CCIE Security Tech Lab Wkbk v3.0 eBook Updated

CCBOOTCAMP’sCCIE Security Technology Lab Workbook

for the CCIE Security Lab Exam version 3.0

For questions about this workbook please visit: www.securityie.com

CCBOOTCAMP375 N. Stephanie StreetBuilding 21, Suite 2111Henderson, NV 89014

1.877.654.2243 Toll Free

www.ccbootcamp.com

“Cisco,” the “Cisco Logo,” “CCNA,” “CCNP,” “CCDP,” “CCDA,” “CCIE,” “Cisco CertifiedNetwork Associate,” “Cisco Certified Design Professional,” “Cisco Certified Design

Associate,” “and “Cisco Certified Network Professional,” are registered trademarks ofCisco Systems, Inc. The contents contained wherein, is not associated or endorsed by

Cisco Systems, Inc.

http://www.securityie.com/

http://www.ccbootcamp.com/

PLEASE READ THIS SUBSCRIPTION LICENSE AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT.THIS SUBSCRIPTION LICENSE AGREEMENT APPLIES TO CCBOOTCAMP’s CCIE Security TechnologyLab Workbook.

BY ORDERING THIS PRODUCT YOU ARE CONSENTING TO BE BOUND BY THIS LICENSING AGREEMENT.IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS LICENSE, THEN DO NOT PURCHASE THISPRODUCT.

License Agreement

CCBOOTCAMP’s CCIE Security Technology Lab Workbook is copyrighted. In addition, thisproduct is at all times the property of CCBOOTCAMP, and the customer shall agree touse this product only for themselves, the licensed user. The license for the specificcustomer remains valid from the purchase date until they pass their CCIE Security labexam.

CCBOOTCAMP’s CCIE Security Technology Lab Workbook materials are licensed byindividual customer. This material cannot be resold, transferred, traded, sold, orhave the price shared in any way. Each specific individual customer must have alicense to use this product. The customer agrees that this product is always theproperty of CCBOOTCAMP, and they are just purchasing a license to use it. A Customer’slicense will be revoked if they violate this licensing agreement in any way.

Copies of this material in any form or fashion are strictly prohibited. If for anyreason a licensed copy of this material is lost or damaged a new copy will be providedfree of charge, except for the cost of printing, shipping and handling.

Individuals or entities that knowingly violate the terms of this licensing agreementmay be subject to punitive damages that CCBOOTCAMP could seek in civil court. Damageswill be limited to a maximum of $500,000.00 per individual and $2,000,000.00 perentity. In addition, individuals or entities that knowingly violate the terms of thislicense agreement may be subject to criminal penalties as are allowed by law.

The venue of any dispute, controversy, litigation or proceeding (formal or informal)arising out of or pertaining to this licensing agreement or the subject hereof shalllie exclusively in the County of Clark, State of Nevada. Provided, however, that ifany such dispute, controversy, litigation or proceeding requires or permitsjurisdiction in a federal court or agency of the United States, then venue shall liein no federal court or agency other than those located in (or nearest to) the Countyof Clark, State of Nevada.

Term and Termination of License Agreement

This License is effective until terminated. Customer may terminate this License at anytime by destroying all copies of written and electronic material of said product.Customer's rights under this License will terminate immediately without notice fromCCBOOTCAMP, if Customer fails to comply with any provision of this License. Upontermination, Customer must destroy all copies of material in its possession orcontrol. The license for the specific user remains valid from the purchase date untilthe user passes their lab exam pertaining to the purchased subscription. Once thecustomer passes the relevant lab exam the license is terminated and all materialwritten or electronic in their possession or control must be destroyed or returned toCCBOOTCAMP.

Warranty

No warranty of any kind is provided with this product. There are no guarantees thatthe use of this product will help a customer pass any exams, tests, or certifications,or enhance their knowledge in any way. The product is provided on an “AS IS” basis.In no event will CCBOOTCAMP, its suppliers, or licensed resellers be liable for anyincurred costs, lost revenue, lost profit, lost data, or any other damages regardlessof the theory of liability arising out of use or inability to use this product.

For questions: www.securityie.coms.f.wb.09.04.sm.r08.09.07.doc

1

www.ccbootcamp.com Toll Free 877.654.2243 [email protected]

Copyright ©2009, Network Learning, Incorporated

Table of Contents:

