CCIE SECURITY V5

TABLE OF CONTENTS
Lab Guidelines ................................................................................................................................................................ 8
Lab Instructions .............................................................................................................................................................. 9
Lab Restrictions .............................................................................................................................................................. 9
About the Trainer......................................................................................................................................................... 12
Loading Initial Config .................................................................................................................................................. 12
Hardware and Software List ....................................................................................................................................... 13

Section 1 – ASA Firewall ............................................................................................................................... 14

Goal of the lab .............................................................................................................................................................. 14

Lab-1.1: - Basic of ASA Configuration........................................................................................................ 15

Lab-Setup ........................................................................................................................................................................ 15
Task-1 Configure the interface of ASA ............................................................................................................................ 17
Task-2 Configure the Telnet and SSH on ASA ................................................................................................................. 23
Task-3 Allow Ping and ICMP ............................................................................................................................................ 28
Task-4 Configure Banner on the ASA firewall ................................................................................................................. 32

Lab-1.2: - Dynamic Routing Protocol ........................................................................................................ 33

Task-1 Configure Eigrp between R1 and ASA1v .............................................................................................................. 33
Task-2 Configure OSPF between R2 and ASA1v.............................................................................................................. 37
Task-3 Configure Redistribution between Routing Protocols......................................................................................... 41

Lab-1.3: - ASA System Management ........................................................................................................ 45

Task-1 Configure ASDM for the GUI of ASA .................................................................................................................... 46

Lab-1.4: - ASA Address Translation and ACL .......................................................................................... 53

Lab-Setup ........................................................................................................................................................................ 54
Lab-Setup ........................................................................................................................................................................ 61
Task-1 Configure the Static Auto NAT on ASA1 for Web-Server1 .................................................................................. 63
Task-2 Configure the Static Auto PAT on ASA1 for Web-Server2 ................................................................................... 65
Task-3 Configure Static Manual NAT on ASA1 Between Web-Server3 and Inside-PC (Identity NAT) ............................ 66
Task-4 Configure Static Auto NAT on ASA1 Between DMZ network and DB Server ..................................................... 70
Task-5 Configure Static Manual NAT on ASA1 Between Outside-PC1 and Web-Server1 (Twice NAT) ......................... 73

Lab-1.5: - Context on the ASA firewall ...................................................................................................... 76

2

Nitiz Sharma
CCIE SEC/DC 48846
 CCIE SECURITY V5

Lab-Setup ........................................................................................................................................................................ 76
Task1 Configure the ASAp1 with Multi-Context mode ................................................................................................... 79
Task2 Configure the class for the context....................................................................................................................... 83
Task3 Make sure from R7 to R5 and R8 to R6 Ping ......................................................................................................... 88

Lab-1.6: - Active/Standby failover (R3, R4, ASAv2 & ASAv3)................................................................ 97

Lab-Setup ........................................................................................................................................................................ 97
Task1 Configure ASA for Active/Standby ...................................................................................................................... 100

Lab-1.7: - Active/Active failover (R9, R10,R11,R12 ASAp2 & ASAp3) .................................................. 109
Lab-Setup ...................................................................................................................................................................... 110
Task1 Configure ASA for Active/Active failover ............................................................................................................ 115
Task2 Configure context on the ASAp2 ........................................................................................................................ 116
Task3 Address Translation ............................................................................................................................................ 118
Task4 Traffic Filtering .................................................................................................................................................... 118
Task4 Monitor Interface ............................................................................................................................................... 133

Lab-1.8: - ASA Clustering........................................................................................................................... 140

Task1 Configure ASA-C1 and ASA-c2 for clustering ...................................................................................................... 140

Lab-1.9: - ASA Firewall IP Services ........................................................................................................... 142

Task1 Configure NTP server and client on ASA1 and DC-Router .................................................................................. 142
Task2 Configure DNS on ASA1 ...................................................................................................................................... 145
Task3 Configure Logging on ASA1 ................................................................................................................................. 146

Section 2 – NGFW Firewall ........................................................................................................................ 148

Goal of the LAB ........................................................................................................................................... 148

Lab-2.1: - Setting Up the Lab Environment ............................................................................................ 149

Task1 Download FMC and FTD from the cisco.com ..................................................................................................... 149
Task2 Configure FMC/FTDv1/ftdv2 and ngips .............................................................................................................. 150
Task3 Cisco FMC- OFF Box Management for the Sensor .............................................................................................. 151
Task4 Smart Licencing ................................................................................................................................................... 152
Task5 FMC Database ..................................................................................................................................................... 153
Task6 Who is and Geolocation Search .......................................................................................................................... 153
Task7 Configure the Platform settings .......................................................................................................................... 153
Task8 Integration with AD............................................................................................................................................. 153

Lab-2.2: - FTD1/FTD2 and ngips Firewall Basic Configuration ........................................................... 154

Task1 Register the FTD1, FTD2 and NGIPS with FMC ................................................................................................... 154

3
 CCIE SECURITY V5

Task2 Configure the FTD HA ......................................................................................................................................... 154

Task3 Configure the FTD Routing.................................................................................................................................. 155
Task4 Configure the NGIPS Rule ................................................................................................................................... 155
Task5 Deploy the configuration .................................................................................................................................... 155

Lab-2.3: - Connect the LAN user to DMZ .............................................................................................. 156

Task1 NAT policy ........................................................................................................................................................... 156
Task2 Testing connectivity to Servers ........................................................................................................................... 157
Task3 Configure the Access Policy with pre-filter rule ................................................................................................. 157
Task4 Configure the Access Policy with Allow rule for icmp ........................................................................................ 157
Task5 Testing connectivity to Servers ........................................................................................................................... 159
Task6 Configure the Access Policy with Allow rule for http ......................................................................................... 159
Task7 Testing connectivity to Servers ........................................................................................................................... 159
Task8 Configure the Access Policy with Allow rule for FTP .......................................................................................... 160
Task9 Testing connectivity to Servers ........................................................................................................................... 160
Task10 Configure the Access Policy with block rule for Geolocation of germany ........................................................ 160
Task11 Testing connectivity to Servers ......................................................................................................................... 161

........................................................................................................................................................................ 161

Lab-2.4: - Configure File and malware policy ....................................................................................... 161

Task1 Configure a new file policy with name “PDF-Malware” to block pdf file ........................................................... 162
Task2 use the same file policy with name “PDF-Malware” to block any malware....................................................... 162
Task3 Call the policy in access control policy................................................................................................................ 162

Lab-2.5: - Configure URL Filtering Policy ............................................................................................... 162

Task1 Block Gambling Content ..................................................................................................................................... 163
Task2 Block Social Media Content ................................................................................................................................ 163
Task3 Allow Facebook access for Client-PC .................................................................................................................. 164

Lab-2.6: - Configure SSL Policy ................................................................................................................ 164

Task1 Self Signed Certificate ......................................................................................................................................... 164
Task2 Create the SSL Policy ........................................................................................................................................... 165
Task3 Apply SSL Policy to ACP ....................................................................................................................................... 166
Task4 FMC Certificate ................................................................................................................................................... 166

Section 3 – VPN .......................................................................................................................................... 166

Goal of the LAB ........................................................................................................................................... 166

Lab-3.1: - Site to Site VPN ......................................................................................................................... 167

Lab-Setup ...................................................................................................................................................................... 167
4
 CCIE SECURITY V5

Task1 Site to Site IPSec VPN (IOS-IOS) R51-R53............................................................................................................ 172

Task2 Site to Site IPSec VPN Aggressive Mode (IOS-IOS) R51-R53 ............................................................................... 201
Lab-Setup ...................................................................................................................................................................... 201

Lab-3.2: - Certificate Authority with crypto route ................................................................................. 207

Lab-Setup ...................................................................................................................................................................... 208
Task1 Configure NTP ..................................................................................................................................................... 214
Task2 IOS Certificate Authority ..................................................................................................................................... 217
Task3 Enroll with the CA - R53 and R54 ........................................................................................................................ 219
Task4 Configure the IPSec tunnel between R53 and R54 ............................................................................................. 224

Lab-3.3: - GRE ............................................................................................................................................. 229

Task1 GRE Tunnel .......................................................................................................................................................... 230
Task2 GRE Tunnel Over IPSec........................................................................................................................................ 236

Lab-3.4: - DMVPN ...................................................................................................................................... 247

Lab-Setup ...................................................................................................................................................................... 249
Task1 DMVPN Phase 1 Basic Configuration .................................................................................................................. 254
Task2 DMVPN Phase 1 with EIGRP ............................................................................................................................... 260
Task3 DMVPN Phase 1 Encrypt the Tunnel Using Ipsec ............................................................................................... 267
Task4 DMVPN Phase 2 with EIGRP ............................................................................................................................... 267
Task5 DMVPN Phase 3 with Eigrp ................................................................................................................................. 280

Lab-3.5: - SSL Clientless VPN ................................................................................................................... 293

Task1 Perform SSL Clientless VPN ................................................................................................................................. 293

Lab-3.6: - Cisco Anyconnect with IKEv2 ................................................................................................. 308

Task1 Perform Anyconnect Clientbased VPN ............................................................................................................... 309

Lab-3.7: - GetVPN with VRF Aware ......................................................................................................... 310

Task1 Perform GetVPN on Key Server and Group Member ........................................................................................ 311

Lab-3.8: - Flex VPN..................................................................................................................................... 352

Task-1 Configure the R14, R15 and R16 ........................................................................................................................ 352
Task-2 Site to Site with PSK - Flex VPN – IKEv2 ............................................................................................................. 354

Section 4 – ISE ............................................................................................................................................. 363

Goal of the lab ............................................................................................................................................................ 364

Lab-4.1: - ISE Installation (Optional) ........................................................................................................ 365

Task1 Access the Cisco ISE ............................................................................................................................................ 366
5
 CCIE SECURITY V5

Task2 Check the application status ............................................................................................................................... 367

Task3 Check the NTP status .......................................................................................................................................... 368
Task4 Check the DNS lookup......................................................................................................................................... 369
Task5 Check the Application ......................................................................................................................................... 370
Task6 Check the ISE version, interface details and routing .......................................................................................... 370
Task7 Check the timezone and clock ............................................................................................................................ 373
Task8 Reset the Password for the GUI to Sanfran!1234............................................................................................... 374

Lab-4.2: - Administrative access to ISE ................................................................................................... 375

Task1 Setup an administrative access to ISE................................................................................................................. 375
Task2 Setup an Helpdesk user access to ISE ................................................................................................................. 382

Lab-4.3: - Integration with Active Directory .......................................................................................... 389

Task1 Setup an ISE with Active Directory ..................................................................................................................... 389
Task2 Setup an ISE with Active Directory ..................................................................................................................... 396

Lab-4.4: - Configure the DC-Router for SSH Authentication ............................................................. 399

Task Setup an Authorization and authentication on router ......................................................................................... 399

Lab-4.4: - Cisco TrustSec........................................................................................................................... 423

Task Configure CTS SXP relationship between TrustSec-ASA and SW_P ...................................................................... 423

Lab-4.5: - Configure ISE for MAB ............................................................................................................ 438

Task Configure Mac Authentication Bypass on Switch and use ISE as Authentication Server ..................................... 438

Lab-4.6: - Configure ISE for MAB VLAN Authorization ....................................................................... 454

Task Configure Mac Authentication Bypass on Switch and use ISE as Authorization Server ....................................... 454

Lab-4.7: - Configure MAB-PC to Access Server 3 and Server 4 ........................................................ 464

Lab-4.8: - Configure ISE and ASA for TrustSec Classification and Enforcement ............................ 469
Task1 Configure ISE SGT tag.......................................................................................................................................... 469
Task2 Configure ASA for ACL......................................................................................................................................... 475
Task3 Configure ISE for Trustsec ................................................................................................................................... 477

Lab-4.9: - Configure ISE for Dot1x ........................................................................................................... 486

Task1 Configure Dot1x user for authentication ............................................................................................................ 486
Task2 Configure 802.1x vlan assignment ...................................................................................................................... 510

Lab-4.10: - Configure WLC with AP......................................................................................................... 531

Task1 Configure Access point with the static ip ........................................................................................................... 532
Task2 Configure Switch for ap ...................................................................................................................................... 533
6
 CCIE SECURITY V5

Task3 Configure WLC .................................................................................................................................................... 535

Task3 Authenticate the ap with ise with mab .............................................................................................................. 541

Lab-4.11: - Cisco Anyconnect with IKEv2 ................................................................................................ 549

Task1 Perform Anyconnect Clientbased VPN ............................................................................................................... 549

Section 5 – WSA.......................................................................................................................................... 555

Goal of the LAB ........................................................................................................................................... 555

Lab-5.1: - WSA Bootstrapping .................................................................................................................. 556

Task1 Perform WSA initial configuration CLI ................................................................................................................ 556
Task2 Perform WSA initial configuration GUI ............................................................................................................... 556

Lab-5.2: - WSA Integration with ad ......................................................................................................... 557

Lab-5.3: - WCCP configuration on the Router and WSA .................................................................... 557

Lab-5.4: - Creating URL list for allowing and blocking traffic ............................................................. 557

Lab-5.5: - Create the Quato based policies ........................................................................................... 557

Lab-5.6: - Creating the Identification profile for allowing Mozilla firefox......................................... 557

Lab-5.7: - Creating the Identification profile for Blocking Internet Explorer.................................... 557

Lab-5.8: - Access policies on WSA .......................................................................................................... 557

Section 6 – StealthWatch........................................................................................................................... 558

Lab-6.1: - Setup the stealthwatch appliance tool .................................................................................. 558

Lab-6.2: - Setup stealthwatch management console .......................................................................... 558

Lab-6.3: - Setup stealthwatch flow collector ......................................................................................... 558

Lab-6.4: - Adding flow collector to SMC ................................................................................................ 558

Lab-6.5: - Configuring netflow on Router, Switch, ASA ...................................................................... 558

Lab-6.6: - Organizing host and host groups ......................................................................................... 558

7
 CCIE SECURITY V5

Lab-6.7: - Analyzing the flows .................................................................................................................. 558

Lab-6.8: - Creating custom policies ........................................................................................................ 559

Lab-6.9: - Setup stealthwatch flow collector ......................................................................................... 559

Lab-6.10: - Configuring backup ............................................................................................................... 559

LAB GUIDELINES

The following scenarios are practice labs designed to test your readiness for the Cisco Systems
CCIE Security Lab Exam. However, remember, these practice labs should be used as a learning tool.
Instead of rushing through the labs to complete all the configuration steps, take the time to research the
networking technology and gain a deeper understanding of the principles behind its operation. For
each lab of the CCIE Security Practice Labs Workbook, follow these guidelines:

 Read the entire lab before starting the configuration, and correlate tasks within a section to get a
complete overview of the lab objectives.
 There are dependencies between tasks of the same section and between tasks from different
sections. Carefully read throughout the lab to identify and make notes of it
 The lab consists of Seven sections that don't necessarily need to be completed in the presented
order. However, some tasks must be completed before others (such as initialization of ASA
firewalls).
 Some tasks present a set of requirements for implementing a technology, and some tasks present
outputs to be matched.
 Labs include both configuration and troubleshooting tasks; the number of faults relevant to each
troubleshooting task may or not be specified.

8
 CCIE SECURITY V5

 Before starting, verify that all equipment is functional, powered up and that you can access it at the
console.
 Routers and switches are preconfigured, do not change it unless specifically allowed by the task.
On troubleshooting tickets, you may change any of the initial configurations.
 IPv4/IPv6 static and default routes are allowed to complete any task, but only if this is the only
available option, and unless otherwise stated in any task.
 Make sure you do not to lock yourself out of any device, because password recovery or device
reset is not available in the lab.

 At the end of the Lab, ensure that all devices are accessible at the console by using preconfigured
credentials or the ones from specific task requirements.

LAB INSTRUCTIONS

Before you begin, make sure that the initial configuration scripts for each lab have been applied.
If you have any questions related to the scenario solutions, send an email to our support team at
[email protected]. Refer to the attached physical and logical diagrams on each
lab for interface and protocol assignments. Upon lab completion, end-to-end IPv4 connectivity is
not a requirement unless specifically asked for, but you are required to meet task requirements
and restrictions

LAB RESTRICTIONS

Each lab scenario contains explicit general restrictions that you must conform to while configuring
the lab. These restrictions are defined in the introductory section for each scenario. Examples of
such restrictions include, but are not limited to, not adding additional IP addressing, not changing
the default authentication methods, etc. There may also be certain restrictions for particular tasks
within a lab scenario. Examples of these restrictions include, but are not limited to, not issuing a
particular configuration command, not using the legacy configuration for a technology, etc.

9
 CCIE SECURITY V5

TIP

You may do whatever is necessary to complete a task unless the general requirements for the lab
scenario or the specific requirements for the task explicitly prohibit you from doing so. All routers
and switches are accessible at the console without requiring any authentication; do not change this.
To access other devices within the lab, use the following tables as a reference:

Device Username Password IP

Candidate-PC student username Sanfran@1234 150.1.7.20

CA-Server administrator Sanfran@1234 150.1.7.160

Esxi-Server root Sanfran@1234 150.1.7.161

SW_P (3850) admin Sanfran@1234 150.1.7.162

Enable password

Sanfran@1234

DC-Router admin Sanfran@1234 150.1.7.163

Enable password

Sanfran@1234

AD-DNS administrator Sanfran@1234 150.1.7.164

Client-PC administrator Sanfran@1234 150.1.7.165

ASA1 admin Sanfran@1234 150.1.7.166

FTP-Server admin Sanfran@1234 150.1.7.167

WLC admin Sanfran1234 150.1.7.168

10
 CCIE SECURITY V5

TrustSec-ASA admin Sanfran@1234 (If 150.1.7.169

needed)

WSA-PC admin Sanfran@1234 150.1.7.170

MAB-PC mab Sanfran@1234 150.1.7.171

DOT1x-PC Dot1x Sanfran@1234 150.1.7.172

Eve-NG admin Sanfran1234 150.1.7.174

FMC admin Sanfran@1234 150.1.7.175

FTD1 admin Sanfran@1234 150.1.7.176

NGIPS admin Sanfran@1234 150.1.7.177

ISE-P admin Sanfran@1234 150.1.7.179

FTD2 admin Sanfran@1234 150.1.7.178

R100 admin Sanfran@1234 150.1.7.180

R200 admin Sanfran@1234 150.1.7.181

R300 admin Sanfran@1234 150.1.7.182

Guest-PC admin Sanfran@1234 150.1.7.183

R51 admin Sanfran@1234 150.1.7.184

R52 admin Sanfran@1234 150.1.7.185

R53 admin Sanfran@1234 150.1.7.186

R54 admin Sanfran@1234 150.1.7.187

WSA admin Sanfran@1234 150.1.7.188

ISE-S admin Sanfran@1234 150.1.7.189

11
 CCIE SECURITY V5

StealthWatch-SMC admin Sanfran@1234 150.1.7.195

StealthWatch-Flow admin Sanfran@1234 150.1.7.196

Collector

Jumper-PC admin Sanfran@1234 150.1.7.199

ABOUT THE TRAINER

Nitiz Sharma

Senior Technical Instructor. Cisco 2 x CCIE # (DC/Sec)

Over 13 Years of experience in Cisco Network Technology. More than 6 years of proficiency in

CISCO Data Centre and Security Network Implementation, installation, configuration, support and

maintaining Cisco. Strong hands on experience on Cisco Devices like ASA, NGFW Firepower, ISE,

WSA, ESA, VPN, StealthWatch, Umbrella, SD-WAN, SDA, Cisco ACI, Nexus, UCS, Cloud Centre, as

well VMware 6.X

LOADING INITIAL CONFIG

12
 CCIE SECURITY V5

All the devices can be loaded with the initial script, by logging into the ESXI Server with the

username and password mentioned in the reference sheet. Once login, revert the Base-config

Snapshot for all the device(VM) present in the server. How to revert the snapshot, you must be

received a video from [email protected]. If not, contact immediately, before doing

any experiment.

HARDWARE AND SOFTWARE LIST

 Virtual Machines

 Security Appliances

 Cisco Identity Services Engine (ISE): 2.4

 Cisco Web Security Appliance (WSA): 10.1 .0
 Cisco Wireless Controller (WLC): 8.2.130.0
 Cisco Firepower Management Center Virtual Appliance: 6.2.3
 Cisco Firepower NGIPSv: 6.2.3
 Cisco Firepower Threat Defense: 6.2.3

 Core Devices

 IOSv L2: 15.2

 IOSv L3: 15.5(2)T
 Cisco CSR 1000V Series Cloud Services Router: 3.16.02.S
 Cisco Adaptive Security Virtual Appliance (ASAv): 9.8(3)

 Others

 Test PC: Microsoft Windows 7

 Active Directory: Microsoft Windows Server 2012

13
 CCIE SECURITY V5

 AnyConnect 4.2

 Physical Devices

 Cisco Catalyst Switch

 WS-C3850-24U 03.07.04E

 Cisco Adaptive Security Appliance

 5516-X: 9.8(2)4

 Cisco Aironet
 3500 Series

Section 1 – ASA Firewall

GOAL OF THE LAB

The most Common and effective way to implement a security domain is to place a firewall at the boundary
between the trusted and untrusted parts of a network.

Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can
also protect inside networks from each other, for example, by keeping a human resources network separate
from a user network.

In this Section we will configure all the Firewall related labs and clear our concepts.

14
 CCIE SECURITY V5

LAB-1.1: - BASIC OF ASA CONFIGURATION

LAB-SETUP
 Configure R1 and R2 with the IP mentioned in the table
 Configure the telnet on the respective routers using password “cisco”

Device Interface IP

R1 Fa0/0 10.1.1.10/24
Loopback0 1.1.1.1/24

R2 Fa0/0 20.1.1.10/24
Loopback0 2.2.2.2/24

15
 CCIE SECURITY V5

Configuration of Router

R1:

hostname R1
interface f0/0
no shutdown
ip address 10.1.1.10 255.255.255.0

interface loop0
ip address 1.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

line vty 0 4
password cisco
transport input all
login

enable secret cisco

R2:

16
 CCIE SECURITY V5

hostname R2
interface f0/0
no shutdown
ip address 20.1.1.10 255.255.255.0

interface loop0

ip address 2.2.2.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.1.1

line vty 0 4

password cisco

transport input all

login

enable secret cisco

TASK-1 CONFIGURE THE INTERFACE OF ASA

 Configure ASAv1 with the following settings:

o Hostname: ASAv1

17
 CCIE SECURITY V5

o Interface: gi0/0 – name - outside – ip 20.1.1.1/24 – sec-level 0

o Interface: gi0/1 – name - inside – ip 10.1.1.1/24 – sec-level 100
o Configure ASA, with default route towards R2 and static route towards R1
o On R1 and R2, configure the default routes pointing to the ASA.
o Configure the Telnet on R1 and R2, use password “cisco”.
o Use enable secret password “cisco”

Verification

 Check the arp table on R1, R2 and ASAv-FW

 Ping 10.1.1.1 from R1
 Ping 20.1.1.1 from R2
 Check Telnet 20.1.1.10 from R1
 Check Telnet 2.2.2.2 /source lo0 from R1
 Ping 20.1.1.10 from R1
 Ping 10.1.1.10 from R2
 Telnet 10.1.1.10 from R2

Configuration of Firewall

ASAv1:

hostname ASAv1

18
 CCIE SECURITY V5

interface g0/0

no shutdown

nameif outside

ip address 20.1.1.1 255.255.255.0

interface g 0/1

no shutdown

nameif inside

ip address 10.1.1.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 20.1.1.10

route inside 1.1.1.0 255.255.255.0 10.1.1.10

Verifications:

R1#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

19
 CCIE SECURITY V5

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/39/64 ms

R2#ping 20.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/51/72 ms

ASAv1# show arp

outside 20.1.1.10 c202.5608.0000 34

inside 10.1.1.10 c201.5757.0000 187

R1#telnet 20.1.1.10

Trying 20.1.1.10 ... Open

User Access Verification

Password:

R2>

20
 CCIE SECURITY V5

ASAv1# show conn

1 in use, 1 most used

TCP outside 20.1.1.10:23 inside 10.1.1.10:15427, idle 0:00:52, bytes 102, flags UIO

R1#telnet 2.2.2.2

Trying 2.2.2.2 ... Open

User Access Verification

Password:

R2>

ASAv1# show conn

1 in use, 1 most used

TCP outside 2.2.2.2:23 inside 10.1.1.10:55738, idle 0:00:03, bytes 106, flags UIO

R1#telnet 2.2.2.2 /source-interface loopback 0

Trying 2.2.2.2 ... Open

User Access Verification

Password:

R2>

ASAv1# show conn

21
 CCIE SECURITY V5

1 in use, 1 most used

TCP outside 2.2.2.2:23 inside 1.1.1.1:17916, idle 0:00:21, bytes 102, flags UIO

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R1#ping 20.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.10, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R2#ping 1.1.1.1

Type escape sequence to abort.

22
 CCIE SECURITY V5

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R2#ping 10.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R2#telnet 1.1.1.1

Trying 1.1.1.1 ...

% Connection timed out; remote host not responding

R2#telnet 10.1.1.10

Trying 10.1.1.10 ...

% Connection timed out; remote host not responding

TASK-2 CONFIGURE THE TELNET AND SSH ON ASA

23
 CCIE SECURITY V5

 Configure ASAv1 with the following settings:

o Create the object name as R1-loop and R2-loop for 1.1.1.1 & 2.2.2.2
o Create the object-group name as TELNET-SSH for telnet and ssh service
o Create the ACL with name OUT-IN
o We are allowed to add only one line access-list to allow the telnet and ssh
o Enable Telnet on ASA inside and outside interface
o Enable SSH on ASA inside and outside interface
o Make sure for SSH, user logged out after 10 mins of inactivity
o Create the username admin password cisco privilege 15 and create the rsa key with 1024
bits
o Use Domain-name cisco.com.

Verification

 Telnet 10.1.1.1 inside interface of ASA from R1

 Telnet 20.1.1.1 outside interface of ASA from R2
 SSH 10.1.1.1 inside interface of ASA from R1
 SSH 20.1.1.1 outside interface of ASA from R2
 telnet 1.1.1.1 from R2 with the source loopback 0

Configuration of ASA Firewall

24
 CCIE SECURITY V5

ASAv1:

object network R1-loop

host 1.1.1.1

object network R2-loop

host 2.2.2.2

object-group service TELNET-SSH tcp

port-object eq telnet

port-object eq ssh

access-list OUT-IN extended permit tcp object R2-loop object R1-loop object-group
TELNET-SSH

access-group OUT-IN in interface outside

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 outside

passwd cisco

domain-name cisco.com

crypto key generate rsa modulus 1024

25
 CCIE SECURITY V5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

username admin password cisco privilege 15

aaa authentication ssh console LOCAL

Verifications:

R1#telnet 10.1.1.1

Trying 10.1.1.1 ... Open

User Access Verification

Password:

User enable_1 logged in to ASAv1

Logins over the last 1 days: 2. Last login: 11:05:33 UTC Aug 28 2018 from console

Failed logins since the last login: 0.

Type help or '?' for a list of available commands.

ASAv1>

R1#ssh -l admin 10.1.1.1

26
 CCIE SECURITY V5

Password:

User admin logged in to ASAv1

Logins over the last 1 days: 1.

Failed logins since the last login: 0.

Type help or '?' for a list of available commands.

ASAv1>

R2#telnet 20.1.1.1

Trying 20.1.1.1 ...

% Connection timed out; remote host not responding

“Telnet is not going to happen on the Outside interface of the ASA firewall”

R2#ssh -l admin 20.1.1.1

Password:

User admin logged in to ASAv1

Logins over the last 1 days: 2. Last login: 18:39:30 UTC Aug 28 2018 from 10.1.1.10

27
 CCIE SECURITY V5

Failed logins since the last login: 0.

Type help or '?' for a list of available commands.

ASAv1>

R2#telnet 1.1.1.1 /source-interface loopback 0

Trying 1.1.1.1 ... Open

User Access Verification

Password:

R1>

ASAv1# show conn

2 in use, 2 most used

TCP outside 2.2.2.2:11605 inside 1.1.1.1:23, idle 0:00:22, bytes 102, flags UIOB

TASK-3 ALLOW PING AND ICMP

 Configure ASAv1 with the following settings

o Ping is allowed from Inside to Outside
28
 CCIE SECURITY V5

o Create the ACL with name i-o-icmp

o Ping is allowed from Outside to Inside
o Create the ACL with name o-i-icmp

o ACL should be Host or Network Specific.

Configuration of ASA Firewall

Permit ICMP from R2 loopback to R1 Loopback

R2#ping 1.1.1.1 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

.....

Success rate is 0 percent (0/5)

ASAv1:

access-list OUT-IN extended permit icmp host 2.2.2.2 host 1.1.1.1 echo

access-group OUT-IN in interface outside

29
 CCIE SECURITY V5

R2#ping 1.1.1.1 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/12 ms

Permit ICMP from R1 loopback to R2 loopback

***NOTE: In the previous task, we allowed the ICMP traffic only from R2 to R1

If R1 sends ICMP to R2 it would not be successful as the traffic is not allowed in ASAv1. ***

R1#ping 2.2.2.2 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

30
 CCIE SECURITY V5

.....

Success rate is 0 percent (0/5)

ASAv1:

access-list OUT-IN extended permit icmp host 2.2.2.2 host 1.1.1.1 echo-reply

access-group OUT-IN in interface outside

R1#ping 2.2.2.2 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

ASAv1# show conn

2 in use, 2 most used

ICMP outside 2.2.2.2:0 inside 1.1.1.1:9, idle 0:00:00, bytes 19008, flags

31
 CCIE SECURITY V5

TASK-4 CONFIGURE BANNER ON THE ASA FIREWALL

 Configure ASAv1 with the following settings:

o Configure banner message so that it will display for successful remote connection via SSH.
o The banner should include the following message:

o *

o Welcome to Netmetric-Solutions
o Only authorized users are allowed to connect.
o *

Configuration of ASA Firewall

ASAv1:

banner motd *

banner motd Welcome to Netmetric-Solutions

banner motd Only authorized users are allowed to connect

banner motd *

32
 CCIE SECURITY V5

Verification:

ASA1(config)# show banner

motd:

Welcome to Netmetric-Solutions

Only authorized users are allowed to connect

LAB-1.2: - DYNAMIC ROUTING PROTOCOL

TASK-1 CONFIGURE EIGRP BETWEEN R1 AND ASA1V

33
 CCIE SECURITY V5

 Remove the Default route from R1 and static route from ASA1v.
 Configure Eigrp AS 10 on R1 and ASA1v
 Addresses the Loopback and 10.1.1.0 network in AS
 Eigrp Messages should be authenticate using MD5 with key “CCNP” and key-id as 1 on ASAv1
 Create the Key chain and key string name as “CCNP” along with key 1 on R1.

Verification

 Check the Eigrp Neighbourship

 Check the routes on ASAv1 and R1

Configuration on Router

R1:

no ip route 0.0.0.0 0.0.0.0 10.1.1.1

R2:

no ip route 0.0.0.0 0.0.0.0 20.1.1.1

Configuration on ASA

ASAv1:
34
 CCIE SECURITY V5

ASAv1(config)#show running-config route

route outside 0.0.0.0 0.0.0.0 20.1.1.10 1

route inside 1.1.1.0 255.255.255.0 10.1.1.10 1

ASAv1(config)# no route outside 0.0.0.0 0.0.0.0 20.1.1.10 1

ASAv1(config)# no route inside 1.1.1.0 255.255.255.0 10.1.1.10 1

R1-ASA:EIGRP

R1:

router eigrp 10

network 1.1.1.0 0.0.0.255

network 10.1.1.10 0.0.0.0

no auto-summary

key chain CCNP

key 1

key-string CCNP

35
 CCIE SECURITY V5

interface FastEthernet0/0

ip authentication mode eigrp 10 md5

ip authentication key-chain eigrp 10 CCNP

ASAv1:

router eigrp 10

no auto-summary

network 10.1.1.1 255.255.255.255

interface GigabitEthernet0/1

authentication key eigrp 10 CCNP key-id 1

authentication mode eigrp 10 md5

Verification:

ASAv1#show eigrp neighbors

EIGRP-IPv4 Neighbors for AS(10)

H Address Interface Hold Uptime SRTT RTO Q Seq

36
 CCIE SECURITY V5

0 10.1.1.10 inside 13 00:01:12 21 200 0 3

ASAv1(config-if)# show route eigrp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

D 1.1.1.0 255.255.255.0 [90/130816] via 10.1.1.10, 00:01:02, inside

TASK-2 CONFIGURE OSPF BETWEEN R2 AND ASA1V

 Remove the Default route from R1 and static route from ASA1v.
 Configure OSPF Area 0 on the outside interface.
 Authenticate using the interface authentication with password of “CCNP” and key ID 1.

37
 CCIE SECURITY V5

 Use 20.20.20.20 as OSPF Router ID on ASA1v

 Use 2.2.2.2. as a Router ID on R2.

Verification

 Check the OSPF Neighbourship

 Check the routes on ASAv1 and R2

Configuration on ASA

ASAv1:

router ospf 1

router-id 20.20.20.20

network 20.1.1.1 255.255.255.255 area 0

interface GigabitEthernet0/0

ospf authentication message-digest

ospf message-digest-key 1 md5 CCNP

38
 CCIE SECURITY V5

Configuration on Router

R2:

router ospf 1

router-id 2.2.2.2

log-adjacency-changes

network 2.2.2.0 0.0.0.255 area 0

network 20.1.1.10 0.0.0.0 area 0

interface FastEthernet0/0

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 CCNP

Verifications:

ASAv1# show ospf neighbor

39
 CCIE SECURITY V5

Neighbor ID Pri State Dead Time Address Interface

2.2.2.2 1 FULL/BDR 0:00:31 20.1.1.10 outside

ASAv1# show route ospf

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

O 2.2.2.2 255.255.255.255 [110/11] via 20.1.1.10, 00:00:58, outside

R2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

40
 CCIE SECURITY V5

20.20.20.20 1 FULL/DR 00:00:37 20.1.1.1 FastEthernet0/0

TASK-3 CONFIGURE REDISTRIBUTION BETWEEN ROUTING PROTOCOLS

 Configure the route redistribution between the OSPF and EIGRP.

 So that entire network gain the full reachability.

Configuration on Firewall

Redistribute OSPF --- EIGRP on ASAv1

ASAv1:

router eigrp 10

redistribute ospf 1 metric 10000 100 255 1 1500

router ospf 1

redistribute eigrp 10 subnets

41
 CCIE SECURITY V5

Verification:

R1:

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/32 is subnetted, 1 subnets

D EX 2.2.2.2 [170/307200] via 10.1.1.1, 00:01:04, FastEthernet0/0

20.0.0.0/24 is subnetted, 1 subnets

D EX 20.1.1.0 [170/307200] via 10.1.1.1, 00:01:04, FastEthernet0/0

42
 CCIE SECURITY V5

10.0.0.0/24 is subnetted, 1 subnets

C 10.1.1.0 is directly connected, FastEthernet0/0

R2:

R2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

O E2 1.1.1.0 [110/20] via 20.1.1.1, 00:02:32, FastEthernet0/0

2.0.0.0/24 is subnetted, 1 subnets

C 2.2.2.0 is directly connected, Loopback0

20.0.0.0/24 is subnetted, 1 subnets

C 20.1.1.0 is directly connected, FastEthernet0/0

10.0.0.0/24 is subnetted, 1 subnets

O E2 10.1.1.0 [110/20] via 20.1.1.1, 00:02:32, FastEthernet0/0

43
 CCIE SECURITY V5

R2#ping 1.1.1.1 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/44 ms

R2#telnet 1.1.1.1 /source-interface loopback 0

Trying 1.1.1.1 ... Open

User Access Verification

Password:

R1>

R1#ping 2.2.2.2 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

44
 CCIE SECURITY V5

Packet sent with a source address of 1.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/19/32 ms

R1#telnet 2.2.2.2 /source-interface loopback 0

Trying 2.2.2.2 ... Open

User Access Verification

Password:

R2>

LAB-1.3: - ASA SYSTEM MANAGEMENT

45
 CCIE SECURITY V5

TASK-1 CONFIGURE ASDM FOR THE GUI OF ASA

 Use ASA1 and candidate-pc for this Task

 ASDM image is present on the candidate-pc c:/TFTP-Root folder.
 Push ASDM image to the ASA1 flash using TFTP server
 TFTP server is present on the desktop Solar Wind.
 Use the Management Interface for pushing the ASDM image to the ASA.
 Once the ASDM image is there in the flash, configure it before the first use.

