.2/255.255.255.255


LAB - 8 Site-to-Site Dynamic Multipoint VPN (DMVPN)

DMVPN is a Cisco VPN design that combines three building blocks: multipoint GRE (mGRE), the Next Hop Resolution Protocol (NHRP, RFC 2332) and, optionally, IPsec.

NHRP lets each spoke register its tunnel address together with its current public (NBMA) address at the hub, and lets a spoke query the hub for the NBMA address behind another spoke's tunnel address.

mGRE is a GRE tunnel without a fixed tunnel destination: one tunnel interface can terminate tunnels to many peers, the destination for each packet being supplied by NHRP.

The hub must have a static, reachable IP address because every spoke points to it as its next-hop server. A spoke may use a static or a dynamic address, since it tells the hub its current address when it registers.

When a spoke needs to reach another spoke whose address it does not know, its NHRP resolution request goes to the hub; the hub answers from its NHRP cache with the peer's current address, and the two spokes then build a direct tunnel between them.


LAB Topology (diagram not reproduced here)

In the topology, router R4 is the hub, routers R1 and R3 are the spokes, and R2 plays the role of the Internet. The loopback on each router represents the local LAN of its site.

Interface configuration on the devices

Device  Interface  IP address    Subnet mask
R1      F0/0       1.1.1.1       255.0.0.0
R1      Loopback   11.11.11.11   255.0.0.0
R2      F0/0       1.1.1.2       255.0.0.0
R2      F0/1       2.2.2.2       255.0.0.0
R2      F1/0       3.3.3.2       255.0.0.0
R3      F0/0       2.2.2.3       255.0.0.0
R3      Loopback   33.33.33.33   255.0.0.0
R4      F0/0       3.3.3.3       255.0.0.0
R4      Loopback   44.44.44.44   255.0.0.0

*Configure a default route pointing towards the Internet (router R2) on all routers.

Verification of routing

R1#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms

R3#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms


Task 1: Configure multipoint GRE tunnels on routers R1, R3 and R4, with R4 as the hub and R1 and R3 as spokes, without a static peer address or fixed tunnel destination (R2 is only the transit network).

Configure a GRE tunnel on the hub and on each spoke, all in the same tunnel subnet; no tunnel destination is set, since a fixed destination is not allowed here.

Set the tunnel mode to multipoint GRE. A multipoint tunnel can terminate on different destinations, which NHRP supplies per peer.

R1(config)#interface tunnel 0

R1(config-if)#ip address 6.6.6.1 255.0.0.0

R1(config-if)#tunnel source fastEthernet 0/0

R1(config-if)#tunnel mode gre multipoint

R1(config-if)#tunnel key 123456

Configure the same on the other spoke and on the hub, each with a different address in the same tunnel subnet.

R3(config)#interface tunnel 0

R3(config-if)#ip address 6.6.6.3 255.0.0.0

R3(config-if)#tunnel source FastEthernet 0/0

R3(config-if)#tunnel mode gre multipoint

R3(config-if)#tunnel key 123456

R4(config)#interface Tunnel 0

R4(config-if)#ip add 6.6.6.4 255.0.0.0

R4(config-if)#tunnel source FastEthernet 0/0

R4(config-if)#tunnel mode gre multipoint

R4(config-if)#tunnel key 123456


Configure NHRP on the hub and on the spokes

Configuring NHRP for HUB router

R4(config)#interface tunnel 0

R4(config-if)#ip nhrp network-id 123

R4(config-if)#ip nhrp map multicast dynamic

Configuring NHRP on the spoke routers

On the spokes, define the Next Hop Server (NHS), which is the hub, and statically map the hub's tunnel address to its physical (NBMA) address. The multicast map lets routing-protocol hellos from the spoke reach the hub.

R1(config)#interface tunnel 0

R1(config-if)#ip nhrp network-id 123

R1(config-if)#ip nhrp nhs 6.6.6.4

R1(config-if)#ip nhrp map 6.6.6.4 3.3.3.3

R1(config-if)#ip nhrp map multicast 3.3.3.3

R3(config)#interface Tunnel0

R3(config-if)#ip nhrp network-id 123

R3(config-if)#ip nhrp nhs 6.6.6.4

R3(config-if)#ip nhrp map 6.6.6.4 3.3.3.3

R3(config-if)#ip nhrp map multicast 3.3.3.3

Once NHRP is configured, each spoke registers with the hub, which records the spoke's tunnel address and the physical (NBMA) address it registered from in its NHRP database

R4#show ip nhrp detail

6.6.6.1/32 via 6.6.6.1, Tunnel0 created 00:14:30, expire 01:45:29

Type: dynamic, Flags: unique nat registered

NBMA address: 1.1.1.1

6.6.6.3/32 via 6.6.6.3, Tunnel0 created 00:10:10, expire 01:49:49

Type: dynamic, Flags: unique nat registered

NBMA address: 2.2.2.3

When all spokes are registered in the hub's database, every tunnel endpoint can reach every other one, even though no fixed tunnel destination was configured: the hub resolves the NBMA address of the remote spoke on request.
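The hub's NHRP table above is where to see which spokes have registered and from which physical address. As an added example (not part of the workbook), the following Python script parses that output and compares it with an inventory of expected spokes, reporting unknown spokes, spokes registering from an unexpected NBMA address, and expected spokes that are missing. The sample output is constructed from the hub display above plus one invented entry (6.6.6.9 from 9.9.9.9); the inventory is assumed from the interface table.

```python
"""Check the NHRP registrations on a DMVPN hub against an expected spoke list.

Added example: parses the IOS 'show ip nhrp detail' output into
tunnel-address -> NBMA-address entries and reports spokes that registered from
an unexpected physical address, unknown spokes, and expected spokes that have
not registered.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ENTRY_RE = re.compile(
    r"^(?P<prefix>\d{1,3}(?:\.\d{1,3}){3})/\d+ via (?P<via>\d{1,3}(?:\.\d{1,3}){3}), "
    r"(?P<iface>\S+) created \S+, expire (?P<expire>\S+)"
)
TYPE_RE = re.compile(r"^\s*Type: (?P<type>\w+), Flags: (?P<flags>.*)$")
NBMA_RE = re.compile(r"^\s*NBMA address: (?P<nbma>\S+)")


@dataclass(frozen=True)
class NhrpEntry:
    tunnel_ip: str          # spoke address inside the tunnel (6.6.6.x)
    nbma_ip: str            # physical address the spoke's GRE/IPsec packets come from
    entry_type: str         # "dynamic" for registrations, "static" for ip nhrp map
    flags: frozenset[str]
    interface: str
    expire: str


def parse_nhrp_detail(output: str) -> list[NhrpEntry]:
    """Parse 'show ip nhrp detail' text into NhrpEntry records."""
    entries: list[NhrpEntry] = []
    current: dict | None = None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"tunnel_ip": m["via"], "interface": m["iface"],
                       "expire": m["expire"], "entry_type": "unknown",
                       "flags": frozenset()}
            continue
        if current is None:
            continue
        m = TYPE_RE.match(line)
        if m:
            current["entry_type"] = m["type"]
            current["flags"] = frozenset(m["flags"].split())
            continue
        m = NBMA_RE.match(line)
        if m:
            entries.append(NhrpEntry(nbma_ip=m["nbma"], **current))
            current = None
    return entries


def check_registrations(entries: list[NhrpEntry], expected: dict[str, str]) -> list[str]:
    """Compare registered spokes with the expected tunnel -> NBMA inventory.

    A spoke behind NAT registers with its translated address (the 'nat' flag is
    set), so the inventory must list the address the hub actually sees.
    """
    issues: list[str] = []
    seen: set[str] = set()
    for e in entries:
        if "registered" not in e.flags:
            continue            # static maps and resolved entries are not registrations
        seen.add(e.tunnel_ip)
        want = expected.get(e.tunnel_ip)
        if want is None:
            issues.append(f"unknown spoke {e.tunnel_ip} registered from NBMA {e.nbma_ip}")
        elif want != e.nbma_ip:
            issues.append(f"spoke {e.tunnel_ip} registered from {e.nbma_ip}, expected {want}")
    for tunnel_ip, nbma_ip in expected.items():
        if tunnel_ip not in seen:
            issues.append(f"expected spoke {tunnel_ip} ({nbma_ip}) has not registered")
    return issues


# Constructed sample: the hub output shown above, plus a third entry (6.6.6.9 from
# 9.9.9.9) invented here to show how an unknown registration is reported.
SAMPLE_NHRP_OUTPUT = """\
6.6.6.1/32 via 6.6.6.1, Tunnel0 created 00:14:30, expire 01:45:29
  Type: dynamic, Flags: unique nat registered
  NBMA address: 1.1.1.1
6.6.6.3/32 via 6.6.6.3, Tunnel0 created 00:10:10, expire 01:49:49
  Type: dynamic, Flags: unique nat registered
  NBMA address: 2.2.2.3
6.6.6.9/32 via 6.6.6.9, Tunnel0 created 00:00:12, expire 01:59:48
  Type: dynamic, Flags: unique registered
  NBMA address: 9.9.9.9
"""

# Assumed spoke inventory, taken from the lab's interface table.
EXPECTED_SPOKES = {"6.6.6.1": "1.1.1.1", "6.6.6.3": "2.2.2.3"}

if __name__ == "__main__":
    for issue in check_registrations(parse_nhrp_detail(SAMPLE_NHRP_OUTPUT), EXPECTED_SPOKES):
        print(issue)
```

Run against the sample it reports only the invented 6.6.6.9 registration. Once the tunnels are protected with a single wildcard pre-shared key (Task 3), any peer that knows the key can register, so an unknown entry in this table is worth investigating rather than ignoring.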


Verification:

Connectivity from a spoke to the hub and to the other spoke

R1#ping 6.6.6.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/98/208 ms

R1#ping 6.6.6.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 44/242/524 ms

Connectivity from the hub to the spokes

R4#ping 6.6.6.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/176/304 ms

R4#ping 6.6.6.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 6.6.6.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 68/192/268 ms


Task 2 : Configure dynamic routing between the peers using EIGRP and make all loopbacks reachable from each other

R1(config)#router eigrp 100

R1(config-router)#network 11.11.11.11

R1(config-router)#network 6.0.0.0

R3(config)#router eigrp 100

R3(config-router)#network 33.33.33.33

R3(config-router)#network 6.0.0.0

R4(config)#router eigrp 100

R4(config-router)#network 44.44.44.44

R4(config-router)#network 6.0.0.0

For routes learned from one spoke to reach the other spokes, two defaults must be changed on the hub's tunnel interface: disable split horizon, so that EIGRP re-advertises a spoke's routes out of the same interface they were learned on, and disable next-hop-self, so that the advertised next hop stays the originating spoke's tunnel address instead of being rewritten to the hub. The second change is what allows spoke-to-spoke traffic to go directly rather than through the hub.

R4(config)#interface tunnel 0

R4(config-if)#no ip split-horizon eigrp 100

R4(config-if)#no ip next-hop-self eigrp 100

Verification

R3#show ip route

C 2.0.0.0/8 is directly connected, FastEthernet0/0

C 33.0.0.0/8 is directly connected, Loopback0

C 6.0.0.0/8 is directly connected, Tunnel0

D 11.0.0.0/8 [90/310172416] via 6.6.6.1, 00:25:46, Tunnel0

D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:25:53, Tunnel0

S* 0.0.0.0/0 [1/0] via 2.2.2.2

R1#sh ip route

C 1.0.0.0/8 is directly connected, FastEthernet0/0

D 33.0.0.0/8 [90/310172416] via 6.6.6.3, 00:26:57, Tunnel0

C 6.0.0.0/8 is directly connected, Tunnel0

C 11.0.0.0/8 is directly connected, Loopback0

D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:27:05, Tunnel0

S* 0.0.0.0/0 [1/0] via 1.1.1.2


Task 3 : Protect the tunnels between the hub and the spokes with an IPsec profile.

R1(config)#crypto isakmp enable

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2

R1(config-isakmp)#hash md5

For device authentication a pre-shared key is needed. The key netmetric is used on all devices with the wildcard peer address 0.0.0.0 0.0.0.0, because the spoke addresses are not fixed. Note that a wildcard key lets any peer that knows it authenticate to every router in the DMVPN; in production prefer certificate (RSA signature) authentication, or at least a distinct key per peer.

R1(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0

R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac

R1(cfg-crypto-trans)#exit

R1(config)#crypto ipsec profile demo-profile

R1(ipsec-profile)#set transform-set t-set-1

R1(config)#interface tunnel 0

R1(config-if)#tunnel protection ipsec profile demo-profile


Repeat the steps on the other devices.

R3(config)#crypto isakmp enable

R3(config)#crypto isakmp policy 10

R3(config-isakmp)#encryption 3des

R3(config-isakmp)#authentication pre-share

R3(config-isakmp)#group 2

R3(config-isakmp)#hash md5

R3(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0

R3(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac

R3(config)#crypto ipsec profile demo-profile

R3(ipsec-profile)#set transform-set t-set-1

R3(config)#interface tunnel 0

R3(config-if)#tunnel protection ipsec profile demo-profile

=====================================================================================

R4(config)#crypto isakmp enable

R4(config)#crypto isakmp policy 10

R4(config-isakmp)#encryption 3des

R4(config-isakmp)#authentication pre-share

R4(config-isakmp)#group 2

R4(config-isakmp)#hash md5

R4(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0

R4(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac

R4(config)#crypto ipsec profile demo-profile

R4(ipsec-profile)#set transform-set t-set-1

R4(config)#interface tunnel 0

R4(config-if)#tunnel protection ipsec profile demo-profile


Verification:

R4#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

2.2.2.3 3.3.3.3 QM_IDLE 1002 0 ACTIVE

1.1.1.1 3.3.3.3 QM_IDLE 1001 0 ACTIVE

R3#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

2.2.2.3 3.3.3.3 QM_IDLE 1002 0 ACTIVE

1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE

R1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE

1.1.1.1 3.3.3.3 QM_IDLE 1002 0 ACTIVE

R1#ping 33.33.33.33 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:

Packet sent with a source address of 11.11.11.11

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 228/236/244 ms

R3#ping 11.11.11.11 source 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:

Packet sent with a source address of 33.33.33.33

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 236/290/336 ms

R3#traceroute 11.11.11.11

Type escape sequence to abort.

Tracing the route to 11.11.11.11

1 6.6.6.1 360 msec * 140 msec


LAB - 9 Remote Access VPN Router as Server (Easy VPN)

When a user connects, an IP address is assigned to the client to make it part of the LAN.

Separate rules can be configured for each group of users using ISAKMP client configuration groups.

AAA must be used to authenticate the VPN users.

Only the VPN server carries the full VPN configuration; the client needs only the server address, the group name and key, and its user credentials.

The VPN server must have a static IP address so that it is reachable from anywhere on the Internet. Only the client can initiate the VPN, using the Cisco VPN Client application.


LAB Topology

In the above topology, router R1 acts as the VPN server and router R2 simulates the Internet, providing connectivity between the networks.

Loopback1 on router R1 represents the local LAN.

Interface Configuration on Devices

Device Interface Ip Address Subnet

R1 F0/0 1.1.1.1 255.0.0.0

R1 Loopback 11.11.11.11 255.0.0.0

R2 F0/0 1.1.1.2 255.0.0.0

R2 F0/1 2.2.2.1 255.0.0.0

R3 F0/0 2.2.2.2 255.0.0.0

R3 Loopback 33.33.33.33 255.0.0.0

PC NIC 2.2.2.3 255.0.0.0

*Configure a default route pointing towards Internet (i.e. Router R2) on all routers

Verification for routing

C:\>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=232ms TTL=45

Reply from 1.1.1.1: bytes=32 time=231ms TTL=45

Reply from 1.1.1.1: bytes=32 time=230ms TTL=45

Reply from 1.1.1.1: bytes=32 time=229ms TTL=45

Ping statistics for 1.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 229ms, Maximum = 232ms, Average = 230ms

R3#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms


Task 1 : Configure router R1 as an Easy VPN server. Create a group of users named "Sales" and secure their access to the 11.0.0.0/8 subnet.

Configure the basic ISAKMP policy for the key exchange

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encr 3des

R1(config-isakmp)# hash md5

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)# group 2

No global crypto isakmp key is needed here: the group pre-shared key is defined under the ISAKMP client configuration group below, and on top of that each user is authenticated with a username and password (XAUTH).

Define IPSec Transform Set

R1(config)#crypto ipsec transform-set t-set esp-3des esp-sha-hmac

Because users are authenticated with user accounts, AAA must be configured and bound to ISAKMP.

Enable AAA on the router and create a login authentication method list (for the users) and a network authorization method list (for the group attributes):

R1(config)#aaa new-model

R1(config)#aaa authentication login vpn-users local

R1(config)#aaa authorization network vpn-groups local

As the authentication method is local, create a user account in the local database:

R1(config)#username user1 password 0 cisco123

The traffic to be protected is defined in an access-list. Easy VPN pushes it to the client as the split-tunnel ACL, so only traffic to 11.0.0.0/8 enters the tunnel and the rest of the client's traffic leaves unencrypted:

R1(config)#access-list 109 permit ip 11.0.0.0 0.255.255.255 any

Define a pool of addresses from which the remote clients are allocated their VPN address:

R1(config)#ip local pool vpn 10.1.1.1 10.1.1.50


Create the client configuration group in which the attributes pushed to the clients are defined. The key is the group pre-shared key the clients present in IKE phase 1:

R1(config)#crypto isakmp client configuration group Sales

R1(config-isakmp-group)# key ciscoabc

R1(config-isakmp-group)# pool vpn

R1(config-isakmp-group)# acl 109

A static crypto map requires a peer address. Since the clients' addresses are not known in advance, use a dynamic crypto map, which works without a defined peer. The reverse-route option injects a host route for each connected client into the routing table.

R1(config)#crypto dynamic-map d-map 10

R1(config-crypto-map)#set transform-set t-set

R1(config-crypto-map)#reverse-route

A dynamic crypto map cannot be applied to an interface directly, so reference it from a static crypto map:

R1(config)#crypto map mymap 1 ipsec-isakmp dynamic d-map

Bind the AAA method lists and the client address assignment to the crypto map:

R1(config)#crypto map mymap client authentication list vpn-users

R1(config)#crypto map mymap isakmp authorization list vpn-groups

R1(config)#crypto map mymap client configuration address respond

Apply the map to interface connected to internet i.e FastEthernet 0/0

R1(config)#interface FastEthernet0/0

R1(config-if)# crypto map mymap


Task 2 : Configure the PC as a VPN client of router R1 and verify the assigned IP address and connectivity

Download and install the Cisco VPN Client software, select New, and enter the credentials required to authenticate: the server address 1.1.1.1, the group name Sales and the group password ciscoabc configured above.


Select the connection entry you created and connect to it.

As soon as the connection is initiated, the user authentication prompt appears.

After successful authentication the VPN is connected; its state can be verified on the Status tab under the Statistics option.


The IP address assigned to the client is 10.1.1.5.

To check which networks are secured (the split-tunnel ACL pushed by the server), select the Route Details tab.

R1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE


Task 3 : Configure router R3 as a VPN client of router R1 to secure the communication between the local LANs of R3 and R1 (their loopbacks), then verify the assigned IP address and connectivity

Define the Easy VPN client configuration on router R3 with the same group and user credentials:

R3(config)#crypto ipsec client ezvpn ez-remote

R3(config-crypto-ezvpn)# connect auto

R3(config-crypto-ezvpn)# group Sales key ciscoabc

R3(config-crypto-ezvpn)# mode client

R3(config-crypto-ezvpn)# peer 1.1.1.1

R3(config-crypto-ezvpn)# username user1 password cisco123

Apply the Easy VPN client configuration on both interfaces.

On the interface facing the local LAN (the one on which LAN traffic enters the router), apply it as inside:

R3(config)#interface Loopback0

R3(config-if)#crypto ipsec client ezvpn ez-remote inside

On the interface connected to the Internet, apply it as outside:

R3(config)#interface FastEthernet0/0

R3(config-if)#crypto ipsec client ezvpn ez-remote outside


Verification:

To Verify Assigned Address on Router

R3#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 2.2.2.2 YES manual up up

FastEthernet0/1 unassigned YES unset administratively down down

NVI0 unassigned NO unset up up

Loopback0 33.33.33.33 YES manual up up

Loopback1 10.1.1.3 YES manual up up

To Verify the Connectivity between Loopbacks

R3#ping 11.11.11.11 source 33.33.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:

Packet sent with a source address of 33.33.33.33

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 92/140/184 ms

Verification of VPN Establishment at Client Router

R3#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

1.1.1.1 2.2.2.2 QM_IDLE 1002 0 ACTIVE

Verification of VPN Establishment at Server Router

R1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE

1.1.1.1 2.2.2.2 QM_IDLE 1002 0 ACTIVE


R3#show crypto ipsec sa

interface: FastEthernet0/0

Crypto map tag: FastEthernet0/0-head-0, local addr 2.2.2.2

protected vrf: (none)

local ident (addr/mask/prot/port): (10.1.1.3/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer 1.1.1.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x47AC3BBD(1202469821)


LAB - 10 Remote Access VPN ASA as Server (Easy VPN)

LAB Topology

In the above topology, the ASA acts as the VPN server and router R2 simulates the Internet, providing connectivity between the networks.

Router R1 represents the local LAN.

Interface Configuration on Devices

Device Interface Ip Address Subnet

ASA G0 1.1.1.1 255.0.0.0

ASA G1 11.11.11.10 255.0.0.0

R1 F0/0 11.11.11.11 255.0.0.0

R2 F0/0 1.1.1.2 255.0.0.0

R2 F0/1 2.2.2.1 255.0.0.0

PC NIC 2.2.2.3 255.0.0.0

*Configure a default route pointing towards Internet (i.e. Router R2) on ASA as well as PC

Verification for routing

C:\>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=232ms TTL=45

Reply from 1.1.1.1: bytes=32 time=231ms TTL=45

Reply from 1.1.1.1: bytes=32 time=230ms TTL=45

Reply from 1.1.1.1: bytes=32 time=229ms TTL=45

Ping statistics for 1.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 229ms, Maximum = 232ms, Average = 230ms


Task 1 : Configure ASA as a Easy VPN server.

Enable IKEv1 on the outside interface and configure its policy

ciscoasa(config)#crypto ikev1 enable outside

ciscoasa(config)#crypto ikev1 policy 10

ciscoasa(config-ikev1-policy)# authentication pre-share

ciscoasa(config-ikev1-policy)# encryption 3des

ciscoasa(config-ikev1-policy)# hash sha

ciscoasa(config-ikev1-policy)# group 2

ciscoasa(config-ikev1-policy)# lifetime 36000

Define an IPSec Transform Set

ciscoasa(config)#crypto ipsec ikev1 transform-set t-set esp-3des esp-sha-hmac

Defining Pool of IP Address to be allocated to clients

ciscoasa(config)#ip local pool demo-pool 10.1.1.1-10.1.1.50

Creating User Account for VPN Access

ciscoasa(config)#username user1 password cisco123

Create a remote-access tunnel group named Ra-ASA and define its attributes. The tunnel-group name is the group name the VPN client must use, and the IKEv1 pre-shared key is the client's group password:

ciscoasa(config)#tunnel-group Ra-ASA type remote-access

ciscoasa(config)#tunnel-group Ra-ASA general-attributes

ciscoasa(config-tunnel-general)# address-pool demo-pool

ciscoasa(config)#tunnel-group Ra-ASA ipsec-attributes

ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123

Bind the transform set to a dynamic crypto map and reference it from a static crypto map


ciscoasa(config)#crypto dynamic-map d-map1 1 set ikev1 transform-set t-set

ciscoasa(config)#crypto dynamic-map d-map1 1 set reverse-route

ciscoasa(config)#crypto map mymap 1 ipsec-isakmp dynamic d-map1

Applying the Crypto Map over Interface

ciscoasa(config)#crypto map mymap interface outside
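The IKE and IPsec settings used in DMVPN Task 3, in the router Easy VPN lab (Task 1) and in this ASA lab share the same choices: 3DES, MD5 or SHA-1, Diffie-Hellman group 2, a wildcard pre-shared key on the DMVPN routers and type 0 local passwords. As an added example (not from the workbook), the following Python script audits a saved IOS or ASA configuration for exactly those settings. The two sample configurations are constructed from the commands shown in the labs; the script assumes show running-config formatting, with policy sub-commands indented by one space.

```python
"""Audit the IKEv1 and IPsec settings of a Cisco IOS or ASA configuration.

Added example: reads configuration text in 'show running-config' form (policy
sub-commands indented by one space) and reports the weak choices made in the
labs: DES/3DES, MD5 or SHA-1 integrity, DH groups below 2048 bits, a wildcard
pre-shared key, and type 0 / type 7 local passwords.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}            # 768-, 1024- and 1536-bit MODP
WEAK_ESP = {                                 # transform-set keywords
    "esp-des": "high",
    "esp-3des": "high",
    "esp-md5-hmac": "high",
    "esp-sha-hmac": "medium",                # HMAC-SHA-1; prefer esp-sha256-hmac
}
POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\S+)$")
WILDCARD_PSK_RE = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0(?: 0\.0\.0\.0)?$")
LOCAL_PASSWORD_RE = re.compile(r"^username \S+ password (?:(0|7) )?\S+$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    context: str    # "policy <n>" for policy sub-commands, else "global"
    line: str
    message: str


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per weak setting, in configuration order."""
    findings: list[Finding] = []
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):               # top-level statement
            m = POLICY_RE.match(line)
            context = f"policy {m.group(1)}" if m else "global"
        tokens = line.split()
        hits: list[tuple[str, str]] = []          # (severity, message)

        if context.startswith("policy"):
            keyword, value = tokens[0], tokens[-1]
            if keyword == "encryption" and value in WEAK_ENCRYPTION:
                hits.append(("high", f"{value} encryption; use aes 256"))
            elif keyword == "hash" and value == "md5":
                hits.append(("high", "MD5 hash; use sha256"))
            elif keyword == "hash" and value == "sha":
                hits.append(("medium", "SHA-1 hash; prefer sha256"))
            elif keyword == "group" and value in WEAK_DH_GROUPS:
                hits.append(("high", f"DH group {value} (below 2048 bits); use group 14 or higher"))
        elif WILDCARD_PSK_RE.match(line):
            hits.append(("high", "wildcard pre-shared key: any peer that knows the key can authenticate"))
        elif line.startswith("crypto ipsec") and "transform-set" in tokens:
            # keywords after the transform-set name, e.g. esp-3des esp-md5-hmac
            for keyword in tokens[tokens.index("transform-set") + 2:]:
                if keyword in WEAK_ESP:
                    hits.append((WEAK_ESP[keyword], f"{keyword} in transform set"))
        else:
            m = LOCAL_PASSWORD_RE.match(line)
            if m:
                kind = "type 7 (reversible)" if m.group(1) == "7" else "type 0 (plaintext)"
                hits.append(("medium", f"{kind} local password; use 'username ... secret'"))

        findings.extend(Finding(sev, context, line, msg) for sev, msg in hits)
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed samples, assembled from the configuration lines used in the labs.
SAMPLE_IOS_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
 hash md5
crypto isakmp key netmetric address 0.0.0.0 0.0.0.0
crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
username user1 password 0 cisco123
"""

SAMPLE_ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 36000
crypto ipsec ikev1 transform-set t-set esp-3des esp-sha-hmac
"""

if __name__ == "__main__":
    for name, cfg in (("IOS", SAMPLE_IOS_CONFIG), ("ASA", SAMPLE_ASA_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {summary(results)}")
        for f in results:
            print(f"  [{f.severity}] {f.context}: {f.line} -> {f.message}")
```

The replacements named in the messages (AES-256, SHA-256, DH group 14, esp-aes 256 with esp-sha256-hmac) are available on current IOS releases; on the ASA, SHA-256 integrity for IKE itself requires an IKEv2 policy, since the IKEv1 policy hash keyword only offers md5 and sha. The wildcard-key check only fires on the IOS form; the ASA keeps pre-shared keys under tunnel-group ipsec-attributes, where the DefaultL2LGroup plays the same role and deserves the same scrutiny.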


Task 2: Configure the PC as a VPN client of the ASA. In the Cisco VPN Client, the host is 1.1.1.1, the group name is the tunnel-group name Ra-ASA and the group password is the IKEv1 pre-shared key cisco123; the user is then prompted for user1's credentials.


Verification:

ciscoasa(config)# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 2.2.2.3

Type : user Role : responder

Rekey : no State : AM_ACTIVE

ciscoasa(config)# show crypto ipsec sa

interface: outside

Crypto map tag: d-map1, seq num: 1, local addr: 1.1.1.1

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)

current_peer: 2.2.2.3, username: user1

dynamic allocated peer ip: 10.1.1.1

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.3/0

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 27287AB7

current inbound spi : FBD9BDEF


Reverse Route Added in ASA routing table

ciscoasa(config)# show route

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

C 1.0.0.0 255.0.0.0 is directly connected, outside

S 10.1.1.1 255.255.255.255 [1/0] via 1.1.1.2, outside

C 11.0.0.0 255.0.0.0 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, outside

To view per-protocol statistics

ciscoasa# show crypto protocol statistics ikev1

[IKEv1 statistics]

Encrypt packet requests: 86

Encapsulate packet requests: 86

Decrypt packet requests: 140

Decapsulate packet requests: 140

HMAC calculation requests: 147

SA creation requests: 3

SA rekey requests: 0

SA deletion requests: 2

Next phase key allocation requests: 6

Random number generation requests: 95

Failed requests: 0

ciscoasa# show crypto protocol statistics ipsec

[IPsec statistics]

Encrypt packet requests: 4

Encapsulate packet requests: 4

Decrypt packet requests: 4

Decapsulate packet requests: 4

HMAC calculation requests: 4

SA creation requests: 6

SA rekey requests: 0

SA deletion requests: 4

Next phase key allocation requests: 0

Random number generation requests: 3

Failed requests: 0


LAB - 11 Client Less SSL VPN- Router as Server (CLI)

SSL runs over TCP port 443.

SSL was originally developed by Netscape and was later standardized by the IETF under the name TLS (Transport Layer Security).

It operates above the transport layer (layer 4) and protects application-layer (layer 7) traffic.

The gateway authenticates itself to the browser with a digital certificate; pre-shared-key authentication of the gateway is not supported. Users are authenticated separately, against the local database or an AAA server.

When the SSL VPN is established using only a web browser, with no other application required, it is called a clientless SSL VPN.

Only web-enabled services such as HTTP, FTP and e-mail are reachable through a clientless SSL VPN, because the gateway proxies them inside the browser session.

The VPN server must have a static IP address so that it is reachable from anywhere on the Internet. The VPN can only be initiated by the client, using a web browser.


LAB Topology

In the above topology, router R1 acts as the SSL VPN server, router R2 simulates the Internet between the networks, and the PC is the client with a browser.

Loopback1 on router R1 represents the local LAN.

Interface Configuration on Devices

Device Interface Ip Address Subnet

R1 F0/0 1.1.1.1 255.0.0.0

R1 Loopback 11.11.11.11 255.0.0.0

R2 F0/0 1.1.1.2 255.0.0.0

R2 F0/1 2.2.2.1 255.0.0.0

PC NIC 2.2.2.3 255.0.0.0

*Configure a default route pointing towards Internet (i.e. Router R2) on all routers

Verification for routing

C:\>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=232ms TTL=45

Reply from 1.1.1.1: bytes=32 time=231ms TTL=45

Reply from 1.1.1.1: bytes=32 time=230ms TTL=45

Reply from 1.1.1.1: bytes=32 time=229ms TTL=45

Ping statistics for 1.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 229ms, Maximum = 232ms, Average = 230ms


Task 1 : Configure router R1 as an SSL VPN server and enable the SSL service on IP address 1.1.1.1, port 443

The SSL VPN configuration is divided into two parts:

1. Configuring the gateway

2. Configuring the context

The gateway defines the interface address and port on which the SSL service listens. A newly created gateway is disabled by default and has to be enabled manually with "inservice".

Creating and Enabling SSL Gateway

R1(config)#webvpn gateway ssl_gw

R1(config-webvpn-gateway)# ip address 1.1.1.1 port 443

R1(config-webvpn-gateway)# inservice

The context defines the user policy and the environment of the SSL VPN.

Create a context, define the properties of its web page, and bind it to the gateway:

R1(config)#webvpn context ssl_ctx

R1(config-webvpn-context)# title "Netmetric-Infosolutions"

R1(config-webvpn-context)# title-color green

R1(config-webvpn-context)# gateway ssl_gw

R1(config-webvpn-context)# inservice

Create a user account for SSL access. Authentication is mandatory and by default uses the local database:

R1(config)#username user1 password cisco123


Verification:

Open a browser and enter the URL https://1.1.1.1 (the gateway listens only on port 443).

The gateway presents a self-signed certificate rather than one issued by a certificate authority, so the browser warns that it cannot verify the server. In the lab, proceed anyway. In production, install a certificate from a CA that the clients trust: the same warning is what a man-in-the-middle would produce, and users trained to click through it cannot tell the difference.


Enter the user credentials when prompted, then log in.

Once authenticated, the default SSL VPN portal page appears, where the desired URL on the local LAN can be entered.


Task 2 : Modify the existing SSL VPN configuration to give users a login banner and a bookmark list on the SSL VPN web page, easing access to local services.

A URL list is defined under the context configuration:

R1(config)#webvpn context ssl_ctx

R1(config-webvpn-context)#url-list "Servers"

R1(config-webvpn-url)#Heading "Business Servers"

R1(config-webvpn-url)#url-text Server1 url-value http://11.11.11.11

R1(config-webvpn-url)#url-text Server2 url-value http://17.14.12.34

R1(config-webvpn-url)#exit

The new URL list is applied to users by associating it with a group policy. The banner is also defined in the policy:

R1(config-webvpn-context)#policy group demo_ssl

R1(config-webvpn-group)#url-list "Servers"

R1(config-webvpn-group)#banner "Welcome to Netmetric Solutions"

R1(config-webvpn-group)#exit

Make the new policy the default group policy so that it applies to all users:

R1(config-webvpn-context)#default-group-policy demo_ssl


Banner message will be displayed as login succeeds

URL List which is defined under policy is on web page after Login


Task 3 : Assume a TACACS+ server at address 11.11.11.49. Configure the SSL VPN server to authenticate users against that TACACS+ server.

Enable AAA and define the address and shared key of the TACACS+ server

R1(config)#aaa new-model

R1(config)#tacacs-server host 11.11.11.49 key ciscot

Define a new login authentication method list that uses the TACACS+ server group. With only that method in the list, users cannot log in while the server is unreachable; adding local as a second method provides a fallback.

R1(config)#aaa authentication login ssl-auth group tacacs+

Reference the authentication method list in the WebVPN context

R1(config)#webvpn context ssl_ctx

R1(config-webvpn-context)#aaa authentication list ssl-auth


LAB - 12 Client Less SSL VPN- Router as Server (GUI)

LAB Topology

In the above topology, router R1 acts as the SSL VPN server, router R2 simulates the Internet between the networks, and the PC is the client with a browser.

Loopback1 on router R1 represents the local LAN.

Interface Configuration on Devices

Device Interface Ip Address Subnet

R1 F0/0 1.1.1.1 255.0.0.0

R1 Loopback 11.11.11.11 255.0.0.0

R2 F0/0 1.1.1.2 255.0.0.0

R2 F0/1 2.2.2.1 255.0.0.0

PC NIC 2.2.2.3 255.0.0.0

*Configure a default route pointing towards Internet (i.e. Router R2) on all routers

Verification for routing

C:\>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=232ms TTL=45

Reply from 1.1.1.1: bytes=32 time=231ms TTL=45

Reply from 1.1.1.1: bytes=32 time=230ms TTL=45

Reply from 1.1.1.1: bytes=32 time=229ms TTL=45

Ping statistics for 1.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 229ms, Maximum = 232ms, Average = 230ms


Task 1 : Configure router R1 as an SSL VPN server and enable the SSL service on IP address 1.1.1.1, port 443, using Cisco Configuration Professional

Configure the prerequisites before getting started with the SSL VPN:

Select Configure, then SSL VPN Manager, then follow steps 1 and 2 shown in the screenshot.


Enable AAA and generate a self-signed certificate


After the prerequisites are complete, start the WebVPN wizard


Enabling secure SDM access is optional; it is only required if you plan to manage the router with SDM through the same interface later.


Select the authentication method for users from the options offered. Select Add if more users are required.


The next step configures the bookmark list (URL list) for users


As this is a clientless SSL VPN, full tunnel support is not needed, so deselect that option.


Select the web page design from the drop-down list of themes.

When you click Finish, the SSL VPN configuration is complete.


Verification:


Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA

LAB - 13 Clientless SSL VPN ASA as Server (WebVPN)

LAB Topology

In the above topology the ASA acts as the SSL VPN server and router R2 represents the Internet, providing connectivity between the networks.

Router R1 represents the local LAN.

Interface Configuration on Devices

Device   Interface   IP Address     Subnet Mask
ASA      G0          1.1.1.1        255.0.0.0
ASA      G1          11.11.11.10    255.0.0.0
R1       F0/0        11.11.11.11    255.0.0.0
R2       F0/0        1.1.1.2        255.0.0.0
R2       F0/1        2.2.2.1        255.0.0.0
PC       NIC         2.2.2.3        255.0.0.0

*Configure a default route pointing towards the Internet (i.e. router R2) on the ASA as well as on the PC.

Verification of routing:

C:\>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=232ms TTL=45

Reply from 1.1.1.1: bytes=32 time=231ms TTL=45

Reply from 1.1.1.1: bytes=32 time=230ms TTL=45

Reply from 1.1.1.1: bytes=32 time=229ms TTL=45

Ping statistics for 1.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 229ms, Maximum = 232ms, Average = 230ms


Task 1: Configure the ASA as an SSL VPN server.

Get started with ASDM.

Go to Wizards > VPN Wizards > Clientless SSL VPN Wizard.

A simple six-step wizard helps you configure an SSL VPN.


Define the connection profile name and select the interface on which SSL services are to be initiated.

Select the user authentication method and modify the user account database.


Either create a new group policy or modify the default policy.

The bookmark list visible to users can be modified here; any bookmark created here is available after the user logs in successfully.


Add a bookmark list named Local_servers and add bookmarks named Server1 and Server2.


Conclude the VPN configuration by clicking Finish.


Verification:

Log in to the ASA using the URL defined in the SSL profile, https://1.1.1.1/vpn

The browser issues a warning because the ASA's digital certificate is not trusted by the browser.


Log in using the user credentials.

The basic SSL VPN portal page of the ASA is shown with the web bookmark list.

Select Server1 to go to that address.


Monitoring the SSL VPN

Select Monitoring > VPN > VPN Statistics > Sessions.

A filter can be set to view only clientless SSL VPN sessions.


Double-click a session to get a full view of the session details.


Netmetric CCNP Security Workbook 2.0 Cisco IOS Classic Firewall

LAB 1 Classic IOS Firewall (CBAC)

Interface Configuration

Configure RIP on all devices and advertise all connected networks to provide reachability.

Device    Interface          IP Address
Outside   FastEthernet 0/0   2.2.2.2
DMZ       FastEthernet 0/0   3.3.3.3
CBAC-FW   FastEthernet 0/0   1.1.1.1 (connected to PC)
CBAC-FW   FastEthernet 0/1   2.2.2.1 (connected to Outside)
CBAC-FW   FastEthernet 1/0   3.3.3.1 (connected to DMZ)
PC        NIC                1.1.1.2

When you work with ACLs you filter traffic on the basis of names (i.e. IP addresses) or services, and an ACL cannot be made intelligent enough to distinguish the originator of traffic from the reply traffic. To enhance packet filtering, Context-Based Access Control (CBAC) was introduced; it intelligently filters TCP and UDP packets based on application-layer protocol session information. With CBAC we no longer work with IP addresses; instead we allow or deny services from inside to outside or vice versa. CBAC also maintains a state table in which it records the traffic leaving an interface and, based on that record, allows the corresponding incoming reply traffic.


Steps to configure:

Use any routing protocol to make the networks reachable; we are using RIP in this case.

Block all inbound traffic towards the private (inside) network.

Allow traffic from the outside only to the DMZ network.

Create an inspection rule for the interesting traffic of each interface.

Apply the inspection rule on the respective interfaces.

With a simple deny statement in an access list we deny all traffic to the inside network from the other networks:

CBAC-FW(config)#access-list 101 deny ip any any

CBAC-FW(config)#int f 0/0

CBAC-FW(config-if)#ip access-group 101 OUT

Now that all traffic from the other networks to the inside network is blocked, even the reply traffic for queries originated from the inside network is blocked.

To allow that reply traffic we create an inspection rule listing the protocols and services to be inspected; CBAC then maintains a state table for them:

CBAC-FW(config)#ip inspect name my-cbac tcp

CBAC-FW(config)#ip inspect name my-cbac icmp

CBAC-FW(config)#ip inspect name my-cbac udp

With the above commands the router starts maintaining a state table for TCP, UDP and ICMP. Now we apply this inspection rule on the interface connected to the outside:

CBAC-FW(config)#int f 0/1

CBAC-FW(config-if)#ip inspect my-cbac out

Now we do not want the DMZ to communicate with any network:

CBAC-FW(config)#access-list 102 deny ip any any

CBAC-FW(config)#interface FastEthernet1/0

CBAC-FW(config-if)#ip access-group 102 in

But we want the outside network to be able to communicate with the DMZ, so we create a separate inspection rule for that traffic.

Task 1:

We want to make sure that an insider can access the outside network as well as the DMZ,

an outsider cannot access the inside network but can access the DMZ network,

and the DMZ cannot access any other network, inside or outside.


CBAC-FW(config)#ip inspect name cbac-dmz http

CBAC-FW(config)#ip inspect name cbac-dmz telnet

CBAC-FW(config)#ip inspect name cbac-dmz icmp

Apply that inspection rule in the outbound direction on the interface to which the DMZ is connected:

CBAC-FW(config)#interface FastEthernet1/0

CBAC-FW(config-if)#ip inspect cbac-dmz out


From the outside, allow only the specific traffic meant for the DMZ network and block all other traffic:

CBAC-FW(config)#access-list 103 permit ip any host 3.3.3.3

CBAC-FW(config)#access-list 103 deny ip any any

CBAC-FW(config)#interface FastEthernet0/1

CBAC-FW(config-if)#ip access-group 103 in

Traffic generated from the inside is allowed out to the outside network and the reply is allowed back in.

From the outside the connection to the inside is not successful, but the connection to the DMZ is successful:

Outside>ping 1.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

Outside>ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/112 ms


Netmetric CCNP Security Workbook 2.0 Zone Based Firewall

Lab 2 Zone Based Policy IOS Firewall

Using CBAC we managed to maintain a state table in our router and even configured the router to work as a firewall. But soon after working with CBAC, network administrators realised it has a few shortcomings. Mainly, CBAC cannot filter applications for specific users (you cannot configure an inspection rule for a set of users; rules apply to all users), and as the number of interfaces grows, the complexity of implementing CBAC grows with it. To address these shortcomings a new method of implementing a firewall was introduced, the Zone-Based Firewall: here we configure ACLs to catch the interesting traffic, configure a group of interfaces as a single zone, and then apply the rules to the zones.

Steps to configure:

Use any routing protocol to make the networks reachable; we are using RIP in this case.

Create security zones and associate interfaces with the zones.

Create a class map of type inspect to define the interesting traffic.

Create a policy map of type inspect to define the action on the interesting traffic.

Create zone pairs to define the source and destination of the traffic.

Interface Configuration

Device    Interface          IP Address
Outside   FastEthernet 0/0   2.2.2.2
DMZ       FastEthernet 0/0   3.3.3.3
ZBF       FastEthernet 0/0   1.1.1.1 (connected to PC)
ZBF       FastEthernet 0/1   2.2.2.1 (connected to Outside)
ZBF       FastEthernet 1/0   3.3.3.1 (connected to DMZ)
PC        NIC                1.1.1.2

We are implementing the same typical DMZ network setup as in the previous lab.


First of all we configure RIP on all devices to advertise all networks and make all three networks reachable from everywhere.

Check reachability from each device to every other device, then proceed with the configuration.

Unlike CBAC, where the rules are implemented per interface, here the rules are implemented on groups of interfaces called zones. As per our requirement we create three zones named DMZ, OUTSIDE and INSIDE:

ZBF(config)#zone security INSIDE

ZBF(config-sec-zone)#exit

ZBF(config)#zone security OUTSIDE

ZBF(config-sec-zone)#exit

ZBF(config)#zone security DMZ

ZBF(config-sec-zone)#exit

Creating the security zones alone does not change the behaviour of the device; next we associate the zones with interfaces:

ZBF(config)#int f 0/0

ZBF(config-if)#zone-member security INSIDE

ZBF(config)#int f 0/1

ZBF(config-if)#zone-member security OUTSIDE

ZBF(config-if)#int f 1/0

ZBF(config-if)#zone-member security DMZ

Remember that as soon as the zones are associated with interfaces, communication between zones is blocked: no two interfaces belonging to different zones can communicate, and an unzoned interface (one not associated with any zone) cannot communicate with a zoned interface. Two interfaces that belong to the same zone, and two unzoned interfaces, can still communicate with each other.

Now we need to create a class map of type inspect to identify the interesting traffic. Before defining the interesting traffic in the class map we create an access list that defines the source and destination of the traffic to be inspected; we also define the protocol we want to inspect:

ZBF(config)#access-list 101 permit ip any any

ZBF(config)#class-map type inspect c-map-1

ZBF(config-cmap)#match access-group 101

ZBF(config-cmap)#match protocol icmp


After defining the traffic in the class map it is time to define the action on the interesting traffic. For that we create a policy map of type inspect, call the class of interesting traffic, and define the desired action within that class. As per our requirement we need the traffic to be inspected, so we define inspect as the action:

ZBF(config)#policy-map type inspect p-map-1

ZBF(config-pmap)#class c-map-1

ZBF(config-pmap-c)#inspect

Now the only remaining task is to apply that policy map and to define the source and destination of our traffic; this is done by configuring zone pairs:

ZBF(config)#zone-pair security allow-in-out source INSIDE destination OUTSIDE

ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1

ZBF(config-sec-zone-pair)#exit

With this, our insiders can access the outside network, but outsiders cannot access the inside, as we defined the source to be INSIDE and the destination to be OUTSIDE. Remember that a zone pair works in one direction only.

As we want insiders to access the DMZ as well, and outsiders to access the DMZ too, we need to create two more zone pairs with the respective sources and destinations:

ZBF(config)#zone-pair security allow-in-dmz source INSIDE destination DMZ

ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1

ZBF(config-sec-zone-pair)#exit

ZBF(config)#zone-pair security allow-out-dmz source OUTSIDE destination DMZ

ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1

ZBF(config-sec-zone-pair)#exit
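The two mechanisms these labs rely on, the CBAC state table that admits reply traffic and the unidirectional zone pairs configured here, can be modelled in a few lines. The Python below is an added example, not IOS configuration or workbook material; it assumes the lab's addressing (1.0.0.0/8 INSIDE, 2.0.0.0/8 OUTSIDE, 3.0.0.0/8 DMZ) and simplifies a session to a 5-tuple plus a reply flag.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Lab addressing: f0/0 INSIDE 1.0.0.0/8, f0/1 OUTSIDE 2.0.0.0/8, f1/0 DMZ 3.0.0.0/8
ZONE_OF_NETWORK = {
    ip_network("1.0.0.0/8"): "INSIDE",
    ip_network("2.0.0.0/8"): "OUTSIDE",
    ip_network("3.0.0.0/8"): "DMZ",
}

# The three unidirectional zone pairs of the ZBF lab, all using policy-map
# p-map-1 whose only class action is 'inspect'.
LAB_ZONE_PAIRS = {
    ("INSIDE", "OUTSIDE"): "inspect",   # zone-pair allow-in-out
    ("INSIDE", "DMZ"): "inspect",       # zone-pair allow-in-dmz
    ("OUTSIDE", "DMZ"): "inspect",      # zone-pair allow-out-dmz
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    reply: bool = False  # TCP/UDP response or ICMP echo-reply (constructed simplification)


class ZoneFirewall:
    """Zone pairs decide new sessions; a state table decides their replies."""

    def __init__(self, zone_pairs, inspected):
        self.zone_pairs = zone_pairs
        self.inspected = set(inspected)  # protocols matched by the inspect class
        self.state = set()               # 5-tuples of sessions inspected so far

    @staticmethod
    def zone_of(ip):
        addr = ip_address(ip)
        for net, zone in ZONE_OF_NETWORK.items():
            if addr in net:
                return zone
        return None  # address behind an unzoned interface

    def filter(self, p):
        if p.reply:
            # Return traffic passes only if its forward session was inspected:
            # the dynamic opening CBAC and ZBF create for reply traffic.
            if (p.dst, p.src, p.proto, p.dport, p.sport) in self.state:
                return "permit (state table)"
            return "drop (no matching session)"

        src_zone, dst_zone = self.zone_of(p.src), self.zone_of(p.dst)
        if src_zone == dst_zone:
            return "permit (intra-zone)"   # same zone, or both unzoned
        if src_zone is None or dst_zone is None:
            return "drop (zoned to unzoned)"

        action = self.zone_pairs.get((src_zone, dst_zone))
        if action == "inspect":
            if p.proto in self.inspected:
                self.state.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return "permit (inspect)"
            return "drop (class-default)"  # not matched by the inspect class
        if action == "pass":
            return "permit (pass)"
        return "drop (no zone pair)"       # no zone pair in this direction


def lab_verification(inspected=("icmp",)):
    """Replay the pings of the lab's verification in order and return the verdicts.
    The ZBF class map matches ICMP only; pass ("tcp", "udp", "icmp") to model
    the CBAC rule my-cbac instead."""
    fw = ZoneFirewall(LAB_ZONE_PAIRS, inspected)

    def echo(src, dst, reply=False):
        return Packet(src, dst, "icmp", reply=reply)

    return {
        "outside->inside": fw.filter(echo("2.2.2.2", "1.1.1.2")),
        "outside->dmz": fw.filter(echo("2.2.2.2", "3.3.3.3")),
        "dmz->outside reply": fw.filter(echo("3.3.3.3", "2.2.2.2", reply=True)),
        "dmz->inside": fw.filter(echo("3.3.3.3", "1.1.1.2")),
        "dmz->outside new": fw.filter(echo("3.3.3.3", "2.2.2.2")),
        "inside->outside": fw.filter(echo("1.1.1.2", "2.2.2.2")),
        "inside->dmz": fw.filter(echo("1.1.1.2", "3.3.3.3")),
        "outside->inside reply": fw.filter(echo("2.2.2.2", "1.1.1.2", reply=True)),
    }


if __name__ == "__main__":
    for flow, verdict in lab_verification().items():
        print(f"{flow:22} {verdict}")
```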


Verification

Beginning from the outside, we ping the inside and the DMZ:

OUTSIDE>ping 1.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

OUTSIDE>ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/80 ms

We can observe from the above that, as per our requirement, an outsider can reach the DMZ but cannot reach the INSIDE network. Now let's make a connection from the DMZ:

DMZ#ping 1.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

DMZ#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

The DMZ is not allowed to reach either the INSIDE or the OUTSIDE network.


But an insider can reach both of the other networks, DMZ and OUTSIDE.

With this we have achieved the desired network security.


Netmetric CCNP Security Workbook 2.0 Basic Sensor Initialization

LAB 1 Basic Sensor Initialization

An Intrusion Prevention System has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources.

An intrusion prevention/detection system is an advanced filtering device dedicated to inspecting network traffic up to layer 7; it can filter not only on the basis of content but also on the structure of the packet.

The most common method of filtering traffic on a sensor is signatures, where a signature is a predefined pattern or structure of malicious traffic.

A sensor is a layer 2 device, mostly placed behind the firewall, configured to filter malicious traffic in the inbound and outbound directions of the network.

Basic configuration of the sensor is done through the command-line interface over the console port, to initialize the sensor and its services.


Task 1: Initialize the sensor and configure the basic services and interface settings with the following values.

Host name          NMSIPS
IP address         10.1.1.10
Subnet mask        255.0.0.0
Default gateway    10.1.1.1
HTTPS port         443
Telnet             Enabled
Permitted host     10.0.0.0 255.0.0.0

Step 1

Connect the IPS console port to the COM port of the computer using a console cable to access the CLI of the device.

Step 2

Open a terminal emulator application such as HyperTerminal or PuTTY.


Step 3: Log in to the sensor using the user credentials.

Sensor login: Cisco
Password: ***********
sensor#

Step 4: Once the sensor has initialized, issue the setup command to make the basic configuration and follow the sensor's interactive dialog:

sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
network-settings
host-ip 192.168.1.10/24,192.168.1.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit

Setup Configuration last modified: Sat Nov 24 09:37:20 2012

Continue with configuration dialog?[yes]: Yes

When the setup command executes, the current configuration of the device is displayed and a prompt to modify it appears; type yes to make changes as desired.


Enter host name [sensor]: NMSIPS
Enter IP interface []: 10.1.1.10/24,10.1.1.1
Enter telnet-server status [disabled]: enabled
Enter web-server port [443]: <Enter>
Modify current access list? [no]: yes
Current access list entries:
No entries
Permit: 10.0.0.0/8
Permit:
Modify system clock settings? [no]: no
Modify interface/virtual sensor configuration? [no]: no
Modify default threat prevention settings? [no]: no

The following configuration was entered.

service host
network-settings
host-ip 10.1.1.10/24,10.1.1.1
host-name nms
telnet-option enabled
access-list 10.0.0.0/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit

The callouts on the dialog mark the host name, the IP address of the sensor, the port number on which the GUI is to be served, and the access list, which defines the hosts permitted to access the sensor remotely.


[0] Go to the command prompt without saving this config
[1] Return to setup without saving this config
[2] Save this configuration and exit setup
Enter your selection [2]: 2

Select the second option to save the basic configuration and end the setup utility; the other options can be chosen as required.

-----Configuration saved---------------


Task 2: Initiate web access to the sensor through a web browser.

Step 1: Connect the computer to the sensor via Ethernet and assign the computer an IP address in the same subnet as the sensor.

C:\>ipconfig

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Link-local IPv6 Address . . . . . : fe80::79b9:ae4b:fc78:88fd%16

IPv4 Address. . . . . . . . . . . . : 10.1.1.2

Subnet Mask . . . . . . . . . . . : 255.0.0.0

Default Gateway . . . . . . . . : 10.1.1.1

Step 2: Start a browser (Internet Explorer/Firefox), go to the URL https://<ip address of sensor>, here https://10.1.1.10, accept the security warning, then type the username and password of your sensor when prompted.


After successful login you should see the sensor dashboard.


Netmetric CCNP Security Workbook 2.0 IDS-Promiscuous mode of Sensor

LAB 2 Promiscuous Mode - IDS

An Intrusion Detection System has the capability only to detect misuse and abuse of, and unauthorized access to, network resources.

An intrusion detection system is always placed offline, in promiscuous mode, where the device has no capability to drop traffic; instead it informs the administrator about the misuse and the administrator takes action. As an IDS is not an inline device, it adds no latency to the network.

In promiscuous mode the sensor is not placed in the transit path of the network; rather it is connected to a switch and a copy of the traffic is sent to the sensor.

LAB Topology

Interface Configuration

R1 => FastEthernet 10.1.1.1
R2 => FastEthernet 10.1.1.2


Task 1: Configure the sensor in promiscuous mode to work as an Intrusion Detection System.

A promiscuous-mode device needs a copy of the traffic, so the switch in the network is used to monitor the traffic and send a copy of the packets from one port to another.

Step 1: Enable SPAN on the switch interfaces:

SW1(config)#monitor session 1 source interface fa0/1

SW1(config)#monitor session 1 destination interface fa0/23

Step 2: On the IDS sensor

Go to Configure → Interfaces, select the interface to which the switch is connected (e.g. FastEthernet 2/0), click Enable, then Apply.



Go to Configure → Analysis Engine → Virtual Sensor, then click "vs0" and Edit. Highlight the FastEthernet 2/0 interface in the list and click Assign. Then click OK and apply the changes to the sensor.



Verification:

Switch#sh monitor session 1

Session 1

---------

Source Ports:

RX Only: None

TX Only: None

Both: Fa0/1

Source VLANs:

RX Only: None

TX Only: None

Both: None

Destination Ports: Fa0/23

Filter VLANs: None



To test it, let's simulate an attack: ping from your PC to router R1.

C:\>ping 10.1.1.1

Pinging 10.1.1.1 with 32 bytes of data:

Reply from 10.1.1.1: bytes=32 time=1ms TTL=64

Reply from 10.1.1.1: bytes=32 time=1ms TTL=64

Reply from 10.1.1.1: bytes=32 time=1ms TTL=64

Reply from 10.1.1.1: bytes=32 time=1ms TTL=64

Ping statistics for 10.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 1ms, Average = 1ms

Go to Monitoring → Events, check the Show past events radio button, select 1 minute, then click View.


See the signature logs in the Event Viewer; to fetch the logs click Refresh.

Highlight an event log entry and click Details to see more details. The picture shows the event details output.



The event details identify the attacker IP (the student PC) and the target IP (the router).


Netmetric CCNP Security Workbook 2.0 IPS-Inline mode of Sensor

LAB 3 Inline Mode - IPS

An Intrusion Prevention System has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources.

An intrusion prevention system is always placed inline, in the transit path of the network, so that all data traffic passes through the sensor; it therefore has the capability to drop traffic and also informs the administrator about the misuse.

Because an IPS is an inline device, it adds some latency to the network for traffic filtering.

In promiscuous mode, by contrast, the sensor is not placed in the transit path of the network; rather it is connected to a switch and a copy of the traffic is sent to the sensor.

LAB Topology

Interface Configuration

R1 => FastEthernet 10.1.1.1
R2 => FastEthernet 10.1.1.2

Connect FastEthernet 2/0 and FastEthernet 2/1 of the sensor to routers R1 and R2 respectively.


Task 1: Configure the sensor in inline mode to work as an Intrusion Prevention System.

Step 1: Enable the interfaces of the sensor.

Go to Configuration → Interfaces, select FastEthernet 2/0 and FastEthernet 2/1, click Enable, then Apply to the sensor.


Step 2: Define an interface pair.

Go to Configuration → Interface Configuration → Interface Pairs → Add. Enter a name for the interface pair, select the fa2/0 and fa2/1 interfaces in the list, add a description, click OK and then Apply to the sensor.



Step 3: Associate the interface pair with the analysis engine.

Go to Configuration → Analysis Engine → Virtual Sensors, select vs0 and click Edit. Select the newly created interface pair (pair-1) in the list and click Assign. Then click OK and apply the changes to the sensor.



Verification:


Netmetric CCNP Security Workbook 2.0 IPS-Inline VLAN mode of Sensor

LAB 4 Inline VLAN Mode - IPS

Inline interface mode requires two dedicated sensor interfaces for monitoring traffic. If only a single interface is available and inline filtering is still needed, we can divide the network into VLANs and filter the traffic on a per-VLAN basis.

Inline VLAN mode divides the network into two VLANs and forces the traffic to pass through the IPS by pairing the two VLANs on a single interface; the IPS here acts as an inter-VLAN router.

Interface Configuration

R1 => FastEthernet 10.1.1.1
R2 => FastEthernet 10.1.1.2
Switch => FastEthernet 0/1, VLAN 10
Switch => FastEthernet 0/2, VLAN 20

Connect R1 F0/1 to SW F0/1 and R2 F0/1 to SW F0/2.


Task 1: Configure the sensor in inline VLAN mode to work as an Intrusion Prevention System.

Step 1: Configure VLANs on the switch:

Switch(config)#vlan 10

Switch(config-vlan)#exit

Switch(config)#vlan 20

Switch(config-vlan)#exit

Step 2: Associate the VLANs with the respective interfaces:

Switch(config)#interface range fa0/1

Switch(config-if-range)#switchport mode access

Switch(config-if-range)#switchport access vlan 10

Switch(config)#interface range fa0/2

Switch(config-if-range)#switchport mode access

Switch(config-if-range)#switchport access vlan 20

Step 3: Enable the interface on the sensor.

Go to Configuration → Interface Configuration → Interfaces, select FastEthernet 2/0, click Enable and apply the changes to the sensor.



Step 4: Create a VLAN pair.

Go to Configuration → Interface Configuration → VLAN Pairs, then click Add.



Step 5: Associate the VLAN pair with the analysis engine.

Go to Configuration → Analysis Engine → Virtual Sensors, select "vs0" (virtual sensor 0) in the list and click Edit. Highlight the FastEthernet 2/0.1 interface in the list and click Assign. Then click OK and apply the changes to the sensor.



Netmetric CCNP Security Workbook 2.0 IPS- Modification of Signatures

Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com

LAB 5 Signature Tuning

Task 1: Change the status of signatures by enabling or disabling them, and define the action to be taken as desired.

A signature that comes from Cisco and is used as-is is known as a default signature; if the parameters of a default signature are tuned as per requirement, the signature is termed a tuned signature.



Task 2: The network security administrator discovers signature 6250, the FTP Authorization Failure signature.

After examining the parameters of signature 6250, the administrator decides to tune the signature as follows: change the severity level from informational to high, and add the Deny Connection Inline action to the default action of Produce Alert.

Page 217: CCNP security

Abbad Ur Rahman TalhaN

etm

etric

So

luti

ons

Netmetric CCNP Security Workbook 2.0 IPS- Modification of Signatures

Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com

Page 218: CCNP security

Abbad Ur Rahman Talha
Netmetric Solutions

Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures

Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com

LAB 6 Custom Signature

Task 1: Create a custom signature that is triggered by SYN packets destined for port 23. The administrator decides to use the ATOMIC IP engine for the following reasons:

Atomic signatures can trigger on the contents of a single packet.

The ATOMIC IP engine allows you to select a Layer 4 protocol.

You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.

You can use the Destination Port Range parameter to specify the destination port of interest.

A signature created by the administrator to match user-defined traffic and apply an action to it is termed a Custom Signature. Signature IDs 1 to 59999 are reserved for default signatures, and IDs 60000 to 65535 are open for custom signatures.
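As an added illustration that is not part of the workbook, the following Python models how the Task 1 ATOMIC IP parameters evaluate a single packet: TCP Mask selects which flag bits are examined and TCP Flags gives the values they must have, so a mask covering SYN and ACK matches a bare SYN but not a SYN/ACK reply. The packets are constructed inline, and the parameter names are the workbook's, not Cisco's code.

```python
import struct

# Task 1 signature parameters, modelled here (constructed example, not Cisco code).
# The engine compares only the flag bits selected by TCP Mask against TCP Flags.
TCP_FLAGS = 0x02           # SYN must be set
TCP_MASK = 0x12            # examine SYN and ACK, so a SYN/ACK reply does not match
DST_PORT_RANGE = (23, 23)  # Destination Port Range: Telnet only
L4_PROTOCOL_TCP = 6        # Layer 4 protocol selected in the ATOMIC IP engine

def matches_syn_to_telnet(packet: bytes) -> bool:
    """True if a raw IPv4 packet is a TCP segment meeting the signature's conditions."""
    if len(packet) < 20:
        return False
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != L4_PROTOCOL_TCP:
        return False
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:ihl + 14]
    if len(tcp) < 14:
        return False
    _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp)
    flags = off_flags & 0x01FF  # low 9 bits hold NS..FIN
    if (flags & TCP_MASK) != TCP_FLAGS:
        return False
    return DST_PORT_RANGE[0] <= dport <= DST_PORT_RANGE[1]

def build_packet(dst_port: int, flags: int) -> bytes:
    """Constructed IPv4/TCP header pair with no options (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, L4_PROTOCOL_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, dst_port, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for port, flags, label in [(23, 0x02, "SYN to 23"), (23, 0x12, "SYN/ACK to 23"),
                               (80, 0x02, "SYN to 80")]:
        print(label, matches_syn_to_telnet(build_packet(port, flags)))
```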


Task 2: Create a signature that can detect and drop traffic containing the word “confidential.” The administrator wants the signature to fire if the traffic is directed to the following ports: FTP: 20 and 21, Telnet: 23, SMTP: 25, HTTP: 80, POP3: 110.

The administrator wants to configure the signature to send alerts to the Event Store as follows:

Send an alert to the Event Store every time the signature fires.

The alert should fire when a single victim triggers 3 events in a 60-second period.

If the alert rate exceeds 20 alerts in 30 seconds, dynamically change the response as follows:

Send a summary alert for firings of the signature on the same victim address during the interval.

If the alert rate exceeds 25 in the 30-second interval, send a global summary alert, which counts the number of times the signature fires for all attacker and victim IP addresses and ports.
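As an added example that is not part of the workbook, this Python model walks through the alerting rules of Task 2: the per-victim event count over the 60-second interval, the switch to per-victim summary alerts once the 30-second alert rate passes 20, and the switch to a single global summary once it passes 25. The class, the port set and the simulated burst are constructed here and do not represent Cisco's event engine.

```python
from collections import defaultdict, deque

# Task 2 values, modelled here (constructed example, not Cisco's event engine).
PORTS = {20, 21, 23, 25, 80, 110}
EVENT_COUNT, ALERT_INTERVAL = 3, 60            # 3 events from one victim within 60 s -> one alert
SUMMARY_THRESHOLD, SUMMARY_INTERVAL = 20, 30   # more than 20 alerts in 30 s -> per-victim summary
GLOBAL_SUMMARY_THRESHOLD = 25                  # more than 25 alerts in 30 s -> one global summary

class ConfidentialSignature:
    def __init__(self):
        self.events = defaultdict(deque)  # victim -> times of matching packets not yet alerted
        self.alerts = deque()             # times of alerts in the current summary interval

    @staticmethod
    def _prune(times, now, window):
        while times and now - times[0] > window:
            times.popleft()

    def packet(self, now, victim, dst_port, payload):
        """Return 'alert', 'summary:<victim>', 'global-summary' or None for one packet."""
        if dst_port not in PORTS or b"confidential" not in payload.lower():
            return None
        ev = self.events[victim]
        self._prune(ev, now, ALERT_INTERVAL)
        ev.append(now)
        if len(ev) < EVENT_COUNT:
            return None
        ev.clear()  # the per-victim count restarts after the signature fires
        self._prune(self.alerts, now, SUMMARY_INTERVAL)
        self.alerts.append(now)
        rate = len(self.alerts)
        if rate > GLOBAL_SUMMARY_THRESHOLD:
            return "global-summary"
        if rate > SUMMARY_THRESHOLD:
            return f"summary:{victim}"
        return "alert"

def simulate_burst(n_victims, start=0):
    """Constructed burst: n_victims hosts each receive 3 matching SMTP packets at time `start`."""
    sig = ConfidentialSignature()
    results = []
    for i in range(n_victims):
        for _ in range(EVENT_COUNT):
            r = sig.packet(start, f"10.2.0.{i}", 25, b"Subject: CONFIDENTIAL budget")
        results.append(r)
    return results
```

With 30 victims hit in one burst the first 20 alerts are individual, alerts 21 to 25 collapse to per-victim summaries, and the rest become a single global summary.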