Getting Started: ............................................ 7

Loading the Initial Configurations .................... 8

Sections .............................................. 9

Connectivity .......................................... 9

Join the Discussion .................................. 10

Chapter 1 - ASA Technology ................................. 11

Configure Device Management .......................... 26

Configure IP Routing ................................. 28

Configure Address Translation ........................ 29

Configure ACLs ....................................... 31

Configure Object Groups .............................. 32

Configure Sub Interfaces with VLANs .................. 33

Configure Filtering .................................. 34

Configure Modular Policy Framework ................... 35

Configure Application-Aware Inspection ............... 36

Configure Quality of Service ......................... 37

Configure Layer 2 Transparent Firewall ............... 37

Configure Security Contexts .......................... 39

Configure Failover ................................... 41

Configure High Availability Solutions ................ 42

ASA Technology Solutions ................................... 43

Basic Firewall Configuration ......................... 43

Configure Device Management .......................... 49

Configure IP Routing ................................. 53

Configure Address Translation ........................ 58

Configure ACLs ....................................... 63

Configure Object Groups .............................. 66



mailto:sales:@ccbootcamp.com


2



Configure Sub Interfaces with VLANs .................. 68

Configure Filtering .................................. 71

Configure Modular Policy Framework ................... 74

Configure Application-Aware Inspection ............... 79

Configure Quality of Service ......................... 85

Configure Layer 2 Transparent Firewall ............... 87

Configure Security Contexts .......................... 93

Configure Failover .................................. 103

Configure High Availability Solutions ............... 107

Chapter 2 - IOS Firewall .................................. 115

Configure CBAC ...................................... 123

Configure Zone-Based Firewall ....................... 126

Configure Auth-Proxy ................................ 129

Configure Access Control ............................ 130

IOS Firewalls Solutions ................................... 131

Configure CBAC ...................................... 131

Configure Zone-Based Firewall ....................... 151

Configure Auth-Proxy ................................ 158

Configure Access Control ............................ 165

Chapter 3 - VPN Technology ................................ 173

Configure IPsec lan to lan (IOS/ASA) ................ 181

DMVPN ............................................... 181

GET VPN ............................................. 182

Easy VPN ............................................ 183

QoS for VPN ......................................... 185

WebVPN(clientless) .................................. 186

High availability ................................... 187

VPN Technologies Solutions ................................ 187

Configure IPsec lan to lan (IOS/ASA) ................ 187





3



DMVPN ............................................... 199

GET VPN ............................................. 214

Easy VPN ............................................ 223

QoS for VPN ......................................... 232

WebVPN(clientless) .................................. 234

High availability ................................... 236

Chapter 4 - Intrusion Prevention Sensor ................... 244

Initialize the Sensor ............................... 251

Configure Sensor Appliance Management ............... 251

Configure SPAN and RSPAN ............................ 255

Configure Promiscuous and Inline Monitoring ......... 256

Configure and Tune Signatures ....................... 257

Configure Custom Signatures ......................... 258

Configure Blocking .................................. 259

Configure TCP Resets ................................ 260

Configure Rate Limiting ............................. 261

Configure Event Actions ............................. 262

Configure Event Monitoring .......................... 263

Configure Advanced Features ......................... 264

Intrusion Prevention Sensor Solutions ..................... 264

Initialize the Sensor ............................... 265

Configure Sensor Appliance Management ............... 272

Configure Security Policy ........................... 277

Configure Virtual Sensors ........................... 279

Configure SPAN and RSPAN ............................ 280

Configure Promiscuous and Inline Monitoring ......... 283

Configure and Tune Signatures ....................... 288

Configure Custom Signatures ......................... 293

Configure Blocking .................................. 301





4



Configure TCP Resets ................................ 306

Configure Rate Limiting ............................. 309

Configure Event Actions ............................. 314

Configure Event Monitoring .......................... 318

Configure Advanced Features ......................... 321

Configure TACACS+ ................................... 334

Configure Secure ACS ................................ 335

Configure LDAP ...................................... 337

Configure Proxy Authentication ...................... 338

Configure 802.1x .................................... 339

Configure Advanced Identity Management .............. 340

Identity Management Solutions ............................. 340

Configure TACACS+ ................................... 340

Configure Secure ACS ................................ 343

Configure LDAP ...................................... 353

Configure Proxy Authentication ...................... 358

Configure 802.1x .................................... 362

Configure Advanced Identity Management .............. 367

Chapter 6 - Control Plane and Management Plane Security ... 374

Implement routing plane security features ........... 382

Configure Control Plane Policing .................... 383

Configure Broadcast Control and Switchport Security . 384

Configure CPU Protection Mechanisms ................. 387

Disable Unnecessary Services ........................ 388

Control Device Access ............................... 389

Configure SNMP, SYSLOG, AAA, NTP .................... 390

Control Plane and Management Plane Security Solutions ..... 390

Implement routing plane security features ........... 391

Configure Control Plane Policing .................... 405





5



Configure Broadcast Control and Switchport Security . 413

Configure CPU Protection Mechanisms ................. 421

Disable Unnecessary Services ........................ 423

Control Device Access ............................... 425

Configure SNMP, SYSLOG, AAA, NTP .................... 431

Chapter 7 - Advanced Security ............................. 435

Configure Packet Marking Techniques ................. 444

Implement Security RFCs ............................. 445

Configure Black Hole and Sink Hole Solutions ........ 446

Configure Remote Triggered Black Hole Filtering ..... 447

Configure Traffic Filtering using Access-Lists ...... 448

Configure IOS NAT ................................... 449

Configure TCP Intercept ............................. 450

Configure uRPF ...................................... 451

Configure CAR ....................................... 451

Configure NBAR ...................................... 452

Configure NetFlow ................................... 453

Configure Policing .................................. 454

Capture and Utilize Packet Captures ................. 455

Configure Transit Traffic Control and Congestion

Management .......................................... 456

Advanced Security Solutions ............................... 456

Configure Packet Marking Techniques ................. 456

Implement Security RFCs ............................. 460

Configure Black Hole and Sink Hole Solutions ........ 461

Configure Remote Triggered Black Hole Filtering ..... 464

Configure Traffic Filtering using Access-Lists ...... 468

Configure IOS NAT ................................... 473

Configure TCP Intercept ............................. 475





6



Configure uRPF ...................................... 479

Configure CAR ....................................... 480

Configure NBAR ...................................... 481

Configure NetFlow ................................... 483

Configure Policing .................................. 486

Capture and Utilize Packet Captures ................. 487

Configure Transit Traffic Control and Congestion

Management .......................................... 488

Chapter - 8 Network Attacks ............................... 493

Identify and protect against fragmentation attacks .. 502

Identify and protect against malicious IP option usage

.................................................... 503

Identify and protect against network reconnaissance

attacks ............................................. 504

Identify and protect against IP spoofing attacks .... 505

Identify and protect against MAC spoofing and flooding

attacks ............................................. 505

Identify and protect against DHCP attacks ........... 507

Identify and protect against ARP spoofing attacks ... 508

Identify and protect against VLAN hopping attacks ... 509

Identify and protect against Denial of Service (DoS)

attacks ............................................. 510

Mitigate Man in the Middle attack ................... 511

Identify and protect against port redirection attacks 512

Identify and protect against DNS attacks ............ 513

Identify and protect against Smurf attacks .......... 514

Network Attacks Solutions ................................. 514

Identify and protect against fragmentation attacks .. 514





7



Identify and protect against malicious IP option usage

.................................................... 516

Identify and protect against network reconnaissance

attacks ............................................. 516

Identify and protect against IP spoofing attacks .... 518

Identify and protect against MAC spoofing and flooding

attacks ............................................. 519

Identify and protect against DHCP attacks ........... 521

Identify and protect against ARP spoofing attacks ... 522

Identify and protect against VLAN hopping attacks ... 522

Identify and protect against Denial of Service (DoS)

attacks ............................................. 523

Mitigate Man in the Middle attack ................... 525

Identify and protect against port redirection attacks 527

Identify and protect against DNS attacks ............ 529

Identify and protect against Smurf attacks .......... 530

The FAQ for rack access can be downloaded from

beneath the security section.

You should download and review this document before rack

access.





8



Verify that all configurations have been cleared, before

you load initial configurations onto the devices in your

rack. For the ASA, verify that the correct mode,

single/multiple as well as routed/transparent, is in place

before applying the initial configuration. By loading the

startup configurations, you have a starting point only; the

lab requires you to complete these configurations and

verify that all network components are operating. Unless

otherwise specified, use only the existing networks within

your lab. Additional networks, static and default routes,

may not be configured unless specified in a task.

You must load initial configurations onto the devices in

your pod for each section. Occasionally you may be asked

to load initial configurations at a specific time within a

section. All initial configurations are available for

download from beneath the

security folder. Use the initial configuration files that

match the workbook version you are using. The workbook

version is in the upper right hand corner of most pages in

the workbook. For users of SecureCRT, you may use the File

Transfer | Send Ascii option, and select the local initial

configuration file from the local drive you downloaded it

to, to apply each initial configuration. This can be

easier than a copy and paste. All pre-configurations

should be assumed to be correct and should not be changed

unless explicitly stated in a question. When creating





9



passwords, use “cisco” unless indicated otherwise in a

specific task.

The default username on the IPS is “cisco”, with a password

of “ccie5796”. On the ACS computer, you may add static

routes for connectivity. Do not change the default route on

the ACS.

1. ASA Firewalls

2. IOS Firewalls

3. VPNs

4. IPS

5. Identity Management

6. Control/Management Plane Security

7. Advanced Security

8. Network Attack Mitigation

Each section is autonomous. At the beginning of each

section there are 2 copies of the lab and physical

topologies. 1 is for you to remove and have as a resource

without needing to go back and forth in your workbook to

review your diagram. The other copy may remain in your

workbook as a permanent resource.

You may access your rack via TELNET, as described in the

FAQ document, or you may open a single RDP session to your





10



racks ACS Server, and SecureCRT from there to open all your

sessions there. Access via RDP is described in the FAQ.

Discussions about CCIE Security blueprint 3 technology and

workbook scenarios may be directed to

website. Membership is free. SecurityIE.com is a valuable

resource for everyone preparing for a CCIE in security.

We are committed to your satisfaction. If you find any

errors in this workbook, or have recommendations on how we

can make our services better in the future, please email

them to [email protected]

Copyright Information

Copyright © 2009 Network Learning, Inc. All rights

reserved.

Cisco©, Cisco© Systems and CCIE are registered trademarks

of Cisco© Systems.




mailto:kbarker:@ccbootcamp.com


11







12







13







14







15



This page intentionally blank





16







17







18








19







20







21








22



Fa0/1 Fa0/1SW1 SW2Fa0/0 Fa0/1R1






Fa0/9 Fa0/9SW1 SW2Fa0/0 Fa0/1BB1


Fa0/12 Fa0/12SW1 SW2E0/0 E0/2

Fa0/14 Fa0/14SW1 SW2Gi0/0: sense Gi0/1: c&cIDS

Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS

Sensor Int. Connected to: G0/0 SW1 Fa0/14 Fa1/0 SW3 Fa0/4 Fa1/1 SW3 Fa0/3 Fa1/2 SW3 Fa0/2 Fa1/3 SW3 Fa0/1

Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





23








24











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





25



Basic Firewall Configuration

Task 1.1

Set the hostname of ASA1 to ASA1

Task 1.2

Configure interface E0/0; name it inside and use the IP

address 192.168.2.100/16. Use the default security level.

Bring the interface up.

Task 1.3

Configure interface E0/3; name it outside and use the IP

24.234.0.100/24. Use the default security level. Bring the

interface up.

Task 1.4

Verify that your interfaces are functional.

Task 1.5

Set the domain name to ccbootcamp.com

Task 1.6

Set the clock to the current time.

Task 1.7

Configure logging so that information level and above

messages are sent to the local buffer. Log messages should

contain a time-stamp.





26



Task 1.8

Configure logging to send messages of information level and

above to syslog on the ACS server. Enable

Task 1.9

Verify logging is operational both to the buffer and to the

ACS server.

Task 1.10

Configure the management0/0 interface with an IP of address

50.50.50.100 255.255.255.0 and name it management. Ensure

that only management traffic will be allowed to this

interface without using an ACL.

Task 1.11

Configure the ASA to use the ASDM image stored on disk0.

Enable the HTTP server and permit *ONLY* the ACS server to

access it.

Task 1.12

Configure SSH and *ONLY* allow R4 to connect via SSH on the

inside interface. Do not use an ACL to accomplish this.





27



Task 1.13

Setup a local user called cisco with a password of cisco

and a privilege level of 15. Setup AAA so that SSH will use

local authentication.

Task 1.14

Verify that you can connect to the ASA using ASDM from the

ACS server and with SSH from R4.





28



Task 1.15

Setup a default route so that traffic not matching any

other routes will be sent to the next hop of R1.

Task 1.16

Configure EIGRP on the ASA so that it becomes a neighbor

with R4. Ensure that the loopback network of R4 appears in

the ASA’s routing table.

Task 1.17

Configure OSPF on the ASA so that it becomes a neighbor

with R1. Verify that the 1.1.1.0/24 network is reachable.