Device Interface IP

ASA1 management 150.1.7.166

Nameif mgmt.
Security-level 100

Configuration on Firewall

Start by checking the flash of ASA1

ASA1# show flash:

--#-- --length-- -----date/time------ path

12 4096 Aug 13 2018 13:08:52 smart-log

16 7937 Aug 18 2018 10:02:14 smart-log/agentlog

46
 CCIE SECURITY V5

7 4096 Aug 13 2018 13:07:52 log

9 500 Aug 17 2018 11:43:22 log/asa-appagent.log

10 4096 Aug 13 2018 13:08:56 coredumpinfo

11 58 Aug 13 2018 13:08:56 coredumpinfo/coredump.cfg

“C Drive, TFTP-Root folder the image of asdm-782-151.bin is present.”

“Check the IP address is configured on the ASA firewall”

ASA1# show int ip br

47
 CCIE SECURITY V5

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 unassigned YES unset administratively down up

GigabitEthernet0/1 unassigned YES unset administratively down up

GigabitEthernet0/2 unassigned YES unset administratively down up

GigabitEthernet0/3 unassigned YES unset administratively down up

GigabitEthernet0/4 unassigned YES unset administratively down up

GigabitEthernet0/5 unassigned YES unset administratively down up

GigabitEthernet0/6 unassigned YES unset administratively down up

GigabitEthernet0/7 unassigned YES unset administratively down up

GigabitEthernet0/8 unassigned YES unset administratively down up

Management0/0 150.1.7.166 YES manual up up

ASA1# show nameif

Interface Name Security

Management0/0 mgmt 100

“Check the connectivity between the candidate PC and the ASA1 firewall”

ASA1# ping 150.1.7.20

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.7.20, timeout is 2 seconds:

48
 CCIE SECURITY V5

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Start copying the asdm image through the TFTP server.

ASA1# copy tftp://150.1.7.20/asdm-782-151.bin flash:

Address or name of remote host [150.1.7.20]? Enter

Source filename [asdm-782-151.bin]? Enter

Destination filename [asdm-782-151.bin]? Enter

Accessing tftp://150.1.7.20/asdm-782-151.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Verifying file disk0:/asdm-782-151.bin...

!!!!!!!!!!!!!!!!!!!!!!!!!

Writing file disk0:/asdm-782-151.bin...

26975568 bytes copied in 66.690 secs (408720 bytes/sec)

49
 CCIE SECURITY V5

Verification: -

ASA1# show flash:

--#-- --length-- -----date/time------ path

12 4096 Aug 13 2018 13:08:52 smart-log

16 7937 Aug 18 2018 10:02:14 smart-log/agentlog

7 4096 Aug 13 2018 13:07:52 log

9 500 Aug 17 2018 11:43:22 log/asa-appagent.log

10 4096 Aug 13 2018 13:08:56 coredumpinfo

11 58 Aug 13 2018 13:08:56 coredumpinfo/coredump.cfg

93 26975568 Aug 23 2018 16:42:19 asdm-782-151.bin

After installing the ASDM to the flash, lets enable the ASDM feature for the ASA firewall

http server enable

http 150.1.7.0 255.255.255.0 mgmt

asdm image boot:/asdm-79150.bin

Once Done go to the desktop and double click on the ASDM icon and give the IP add
150.1.7.166
50
CCIE SECURITY V5

51
 CCIE SECURITY V5

Once done the ASDM gui will open. You can explore the GUI for the moment.

52
 CCIE SECURITY V5

LAB-1.4: - ASA ADDRESS TRANSLATION AND ACL

53
 CCIE SECURITY V5

LAB-SETUP

 Configure R100, R200 and R300 as per the below mentioned addressing scheme.
 Configure Telnet on All the router, with the password “Sanfran@1234”
 Configure the default route on all the router, pointing towards ASA.

Device Interface IP Address

R100 Gi5 10.1.1.10/24

Loopback0 2.2.2.2/24
Loopback 1 12.12.12.12/24
Loopback 2 122.122.122.122/24

54
 CCIE SECURITY V5

R200 Gi5 20.1.1.10/24

Loopback0 8.8.8.8/24
Loopback 1 4.4.4.4/24
Loopback 2 45.45.45.45/24

Loopback 3 55.55.55.55/24

R300 Gi5 30.1.1.10/24

Loopback0 3.3.3.3/24

Loopback 1 13.13.13.13/24
Loopback 2 133.133.133.133/24

Configuration on Router

R100:

int gi5

no sh

ip address 10.1.1.10 255.255.255.0

exit

ip route 0.0.0.0 0.0.0.0 10.1.1.1

int lo0

55
 CCIE SECURITY V5

ip address 2.2.2.2 255.255.255.0

description DB-Server

int lo1

ip address 12.12.12.12 255.255.255.0

description App-Server

int lo2

ip address 122.122.122.122 255.255.255.0

description Inside-PC

Verification: -

R100#show ip int br

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1 unassigned YES TFTP up up

GigabitEthernet2 unassigned YES TFTP up up

GigabitEthernet3 150.1.7.180 YES manual up up

GigabitEthernet4 unassigned YES unset up up

56
 CCIE SECURITY V5

GigabitEthernet5 10.1.1.10 YES manual up up

GigabitEthernet0 unassigned YES TFTP up up

Loopback0 2.2.2.2 YES manual up up

Loopback1 12.12.12.12 YES manual up up

Loopback2 122.122.122.122 YES manual up up

Configuration on Router

R200:

int gi5

no sh

ip address 20.1.1.10 255.255.255.0

exit

ip route 0.0.0.0 0.0.0.0 20.1.1.1

int lo0

ip add

ip address 8.8.8.8 255.255.255.0

description google.com

57
 CCIE SECURITY V5

int lo1

ip address 4.4.4.4 255.255.255.0

int lo2

ip address 45.45.45.45 255.255.255.0

description Outside-PC1

int lo3

ip address 55.55.55.55 255.255.255.0

description Outside-PC2

Verification

R200#show ip int br

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1 unassigned YES NVRAM administratively down down

GigabitEthernet2 unassigned YES NVRAM administratively down down

GigabitEthernet3 150.1.7.181 YES manual up up

GigabitEthernet4 unassigned YES unset administratively down down

GigabitEthernet5 20.1.1.10 YES manual up up

58
 CCIE SECURITY V5

GigabitEthernet0 unassigned YES NVRAM administratively down down

Loopback0 8.8.8.8 YES manual up up

Loopback1 4.4.4.4 YES manual up up

Loopback2 45.45.45.45 YES manual up up

Loopback3 55.55.55.55 YES manual up up

Configuration on Router

R300:

int gi5

ip add

ip address 30.1.1.10 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 30.1.1.1

int lo0

ip address 3.3.3.3 255.255.255.0

description Web-Server1

int lo1

ip address 13.13.13.13 255.255.255.0

59
 CCIE SECURITY V5

description Web-Server2

int lo2

ip address 133.133.133.133 255.255.255.0

description Web-Server3

Verification

R300#show ip int br

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1 unassigned YES NVRAM administratively down down

GigabitEthernet2 unassigned YES NVRAM administratively down down

GigabitEthernet3 150.1.7.182 YES manual up up

GigabitEthernet4 unassigned YES unset administratively down down

GigabitEthernet5 30.1.1.10 YES manual up up

Loopback0 3.3.3.3 YES manual up up

Loopback1 13.13.13.13 YES manual up up

Loopback2 133.133.133.133 YES manual up up

Configuration On R100,R200,R300

60
 CCIE SECURITY V5

line vty 0 4

password Sanfran@1234

login

LAB-SETUP

 Configure ASA1 as per the below mentioned addressing scheme.

Device Interface IP

ASA1 Gi0/4 20.1.1.1

Nameif outside

ASA1 Gi0/5 10.1.1.1

Nameif inside

ASA1 Gi0/6 30.1.1.1

Nameif dmz

Sec-50

Configuration Firewall

ASA1

interface GigabitEthernet0/4

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

61
 CCIE SECURITY V5

ASA1# ping 10.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:

?!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/10 ms

interface GigabitEthernet0/5

nameif outside

security-level 0

ip address 20.1.1.1 255.255.255.0

ASA1# ping 20.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.10, timeout is 2 seconds:

?!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

interface GigabitEthernet0/6

nameif dmz

62
 CCIE SECURITY V5

security-level 50

ip address 30.1.1.1 255.255.255.0

ASA1# ping 30.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 30.1.1.10, timeout is 2 seconds:

?!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

TASK-1 CONFIGURE THE STATIC AUTO NAT ON ASA1 FOR WEB-SERVER1

 Configure ASA so that when someone from the outside (network segment behind ASA’s
OUTSIDE interface) tries to connect to IP address of 20.1.1.50 he/she will be pointed to Web-

Server1.

Configuration on Firewall

ASA1:

object network Web-Server1

host 3.3.3.3

nat (dmz,outside) static 20.1.1.50

63
 CCIE SECURITY V5

access-list OUT-IN extended permit ip any host 3.3.3.3

access-group OUT-IN in interface outside

route dmz 3.3.3.0 255.255.255.0 30.1.1.10

R200#telnet 20.1.1.50

Trying 20.1.1.50 ... Open

User Access Verification

Password:

R300>show users

Line User Host(s) Idle Location

2 vty 0 idle 00:09:07 150.1.7.20

* 3 vty 1 idle 00:00:00 20.1.1.10

ASA1# show nat

Auto NAT Policies (Section 2)

64
 CCIE SECURITY V5

1 (dmz) to (outside) source static Web-Server1 20.1.1.50

translate_hits = 0, untranslate_hits = 1

ASA1# show conn

TCP outside 20.1.1.10:46594 dmz 3.3.3.3:23, idle 0:03:46, bytes 553, flags UIOB

TASK-2 CONFIGURE THE STATIC AUTO PAT ON ASA1 FOR WEB-SERVER2

 Configure ASA so that when someone from the outside (network segment behind ASA’s
OUTSIDE interface) tries to connect to IP address of 20.1.1.51 using TELNET he/she will be pointed
to Web-Server2.

Configuration on Firewall

ASA1:

object network Web-Server2

host 13.13.13.13

nat (dmz,outside) static 20.1.1.51 service tcp 23 23

65
 CCIE SECURITY V5

access-list OUT-IN extended permit tcp any host 13.13.13.13 eq 23

route dmz 13.13.13.0 255.255.255.0 30.1.1.10

Verification

R200#telnet 20.1.1.51

Trying 20.1.1.51 ... Open

User Access Verification
Password:

R300>show user
Line User Host(s) Idle Location

* 2 vty 0 idle 00:00:00 20.1.1.10

ASA1# show conn

2 in use, 15 most used

TCP outside 20.1.1.10:23554 dmz 13.13.13.13:23, idle 0:01:42, bytes 466, flags UIOB

TASK-3 CONFIGURE STATIC MANUAL NAT ON ASA1 BETWEEN WEB-SERVER3

AND INSIDE-PC (IDENTITY NAT)

 Configure ASA so that when Inside-PC from the inside network tries to connect to Web-Server3,
the Inside-PC ip should change to mapped interface, and Web-Server3 ip should remain same
and intact.
 The translation must be enforced only for traffic going between Inside-PC and Web-Server3 only.

66
 CCIE SECURITY V5

Configuration on Firewall

ASA1:

object network Web-Server3

host 133.133.133.133

object network Inside-PC

host 122.122.122.122

nat (inside,dmz) source static Inside-PC interface destination static Web-Server3 Web-
Server3

route dmz 3.3.3.0 255.255.255.0 30.1.1.10 1

route inside 12.12.12.0 255.255.255.0 10.1.1.10 1
route dmz 13.13.13.0 255.255.255.0 30.1.1.10 1

route inside 122.122.122.0 255.255.255.0 10.1.1.10 1

route dmz 133.133.133.0 255.255.255.0 30.1.1.10 1

Verification:

R100#telnet 133.133.133.133

Trying 133.133.133.133 ... Open

User Access Verification
Password:

R300>show user
67
 CCIE SECURITY V5

Line User Host(s) Idle Location

2 vty 0 idle 00:06:59 150.1.7.20

* 3 vty 1 idle 00:00:00 10.1.1.10

As we can see that the it is using the interface ip of R100 instead of 122.122.122.122.

Verification:

ASA1# show nat

Manual NAT Policies (Section 1)

1 (inside) to (dmz) source static Inside-PC interface destination static Web-Server3 Web-
Server3
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static Web-Server1 20.1.1.50

translate_hits = 0, untranslate_hits = 1
2 (dmz) to (outside) source static Web-Server2 20.1.1.51 service tcp telnet telnet

translate_hits = 0, untranslate_hits = 1

ASA1# show nat

Manual NAT Policies (Section 1)
1 (inside) to (dmz) source static Inside-PC interface destination static Web-Server3 Web-
Server3
translate_hits = 1, untranslate_hits = 1

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static Web-Server1 20.1.1.50
translate_hits = 0, untranslate_hits = 0
68
 CCIE SECURITY V5

2 (dmz) to (outside) source static Web-Server2 20.1.1.51 service tcp telnet telnet
translate_hits = 0, untranslate_hits = 0

ASA1# show xlate

4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from dmz:3.3.3.3 to outside:20.1.1.50
flags s idle 19:07:32 timeout 0:00:00
TCP PAT from dmz:13.13.13.13 23-23 to outside:20.1.1.51 23-23
flags sr idle 18:45:55 timeout 0:00:00
NAT from inside:122.122.122.122 to dmz:30.1.1.1
flags sT idle 0:01:41 timeout 0:00:00
NAT from dmz:133.133.133.133 to inside:133.133.133.133
flags sIT idle 0:01:41 timeout 0:00:00

ASA1# show conn

2 in use, 15 most used

TCP dmz 133.133.133.133:23 inside 122.122.122.122:47106, idle 0:02:14, bytes 540, flags
UIO

R100#telnet 133.133.133.133 /source-interface lo2

Trying 133.133.133.133 ... Open

User Access Verification

Password:

R300>

R300>show users

69
 CCIE SECURITY V5

Line User Host(s) Idle Location

* 2 vty 0 idle 00:00:00 30.1.1.1

TASK-4 CONFIGURE STATIC AUTO NAT ON ASA1 BETWEEN DMZ NETWORK AND
DB SERVER

 Configure ASA so that when someone from the DMZ network segment tries to connect to DB-
Server using port 2323, he/she will be redirected to DB-Server using port 23.

Configuration on Firewall

ASA1:

object network DB-Server

host 2.2.2.2

nat (inside,dmz) static interface service tcp telnet 2323

access-list DMZ-IN extended permit tcp any host 2.2.2.2 eq telnet

access-group DMZ-IN in interface dmz

route inside 2.2.2.0 255.255.255.0 10.1.1.10

70
 CCIE SECURITY V5

R300#telnet 30.1.1.1 2323

Trying 30.1.1.1, 2323 ...

% Connection timed out; remote host not responding

R300#telnet 30.1.1.1 2323

Trying 30.1.1.1, 2323 ... Open

User Access Verification

Password:

R100>show users

Line User Host(s) Idle Location

* 3 vty 1 idle 00:00:00 30.1.1.10

ASA1# show nat

Manual NAT Policies (Section 1)

1 (inside) to (dmz) source static Inside-PC interface destination static Web-Server3 Web-
Server3

translate_hits = 1, untranslate_hits = 1

71
 CCIE SECURITY V5

Auto NAT Policies (Section 2)

1 (inside) to (dmz) source static DB-Server interface service tcp telnet 2323

translate_hits = 0, untranslate_hits = 5

2 (dmz) to (outside) source static Web-Server1 20.1.1.50

translate_hits = 0, untranslate_hits = 0

3 (dmz) to (outside) source static Web-Server2 20.1.1.51 service tcp telnet telnet

translate_hits = 0, untranslate_hits = 0

ASA1# show xlate

5 in use, 5 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

s - static, T - twice, N - net-to-net

TCP PAT from inside:2.2.2.2 23-23 to dmz:30.1.1.1 2323-2323

flags sr idle 0:00:44 timeout 0:00:00

NAT from dmz:3.3.3.3 to outside:20.1.1.50

flags s idle 19:32:14 timeout 0:00:00

TCP PAT from dmz:13.13.13.13 23-23 to outside:20.1.1.51 23-23

flags sr idle 19:10:38 timeout 0:00:00

NAT from inside:122.122.122.122 to dmz:30.1.1.1

72
 CCIE SECURITY V5

flags sT idle 0:16:12 timeout 0:00:00

NAT from dmz:133.133.133.133 to inside:133.133.133.133

flags sIT idle 0:16:12 timeout 0:00:00

ASA1# show conn

2 in use, 15 most used

TCP dmz 30.1.1.10:57346 inside 2.2.2.2:23, idle 0:00:47, bytes 524, flags UIOB

TASK-5 CONFIGURE STATIC MANUAL NAT ON ASA1 BETWEEN OUTSIDE-PC1

AND WEB-SERVER1 (TWICE NAT)

 Configure ASA so that when someone from the Outside-PC1 try to do telnet to DMZ Web-Server1,
the Outside-PC1 identity should change to 20.1.1.100 and the Web-Server1 identity should change
to 30.1.1.100. (Twice NAT)

Configuration on Firewall

ASA1:

73
 CCIE SECURITY V5

object network Web-Server1

host 3.3.3.3

object network Outside-PC1

host 45.45.45.45

object network Mapped-Web-Server1

host 30.1.1.100

object network Mapped-Outside-PC1

host 20.1.1.100

nat (dmz,outside) source static Web-Server1 Mapped-Web-Server1 destination static

Mapped-Outside-PC1 Outside-PC1

route outside 0.0.0.0 0.0.0.0 20.1.1.10 1

access-list OUT-IN extended permit ip any host 3.3.3.3

access-group OUT-IN in interface outside

Verification:

ASA1# show nat

1 (dmz) to (outside) source static Web-Server1 Mapped-Web-Server1 destination static

Mapped-Outside-PC1 Outside-PC1
74
 CCIE SECURITY V5

translate_hits = 1, untranslate_hits = 1

ASA1# show conn

2 in use, 15 most used

TCP outside 20.1.1.100(45.45.45.45):30210 dmz 3.3.3.3:23, idle 0:02:14, bytes 484, flags
UIOB

ASA1# show xlate

NAT from outside:45.45.45.45 to dmz:20.1.1.100

flags sT idle 0:02:35 timeout 0:00:00

R200#telnet 30.1.1.100 /source-interface lo2

Trying 30.1.1.100 ... Open

User Access Verification

Password:

R300>show users

Line User Host(s) Idle Location

* 2 vty 0 idle 00:00:00 20.1.1.100

75
 CCIE SECURITY V5

LAB-1.5: - CONTEXT ON THE ASA FIREWALL

LAB-SETUP

 Configure R5, R6, R7 and R8 as per the below mentioned addressing scheme.
 Configure Telnet on All the router, with the password “cisco”
 Configure the default route on all the router, pointing towards ASA.

76
 CCIE SECURITY V5

Device Interface IP Address

R5 Fa0/0 50.1.1.10/24

Loopback0 5.5.5.5/24

R6 Fa0/0 60.1.1.10/24
Loopback0 6.6.6.6/24

R7 Fa0/0 70.1.1.10/24
Loopback0 7.7.7.7/24

R8 Fa0/0 80.1.1.10/24

Loopback0 8.8.8.8/24

Note :- Diagram CNTX1 context instead of c1

Configuration on Router

R5:

interface f0/0
no shut
ip address 50.1.1.10 255.255.255.0

interface loopback 0
ip address 5.5.5.5 255.255.255.0

ip route 0.0.0.0 0.0.0.0 50.1.1.1

R6:
77
 CCIE SECURITY V5

interface f0/0
no shut
ip address 60.1.1.10 255.255.255.0

interface loopback 0
ip address 6.6.6.6 255.255.255.0

ip route 0.0.0.0 0.0.0.0 60.1.1.1

R7:

interface f0/0
no shut
ip address 70.1.1.10 255.255.255.0

interface loopback 0
ip address 7.7.7.7 255.255.255.0

ip route 0.0.0.0 0.0.0.0 70.1.1.1

R8:

interface f0/0
no shut
ip address 80.1.1.10 255.255.255.0
78
 CCIE SECURITY V5

interface loopback 0
ip address 8.8.8.8 255.255.255.0

ip route 0.0.0.0 0.0.0.0 80.1.1.1

TASK1 CONFIGURE THE ASAP1 WITH MULTI-CONTEXT MODE

 Configure the ASAp1 with the following

o Use the hostname ASAp1
o Change the mode of the firewall to multiple.
o Create context as per the below mentioned table

Context Name Interface IP Address

CNTX1 Eth2 – outside -visible 50.1.1.1/24

Eth0 – inside -invisible 70.1.1.1/24

Url :- CNTX1

CNTX2 Eth2 – outside -visible 60.1.1.1/24

Eth1 – inside –invisible 80.1.1.1/24

Url :- CNTX2

 Context information should be stored in the flash memory.

 Assigned interface should be named as given in the table.

79
 CCIE SECURITY V5

Configuration on Firewall

ASAp1:

hostname ASAp1

mode multiple

interface Ethernet0

no shutdown

interface Ethernet1

no shutdown

interface Ethernet2

no shutdown

context CNTX1

Creating context 'CNTX1'... Done. (2)

allocate-interface Ethernet0 inside invisible

allocate-interface Ethernet2 outside visible

80
 CCIE SECURITY V5

config-url disk0:/CNTX1.cfg

context CNTX2

Creating context 'CNTX2'... Done. (2)

allocate-interface Ethernet1 inside invisible

allocate-interface Ethernet2 outside visible

config-url disk0:/CNTX2.cfg

Verification

ASAp1(config)# show context

Context Name Class Interfaces Mode URL

*admin default Routed disk0:/admin.cfg

CNTX1 default Ethernet0,Ethernet2 Routed disk0:/CNTX1.cfg

CNTX2 default Ethernet1,Ethernet2 Routed disk0:/CNTX2.cfg

ASAp1(config)# show context detail

Context "system", is a system resource

81
 CCIE SECURITY V5

Config URL: startup-config

Real Interfaces:

Mapped Interfaces: Ethernet0, Ethernet1, Ethernet2, Ethernet3,

Virtual254

Class: default, Flags: 0x00000819, ID: 0

Context "admin", has been created

Config URL: disk0:/admin.cfg

Real Interfaces:

Mapped Interfaces:

Real IPS Sensors:

Mapped IPS Sensors:

Class: default, Flags: 0x00000813, ID: 1

Context "CNTX1", has been created

Config URL: disk0:/CNTX1.cfg

Real Interfaces: Ethernet0, Ethernet2

Mapped Interfaces: inside, outside

Real IPS Sensors:

Mapped IPS Sensors:

Class: default, Flags: 0x00000811, ID: 2

82
 CCIE SECURITY V5

Context "CNTX2", has been created

Config URL: disk0:/CNTX2.cfg

Real Interfaces: Ethernet1, Ethernet2

Mapped Interfaces: inside, outside

Real IPS Sensors:

Mapped IPS Sensors:

Class: default, Flags: 0x00000811, ID: 3

Context "null", is a system resource

Config URL: ... null ...

Real Interfaces:

Mapped Interfaces:

Real IPS Sensors:

Mapped IPS Sensors:

Class: default, Flags: 0x00000809, ID: 257

TASK2 CONFIGURE THE CLASS FOR THE CONTEXT

 Configure the ASAp1 with the following resources

83
 CCIE SECURITY V5

Context CNTX1Policy ASDM Connections 2

Connections 1500
SSH Sessions 3

Telnet Sessions 1
Xlate Objects 200

Context CNTX2 Policy ASDM Connections 4

Connections 2000
SSH Sessions 4
Telnet Sessions 1
Xlate Objects 300

Configuration on Firewall

ASAp1:

class CNTX1

limit-resource asdm 2

limit-resource conns 1500

limit-resource ssh 3

limit-resource telnet 1

limit-resource xlate 200

84
 CCIE SECURITY V5

class CNTX2

limit-resource asdm 4

limit-resource conns 2000

limit-resource ssh 4

limit-resource telnet 1

limit-resource xlate 300

Verification: -

ASAp1# sh run all class

class default

limit-resource All 0

limit-resource Mac-addresses 65535

limit-resource ASDM 5

limit-resource SSH 5

limit-resource Telnet 5

class CNTX1

limit-resource ASDM 2

limit-resource Conns 1500

limit-resource SSH 3

85
 CCIE SECURITY V5

limit-resource Telnet 1

limit-resource Xlates 200

class CNTX2

limit-resource ASDM 4

limit-resource Conns 2000

limit-resource SSH 4

limit-resource Telnet 1

limit-resource Xlates 300

ASAp1# show class default

Class Name Members ID Flags

default All 1 0001

ASAp1# show class CNTX1

Class Name Members ID Flags

CNTX1 0 2 0000

ASAp1# show class CNTX2

Class Name Members ID Flags

CNTX2 0 3 0000

86
 CCIE SECURITY V5

ASAp1(config)# context CNTX1

ASAp1(config-ctx)# member CNTX1

ASAp1(config-ctx)# context CNTX2

ASAp1(config-ctx)# member CNTX2

ASAp1# show class CNTX1

Class Name Members ID Flags

CNTX1 1 2 0000

ASAp1# show class CNTX2

Class Name Members ID Flags

CNTX2 1 3 0000

ASAp1(config)# changeto context CNTX1

ASAp1#show int ip brief

Interface IP-Address OK? Method Status Protocol

outside unassigned YES unset up up

87
 CCIE SECURITY V5

inside unassigned YES unset up up

Check the difference between the output, with respect to visible and invisible interface.

Verification:

ASAp1/CNTX1(config)# show interface outside

Interface outside "", is up, line protocol is up

System name Ethernet2

Available but not configured via nameif

ASAp1/CNTX1(config)# show interface inside

Interface inside "", is up, line protocol is up

Available but not configured via nameif

TASK3 MAKE SURE FROM R7 TO R5 AND R8 TO R6 PING

88
 CCIE SECURITY V5

 Ensure the ping from the Higher Security Level to Lower Security level from R7to R5 and R8 to R6.
 We are not allowed to configure any type of access list or address translation to make this ping
happen.

Configuration on ASA

ASAp1

interface inside

nameif inside

security-level 100

ip address 70.1.1.1 255.255.255.0

interface outside

nameif outside

security-level 0

ip address 50.1.1.1 255.255.255.0

Verification:
89
 CCIE SECURITY V5

ASAp1/CNTX1# ping 70.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 70.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASAp1/CNTX1# ping 50.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 50.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASAp1/CNTX2# show nameif

Interface Name Security

inside inside 100

outside outside 0

ASAp1/CNTX2# show int ip b

Interface IP-Address OK? Method Status Protocol

90
 CCIE SECURITY V5

inside 80.1.1.1 YES manual up up

outside 60.1.1.1 YES manual up up

ASAp1/CNTX2# ping 60.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 60.1.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

ASAp1/CNTX2# ping 80.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 80.1.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 m

policy-map global_policy

class inspection_default

inspect icmp

91
 CCIE SECURITY V5

changeto context CNTX2

Allow the ICMP inspection on the ASA firewall

policy-map global_policy

class inspection_default

inspect icmp

Verification:

R7#ping 50.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 50.1.1.10, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R8#ping 60.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 60.1.1.10, timeout is 2 seconds:

.....

92
 CCIE SECURITY V5

Success rate is 0 percent (0/5)

ASAp1/CNTX1(config)# show interface outside

Interface outside "outside", is up, line protocol is up

System name Ethernet2

MAC address 5000.001a.0002, MTU 1500

IP address 50.1.1.1, subnet mask 255.255.255.0

Traffic Statistics for "outside":

4 packets input, 130 bytes

8 packets output, 584 bytes

0 packets dropped

ASAp1/CNTX1(config)# changeto context CNTX2

Verification:

ASAp1/CNTX2(config)# show interface outside

Interface outside "outside", is up, line protocol is up

System name Ethernet2

MAC address 5000.001a.0002, MTU 1500

IP address 60.1.1.1, subnet mask 255.255.255.0

Traffic Statistics for "outside":

93
 CCIE SECURITY V5

9 packets input, 630 bytes

12 packets output, 1056 bytes

0 packets dropped

Because of the shared interface, the mac address on both the context, for the outside
interface is same. To change the mac address on both the context we need to use either auto
or manual option.

ASAp1/CNTX2(config)# changeto system

ASAp1(config)# mac-address auto

Verification:

ASAp1(config)# changeto context CNTX1

ASAp1/CNTX1(config)# show interface outside

Interface outside "outside", is up, line protocol is up

System name Ethernet2

MAC address a200.0000.0008, MTU 1500

IP address 50.1.1.1, subnet mask 255.255.255.0

Traffic Statistics for "outside":

94
 CCIE SECURITY V5

22 packets input, 824 bytes

9 packets output, 612 bytes

16 packets dropped

ASAp1/CNTX1(config)# changeto context CNTX2

Verification:

ASAp1/CNTX2(config)# show interface outside

Interface outside "outside", is up, line protocol is up

System name Ethernet2

MAC address a200.0000.0006, MTU 1500

IP address 60.1.1.1, subnet mask 255.255.255.0

Traffic Statistics for "outside":

37 packets input, 2085 bytes

13 packets output, 1084 bytes

26 packets dropped

Verification:

95
 CCIE SECURITY V5

R7#ping 50.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 50.1.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/103/436 ms

R8#ping 60.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 60.1.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

R7#telnet 50.1.1.10

Trying 50.1.1.10 ... Open

User Access Verification

Password:

R5>

R8#telnet 60.1.1.10

96
 CCIE SECURITY V5

Trying 60.1.1.10 ... Open

User Access Verification

Password:

R6>

LAB-1.6: - ACTIVE/STANDBY FAILOVER (R3, R4, ASAV2 & ASAV3)

LAB-SETUP

 Configure R3 and R4 as per the below mentioned addressing scheme.

 Configure Telnet on All the router, with the password “cisco”
97
 CCIE SECURITY V5

 Configure the default route on all the router, pointing towards ASA.

Device Interface IP Address

R3 Fa0/0 10.1.1.10/24
Loopback0 3.3.3.3/24

R4 Fa0/0 20.1.1.10/24
Loopback0 4.4.4.4/24

Configuration on Router

R3:

hostname R3

interface f 0/0

no shut

ip address 10.1.1.10 255.255.255.0

interface loopback 0

98
 CCIE SECURITY V5

ip address 3.3.3.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

R4:

hostname R4

interface f 0/0

no shut

ip address 20.1.1.10 255.255.255.0

interface loopback 0

ip address 4.4.4.4 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.1.1

99
 CCIE SECURITY V5

TASK1 CONFIGURE ASA FOR ACTIVE/STANDBY

 Configure hostname as ASAv2 and ASAv3

 Configure ASAv3 device to back up ASAv2 in the event of failure
 Configure gi0/2 as the failover link
 Configure gi0/3 as the Stateful link
 Authenticate the failover control messages using a key “cisco”

Physical Interface Interface name Security Level IP Address

Gi0/0 Outside 0 Pri – 20.1.1.1/24

Sec – 20.1.1.2/24

Gi0/1 Inside 100 Pri- 10.1.1.1/24

Sec- 10.1.1.2/24

Gi0/2 FO Pri- 10.10.10.10/24

100
 CCIE SECURITY V5

Sec – 10.10.10.11/24

Gi0/3 STATE Pri – 20.20.20.20/24

Sec- 20.20.20.21/24

Configuration on ASA

ASAv2

hostname ASAv2

interface g 0/0

no shut

nameif outside

ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2

interface g0/1

no shut

nameif inside

ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

101
 CCIE SECURITY V5

interface g 0/2

no shut

description failover link

interface g0/3

no shut

description statefull link

route outside 0.0.0.0 0.0.0.0 20.1.1.10

route inside 3.3.3.0 255.255.255.0 10.1.1.10

Configure the failover

failover lan unit primary

failover lan interface FO GigabitEthernet0/2

failover key cisco

failover link STATE GigabitEthernet0/3

failover interface ip FO 10.10.10.10 255.255.255.0 standby 10.10.10.11

failover interface ip STATE 20.20.20.20 255.255.255.0 standby 20.20.20.21

102
 CCIE SECURITY V5

failover

ASAv3:

hostname ASAv3

interface g 0/2

no shut

interface g0/3

no shut

failover lan unit secondary

failover lan interface FO GigabitEthernet0/2

failover key cisco

failover link STATE GigabitEthernet0/3

failover interface ip FO 10.10.10.10 255.255.255.0 standby 10.10.10.11

failover interface ip STATE 20.20.20.20 255.255.255.0 standby 20.20.20.21

failover

103
 CCIE SECURITY V5

Start the failover

ASAv2

ASAv2(config)# failover

ASAv3(config)# failover

No Active mate detected

Beginning configuration replication: Sending to mate.

End Configuration Replication to mate

ASAv2(config)# prompt hostname state

ASAv3(config)# .

104
 CCIE SECURITY V5

Detected an Active mate

Beginning configuration replication from mate.

WARNING: Disabling auto import may affect Smart Licensing

WARNING: Local user database is empty and there are still 'aaa' commands for 'LOCAL'.

Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint CA certificate accepted.

WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.

End configuration replication from mate.

ASAv2/stby#

Verifications: -

ASAv2/act# show failover state

State Last Failure Reason Date/Time

This host - Primary

Active None

Other host - Secondary

105
 CCIE SECURITY V5

Standby Ready None

====Configuration State===

Sync Done

====Communication State===

Mac set

====VM Properties Compatibility===

vCPUs - This host: 1

Other host: 1

Memory - This host: 2048 Mhz

Other host: 2048 Mhz

Interfaces - This host: 7

Other host: 7

ASAv2/act# show failover

Failover On

Failover unit Primary

Failover LAN Interface: FO GigabitEthernet0/2 (up)

Reconnect timeout 0:00:00

Unit Poll frequency 1 seconds, holdtime 15 seconds

106
 CCIE SECURITY V5

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 61 maximum

MAC Address Move Notification Interval not set

Version: Ours 9.8(1), Mate 9.8(1)

Serial Number: Ours 9AND6971AK0, Mate 9ASDWDV3DE6

Last Failover at: 00:02:07 UTC Sep 1 2018

This host: Primary - Active

Active time: 177 (sec)

slot 0: empty

Interface outside (20.1.1.1): Normal (Monitored)

Interface inside (10.1.1.1): Normal (Monitored)

Other host: Secondary - Standby Ready

Active time: 0 (sec)

Interface outside (20.1.1.2): Normal (Monitored)

Interface inside (10.1.1.2): Normal (Monitored)

Stateful Failover Logical Update Statistics

Link : STATE GigabitEthernet0/3 (up)

Stateful Obj xmit xerr rcv rerr

General 23 0 22 0

107
 CCIE SECURITY V5

sys cmd 22 0 22 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 0 0 0 0

UDP conn 0 0 0 0

ARP tbl 0 0 0 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 0 0 0 0

VPN IKEv2 P2 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

SIP Tx 0 0 0 0

SIP Pinhole 0 0 0 0

Route Session 0 0 0 0

Router ID 0 0 0 0

User-Identity 1 0 0 0

108
 CCIE SECURITY V5

CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0

TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

STS Table 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 17 192

Xmit Q: 0 37 184

LAB-1.7: - ACTIVE/ACTIVE FAILOVER (R9, R10,R11,R12 ASAP2 & ASAP3)

109
 CCIE SECURITY V5

LAB-SETUP

 Configure R9, R10, R11 and R12 as per the below mentioned addressing scheme.
 Configure Telnet on All the router, with the password “cisco”
 Configure the default route on all the router, pointing towards ASA.