Task 1.18

Configure EIGRP so that the default route is sent into

EIGRP 1. Configure the ASA so that the EIGRP routes are

sent into OSPF area 100 without summarizing them. Verify

that R4 has received the default route and that R1 has

received the EIGRP routes.





29



Task 1.19

Configure ASA1 to require a NAT rule for traffic passing

through it.

Task 1.20

Configure dynamic address translation so that any outbound

traffic from the 192.168.0.0/16 network translated to the

outside interface’s IP address.

Task 1.21

Configure NAT so that the ACS server is reachable from the

outside as 24.234.0.101. This host is sensitive to DoS

attacks, so set the total number of TCP connections allowed

to no more than 100 and the number of embryonic connections

allowed per host to 20.

Task 1.22

Configure NAT so that hosts on the outside who telnet to

24.234.0.4 on port 2323 are able to reach R4 on port 23.

Task 1.23

Allow SW1 (192.168.2.11) to send traffic to the outside

without changing its IP address.





30



Task 1.24

Dynamically translate R4’s address to 24.234.0.254 only

when pings are sent from R4 to R1.

Task 1.25

Verify that your PAT configuration is working, and that the

static and policy NATs are in the ASA’s translation table.





31



Task 1.27

On ASA1, create a standard ACL called R1 to permit all

traffic from R1. Do not apply it to any interface.

Task 1.28

On ASA1, setup an ACL called OUTSIDE that will protect your

network from outside attacks. When it is complete, apply it

for traffic incoming to the outside interface. All traffic

should be denied EXCEPT for:

• Telnet from any outside host to R4’s outside address

on port 2323

• RADIUS from R1 to the ACS server’s outside IP address

Task 1.29

All traffic from R4 to anywhere should be allowed during

business hours (9am to 5pm) but should be denied at all

other times. Create an ACL called INSIDE that will meet

these criteria and apply it to traffic inbound to the

inside interface. Log all denied traffic.





32



Task 1.30

When a traffic flow matches the INSIDE ACL time based

entry, the flow is cached. Configure the ASA so that an

error message is generated when the number of these cached

flows exceeds 2000.

Task 1.31

Verify that the OUTSIDE ACL is applied and working by

telnetting from R1 to 24.234.0.4 on port 2323.

Task 1.32

Create a network object group called MAILERS and add both

R4 and SW1 (192.168.2.11) to it.

Task 1.33

Create a service object group called MAIL_PORTS and add DNS

(TCP) and SMTP to it.

Task 1.34

Add a single line to the INSIDE ACL that will block R4 and

SW1 from sending e-mail or DNS to servers outside the local

network.





33



Task 1.35

Configure E0/1.11 on VLAN 11. Name it DMZ1 and give it an

IP address of 172.16.11.100/24. Set the security level to

50.

Task 1.36



50.

Task 1.37

Bring up interface E0/1.

Task 1.38

Ping to both R2 and R3 to verify connectivity to the DMZ

hosts. Ping from R2 to R3.

Task 1.39

Correct the issue that is stopping pings between the DMZ

routers.





34



Task 1.40

Remove activex objects from http traffic going from any

source to any destination.

Task 1.41

Stop hosts on the 192.168.0.0/16 network from downloading

java applets via http.

Task 1.42

Configure the ASA to use a URL filtering server in the DMZ.

The server will use the IP address of R2 and will be

running WebSense with the default settings.

Task 1.43

Filter URLs using the newly setup websense server. Do this

for all traffic from the 192.168.0.0/16 network. Block

attempts to use a proxy server and remove any cgi-

parameters.

Task 1.44

The ACS server should be exempt from the URL filtering

policy.





35



Task 1.45

Ping from R4 to R1. Use logging to determine why the pings

are failing.

Task 1.46

View the default modular policy framework configuration on

the ASA and then correct it to solve the ping issue. Do not

use an ACL to accomplish this. Verify that R4 can ping R1.

Task 1.47

Configure the ASA so that R2 is not allowed multiple telnet

sessions to R3.

Task 1.48

Verify that R2 is limited to 1 telnet connection at a time.

The password is cisco.





36



Task 1.49

Allow R1 to FTP to the ACS server’s outside IP address.

Ensure that this traffic conforms to the RFCs for FTP.

Reset the connection if R1 attempts to use the ‘PUT’

command.

Task 1.50

Create and test regular expressions that will match the

domains “illegal.com” and “spam.net”

Task 1.51

Drop and log outgoing http traffic from the ACS server when

it contains either of the domain names identified by the

regular expressions.

Task 1.52

Verify that both of your layer 3/4 policies are applied to

the correct interfaces and are using the correct layer 7

policies.





37



Task 1.53

DMZ2 contains mail servers. The mail servers send an

excessive amount of SMTP traffic causing connectivity and

speed problems for the entire network. Because of this,

police outgoing SMTP bandwidth to no more than 20mbps. If

the SMTP traffic exceeds this rate, drop it.

Task 1.54

Clients on the inside network run streaming audio/video

applications that use RTP on UDP ports 10000-20000. Because

of its time sensitive nature, this traffic should be given

priority over other traffic. The queue size for these

packets should be increased to the maximum size.

Task 1.55

Setup ASA2 as a transparent firewall. Set the hostname to

ASA2. Set the management IP to 24.234.2.200. Enable

buffered logging with time-stamps at level 6.





38



Task 1.56

Configure interface e0/2.55 as the inside interface and set

it to VLAN 55.

Task 1.57

Configure interface e0/2.66 as the outside interface and

set it to VLAN 66.

Task 1.58

Add ICMP to the global inspect policy. Ping from R5 to R6

to verify lack of connectivity. Now bring up e0/2 and

repeat the ping test.

Task 1.59

View the log to see what kind of traffic is being denied.

Configure the ASA to allow this traffic and verify that it

is working on the routers.

Task 1.60

A host on the outside is trying to perform a man in the

middle attack by responding to ARP requests for IP

24.234.2.55 with its own MAC address. The real MAC that

should be mapped to 24.234.2.55 is 001b.533b.5555.

Configure the ASA to drop the bad ARP traffic.

Task 1.61

Enable ICMP from the inside networks to anywhere. Verify

that the ASA is blocking the bad ARP responses by pinging

from R5 to 24.234.2.55 and viewing the firewall log.





39



Task 1.62

Prepare for multiple context mode. Erase the configurations

on both ASA1 and ASA2. Change ASA2 to routed mode with the

no firewall transparent command. Reload both firewalls.

Task 1.63

Configure ASA1 as a multiple context firewall. Once it

reboots configure the hostname to ASA.

Task 1.64

Setup interfaces for future contexts. Interfaces should use

unique mac addresses. Create interface e0/1.11 and set it

to vlan 11. Create interface e0/1.22 and set it to vlan 22.

Enable interfaces e0/0, e0/1 and e0/2.

Task 1.65

Delete any existing .cfg files. Create the admin context.

Assign it interface e0/2. Set the config to disk0:

Task 1.66

Create context c1. Assign it interfaces e0/0 and e0/1.11.

Save the config to disk0:

Task 1.67







40



Task 1.68

Switch to the admin context and setup interface e0/2 as

inside with pi 192.168.2.200/24. Allow the ACS server SSH

access to this context. Verify connectivity to the ACS

server.

Task 1.69

Switch to context c1. Configure e0/0 as outside with IP

address 24.234.0.100/24 and e0/1.11 as inside with IP

address 172.16.11.100/24. Add ICMP inspection to the global

policy-map and test connectivity by pinging from R2 to R1.

Task 1.70



address 172.16.22.100/24. NAT the inside network to the

outside interface address and require a NAT translation for

traffic passing through the firewall. Verify connectivity

with telnet from R3 to R1.

Task 1.71

Switch back to the system and set the maximum number of

allowed connections for c1 to 200 and the maximum number of

connections for c2 to 100. Set the maximum number of SSH

connections to the admin context to 5.





41



Task 1.72

Prepare for active/standby failover with ASA2. Set ASA1 as

the primary failover unit. Set the failover interface to

E0/3 and name it failover. Set the failover IP address to

10.1.1.1/24 and the standby to 10.1.1.11. Bring up the

failover interface and enable failover.

Task 1.73

Prepare ASA2 for failover. Ensure that it is in multiple

mode. Set the failover interface to e0/3 and name it

failover. Set the failover IP address to 10.1.1.1 and the

standby to 10.1.1.11. Bring up the failover interface and

enable failover.

Task 1.74

Configure SW2 so that fa0/17 and fa0/23 are both on VLAN

66. This will be the failover VLAN.

Task 1.75

Verify that unit failover configuration is operational.





42



Task 1.76

Configure the firewall pair to use stateful failover.

Verify that state information is replicating to the

secondary unit.

Task 1.77

Configure the firewall to monitor all of the interfaces for

c1 and c2. Configure a standby IP address on each

interface. This IP should be the primary +10. If one of

these interfaces fails, the unit should failover. Set the

interface polltime to 500 milliseconds. Set the unit

polltime to 500 milliseconds.

Task 1.78

In addition to normal state information, replicate http

state information.

Task 1.79

Prepare for load balancing. Disable failover on both ASA1

and ASA2. Configure ASA1 to be the primary for c1 and

secondary for c2. Ensure that both ASAs will always take

over as active for the context they are primary for.





43



Task 1.80

Enable failover and verify that active/active is working

properly.

Task 1.81

Final verification involves testing failover. Telnet from

R2 to R1 and enter the password of cisco. Leave the session

up. On SW1, shutdown port fa0/12. Verify that your telnet

session has remained connected. Verify failover.

Task 1.1

Set the hostname of ASA1 to ASA1

The hostname is set with the “hostname” command. When

entered, the prompt will change to reflect the new

hostname.

ciscoasa(config)# hostname ASA1ASA1(config)#





44



Task 1.2

Configure interface E0/0; name it inside and use the IP

address 192.168.2.100/16. Use the default security level.

Bring the interface up.

Set the IP address with the “IP address” command.

Interfaces are named with the “nameif” command. Using the

name inside will automatically set the security-level to

100. Physical interfaces need the “no shut” command issued

for them to come up.

ASA1(config)# interface Ethernet0/0ASA1(config-if)# nameif insideINFO: Security level for "inside" set to 100 by default.ASA1(config-if)# ip address 192.168.2.100 255.255.0.0ASA1(config-if)# no shut

Task 1.3

Configure interface E0/3; name it outside and use the IP

24.234.0.100/24. Use the default security level. Bring the

interface up.

Set the IP address with the “IP address” command.

Interfaces are named with the “nameif” command. Using the

name outside will automatically set the security-level to

0. Physical interfaces need the “no shut” command issued

for them to come up.

ASA1(config)# interface Ethernet0/3ASA1(config-if)# nameif outside





45



INFO: Security level for "outside" set to 0 by default.ASA1(config-if)# ip address 24.234.0.100 255.255.255.0ASA1(config-if)# no shut

Task 1.4

Verify that your interfaces are functional.

Verify that interfaces are up and have the correct IP with

“show interface ip brief”.

ASA1(config)# show interface ip briefInterface IP-Address OK? Method StatusProtocolEthernet0/0 192.168.2.100 YES manual up upEthernet0/1 unassigned YES unsetadministratively down downEthernet0/2 unassigned YES unsetadministratively down downEthernet0/3 24.234.0.100 YES manual up upManagement0/0 unassigned YES unsetadministratively down down

Now verify connectivity to the outside by pinging to R1 and

to the inside by pinging R4.

ASA1(config)# ping 24.234.0.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 24.234.0.1, timeout is 2seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/2/10 ms

ASA1(config)# ping 192.168.2.4





46



Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.168.2.4, timeout is 2seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/1/1 ms

Task 1.5

Set the domain name to ccbootcamp.com

The domain name is set with the “domain-name” command.

ASA1(config)# domain-name ccbootcamp.com

Task 1.6

Set the clock to the current time.

The date and time are set manually with the “clock set”

command.

ASA1(config)# clock set 16:24:00 16 february 2009

Task 1.7

Configure logging so that information level and above

messages are sent to the local buffer. Log messages should

contain a time-stamp.

Buffered logging is configured with the “logging buffered

<level> command”. The syslog level (0-7) can be used as





47



well. Time-stamping is included with the command “logging

timestamp”.

ASA1(config)# logging buffered informationalASA1(config)# logging timestamp

Task 1.8

Configure logging to send messages of information level and

above to syslog on the ACS server. Enable Logging.

Logging to a syslog server is configured with “logging host

<interface> <ip address>” where the interface equals the

interface used to reach the host. Logging level is set with

the “logging trap <level>” command. Logging is enabled with

the “logging enable” command. Notice that we used the

syslog level (Level 6) instead of informational.

ASA1(config)# logging host inside 192.168.2.101ASA1(config)# logging trap 6ASA1(config)# logging enable

Task 1.9

Verify logging is operational both to the buffer and to the

ACS server.

Verify that buffered logging is working by issuing the

“show logging” command. You will see the current logging

settings as well as syslog traffic.





48



ASA1(config)# show loggingSyslog logging: enabled Facility: 20 Timestamp logging: enabled Standby logging: disabled Deny Conn when Queue Full: disabled Console logging: disabled Monitor logging: disabled Buffer logging: level informational, 2446 messages logged Trap logging: level informational, facility 20, 677 messageslogged Logging to inside 192.168.2.101 History logging: disabled Device ID: disabled Mail logging: disabled ASDM logging: disabled16 2009 16:00:04: %ASA-6-302015: Built outbound UDP connection18 for inside:192.168.2.101/514 (192.168.2.101/514) to NPIdentity Ifc:192.168.2.100/514 (192.168.2.100/514)

Logging to the syslog server on the ACS can be verified by

connecting to the ACS and launching the available syslog

program. (Kiwi shown) The program will receive log entries

similar to those shown here:





49



Task 1.10

Configure the management0/0 interface with an IP of address

50.50.50.100 255.255.255.0 and name it management. Ensure

that only management traffic will be allowed to this

interface without using an ACL.

The management interface is configured like any other. To

allow only management traffic to *ANY* interface; use the

“management-only” command in interface configuration mode.

The management interface can be used as a regular interface

simply by using the no version of this command.

ASA1(config)# interface management0/0ASA1(config-if)# nameif managementASA1(config-if)# ip address 50.50.50.100 255.255.255.0ASA1(config-if)# management-onlyASA1(config-if)# no shut

Task 1.11

Configure the ASA to use the ASDM image stored on disk0.

Enable the HTTP server and permit *ONLY* the ACS server to

access it.

The ASDM image is set with “asdm image <location>” command.

The http server is enabled with “http server enable”. These

commands are necessary for ASDM to function. To allow a

specific IP or network access to the http server use the

command “http <ip address and mask> <interface>” where ip





50



address is the IP and subnet mask of the allowed host and

interface is the interface by which the allowed host can be

reached.

ASA1(config)# asdm image disk0:/asdm-61551.binASA1(config)# http server enableASA1(config)# http 192.168.2.101 255.255.255.255 inside

Task 1.12

Configure SSH and *ONLY* allow R4 to connect via SSH on the

inside interface. Do not use an ACL to accomplish this.

Before enabling SSH you need to generate keys. This is done

with “crypto key generate rsa modulus <modulus size>”.

Allowing specific hosts or networks to connect via SSH

works much the same as with HTTP in task 2. Use the command

“ssh <ip address and mask> <interface>”.

ASA1(config)# crypto key generate rsa modulus 1024ASA1(config)# ssh 192.168.2.4 255.255.255.255 inside

Task 1.13

Setup a local user called cisco with a password of cisco

and a privilege level of 15. Setup AAA so that SSH will use

local authentication.

A user is configured with “username <name> password

<password> privilege <priv level>”. To setup SSH to use





51



local authentication the command is “AAA authentication ssh

console LOCAL”.

ASA1(config)# username cisco password cisco privilege 15ASA1(config)# aaa authentication ssh console LOCAL

Task 1.14

Verify that you can connect to the ASA using ASDM from the

ACS server and with SSH from R4.

First verify that you can connect using ASDM. Get on the

ACS server, open internet explorer and go to

. You should get to a page that looks

like the example below. Click on run ASDM applet. Finally,

select yes on all security prompts and if prompted for a

username and password use cisco/cisco.





52



To verify that you can SSH to the ASA from R4, connect to

R4 and use ssh –l cisco 192.168.2.100 which will connect

using the username “cisco”. When prompted for the password

use “cisco”.

R4#ssh -l cisco 192.168.2.100

Password: ciscoType help or '?' for a list of available commands.ASA1>





53



Task 1.15

Setup a default route so that traffic not matching any

other routes will be sent to the next hop of R1.

Static routes are done with the “route” command. The order

of the command is route->interface the traffic will be

routed to->ip and subnet of the traffic to be routed->next

hop address. For default routes you can use the shorthand

of 0 0 for the IP and subnet.

ASA1(config)# route outside 0 0 24.234.0.1

Task 1.16

Configure EIGRP on the ASA so that it becomes a neighbor

with R4. Ensure that the loopback network of R4 appears in

the ASA’s routing table.

EIGRP is configured much the same as on a router. Use the

“router <routing protocol> <instance number>” command. Once

in router configuration mode, the networks who will be

participating in the routing protocol are added with the

“network” command. Notice that we use a regular subnet mask

to identify the network instead of the wildcard mask that

would be used on a router.