Device Interface IP Address

R9 Fa0/0 10.1.1.10/24

R10 Fa0/0 30.1.1.10/24

110
 CCIE SECURITY V5

R11 Fa0/0 20.1.1.10/24

R12 Fa0/0 40.1.1.10/24

Configuration on Router

R9:

in f0/0

no shut

ip address 10.1.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

R10:

in f0/0

no shut

ip address 30.1.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 30.1.1.1

111
 CCIE SECURITY V5

R11:

in f0/0

no shut

ip address 20.1.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.1.1

R12:

in f0/0

no shut

ip address 40.1.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 40.1.1.1

R9-11:

line vty 0 4

password cisco

login

112
 CCIE SECURITY V5

Configuration on the Switch

SW4

vlan 20

vlan 40

interface range GigabitEthernet0/0-1

switchport trunk encapsulation dot1q

switchport mode trunk

no sh

interface GigabitEthernet0/2

no sh

switchport access vlan 20

switchport mode access

interface GigabitEthernet0/3

113
 CCIE SECURITY V5

switchport access vlan 40

switchport mode access

no sh

SW5

vlan 10

vlan 30

interface range GigabitEthernet0/2-3

switchport trunk encapsulation dot1q

switchport mode trunk

no sh

interface GigabitEthernet0/0

no sh

switchport access vlan 10

switchport mode access

114
 CCIE SECURITY V5

interface GigabitEthernet0/1

switchport access vlan 30

switchport mode access

no sh

TASK1 CONFIGURE ASA FOR ACTIVE/ACTIVE FAILOVER

 Configure hostname as ASAp2 and ASAp3

 Your configuration should meet the following requirements:

o ASAp2‐ system

 Interface eth0.20
 vlan: 20

 Interface eth0.40
 vlan: 40

 Interface eth1.10
 vlan: 10
 Interface eth1.30
 vlan: 30

 Failover:

o Unit: Primary
o Lan Interface: eth2

o Primary‐ Standby:1.1.1.1-1.1.1.2/24
o Name: LAN
o Link Interfaces: eth3
o Primary‐ Standby:2.2.2.1-2.2.2.2

115
 CCIE SECURITY V5

o Name: STATE
 Failover Group1: Primary
 Failover Group2: Secondary

 Failover:
o ASAp3‐ system
o Failover:

o Unit: Secondary
o Lan Interface: eth2
o Primary‐ Standby:1.1.1.1-1.1.1.2/24
o Name: LAN

o Link Interfaces: eth3

o Primary‐ Standby:2.2.2.1-2.2.2.2

o Name: STATE

 Failover Group1: Secondary

 Failover Group2: Primary

TASK2 CONFIGURE CONTEXT ON THE ASAP2

 Configure the Context on the ASAp2

 Name: c1
o Allocate Interfaces: eth0.20, eth1.10 and provide Labels Respectively: outside_c1, inside_c1
o Join Failover Group: 1
o URL: c1.cfg

o For Inside Interface -- Make it visible

o For Outside Interface - Make it invisible
 Name: c2

116
 CCIE SECURITY V5

o Allocate Interfaces: eth0.40, eth1.30 Labels Respectively: outside_c2, inside_c2

o Join Failover Group:2
o URL: c2.cfg

o For Inside Interface -- Make it visible

o For Outside Interface - Make it invisible
 ASA1‐ c1
o Interface inside_c1:

o Address Primary‐ Standby:10.1.1.1-10.1.1.2

o Name: inside
o Interface outside_c1:
o Address Primary‐ Standby:20.1.1.1-20.1.1.2
o Name: outside

 ASA1‐ c2
o Interface inside_c2:
o Address Primary‐ Standby:30.1.1.1-30.1.1.2
o Name: inside

o Interface outside_c2:
o Address Primary‐ Standby:40.1.1.1-40.1.1.2

o Name: outside

Context Name Interface

C1 Eth1.10 – inside -visible

Eth0.20 – outside-invisible
Url :- c1.cfg

C2 Eth1.30 – inside -visible

Eth0.40 – outside-invisible
Url :- c1.cfg

117
 CCIE SECURITY V5

TASK3 ADDRESS TRANSLATION

 For c1 context

 R9 (10.1.1.10) should be accessible from outside using outside interface with NAT IP 50.50.50.50. Network
object used for the translation should be named "R9_c1". Use Auto NAT
 For c2 context

 R10 (30.1.1.10) should be accessible from outside using the outside interface with NAT IP 60.60.60.60. Use the

network object for the translation, can use any name. Use Manual NAT

TASK4 TRAFFIC FILTERING

 For c1context

 R9 should be accessible only from 20.1.1.10/24 network for the telnet traffic at port 23 and ICMP Echo
message.

 ACL for the traffic filtering should be named "O-I".

 ACL should be network and host specific.

 For c2 context

 R10 should be accessible only from 40.1.1.10/24 network for the telnet traffic at port 23 and ICMP Echo
message.
 ACL for the traffic filtering should be named "O-I".
 ACL should be network and host specific.

Configuration on the Firewall

ASA2p/ASA3p
118
 CCIE SECURITY V5

Mode Multiple should be enabled if not, convert it into mode multiple

ASAp2 & ASAp3:

ASAp2# show mode

Security context mode: multiple

ASAp3# show mode

Security context mode: multiple

If not give global command

mode multiple

ASA2p

hostname ASAp2

interface Ethernet 0

no shut

119
 CCIE SECURITY V5

interface Ethernet 1

no shut

interface Ethernet 2

no shut

interface Ethernet 3

no shut

interface Ethernet 0.20

vlan 20

interface Ethernet 0.40

vlan 40

interface Ethernet 1.10

vlan 10

interface Ethernet 1.30

vlan 30

Configuration on the Failover for ASAp2

failover lan unit primary

failover lan interface LAN e2

120
 CCIE SECURITY V5

failover link STATE e3

failover interface ip LAN 1.1.1.1 255.255.255.0 standby 1.1.1.2

failover interface ip STATE 2.2.2.1 255.255.255.0 standby 2.2.2.2

failover group 1

preempt

primary

failover group 2

preempt

secondary

Creating on the Context –ASAp2

context c1

allocate-interface ethernet0.20 outside_c1

allocate-interface ethernet1.10 inside_c1 visible

config-url c1.cfg

join-failover-group 1

121
 CCIE SECURITY V5

context c2

allocate-interface ethernet0.40 outside_c2

allocate-interface ethernet1.30 inside_c2 visible

config-url c2.cfg

join-failover-group 2

Configuration on the Context

changeto context c1

interface inside_c1

nameif inside

ip add 10.1.1.1 255.255.255.0 standby 10.1.1.2

no sh

interface outside_c1

nameif outside

ip add 20.1.1.1 255.255.255.0 standby 20.1.1.2

no sh

122
 CCIE SECURITY V5

Configuration on the NAT

object network R9_c1

host 10.1.1.10

nat (inside,outside) static 50.50.50.50

Configuration on the Access-list

access-list O-I extended permit tcp 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq

23

access-list O-I extended permit icmp 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0

echo

access-group O-I in interface outside

Configuration on the Context

changeto context c2

123
 CCIE SECURITY V5

interface inside_c2

nameif inside

ip add 30.1.1.1 255.255.255.0 standby 30.1.1.2

no sh

interface outside_c2

nameif outside

ip add 40.1.1.1 255.255.255.0 standby 40.1.1.2

no sh

Configuration on the NAT

object network R10_c2

host 30.1.1.10

nat (inside,outside) static 60.60.60.60

Configuration on the Access-list

access-list O-I extended permit tcp 40.1.1.0 255.255.255.0 30.1.1.0 255.255.255.0 eq

23

124
 CCIE SECURITY V5

access-list O-I extended permit icmp 40.1.1.0 255.255.255.0 30.1.1.0 255.255.255.0

echo

access-group O-I in interface outside

changeto system

Configuration on the Firewall

ASAp3:

interface e 2

no shut

interface e 3

no shut

Configuration on the Failover

125
 CCIE SECURITY V5

failover lan unit secondary

failover lan interface LAN e2

failover link STATE e3

failover interface ip LAN 1.1.1.1 255.255.255.0 standby 1.1.1.2

failover interface ip STATE 2.2.2.1 255.255.255.0 standby 2.2.2.2

failover group 1

preempt

secondary

failover group 2

preempt

primary

ASAp2 & ASAp3:

Enabling the failover

failover

126
 CCIE SECURITY V5

Verifications:

ASAp2# show context

Context Name Class Interfaces Mode URL

*admin default Routed disk0:/admin.cfg

c1 default Ethernet0.20, Routed disk0:/c1.cfg

Ethernet1.10

c2 default Ethernet0.40, Routed disk0:/c2.cfg

Ethernet1.30

Total active Security Contexts: 3

ASAp2# show failover state

State Last Failure Reason Date/Time

This host - Primary

Group 1 Active None

Group 2 Standby Ready None

127
 CCIE SECURITY V5

Other host - Secondary

Group 1 Standby Ready None

Group 2 Active None

====Configuration State===

Sync Done

====Communication State===

Mac set

R9#telnet 20.1.1.10

Trying 20.1.1.10 ... Open

User Access Verification

Password:

R11>show user

R11>show users

Line User Host(s) Idle Location

* 98 vty 0 idle 00:00:00 50.50.50.50

Interface User Mode Idle Peer Address

128
 CCIE SECURITY V5

prompt context hostname state

c1/ASAp2/act(config)# show conn

5 in use, 5 most used

TCP outside 20.1.1.10:23 inside 10.1.1.10:57020, idle 0:00:20, bytes 474, flags UIO

c1/ASAp2/stby(config)# show conn

5 in use, 5 most used

TCP outside 20.1.1.10:23 inside 10.1.1.10:57020, idle 0:00:13, bytes 474, flags U

c1/ASAp2/act(config)# show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static R9_c1 50.50.50.50

translate_hits = 1, untranslate_hits = 0

R10#telnet 40.1.1.10

Trying 40.1.1.10 ... Open

User Access Verification

129
 CCIE SECURITY V5

Password:

R12>show user

Line User Host(s) Idle Location

* 98 vty 0 idle 00:00:00 60.60.60.60

Interface User Mode Idle Peer Addres

c2/ASAp2/act# show conn

5 in use, 5 most used

TCP outside 40.1.1.10:23 inside 30.1.1.10:25837, idle 0:00:26, bytes 340, flags UIO

c2/ASAp2/stby(config)# show conn

5 in use, 5 most used

TCP outside 40.1.1.10:23 inside 30.1.1.10:25837, idle 0:00:15, bytes 340, flags U

c2/ASAp2/act# show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static R10_c2 60.60.60.60

translate_hits = 1, untranslate_hits = 0

130
 CCIE SECURITY V5

R11#ping 50.50.50.50

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 50.50.50.50, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/96/336 ms

R11#telnet 50.50.50.50

Trying 50.50.50.50 ... Open

User Access Verification

Password:

R9>show user

Line User Host(s) Idle Location

0 con 0 idle 00:01:36

* 98 vty 0 idle 00:00:00 20.1.1.10

Interface User Mode Idle Peer Address

c1/ASAp2/act(config)# show conn

5 in use, 6 most used

TCP outside 20.1.1.10:19973 inside 10.1.1.10:23, idle 0:00:30, bytes 396, flags UIOB

131
 CCIE SECURITY V5

R12#ping 60.60.60.60

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 60.60.60.60, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/21/36 ms

R12#telnet 60.60.60.60

Trying 60.60.60.60 ... Open

User Access Verification

Password:

R10>show user

Line User Host(s) Idle Location

0 con 0 40.1.1.10 00:06:35

* 98 vty 0 idle 00:00:00 40.1.1.10

Interface User Mode Idle Peer Address

c2/ASAp2/act# show conn

132
 CCIE SECURITY V5

5 in use, 8 most used

TCP outside 40.1.1.10:28941 inside 30.1.1.10:23, idle 0:00:41, bytes 395, flags UIOB

TASK4 MONITOR INTERFACE

 Make sure that all the interfaces are being monitored for this failover implementation on both context.

Goto the system context and give command

ASAp2/act(config)# show failover

Failover On

Failover unit Primary

Failover LAN Interface: LAN Ethernet2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 0 of 60 maximum

Version: Ours 9.1(5)16, Mate 9.1(5)16

Group 1 last failover at: 14:48:55 UTC Sep 17 2018

Group 2 last failover at: 14:49:02 UTC Sep 17 2018

133
 CCIE SECURITY V5

This host: Primary

Group 1 State: Active

Active time: 1477 (sec)

Group 2 State: Standby Ready

Active time: 6 (sec)

c1 Interface inside (10.1.1.1): Normal (Not-Monitored)

c1 Interface outside (20.1.1.1): Normal (Not-Monitored)

c2 Interface inside (30.1.1.2): Normal (Not-Monitored)

c2 Interface outside (40.1.1.2): Normal (Not-Monitored)

Other host: Secondary

Group 1 State: Standby Ready

Active time: 0 (sec)

Group 2 State: Active

Active time: 1481 (sec)

c1 Interface inside (10.1.1.2): Normal (Not-Monitored)

c1 Interface outside (20.1.1.2): Normal (Not-Monitored)

c2 Interface inside (30.1.1.1): Normal (Not-Monitored)

134
 CCIE SECURITY V5

c2 Interface outside (40.1.1.1): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics

Link : STATE Ethernet3 (up)

Stateful Obj xmit xerr rcv rerr

General 211 0 204 0

sys cmd 197 0 197 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 9 0 5 0

UDP conn 0 0 0 0

ARP tbl 2 0 2 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 0 0 0 0

VPN IKEv2 P2 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

135
 CCIE SECURITY V5

Route Session 0 0 0 0

User-Identity 3 0 0 0

CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0

TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 3 2502

Xmit Q: 0 3 2533

changeto context c1 on ASA2p

c1/ASAp2/act(config)# monitor-interface inside

c1/ASAp2/act(config)# monitor-interface outside

changeto context c2 on ASA3p

c2/ASAp2/act(config)# monitor-interface inside

c2/ASAp2/act(config)# monitor-interface outside

136
 CCIE SECURITY V5

Verification

ASAp2/act# show failover

Failover On

Failover unit Primary

Failover LAN Interface: LAN Ethernet2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 4 of 60 maximum

Version: Ours 9.1(5)16, Mate 9.1(5)16

Group 1 last failover at: 14:48:55 UTC Sep 17 2018

Group 2 last failover at: 14:49:02 UTC Sep 17 2018

This host: Primary

Group 1 State: Active

Active time: 1508 (sec)

Group 2 State: Standby Ready

Active time: 6 (sec)

137
 CCIE SECURITY V5

c1 Interface inside (10.1.1.1): Normal (Monitored)

c1 Interface outside (20.1.1.1): Normal (Monitored)

c2 Interface inside (30.1.1.2): Normal (Monitored)

c2 Interface outside (40.1.1.2): Normal (Monitored)

Other host: Secondary

Group 1 State: Standby Ready

Active time: 0 (sec)

Group 2 State: Active

Active time: 1512 (sec)

c1 Interface inside (10.1.1.2): Normal (Monitored)

c1 Interface outside (20.1.1.2): Normal (Monitored)

c2 Interface inside (30.1.1.1): Normal (Monitored)

c2 Interface outside (40.1.1.1): Normal (Monitored)

Stateful Failover Logical Update Statistics

Link : STATE Ethernet3 (up)

Stateful Obj xmit xerr rcv rerr
138
 CCIE SECURITY V5

General 216 0 209 0

sys cmd 201 0 201 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 10 0 6 0
UDP conn 0 0 0 0
ARP tbl 2 0 2 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 3 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0

139
 CCIE SECURITY V5

Logical Update Queue Information

Cur Max Total
Recv Q: 0 3 2555
Xmit Q: 0 3 2587

LAB-1.8: - ASA CLUSTERING

TASK1 CONFIGURE ASA-C1 AND ASA-C2 FOR CLUSTERING

140
 CCIE SECURITY V5

 Configure ASA-C1 and ASA-C2 with the following requirement

o Interface Mode : Spanned
o Interface Port channel ID : 1

o Sub Interface Po 1.10 : vlan: 10

o Sub Interface Po 1.20 : vlan: 20
o Interface for Po1 : eth1/eth2
o Cluster Group Name : ccnp

o CCL : eth3

o CCL IP ASA-C1 : 5.5.5.5/24

o CCL IP ASA-C2 : 5.5.5.6/24
o Master Unit : ASA-C1
o Management Pool : 150.1.7.159-150.1.7.160

o Management Pool Name : mgmt-pool

 Configure the interface of the ASA with the following requirements
o Interface Po1.10
 Nameif : Inside

 IP Add : 10.100.10.1/24
o Interface Po.1.20

 Nameif : Outside
 IP Add : 10.100.20.1/24
o Interface Mgmt
 Nameif : Management

 Ip Add : 150.1.7.158
 Sec-Level : 100

 Type : Management-Only
 Configure the Router
o Router R31
 Interface : fa0/0

 IP add : 10.100.10.10/24
 Default Route: 10.100.10.1

o Router R32
 Interface : fa0/0
141
 CCIE SECURITY V5

 IP add : 10.100.20.20/24
 Default Route: 10.100.20.1
 Configure the Switch

o Switch-C
 Vlan : 10,20,150
 Po : Po1 - Trunk
 Interface : eth0/1-1/0-0/3-1/2

 Inteface : eth1/1 and eth1/3

 Vlan : 150 (Mgmt port towards ASA)

 SVI
 Vlan150 : 150.1.7.157/24
 Vlan 10 : 10.100.10.100/24

 Vlan 20 : 10.100.20.100/24

 Follow the Topology for the Links information.

LAB-1.9: - ASA FIREWALL IP SERVICES

TASK1 CONFIGURE NTP SERVER AND CLIENT ON ASA1 AND DC-ROUTER

 Configure DC-Router as NTP Server and ASA1 as the NTP client

 Both the devices should be in the same time zone of PST -8

 NTP protocol should uses MD5 authentication with the key-id 1and password of “cisco”

Configuration on Router
142
 CCIE SECURITY V5

DC-Router:

clock timezone PST -8

clock set (hh:mm:ss)(DAY<1-31>)(MONTH)(YEAR) -> (privilege exec mode) 


ntp authentication-key 1 md5 cisco

ntp authenticate

ntp trusted-key 1

ntp master

Configuration on Firewall

ASA1:

ntp authentication-key 1 md5 cisco

ntp authenticate

ntp trusted-key 1

ntp server 150.1.7.163 key 1 prefer

clock timezone PST -8

Verification:

143
 CCIE SECURITY V5

ASA1# show ntp status

Clock is synchronized, stratum 9, reference is 150.1.7.163

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is df3b53d3.7e7ba2d9 (23:20:51.494 PST Wed Sep 5 2018)

clock offset is -0.2000 msec, root delay is 1.74 msec

root dispersion is 15893.17 msec, peer dispersion is 15890.63 msec

ASA1# show ntp associations

address ref clock st when poll reach delay offset disp

*~150.1.7.163 127.127.1.1 8 2 64 3 1.9 -0.06 7890.7

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

ASA1# show ntp associations detail

150.1.7.163 configured, authenticated, our_master, sane, valid, stratum 8

ref ID 127.127.1.1, time df3b5408.4f5c29d0 (23:21:44.310 PST Wed Sep 5 2018)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 2.33, reach 3, sync dist 7893.951

delay 1.86 msec, offset -0.0642 msec, dispersion 7890.69

precision 2**10, version 3

org time df3b5413.7e76ca10 (23:21:55.494 PST Wed Sep 5 2018)

144
 CCIE SECURITY V5

rcv time df3b5413.7eb87874 (23:21:55.495 PST Wed Sep 5 2018)

xmt time df3b5413.7e3d85cb (23:21:55.493 PST Wed Sep 5 2018)

filtdelay = 1.86 1.74 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = -0.06 -0.20 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 15.63 16.60 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

TASK2 CONFIGURE DNS ON ASA1

 Configure ASA1to perform dns lookup.

 The DNS Server ip is 150.1.7.164

 Domain Name is cisco.com and use MGMT Interface

Configuration on Firewall

ASA1:

dns domain-lookup mgmt

dns name-server 150.1.7.164

domain-name cisco.com

145
 CCIE SECURITY V5

Verification:

ASA1# ping ISE-P.cisco.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.7.169, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1# show dns-hosts

Host Flags Age Type Address(es)

ISE-P.cisco.com (temp, OK) 0 IP 150.1.7.169

TASK3 CONFIGURE LOGGING ON ASA1

 Create a log filter list to send all IKE, IPSec, and VPN client warning messages to a syslog server at 10.1.1.101.


 Send only critical EIGRP and RIP messages to the buffer and change the buffer size to 32768. Messages
should be saved to the flash when the buffer gets full.

 Send debug messages to the ASDM. The ASA should buffer 300 messages. 

146
 CCIE SECURITY V5

Confuguration on Firewall

ASA1:

loggin enable

“Create logging Lists”

logging list IPSEC level warnings class vpn

logging list IPSEC level warnings class vpnc

logging list FAILOVER level errors class ha

Send the logs to syslog server

logging host dmzserver 150.1.7.164

logging trap IPSEC

Send logs buffer and change the buffer logging parameters

logging class rip buffered critical

logging class eigrp buffered critical
logging buffer-size 32768

147
 CCIE SECURITY V5

logging flash-bufferwrap

Section 2 – NGFW Firewall

GOAL OF THE LAB

The goal of this hands-on lab is to give a deployment engineer the skills necessary to

successfully install and configure Cisco’s latest version of Next Generation Firewall

(NGFW). You will deploy Firepower Management Center (FMC) and Firepower Threat

Defence (FTD) devices in a realistic network topology. Once the devices have a basic

configuration you will learn how to use some of the new features and benefits of the

integrated Firewall (FW) and Intrusion Prevention System (IPS). Though this lab is geared

to teach the basics of FTD, throughout this lab there are questions and roadblocks to help

you learn what should/shouldn’t (or can/can’t) be done. When approaching this lab

come with your thinking caps on and engaged.

148
 CCIE SECURITY V5

LAB-2.1: - SETTING UP THE LAB ENVIRONMENT

TASK1 DOWNLOAD FMC AND FTD FROM THE CISCO.COM

 Download the FMC, NGIPS and FTD from the cisco.com, with the valid credentials.
 Once being downloaded, Install the OVF template on the VMware ESXI Server.
149
 CCIE SECURITY V5

 Allocate the Logical Resources to the FMC, NGIPS and FTD.

 Power on all the Devices.

“The Firepower Threat Defence (FTD) devices are not configurable via their CLI beyond

setting up their Management Interfaces. In order to configure the data plane, you must

either use the Firepower Device Manager (a new feature in Firepower version 6.1) or the

Firepower Management Centre (FMC).”

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK2 CONFIGURE FMC/FTDV1/FTDV2 AND NGIPS

 Configure the all devices

o Login to the NGFW, with the Username/pass – admin/Admin123

o After login change the password to Sanfran@1234

o Manage locally

o Use the IP Scheme as mentioned in the IP reference sheet

Interface Name IP

Default Gateway MGMT gateway 150.1.7.1/24

Mgmt. FMC 150.1.7.175/24

150
 CCIE SECURITY V5

Mgmt. FTDv1 150.1.7.176/24

Mgmt. NGIPSv 150.1.7.177/24

Mgmt. FTDv2 150.1.7.178/24

Domain-name cisco.com 150.1.7.164

 For detail solution please refer to the “avi” file uploaded on the resource portal

The Firepower Threat Defense (FTD) devices are not configurable via their CLI beyond setting up their

Management Interfaces. In order to configure the data plane, you must either use the Firepower Device

Manager (a new feature in Firepower version 6.1) or the Firepower Management Center (FMC).

TASK3 CISCO FMC- OFF BOX MANAGEMENT FOR THE SENSOR

 Give the Management IP for the FMC 150.1.7.175/24

 Connecting the FMC for the First time to Administration Page.

o Change the password to Sanfran@1234
o Change the Time-Zone to Asia/Kolkata
o Primary DNS 8.8.8.8

o Secondary DNS 8.8.4.4

o Tertiary DNS 150.1.7.164

 Initial Task Setup
o Check the Access-list
o Enable the VMware Tools
o Process

o Login Banner

151
 CCIE SECURITY V5

 Change it to “Welcome to the Netmetric NGFW Lab”

o HTTPS Certificate
o Management Interface

o Time Synchronization
 NTP Server :- 150.1.7.164
 Time Zone :- ASIA/Kolkatta
o Email Notification

o Check and Create a new users

 Bob : Network Access : Password – Sanfran@1234

 For detail solution please refer to the “avi” file uploaded on the resource portal

TASK4 SMART LICENCING

 Activate the Evaluation Mode Licensing on the FMC

Notes: -

Here is a brief description of the licenses:

Base: A perpetual license that is automatically included. This license covers anything that isn’t considered an “optional
term license”. In other words, it covers everything but that which is discussed (covered) by the following term-based licenses.

Threat: A term-based license that analyzes network traffic for intrusions and exploits. It also has the ability to identify the
file type of files being sent through the FTD device, such as documents, executables, PDFs, etc.

Malware: A term-based license that allows file policies to check for malware. This license is required if the use of
Advanced Malware Protection (AMP) or AMP Threat Grid is desired.

152
URL: A term-based license that allows the use of categories and/or reputation-based URL filtering, such as gambling,
social media, or using a “5 star” reputation system to filter URLs.
 CCIE SECURITY V5

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK5 FMC DATABASE

 Product Update

 Rule Update
 Geolocation Update

TASK6 WHO IS AND GEOLOCATION SEARCH

 Check the respective ip address and check who owns it, and from what part of the world is it from
o 1.1.1.1
o 2.2.2.2

o 5.5.5.5

o 64.1.1.1

TASK7 CONFIGURE THE PLATFORM SETTINGS

 Create a new policy for “Threat Defence Settings” with the name “Test Platform”
o Add Banner : Welcome to Netmetric NGFW
o Secure Shell : Management interface

TASK8 INTEGRATION WITH AD

 Configure FMC, so that it will be integrated with the Active Directory.

 Username and Password are mentioned below

o Username : administrator
o Password : Sanfran@1234

153
 CCIE SECURITY V5

LAB-2.2: - FTD1/FTD2 AND NGIPS FIREWALL BASIC CONFIGURATION

TASK1 REGISTER THE FTD1, FTD2 AND NGIPS WITH FMC

 FTD1, FTD2 and NGIPS should be managed from the FMC.

 The shared secret key used for the registration between the FTD1, FTD2 and NGIPS and FMC should be
cisco123
 Add a group name as HA for FTD1 and FTD2, and DMZ_NGIPS for NGIPS

 Name of the policy should be “HA_Base-Policy” and “NGIPS_Base-Policy”

 Default action should be “Block all traffic”

 Enable all the license option.

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK2 CONFIGURE THE FTD HA

 Do the configuration as per the below mentioned table

Interface Name Zone IP

Gi0/0 ISP_Out Outside 150.1.7.190/24 – Secondary IP : 150.1.7.191

Gi0/1 LAN_Inside Inside 100.1.1.100/24 – Secondary IP : 100.1.1.101

Gi0/2 DMZ_Server DMZ 200.1.1.200/24 – Secondary IP : 200.1.1.101

Gi0/3 FO 10.10.10.10 – Secondary IP : 10.10.10.10

For detail solution please refer to the “avi” file uploaded on the resource portal

154
 CCIE SECURITY V5

TASK3 CONFIGURE THE FTD ROUTING

 Configure the OSPF on the Inside and DMZ zone of the HA FTD.
 OFPF area should be 0 in ABR, use Topology to advertise the required network.
 R100 and R200 are already configured for the same.

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK4 CONFIGURE THE NGIPS RULE

 Make the EIGRP Routing process up between R200 and R300 through NGIPS.

 R300 should in the Internal Zone of the NGIPS and R200 should be in the External Zone of the NGIPS.
 Enable the logging at the beginning of the connection
 Allow HTTP, ICMP and FTP traffic from Client-PC to the respective servers.

TASK5 DEPLOY THE CONFIGURATION

 Deploy and push all the configuration to the FTD.

 Verify all the configuration has been pushed or not.
 Check all the reachability to the devices.
 Verify & Test the configuration

For detail solution please refer to the “avi” file uploaded on the resource portal

155
 CCIE SECURITY V5

LAB-2.3: - CONNECT THE LAN USER TO DMZ

TASK1 NAT POLICY

 Configure the Static NAT, with the DMZ as the “destination” interface and implementation should be
AUTO NAT, going from Inside Zone to DMZ Zone.
 Web Server1 (1.1.1.1) should be accessible through the ip of 50.50.50.50.

 Web Server2 (2.2.2.2) should be accessible through the ip of 60.60.60.60.

 FTP Server1 (3.3.3.3) should be accessible through the ip of 70.70.70.70.

A Note about Auto NAT and Manual NAT

Cisco recommends you use Auto NAT unless you need the extra features of Manual NAT. It is easier to configure and might
be more stable for services such as VoIP.

Comparing Auto NAT and Manual NAT. The main differences between these two NAT types are:

How you define the real addresses:

Auto NAT – The NAT rule becomes a parameter for a network object. The network object IP address serves as
the original (real) address.

Manual NAT – You identify a network object, or network group, for both the real and mapped addresses. In this case NAT
is not a parameter of the network object; the network object (or network group) is a parameter of the NAT configuration. The ability
to use a network object group for the real address means that manual NAT is more scalable.

How source and destination NAT is implemented: 156

Auto NAT – Each rule can apply to either the source or destination of the packet. So two rules might be used; one for
the source IP address and one for the destination IP address. These two rules cannot be tied together to enforce a specific
translation for a source/destination combination.
 CCIE SECURITY V5

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK2 TESTING CONNECTIVITY TO SERVERS

 Check the connectivity from the Client-PC.

 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

Though your routing and interfaces are correct the Access Control Policy assigned to this FTD,
currently the Base Policy Access Control Policy, has no rules so it takes the Default Action rule which
is BLOCK All the Traffic.

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK3 CONFIGURE THE ACCESS POLICY WITH PRE-FILTER RULE

 Pre-Filter Rule

 Create a New rule in Pre-Filter Policy

o Name :- Fastpath_Policy
o Action :- Fastpath
o Apply :- Base Policy of FTD

 Check the Connectivity now and ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK4 CONFIGURE THE ACCESS POLICY WITH ALLOW RULE FOR ICMP

157
 CCIE SECURITY V5

 Remove the previously created the Pre-filter policy and continue with the task.
 Create a New rule in Mandatory Category of the ACP base Policy.
o Name :- ICMP

o Insert :- Into Mandatory

o Action :- Allow
o Source Zone :- Inside
o Destination Zone :- DMZ

o Source Network :- Lan_Subnet :- 6.6.6.0/24

o Destination Network :- WebServer1 :- 1.1.1.1

o Destination Network :- FTPServer :- 3.3.3.3
o Port :- icmp
o Logging :- Beginning of the Connection

Notes :-

For detail solution please refer to the “avi” file uploaded on the resource portal

When you click the dropdown menu button notice all the options you have to choose from. A whole
lab could be created around implementing and testing all these combinations of options. In short
use the following list to get an idea of what each are for:

Allow: Permit through the Firewall but check it against the SNORT rules.

Trust: Check it against the Firewall rules but don’t check it against the SNORT rules.

Monitor: Send the traffic to SNORT for analysis and then determine whether to process through
the Firewall rules.

Block: Don’t allow through the Firewall (and thus don’t sent to SNORT either) and don’t send any
sort of acknowledgement back to the source that you are blocking.

Block with Reset: Don’t allow through the Firewall and let the source know its connection has
been terminated.

Interactive Block: Notify the user that the action that triggered this rule is recommended to be
blocked but that the user

can choose to continue with this action should they feel it is okay to proceed.

Interactive Block with reset: The same as the Interactive Block but this time, if the user chooses
to not proceed with their action send a reset to the source.
158
 CCIE SECURITY V5

TASK5 TESTING CONNECTIVITY TO SERVERS

 Check the connectivity from the Client-PC.
 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK6 CONFIGURE THE ACCESS POLICY WITH ALLOW RULE FOR HTTP

 Create a New rule in Mandatory Category of the ACP base Policy.

o Name :- HTTP
o Insert :- Into Mandatory

o Action :- Allow
o Source Zone :- Inside

o Destination Zone :- DMZ

o Source Network :- Lan_Subnet :- 6.6.6.0/24

o Destination Network :- WebServer1 :- 1.1.1.1

o Destination Network :- WebServer2 :- 2.2.2.2

o Port :- http 80
o Logging :- Beginning of the Connection

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK7 TESTING CONNECTIVITY TO SERVERS

 Check the connectivity from the Client-PC.
 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For detail solution please refer to the “avi” file uploaded on the resource portal

159
 CCIE SECURITY V5

TASK8 CONFIGURE THE ACCESS POLICY WITH ALLOW RULE FOR FTP

 Create a New rule in Mandatory Category of the ACP base Policy.

o Name :- FTP
o Insert :- Into Mandatory
o Action :- Allow
o Source Zone :- Inside

o Destination Zone :- DMZ

o Source Network :- Lan_Subnet :- 6.6.6.0/24
o Destination Network :- FTPServer :- 3.3.3.3
o Port :- http 21
o Logging :- Beginning of the Connection

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK9 TESTING CONNECTIVITY TO SERVERS

 Check the connectivity from the Client-PC.
 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK10 CONFIGURE THE ACCESS POLICY WITH BLOCK RULE FOR GEOLOCATION OF
GERMANY

 Create a New rule in Mandatory Category of the ACP base Policy.

o Name :- Block Germany

o Insert :- Into Mandatory
o Action :- Block
160
 CCIE SECURITY V5

o Source Zone :- Inside

o Destination Zone :- DMZ
o Source Network :- Lan_Subnet :- 6.6.6.0/24

o Destination Network :- Germany :- Europe Continent

o Logging :- Beginning of the Connection

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK11 TESTING CONNECTIVITY TO SERVERS

 Check the connectivity from the Client-PC.

 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For detail solution please refer to the “avi” file uploaded on the resource portal

Here is a quick reference list of the different actions and some of their extended options:

Detect = checks first 1460 Bytes, determines the type of file and generates a log

Block = blocks the file based on first 1460 Bytes

Malware Cloud Lookup = Sends the SHA-256 hash of a file to the cloud for analysis and depending on the answer
generates a log if the file is bad. Optionally, msexe files can be sent to cloud for Dynamic Analysis and/or SPERO
analysis.

Block Malware = Sends the SHA-256 hash of a file to the cloud for analysis and depending on the answer blocks it if the
f ile is bad. Optionally, msexe files can be sent to cloud for Dynamic Analysis and/or SPERO analysis.