54



ASA1(config)# router eigrp 1ASA1(config-router)# network 192.168.0.0 255.255.0.0

Verify that the ASA has become a neighbor with R4 by using

the “show eigrp neighbors” command.

ASA1(config)# show eigrp neighborsEIGRP-IPv4 neighbors for process 1H Address Interface Hold Uptime SRTTRTO Q Seq (sec) (ms)Cnt Num0 192.168.2.4 Et0/0 11 00:27:09 14500 0 5

Verify that R4’s loopback network is in the routing table

with the command “show route”. It is the 4.4.4.4/32 network

and the D indicates the route came from EIGRP.

ASA1(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF interarea N1 - OSPF NSSA external type 1, N2 - OSPF NSSA externaltype 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E -EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia -IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route

Gateway of last resort is 24.234.0.1 to network 0.0.0.0

D 4.4.4.4 255.255.255.255 [90/131072] via 192.168.2.4,0:25:38, insideC 24.234.0.0 255.255.255.0 is directly connected, outside





55



S* 0.0.0.0 0.0.0.0 [1/0] via 24.234.0.1, outsideC 192.168.0.0 255.255.0.0 is directly connected, inside

Task 1.17

Configure OSPF on the ASA so that it becomes a neighbor

with R1. Verify that the 1.1.1.0/24 network is reachable.

Configuring OSPF is very similar to setting up the EIGRP

network except that we must be sure to add the 24.234.0.0

network to the proper area.

ASA1(config)# router ospf 1ASA1(config-router)# network 24.234.0.0 255.255.255.0 area 100

We can verify the neighbor relationship with R1 by using

the command “show ospf neighbor”.

ASA1(config)# show ospf neighbor

Neighbor ID Pri State Dead Time AddressInterface1.1.1.1 1 FULL/BDR 0:00:32 24.234.0.1outside

A show route will show that the 1.1.1.0/24 network is

reachable via R1.

ASA1(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF interarea





56



N1 - OSPF NSSA external type 1, N2 - OSPF NSSA externaltype 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E -EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia -IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route


O 1.1.1.0 255.255.255.0 [110/11] via 24.234.0.1, 0:03:06,outsideD 4.4.4.4 255.255.255.255 [90/131072] via 192.168.2.4,2:13:55, insideC 24.234.0.0 255.255.255.0 is directly connected, outsideS* 0.0.0.0 0.0.0.0 [1/0] via 24.234.0.1, outsideC 192.168.0.0 255.255.0.0 is directly connected, inside

And a ping to 1.1.1.1 will verify that it is reachable.

ASA1(config)# ping 1.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/1/1 ms

Task 1.18

Configure EIGRP so that the default route is sent into

EIGRP 1. Configure the ASA so that the EIGRP routes are

sent into OSPF area 100 without summarizing them. Verify

that R4 has received the default route and that R1 has

received the EIGRP routes.





57



Configuring EIGRP to propagate the default route is done

with route redistribution. First we will redistribute the

default route into EIGRP 1.

ASA1(config)# router eigrp 1ASA1(config-router)# redistribute static

Then we redistribute EIGRP into OSPF. Note that we use the

“subnets” keyword so that the networks are not summarized.

ASA1(config)# router ospf 1ASA1(config-router)# redistribute eigrp 1 subnets

Verify that R4 has received the default route by doing a

“show ip route”. It shows up as an EIGRP external route.

R4#show ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF interarea N1 - OSPF NSSA external type 1, N2 - OSPF NSSA externaltype 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 -IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route


4.0.0.0/24 is subnetted, 1 subnetsC 4.4.4.0 is directly connected, Loopback0D*EX 0.0.0.0/0 [170/30720] via 192.168.2.100, 00:12:04,FastEthernet0/0C 192.168.0.0/16 is directly connected, FastEthernet0/0





58



Verify that R1 has received the EIGRP routes with “show ip

route”. They show up as OSPF external type 2 routes. Notice

that it receives 4.4.4.0/24 because of the “subnets”

keyword.


Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnetsC 1.1.1.0 is directly connected, Loopback0 4.0.0.0/24 is subnetted, 1 subnetsO E2 4.4.4.0 [110/20] via 24.234.0.100, 00:06:47,FastEthernet0/1 24.0.0.0/24 is subnetted, 1 subnetsC 24.234.0.0 is directly connected, FastEthernet0/1O E2 192.168.0.0/16 [110/20] via 24.234.0.100, 00:14:51,FastEthernet0/1

Task 1.19

Configure ASA1 to require a NAT rule for traffic passing

through it.





59



To make ASA1 require a NAT rule use the global command

“nat-control”.

ASA1(config)# nat-control

Task 1.20

Configure dynamic address translation so that any outbound

traffic from the 192.168.0.0/16 network translated to the

outside interface’s IP address.

To translate from an entire network to a single IP you must

use PAT. First define the inside network to be translated.

Note the NAT ID of 1 after the (inside) keyword.

ASA1(config)# nat (inside) 1 192.168.0.0 255.255.0.0

Then, using the “global” command and the same NAT ID used

to configure the translation. We use the “interface”

keyword but you could also type the IP address or a range

of IPs.

ASA1(config)# global (outside) 1 interfaceINFO: outside interface address added to PAT pool

Task 1.21

Configure NAT so that the ACS server is reachable from the

outside as 24.234.0.101. This host is sensitive to DoS

attacks, so set the total number of TCP connections allowed





60



to no more than 100 and the number of embryonic connections

allowed per host to 20.

Use the “static” command to allow the ACS server to be

reached from the outside. We use the “TCP” keyword to set

TCP specific parameters and 100 for the total TCP

connections allowed. The second number is the total number

of embryonic TCP connections allow per host to the ACS

server.

ASA1(config)# static (inside,outside) 24.234.0.101 192.168.2.101tcp 100 20

Task 1.22

Configure NAT so that hosts on the outside who telnet to

24.234.0.4 on port 2323 are able to reach R4 on port 23.

This type of NAT is known as port-redirection or port-

forwarding. The “static” command follows the same basic

format but we use “TCP” before the IP is entered and the

TCP ports after the IP addresses.

ASA1(config)# static (inside,outside) tcp 24.234.0.4 2323192.168.2.4 23

Task 1.23

Allow SW1 (192.168.2.11) to send traffic to the outside

without changing its IP address.





61



Nat-control requires a translation, but we can get around

this requirement by using identity NAT, also known as NAT

0. Notice that the NAT ID is set to 0.

ASA1(config)# nat (inside) 0 192.168.2.11 255.255.255.255nat 0 192.168.2.11 will be identity translated for outbound

Task 1.24

Dynamically translate R4’s address to 24.234.0.254 only

when pings are sent from R4 to R1.

A NAT translation based on requests from specific hosts is

known as policy NAT. An ACL is used to identify the

specific traffic. That ACL is then tied to a NAT ID. Notice

that we use a different NAT ID than that used for our PAT.

ASA1(config)# access-list POLICY_NAT extended permit icmp host192.168.2.4 host 24.234.0.1ASA1(config)# nat (inside) 2 access-list POLICY_NATASA1(config)# global (outside) 2 24.234.0.254INFO: Global 24.234.0.254 will be Port Address Translated

Task 1.25

Verify that your PAT configuration is working, and that the

static and policy NATs are in the ASA’s translation table.

First, verify the PAT configuration is working by

telnetting from R4 to R1.

R4#telnet 24.234.0.1





62



Trying 24.234.0.1 ... Open

R1#

To see the translation table on the ASA use the “show xlate

detail” command. We can see TCP PAT from R4’s address on

the inside to the ASA’s outside IP. The flags show as “ri”

which indicates a port map and a dynamic translation. We

can also see the static translation for the ACS server

which has the “s” or static flag and the policy NAT which

has the “sr” flags.

ASA1(config)# show xlate detail3 in use, 3 most usedFlags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom, r - portmap, s - staticTCP PAT from inside:192.168.2.4/23 to outside:24.234.0.4/2323flags srNAT from inside:192.168.2.101 to outside:24.234.0.101 flags sTCP PAT from inside:192.168.2.4/17116 tooutside:24.234.0.100/17803 flags ri





63



Task 1.27

On ASA1, create a standard ACL called R1 to permit all

traffic from R1. Do not apply it to any interface.

A standard ACL is very basic, it permits or denies based

only on the source IP address.

ASA1(config)# access-list R1 standard permit host 24.234.0.1

Task 1.28

On ASA1, setup an ACL called OUTSIDE that will protect your

network from outside attacks. When it is complete, apply it

for traffic incoming to the outside interface. All traffic

should be denied EXCEPT for:

• Telnet from any outside host to R4’s outside address

on port 2323

• RADIUS from R1 to the ACS server’s outside IP address

This second ACL gives us a good mix of TCP, UDP and a

routing protocol. Regardless of which protocol we’re

working with, the order is the same. Permit/Deny->protocol-

>From this address/port->To this address/port. Remember

that there is an implicit deny at the end of the ACL, so if





64



a packet doesn’t match any of the permit lines it will be

dropped.