Spero analysis = checks apart from SHA-256 also some other parameters (e.g. DLLs that are called etc)

Dynamic analysis = sends the file to the cloud for analysis. This can take 20-30 minutes

LAB-2.4: - CONFIGURE FILE AND MALWARE POLICY

161
 CCIE SECURITY V5

TASK1 CONFIGURE A NEW FILE POLICY WITH NAME “PDF-MALWARE” TO BLOCK

PDF FILE
 Create and add new Rule

o Application Protocol :- Any

o Direction of Transfer :- Download
o Action :- Block Files
o File Type Categorries :- PDF
o File Type :- All types in selected Categories

TASK2 USE THE SAME FILE POLICY WITH NAME “PDF-MALWARE” TO BLOCK ANY
MALWARE
 Create and add new Rule
o Application Protocol :- Any

o Direction of Transfer :- Download

o Action :- Block Malware

o Options :- Spero Analysis for MSEXE, Local Malware Analysis

o File Type Categorries :- All

o File Type :- All types in selected Categories

TASK3 CALL THE POLICY IN ACCESS CONTROL POLICY

 Add the above created “PDF-Malware” policy into the access control policy, which we created in the TASK
8.

LAB-2.5: - CONFIGURE URL FILTERING POLICY

162
 CCIE SECURITY V5

TASK1 BLOCK GAMBLING CONTENT

 Create the general block rule, so that the user cannot open the Gambling sites.

 Create the Rule

o Name :- No Gambling For You!!
o Insert :- Into Gambling

o Action :- Block

o Source Zone :- Inside

o Destination Zone :- Outside
o Source Network :- Lan_Subnet :- 10.1.1.0/24
o URL :- Gambling

o Logging :- Beginning of the Connection

 HTTP Response should be used as System Provided for Block Response Page.

 Verify and Test URL filtering

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK2 BLOCK SOCIAL MEDIA CONTENT

 Create the general block rule, so that the user cannot open the Social Media sites.
 Create the Rule

o Name :- Block Social Media

o Insert :- Into Social Media

o Action :- Block
o Source Zone :- Inside

o Destination Zone :- Outside

o Source Network :- Lan_Subnet :- 10.1.1.0/24
o URL :- Social Network
163
 CCIE SECURITY V5

o Logging :- Beginning of the Connection

 Verify and Test URL filtering

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK3 ALLOW FACEBOOK ACCESS FOR CLIENT-PC

 Create the general Allow rule, so that the user can open the Facebook site.

 Create the Rule

o Name :- Permit Facebook

o Insert :- Into Social Media

o Action :- Allow
o Source Zone :- Inside

o Destination Zone :- Outside

o Source Network :- Lan_Subnet :- 10.1.1.0/24

o URL :- www.facebook.com
o Logging :- Beginning of the Connection
 Verify and Test URL filtering

For detail solution please refer to the “avi” file uploaded on the resource portal

LAB-2.6: - CONFIGURE SSL POLICY

TASK1 SELF SIGNED CERTIFICATE

164
 CCIE SECURITY V5

 Generate the Self Signed Certificate:

o Name :- FMC_CA
o Country :- IN

o State :- KR
o City :- Bangalore
o Org :- Netmetric
o Dep :- Training

o Comman Name :- FMC as CA

 Download the Certificate into the Client-PC and Use password as Sanfran1234.
 Associate the SSL Policy to the ACP and Deploy the configuration

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK2 CREATE THE SSL POLICY

 Generate the Self Signed Certificate:

o Name :- SSL MITM Policy

o Default Action :- Do not decrypt

 Add Rule as follows

o Name :- MITM
o Action :- Decrypt-Resign

o With :- FMC_CA

o Zone :- Source – Inside

o Zone :- Destination – Outside
o Network :- Source – Lab_Subnet

o Logging :- At the beginning of the connection

165
 CCIE SECURITY V5

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK3 APPLY SSL POLICY TO ACP

 Edit the SSL Policy to ACP and save the configuration then Deploy.
 Edit the SSL Policy to ACP and save the configuration then Deploy.

For detail solution please refer to the “avi” file uploaded on the resource portal

TASK4 FMC CERTIFICATE

 Install the FMC CA certificate into the Client-PC

 Trust the FMC as the Certificate Authority CA within your browser

 Verify the end to end connectivity

For detail solution please refer to the “avi” file uploaded on the resource portal

Section 3 – VPN

GOAL OF THE LAB

166
 CCIE SECURITY V5

Virtual Private Networks is intended to help you master the VPN technologies that are available on IOS
and the ASA. You will be configuring Site-to-Site, Remote Access, DMVPN, GetVPN, CA and Flex VPNs
along with some advanced features related to these technologies.

It is recommended that you create your own diagram at the beginning of each lab so any potential
information you find useful during your preparations can be reflected on this drawing, making it much
easier when you step into the real lab.

Multiple topology drawings are available for this chapter.

General Rules: - This lab will focus strictly on the Virtual Private Networks. You will need to pre-configure
the network with the base configuration files.

LAB-3.1: - SITE TO SITE VPN

LAB-SETUP

 Configure R51, R53 & R52(ISP) with the IP mentioned in the table

167
 CCIE SECURITY V5

 Configure the telnet on the respective routers using password “cisco”

 For the Internet, the Default routes on R51 and R53 with the next hop as corresponding interface IP of R52.

Device Interface IP

R51 Gi1 20.1.14.1/24

Loopback0 14.14.14.14/24

R53 Gi1 20.1.15.1/24

Loopback0 15.15.15.15/24

R52 Gi1 20.1.14.2/24

Gi3 20.1.15.2/24

Configuration on Router: -

R51:

hostname R51

interface gi1

no shut

ip address 20.1.14.1 255.255.255.0

168
 CCIE SECURITY V5

interface loop 0

ip address 14.14.14.14 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.14.2

R53:

hostname R53

interface gi1

no shut

ip address 20.1.15.1 255.255.255.0

interface loop 0

ip address 15.15.15.15 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.15.2

R52:

hostname R52

169
 CCIE SECURITY V5

interface gi1

no shut

ip address 20.1.14.2 255.255.255.0

interface gi3

no shut

ip address 20.1.15.2 255.255.255.0

Verifications:

R51#show ip int br

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1 20.1.14.1 YES manual up up

GigabitEthernet4 150.1.7.184 YES manual up up

Loopback0 14.14.14.14 YES manual up up

R51#show ip route static

170
 CCIE SECURITY V5

S* 0.0.0.0/0 [1/0] via 20.1.14.2

R53#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 20.1.15.1 YES manual up up

Loopback0 15.15.15.15 YES manual up up

R53#show ip route static

S* 0.0.0.0/0 [1/0] via 20.1.15.2

R52#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 20.1.14.2 YES manual up up

FastEthernet0/1 20.1.15.2 YES manual up up

171
 CCIE SECURITY V5

R51#ping 20.1.15.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.15.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

R53#ping 20.1.14.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.14.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/32 ms

TASK1 SITE TO SITE IPSEC VPN (IOS-IOS) R51-R53

 Configure basic Site to Site IPSec VPN in Main Mode to protect traffic between IP addresses 14.14.14.14 and
15.15.15.15 using the following policy:

ISAKMP Policy IPSec Policy

Authentication: Pre-share Encryption: esp-aes

Encryption: AES

172
 CCIE SECURITY V5

Hash: SHA Hash: SHA

DH Group: 5
Lifetime: 1800

Configuration on Router: -

R51:

crypto isakmp policy 10

encryption aes

authentication pre-share

hash sha

group 5

lifetime 1800

crypto isakmp key cisco address 20.1.15.1

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN

173
 CCIE SECURITY V5

permit ip 14.14.14.0 0.0.0.255 15.15.15.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp

set transform-set TS

set peer 20.1.15.1

match address VPN

interface gi1

crypto map CMAP

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

ISAKMP is enabled and working. The router will be processing IKE packets (UDP protocol, port 500) for establishing
ISAKMP “auxiliary” tunnel which will be used to negotiate securely parameters of an IPSec tunnel.

R53:

crypto isakmp policy 10

encryption aes

authentication pre-share

hash sha

group 5

174
 CCIE SECURITY V5

lifetime 1800

crypto isakmp key cisco address 20.1.14.1

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN

permit ip 15.15.15.0 0.0.0.255 14.14.14.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp

set transform-set TS

set peer 20.1.14.1

match address VPN

interface gi1

crypto map CMAP

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

ISAKMP is enabled and working. The router will be processing IKE packets (UDP protocol, port 500) for establishing
ISAKMP “auxiliary” tunnel which will be used to negotiate securely parameters of an IPSec tunnel.

175
 CCIE SECURITY V5

R51#debug crypto isakmp

Crypto ISAKMP debugging is on

R51#ping 15.15.15.15 source loop 0

“The first ICMP packet triggers ISAKMP process as this is our interesting traffic matching our ACL. Before actually start
sending IKE packets to the peer the router first checks if there is any local SA (Security Association) matching that traffic.
Note that this check is against IPSec SA not IKE SA.
OK, no SA means there must be IKE packet send out.”

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 15.15.15.15, timeout is 2 seconds:

Packet sent with a source address of 14.14.14.14

*Mar 1 00:19:47.067: ISAKMP:(0): SA request profile is (NULL)

“The router has tried to find any IPSec SA matching outgoing connection but no valid SA has been found in Security
Association Database (SAD) on the router. “

*Mar 1 00:19:47.067: ISAKMP: Created a peer struct for 20.1.15.1, peer port 500

*Mar 1 00:19:47.071: ISAKMP: New peer created peer = 0x66B340CC peer_handle =

0x80000002

*Mar 1 00:19:47.071: ISAKMP: Locking peer struct 0x66B340CC, refcount 1 for

isakmp_initiator
176
 CCIE SECURITY V5

*Mar 1 00:19:47.071: ISAKMP: local port 500, remote port 500

*Mar 1 00:19:47.071: ISAKMP: set new node 0 to QM_IDLE

*Mar 1 00:19:47.087: insert sa successfully sa = 666BB04C

*Mar 1 00:19:47.087: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

“The router has started IKE Main Mode (it is a default)”

*Mar 1 00:19:47.087: ISAKMP:(0):found peer pre-shared key matching 20.1.15.1

“Pre-shared key for remote peer has been found. ISAKMP will use it to authenticate the peer during one of the last stages
of IKE Phase 1. “

*Mar 1 00:19:47.091: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar 1 00:19:47.091: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar 1 00:19:47.091: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar 1 00:19:47.095: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar 1 00:19:47.095: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar 1 00:19:47.095: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 00:19:47.095: ISAKMP:(0): beginning Main Mode exchange

*Mar 1 00:19:47.099: ISAKMP:(0): sending packet to 20.1.15.1 my_port 500 peer_port 500
(I) MM_NO_STATE

177
 CCIE SECURITY V5

“The router initiating IKE exchange is called “the initiator”.
The router responding to IKE request is called “the
responder”.
The initiator (R1) has sent ISAKMP policy along with vendor specific IDs which are a part of IKE packet
payload. MM_NO_STATE indicates that ISAKMP SA has been created, but nothing else has happened yet. “

*Mar 1 00:19:47.099: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 00:19:47.503: ISAKMP (0:0): received packet from 20.1.15.1 dport 500 sport 500
Global (I) MM_NO_STATE

“The responder (R2) has responded with IKE packet that contains negotiated ISAKMP policy along with its vendor specific
IDs. Note that the IKE Main Mode state is still MM_NO_STATE. “

*Mar 1 00:19:47.515: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:19:47.515: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*Mar 1 00:19:47.523: ISAKMP:(0): processing SA payload. message ID = 0.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 20/46/84 ms

R14#

*Mar 1 00:19:47.523: ISAKMP:(0): processing vendor id payload

*Mar 1 00:19:47.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:19:47.523: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:19:47.527: ISAKMP:(0):found peer pre-shared key matching 20.1.15.1

*Mar 1 00:19:47.527: ISAKMP:(0): local preshared key found

*Mar 1 00:19:47.527: ISAKMP : Scanning profiles for xauth ...

*Mar 1 00:19:47.527: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

178
 CCIE SECURITY V5

*Mar 1 00:19:47.531: ISAKMP: encryption AES-CBC

*Mar 1 00:19:47.531: ISAKMP: keylength of 128

*Mar 1 00:19:47.531: ISAKMP: hash SHA

*Mar 1 00:19:47.531: ISAKMP: default group 5

*Mar 1 00:19:47.531: ISAKMP: auth pre-share

*Mar 1 00:19:47.531: ISAKMP: life type in seconds

*Mar 1 00:19:47.535: ISAKMP: life duration (basic) of 1800

*Mar 1 00:19:47.535: ISAKMP:(0):atts are acceptable. Next payload is 0

“The router is processing ISAKMP parameters that have been sent as the reply.
Vendor IDs are processed to determine
if peer supports e.g. NAT- Traversal, Dead Peer Detection feature. ISAKMP policy is checked against policies defined
locally.

“atts are acceptable” indicates that ISAKMP policy matches with remote peer. Remember that comparing the policy that
has been obtained from remote peer with locally defined polices starting from the lowest index (number) of policy
defined in the running config. “

*Mar 1 00:19:47.535: ISAKMP:(0):Acceptable atts:actual life: 0

*Mar 1 00:19:47.535: ISAKMP:(0):Acceptable atts:life: 0

*Mar 1 00:19:47.535: ISAKMP:(0):Basic life_in_seconds:1800

*Mar 1 00:19:47.539: ISAKMP:(0):Returning Actual lifetime: 1800

*Mar 1 00:19:47.539: ISAKMP:(0)::Started lifetime timer: 1800.

“The lifetime timer has been started. Note that default value of “lifetime” is used (86400 seconds). This is lifetime for
ISAKMP SA. Note that IPSEC SAs have their own lifetime parameters which may be defined as number of seconds or
kilobytes of transmitted traffic.”
179
 CCIE SECURITY V5

*Mar 1 00:19:47.539: ISAKMP:(0): processing vendor id payload

*Mar 1 00:19:47.539: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:19:47.543: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:19:47.543: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:19:47.543: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

“IKE Phase 1 (Main Mode) message 3
The third message is sent out containing KE (Key Exchange)
information for DH (Diffie-Hellman) secure key exchange process. “

*Mar 1 00:19:47.587: ISAKMP:(0): sending packet to 20.1.15.1 my_port 500 peer_port 500
(I) MM_SA_SETUP

*Mar 1 00:19:47.587: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 00:19:47.591: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:19:47.591: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

4th message has been received from the peer. This message contains KE payload and base on that
information both peers can generate a common session key to be used in securing further
communication. The pre-shared key configured locally for the peer is used in this
calculation.
After receiving this message peers can also be able to determine if there is a NAT
along the path.

*Mar 1 00:19:48.043: ISAKMP (0:0): received packet from 20.1.15.1 dport 500 sport 500
Global (I) MM_SA_SETUP

*Mar 1 00:19:48.043: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

180
 CCIE SECURITY V5

*Mar 1 00:19:48.047: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

“MM_SA_SETUP” idicates that the peers have agreed on parameters for the ISAKMP SA.

*Mar 1 00:19:48.051: ISAKMP:(0): processing KE payload. message ID = 0

*Mar 1 00:19:48.399: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar 1 00:19:48.399: ISAKMP:(0):found peer pre-shared key matching 20.1.15.1

*Mar 1 00:19:48.403: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:19:48.407: ISAKMP:(1001): vendor ID is Unity

*Mar 1 00:19:48.407: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:19:48.407: ISAKMP:(1001): vendor ID is DPD

*Mar 1 00:19:48.407: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:19:48.411: ISAKMP:(1001): speaking to another IOS box!

*Mar 1 00:19:48.411: ISAKMP:received payload type 20

*Mar 1 00:19:48.411: ISAKMP:received payload type 20

*Mar 1 00:19:48.411: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PROCESS_MAIN_MODE

*Mar 1 00:19:48.415: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4

“IKE Phase 1 (Main Mode) message 5
Fifth message is used for sending out authentication
information the peer. This information is transmitted under the protection of the common shared
secret. “
181
 CCIE SECURITY V5

*Mar 1 00:19:48.419: ISAKMP:(1001):Send initial contact

*Mar 1 00:19:48.423: ISAKMP:(1001):SA is doing pre-shared key authentication using id

type ID_IPV4_ADDR

*Mar 1 00:19:48.423: ISAKMP (0:1001): ID payload

next-payload : 8

type :1

address : 20.1.14.1

protocol : 17

port : 500

length : 12

*Mar 1 00:19:48.423: ISAKMP:(1001):Total payload length: 12

*Mar 1 00:19:48.427: ISAKMP:(1001): sending packet to 20.1.15.1 my_port 500 peer_port

500 (I) MM_KEY_EXCH

“MM_KEY_EXCH” indicates that the peers have exchanged Diffie-Hellman public keys and have generated a shared
secret. The ISAKMP SA remains unauthenticated. Note that the process of authentication has been just started.

*Mar 1 00:19:48.427: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:19:48.431: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PROCESS_COMPLETE

*Mar 1 00:19:48.431: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5

182
 CCIE SECURITY V5

IKE Phase 1 (Main Mode) message 6
The peer identity is verified by the local router and SA is
established.
This message finishes ISAKMP Main Mode (Phase I) and the status is changed to
IKE_P1_COMPLETE.

*Mar 1 00:19:48.467: ISAKMP (0:1001): received packet from 20.1.15.1 dport 500 sport 500
Global (I) MM_KEY_EXCH

“Note that the process of peer authentication is still in progress (MM_KEY_EXCH). Remember that there is also one IKE
Main Mode state which is not visible in the debug output. It is “MM_KEY_AUTH” which indicates that the ISAKMP SA has
been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and a Quick mode
exchange begins. “

*Mar 1 00:19:48.471: ISAKMP:(1001): processing ID payload. message ID = 0

*Mar 1 00:19:48.471: ISAKMP (0:1001): ID payload

next-payload : 8

type :1

address : 20.1.15.1

protocol : 17

port : 500

length : 12

*Mar 1 00:19:48.471: ISAKMP:(0):: peer matches *none* of the profiles

*Mar 1 00:19:48.475: ISAKMP:(1001): processing HASH payload. message ID = 0

*Mar 1 00:19:48.475: ISAKMP:(1001):SA authentication status:

authenticated
183
 CCIE SECURITY V5

*Mar 1 00:19:48.479: ISAKMP:(1001):SA has been authenticated with 20.1.15.1

*Mar 1 00:19:48.479: ISAKMP: Trying to insert a peer 20.1.14.1/20.1.15.1/500/, and

inserted successfully 66B340CC.

“The peer has been authenticated now. Note that SA number has been generated and inserted into SADB along with the
information relevant to the peer which has been agreed during IKE Main Mode.”

*Mar 1 00:19:48.479: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:19:48.483: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6

*Mar 1 00:19:48.487: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PROCESS_MAIN_MODE

*Mar 1 00:19:48.487: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Mar 1 00:19:48.495: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PROCESS_COMPLETE

*Mar 1 00:19:48.495: ISAKMP:(1001):Old State = IKE_I_MM6 New State =

IKE_P1_COMPLETE

*Mar 1 00:19:48.499: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of -

1496356104

*Mar 1 00:19:48.503: ISAKMP:(1001):QM Initiator gets spi

*Mar 1 00:19:48.507: ISAKMP:(1001): sending packet to 20.1.15.1 my_port 500 peer_port

500 (I) QM_IDLE

184
 CCIE SECURITY V5

*Mar 1 00:19:48.507: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:19:48.507: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_INTERNAL,

IKE_INIT_QM

*Mar 1 00:19:48.511: ISAKMP:(1001):Old State = IKE_QM_READY New State =

IKE_QM_I_QM1

*Mar 1 00:19:48.511: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PHASE1_COMPLETE

*Mar 1 00:19:48.511: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State =

IKE_P1_COMPLETE

IKE Phase 2 (Quick Mode) message 2
Second QM message is a response from the peer. It contains
IPSec policy chosen by the peer and peer’s proxy ID. This is a next place where something can go
wrong if the Proxy IDs are different on both sides of the tunnel. The router cross-checks if its Proxy
ID is a mirrored peer’s Proxy ID.

*Mar 1 00:19:48.559: ISAKMP (0:1001): received packet from 20.1.15.1 dport 500 sport 500
Global (I) QM_IDLE

“The state of IKE is “QM_IDLE”. This indicates that the ISAKMP SA is idle. It remains authenticated with its peer and may
be used for subsequent quick mode exchanges. It is in a quiescent state. “

*Mar 1 00:19:48.563: ISAKMP:(1001): processing HASH payload. message ID = -1496356104

*Mar 1 00:19:48.567: ISAKMP:(1001): processing SA payload. message ID = -1496356104

*Mar 1 00:19:48.567: ISAKMP:(1001):Checking IPSec proposal 1

*Mar 1 00:19:48.567: ISAKMP: transform 1, ESP_AES

185
 CCIE SECURITY V5

*Mar 1 00:19:48.567: ISAKMP: attributes in transform:

*Mar 1 00:19:48.567: ISAKMP: encaps is 1 (Tunnel)

*Mar 1 00:19:48.571: ISAKMP: SA life type in seconds

*Mar 1 00:19:48.571: ISAKMP: SA life duration (basic) of 3600

*Mar 1 00:19:48.571: ISAKMP: SA life type in kilobytes

*Mar 1 00:19:48.571: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Mar 1 00:19:48.575: ISAKMP: authenticator is HMAC-SHA

*Mar 1 00:19:48.575: ISAKMP: key length is 128

*Mar 1 00:19:48.575: ISAKMP:(1001):atts are acceptable.

“The routers are negotiating parameters for IPSec tunnel which will be used for traffic transmission. These parameters
are defined by “crypto ipsec transform-set” command. Note that lifetime values of IPSec SA are visible at this moment.
You are able to set it both: globally or in the crypto map entry.
“Attr are acceptable” indicates that IPSec parameters
defined as IPSec transform-set match at the both sides. “

*Mar 1 00:19:48.579: ISAKMP:(1001): processing NONCE payload. message ID = -

1496356104

*Mar 1 00:19:48.579: ISAKMP:(1001): processing ID payload. message ID = -1496356104

*Mar 1 00:19:48.579: ISAKMP:(1001): processing ID payload. message ID = -1496356104

*Mar 1 00:19:48.587: ISAKMP:(1001): Creating IPSec SAs

*Mar 1 00:19:48.587: inbound SA from 20.1.15.1 to 20.1.14.1 (f/i) 0/ 0

(proxy 15.15.15.0 to 14.14.14.0)

*Mar 1 00:19:48.591: has spi 0x56923AE3 and conn_id 0

186
 CCIE SECURITY V5

*Mar 1 00:19:48.591: lifetime of 3600 seconds

*Mar 1 00:19:48.591: lifetime of 4608000 kilobytes

*Mar 1 00:19:48.591: outbound SA from 20.1.14.1 to 20.1.15.1 (f/i) 0/0

(proxy 14.14.14.0 to 15.15.15.0)

*Mar 1 00:19:48.591: has spi 0x1BCBC824 and conn_id 0

*Mar 1 00:19:48.595: lifetime of 3600 seconds

*Mar 1 00:19:48.595: lifetime of 4608000 kilobytes

The IPSec SA have been created and inserted in the router’s security associations database (SADB). SAs are distinguished
by SPI values which are also used to differentiate many tunnels terminated on the same router. Note that two SPI values
are generated for one tunnel: one SPI for inbound SA and one SPI for outbound SA. SPI value is inserted in the ESP header
of the packet leaving the router. At the second side of the tunnel, SPI value inserted into the ESP header enables the
router to reach parameters and keys which have been dynamically agreed during IKE negotiations or session key
refreshment in case of lifetime timeout. The SPI value is an index of entities in the router’s SADB.

*Mar 1 00:19:48.595: ISAKMP:(1001): sending packet to 20.1.15.1 my_port 500 peer_port

500 (I) QM_IDLE

*Mar 1 00:19:48.599: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:19:48.599: ISAKMP:(1001):deleting node -1496356104 error FALSE reason "No

Error"

*Mar 1 00:19:48.599: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_FROM_PEER,

IKE_QM_EXCH

*Mar 1 00:19:48.603: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State =

IKE_QM_PHASE2_COMPLETE

All the negotiations have been completed. The tunnel is up and ready to pass the traffic.

187
 CCIE SECURITY V5

R53#debug crypto isakmp

Crypto ISAKMP debugging is on

*Mar 1 00:16:09.371: ISAKMP (0:0): received packet from 20.1.14.1 dport 500 sport 500
Global (N) NEW SA

*Mar 1 00:16:09.375: ISAKMP: Created a peer struct for 20.1.14.1, peer port 500

*Mar 1 00:16:09.375: ISAKMP: New peer created peer = 0x66EBF3DC peer_handle =

0x80000002

*Mar 1 00:16:09.375: ISAKMP: Locking peer struct 0x66EBF3DC, refcount 1 for

crypto_isakmp_process_block

*Mar 1 00:16:09.375: ISAKMP: local port 500, remote port 500

*Mar 1 00:16:09.379: insert sa successfully sa = 661E8044

*Mar 1 00:16:09.391: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:16:09.391: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Mar 1 00:16:09.395: ISAKMP:(0): processing SA payload. message ID = 0

*Mar 1 00:16:09.399: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.399: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:16:09.399: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:16:09.399: ISAKMP:(0): processing vendor id payload

188
 CCIE SECURITY V5

*Mar 1 00:16:09.403: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar 1 00:16:09.403: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar 1 00:16:09.403: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.403: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 1 00:16:09.407: ISAKMP:(0): vendor ID is NAT-T v3

*Mar 1 00:16:09.407: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.407: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 1 00:16:09.407: ISAKMP:(0): vendor ID is NAT-T v2

*Mar 1 00:16:09.411: ISAKMP:(0):found peer pre-shared key matching 20.1.14.1

*Mar 1 00:16:09.411: ISAKMP:(0): local preshared key found

*Mar 1 00:16:09.411: ISAKMP : Scanning profiles for xauth ...

*Mar 1 00:16:09.411: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar 1 00:16:09.411: ISAKMP: encryption AES-CBC

*Mar 1 00:16:09.415: ISAKMP: keylength of 128

*Mar 1 00:16:09.415: ISAKMP: hash SHA

*Mar 1 00:16:09.415: ISAKMP: default group 5

*Mar 1 00:16:09.415: ISAKMP: auth pre-share

*Mar 1 00:16:09.415: ISAKMP: life type in seconds

*Mar 1 00:16:09.415: ISAKMP: life duration (basic) of 1800

*Mar 1 00:16:09.419: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar 1 00:16:09.419: ISAKMP:(0):Acceptable atts:actual life: 0

189
 CCIE SECURITY V5

*Mar 1 00:16:09.419: ISAKMP:(0):Acceptable atts:life: 0

*Mar 1 00:16:09.419: ISAKMP:(0):Basic life_in_seconds:1800

*Mar 1 00:16:09.423: ISAKMP:(0):Returning Actual lifetime: 1800

*Mar 1 00:16:09.423: ISAKMP:(0)::Started lifetime timer: 1800.

*Mar 1 00:16:09.423: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.423: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:16:09.427: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:16:09.427: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.427: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar 1 00:16:09.427: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar 1 00:16:09.431: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.431: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 1 00:16:09.431: ISAKMP:(0): vendor ID is NAT-T v3

*Mar 1 00:16:09.431: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.435: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 1 00:16:09.435: ISAKMP:(0): vendor ID is NAT-T v2

*Mar 1 00:16:09.435: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:16:09.439: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Mar 1 00:16:09.447: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

190
 CCIE SECURITY V5

*Mar 1 00:16:09.447: ISAKMP:(0): sending packet to 20.1.14.1 my_port 500 peer_port 500
(R) MM_SA_SETUP

*Mar 1 00:16:09.447: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 00:16:09.451: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:16:09.451: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Mar 1 00:16:09.751: ISAKMP (0:0): received packet from 20.1.14.1 dport 500 sport 500
Global (R) MM_SA_SETUP

*Mar 1 00:16:09.755: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:16:09.755: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Mar 1 00:16:09.759: ISAKMP:(0): processing KE payload. message ID = 0

*Mar 1 00:16:10.127: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar 1 00:16:10.127: ISAKMP:(0):found peer pre-shared key matching 20.1.14.1

*Mar 1 00:16:10.135: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:16:10.135: ISAKMP:(1001): vendor ID is Unity

*Mar 1 00:16:10.135: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:16:10.135: ISAKMP:(1001): vendor ID is DPD

*Mar 1 00:16:10.139: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:16:10.139: ISAKMP:(1001): speaking to another IOS box!

*Mar 1 00:16:10.139: ISAKMP:received payload type 20

*Mar 1 00:16:10.139: ISAKMP:received payload type 20

191
 CCIE SECURITY V5

*Mar 1 00:16:10.143: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PROCESS_MAIN_MODE

*Mar 1 00:16:10.143: ISAKMP:(1001):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Mar 1 00:16:10.151: ISAKMP:(1001): sending packet to 20.1.14.1 my_port 500 peer_port

500 (R) MM_KEY_EXCH

*Mar 1 00:16:10.155: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:16:10.155: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PROCESS_COMPLETE

*Mar 1 00:16:10.155: ISAKMP:(1001):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Mar 1 00:16:10.563: ISAKMP (0:1001): received packet from 20.1.14.1 dport 500 sport 500
Global (R) MM_KEY_EXCH

*Mar 1 00:16:10.563: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:16:10.563: ISAKMP:(1001):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Mar 1 00:16:10.567: ISAKMP:(1001): processing ID payload. message ID = 0

*Mar 1 00:16:10.567: ISAKMP (0:1001): ID payload

next-payload : 8

type :1

address : 20.1.14.1

protocol : 17

port : 500
192
 CCIE SECURITY V5

length : 12

*Mar 1 00:16:10.567: ISAKMP:(0):: peer matches *none* of the profiles

*Mar 1 00:16:10.567: ISAKMP:(1001): processing HASH payload. message ID = 0

*Mar 1 00:16:10.567: ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1

spi 0, message ID = 0, sa = 661E8044

*Mar 1 00:16:10.567: ISAKMP:(1001):SA authentication status:

authenticated

*Mar 1 00:16:10.567: ISAKMP:(1001):SA has been authenticated with 20.1.14.1

*Mar 1 00:16:10.571: ISAKMP:(1001):SA authentication status:

authenticated

*Mar 1 00:16:10.571: ISAKMP:(1001): Process initial contact,

bring down existing phase 1 and 2 SA's with local 20.1.15.1 remote 20.1.14.1 remote port
500

*Mar 1 00:16:10.571: ISAKMP: Trying to insert a peer 20.1.15.1/20.1.14.1/500/, and

inserted successfully 66EBF3DC.

*Mar 1 00:16:10.571: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PROCESS_MAIN_MODE

*Mar 1 00:16:10.571: ISAKMP:(1001):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Mar 1 00:16:10.575: ISAKMP:(1001):SA is doing pre-shared key authentication using id type

ID_IPV4_ADDR

*Mar 1 00:16:10.575: ISAKMP (0:1001): ID payload

next-payload : 8
193
 CCIE SECURITY V5

type :1

address : 20.1.15.1

protocol : 17

port : 500

length : 12

*Mar 1 00:16:10.575: ISAKMP:(1001):Total payload length: 12

*Mar 1 00:16:10.575: ISAKMP:(1001): sending packet to 20.1.14.1 my_port 500 peer_port

500 (R) MM_KEY_EXCH

*Mar 1 00:16:10.575: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:16:10.575: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PROCESS_COMPLETE

*Mar 1 00:16:10.575: ISAKMP:(1001):Old State = IKE_R_MM5 New State =

IKE_P1_COMPLETE

*Mar 1 00:16:10.579: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,

IKE_PHASE1_COMPLETE

*Mar 1 00:16:10.583: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State =

IKE_P1_COMPLETE

*Mar 1 00:16:10.655: ISAKMP (0:1001): received packet from 20.1.14.1 dport 500 sport 500
Global (R) QM_IDLE

*Mar 1 00:16:10.655: ISAKMP: set new node -1496356104 to QM_IDLE

*Mar 1 00:16:10.659: ISAKMP:(1001): processing HASH payload. message ID = -1496356104

194
 CCIE SECURITY V5

*Mar 1 00:16:10.659: ISAKMP:(1001): processing SA payload. message ID = -1496356104

*Mar 1 00:16:10.659: ISAKMP:(1001):Checking IPSec proposal 1

*Mar 1 00:16:10.659: ISAKMP: transform 1, ESP_AES

*Mar 1 00:16:10.663: ISAKMP: attributes in transform:

*Mar 1 00:16:10.663: ISAKMP: encaps is 1 (Tunnel)

*Mar 1 00:16:10.663: ISAKMP: SA life type in seconds

*Mar 1 00:16:10.663: ISAKMP: SA life duration (basic) of 3600

*Mar 1 00:16:10.663: ISAKMP: SA life type in kilobytes

*Mar 1 00:16:10.663: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Mar 1 00:16:10.667: ISAKMP: authenticator is HMAC-SHA

*Mar 1 00:16:10.667: ISAKMP: key length is 128

*Mar 1 00:16:10.667: ISAKMP:(1001):atts are acceptable.

*Mar 1 00:16:10.667: ISAKMP:(1001): processing NONCE payload. message ID = -

1496356104

*Mar 1 00:16:10.667: ISAKMP:(1001): processing ID payload. message ID = -1496356104

*Mar 1 00:16:10.671: ISAKMP:(1001): processing ID payload. message ID = -1496356104

*Mar 1 00:16:10.675: ISAKMP:(1001):QM Responder gets spi

*Mar 1 00:16:10.675: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_FROM_PEER,

IKE_QM_EXCH

*Mar 1 00:16:10.675: ISAKMP:(1001):Old State = IKE_QM_READY New State =

IKE_QM_SPI_STARVE

*Mar 1 00:16:10.683: ISAKMP:(1001): Creating IPSec SAs

195
 CCIE SECURITY V5

*Mar 1 00:16:10.683: inbound SA from 20.1.14.1 to 20.1.15.1 (f/i) 0/ 0

(proxy 14.14.14.0 to 15.15.15.0)

*Mar 1 00:16:10.683: has spi 0x1BCBC824 and conn_id 0

*Mar 1 00:16:10.683: lifetime of 3600 seconds

*Mar 1 00:16:10.683: lifetime of 4608000 kilobytes

*Mar 1 00:16:10.683: outbound SA from 20.1.15.1 to 20.1.14.1 (f/i) 0/0

(proxy 15.15.15.0 to 14.14.14.0)

*Mar 1 00:16:10.683: has spi 0x56923AE3 and conn_id 0

*Mar 1 00:16:10.683: lifetime of 3600 seconds

*Mar 1 00:16:10.683: lifetime of 4608000 kilobytes

*Mar 1 00:16:10.683: ISAKMP:(1001): sending packet to 20.1.14.1 my_port 500 peer_port

500 (R) QM_IDLE

*Mar 1 00:16:10.683: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:16:10.687: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_INTERNAL,

IKE_GOT_SPI

*Mar 1 00:16:10.687: ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE New State =

IKE_QM_R_QM2

*Mar 1 00:16:10.703: ISAKMP (0:1001): received packet from 20.1.14.1 dport 500 sport 500
Global (R) QM_IDLE

*Mar 1 00:16:10.707: ISAKMP:(1001):deleting node -1496356104 error FALSE reason "QM

done (await)"

*Mar 1 00:16:10.707: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_FROM_PEER,

IKE_QM_EXCH

196
 CCIE SECURITY V5

Verification:

R51#show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
20.1.15.1 20.1.14.1 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

This is the normal state of established IKE tunnel.

R51#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 20.1.14.1 20.1.15.1 ACTIVE aes sha psk 5 00:27:45

Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

Negotiated ISAKMP policy is visible. This command is useful to figure out which policy has been used for establishing
the IKE tunnel when there are several polices matching at the both sides.

R51#show crypto ipsec sa

interface: FastEthernet0/0
197
 CCIE SECURITY V5

This command shows information regarding the interfaces and defined crypto.

Crypto map tag: CMAP, local addr 20.1.14.1

protected vrf: (none)

local ident (addr/mask/prot/port): (14.14.14.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
current_peer 20.1.15.1 port 500

The proxies (source and destination of interesitng traffic) are displayed. “0/0” after IP address and netmask indicates
that IP protocol is transported in the tunnel.

PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

Very important output usefull for the IPSec debugging and troubleshooting. This indicates that outgoing packets are:
encapsulated by ESP, encrypted and digested (the hash has been made to discover any alterations). The second marked
line indicates that incomming packets are: decapsulated (the IPSec header have been extracted), decrypted and
hash/digest has been verified.

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 20.1.14.1, remote crypto endpt.: 20.1.15.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x1BCBC824(466339876)

inbound esp sas:

spi: 0x56923AE3(1452423907)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: CMAP

198
 CCIE SECURITY V5

sa timing: remaining key lifetime (k/sec): (4496797/3459)

IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

This output contains useful information relevant to unidirectional SA. This shows the following: used IPSec protocol
(ESP), SPI value, used transform-set (encryption algorithm along with hash function), ESP mode (tunnel or transport),
connection ID, crypto map and lifetime values in second and kilobytes which remains to session key refreshment
(tunnel will be terminated instead of key refreshment if no packets need to be transported via tunnel when SA expired).

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x1BCBC824(466339876)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4496797/3459)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R51#show crypto ipsec sa address

fvrf/address: (none)/20.1.14.1
protocol: ESP
spi: 0x56923AE3(1452423907)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
199
 CCIE SECURITY V5

conn id: 1, flow_id: SW:1, crypto map: CMAP

sa timing: remaining key lifetime (k/sec): (4496797/3399)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

fvrf/address: (none)/20.1.15.1
protocol: ESP
spi: 0x1BCBC824(466339876)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4496797/3399)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

R51#show crypto engine connections active

Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address

1 Fa0/0 IPsec AES+SHA 0 4 20.1.14.1
2 Fa0/0 IPsec AES+SHA 4 0 20.1.14.1
1001 Fa0/0 IKE SHA+AES 0 0 20.1.14.1

R51#show crypto engine connections dh

Number of DH's pregenerated = 2
DH lifetime = 86400 seconds

Software Crypto Engine:

Conn Status Group Time left
1 Used Group 5 1544
200
 CCIE SECURITY V5

2 Pregen Group 5 --
The Diffie-Hellman group and the time that remains to next DH key generation.

Verification performed on The responder.

Refer the Same in R51 also

TASK2 SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) R51-R53

LAB-SETUP

 Configure R51, R54 & R52(ISP) with the IP mentioned in the table
 Configure the telnet on the respective routers using password “cisco”

 For the Internet, configure the Default routes on R51 and R53 with the next hop as corresponding interface
IP of R52.

Device Interface IP

R51 Gi2 20.1.144.1/24

201
 CCIE SECURITY V5

Loopback0 14.14.14.14/24

R54 Gi1 20.1.16.1/24

Loopback0 16.16.16.16/24

R52 Gi2 20.1.144.2/24

Gi5 20.1.16.2/24

 Configure basic Site to Site IPSec VPN in Aggressive Mode to protect traffic between IP addresses 14.14.14.14
and 16.16.16.16 using the following policy:

ISAKMP Policy IPSec Policy

Policy : 20 Transform-set : TSET

Authentication: Pre-share (cisco) Encryption: esp-aes
Encryption: 3des Hash: SHA
Hash: md5
DH Group: 2
Lifetime: 1800

Configuration on Router: -

R51:

202
 CCIE SECURITY V5

hostname R51

interface gi2

no shut

ip address 20.1.144.1 255.255.255.0

interface loop 0

ip address 14.14.14.14 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.144.2

R54:

hostname R54

interface gi1

no shut

ip address 20.1.16.1 255.255.255.0

interface loop 0

ip address 16.16.16.16 255.255.255.0

203
 CCIE SECURITY V5

ip route 0.0.0.0 0.0.0.0 20.1.16.2

R52:

hostname R52

interface gi2

no shut

ip address 20.1.144.2 255.255.255.0

interface gi5

no shut

ip address 20.1.16.2 255.255.255.0

Verification

R51#ping 20.1.16.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.16.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/10 ms

204
 CCIE SECURITY V5

Configuration on Routers:

R51:

crypto isakmp policy 20

encr 3des

hash md5

authentication pre-share

group 2

lifetime 1800

crypto isakmp peer address 20.1.16.1

set aggressive-mode password cisco

set aggressive-mode client-endpoint ipv4-address 20.1.16.1

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN2

permit ip 14.14.14.0 0.0.0.255 16.16.16.0 0.0.0.255

205
 CCIE SECURITY V5

crypto map MAP 10 ipsec-isakmp

set peer 20.1.16.1

set transform-set TSET

match address VPN2

crypto map MAP

R54:

crypto isakmp policy 20

encr 3des

hash md5

authentication pre-share

group 2

lifetime 1800

crypto isakmp peer address 20.1.144.1

set aggressive-mode password cisco

set aggressive-mode client-endpoint ipv4-address 20.1.144.1

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

mode tunnel

206
 CCIE SECURITY V5

ip access-list extended VPN2

permit ip 16.16.16.0 0.0.0.255 14.14.14.0 0.0.0.255

crypto map MAP 10 ipsec-isakmp

set peer 20.1.144.1

set transform-set TSET

match address VPN2

crypto map MAP

LAB-3.2: - CERTIFICATE AUTHORITY WITH CRYPTO ROUTE

207
 CCIE SECURITY V5

LAB-SETUP
 Configure R51[CA], R53, R54, R52[ISP] with the IP mentioned in the table
 Configure the telnet on the respective routers using password “cisco”
 For the Internet, the BGP configuration should be as follows.
o R51 is in the BGP AS 3

o R53 is in the BGP AS 4

o R54 is in the BGP AS 5

o R52 is in the BGP AS 345

o Peer all the sites with the ISP using BGP
o Use the BGP authentication password as “cisco” [without quotes] and encrypt using md5

Device Interface IP

R51 Gi1 20.13.13.1/24

Loopback0 192.168.13.1/24

R53 Gi1 20.14.14.1/24

Loopback1 192.168.14.1/24

R54 Gi1 20.15.15.1/24

Loopback1 192.168.15.1/24

R52 Gi3 20.14.14.2/24

Gi5 20.15.15.2/24
Gi1 20.13.13.2/24

208
 CCIE SECURITY V5

Configuration on Routers:

R51(CA):

interface gi1

no shut

ip address 20.13.13.1 255.255.255.0

interface loop 0

ip address 192.168.13.1 255.255.255.0

router bgp 3

bgp router-id 3.3.3.3

nei 20.13.13.2 remote-as 345

network 192.168.13.0 mask 255.255.255.0

network 20.13.13.0 mask 255.255.255.0

R53:

interface gi1

209
 CCIE SECURITY V5

no shut

ip address 20.14.14.1 255.255.255.0

interface loop 1

ip address 192.168.14.1 255.255.255.0

router bgp 4

bgp router-id 4.4.4.4

nei 20.14.14.2 remote-as 345

network 192.168.14.0

network 20.14.14.0 mask 255.255.255.0

R54:

interface gi1

no shut

ip address 20.15.15.1 255.255.255.0

interface loop 1

210
 CCIE SECURITY V5

ip address 192.168.15.1 255.255.255.0

router bgp 5

bgp router-id 5.5.5.5

nei 20.15.15.2 remote-as 345

network 192.168.15.0

network 20.15.15.0 mask 255.255.255.0

R52(ISP):

interface gi3

no shut

ip address 20.14.14.2 255.255.255.0

interface gi5

no shut

ip address 20.15.15.2 255.255.255.0

interface gi1

no shut

ip address 20.13.13.2 255.255.255.0

211
 CCIE SECURITY V5

interface loop0

ip address 192.168.16.1 255.255.255.0

router bgp 345

bgp router-id 17.17.17.17

nei 20.14.14.1 remote-as 4

nei 20.15.15.1 remote-as 5

nei 20.13.13.1 remote-as 3

network 192.168.16.0 mask 255.255.255.0

Verification:

R51#ping 20.15.15.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.15.15.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/12 ms

R51#ping 20.14.14.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.14.14.1, timeout is 2 seconds:

212
 CCIE SECURITY V5

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/7 ms

R51#ping 20.13.13.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.13.13.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

R52#show ip bgp summary

BGP router identifier 17.17.17.17, local AS number 345

BGP table version is 9, main routing table version 9

4 network entries using 992 bytes of memory

5 path entries using 600 bytes of memory

4/4 BGP path/bestpath attribute entries using 1024 bytes of memory

3 BGP AS-PATH entries using 72 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 2688 total bytes of memory

BGP activity 4/0 prefixes, 7/2 paths, scan interval 60 secs

213
 CCIE SECURITY V5

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

20.13.13.1 4 3 18 21 9 0 0 00:11:54 2

20.14.14.1 4 4 17 21 9 0 0 00:11:57 1

20.15.15.1 4 5 10 15 9 0 0 00:04:58 1

TASK1 CONFIGURE NTP

 To ensure all devices in the network have the same time configure NTP server on R51.
 The server should authenticate the clients with a password of “cisco”.
 Configure rest of devices as NTP clients to the R51 as NTP source.

 Make sure the time zone for all the device is PST with zone name as ccnp.

Configuration on Router

R51:

ntp authentication-key 1 md5 cisco

ntp authenticate

ntp trusted-key 1

ntp source GigabitEthernet4

ntp master 1
214
 CCIE SECURITY V5

clock timezone ccnp -8

clock set 14:15:00 9 Sep 2018 change to the curent date

R53 & 54:

ntp server 150.1.7.184 key 1

ntp authentication-key 1 md5 cisco

ntp authenticate

ntp trusted-key 1

clock timezone ccnp -8

Verification

R51#show ntp status

Clock is synchronized, stratum 1, reference is .LOCL.

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10

ntp uptime is 93000 (1/100 of seconds), resolution is 4000

reference time is DF401A24.218937A8 (14:16:04.131 ccnp Sun Sep 9 2018)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 439.67 msec, peer dispersion is 438.64 msec

215
 CCIE SECURITY V5

loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s

system poll interval is 16, last update was 4 sec ago.

R51#show ntp associations

address ref clock st when poll reach delay offset disp

*~127.127.1.1 .LOCL. 0 15 16 377 0.000 0.000 1.204

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R54#show ntp associations

address ref clock st when poll reach delay offset disp

*~150.1.7.184 .LOCL. 1 53 64 1 3.000 4.500 7938.4

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

216
 CCIE SECURITY V5

R53#show ntp associations

address ref clock st when poll reach delay offset disp

*~150.1.7.184 .LOCL. 1 46 64 1 3.000 3.500 7938.4

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

TASK2 IOS CERTIFICATE AUTHORITY

 Configure IOS Certificate Authority server on R51

o RSA key :- R51

o PKI Server :- caserver

 The server should have self-signed certificate with a lifetime of 5 years and grant certificates to the clients
with a lifetime of 3 years.

 The server should service all certificate requests automatically.

Configuration on Router

R51:

crypto key generate rsa label R51 modulus 1024

ip http server

217
 CCIE SECURITY V5

crypto pki server caserver

database level complete

grant auto

issuer-name CN=r51, O=cisco.com

lifetime certificate 1095

lifetime ca-certificate 1825

no shutdown

%Some server settings cannot be changed after CA certificate generation.

% Please enter a passphrase to protect the private key

% or type Return to exit

Password: Sanfran@1234

Re-enter password: Sanfran@1234

% Generating 1024 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 1 seconds)

Verification

R51#show crypto pki server

Certificate Server caserver:

218
 CCIE SECURITY V5

Status: enabled

State: enabled

Server's configuration is locked (enter "shut" to unlock it)

Issuer name: CN=netmetric, O=cisco.com

CA cert fingerprint: E25DD56A 609047F7 05EF50A8 72EEB2B4

Granting mode is: auto

Last certificate issued serial number (hex): 1

CA certificate expiration timer: 14:26:48 ccnp Sep 8 2023

CRL NextUpdate timer: 20:26:51 ccnp Sep 9 2018

Current primary storage dir: nvram:

Database Level: Complete - all issued certs written as <serialnum>.cer

TASK3 ENROLL WITH THE CA - R53 AND R54

 On both devices enrol a certificate for IPSec peer authentication.

 Certificate uses for IPSec authentication should have at least 1024 bytes keys with rsa key as r53 and r54
 Configure trustpoint with name trustr53 & trustr54

 Configure domain name of cisco.com and name server as 150.1.7.164 (AD/DNS)

Configuration on Router

R53:
219
 CCIE SECURITY V5

Ip http server

ip domain-name cisco.com

ip name-server 150.1.7.164

crypto key generate rsa label r53 modulus 1024

crypto pki trustpoint trustr53

enrollment url http://192.168.13.1:80

revocation-check none

rsakeypair r53

crypto pki authenticate trustr53

Certificate has the following attributes:

Fingerprint MD5: ED8C3F90 A4D0AB86 DD12AFA0 92EA3C55

Fingerprint SHA1: 61A9CC05 C7C4CD74 A07723DB 4AA0943E B6A951A0

% Do you accept this certificate? [yes/no]: yes

220
 CCIE SECURITY V5

Trustpoint CA certificate accepted.

crypto pki enroll trustr53

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: R53.cisco.com

% Include the router serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 91H57NEE1UA

% Include an IP address in the subject name? [no]: yes

Enter Interface name or IP Address[]:

% Skipping IP address

221
 CCIE SECURITY V5

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose trustr53' command will show the
fingerprint.

R54:

Ip http server

ip domain-name cisco.com

ip name-server 150.1.7.164

crypto key generate rsa label r54 modulus 1024

crypto pki trustpoint trustr54

enrollment url http://192.168.13.1:80

revocation-check none

rsakeypair r54

crypto pki authenticate trustr54

Certificate has the following attributes:

222
 CCIE SECURITY V5

Fingerprint MD5: ED8C3F90 A4D0AB86 DD12AFA0 92EA3C55

Fingerprint SHA1: 61A9CC05 C7C4CD74 A07723DB 4AA0943E B6A951A0

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

crypto pki enroll trustr54

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: R54.cisco.com

% Include the router serial number in the subject name? [yes/no]: yes

223
 CCIE SECURITY V5

% The serial number in the certificate will be: 9EO5P38C3QA

% Include an IP address in the subject name? [no]:

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose trustr54' command will show the
fingerprint.

TASK4 CONFIGURE THE IPSEC TUNNEL BETWEEN R53 AND R54

 On both devices secure the traffic for 192.168.15.1 and 192.168.14.1

 Use the pre-share key cisco for the isakmp

Configuration on Route

R53

crypto isakmp policy 10

encr aes

authentication rsa-sig

group 2

crypto ipsec transform-set ts esp-aes esp-sha-hmac

224
 CCIE SECURITY V5

mode tunnel

ip access-list extended VPN

permit ip 192.168.14.0 0.0.0.255 192.168.15.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp

set peer 20.15.15.1

set transform-set ts

match address VPN

reverse-route static

int gi1

crypto map CMAP

R54:

crypto isakmp policy 10

encr aes

authentication rsa-sig

group 2

crypto ipsec transform-set ts esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN

permit ip 192.168.15.0 0.0.0.255 192.168.14.0 0.0.0.255

225
 CCIE SECURITY V5

crypto map CMAP 10 ipsec-isakmp

set peer 20.14.14.1

set transform-set ts

match address VPN

reverse-route static

int gi1

crypto map CMAP

Verification

R53#ping 192.168.15.1 source 192.168.14.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.15.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.14.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 3/10/25 ms

R53#show crypto isakmp sa

226
 CCIE SECURITY V5

IPv4 Crypto ISAKMP SA

dst src state conn-id status

20.15.15.1 20.14.14.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R53#show crypto ipsec sa

interface: GigabitEthernet1

Crypto map tag: CMAP, local addr 20.14.14.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)

current_peer 20.15.15.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

227
 CCIE SECURITY V5

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.14.14.1, remote crypto endpt.: 20.15.15.1

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1

current outbound spi: 0xB76F1473(3077510259)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0x23EFC520(602916128)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004048, crypto map: CMAP

sa timing: remaining key lifetime (k/sec): (4607999/3538)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

inbound ah sas:

228
 CCIE SECURITY V5

inbound pcp sas:

outbound esp sas:

spi: 0xB76F1473(3077510259)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004048, crypto map: CMAP

sa timing: remaining key lifetime (k/sec): (4607999/3538)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

LAB-3.3: - GRE

229
 CCIE SECURITY V5

TASK1 GRE TUNNEL

 Configure GRE Point to Point tunnel between R18 and R19.

 The tunnel should pass EIGRP AS 100

 The multicast packets exchanging information about Loopback0 networks.

 Use 192.168.189.x/24 as tunnel IP addresses.

 R21 being ISP.

 Point simple default routes from R18 and R19 towards the R21.

 Configure using the below mentioned table:

Device Interface IP

R18 F0/0 20.18.18.1/24

Loopback0 192.168.18.18/24
Tunnel 0 192.168.189.18/24

R19 Fa0/0 20.19.19.1/24

Loopback0 192.168.19.19/24
Tunnel 0 192.168.189.19/24

R21 Fa0/0 20.18.18.2/24

230
 CCIE SECURITY V5

Fa0/1 20.19.19.2/24

Configuration on Routers

R18:

hostname R18

interface f 0/0

no shut

ip address 20.18.18.1 255.255.255.0

interface loop 0

ip address 192.168.18.18 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.18.18.2

interface tunnel 0

tunnel source f0/0

tunnel destination 20.19.19.1

231
 CCIE SECURITY V5

ip address 192.168.189.18 255.255.255.0

router eigrp 100

no auto-summary

network 192.168.189.0

network 192.168.18.0

R19:

hostname R19

interface f 0/0

no shut

ip address 20.19.19.1 255.255.255.0

interface loop 0

ip address 192.168.19.19 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.19.19.2

232
 CCIE SECURITY V5

interface tunnel 0

tunnel source f0/0

tunnel destination 20.18.18.1

ip address 192.168.189.19 255.255.255.0

router eigrp 100

no auto-summary

network 192.168.189.0

network 192.168.19.0

R21:

hostname R21

interface f 0/0

no shut

ip address 20.18.18.2 255.255.255.0

interface f 0/1

no shut

ip address 20.19.19.2 255.255.255.0

233
 CCIE SECURITY V5

Verifications:

R18#ping 20.19.19.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.19.19.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/28 ms

R19#ping 20.18.18.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.18.18.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/36 ms

R18#show ip interface brief | exclude unassigned

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 20.18.18.1 YES manual up up

234
 CCIE SECURITY V5

Loopback0 192.168.18.18 YES manual up up

Tunnel0 192.168.189.18 YES manual up up

-------------------------------------------------------------------------------------------------------------------------

R19#show ip interface brief | exclude unassigned

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 20.19.19.1 YES manual up up

Loopback0 192.168.19.19 YES manual up up

Tunnel0 192.168.189.19 YES manual up up

R18#ping 192.168.189.19

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.189.19, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/33/80 ms

R19#ping 192.168.189.18

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.189.18, timeout is 2 seconds:

235
 CCIE SECURITY V5

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/40 ms

-------------------------------------------------------------------------------------------------------------------------

R18#show ip eigrp neighbors

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 192.168.189.19 Tu0 11 00:00:35 1049 5000 0 3

R19#show ip eigrp neighbors

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 192.168.189.18 Tu0 13 00:01:07 163 5000 0 5

TASK2 GRE TUNNEL OVER IPSEC

236
 CCIE SECURITY V5

 Protect the tunnel we configured on the previous task and ensure the traffic passing by the tunnel is
encrypted. Use the following parameters for IPSec protocol:
 ISAKMP Parameters

o Authentication : Pre-shared
o Group :5
o Encryption : AES
o Hash : SHA

o Lifetime : 1800

o Key : Netmetric

 IPSec Parameters

o Encryption : ESP-AES
o Authentication : ESP-SHA-HMAC

o Lifetime : 1800

Configuration on Routers

R18:

crypto isakmp policy 10

encryption aes

authentication pre-share

hash sha

group 5
237
 CCIE SECURITY V5

lifetime 1800

crypto isakmp key Netmetric address 20.19.19.1

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode transport

crypto ipsec security-association lifetime seconds 1800

crypto ipsec profile GRE

set transform-set TS

interface tunnel 0

tunnel protection ipsec profile GRE

R19:

crypto isakmp policy 10

encryption aes

authentication pre-share

hash sha

238
 CCIE SECURITY V5

group 5

lifetime 1800

crypto isakmp key Netmetric address 20.18.18.1

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode transport

crypto ipsec security-association lifetime seconds 1800

crypto ipsec profile GRE

set transform-set TS

interface tunnel 0

tunnel protection ipsec profile GRE

Verifications:

R18#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

239
 CCIE SECURITY V5

dst src state conn-id slot status

20.19.19.1 20.18.18.1 QM_IDLE 1002 0 ACTIVE

R18#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal

X - IKE Extended Authentication

psk - Preshared key, rsig - RSA signature

renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1002 20.18.18.1 20.19.19.1 ACTIVE aes sha psk 5 00:28:41

Engine-id:Conn-id = SW:2

1001 20.18.18.1 20.19.19.1 ACTIVE aes sha psk 5 00:28:41

Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

240
 CCIE SECURITY V5

R18#ping 192.168.19.19 source loopback 0 repeat 100

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 192.168.19.19, timeout is 2 seconds:

Packet sent with a source address of 192.168.18.18

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 12/24/44 ms

R18#show crypto ipsec sa

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 20.18.18.1

protected vrf: (none)

local ident (addr/mask/prot/port): (20.18.18.1/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (20.19.19.1/255.255.255.255/47/0)

current_peer 20.19.19.1 port 500

241
 CCIE SECURITY V5

PERMIT, flags={origin_is_acl,}

#pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137

#pkts decaps: 136, #pkts decrypt: 136, #pkts verify: 136

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 14, #recv errors 0

local crypto endpt.: 20.18.18.1, remote crypto endpt.: 20.19.19.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x93BAD181(2478494081)

inbound esp sas:

spi: 0x9C392EFD(2620993277)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 3, flow_id: SW:3, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4566192/1642)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

242
 CCIE SECURITY V5

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x93BAD181(2478494081)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 4, flow_id: SW:4, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4566192/1642)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R19#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

243
 CCIE SECURITY V5

20.18.18.1 20.19.19.1 QM_IDLE 1001 0 ACTIVE

R19#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal

X - IKE Extended Authentication

psk - Preshared key, rsig - RSA signature

renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 20.19.19.1 20.18.18.1 ACTIVE aes sha psk 5 00:28:11

Engine-id:Conn-id = SW:1

1002 20.19.19.1 20.18.18.1 ACTIVE aes sha psk 5 00:28:12

Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

244
 CCIE SECURITY V5

R19#ping 192.168.18.18 source loopback 0 repeat 100

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 192.168.18.18, timeout is 2 seconds:

Packet sent with a source address of 192.168.19.19

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 12/25/40 ms

R19#show crypto ipsec sa

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 20.19.19.1

protected vrf: (none)

local ident (addr/mask/prot/port): (20.19.19.1/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (20.18.18.1/255.255.255.255/47/0)

current_peer 20.18.18.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 247, #pkts encrypt: 247, #pkts digest: 247

245
 CCIE SECURITY V5

#pkts decaps: 248, #pkts decrypt: 248, #pkts verify: 248

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 20.19.19.1, remote crypto endpt.: 20.18.18.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x9C392EFD(2620993277)

inbound esp sas:

spi: 0x93BAD181(2478494081)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 3, flow_id: SW:3, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4471468/1604)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

246
 CCIE SECURITY V5

inbound pcp sas:

outbound esp sas:

spi: 0x9C392EFD(2620993277)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 4, flow_id: SW:4, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4471469/1604)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

LAB-3.4: - DMVPN

247
 CCIE SECURITY V5

Dynamic Multipoint Virtual Private Network (DMVPN) has been introduced by Cisco in late 2000. This technology has
been developed to address needs for automatically created VPN tunnels when dynamic IP addresses on the spokes are
in use.
In GRE over IPSec (described in the previous lab) both ends of the connection must have static/unchangeable IP address.
It is possible however, to create many GRE Site-to-Site tunnels from company’s branches to the Headquarters. This is
pure Hub-and-Spoke topology where all branches may communicate with each other securely through the Hub.
In DMVPN may have dynamic IP addresses on the spokes, but there must be static IP address on the Hub. There is also
an additional technology used to let the hub know what dynamic IP addresses are in use by the spokes. This is NHRP
(Next Hop Resolution Protocol) which works like ARP but for layer 3. All it does is building a dynamic database stored on
the hub with information about spokes’ IP addresses. Now the Hub knows IPSec peers and can build the tunnels with
them.
The Hub must be connected to many spokes at the same time so there was another issue to solve: how to configure the
Hub to not have many Tunnel interfaces (each for Site-to-Site tunnel with spoke). The answer is: use GRE multipoint type
of tunnel, where we do not need to specify the other end of the tunnel statically.
That being said, there are three DMVPN mutations called phases:

Phase 1: simple Hub and Spoke topology were dynamic IP addresses on the spokes may be used

Phase 2: Hub and Spoke with Spoke to Spoke direct communication allowed


Phase 3: Hub and Spoke with Spoke to Spoke direct communication allowed with better scalability using NHRP
Redirects


All above phases will be described in more detail in the next few labs.

248
 CCIE SECURITY V5

LAB-SETUP
 Configure R18 (HUB), R19 (Spoke1), R20 (Spoke2), R21 (ISP) with the IP mentioned in the table
 For the Internet, the BGP configuration should be as follows.
o R18 is in the BGP AS 3
o R19 is in the BGP AS 4

o R20 is in the BGP AS 5

o R21 is in the BGP AS 345

o Peer all the sites with the ISP using BGP

o Use the BGP authentication password as “cisco” [without quotes] and encrypt using md5

Device Interface IP

R18 gi0/0 18.18.18.18/24

Loopback0 192.168.18.1/24

R19 gi0/0 19.19.19.19/24

Loopback1 192.168.19.1/24

R20 gi0/0 20.20.20.20/24

Loopback1 192.168.20.1/24

R21 gi0/0 18.18.18.21/24

gi0/1 19.19.19.21/24
gi0/2 20.20.20.21/24

Note: Erase the configuration of Basic GRE from R18 & R19

Configuration on Router

249
 CCIE SECURITY V5

R18:

Hostname HUB

interface gi0/0

no shut

ip address 18.18.18.18 255.255.255.0

interface loop 0

ip address 192.168.18.1 255.255.255.0

router bgp 3

neighbor 18.18.18.21 remote-as 345

network 18.18.18.0 mask 255.255.255.0

R19:

Hostname Spoke1

interface gi0/0

no shut

ip address 19.19.19.19 255.255.255.0

250
 CCIE SECURITY V5

interface loop 0

ip address 192.168.19.1 255.255.255.0

router bgp 4

neighbor 19.19.19.21 remote-as 345

network 19.19.19.0 mask 255.255.255.0

R20:

Hostname Spoke2

interface gi0/0

no shut

ip address 20.20.20.20 255.255.255.0

interface loop 0

ip address 192.168.20.1 255.255.255.0

router bgp 5

neighbor 20.20.20.21 remote-as 345

network 20.20.20.0 mask 255.255.255.0

251
 CCIE SECURITY V5

R21(ISP):

Hostname ISP

interface gi0/0

no shut

ip address 18.18.18.21 255.255.255.0

interface gi0/1

no shut

ip address 19.19.19.21 255.255.255.0

interface gi0/2

no shut

ip address 20.20.20.21 255.255.255.0

router bgp 345

nei 18.18.18.18 remote-as 3

nei 19.19.19.19 remote-as 4

nei 20.20.20.20 remote-as 5

252
 CCIE SECURITY V5

Verification

ISP#show ip bgp summary

BGP router identifier 20.20.20.21, local AS number 345

BGP table version is 7, main routing table version 7

3 network entries using 360 bytes of memory

3 path entries using 156 bytes of memory

4/3 BGP path/bestpath attribute entries using 496 bytes of memory

3 BGP AS-PATH entries using 72 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory

BGP using 1116 total bytes of memory

BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

18.18.18.18 4 3 5 7 7 0 0 00:00:12 1

19.19.19.19 4 4 4 6 7 0 0 00:00:31 1

20.20.20.20 4 5 4 6 7 0 0 00:00:40 1

253
 CCIE SECURITY V5

TASK1 DMVPN PHASE 1 BASIC CONFIGURATION

 Configure Hub-and-Spoke GRE tunnels between R18, R19 and R20, where R18
is acting as a Hub.
 Traffic originated from every Spoke’s loopback interface should be transmitted securely via the Hub to the

other spokes.

 Use the following settings when configuring tunnels

o Tunnel Parameters:
 IP address : 1.1.1.0/24

 IP MTU : 1400
 Tunnel Authentication Key : 12345
o NHRP Parameters

 NHRP ID : 12345
 NHRP Authentication key : DMVPN

 NHRP Hub : R18

 NHRP Holdtime : 5 Minutes
254
 CCIE SECURITY V5

Configuration on Routers:-

R18 (HUB):

interface tunnel 1

ip address 1.1.1.1 255.255.255.0

tunnel source gi0/0

tunnel mode gre multipoint

ip nhrp map multicast dynamic

ip nhrp network-id 12345

ip nhrp authentication DMVPN

tunnel key 12345

ip nhrp holdtime 300

ip mtu 1400

R19 (Spoke1):

interface tunnel 1

255
 CCIE SECURITY V5

ip address 1.1.1.2 255.255.255.0

ip nhrp authentication DMVPN

ip nhrp map 1.1.1.1 18.18.18.18

ip nhrp map multicast 18.18.18.18

ip nhrp network-id 12345

ip nhrp nhs 1.1.1.1

tunnel source gi0/0

tunnel destination 18.18.18.18

tunnel key 12345

ip nhrp holdtime 300

ip mtu 1400

R20 (Spoke2):

interface tunnel 1

ip address 1.1.1.3 255.255.255.0

ip nhrp authentication DMVPN

ip nhrp map 1.1.1.1 18.18.18.18

256
 CCIE SECURITY V5

ip nhrp map multicast 18.18.18.18

ip nhrp network-id 12345

ip nhrp nhs 1.1.1.1

tunnel source gi0/0

tunnel destination 18.18.18.18

tunnel key 12345

ip mtu 1400

ip nhrp holdtime 300

Verification:

HUB#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

N - NATed, L - Local, X - No Socket

T1 - Route Installed, T2 - Nexthop-override

C - CTS Capable

# Ent --> Number of NHRP entries with same NBMA peer

NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

UpDn Time --> Up or Down Time for a Tunnel

==========================================================================

257
 CCIE SECURITY V5

Interface: Tunnel1, IPv4 NHRP Details

Type:Hub, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

1 19.19.19.19 1.1.1.2 UP 00:00:33 D

1 20.20.20.20 1.1.1.3 UP 00:00:06 D

Spoke1#traceroute ip 1.1.1.3 source 1.1.1.2

Type escape sequence to abort.

Tracing the route to 1.1.1.3

1 1.1.1.1 16 msec 36 msec 20 msec

2 1.1.1.3 52 msec 36 msec *

HUB#show ip nhrp

258
 CCIE SECURITY V5

1.1.1.2/32 via 1.1.1.2

Tunnel1 created 00:01:01, expire 00:03:58

Type: dynamic, Flags: unique registered nhop

NBMA address: 19.19.19.19

1.1.1.3/32 via 1.1.1.3

Tunnel1 created 00:00:34, expire 00:04:25

Type: dynamic, Flags: unique registered nhop

NBMA address: 20.20.20.20

HUB#show dmvpn detail

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea

N - NATed, L - Local, X - No Socket

# Ent --> Number of NHRP entries with same NBMA peer

-------------- Interface Tunnel1 info: --------------

Intf. is up, Line Protocol is up, Addr. is 1.1.1.1

Source addr: 18.18.18.18, Dest addr: MGRE

Protocol/Transport: "multi-GRE/IP", Protect "",

Tunnel VRF "", ip vrf forwarding ""

NHRP Details:

259
 CCIE SECURITY V5

Type:Hub, NBMA Peers:2

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network

----- --------------- --------------- ----- -------- ----- -----------------

1 19.19.19.19 1.1.1.2 UP 00:16:21 D 1.1.1.2/32

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network

----- --------------- --------------- ----- -------- ----- -----------------

1 20.20.20.20 1.1.1.3 UP 00:06:56 D 1.1.1.3/32

Pending DMVPN Sessions:

TASK2 DMVPN PHASE 1 WITH EIGRP

 Routing Protocol Parameters

o EIGRP 1
o Use split horizon rule

Configuration on the Router

R18(HUB) :

260
 CCIE SECURITY V5

router eigrp 1

network 1.1.1.0 0.0.0.255

network 192.168.18.0

no auto-summary

R19:

router eigrp 1

network 1.1.1.0 0.0.0.255

network 192.168.19.0

no auto-summary

R20:

router eigrp 1

network 1.1.1.0 0.0.0.255

network 192.168.20.0

no auto-summary

Verification:

261
 CCIE SECURITY V5

HUB#show ip route eigrp

D 192.168.20.0/24 [90/297372416] via 1.1.1.3, 00:00:29, Tunnel1

D 192.168.19.0/24 [90/297372416] via 1.1.1.2, 00:01:30, Tunnel1

HUB#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 1.1.1.0/24 is directly connected, Tunnel1
L 1.1.1.1/32 is directly connected, Tunnel1
18.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 18.18.18.0/24 is directly connected, GigabitEthernet0/0
L 18.18.18.18/32 is directly connected, GigabitEthernet0/0
19.0.0.0/24 is subnetted, 1 subnets

262
 CCIE SECURITY V5

B 19.19.19.0 [20/0] via 18.18.18.21, 00:04:09

20.0.0.0/24 is subnetted, 1 subnets
B 20.20.20.0 [20/0] via 18.18.18.21, 00:04:09
192.168.18.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.18.0/24 is directly connected, Loopback0
L 192.168.18.1/32 is directly connected, Loopback0
D 192.168.19.0/24 [90/27008000] via 1.1.1.2, 00:01:14, Tunnel1
D 192.168.20.0/24 [90/27008000] via 1.1.1.3, 00:01:08, Tunnel1

Spoke1#show ip route eigrp

D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:03:07, Tunnel1

Spoke2#show ip route eigrp

D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:02:33, Tunnel1

EIGRP is a distance vector routing protocol so we have split horizon issues. The spoke routers don’t see each other’s
networks. Let’s fix this for now:

int tunnel1

no ip split-horizon eigrp 1

Since we use EIGRP between the Hub and the Spokes, we need to disable Split Horizon for that protocol to be able to
send routes gathered from one Spoke to the other Spoke. The Split Horizon rule says: “information about the routing is
never sent back in the direction from which it was received”. This is basic rule for loop prevention.
263
 CCIE SECURITY V5

Spoke1#show ip route eigrp

D 192.168.20.0/24 [90/310172416] via 1.1.1.1, 00:00:10, Tunnel1

D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:04:44, Tunnel

Spoke1#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 1.1.1.0/24 is directly connected, Tunnel1

L 1.1.1.2/32 is directly connected, Tunnel1

18.0.0.0/24 is subnetted, 1 subnets

264
 CCIE SECURITY V5

B 18.18.18.0 [20/0] via 19.19.19.21, 00:06:33

19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 19.19.19.0/24 is directly connected, GigabitEthernet0/0

L 19.19.19.19/32 is directly connected, GigabitEthernet0/0

20.0.0.0/24 is subnetted, 1 subnets

B 20.20.20.0 [20/0] via 19.19.19.21, 00:06:33

192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.19.0/24 is directly connected, Loopback0

L 192.168.19.1/32 is directly connected, Loopback0

Spoke2#show ip route eigrp

D 192.168.19.0/24 [90/310172416] via 1.1.1.1, 00:00:30, Tunnel1

D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:04:04, Tunnel1

Spoke1#ping 192.168.20.1 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.19.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/52 ms

265
 CCIE SECURITY V5

Spoke1#show ip cef 192.168.20.1

192.168.20.0/24

nexthop 1.1.1.1 Tunnel1

The CEF entries displayed for Spoke loopback network. This indicates an IP address of next hop which have to be used for
reaching 192.168.20.0/24.