ASA1(config)# access-list OUTSIDE extended permit tcp any host24.234.0.4 eq 2323ASA1(config)# access-list OUTSIDE extended permit udp host24.234.0.1 host 24.234.0.101 eq radius

ACLs are applied with the “access-group” command for

traffic that is entering or leaving an interface. In this

case it is entering the interface so we use the in keyword.

ASA1(config)# access-group OUTSIDE in interface outside

Task 1.29

All traffic from R4 to anywhere should be allowed during

business hours (9am to 5pm) but should be denied at all

other times. Create an ACL called INSIDE that will meet

these criteria and apply it to traffic inbound to the

inside interface. Log all denied traffic.

This is an example of a time based ACL. To accomplish the

task we first have to create a time range using the “time-

range” command. Time-range is based on a 24 hour clock.

ASA1(config)# time-range R4_BLOCKASA1(config-time-range)# periodic daily 00:00 to 08:59ASA1(config-time-range)# periodic daily 17:01 to 23:59

Next, we have to apply the time range to an ACL deny entry.

Remember that we also have to permit all other traffic at





65



all times so that it won’t be dropped by the implicit deny

at the end of the ACL. Note the “log” keyword in the deny

statement. This will generate log entries when this line is

matched.

ASA1# access-list INSIDE extended deny ip host 192.168.2.4 anylog time-range R4_BLOCKASA1# access-list INSIDE extended permit ip any any

Now we need to apply this ACL to the inside interface.

ASA1(config)# access-group INSIDE in interface inside

Task 1.30

When a traffic flow matches the INSIDE ACL time based

entry, the flow is cached. Configure the ASA so that an

error message is generated when the number of these cached

flows exceeds 2000.

To set a maximum number of cached flows use the “deny-flow-

max” command. This is useful in detecting a DoS attack.

ASA1(config)# access-list deny-flow-max 2000

Task 1.31

Verify that the OUTSIDE ACL is applied and working by

telnetting from R1 to 24.234.0.4 on port 2323.





66



On R1, use telnet to 24.234.0.4 2323 to verify that the ACL

is allowing the traffic and that the port map is working.

R1#telnet 24.234.0.4 2323Trying 24.234.0.4, 2323 ... Open

R4#

Now, on the ASA, further verify that the ACL allowed the

traffic with “show access-list OUTSIDE”. Notice that the

hit count is 1 for the line which permits the telnet

traffic.

ASA1(config)# show access-list OUTSIDEaccess-list OUTSIDE; 2 elementsaccess-list OUTSIDE line 1 extended permit tcp any host24.234.0.4 eq 2323 (hitcnt=1) 0x84f0d3e2access-list OUTSIDE line 2 extended permit udp host 24.234.0.1host 24.234.0.101 eq radius (hitcnt=0) 0x24db0f17

Task 1.32

Create a network object group called MAILERS and add both

R4 and SW1 (192.168.2.11) to it.

Create the group with the “object-group” command and the

network keyword. Then add the object to the group with the

network-object command. We added individual hosts with the





67



“host” keyword, but you can also add networks with an IP

address and subnet mask.

ASA1(config)# object-group network MAILERSASA1(config-network)# network-object host 192.168.2.4ASA1(config-network)# network-object host 192.168.2.11

Task 1.33

Create a service object group called MAIL_PORTS and add DNS

(TCP) and SMTP to it.

A service group is also created with the “object-group”

command, using the “service” keyword.

ASA1(config)# object-group service MAIL_PORTSASA1(config-service)# service-object tcp eq domainASA1(config-service)# service-object tcp eq smtp

Task 1.34

Add a single line to the INSIDE ACL that will block R4 and

SW1 from sending e-mail or DNS to servers outside the local

network.

Now we’re going to use our object groups to save several

lines in an ACL. Remember that there is a permit ip any any

near the end of the ACL so we have to insert the deny

statement before it. Note that instead of deny <protocol>

we have denied the object group.





68



ASA1(config)# access-list INSIDE line 1 deny object-groupMAIL_PORTS object-group MAILERS any

With this line in place, issue the “show access-list”

INSIDE command to see how many lines we saved by using the

object groups.

ASA1(config)# show access-list INSIDEaccess-list INSIDE; 8 elementsaccess-list INSIDE line 1 extended deny object-group MAIL_PORTSobject-group MAILERS any 0x3eef95c1 access-list INSIDE line 1 extended deny tcp host 192.168.2.4any eq domain (hitcnt=0) 0x8b85ea80 access-list INSIDE line 1 extended deny tcp host 192.168.2.1any eq domain (hitcnt=0) 0x60d1a14a access-list INSIDE line 1 extended deny tcp host 192.168.2.4any eq smtp (hitcnt=0) 0x4e7ad89b access-list INSIDE line 1 extended deny tcp host 192.168.2.1any eq smtp (hitcnt=0) 0x441049a2access-list INSIDE line 2 extended deny ip host 192.168.2.4 anylog informational interval 300 time-range R4_BLOCK (hitcnt=0)(inactive) 0x7b2cc583access-list INSIDE line 3 extended permit ip any any (hitcnt=0)0x2a29f5f2

Task 1.35



50.





69



Sub-interfaces are configured like regular interfaces with

the addition of “.x” where x is the number of the sub-

interface. Add the sub-interface to a vlan with the “vlan”

command. When sub-interfaces with VLANS are configured on

an interface, the physical interface acts as a DOT1Q trunk.

ASA1(config)# interface Ethernet0/1.11ASA1(config-subif)# vlan 11ASA1(config-subif)# nameif DMZ1ASA1(config-subif)# security-level 50ASA1(config-subif)# ip address 172.16.11.100 255.255.255.0

Task 1.36



50.

This sub-interface is configured just like the one above.

ASA1(config)# interface Ethernet0/1.22ASA1(config-subif)# vlan 22ASA1(config-subif)# nameif DMZ2ASA1(config-subif)# security-level 50ASA1(config-subif)# ip address 172.16.22.100 255.255.255.0

Task 1.37

Bring up interface E0/1.

The sub-interfaces will not come up unless the physical

interface is brought up.





70



ASA1(config)# int e0/1ASA1(config-if)# no shut

Task 1.38

Ping to both R2 and R3 to verify connectivity to the DMZ

hosts. Ping from R2 to R3.

The pings to the DMZ routers from the firewall should be

successful.

ASA1(config)# ping 172.16.11.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 172.16.11.2, timeout is 2seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/1/1 msASA1(config)# ping 172.16.22.3Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 172.16.22.3, timeout is 2seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/2/10 ms

But the pings from R2 to R3 should fail.

R2#ping 172.16.22.3

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 172.16.22.3, timeout is 2seconds:.....Success rate is 0 percent (0/5)





71



Task 1.39

Correct the issue that is stopping pings between the DMZ

routers.

The pings are being dropped at the firewall even though the

security levels of the DMZ interfaces are both 50. This is

the default behavior of an ASA. For the traffic to be

allowed, you must use the “same-security-traffic” command.

We permit “inter-interface” because the traffic is going

from one interface to another. In this case the sub-

interfaces act as different interfaces even though they are

entering and exiting the same physical interface.

ASA1(config)# same-security-traffic permit inter-interface

Now try the ping from R2 to R3 again.

R2#ping 172.16.22.3






72



Task 1.40

Remove activex objects from http traffic going from any

source to any destination.

This is done with the “filter activex” command. You can

enter a port number or range to filter traffic on, but we

used http instead of 80. Notice the 0 0 0 0, each zero is

shorthand for 0.0.0.0. This means match all or from any to

any.

ASA1(config)# filter activex http 0 0 0 0

Task 1.41

Stop hosts on the 192.168.0.0/16 network from downloading

java applets via http.

Java is filtered using the same format as activex. In this

example we entered 80 instead of http. We also entered a

source for the traffic, the 192.168.0.0/16 network. The

destination is still any, shortened to 0 0. It’s important

to note that this command blocks the java from returning to

the ASA through the outbound connection. It still allows

the HTTP traffic, but with the source for the java applet

commented out.

ASA1(config)# filter java 80 192.168.0.0 255.255.0.0 0 0





73



Task 1.42

Configure the ASA to use a URL filtering server in the DMZ.

The server will use the IP address of R2 and will be

running Websense with the default settings.

A URL filtering server is configured with the command “url-

server”. Notice the interface the server is reached through

in parenthesis, the vendor used and the IP of the server.

ASA1(config)# url-server (DMZ1) vendor websense host 172.16.11.2

Task 1.43

Filter URLs using the newly setup websense server. Do this

for all traffic from the 192.168.0.0/16 network. Block

attempts to use a proxy server and remove any cgi-

parameters.

With the URL filtering server configured, you must choose

which outgoing traffic will be checked against the server’s

policy. This is done with the “filter url” command. The

IP’s are entered in a from->to format and we again use the

0 0 shorthand to filter from our network to any

destination. The “proxy-block” option is used to block

attempts to use an http proxy server. The “cgi-truncate”

option removes CGI script parameters from the URL.

ASA1(config)# filter url http 192.168.0.0 255.255.0.0 0 0 proxy-block cgi-truncate





74



Task 1.44

The ACS server should be exempt from the URL filtering

policy.

Exceptions to the filtering policy can be added using the

“filter url except” command. These can be specific hosts or

entire networks, determined by the subnet mask. We use a 32

bit mask to identify only the ACS server host address.

ASA1(config)# filter url except 192.168.2.101 255.255.255.255 00

Task 1.45

Ping from R4 to R1. Use logging to determine why the pings

are failing.

Pings from R4 to R1 are failing even though they are coming

from the inside (trusted) network to the outside.

R4#ping 24.234.0.1






75



Using logging shows that NAT is translating R4’s address

properly and that a flow is being created for the ICMP

connection. The returning pings are being blocked by the

outside ACL.

ASA1(config)# show logging | inc 24.234.0.1Feb 23 2009 13:53:05: %ASA-6-302020: Built outbound ICMPconnection for faddr 24.234.0.1/0 gaddr 24.234.0.254/56751 laddr192.168.2.4/3Feb 23 2009 13:53:05: %ASA-4-106023: Deny icmp srcoutside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) byaccess-group "OUTSIDE" [0x0, 0x0]Feb 23 2009 13:53:07: %ASA-4-106023: Deny icmp srcoutside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) byaccess-group "OUTSIDE" [0x0, 0x0]Feb 23 2009 13:53:09: %ASA-4-106023: Deny icmp srcoutside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) byaccess-group "OUTSIDE" [0x0, 0x0]Feb 23 2009 13:53:11: %ASA-4-106023: Deny icmp srcoutside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) byaccess-group "OUTSIDE" [0x0, 0x0]Feb 23 2009 13:53:13: %ASA-4-106023: Deny icmp srcoutside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) byaccess-group "OUTSIDE" [0x0, 0x0]Feb 23 2009 13:53:15: %ASA-6-302021: Teardown ICMP connectionfor faddr 24.234.0.1/0 gaddr 24.234.0.254/56751 laddr192.168.2.4/3

Task 1.46

View the default modular policy framework configuration on

the ASA and then correct it to solve the ping issue. Do not

use an ACL to accomplish this. Verify that R4 can ping R1.

View the default MPF configuration with the “show service-

policy” command. Notice that ICMP is not included in the





76



inspection_default class-map. This explains why outgoing

ICMP is allowed but the return traffic is dropped.

ASA1(config)# show service-policy

Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: dns migrated_dns_map_1, packet 0, drop 0, reset-drop 0 Inspect: ftp, packet 0, drop 0, reset-drop 0 Inspect: h323 h225 _default_h323_map, packet 0, drop 0,reset-drop 0 Inspect: h323 ras _default_h323_map, packet 0, drop 0,reset-drop 0 Inspect: netbios, packet 0, drop 0, reset-drop 0 Inspect: rsh, packet 0, drop 0, reset-drop 0 Inspect: rtsp, packet 0, drop 0, reset-drop 0 Inspect: skinny , packet 0, drop 0, reset-drop 0 Inspect: esmtp _default_esmtp_map, packet 0, drop 0,reset-drop 0 Inspect: sqlnet, packet 0, drop 0, reset-drop 0 Inspect: sunrpc, packet 0, drop 0, reset-drop 0 Inspect: tftp, packet 0, drop 0, reset-drop 0 Inspect: sip , packet 0, drop 0, reset-drop 0 Inspect: xdmcp, packet 0, drop 0, reset-drop 0

This can be corrected by editing the global_policy policy-

map and adding “inspect ICMP” to the inspection_default

class.

ASA1(config)# policy-map global_policyASA1(config-pmap)# class inspection_defaultASA1(config-pmap-c)# inspect icmp

Verify by once again pinging from R4 to R1, the pings are

now successful.





77



R4#ping 24.234.0.1


You can also look at the “show service-policy” command

again to see that the ICMP packet counter has increased.

ASA1(config-pmap)# show service-policy

Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: icmp, packet 10, drop 0, reset-drop 0

Task 1.47

Configure the ASA so that R2 is not allowed multiple telnet

sessions to R3.

Modular policy framework is used in situations where ACLs

do not provide enough control. In this case we must first

define the traffic we want to act on with an ACL.

ASA1(config)# access-list R2_TELNET permit tcp host 172.16.11.2host 172.16.22.3 eq telnet

Then we have to create a “class map” which creates a class

of traffic that matches our ACL.





78



ASA1(config)# class-map R2_TELNETASA1(config-cmap)# match access-list R2_TELNET

A “policy map” is created to apply an action to traffic

matching our class. In this case the action is to set the

maximum number of connections allowed per client to 1.

ASA1(config-cmap)# policy-map R2_TELNETASA1(config-pmap)# class R2_TELNETASA1(config-pmap-c)# set connection per-client-max 1

Finally we apply this policy to an interface (or globally)

with a “service-policy”.

ASA1(config)# service-policy R2_TELNET interface DMZ1

Task 1.48

Verify that R2 is limited to 1 telnet connection at a time.

The password is “cisco”.

First, telnet from R2 to R3

R2#telnet 172.16.22.3Trying 172.16.22.3 ... OpenUser Access VerificationPassword:R3>

Then drop back to R2 leaving the session open with

shift_ctrl_66,x. Issue the “show sessions” command to

verify your telnet connection is still open.





79



R2#show sessionsConn Host Address Byte Idle ConnName* 1 172.16.22.3 172.16.22.3 0 0172.16.22.3

Now attempt to open another telnet connection to R3. The

connection will fail.

R2#telnet 172.16.22.3Trying 172.16.22.3 ...% Connection timed out; remote host not responding

Further verify by viewing the ASA log. Notice that the per

client max has been exceeded.

ASA1(config)# show logging | inc 172.16.11.2

Feb 23 2009 15:04:58: %ASA-3-201013: Per-client connection limitexceeded 1/1 for input packet from 172.16.11.2/38100 to172.16.22.3/23 on interface DMZ1

Task 1.49

Allow R1 to FTP to the ACS server’s outside IP address.

Ensure that this traffic conforms to the RFCs for FTP.

Reset the connection if R1 attempts to use the ‘PUT’

command.





80



First we must allow the FTP traffic, and this is done by

adding a line to the OUTSIDE ACL.

ASA1(config)# access-list OUTSIDE extended permit tcp host24.234.0.1 host 24.234.0.101 eq ftp

Now we have to setup our application level inspection. This

is an added set of steps to the regular MPF configuration.

We will identify the specific type of layer 7 traffic we

want; in this case the ftp “put” command. To do this we use

“class-map type inspect ftp”.

ASA1(config)# class-map type inspect ftp match-all ACS_FTPASA1(config-cmap)# match request-command put

Now we are going to apply actions to the identified layer 7

traffic with a policy-map type inspect ftp. The action we

apply is “reset”.

ASA1(config)# policy-map type inspect ftp ACS_FTPASA1(config-pmap)# class ACS_FTPASA1(config-pmap-c)# reset

Policy map type inspects cannot be directly applied to an

interface. They must be nested within a normal layer 3/4

policy map. So we will proceed with our normal MPF

procedure. Identifying the layer 3/4 traffic to be acted on

with an ACL that will be used in a class map, in this case

R1’s connection to the ACS outside address via FTP.

ASA1(config)# access-list R1_ACS extended permit tcp host24.234.0.1 host 24.234.0.101 eq ftp





81



ASA1(config)# class-map R1_ACSASA1(config-cmap)# match access-list R1_ACS

Now we will apply actions to the identified traffic using a

layer 3/4 policy map. Notice that we “inspect ftp” with the

“strict” option which ensures that the FTP traffic conforms

to the FTP RFCs. Also note the ACS_FTP at the end. This is

our layer 7 policy map. This means that FTP will be

inspected and passed as normal, UNLESS the put command is

used, in which case the connection will be reset.

ASA1(config)# policy-map R1_ACSASA1(config-pmap)# class R1_ACSASA1(config-pmap-c)# inspect ftp strict ACS_FTP

Finally, we have to apply the policy map to an interface.

This is done with the “service-policy” command.

ASA1(config)# service-policy R1_ACS interface outside

Task 1.50

Create and test regular expressions that will match the

domains “illegal.com” and “spam.net”

Create the regular expressions with the “regex” command.