Spoke1#show ip nhrp

1.1.1.1/32 via 1.1.1.1

Tunnel1 created 00:06:50, never expire

Type: static, Flags:

NBMA address: 18.18.18.18

Spoke1#traceroute 192.168.20.1 source loopback 0

Type escape sequence to abort.

Tracing the route to 192.168.20.1

1 1.1.1.1 36 msec 24 msec 20 msec

2 1.1.1.3 20 msec 28 msec *

266
 CCIE SECURITY V5

TASK3 DMVPN PHASE 1 ENCRYPT THE TUNNEL USING IPSEC

 Use the following settings when configuring tunnels

o ISAKMP Parameters:
 Authentication : Pre-Shared
 Encryption : 3DES
 Hashing : SHA
 DH Group :2
 Pre-Shared Key : cisco
o IPSec Parameters
 Encryption : ESP-aes
 Authentication : ESP-SHA-HMAC

TASK4 DMVPN PHASE 2 WITH EIGRP

267
 CCIE SECURITY V5

 Configure Hub-and-Spoke GRE tunnels between R18, R19 and R20, where R18
 is acting as a Hub.
 Traffic originated from every Spoke’s loopback interface should be transmitted securely directly
to the other spokes.
 You must use EIGRP dynamic routing protocol to let other spokes know about protected networks.
 Use the following settings when configuring tunnels
 Tunnel Parameters:
o IP address : 1.1.1.0/24
o IP MTU : 1400
o Tunnel Authentication Key : 12345
 NHRP Parameters
o NHRP ID : 12345
o NHRP Authentication key : DMVPN
o NHRP Hub : R18

o NHRP Holdtime : 5 Minutes

The difference is in routing protocol behaviour. The DMVPN Phase 2 allows for direct Spoke to Spoke communication.
Hence, one spoke must send the traffic to the other spoke using its routing table information. In DMVPN Phase 1 the
spoke sends all traffic up to the Hub and uses the Hub for Spoke to Spoke communication. However, in DMVPN Phase 2
a spoke must point to the other spoke directly.

This is achieved by changing the routing protocol behaviour. The EIGRP changes next hop in the routing update when
sending it further. So that, the Hub changes the next hop to itself when sending down the routing updates to the Spokes.
This behaviour can be changed by the command “no ip next-hop-self eigrp AS”.

Configuration on Routers: -

268
 CCIE SECURITY V5

R18 (HUB):

Same configuration as of Phase 1 with few changes

interface Tunnel1

ip address 1.1.1.1 255.255.255.0

no ip redirects

ip mtu 1400

no ip next-hop-self eigrp 1

ip nhrp authentication DMVPN

ip nhrp map multicast dynamic

ip nhrp network-id 12345

ip nhrp holdtime 300

no ip split-horizon eigrp 1

tunnel source FastEthernet0/0

tunnel mode gre multipoint

tunnel key 12345

end

The EIGRP changes next hop in the routing update when sending it further. So that, the Hub changes the next hop to itself
when sending down the routing updates to the Spokes. This behaviour can be changed by the command “no ip next-hop-
self eigrp AS”

269
 CCIE SECURITY V5

R19 (Spoke1)

Show run int tun 1

interface tunnel 1

ip address 1.1.1.2 255.255.255.0

ip nhrp authentication DMVPN

ip nhrp map 1.1.1.1 18.18.18.18

ip nhrp map multicast 18.18.18.18

ip nhrp network-id 12345

ip nhrp nhs 1.1.1.1

tunnel source f0/0

tunnel destination 18.18.18.18

ip mtu 1400

tunnel key 12345

ip nhrp holdtime 300

Remove the tunnel destination command

int tunnel 1

no tunnel destination 18.18.18.18

270
 CCIE SECURITY V5

tunnel mode gre multipoint

R20 (Spoke2):

Show run int tunnel 1

interface tunnel 1

ip address 1.1.1.3 255.255.255.0

ip nhrp authentication DMVPN

ip nhrp map 1.1.1.1 18.18.18.18

ip nhrp map multicast 18.18.18.18

ip nhrp network-id 12345

ip nhrp nhs 1.1.1.1

tunnel source f0/0

tunnel destination 18.18.18.18

ip mtu 1400

tunnel key 12345

ip nhrp holdtime 300

Remove the tunnel destination command

271
 CCIE SECURITY V5

int tunnel 1

no tunnel destination 18.18.18.18

tunnel mode gre multipoint

Verification

HUB# show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Tunnel1

19.0.0.0/24 is subnetted, 1 subnets

272
 CCIE SECURITY V5

B 19.19.19.0 [20/0] via 18.18.18.21, 01:43:04

18.0.0.0/24 is subnetted, 1 subnets

C 18.18.18.0 is directly connected, FastEthernet0/0

20.0.0.0/24 is subnetted, 1 subnets

B 20.20.20.0 [20/0] via 18.18.18.21, 01:43:04

D 192.168.20.0/24 [90/297372416] via 1.1.1.3, 00:13:39, Tunnel1

D 192.168.19.0/24 [90/297372416] via 1.1.1.2, 00:13:55, Tunnel1

C 192.168.18.0/24 is directly connected, Loopback0

HUB#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea

N - NATed, L - Local, X - No Socket

# Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Hub, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

1 19.19.19.19 1.1.1.2 UP never D

1 20.20.20.20 1.1.1.3 UP never D

273
 CCIE SECURITY V5

HUB#ping 1.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/32 ms

HUB#ping 1.1.1.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/32 ms

HUB#show ip nhrp

1.1.1.2/32 via 1.1.1.2, Tunnel1 created 00:14:22, expire 00:03:57

Type: dynamic, Flags: unique registered

NBMA address: 19.19.19.19

1.1.1.3/32 via 1.1.1.3, Tunnel1 created 00:14:06, expire 00:04:13

Type: dynamic, Flags: unique registered

274
 CCIE SECURITY V5

NBMA address: 20.20.20.20

HUB#show ip eigrp neighbors

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

1 1.1.1.3 Tu1 10 00:14:35 137 5000 0 14

0 1.1.1.2 Tu1 12 00:14:53 92 5000 0 18

Spoke1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

275
 CCIE SECURITY V5

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Tunnel1

19.0.0.0/24 is subnetted, 1 subnets

C 19.19.19.0 is directly connected, FastEthernet0/0

18.0.0.0/24 is subnetted, 1 subnets

B 18.18.18.0 [20/0] via 19.19.19.21, 01:44:24

20.0.0.0/24 is subnetted, 1 subnets

B 20.20.20.0 [20/0] via 19.19.19.21, 01:44:24

D 192.168.20.0/24 [90/310172416] via 1.1.1.3, 00:14:58, Tunnel1

C 192.168.19.0/24 is directly connected, Loopback0

D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:15:16, Tunnel1

Spoke1#show ip route 192.168.20.1

Routing entry for 192.168.20.0/24

Known via "eigrp 1", distance 90, metric 310172416, type internal

Redistributing via eigrp 1

Last update from 1.1.1.3 on Tunnel1, 00:16:01 ago

Routing Descriptor Blocks:

* 1.1.1.3, from 1.1.1.1, 00:16:01 ago, via Tunnel1

276
 CCIE SECURITY V5

Route metric is 310172416, traffic share count is 1

Total delay is 1005000 microseconds, minimum bandwidth is 9 Kbit

Reliability 255/255, minimum MTU 1400 bytes

Loading 1/255, Hops 2

Spoke1#show ip cef 192.168.20.1

192.168.20.0/24

nexthop 1.1.1.3 Tunnel1

Spoke1#show ip cef 1.1.1.3

1.1.1.0/24

attached to Tunnel1

Spoke1#show ip cef 20.20.20.20

20.20.20.0/24

nexthop 19.19.19.21 GigabitEthernet0/0

Spoke1#show ip nhrp

1.1.1.1/32 via 1.1.1.1

277
 CCIE SECURITY V5

Tunnel1 created 00:03:42, never expire

Type: static, Flags: used

NBMA address: 18.18.18.18

1.1.1.2/32 via 1.1.1.2

Tunnel1 created 00:00:02, expire 00:04:57

Type: dynamic, Flags: router unique local

NBMA address: 19.19.19.19

(no-socket)

1.1.1.3/32 via 1.1.1.3

Tunnel1 created 00:00:02, expire 00:04:56

Type: dynamic, Flags: router used nhop

NBMA address: 20.20.20.20

Spoke1#show adjacency tunnel 1 detail

Protocol Interface Address

IP Tunnel1 1.1.1.1(11)

0 packets, 0 bytes

epoch 0

sourced in sev-epoch 3

Encap length 28

4500000000000000FF2F718513131313

278
 CCIE SECURITY V5

121212122000080000003039

Tun endpt

Next chain element:

IP adj out of GigabitEthernet0/0, addr 19.19.19.21

IP Tunnel1 1.1.1.3(11)

0 packets, 0 bytes

epoch 0

sourced in sev-epoch 3

Encap length 28

4500000000000000FF2F6D8113131313

141414142000080000003039

Tun endpt

Next chain element:

IP adj out of GigabitEthernet0/0, addr 19.19.19.21

Spoke1#traceroute 192.168.20.1 source loopback 0

Type escape sequence to abort.

Tracing the route to 192.168.20.1

1.1.1.3 16 msec 48 msec *

279
 CCIE SECURITY V5

TASK5 DMVPN PHASE 3 WITH EIGRP

 Configure Hub-and-Spoke GRE tunnels between R18, R19 and R20, where R18
 is acting as a Hub.
 Traffic originated from every Spoke’s loopback interface should be transmitted securely directly
to the other spokes.
 You must use EIGRP dynamic routing protocol to let other spokes know about protected networks.
 You must ensure that every traffic is CEF switched.
 Use the following settings when configuring tunnels
o Tunnel Parameters:
 IP address : 1.1.1.0/24
 IP MTU : 1400
 Tunnel Authentication Key : 12345
o NHRP Parameters
 NHRP ID : 12345
 NHRP Authentication key : DMVPN
 NHRP Hub : R18
 NHRP Holdtime : 5 Minutes

DMVPN Phase 3 is the latest method of configuration. It was introduced by Cisco to fix some disadvantages of Phase 2
like:


- Scalability: Phase 2 allows Hubs daisy-chaining, OSPF single area, limited number of hubs due to OSPF DR/BDR
election

- Scalability: Phase 2 does not allow route summarization on the Hub, all prefixes must be distributed to
all spokes to be able to set up 
direct spoke to spoke tunnels. 


280
 CCIE SECURITY V5

- Performance: Phase 2 sends first packets through the Hub using 
process-switching (not CEF) causing
CPU spikes. DMVPN Phase 3 uses two NHRP “hacks” to make it happen: 


- NHRP Redirect (HUB) – a new messages send from the Hub to the Spoke to let the Spoke know that
there is a better path to the other spoke than through the Hub 


- NHRP Shortcut – a new way of changing (overwriting) CEF information on the Spoke 
In DMVPN Phase
3 all Spokes must point to the Hub for the networks behind the other spokes (just like it was in Phase 1). 


 Packet is sent from Spoke’s 19 network to Spoke’s 20 network via Hub (according to routing table)

 Hub routes packet to Spoke2 but in parallel sends back the NHRP Redirect message to Spoke19
containing information about suboptimal path to Spoke20 and tunnel IP of Spoke2

 Spoke19 then issues the NHRP Resolution request of Spoke’s 20 NBMA IP address to NHS with
destination IP of Spoke’s 2 tunnel, this NHRP Resolution request is sent targeted to Spoke20 via
NHS (according to routing table) – it is normal hop by hop NHRP forwarding process

 Spoke2 after receiving resolution request including NBMA IP of Spoke19 sends the NHRP Resolution
reply directly to Spoke19 – Reply does not traverse the Hub!

 Spoke19 after receiving correct NBMA IP of Spoke2 rewrites the CEF entry for destination prefix – this
procedure is called NHRP Shortcut

 Spokes don’t trigger NHRP by glean adjacencies but NHRP replies updates the CEF

Configuration on Routers: -

R18 (HUB):

Same configuration on the HUB, but some additional commands

interface Tunnel1
281
 CCIE SECURITY V5

ip address 1.1.1.1 255.255.255.0

no ip redirects

ip mtu 1400

no ip next-hop-self eigrp 1

ip nhrp authentication DMVPN

ip nhrp map multicast dynamic

ip nhrp network-id 12345

ip nhrp holdtime 300

no ip split-horizon eigrp 1

tunnel source FastEthernet0/0

tunnel mode gre multipoint

tunnel key 12345

ip nhrp redirect
NHRP Redirect is a special NHRP message sent by the Hub to the spoke to tell the spoke that there is a better path to the
remote spoke than through the Hub. All it does is enforces the spoke to trigger an NHRP resolution request to IP destination.

The “ip nhrp redirect” command should be configured on the Hub only!

R19 (Spoke1):

interface Tunnel1

ip address 1.1.1.2 255.255.255.0

no ip redirects

ip mtu 1400

282
 CCIE SECURITY V5

ip nhrp authentication DMVPN

ip nhrp map 1.1.1.1 18.18.18.18

ip nhrp map multicast 18.18.18.18

ip nhrp network-id 12345

ip nhrp holdtime 300

ip nhrp nhs 1.1.1.1

tunnel source FastEthernet0/0

tunnel mode gre multipoint

tunnel key 12345

ip nhrp shortcut

end

The only difference on the spoke is that the spoke has NHRP Shortcut configured. This will work together with NHRP Redirect
on the Hub to send a new Resolution Request NHRP message and overwrite CEF entry to use direct spoke to spoke tunnel
instead of the Hub. This command should be configured on spokes only.

R20 (Spoke2):

interface Tunnel1

ip address 1.1.1.3 255.255.255.0

no ip redirects
283
 CCIE SECURITY V5

ip mtu 1400

ip nhrp authentication DMVPN

ip nhrp map 1.1.1.1 18.18.18.18

ip nhrp map multicast 18.18.18.18

ip nhrp network-id 12345

ip nhrp holdtime 300

ip nhrp nhs 1.1.1.1

ip nhrp shortcut

tunnel source FastEthernet0/0

tunnel mode gre multipoint

tunnel key 12345

end

HUB#show ip eigrp neighbors

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

1 1.1.1.3 Tu1 13 00:00:20 50 5000 0 23

0 1.1.1.2 Tu1 14 00:00:27 837 5000 0 28

284
 CCIE SECURITY V5

HUB#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 1.1.1.0/24 is directly connected, Tunnel1

L 1.1.1.1/32 is directly connected, Tunnel1

18.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 18.18.18.0/24 is directly connected, GigabitEthernet0/0

L 18.18.18.18/32 is directly connected, GigabitEthernet0/0

19.0.0.0/24 is subnetted, 1 subnets

B 19.19.19.0 [20/0] via 18.18.18.21, 00:20:52

285
 CCIE SECURITY V5

20.0.0.0/24 is subnetted, 1 subnets

B 20.20.20.0 [20/0] via 18.18.18.21, 00:20:52

192.168.18.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.18.0/24 is directly connected, Loopback0

L 192.168.18.1/32 is directly connected, Loopback0

D 192.168.19.0/24 [90/27008000] via 1.1.1.2, 00:01:05, Tunnel1

D 192.168.20.0/24 [90/27008000] via 1.1.1.3, 00:01:03, Tunnel1

HUB#show ip nhrp

1.1.1.2/32 via 1.1.1.2, Tunnel1 created 00:00:57, expire 00:04:02

Type: dynamic, Flags: unique registered

NBMA address: 19.19.19.19

1.1.1.3/32 via 1.1.1.3, Tunnel1 created 00:00:48, expire 00:04:11

Type: dynamic, Flags: unique registered

NBMA address: 20.20.20.20

Before PING

Spoke1#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

286
 CCIE SECURITY V5

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 1.1.1.0/24 is directly connected, Tunnel1

L 1.1.1.2/32 is directly connected, Tunnel1

18.0.0.0/24 is subnetted, 1 subnets

B 18.18.18.0 [20/0] via 19.19.19.21, 00:21:49

19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 19.19.19.0/24 is directly connected, GigabitEthernet0/0

L 19.19.19.19/32 is directly connected, GigabitEthernet0/0

20.0.0.0/24 is subnetted, 1 subnets

B 20.20.20.0 [20/0] via 19.19.19.21, 00:21:49

D 192.168.18.0/24 [90/27008000] via 1.1.1.1, 00:02:01, Tunnel1

192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks

287
 CCIE SECURITY V5

C 192.168.19.0/24 is directly connected, Loopback0

L 192.168.19.1/32 is directly connected, Loopback0

D 192.168.20.0/24 [90/28288000] via 1.1.1.3, 00:01:56, Tunnel1

Spoke1#show ip cef 192.168.20.1

192.168.20.0/24

nexthop 1.1.1.3 Tunnel1

Before PING

Spoke1#show ip nhrp

1.1.1.1/32 via 1.1.1.1

Tunnel1 created 00:03:17, never expire

Type: static, Flags: used

NBMA address: 18.18.18.18

Spoke1#ping 192.168.20.1 source lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.19.1

!!!!!

288
 CCIE SECURITY V5

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/68 ms

Spoke1#show ip cef 192.168.20.0

192.168.20.0/24

nexthop 1.1.1.3 Tunnel1

Spoke1#show ip nhrp

1.1.1.1/32 via 1.1.1.1

Tunnel1 created 00:09:10, never expire

Type: static, Flags: used

NBMA address: 18.18.18.18

1.1.1.2/32 via 1.1.1.2

Tunnel1 created 00:00:01, expire 00:04:58

Type: dynamic, Flags: router unique local

NBMA address: 19.19.19.19

(no-socket)

1.1.1.3/32 via 1.1.1.3

Tunnel1 created 00:00:01, expire 00:04:57

Type: dynamic, Flags: router nhop rib

NBMA address: 20.20.20.20

192.168.19.0/24 via 1.1.1.2

289
 CCIE SECURITY V5

Tunnel1 created 00:00:01, expire 00:04:58

Type: dynamic, Flags: router unique local

NBMA address: 19.19.19.19

(no-socket)

192.168.20.0/24 via 1.1.1.3

Tunnel1 created 00:00:01, expire 00:04:57

Type: dynamic, Flags: router used rib nho

NBMA address: 20.20.20.20

The NHRP datatbase shows new dynamic entries for the remote spoke and the “local” entry for Spoke which is created
when sending an NHRP resolution reply.

Spoke1#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

290
 CCIE SECURITY V5

Gateway of last resort is not set

1.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C 1.1.1.0/24 is directly connected, Tunnel1

L 1.1.1.2/32 is directly connected, Tunnel1

H 1.1.1.3/32 is directly connected, 00:01:21, Tunnel1

18.0.0.0/24 is subnetted, 1 subnets

B 18.18.18.0 [20/0] via 19.19.19.21, 00:30:13

19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 19.19.19.0/24 is directly connected, GigabitEthernet0/0

L 19.19.19.19/32 is directly connected, GigabitEthernet0/0

20.0.0.0/24 is subnetted, 1 subnets

B 20.20.20.0 [20/0] via 19.19.19.21, 00:30:13

D 192.168.18.0/24 [90/27008000] via 1.1.1.1, 00:10:25, Tunnel1

192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.19.0/24 is directly connected, Loopback0

L 192.168.19.1/32 is directly connected, Loopback0

D % 192.168.20.0/24 [90/28288000] via 1.1.1.3, 00:10:20, Tunnel1

Spoke1#show ip route next-hop-override

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

291
 CCIE SECURITY V5

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

1.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C 1.1.1.0/24 is directly connected, Tunnel1

L 1.1.1.2/32 is directly connected, Tunnel1

H 1.1.1.3/32 is directly connected, 00:00:02, Tunnel1

18.0.0.0/24 is subnetted, 1 subnets

B 18.18.18.0 [20/0] via 19.19.19.21, 00:37:29

19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 19.19.19.0/24 is directly connected, GigabitEthernet0/0

L 19.19.19.19/32 is directly connected, GigabitEthernet0/0

20.0.0.0/24 is subnetted, 1 subnets

292
 CCIE SECURITY V5

B 20.20.20.0 [20/0] via 19.19.19.21, 00:37:29

D 192.168.18.0/24 [90/27008000] via 1.1.1.1, 00:17:41, Tunnel1

192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.19.0/24 is directly connected, Loopback0

L 192.168.19.1/32 is directly connected, Loopback0

D % 192.168.20.0/24 [90/28288000] via 1.1.1.3, 00:17:36, Tunnel1

[NHO][90/255] via 1.1.1.3, 00:00:02, Tunnel1

LAB-3.5: - SSL CLIENTLESS VPN

TASK1 PERFORM SSL CLIENTLESS VPN

293
 CCIE SECURITY V5

 Your configuration should meet the following requirements on ASA1:

 VPN access credentials should be username: cisco password: cisco.
 Connection banner should be Welcome to Netmetric.
 Group alias should be named ccnp
 The Ca trustpoint should be configured as follows:
 Name : trust
 Enrollement : self

 RSA key : ccnp

 Session idle time 24 hours
 Idle Time out 24 hours
 The web ACL implementation should only allow the following URLs:
 http://server1.cisco.com:8080
 http://server2.cisco.com:8080
 The bookmarks for the above servers should appear in the server portal as server1 and server2
respectively.
 Make sure that even when you close the RDP connection to client_pc that should not tear down
the established VPN session.
 The DNS server is at 150.1.7.164
 Note:
Any information not provided for this task can be assumed by the candidate.

Configuration on ASA

ASA1v

int gi0/0

nameif outside

ip address 20.1.1.1 255.255.255.0

no sh
294
 CCIE SECURITY V5

int gi0/1

nameif inside

ip add 10.1.10.1 255.255.255.0

no sh

router eigrp 1

network 10.1.10.0 255.255.255.0

ASA1# show int ip br

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 20.1.1.1 YES manual up up

GigabitEthernet0/1 10.1.10.1 YES manual up up

ASA1# show nameif

Interface Name Security

GigabitEthernet0/0 outside 0

GigabitEthernet0/1 inside 100

ASA1# show eigrp neighbors

EIGRP-IPv4 Neighbors for AS(1)

295
 CCIE SECURITY V5

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 10.1.10.10 inside 14 00:00:14 10 200 0 6

ASA1# show route

D 1.1.1.0 255.255.255.0 [90/130816] via 10.1.10.10, 00:01:25, inside

D 2.2.2.0 255.255.255.0 [90/130816] via 10.1.10.10, 00:01:25, inside

C 10.1.10.0 255.255.255.0 is directly connected, inside

L 10.1.10.1 255.255.255.255 is directly connected, inside

C 20.1.1.0 255.255.255.0 is directly connected, outside

L 20.1.1.1 255.255.255.255 is directly connected, outside

dns domain-lookup mgmt

dns name-server 150.1.7.164

domain-name cisco.com

crypto key generate rsa label ccnp modulus 1024

crypto ca trustpoint trust

enrollment self

keypair ccnp

296
 CCIE SECURITY V5

subject-name CN=asa1.cisco.com

ASA1(config)# crypto ca enroll trust

% The fully-qualified domain name in the certificate will be: ASA1.cisco.com

% Include the device serial number in the subject name? [yes/no]: yes

Generate Self-Signed Certificate? [yes/no]: yes

access-list webacl webtype permit url http://server1.cisco.com:8080

access-list webacl webtype permit url http://server2.cisco.com:8080

group-policy ccnp internal

group-policy ccnp attributes

banner value Welcome to Netmetric

vpn-idle-timeout 1440

vpn-session-timeout 1440

vpn-tunnel-protocol ssl-clientless

webvpn

filter value webacl

exit

tunnel-group ccnp type remote-access

tunnel-group ccnp general-attributes

297
 CCIE SECURITY V5

default-group-policy ccnp

tunnel-group ccnp webvpn-attributes

group-alias ccnp enable

webvpn

enable outside

tunnel-group-list enable

username admin password cisco privilege 15

ssl trust-point trust outside

Repeat Task 1.3 for ASDM image as, we cannot create the bookmarks from the CLI.

copy tftp://150.1.7.20/asdm-782-151.bin flash:

http server enable

http 150.1.7.0 255.255.255.0 mgmt

asdm image boot:/asdm-79150.bin

298
CCIE SECURITY V5

299
CCIE SECURITY V5

300
CCIE SECURITY V5

301
 CCIE SECURITY V5

Click on the Assign

302
CCIE SECURITY V5

303
 CCIE SECURITY V5

from the client-pc open the internet explorer and give https://20.1.1.1

username and password admin/cisco

304
CCIE SECURITY V5

305
 CCIE SECURITY V5

username and password admin/cisco

306
 CCIE SECURITY V5

ASA1# show vpn-sessiondb webvpn

Session Type : WebVPN

Username : admin Index : 3

Public IP : 20.1.1.6

Protocol : Clientless

License : AnyConnect Premium

307
 CCIE SECURITY V5

Encryption : Clientless : (1)AES256 Hashing : Clientless: (1)SHA1

Bytes Tx : 314701 Bytes Rx : 40457

Group Policy : ccnp Tunnel Group : ccnp

Login Time : 14:39:56 UTC Sat Aug 18 2018

Duration : 0h:02m:18s

Inactivity : 0h:00m:00s

VLAN Mapping : N/A VLAN : none

Audt Sess ID : 960107a6000030005b782fbc

Security Grp : none

LAB-3.6: - CISCO ANYCONNECT WITH IKEV2

308
 CCIE SECURITY V5

TASK1 PERFORM ANYCONNECT CLIENTBASED VPN

 Configure the ASA1 with the following IP address and nameif mentioned in the above diagram
 Use Eigrp as the routing protocol between the ASA1 and DC-Router and advertise the 10.1.10.0/24
network with AS 1.
 Your configuration should meet the following requirements on ASA1V:

 The tunnel should negotiate IKEv2 policy and IPsec proposal for AES-256 encryption.
 The tunnel should only secure traffic for server1 and server2.

 The client address pool should be 100.10.1.1-100.10.1.10/24.

 The session tunnel should remain connected for 24 hours even without any activity.
 The connection profile name should be “ConnectionP”
 The group alias for the session should be “ccnpprofile”.
 The trustpoint for the implementation should be named “trust” using RSA key pair “ccnp”
 ASA should authenticate the session locally for Credential :- username cisco password cisco.
 Use the FireFox browser to test your connectivity with server1 and server2
Any information not
provided for this task can be assumed by the candidate.

 For detail solution please refer to the “avi” file uploaded on the resource portal

Configuration on ASA1: -

NOTE: - Use Gi0/0 instead of Fa0/0 on R29 and R30

R27(KS):

Ip vrf mgmt
309
 CCIE SECURITY V5

rd 20:20

LAB-3.7: - GETVPN WITH VRF AWARE

GET VPN is a technology used to encrypt traffic going through unsecured networks. It leverages
IPSec protocol suite to enforce Integrity and Confidentiality of data. Typical GET deployment
consists a router called Key Server (KS) and a couple of routers called Group Members (GMs). The
KS is used to create, maintain and send a “policy” to GMs. The policy is an information what traffic
should be encrypted by GM and what encryption algorithms must be used. The most important
function of KS is generation of encryption keys. There are two keys used:

TEK – Transport Encryption Key – used by GM to encrypt the data
KEK – Key Encryption Key –
used to encrypt information between KS and GM
A very important aspect of GET is that it does
310
 CCIE SECURITY V5

not set up any IPSec tunnels between GMs! It is NOT like DMVPN. Every GM has the policy (what
to encrypt, what encryption algorithm to use, what key is used by the encryption algorithm) and
just encrypt every packet conforming its policy and sends it out to the network using ESP
(Encapsulated Security Payload). Note that it uses original IP addresses to route the packet out
(this is called IP Header Preservation mechanism), hence the packet can be routed towards every
other router in the network as long as the routing table has such information.

TASK1 PERFORM GETVPN ON KEY SERVER AND GROUP MEMBER

 VRF for SITE_A should be site_a 


 VRF for SITE_B should be site_b
 Registration link between the KS and GM should be in vrf mgmt.
 Pre-shared key between the sites should be “cisco”

 ISAKMP policy should have encryption aes and DH Group 5
 Identity number for site_a should be 10
 Identity number for site_b should be 20
 Re-keyring authentication should use RSA key “ccnpkey” for both sites
 Rekey Algorithm should be aes and transport Unicast.
 The implementation should secure traffic site_a between 192.168.29.0/24 and 192.168.30.0/24
networks.

 The implementation should secure traffic site_b between 192.168.29.0/24 and 192.168.30.0/24
networks.
 EIGRP routing process for site_a and site_b should be authenticated using mode MD5 and password
ccnp

 Notes:
Prefer to the topology for addressing VLAN and EIGRP routing information. SW_GET is
preconfigured for this task.


Configuration on Routers: -

311
 CCIE SECURITY V5

NOTE: - Use Gi0/0 instead of Fa0/0 on R29 and R30

R27(KS):

Ip vrf mgmt

rd 20:20

Interface fa0/0

ip vrf forwarding mgmt


ip address 20.1.20.3 255.255.255.0

no shutdown


First we need RSA keys to be used by our KS for Rekey process. The KS must send out a new TEK (and KEK) before TEK is
expired (default is 3600 seconds). It does this in so-called Rekey phase. This phase is authenticated and secured by ISAKMP
SA which is established between KS and GM. This ISAKMP uses GDOI messages (think of this like a mutation of IKE) to build
SA and encrypt GM registration. The GDOI uses UDP/848 instead of UDP/500 like IKE does. The RSA keys are used to
authenticated the KS to GM in the Rekey process.
Remember that to generate new RSA keys you must have Hostname and
Domain-name configured on the router.

crypto key generate rsa label ccnp modulus 2048

ip domain-name cisco.com

312
 CCIE SECURITY V5

Then we need ISAKMP parameters, just like in regular IPSec configuration. Pre-shared key must be specified on both KS and
GM to be able to authenticate. This will be used to establish ISAKMP SA to secure further GDOI messages.

Crypto isakmp policy 10

authentication pre-share

encryption aes

group 5

exit

crypto keyring mgmt vrf mgmt


pre-shared-key address 0.0.0.0 0.0.0.0 key cisco

The IPSec parameters must be configured on KS. These parameters are not used by KS itself. They are part of policy that will
be send down to the GMs. The IPSec profile tells the GM what encryption algorithm use.

crypto ipsec transform-set TS esp-aes esp-sha-hmac

crypto ipsec profile IPSPROFILE

set transform-set TS

Now it’s time to configure KS. To do that we need to specify The Group. One KS may have many groups and each group may
have different security policy.

crypto gdoi group site_a

identity number 10

server local
313
 CCIE SECURITY V5

Here we need to specify Rekey parameters. The Rekey phase can be performed in two ways:

- Unicast Rekey – when we do not have multicast support in our infrastructure (may be a case when ISP
does not support multicast in its IP VPN cloud). The KS sends down a Rekey packet to every GM it knows of. 


- Multicast Rekey – when we have multicast ready infrastructure, then we can enable multicast Rekey and
the KS generates only one packet and sends it down to all GMs at one time 


rekey algorithm aes 256

rekey authentication mypubkey rsa ccnp
rekey transport unicast


Now it’s time to configure policy for our GMs. Encryption policy is created by IPSec Profile configured earlier. To tell the
GMs what packets they should encrypt, we need another ACL (extended this time). Our ACL is named site_a. The last
parameter important is KS’s IP address. This parameter must as well be send don to the GMs as KS may be run on different
IP address (like Loopback).

sa ipsec 1
profile IPSPROFILE
match address ipv4 site_a
address ipv4 20.1.20.3

Same for Site_b

crypto gdoi group site_b

identity number 20
server local

314
 CCIE SECURITY V5

rekey algorithm aes 256


rekey authentication mypubkey rsa ccnp

rekey transport unicast


sa ipsec 1

profile IPSPROFILE
match address ipv4 site_b
address ipv4 20.1.20.3

ip access-list extended site_a


permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

ip access-list extended site_b


permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

R29(GM):

Hostname R29

int gi0/0

no sh

315
 CCIE SECURITY V5

ip vrf mgmt
rd 20:20
ip vrf site_a
rd 100:100
ip vrf site_b
rd 200:200

key chain ccnp

key 1
key-string ccnp

interface Loopback100
ip vrf forwarding site_a
ip address 192.168.29.29 255.255.255.255

interface Loopback200


ip vrf forwarding site_b

ip address 192.168.29.29 255.255.255.255

interface gi0/0.20
encapsulation dot1Q 20

ip vrf forwarding mgmt


316
 CCIE SECURITY V5

ip address 20.1.20.29 255.255.255.0

interface gi0/0.100
encapsulation dot1Q 100

ip vrf forwarding site_a


ip address 20.1.45.29 255.255.255.0


ip authentication mode eigrp 505 md5

ip authentication key-chain eigrp 505 ccnp

interface gi0/0.200
encapsulation dot1Q 200

ip vrf forwarding site_b

ip address 20.1.45.29 255.255.255.0


ip authentication mode eigrp 505 md5

ip authentication key-chain eigrp 505 ccnp

router eigrp 55
address-family ipv4 vrf site_a autonomous-system 505

network 20.1.45.0 0.0.0.255

network 192.168.29.0
exit-address-family


317
 CCIE SECURITY V5

address-family ipv4 vrf site_b autonomous-system 505

network 20.1.45.0 0.0.0.255


network 192.168.29.0
exit-address-family

R30(GM):

Hostname R30

int gi0/0

no sh

ip vrf mgmt
rd 20:20

ip vrf site_a
rd 100:100

ip vrf site_b
rd 200:200

key chain ccnp

318
 CCIE SECURITY V5

key 1
key-string ccnp

interface Loopback100
ip vrf forwarding site_a
ip address 192.168.30.30 255.255.255.255

interface Loopback200


ip vrf forwarding site_b


ip address 192.168.30.30 255.255.255.255

interface gi0/0.20

encapsulation dot1Q 20

ip vrf forwarding mgmt


ip address 20.1.20.30 255.255.255.0

interface gi0/0.100
encapsulation dot1Q 100

ip vrf forwarding site_a


ip address 20.1.45.30 255.255.255.0


ip authentication mode eigrp 505 md5

319
 CCIE SECURITY V5


ip authentication key-chain eigrp 505 ccnp

interface gi0/0.200
encapsulation dot1Q 200

ip vrf forwarding site_b

ip address 20.1.45.30 255.255.255.0


ip authentication mode eigrp 505 md5


ip authentication key-chain eigrp 505 ccnp

router eigrp 55

address-family ipv4 vrf site_a autonomous-system 505

network 20.1.45.0 0.0.0.255
network 192.168.30.0
exit-address-family


address-family ipv4 vrf site_b autonomous-system 505

network 20.1.45.0 0.0.0.255


network 192.168.30.0
exit-address-family

Verification:

R29#show ip route vrf site_a eigrp

Routing Table: site_a

320
 CCIE SECURITY V5

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

192.168.30.0/32 is subnetted, 1 subnets

D 192.168.30.30
[90/130816] via 20.1.45.30, 00:00:23, GigabitEthernet0/0.100

R29#show ip route vrf site_b eigrp

Routing Table: site_b

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
321
 CCIE SECURITY V5

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

192.168.30.0/32 is subnetted, 1 subnets

D 192.168.30.30

[90/130816] via 20.1.45.30, 00:01:16, GigabitEthernet0/0.200

R29# ping vrf site_a 192.168.30.30 source loopback 100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
Packet sent with a source address of 192.168.29.29
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/27/48 ms

R29#ping vrf site_b 192.168.30.30 source loopback 200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
322
 CCIE SECURITY V5

Packet sent with a source address of 192.168.29.29

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 22/27/36 ms

R29#ping vrf mgmt 20.1.20.3 source gi0/0.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.20.3, timeout is 2 seconds:

Packet sent with a source address of 20.1.20.29

!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/19/35 ms

Now Configure The GM to download the policy from the KS

Configuration on R29: -

R29 is our first GM. We need the following to be configured on every GM:

- ISAKMP policy and pre-shared key (in case of PSK) - the Group to which the GM needs to be registered to
- (optional) ACL
to exclude some traffic from encryption

- crypto map type GDOI

323
 CCIE SECURITY V5

Crypto isakmp policy 10

authentication pre-share

encryption aes

group 5

exit

crypto keyring mgmt vrf mgmt


pre-shared-key address 20.1.20.3 key cisco

crypto gdoi group site_a

identity number 10

server address ipv4 20.1.20.3


client registration interface gi0/0.20

crypto gdoi group site_b

identity number 20

server address ipv4 20.1.20.3

client registration interface gi0/0.20

crypto map site_a 10 gdoi

324
 CCIE SECURITY V5

set group site_a

crypto map site_b 10 gdoi
set group site_b

int gi0/0.100
crypto map site_a

int gi0/0.200

crypto map site_b

Configuration on R30:

Crypto isakmp policy 10

authentication pre-share

encryption aes

group 5

exit

crypto keyring mgmt vrf mgmt


pre-shared-key address 20.1.20.3 key cisco

325
 CCIE SECURITY V5

crypto gdoi group site_a

identity number 10

server address ipv4 20.1.20.3


client registration interface gi0/0.20

crypto gdoi group site_b

identity number 20

server address ipv4 20.1.20.3

client registration interface gi0/0.20

crypto map site_a 10 gdoi

set group site_a
crypto map site_b 10 gdoi
set group site_b

int gi0/0.100
crypto map site_a

int gi0/0.200
crypto map site_b

326
 CCIE SECURITY V5

KS#show crypto gdoi group site_a

Group Name : site_a (Unicast)

Group Identity : 10
Group Members :2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86224 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts :2
Group Retransmit
Remaining Lifetime : 0 secs

IPSec SA Number :1
IPSec SA Rekey Lifetime : 3600 secs
Profile Name : IPSPROFILE
Replay method : Count Based
Replay Window Size : 64
SA Rekey

Remaining Lifetime : 3425 secs

327
 CCIE SECURITY V5

ACL Configured : access-list site_a

Group Server list : Local

KS#show crypto gdoi group site_b

Group Name : site_b (Unicast)

Group Identity : 20
Group Members :2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86195 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts :2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number :1

IPSec SA Rekey Lifetime : 3600 secs

Profile Name : IPSPROFILE
Replay method : Count Based

Replay Window Size : 64

328
 CCIE SECURITY V5

SA Rekey
Remaining Lifetime : 3396 secs
ACL Configured : access-list site_b

Group Server list : Local

KS#show crypto gdoi ks policy

Key Server Policy:

For group site_a (handle: 2147483650) server 20.1.20.3 (handle: 2147483650):

# of teks : 1 Seq num : 0

KEK POLICY (transport type : Unicast)

spi : 0x26778C2AF4A83B1747C42DAC7CEA8D6

management alg : disabled encrypt alg : AES

crypto iv length : 16 key size : 32

orig life(sec) : 86400 remaining life(sec) : 86165

sig hash algorithm : enabled sig key length : 294

sig size : 256

sig key name : ccnp

TEK POLICY (encaps : ENCAPS_TUNNEL)

spi : 0xD17F4FD5 access-list : site_a

329
 CCIE SECURITY V5

# of transforms :0 transform : ESP_AES

hmac alg : HMAC_AUTH_SHA

alg key size : 16 sig key size : 20

orig life(sec) : 3600 remaining life(sec) : 3366

tek life(sec) : 3600 elapsed time(sec) : 234

antireplay window size : 64

Key Server Policy:

For group site_b (handle: 2147483651) server 20.1.20.3 (handle: 2147483651):

# of teks :1 Seq num : 0

KEK POLICY (transport type : Unicast)

spi : 0x91BA0BFE365FEBEB1CF752BBD5C726ED

management alg : disabled encrypt alg : AES

crypto iv length : 16 key size : 32

orig life(sec) : 86400 remaining life(sec) : 86167

sig hash algorithm : enabled sig key length : 294

sig size : 256

sig key name : ccnp

330
 CCIE SECURITY V5

TEK POLICY (encaps : ENCAPS_TUNNEL)

spi : 0xD4615608 access-list : site_b

# of transforms :0 transform : ESP_AES

hmac alg : HMAC_AUTH_SHA

alg key size : 16 sig key size : 20

orig life(sec) : 3600 remaining life(sec) : 3368

tek life(sec) : 3600 elapsed time(sec) : 232

antireplay window size: 64

See both keys: TEK and KEK.
KEK – for Rekey encryption, default lifetime 24 hours, default enrytpion algorithm 3DES
TEK
– for traffic encryption between GMs, default lifetime 1 hour, encryption elgorith depends on configured policy (no
defaults).

KS# show crypto gdoi ks acl

Group Name: site_a

Configured ACL:

access-list site_a permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list site_a permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

331
 CCIE SECURITY V5

Group Name: site_b

Configured ACL:

access-list site_b permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list site_b permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

KS#show crypto gdoi ks members

Group Member Information:

Number of rekeys sent for group site_a :0

Group Member ID : 20.1.20.29

Group ID : 10

Group Name : site_a

Key Server ID : 20.1.20.3

Rekeys sent :0

Rekeys retries :0

Rekey Acks Rcvd :0

Rekey Acks missed :0

332
 CCIE SECURITY V5

Sent seq num : 0 0 0 0

Rcvd seq num : 0 0 0 0

Group Member ID : 20.1.20.30

Group ID : 10

Group Name : site_a

Key Server ID : 20.1.20.3

Rekeys sent :0

Rekeys retries :0

Rekey Acks Rcvd :0

Rekey Acks missed :0

Sent seq num : 0 0 0 0

Rcvd seq num : 0 0 0 0

Number of rekeys sent for group site_b :0

Group Member ID : 20.1.20.29

Group ID : 20

Group Name : site_b

Key Server ID : 20.1.20.3

333
 CCIE SECURITY V5

Rekeys sent :0

Rekeys retries :0

Rekey Acks Rcvd :0

Rekey Acks missed :0

Sent seq num : 0 0 0 0

Rcvd seq num : 0 0 0 0

Group Member ID : 20.1.20.30

Group ID : 20

Group Name : site_b

Key Server ID : 20.1.20.3

Rekeys sent :0

Rekeys retries :0

Rekey Acks Rcvd :0

Rekey Acks missed :0

Sent seq num : 0 0 0 0

Rcvd seq num : 0 0 0 0

KS# show crypto gdoi ks rekey

334
 CCIE SECURITY V5

Group site_a (Unicast)

Number of Rekeys sent :0

Number of Rekeys retransmitted :0

KEK rekey lifetime (sec) : 86400

Remaining lifetime (sec) : 85978

Retransmit period : 10

Number of retransmissions :2

IPSec SA 1 lifetime (sec) : 3600

Remaining lifetime (sec) : 3179

Group site_b (Unicast)

Number of Rekeys sent :0

Number of Rekeys retransmitted :0

KEK rekey lifetime (sec) : 86400

Remaining lifetime (sec) : 85981

Retransmit period : 10

Number of retransmissions :2

IPSec SA 1 lifetime (sec) : 3600

Remaining lifetime (sec) : 3182

We have configured that for Rekey phase. It is very important for Unicast Rekey that KS will retransmit Rekey message if it
335
 CCIE SECURITY V5

didn’t receive ACK from the GM.

KS#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

20.1.20.3 20.1.20.29 GDOI_IDLE 1001 0 ACTIVE

20.1.20.3 20.1.20.30 GDOI_IDLE 1002 0 ACTIVE

Note that ISAKMP SA is established between KS and GMs only. There is no ISAKMP SA between GMs.

KS#show crypto ipsec sa

No SAs found

There are no IPSec SA between KS and GMs. All is done using ISAKMP SA. After IKE Phase 1 establishes the SA, the GDOI
protocol uses it for GM Registration and Rekey.

The same bunch of commands are on GMs.

On R29

R29#show crypto gdoi gm

336
 CCIE SECURITY V5

Group Member Information For Group site_a:

IPSec SA Direction : Both

ACL Received From KS : gdoi_group_site_a_temp_acl

Group member : 20.1.20.29 vrf: mgmt

Local addr/port : 20.1.20.29/848

Remote addr/port : 20.1.20.3/848

fvrf/ivrf : mgmt/mgmt

Version : 1.0.17

Registration status : Registered

Registered with : 20.1.20.3

Re-registers in : 2845 sec

Succeeded registration :1

Attempted registration :1

Last rekey from : 0.0.0.0

Last rekey seq num :0

Unicast rekey received :0

Rekey ACKs sent :0

Rekey Received : never

DP Error Monitoring : OFF

IPSEC init reg executed :0

337
 CCIE SECURITY V5

IPSEC init reg postponed :0

Active TEK Number :1

SA Track (OID/status) : disabled

Group Member Information For Group site_b:

IPSec SA Direction : Both

ACL Received From KS : gdoi_group_site_b_temp_acl

Group member : 20.1.20.29 vrf: mgmt

Local addr/port : 20.1.20.29/848

Remote addr/port : 20.1.20.3/848

fvrf/ivrf : mgmt/mgmt

Version : 1.0.17

Registration status : Registered

Registered with : 20.1.20.3

Re-registers in : 2874 sec

Succeeded registration :1

Attempted registration :1

Last rekey from : 0.0.0.0

Last rekey seq num :0

Unicast rekey received :0

338
 CCIE SECURITY V5

Rekey ACKs sent :0

Rekey Received : never

DP Error Monitoring : OFF

IPSEC init reg executed :0

IPSEC init reg postponed :0

Active TEK Number :1

SA Track (OID/status) : disabled

R29#show crypto gdoi gm acl

Group Name: site_a

ACL Downloaded From KS 20.1.20.3:

access-list permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

ACL Configured Locally:

ACL of default bypass policy for group-key management traffic:

GigabitEthernet0/0.100: None (registration/rekey occurs via vrf mgmt)

Group Name: site_b

ACL Downloaded From KS 20.1.20.3:

access-list permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

339
 CCIE SECURITY V5

access-list permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

ACL Configured Locally:

ACL of default bypass policy for group-key management traffic:

GigabitEthernet0/0.200: None (registration/rekey occurs via vrf mgmt)

R29#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

20.1.20.3 20.1.20.29 GDOI_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R29#show crypto ipsec sa

interface: GigabitEthernet0/0.100

Crypto map tag: site_a, local addr 20.1.45.29

protected vrf: site_a

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

340
 CCIE SECURITY V5

remote ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

Group: site_a

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.1.45.29, remote crypto endpt.: 0.0.0.0

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.100

current outbound spi: 0xD17F4FD5(3514781653)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xD17F4FD5(3514781653)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: site_a

341
 CCIE SECURITY V5

sa timing: remaining key lifetime (sec): 2722

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD17F4FD5(3514781653)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: site_a

sa timing: remaining key lifetime (sec): 2722

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

342
 CCIE SECURITY V5

outbound ah sas:

outbound pcp sas:

protected vrf: site_a

local ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

Group: site_a

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.1.45.29, remote crypto endpt.: 0.0.0.0

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.100

current outbound spi: 0xD17F4FD5(3514781653)

PFS (Y/N): N, DH group: none

343
 CCIE SECURITY V5

inbound esp sas:

spi: 0xD17F4FD5(3514781653)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: site_a

sa timing: remaining key lifetime (sec): 2722

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD17F4FD5(3514781653)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: site_a

344
 CCIE SECURITY V5

sa timing: remaining key lifetime (sec): 2722

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

interface: GigabitEthernet0/0.200

Crypto map tag: site_b, local addr 20.1.45.29

protected vrf: site_b

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

Group: site_b

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

345
 CCIE SECURITY V5

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.1.45.29, remote crypto endpt.: 0.0.0.0

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.200

current outbound spi: 0xD4615608(3563148808)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xD4615608(3563148808)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: site_b

sa timing: remaining key lifetime (sec): 2723

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

346
 CCIE SECURITY V5

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD4615608(3563148808)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: site_b

sa timing: remaining key lifetime (sec): 2723

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: site_b

local ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

347
 CCIE SECURITY V5

remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

Group: site_b

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.1.45.29, remote crypto endpt.: 0.0.0.0

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.200

current outbound spi: 0xD4615608(3563148808)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xD4615608(3563148808)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: site_b

348
 CCIE SECURITY V5

sa timing: remaining key lifetime (sec): 2723

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD4615608(3563148808)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: site_b

sa timing: remaining key lifetime (sec): 2723

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

349
 CCIE SECURITY V5

outbound ah sas:

outbound pcp sas:

R29#ping vrf site_a 192.168.30.30 source loopback 100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:

Packet sent with a source address of 192.168.29.29

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/52 ms

R29#show crypto ipsec sa

interface: GigabitEthernet0/0.100

Crypto map tag: site_a, local addr 20.1.45.29

protected vrf: site_a

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

Group: site_a

current_peer 0.0.0.0 port 848

350
 CCIE SECURITY V5

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

R29#ping vrf site_b 192.168.30.30 source loopback 200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:

Packet sent with a source address of 192.168.29.29

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 13/25/42 ms

R29#show crypto ipsec sa

interface: GigabitEthernet0/0.200

Crypto map tag: site_b, local addr 20.1.45.29

protected vrf: site_b

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

Group: site_b

351
 CCIE SECURITY V5

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

LAB-3.8: - FLEX VPN

TASK-1 CONFIGURE THE R14, R15 AND R16

 Configure the routes according to the topology

Configuration of Routers: -

Note Use GIGA ethernet instead fastethernet in all the routers

R14:

hostname R14
interface gi0/0
352
 CCIE SECURITY V5

ip address 1.1.1.1 255.255.255.0

no sh

interface Loopback1
ip address 192.168.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 1.1.1.10

R15:

hostname R15

interface GigabitEthernet0/0

ip address 2.2.2.2 255.255.255.0

no sh

interface Loopback1

ip address 192.168.2.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 2.2.2.10

353
 CCIE SECURITY V5

R16:
interface GigabitEthernet0/0
ip address 1.1.1.10 255.255.255.0

no sh

interface GigabitEthernet0/1

ip address 2.2.2.10 255.255.255.0

no sh

TASK-2 SITE TO SITE WITH PSK - FLEX VPN – IKEV2

 Configure the IKEv2 proposal, policy, profile and keyring for the secure communication between
the 192.168.1.1 and 192.168.2.2 device on R14 and R15 respectively.

Configuration of Routers

R14: -

crypto ikev2 proposal ccnp-pro

encryption aes-cbc-128

354
 CCIE SECURITY V5

integrity md5
group 2

crypto ikev2 policy ccnp-policy

proposal ccnp-pro

crypto ikev2 keyring ccnp-key

peer r15
address 2.2.2.2
pre-shared-key cisco

crypto ikev2 profile ccnp-profile

match identity remote address 2.2.2.2 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local ccnp-key

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN

355
 CCIE SECURITY V5

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp

set peer 2.2.2.2
set transform-set TS

set ikev2-profile ccnp-profile

match address VPN
reverse-route static

int gi0/0

crypto map CMAP

R15: -
crypto ikev2 proposal ccnp-pro
encryption aes-cbc-128
integrity md5

group 2

crypto ikev2 policy ccnp-policy

proposal ccnp-pro

356
 CCIE SECURITY V5

crypto ikev2 keyring ccnp-key

peer r14
address 1.1.1.1

pre-shared-key cisco

ip access-list extended VPN

permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto ikev2 profile ccnp-profile

match identity remote address 1.1.1.1 255.255.255.255
authentication local pre-share
authentication remote pre-share

keyring local ccnp-key

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode tunnel

crypto map CMAP 10 ipsec-isakmp

set peer 1.1.1.1

set transform-set TS
set ikev2-profile ccnp-profile

match address VPN

reverse-route static
357
 CCIE SECURITY V5

int gi0/0
crypto map CMAP

R14#ping 192.168.2.2 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1
.!!!!

R14#show crypto ikev2 proposal

IKEv2 proposal : ccnp-pro

Encryption : AES-CBC-128
Integrity : MD596
PRF : MD5
DH Group : DH_GROUP_1024_MODP/Group 2
IKEv2 proposal : default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5
358
 CCIE SECURITY V5

DH_GROUP_1024_MODP/Group 2

R14#show crypto ikev2 policy

IKEv2 policy : ccnp-policy
Match fvrf : global

Match address local : any

Proposal : ccnp-pro

IKEv2 policy : default

Match fvrf : any
Match address local : any

Proposal : default

R14#show crypto ikev2 profile

IKEv2 profile : ccnp-profile

Ref Count :2
Match criteria:
Fvrf : global
359
 CCIE SECURITY V5

Local address/interface : none

Identities : address 2.2.2.2 255.255.255.255
Certificate maps : none

Local identity : none

Remote identity : none
Local authentication method : pre-share

Remote authentication method(s) : pre-share

EAP options : none
Keyring : ccnp-key
Trustpoint(s) : none
Lifetime : 86400 seconds
DPD : disabled

NAT-keepalive : disabled
Ivrf : none
Virtual-template : none
mode auto : none
AAA AnyConnect EAP authentication mlist : none
AAA EAP authentication mlist : none

AAA Accounting : none

AAA group authorization : none
AAA user authorization : none

360
 CCIE SECURITY V5

R14#show crypto ikev2 sa

IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status

1 1.1.1.1/500 2.2.2.2/500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: MD5, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth
verify: PSK

Life/Active Time: 86400/523 sec

IPv6 Crypto IKEv2 SA

R14#show crypto ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 1.1.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

current_peer 2.2.2.2 port 500

PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
361
 CCIE SECURITY V5

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x2BDF8145(736067909)
PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xF0070CCE(4026993870)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4162318/3067)
IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

inbound ah sas:

362
 CCIE SECURITY V5

inbound pcp sas:

outbound esp sas:

spi: 0x2BDF8145(736067909)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }

conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: CMAP

sa timing: remaining key lifetime (k/sec): (4162318/3067)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Section 4 – ISE

363
 CCIE SECURITY V5

GOAL OF THE LAB

Implementing and Configuring Cisco Identity Services Engine v2.4 (SISE) is an identity and access control
policy platform that provides a single policy plane across the entire organization, combining multiple
services into a single context-aware identity-based platform. You will learn how to configure and administer
many of the services, including authentication, authorization and accounting (AAA), posture, profiling, and
guest management. You will also learn the knowledge and skills to enforce security posture compliance
for wired and wireless endpoints and enhance infrastructure security using the Cisco ISE. After completing
this course, you should be able to:

Describe Cisco ISE architecture, installation, and distributed deployment options
 Configure Network
Access Devices (NADs), policy components, and basic authentication and authorization policies in Cisco
ISE - Implement Cisco ISE web authentication and guest services
 Deploy Cisco ISE profiling, posture and
client provisioning services
 Describe administration, monitoring, troubleshooting, and TrustSec SGA
security


364
 CCIE SECURITY V5

LAB-4.1: - ISE INSTALLATION (OPTIONAL)

 Verify the Cisco ISE with the following IP address and setup using CLI

365
 CCIE SECURITY V5

Device Interface IP

ISE-P MGMT NIC 150.1.7.179

ISE-S MGMT NIC 150.1.7.189

ASAv MGMT 150.1.7.166

R1 MGMT 150.1.7.163

AD-DNS MGMT 150.1.7.164

CA-Server MGMT 150.1.7.160

Activity Procedure

Complete these steps:

Output of the commands will take some time. Have patience

TASK1 ACCESS THE CISCO ISE

Step 1: - Access the Cisco ISE console according to your lab access procedures provided by
your instructor

Step 2: - At the login prompt, enter a username of admin and password of Sanfran@1234

Step 3: - You should see the following prompt:

Netmetric-ISE/admin#

366
 CCIE SECURITY V5

TASK2 CHECK THE APPLICATION STATUS

Step 1: -Enter the following command and observe the following output and the status of
the services.

Netmetric-ISE/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID

--------------------------------------------------------------------------------------------

Database Listener running 19567

Database Server running 53 PROCESSES

Application Server running 24839

Profiler Database running 22668

ISE Indexing Engine running 25304

AD Connector running 26091

M&T Session Database running 22576

M&T Log Collector running 25872

M&T Log Processor running 25775

Certificate Authority Service running 25610

EST Service running 25732

SXP Engine Service disabled

TC-NAC Docker Service disabled

TC-NAC MongoDB Container disabled

367
 CCIE SECURITY V5

TC-NAC RabbitMQ Container disabled

TC-NAC Core Engine Container disabled

VA Database disabled

VA Service disabled

pxGrid Infrastructure Service disabled

pxGrid Publisher Subscriber Service disabled

If there is any other state than “is running” it means that there is something wrong with a
particular ISE subsystem/process. To fix that you can try to restart ISE application using
“application stop ise” and then “application start ise”. Be patient as it is going to take some
time.

TASK3 CHECK THE NTP STATUS

Step 1: - Verify NTP synchronization. At the command prompt, type the following command:

ISE-P/admin# show ntp

Configured NTP Servers:

time.nist.gov
150.1.7.164

synchronised to NTP server (150.1.7.164) at stratum 3

368
 CCIE SECURITY V5

time correct to within 156 ms

polling server every 1024 s

remote refid st t when poll reach delay offset jitter

===========================================================================
127.127.1.0 .LOCL. 10 l 96h 64 0 0.000 0.000 0.000
*150.1.7.164 133.243.238.163 2u 130 1024 377 1.120 -14.943 18.948

* Current time source, + Candidate , x False ticker

Warning: Output results may conflict during periods of changing synchronization.

TASK4 CHECK THE DNS LOOKUP

Step 1: - Observe the following output paying attention to the * at the beginning of the line
and the text above indicating “synchronized to NTP Server...”

Step 2: - Verify DNS Name Resolution. At the command prompt enter the following
command:

ISE-P/admin# nslookup ISE-P.cisco.com

Trying "ISE-P.cisco.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62683

369
 CCIE SECURITY V5

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ISE-P.cisco.com. IN ANY

;; ANSWER SECTION:
ISE-P.cisco.com. 3600 IN A 150.1.7.179

Received 49 bytes from 150.1.7.164#53 in 1 ms

TASK5 CHECK THE APPLICATION

Step 1: - Verify the Netmetric-ISE is properly Installed

Cisco ISE is an application installed on underlying operating system called as Cisco ADE. Once
your connected with the ADE we must check what applications are installed. Then we can
use application name

Netmetric-ISE/admin# show application

<name> <Description>

ise Cisco Identity Services Engine

TASK6 CHECK THE ISE VERSION, INTERFACE DETAILS AND ROUTING

370
 CCIE SECURITY V5

Step 1: - Check ISE version

ISE-P/admin# show application version ise

Cisco Identity Services Engine

---------------------------------------------

Version: 2.4.0.357

Build Date: Wed May 25 04:34:43 2016

Install Date: Mon Dec 3 12:27:05 2018

“The main version is 2.4 and the patch level is 357. The build depends on the development
stage. By default, the ISE is in Evaluation mode of 90 days. You can install production license
or use the evaluation license. We do not need to provide any license file for ISE to be
working.”

Step 2: - Check interface configuration

ISE-P/admin# show interface

GigabitEthernet 0
flags=4163<UP, BROADCAST, RUNNING, MULTICAST> mtu 1500
inet 150.1.7.179 netmask 255.255.255.0 broadcast 150.1.7.255
inet6 fe80::20c:29ff:fe11:61bf prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:11:61:bf txqueuelen 1000 (Ethernet)
RX packets 736959 bytes 69764199 (66.5 MiB)
RX errors 0 dropped 763 overruns 0 frame 0
TX packets 393432 bytes 523838004 (499.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

GigabitEthernet 1
flags=4098<BROADCAST, MULTICAST> mtu 1500
ether 00:0c:29:11:61:c9 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
371
 CCIE SECURITY V5

TX packets 0 bytes 0 (0.0 B)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

GigabitEthernet 2
flags=4098<BROADCAST, MULTICAST> mtu 1500
ether 00:0c:29:11:61:d3 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

GigabitEthernet 3
flags=4098<BROADCAST, MULTICAST> mtu 1500
ether 00:0c:29:11:61:dd txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP, LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 7783302 bytes 2956650886 (2.7 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7783302 bytes 2956650886 (2.7 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Make sure that we see RX and TX packet and no error counters increasing. This is the first
indicator that something can be wrong with connectivity. If we do not see giga0 interface
that usually means the interface is down. We may see more interfaces depending on ISE
installation. Some interfaces may be used for profiling services.

Step 3: - Check routing table and default gateway.

372
 CCIE SECURITY V5

ISE-P/admin# show ip route

Destination Gateway Interface

----------- ------- -----

default 150.1.7.1 eth0

150.1.7.0/24 0.0.0.0 eth0

Step 4: - Check the name server and domain configuration. Verify if the DNS works asking to
resolve the FQDN of Netmetric-ISE.cisco.com

ISE-P/admin# show running-config | inc name

hostname Netmetric-ISE
--
ip domain-name cisco.com
--
ip name-server 150.1.7.164
--
username admin password hash
$5$JRiHrdLV$EryTJHf3UBEhVNIb.SWSTvmaGApOkXNJc.0B6HU
QQm0 role admin

TASK7 CHECK THE TIMEZONE AND CLOCK

Step 1: - Check the time-zone and the clock

ISE-P /admin# show clock

Tue Dec 11 07:52:00 UTC 2018

373
 CCIE SECURITY V5

ISE-P /admin# show timezone

UTC

Activity Verification

You have completed this task when you obtain the following results:

Successfully observed Cisco ISE services status 


Successfully observed NTP synchronization 


Successfully performed a nslookup to verify proper name resolution 


Step 2: - Connect through the GUI and check the license. Open up the web browser (IE or FF)
and enter the following URL https://150.1.7.189 or https://netmetric-ise.cisco.com

 Authenticate as admin/Sanfran@1234
 Login to the GUI

 For detail solution please refer to the “avi” file uploaded on the resource portal

TASK8 RESET THE PASSWORD FOR THE GUI TO SANFRAN!1234

Step 1: - From the CLi

ISE-P /admin# application reset-passwd ISE admin

And Give the new Password

374
 CCIE SECURITY V5

LAB-4.2: - ADMINISTRATIVE ACCESS TO ISE

TASK1 SETUP AN ADMINISTRATIVE ACCESS TO ISE

 Configure the following settings for administrative access to ISE

o Access is allowed from the Candidate-PC (150.1.7.20) only.
o Idle session timeout will be 30 mins.
o The admin account should not be disable automatically.
o Login banner should be “Welcome to Netmetric Lab”

Activity Procedure

Complete these steps:

Connect the GUI with the url https://150.1.7.179 from the Candidate-PC
Connect the GUI with the url https://150.1.7.179 from AD-DNS so that later in the task
we can check, whether the GUI opens from Candidate-PC only.

375
 CCIE SECURITY V5

From the Menu Bar,

o Administration
 System
 Admin Access

376
CCIE SECURITY V5

377
 CCIE SECURITY V5

From the Admin Access,

o Settings
 Access
 Sessions

From the Session,

o Change the Banner
From the IP Access
o Change the IP to 150.1.7.20

378
CCIE SECURITY V5

379
CCIE SECURITY V5

380
 CCIE SECURITY V5

From the Admin Access,

o Settings
 Sessions
 Session Timeout

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Verification
Go Back to Active-Directory and check the ISE gui

381
 CCIE SECURITY V5

TASK2 SETUP AN HELPDESK USER ACCESS TO ISE

 Create the helpdesk administrative user name “Help_User”with the password Help123, with
“Helpdesk”group and access to operations menu only. You can pre-configured user settings.
 Set the following password policy for all the accounts created on the ISE:
o Minimum password length is 6 characters.
o Password must not contain the admin name nor words like “cisco”or “test”.
o Password must contain at least one lowercase alphabetic character and one numeric

382
 CCIE SECURITY V5

character.

Activity Procedure

Complete these steps:

From the Admin Access,

o Authentication
 Password Policy

From the Admin Access,

o Authentication
 Password Policy

383
 CCIE SECURITY V5

From the Admin Access,

o Administrators
 Admin Users
 Add the new user

384
 CCIE SECURITY V5

From the Add,

o Create an Admin User

From the User,

o Name
 Password
 Admin Group

385
CCIE SECURITY V5

386
 CCIE SECURITY V5

Check the User

o You can add the description also, if you want.

387
CCIE SECURITY V5

388
 CCIE SECURITY V5

Check the User options for the Menu

o Explore for the required fields.

LAB-4.3: - INTEGRATION WITH ACTIVE DIRECTORY

TASK1 SETUP AN ISE WITH ACTIVE DIRECTORY

 Configure ISE to join Active Directory domain of cisco.com. Use AD user credentials as
administrator/Sanfran@1234 to join the AD domain.
o Use the AD name as “ad-ccnp”with domain as “cisco.com”
o Check the user credentials bob and password as Sanfran@1234 on ISE, by retrieving the

group called as Lab_Netmetric.

389
 CCIE SECURITY V5

Activity Procedure

Complete these steps:

From the Administration

o External Identity Sources

From the Active Directory

o Add the Join Point Name

390
 CCIE SECURITY V5

Credentials
 Username: administrator
391
 CCIE SECURITY V5

 Password: Sanfran@1234

Joint Operation Status

o Completed should be there and in Operational

Test the USER

o By clicking the test user

392
 CCIE SECURITY V5

Test the USER

o By clicking on the test user
 Username : bob
 Password : As mentioned in the question
o It should be Successful

393
 CCIE SECURITY V5

Test the Administration

o Go to Identity Source Sequences
 All_User_ID_Stores
 Send the ad-ccnp to the Selected option
o Save

394
CCIE SECURITY V5

395
 CCIE SECURITY V5

TASK2 SETUP AN ISE WITH ACTIVE DIRECTORY

 Configure new Identity Source Sequence with the name “ccnp_iss”and call the newly added
active directory into this Source Sequence.

Activity Procedure
396
 CCIE SECURITY V5

Complete these steps:

Go the Administration > Identity Management

o Go to Identity Source Sequences
 Add the new Identity Source Sequence

Identity Source Sequence

o New Name “ccnp-iss”
 Add the selected ad-ccnp
 Chose if want to, the description

397
 CCIE SECURITY V5

Verification

398
 CCIE SECURITY V5

LAB-4.4: - CONFIGURE THE DC-ROUTER FOR SSH AUTHENTICATION

TASK SETUP AN AUTHORIZATION AND AUTHENTICATION ON ROUTER

 The authentication request should be forwarded to RADIUS server ISE.

 ISE should check SSH user in the Active Directory database.
 Active Directory is preconfigured and being integrated in the previous task.
 For SSH user credentials bob/Sanfran@1234.
 Make sure that user “bob” belongs to user
group Lab_Netmetric in ISE.

 To authorize the session ISE should check SSH user belongs to Lab_Netmetric and the NAS IP
address DC-Router.

 The user bob should be assigned privilege level 15 on successful authorization.

 The session should not timeout for 24 hours even without any activity.
 You need to test the SSH from candidate PC where dc-router.cisco.com connection profile has
been created putty client.


Configuration on Router

DC-Router

ip domain name cisco.com

crypto key generate rsa modulus 1024

aaa new-model

aaa authentication login NOISE line none

line con 0
login authentication NOISE

radius server ccnp


399
 CCIE SECURITY V5

address ipv4 150.1.7.189 auth-port 1812 acct-port 1813

key cisco

aaa group server radius ISE

server name ccnp

aaa authentication login SSH group ISE

aaa authorization exec SSH group ISE

line vty 0 98


transport input ssh

login authentication SSH
authorization exec SSH
session-timeout 1440
exec-timeout 1440

Open the ISE

o Add the NAD device
 Administration >Network Resources > Network Devices

400
 CCIE SECURITY V5

Network Devices
o Add the NAD device

Name : DC-Router
o IP Address : 150.1.7.163
 Radius Authentication Password : cisco

401
 CCIE SECURITY V5

Add the Groups

o Administration > Identity Management
 Groups

402
 CCIE SECURITY V5

User Identity Group

o Click on Add

403
 CCIE SECURITY V5

Name : Lab_Netmetric
o Add Description as Per your Choice

Add the Identities

o Identity Management

404
 CCIE SECURITY V5

Users
o Click on Add for the New User

405
 CCIE SECURITY V5

Name : bob
o Password Type : ad-ccnp

Name : bob
o Password Type : ad-ccnp
 Group : Lab_Netmetric

406
CCIE SECURITY V5

407
 CCIE SECURITY V5

Check the User

o Can add the Description as per your choice

Create the Authentication Policy

o Policy
 Authentication

408
 CCIE SECURITY V5

Click on Edit
o Insert new row above

Select Attribute
o Select Existing Condition from Library

409
 CCIE SECURITY V5

Radius Nas-Port-type –{61}

o Equals
 Virtual

Select Network Access

o Allowed Protocol
 Default Network Access

410
CCIE SECURITY V5

411
 CCIE SECURITY V5

Check the Authentication Policy

o Save it

Create the Authorization Profile

o Policy Results

Results
o Authorization Profile
 Add

412
 CCIE SECURITY V5

Name : SSH
o Web Authentication For privilege level 15

Advance Attribute Settings

o Idle timeout 28

413
 CCIE SECURITY V5

Advance Attribute Settings

o Idle timeout 28
 86400

414
 CCIE SECURITY V5

Standard Authorization Profiles

o SSH
 Description as per the choice

415
 CCIE SECURITY V5

Advance Attribute Settings

o Idle timeout 28
 86400
 Description : Will be used for Task 4.3 for SSH

Policy
o Authorization

416
 CCIE SECURITY V5

Policy
o Authorization Policy
 Edit

417
 CCIE SECURITY V5

Policy
o Authorization Policy
 Edit
 Inset New Rule Above or Below

Rule Name : SSH

o Any Group : User Identity Group
 Lab_Netmetric

418
 CCIE SECURITY V5

Rule Name : SSH

o Any Group : User Identity Group
 Lab_Netmetric

Condition
 Create New Condition

419
 CCIE SECURITY V5

Radius: Nas-IP-Address
 Equals
 150.1.7.163

Permissions
o Call the SSH Authorization Profile

420
 CCIE SECURITY V5

From the Candidate PC

421
 CCIE SECURITY V5

 Ping dc-router.cisco.com

Putty on the Desktop

 Open dc-router.cisco.com
 Username : bob

422
 CCIE SECURITY V5

ISE Live Logs from Operation tabs

o Explore for more understanding

LAB-4.4: - CISCO TRUSTSEC

TASK CONFIGURE CTS SXP RELATIONSHIP BETWEEN TRUSTSEC-ASA AND SW_P

 Enable the SXP service between the ASA FW and Switch.
 Session should be authenticated with password ccnp.

423
 CCIE SECURITY V5

 Download the CTS Pac on ASA for environmental data from ISE.
o Download the environment data in every 1 hr
o Re-Authenticate every 4 hr.
o Device-ID password ccnpccnp.
o Encryption Key ccnpccnp.
o Pac time-to-live 1 Day.
 Switch will receive the Authentication and Authorization request.
 Configure TrustSec-ASA with the following settings:
o Hostname: TrustSec-ASA
o Interface: mg0/0- name - mgmt. - ip 150.1.7.169/24 - sec-level 100
o Interface: gi0/1 – name - dmz – ip 10.100.10.100/24 – sec-level 50
o Interface: gi0/0 – name–inside – ip 10.100.8.100/24 – sec-level 100
 Configure the SW_P with the following settings:
o VLAN id (Data) - 80
o VLAN id (Mgmt) - 1
o Int VLAN 80 - 10.100.8.80/24
o Use interface - Gi1/0/2

Configuration on SW_P: -

vlan 80

int vlan 80
Ip add 10.100.8.80 255.255.255.0
no sh

Int gi1/0/2
sw mode trunk
424
 CCIE SECURITY V5

no sh

cts sxp enable

cts sxp default source-ip 10.100.8.80
cts sxp default password ccnp
cts sxp connection peer 10.100.8.100 source 10.100.8.80 password default mode peer
listener

Configuration on TrustSec-ASA: -

hostname Trustsec-ASA

interface Management0/0
management-only
nameif mgmt
security-level 100
ip address 150.1.7.169 255.255.255.0
no sh

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.100.8.100 255.255.255.0
no sh

interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 10.100.10.100 255.255.255.0
no sh

cts sxp enable

cts sxp default source-ip 10.100.8.100
425
 CCIE SECURITY V5

cts sxp default password ccnp

cts sxp connection peer 10.100.8.80 source 10.100.8.100 password default mode peer
speaker

Verification:-

TrustSec-ASA# ping 150.1.7.189

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.7.189, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

TrustSec-ASA# ping 10.100.8.80

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.100.8.80, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms

TrustSec-ASA# show cts sxp connections brief

SXP : Enabled
Highest version :3
Default password : Set
Default local IP : 10.100.8.100
Reconcile period : 120 secs
Retry open period : 120 secs
Retry open timer : Running
Total number of SXP connections :1
Total number of SXP connections shown :1
---------------------------------------------------------------------------------------------------------------
Peer IP Local IP Conn Status Duration (dd:hr:mm:sec)
---------------------------------------------------------------------------------------------------------------
426
 CCIE SECURITY V5

10.100.8.80 10.100.8.100 On 0:00:00:19

Add the NAD in Cisco ISE and Generate the PAC file. Once done download the pac file
to the TrustSec-ASA.

Add the NAD device,

o Go to Administration
 Network Resources
 Network Devices
o Click on Add

Name :- TrustSec-ASA >

o IP – 150.1.7.169 >
 Radius Password : ccnpccnp

427
 CCIE SECURITY V5

Step 3 : Change the field in Advance TrustSec Settings > TrustSec Pass ccnpccnp

428
 CCIE SECURITY V5

Step 4 : Generate the PAC with password> ccnpccnp

Step 5 :- Add the required Field

Step 6 :- It will be Saved in your Browser

Step 7 :- Make sure you Submit the NAD device

429
 CCIE SECURITY V5

Step 8 :- Once the PAC is downloaded, Put it into the C Drive : TFTP-Root folder. Make
sure previous present Pac file should not be there, if there please delete and copy the
new one which is downloaded from the Browser.

Step 9 :- Make sure the TFTP Server is running. It should be Start and before importing
the pac make sure check the ping test with 150.1.7.169

430
CCIE SECURITY V5

431
 CCIE SECURITY V5

Step 11 :- Configure Firewall with Radius Commands

aaa-server ISE protocol radius

aaa-server ISE (mgmt) host 150.1.7.189
key cisco

cts server-group ISE


Step 12 :- Import the PAC file on ASA

TrustSec-ASA# copy tftp://150.1.7.20/TrustSec-ASA.pac flash:

Address or name of remote host [150.1.7.20]?

Source filename [TrustSec-ASA.pac]?

Destination filename [TrustSec-ASA.pac]?

Accessing tftp://150.1.7.20/TrustSec-ASA.pac...!!!
Writing file disk0:/TrustSec-ASA.pac...
!
360 bytes copied in 0.170 secs

TrustSec-ASA# show cts pac

432
 CCIE SECURITY V5

PAC-Info:
Valid until: May 27 2019 19:37:12
AID: 7e556b3865dc073012f8d9ce8e29514c
I-ID: TrustSec-ASA
A-ID-Info: ISE
PAC-type: Cisco Trustsec
PAC-Opaque:

000200b800030001000400107e556b3865dc073012f8d9ce8e29514c0006009c00030
100410404a4c36b74fead87b867cfa77d38000000135ce2a26f00093a80e5b06361d8d
f9613bf15b1d1b526cdb2df15c8ea18a6cc3eee42fc1df762054e15925fcb31319e3694
eb10bf0db93e772f225e884b74412afd550e6d74c39cb0a8ad6b10137d08aa1df33594
b0903958f7450a937a77fc5286eb0005ef613be81ce01d459766939922b07e469af0dd
06b104d754e13d3a2244fd1508

WARNING: The PAC will expire in less than 7 days

Trustsec-ASA# show cts environment-data

CTS Environment Data
=====================================================
Status : Active
Last download attempt : Successful
Environment Data Lifetime : 86400 secs
Last update time : 15:53:51 UTC May 27 2019
Env-data expires in : 0:23:59:50 (dd:hr:mm:sec)
Env-data refreshes in : 0:23:49:50 (dd:hr:mm:sec)

Step 13 :- In case it not uploading from the CLI, use ASDM to import the pac

433
 CCIE SECURITY V5

o Goto the Configuration option on the TOP Left.

 Click on Firewall Bottom Left
 Click on Identify by TrustSec
 And Import PAC

434
CCIE SECURITY V5

435
CCIE SECURITY V5

436
CCIE SECURITY V5

437
 CCIE SECURITY V5

LAB-4.5: - CONFIGURE ISE FOR MAB

TASK CONFIGURE MAC AUTHENTICATION BYPASS ON SWITCH AND USE ISE AS

AUTHENTICATION SERVER

 Authenticate the MAB-PC (Windows 7 host) using the MAC address on SW_P port 2/0/47 in a group of

“NetMetric-Workstation”.
 Configure the SW_P to authenticate the MAB-PC on its MAC address.

 Enable the Radius authentication, authorization and accounting.

 Use ISE ports UDP 1812/1813 with a secret key “cisco” and use radius server name as “ccnp”and
group name as “ISE”

 Sourcing the Radius packets from VLAN 1 interface

 Add SW_P as the NAD device in the ISE.

 Create the Authentication Policy for “wired_mab”and allow only PEAP protocol.

 After authentication, MAB-PC should get the IP from the DHCP pool name as “DATA” from SW_P in

vlan 80 network.

 Make sure your implementation of AAA should not impact the console of the SW_P.

Configuration on SW_P: -

Step 1 :- Configure SW_P for the AAA commands and Dot1x configuration

Vlan 80

interface Vlan80

438
 CCIE SECURITY V5

ip address 10.100.8.80 255.255.255.0

ip dhcp excluded-address 10.100.8.100

ip dhcp excluded-address 10.100.8.80

ip dhcp pool data

network 10.100.8.0 255.255.255.0

default-router 10.100.8.100

aaa new-model

aaa authentication login NOISE line none

line console 0

login authentication NOISE

radius server ccnp

address ipv4 150.1.7.189 auth-port 1812 acct-port 1813

key cisco

aaa group server radius ISE

server name ccnp

ip radius source vlan 1

439
 CCIE SECURITY V5

aaa authentication dot1x default group ISE

aaa authorization network default group ISE

aaa accounting dot1x default start-stop group ISE

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server vsa send accounting

radius-server vsa send authentication

ip routing

ip device tracking

dot1x system-auth-control

interface GigabitEthernet2/0/47

switchport access vlan 80

switchport mode access

authentication host-mode multi-auth

440
 CCIE SECURITY V5

authentication port-control auto

mab

no sh

---------------------------------------------------------------------------------------
---------------------

MAB-PC – Check the MAC address of the MAB-PC 00-50-56-AF-47-0E

---------------------------------------------------------------------------------------
---------------------

Go to the ISE add the mac address/groups

441
CCIE SECURITY V5

442
 CCIE SECURITY V5

Click on the Mac Address and Edit

443
 CCIE SECURITY V5

Add the NAD device as SW_P

444
 CCIE SECURITY V5

Now do the Authentication Policy

445
 CCIE SECURITY V5

Select the Existing Condition from the Library

Compound Condition

Select Wired MAB

446
 CCIE SECURITY V5

Select Network Access – Allowed Protocols- Default Network Access

447
 CCIE SECURITY V5

And Use Internal Endpoints for MAB Authentication

Save it.

Goto the MAB PC and enable Disable the NIC Adapter

448
 CCIE SECURITY V5

Once Done Go to the ISE - Operations  Radius Live Logs

Check the detail Report of the ISE

449
 CCIE SECURITY V5

SW2_P#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A200000FB967A7ABAE

Session count = 1

Key to Session Events Blocked Status Flags:

450
 CCIE SECURITY V5

A - Applying Policy (multi-line status for details)

D - Awaiting Deletion

F - Final Removal in progress

I - Awaiting IIF ID allocation

N - Waiting for AAA to come up

P - Pushed Session

R - Removing User Profile (multi-line status for details)

U - Applying User Profile (multi-line status for details)

X - Unknown Blocker

SW2_P#show ip dhcp binding

Bindings from all pools not associated with VRF:

IP address Client-ID/ Lease expiration Type State Interface

Hardware address/

User name

10.100.8.1 0100.5056.af47.0e May 22 2019 06:09 AM Automatic Active Vlan80

SW2_P#show ip device tracking all

Global IP Device Tracking for clients = Enabled

Global IP Device Tracking Probe Count = 3

Global IP Device Tracking Probe Interval = 30

451
 CCIE SECURITY V5

Global IP Device Tracking Probe Delay Interval = 0

------------------------------------------------------------------------------------------------------------------------

IP Address MAC Address Vlan Interface Probe-Timeout State Source

------------------------------------------------------------------------------------------------------------------------

10.100.8.1 0050.56af.470e 80 GigabitEthernet2/0/47 30 ACTIVE ARP

Total number interfaces enabled: 1

Enabled interfaces:

Gi2/0/47

452
CCIE SECURITY V5

453
 CCIE SECURITY V5

LAB-4.6: - CONFIGURE ISE FOR MAB VLAN AUTHORIZATION

TASK CONFIGURE MAC AUTHENTICATION BYPASS ON SWITCH AND USE ISE AS

AUTHORIZATION SERVER

 Once the MAB-PC is authenticated in the previous question, create an Authorization Profile “MAB”
allowing it to access in VLAN 80.

 ISE should do the authorization on the basis of the NAS-IP-Address of the Switch and with proper Internal

Endpoint Group of Workstation.

 ISE should push the DACL to permit ip traffic from any source to any destination.

454
CCIE SECURITY V5

455
CCIE SECURITY V5

456
CCIE SECURITY V5

457
CCIE SECURITY V5

458
CCIE SECURITY V5

459
 CCIE SECURITY V5

Go to SW_P and remove the vlan and put the port in shut status

460
 CCIE SECURITY V5

int gi2/0/47

no switchport access vlan 80

sh

no sh

461
CCIE SECURITY V5

462
 CCIE SECURITY V5

SW2_P#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A200000FBD67C1BD8C

Session count = 1

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)

D - Awaiting Deletion

F - Final Removal in progress

I - Awaiting IIF ID allocation

N - Waiting for AAA to come up

P - Pushed Session

R - Removing User Profile (multi-line status for details)

U - Applying User Profile (multi-line status for details)

X - Unknown Blocker

SW2_P#show authentication sessions interface gigabitEthernet 2/0/47 details

Interface : GigabitEthernet2/0/47

IIF-ID : 0x1070D8000000093

MAC Address : 0050.56af.470e

IPv6 Address : Unknown

IPv4 Address : 10.100.8.1

User-Name : 00-50-56-AF-47-0E

Status : Authorized
463
 CCIE SECURITY V5

Domain : DATA

Oper host mode : multi-auth

Oper control dir : both

Session timeout : N/A

Restart timeout : N/A

Common Session ID: 960107A200000FBD67C1BD8C

Acct Session ID : 0x00000FA3

Handle : 0x0200000D

Current Policy : POLICY_Gi2/0/47

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Security Policy : Should Secure

Security Status : Link Unsecure

Server Policies:

Vlan Group : Vlan: 80

ACS ACL : xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

Method status list:

Method State

mab Authc Success

LAB-4.7: - CONFIGURE MAB-PC TO ACCESS SERVER 3 AND SERVER 4

 Create the ISE-Router with HTTP services to access the Server 3 and Server 4 and create user/password
“cisco/cisco”privledge 15

464
 CCIE SECURITY V5

 Give the static route towards next hop

 Create the Loopback 100 for Server 3 and loopback 200 for server 4, IP 192.168.1.1 and 192.168.2.2
respectively

 Configure fa0/0 with 10.100.10.200/24.

 Configure ASA with the Static Route to access the Server 3 and Server 4

Configuration on ISE-Router

Hostname ISE-Router

interface FastEthernet0/0

ip address 10.100.10.200 255.255.255.0

no sh

interface Loopback100

ip address 192.168.1.1 255.255.255.0

interface Loopback200

ip address 192.168.2.2 255.255.255.0

ip http server

ip http authentication local

ip http secure-server

username cisco privilege 15 password cisco

ip route 10.100.8.0 255.255.255.0 10.100.10.100

465
 CCIE SECURITY V5

Configuration on TrustSec-ASA

route dmz 192.168.1.1 255.255.255.255 10.100.10.200

route dmz 192.168.2.2 255.255.255.255 10.100.10.200

Open the MAB-PC and Browse http://192.168.1.1 and http://192.168.2.2

466
 CCIE SECURITY V5

Click on 15 in Monitor the router

467
 CCIE SECURITY V5

Repeat the same for Server 4

468
 CCIE SECURITY V5

LAB-4.8: - CONFIGURE ISE AND ASA FOR TRUSTSEC CLASSIFICATION AND

ENFORCEMENT

TASK1 CONFIGURE ISE SGT TAG

 Create the Security Group Name for the MAB-PC with the name “MAB_CCNP”

469
 CCIE SECURITY V5

 Assign the static Security Group Tag of 16/0016.

470
CCIE SECURITY V5

471
CCIE SECURITY V5

472
CCIE SECURITY V5

473
 CCIE SECURITY V5

Trustsec-ASA# show cts environment-data sg-table

Security Group Table:

Valid until: 15:53:51 UTC May 28 2019

Showing 18 of 18 entries

SG Name SG Tag Type

------- ------ -------------

474
 CCIE SECURITY V5

ANY 65535 unicast

Auditors 9 unicast

BYOD 15 unicast

Contractors 5 unicast

Developers 8 unicast

Development_Servers 12 unicast

Employees 4 unicast

Guests 6 unicast

MAB_CCNP 16 unicast

Network_Services 3 unicast

PCI_Servers 14 unicast

Point_of_Sale_Systems 10 unicast

Production_Servers 11 unicast

Production_Users 7 unicast

Quarantined_Systems 255 unicast

Test_Servers 13 unicast

TrustSec_Devices 2 unicast

Unknown 0 unicast

In Case the TAG is not showing make sure give this command

Trustsec-ASA# cts refresh environment-data

TASK2 CONFIGURE ASA FOR ACL

 Create the SGFW acl for the MAB-PC.

 Server3 192.168.1.1 should be accessible only from security-group name MAB_CCNP for the HTTP traffic

at port 80.
 Create the Object-Group with name MAB_CCNP.
475
 CCIE SECURITY V5

 Name of the Access-List should be server1-2

object-group security MAB_CCNP

security-group name MAB_CCNP

access-list server3-4 extended permit tcp object-group-security MAB_CCNP 10.100.8.0

255.255.255.0 host 192.168.1.1 eq www

access-group server3-4 in interface inside

Trustsec-ASA(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list server3-4; 1 elements; name hash: 0x672bf53c

access-list server3-4 line 1 extended permit tcp object-group-security MAB_CCNP 10.100.8.0

255.255.255.0 host 192.168.1.1 eq www (hitcnt=0) 0xe5300721

access-list server3-4 line 1 extended permit tcp security-group name MAB_CCNP(tag=16) 10.100.8.0
255.255.255.0 host 192.168.1.1 eq www (hitcnt=0) 0x99daeb4c

Check

Trustsec-ASA# show cts sgt-map detail

Trustsec-ASA# show cts sgt-map brief

476
 CCIE SECURITY V5

TASK3 CONFIGURE ISE FOR TRUSTSEC

 Call the Security Tag created in the ISE, into the authorization Profile of the MAB

477
CCIE SECURITY V5

478
CCIE SECURITY V5

479
 CCIE SECURITY V5

SW2_P#clear authentication sessions

480
 CCIE SECURITY V5

Have patience over here, it can take appro 2-3 mins to come up.

SW2_P#show authentication sessions

Interface MAC Address Method Domain Status Session ID

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A200000FC2878B25CC

SW2_P#show authentication sessions interface gi2/0/47 details

----------------------------------------
481
 CCIE SECURITY V5

Interface : GigabitEthernet2/0/47

IIF-ID: 0x104F38000000097

MAC Address: 0050.56af.470e

IPv6 Address: Unknown

IPv4 Address: 10.100.8.1

User-Name: 00-50-56-AF-47-0E

Status: Authorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Common Session ID: 960107A200000FC2878B25CC

Acct Session ID: 0x00000FA5

Handle: 0xCA000011

Current Policy: POLICY_Gi2/0/47

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Security Policy: Should Secure

Security Status: Link Unsecure

482
 CCIE SECURITY V5

Server Policies:

Vlan Group: Vlan: 80

ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

SGT Value: 16

Method status list:

Method State

mab Authc Success

Trustsec-ASA# show cts sgt-map brief

IP-SGT Active Bindings Summary

============================================

Total number of SXP bindings = 1

Total number of active bindings = 1

Total number of shown bindings = 1

Trustsec-ASA# show cts sgt-map detail

Active IP-SGT Bindings Information

483
 CCIE SECURITY V5

IP Address Security Group Source

================================================================

10.100.8.1 16:MAB_CCNP SXP

IP-SGT Active Bindings Summary

============================================

Total number of SXP bindings = 1

Total number of active bindings = 1

Total number of shown bindings = 1

484
 CCIE SECURITY V5

Trustsec-ASA# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list server1-2; 1 elements; name hash: 0x672bf53c

access-list server1-2 line 1 extended permit tcp object-group-security MAB_CCNP 10.100.8.0

255.255.255.0 host 192.168.1.1 eq www (hitcnt=8) 0xe5300721
485
 CCIE SECURITY V5

access-list server1-2 line 1 extended permit tcp security-group name MAB_CCNP(tag=16)

10.100.8.0 255.255.255.0 host 192.168.1.1 eq www (hitcnt=8) 0x99daeb4c

Check the HITCOUNTS on the Access-list.

LAB-4.9: - CONFIGURE ISE FOR DOT1X

TASK1 CONFIGURE DOT1X USER FOR AUTHENTICATION

 Authenticate Windows PC Dot1x host connected to gi2/0/47, same port of MAB PC.
 Configure Dot1x PC to use the native supplicant with PEAP/MS-CHAPv2 only.

 User name should be “dot1x_ccnp”with password Cisco123 belongs to group “Dot1x”present in the
Internal Database

 Upon successful authentication the user and machine should get full access to the network
 Enable 802.1x low impact mode on the port and allow only DHCP, DNS, TFTP and ICMP traffic

 Ensure the following order

o 802.1x

o MAB

 The switch should time out 802.1x authentication method after 15 seconds.

Configuration on SW_P

ip access-list extended DEFAULT

remark DHCP

permit udp any eq bootpc any eq bootps

remark DNS

permit udp any any eq domain

remark TFTP

permit udp any any eq tftp

486
 CCIE SECURITY V5

remark PING

permit icmp any any

check the previous configuration on port gi2/0/47

interface GigabitEthernet2/0/47

switchport mode access

authentication host-mode multi-auth

authentication port-control auto

mab

end

Now do the necessary changes

Int gi2/0/47

Ip access-group DEFAULT in

authentication open

authentication order dot1x mab

dot1x timeout tx-period 15

dot1x pae authenticator

spanning-tree portfast

487
 CCIE SECURITY V5

Final commands on gi2/0/47

interface GigabitEthernet2/0/47

switchport mode access

ip access-group DEFAULT in

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 15

spanning-tree portfast

end

488
CCIE SECURITY V5

489
CCIE SECURITY V5

490
CCIE SECURITY V5

491
CCIE SECURITY V5

492
CCIE SECURITY V5

493
CCIE SECURITY V5

494
CCIE SECURITY V5

495
CCIE SECURITY V5

496
CCIE SECURITY V5

497
CCIE SECURITY V5

498
CCIE SECURITY V5

499
CCIE SECURITY V5

500
CCIE SECURITY V5

501
CCIE SECURITY V5

502
CCIE SECURITY V5

503
CCIE SECURITY V5

504
CCIE SECURITY V5

505
CCIE SECURITY V5

506
CCIE SECURITY V5

507
CCIE SECURITY V5

508
CCIE SECURITY V5

509
 CCIE SECURITY V5

SW2_P#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A2000010158AF8B288

Gi2/0/47 0050.56af.5649 dot1x DATA Auth 960107A2000010148AF8B288

TASK2 CONFIGURE 802.1X VLAN ASSIGNMENT

 Configure ISE so that it authorizes user dot1x_ccnp to vlan 80.
 Nas-Ip address should be from the Switch by which it is wired connected.
510
 CCIE SECURITY V5

 Make sure after the connection is established you can browse to “server2.cisco.com” and not
“server1.cisco.com” from “dot1x_pc”.
 Re-authentication should be there in every 6 minutes.

Current configuration on SW_P

SW2_P#show run int gi2/0/47

Building configuration...

Current configuration : 297 bytes

interface GigabitEthernet2/0/47

switchport mode access

ip access-group DEFAULT in

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 15

spanning-tree portfast

end
511
 CCIE SECURITY V5

Add the commands on the interface

int gi2/0/47

authentication periodic

authentication timer reauthenticate server

512
CCIE SECURITY V5

513
CCIE SECURITY V5

514
CCIE SECURITY V5

515
CCIE SECURITY V5

516
CCIE SECURITY V5

517
CCIE SECURITY V5

518
CCIE SECURITY V5

519
CCIE SECURITY V5

520
 CCIE SECURITY V5

SW2_P(config)#int gi2/0/47

SW2_P(config-if)#shut

SW2_P#clear authentication sessions

SW2_P#clear ip dhcp binding *

SW2_P#clear ip device tracking all

521
 CCIE SECURITY V5

interface GigabitEthernet2/0/47

switchport mode access

ip access-group DEFAULT in

shutdown

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

dot1x pae authenticator

dot1x timeout tx-period 15

spanning-tree portfast

end

SW2_P(config)#int gi2/0/47

SW2_P(config-if)#no sh

522
CCIE SECURITY V5

523
CCIE SECURITY V5

524
 CCIE SECURITY V5

SW2_P#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi2/0/47 0000.0000.0003 N/A UNKNOWN Unauth 960107A2000010228BAAF858

Gi2/0/47 0050.56af.5649 dot1x DATA Auth 960107A2000010258BAAFF1A

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A2000010238BAAF858

525
 CCIE SECURITY V5

SW2_P#show authentication sessions int gigabitEthernet 2/0/47 details

Interface: GigabitEthernet2/0/47

IIF-ID: 0x1035FC0000000FA

MAC Address: 0050.56af.5649

IPv6 Address: Unknown

IPv4 Address: 10.100.8.9

User-Name: dot1x_ccnp

Status: Authorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Session timeout: 360s (server), Remaining: 201s

Timeout action: Reauthenticate

Restart timeout: N/A

Common Session ID: 960107A2000010258BAAFF1A

Acct Session ID: 0x00000FCC

Handle: 0x41000074

Current Policy: POLICY_Gi2/0/47

526
 CCIE SECURITY V5

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Security Policy: Should Secure

Security Status: Link Unsecure

Server Policies:

Vlan Group: Vlan: 80

ACS ACL: xACSACLx-IP-Dot1x_ACL-5ced14f0

Method status list:

Method State

dot1x Authc Success

make sure on the Trustsec-ASA give an acl which permit all TCP connections

Trustsec-ASA(config)# access-list server1-2 extended permit tcp any any eq www

Trustsec-ASA# show run access-list

access-list server1-2 extended permit tcp object-group-security MAB_CCNP 10.100.8.0

255.255.255.0 host 192.168.1.1 eq www

access-list server1-2 extended permit tcp any any eq www

527
 CCIE SECURITY V5

Trustsec-ASA# show run access-group

access-group server1-2 in interface inside

From the Dot1x PC

528
CCIE SECURITY V5

529
CCIE SECURITY V5

530
 CCIE SECURITY V5

LAB-4.10: - CONFIGURE WLC WITH AP

531
 CCIE SECURITY V5

TASK1 CONFIGURE ACCESS POINT WITH THE STATIC IP

 Configure the Cisco Access Point with capwap protocol

532
 CCIE SECURITY V5

o Hostname : ccnpap
o IP : 10.100.202.100
o Default Gateway : 10.100.202.1
o Primary Controller : ccnp_wlc
o Controller Ip : 10.100.202.1
o Username : cisco
o Password : Cisco
o Enable Password : Cisco

capwap ap controller ip address 10.100.202.1

capwap ap hostname ccnpap

capwap ap ip address 10.100.202.100 255.255.255.0

capwap ap ip default-gateway 10.100.202.1

capwap ap primary-base ccnp_wlc 10.100.202.1

ccnpap#show capwap ip config

LWAPP Static IP Configuration

IP Address 10.100.202.100

IP netmask 255.255.255.0

Default Gateway 10.100.202.1

Primary Controller 10.100.202.1

TASK2 CONFIGURE SWITCH FOR AP

533
 CCIE SECURITY V5

 Configure the Switch for AP on the port gi2/0/7

o Vlan : 202
o Interface : gi2/0/7

o Mode : Access
o Int vlan : 10.100.202.11/24

Create the Vlan

vlan 202

!Create the SVI

int vlan 202

ip add 10.100.202.11 255.255.255.0

no sh

Configure Port 2/0/7

int gi2/0/7

sw mode access

sw access vlan 202

no sh

SW2_P#show ip int br

Interface IP-Address OK? Method Status Protocol

Vlan1 150.1.7.162 YES manual up up

Vlan80 10.100.8.80 YES manual up up

Vlan202 10.100.202.22 YES manual up up

534
 CCIE SECURITY V5

SW2_P#ping 10.100.202.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.100.202.100, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

If ping not working go back to AP and check it should be up and running, not in booting
phase.

TASK3 CONFIGURE WLC

 Re-initialize the WLC if required by using the Recover-config command from the CLI.

Initialize the WLC based on the following parameters:

o Hostname : WLC 


o Admin Username : admin 


o Admin Password : Sanfran@1234

o Service Interface IP Address : 150.1.7.168 

o Subnet Mask : 255.255.255.0
o Management Interface IP Address 
 : 10.100.202.1

o Default Gateway : 10.100.202.22

o Management VLAN : 202


o Management DHCP Server : 10.100.202.22


o Virtual-IP : 1.1.1.1 

o Mobility Group : Netmetric_Group 

o Network Name (SSID) : ccnp
o DHCP Bridging Mode : No
535
 CCIE SECURITY V5

o Allow Static IP : Yes

o Radius Server : No 

o Country : US 


o Radio : Enable all Radio 


o Auto RF : Yes 

o NTP Server : Yes- 150.1.7.164

o Polling interval : 3600. 


Open the WLCv Console from the vSphere client

Enter the wlc with the username and password mentioned in the reference sheet

Reset the controller with the command reset, Hit enter and then system. We can give
one command also reset system also.

Once done, the system will reboot and once the wlcv is up give the username as
Recover-Config

Once the system will come’s up again after the reboot star giving the details from the
task.

Ignore the messages coming in between: Give the system name as WLC

536
 CCIE SECURITY V5

Provide the username and password

Give the service interface detail

Give the management interface detail

Configure the remaining options as per the task

Configure the Radio related stuff and NTP

537
 CCIE SECURITY V5

Save the configuration in the last and no IPv6 configuration

Configure the WLC so that we can take the GUI of the WLC

(Cisco Controller) >config network webmode enable

(Cisco Controller) >config network secureweb enable


Restart the wlc after giving these commands

538
 CCIE SECURITY V5

Click on Advance, Right corner

539
 CCIE SECURITY V5

We will see the Main Login Page of the WLC Controller

540
 CCIE SECURITY V5

TASK3 AUTHENTICATE THE AP WITH ISE WITH MAB

 Authenticate the AP with ISE and provide the access vlan 202 from the ISE.
 Use the MAC address of the AP for MAB authentication
 Do Enable the Cisco AP Profiling in ISE.

Check the mac address of the AP from the switch

SW_P#show mac address-table dynamic interface gi2/0/7

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

541
 CCIE SECURITY V5

---- --------------------- ---------- -----

202 c89c.1d1b.0bba DYNAMIC Gi2/0/7

Total Mac Addresses for this criterion: 1

542
CCIE SECURITY V5

543
 CCIE SECURITY V5

interface GigabitEthernet2/0/7

switchport access vlan 202

switchport mode access

end

Remove the vlan 202 and add the mab commands on the interface

interface GigabitEthernet2/0/7

switchport mode access

544
 CCIE SECURITY V5

authentication port-control auto

mab

end

After giving the commands on the switch, have patience, AP take a while to come up.

Go to the ISE again

545
CCIE SECURITY V5

546
 CCIE SECURITY V5

Once Done go back to switch and bounce the interface gi2/0/7. Once done check the
authentication sessions

SW_P#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi2/0/7 c89c.1d1b.0bba mab DATA Auth 960107A200000FEE3DDA0FE2

Gi2/0/47 0050.56af.5649 dot1x DATA Auth 960107A200000FEA3D01EFC2

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A200000FEB3D021ABA

547
 CCIE SECURITY V5

SW_P#show authentication sessions interface gigabitEthernet 2/0/7 details

Interface: GigabitEthernet2/0/7

IIF-ID: 0x1041B00000000C1

MAC Address: c89c.1d1b.0bba

IPv6 Address: Unknown

IPv4 Address: 10.100.202.100

User-Name: C8-9C-1D-1B-0B-BA

Status: Authorized

Domain: DATA

Oper host mode: single-host

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Common Session ID: 960107A200000FEF3DE2AB66

Acct Session ID: 0x00000FC5

Handle: 0xD2000036

Current Policy: POLICY_Gi2/0/7

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Security Policy: Should Secure

548
 CCIE SECURITY V5

Security Status: Link Unsecure

Server Policies:

Vlan Group: Vlan: 202

ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

Method status list:

Method State

mab Authc Success

LAB-4.11: - CISCO ANYCONNECT WITH IKEV2

TASK1 PERFORM ANYCONNECT CLIENTBASED VPN

 Configure the ASA1 with the following IP address and nameif mentioned in the above diagram
 Use Eigrp as the routing protocol between the ASA1 and DC-Router and advertise the 10.1.10.0/24
network with AS 1.
 Your configuration should meet the following requirements on ASA1V:
.
 The tunnel should only secure traffic for server1 and server2.

 The client address pool should be 172.16.1.1-172.16.1.20/24.

 The session tunnel should remain connected for 24 hours even without any activity.
 The connection profile name should be “CP”
 The group alias for the session should be “CP”.
 The trustpoint for the implementation should be named “trust” using RSA key pair “ccnp”

549
 CCIE SECURITY V5

 ASA should authenticate the session from radius server ISE (150.1.7.189) for Credential :- username
bob password Sanfran@1234.
 Use the FireFox browser to test your connectivity with server1 and server2
Any information not
provided for this task can be assumed by the candidate.

 For detail solution please refer to the “avi” file uploaded on the resource portal

550
CCIE SECURITY V5

551
CCIE SECURITY V5

552
CCIE SECURITY V5

553
CCIE SECURITY V5

554
 CCIE SECURITY V5

Section 5 – WSA

GOAL OF THE LAB

The Web Security appliance is a robust, secure, efficient device that protects corporate networks
against web-based malware and spyware programs that can compromise corporate security and

555
 CCIE SECURITY V5

expose intellectual property. The Web Security appliance includes protection for standard
communication protocols, such as HTTP, HTTPS, and FTP.

LAB-5.1: - WSA BOOTSTRAPPING

TASK1 PERFORM WSA INITIAL CONFIGURATION CLI

 Configure WSA installation and bootstrapping. Provide the following information during the
installation process.
o Username/Password :- Admin/ironport
o Hostname :- WSA.cisco.com
o Inteface :- M1
o IP :- 150.1.7.188/24
o Management Access :- HTTP/8081, HTTPS/8443, SSH/22, FTP/21
o Gateway :- 150.1.7.1

 For detail solution please refer to the “avi” file uploaded on the resource portal

TASK2 PERFORM WSA INITIAL CONFIGURATION GUI

 Configure WSA initial setup wizard from the GUI. Provide the following information during the
installation process.
o DNS :- 150.1.7.164
o NTP server :- 150.1.7.164
o Upstream Proxy :- No Available
o Network interface :- M1 Already Configured
o Default Gateway :- Already configured (150.1.7.1)
o Transparent Setting :- Leave Blank will be done later task
o Administrator Password :- Sanfran@1234

556
 CCIE SECURITY V5

o Email Alert :- [email protected]

o Security Settings :- Leave all Option Default

 For detail solution please refer to the “avi” file uploaded on the resource portal

LAB-5.2: - WSA INTEGRATION WITH AD

 Create the NTLMSSP type of connection between the WSA and AD. Use the Domain controller ip
as 150.1.7.164, and user credentials as “administrator/Sanfran@1234.
 Make sure the FQDN of all the hosts in cisco.com is resolved using DNS server 150.1.7.164

 For detail solution please refer to the “avi” file uploaded on the resource portal

LAB-5.3: - WCCP CONFIGURATION ON THE ROUTER AND WSA

LAB-5.4: - CREATING URL LIST FOR ALLOWING AND BLOCKING TRAFFIC

LAB-5.5: - CREATE THE QUATO BASED POLICIES

LAB-5.6: - CREATING THE IDENTIFICATION PROFILE FOR ALLOWING MOZILLA

FIREFOX

LAB-5.7: - CREATING THE IDENTIFICATION PROFILE FOR BLOCKING INTERNET

EXPLORER

LAB-5.8: - ACCESS POLICIES ON WSA

557
 CCIE SECURITY V5

Section 6 – StealthWatch

LAB-6.1: - SETUP THE STEALTHWATCH APPLIANCE TOOL

LAB-6.2: - SETUP STEALTHWATCH MANAGEMENT CONSOLE

LAB-6.3: - SETUP STEALTHWATCH FLOW COLLECTOR

LAB-6.4: - ADDING FLOW COLLECTOR TO SMC

LAB-6.5: - CONFIGURING NETFLOW ON ROUTER, SWITCH, ASA

LAB-6.6: - ORGANIZING HOST AND HOST GROUPS

LAB-6.7: - ANALYZING THE FLOWS

558
 CCIE SECURITY V5

LAB-6.8: - CREATING CUSTOM POLICIES

LAB-6.9: - SETUP STEALTHWATCH FLOW COLLECTOR

LAB-6.10: - CONFIGURING BACKUP

559
CCIE SECURITY V5

560
CCIE SECURITY V5

561