ASA1(config)# regex illegal "illegal\.com"ASA1(config)# regex spam "spam\.net"

Test them with the “test” command. Notice that even though

there is a “www.” before the phrase it still matches.





82



ASA1(config)# test regex www.illegal.com "illegal\.com"INFO: Regular expression match succeeded.ASA1(config)# test regex www.spam.net "spam\.net"INFO: Regular expression match succeeded.

Task 1.51

Drop and log outgoing http traffic from the ACS server when

it contains either of the domain names identified by the

regular expressions.

First we must create a class type regex that will identify

the phrases. Note the “match-any” option meaning either of

the phrases (not both) can be matched.

ASA1(config)# class-map type regex match-any BAD_DOMAINSASA1(config-cmap)# match regex illegalASA1(config-cmap)# match regex spam

Next we will create a class-map type inspect that will

identify the specific layer 7 attributes we want to

identify, in this case the domains we want to drop. Notice

that we are matching a request url that matches one of our

BAD_DOMAINS regular expressions.

ASA1(config)# class-map type inspect http ACS_URLASA1(config-cmap)# match request uri regex class BAD_DOMAINS

We have now identified the specific layer 7 traffic and

must apply actions to it with a policy-map type inspect.




http://www.illegal.com/

http://www.spam.net/


83



Note that we apply multiple actions, dropping the

connection and logging the dropped connection.

ASA1(config-cmap)# policy-map type inspect http ACS_URLASA1(config-pmap)# class ACS_URLASA1(config-pmap-c)# drop-connection log

Now we need to create an ACL that will identify the layer

3/4 traffic. Traffic from the ACS to any host using http.

ASA1(config)# access-list ACS_HTTP permit tcp host 192.168.2.101any eq http

We’ll use this ACL in a layer 3/4 class-map to identify the

traffic.

ASA1(config)# class-map ACS_HTTPASA1(config-cmap)# match access-list ACS_HTTP

Now we’ll apply actions to the traffic identified by the

layer 3/4 class-map with a policy-map. Note the inspect

http ACS_URL which nests our layer 7 policy within the

layer 3/4 policy-map.

ASA1(config)# policy-map ACS_HTTPASA1(config-pmap)# class ACS_HTTPASA1(config-pmap-c)# inspect http ACS_URL

Finally, apply the policy so that it will affect outgoing

traffic from the ACS server. This is done with service-

policy on the inside interface.





84



ASA1(config)# service-policy ACS_HTTP interface inside

Task 1.52

Verify that both of your layer 3/4 policies are applied to

the correct interfaces and are using the correct layer 7

policies.

Because the configuration is lengthy, it’s always a good

idea to double check your policies. First verify the layer

3/4 policies are applied correctly with “show service-

policy” (global policy output removed). Note that on the

inside interface, the ACS_HTTP policy is applied and that

it is inspecting http with the ACS_URL layer 7 policy map.

Also note that the R1_ACS policy is applied to the outside

interface and is inspecting ftp strict using the ACS_FTP

layer 7 policy map.

ASA1# show service-policy

Interface inside: Service-policy: ACS_HTTP Class-map: ACS_HTTP Inspect: http ACS_URL, packet 0, drop 0, reset-drop 0

Interface outside: Service-policy: R1_ACS Class-map: R1_ACS Inspect: ftp strict ACS_FTP, packet 0, drop 0, reset-drop0





85



Task 1.53

DMZ2 contains mail servers. The mail servers send an

excessive amount of SMTP traffic causing connectivity and

speed problems for the entire network. Because of this,

police outgoing SMTP bandwidth to no more than 20mbps. If

the SMTP traffic exceeds this rate, drop it.

This is done with MPF, and as such we need a class map to

identify the SMTP traffic. Instead of matching an ACL as in

previous examples, we’re going to match a TCP port.

ASA1(config)# class-map SMTP_LIMITASA1(config-cmap)# match port tcp eq smtp

Now that we’ve identified our traffic, we will apply

actions to it with a policy map. We will be using the QoS

action “police”. With this command we’re policing the

output rate to 20,000,000 bits per second which is 20MB.

Notice that if the traffic rate conforms (up to 20MB) it

will be transmitted but if it exceeds (over 20MB) it will

be dropped.

ASA1(config)# policy-map SMTP_LIMITASA1(config-pmap)# class SMTP_LIMITASA1(config-pmap-c)# police output 20000000 conform-actiontransmit exceed-action drop





86



We now need to apply the policy to an interface, in this

case DMZ2 since that is where the SMTP traffic originates

from.

ASA1(config)# service-policy SMTP_LIMIT interface DMZ2

Task 1.54

Clients on the inside network run streaming audio/video

applications that use RTP on UDP ports 10000-20000. Because

of its time sensitive nature, this traffic should be given

priority over other traffic. The queue size for these

packets should be increased to the maximum size.

This QoS feature is known as priority queuing. To configure

it, first setup the priority queue on an interface, in this

case inside. Per the task, we increase the default queue

size from 1024 to 2048.

ASA1(config)# priority-queue insideASA1(config-priority-queue)# queue-limit 2048

Next we need to identify the traffic that will be

prioritized. We’re going to create a class-map that matches

RTP starting on UDP port 10000 with a range of 10000,

meaning ports 10000-20000.

ASA1(config)# class-map RTP_INSIDEASA1(config-cmap)# match rtp 10000 10000

Now we need to apply an action to the identified traffic

with a policy-map. We already have a policy map in place





87



for the inside interface, so we simply add our class to it

with the “class” command. Then set the action to

“priority”. The policy map is already applied to the inside

interface so no further configuration is needed.

ASA1(config)# policy-map ACS_HTTPASA1(config-pmap)# class RTP_INSIDEASA1(config-pmap-c)# priority

Task 1.55

Setup ASA2 as a transparent firewall. Set the hostname to

ASA2. Set the management IP to 24.234.2.200. Enable

buffered logging with time-stamps at level 6.

Before any configuration, use the command firewall

transparent to set the ASA to “transparent” mode.

ciscoasa(config)# firewall transparent

You should already be familiar with the “hostname” command

from the previous ASA configuration. The management IP of a

transparent firewall is setup from global configuration

mode with the “ip address” command.

ciscoasa(config)# hostname ASA2ASA2(config)# ip address 24.234.2.200 255.255.255.0

Logging configuration is identical to a standard ASA.





88



ASA2(config)# logging buffered 6ASA2(config)# logging timestampASA2(config)# logging enable

Task 1.56

Configure interface e0/2.55 as the inside interface and set

it to VLAN 55.

Sub-interfaces are configured like a standard ASA, except

that they do not need an IP address since they are not

working at layer 3.

ASA2(config)# int e0/2.55ASA2(config-subif)# vlan 55ASA2(config-subif)# nameif insideINFO: Security level for "inside" set to 100 by default.

Task 1.57

Configure interface e0/2.66 as the outside interface and

set it to VLAN 66.

e0/2.66 is setup similar to e0/2.55

ASA2(config)# int e0/2.66ASA2(config-subif)# vlan 66ASA2(config-subif)# nameif outsideINFO: Security level for "outside" set to 0 by default.





89



Task 1.58

Add ICMP to the global inspect policy. Ping from R5 to R6

to verify lack of connectivity. Now bring up e0/2 and

repeat the ping test.

You should be familiar with adding icmp inspection to the

global_policy from the previous ASA configuration.

ASA2(config)# policy-map global_policyASA2(config-pmap)# class inspection_defaultASA2(config-pmap-c)# inspect icmp

Ping from R5 to R6. This ping is expected to fail since

the routers are on separate VLANs and there is nothing to

bridge the L2 traffic from one vlan to another.

R5#ping 24.234.2.6


Bring up physical interface e0/2 and repeat the ping.

Notice that the ping is now successful because the firewall

is bridging the traffic at L2.

ASA2(config)# interface e0/2

ASA2(config-if)# no shut

R5#ping 24.234.2.6





90




Task 1.59

View the log to see what kind of traffic is being denied.

Configure the ASA to allow this traffic and verify that it

is working on the routers.

View the log with “show logging”. Notice that the traffic

denied is IP protocol 88 with a destination address of

224.0.0.10. This is EIGRP traffic.

ASA2(config)# show logging

Feb 25 2009 15:27:03: %ASA-3-106010: Deny inbound protocol 88src outside:24.234.2.6 dst inside:224.0.0.10Feb 25 2009 15:27:04: %ASA-3-106010: Deny inbound protocol 88src inside:24.234.2.5 dst outside:224.0.0.10Feb 25 2009 15:27:08: %ASA-3-106010: Deny inbound protocol 88src outside:24.234.2.6 dst inside:224.0.0.10Feb 25 2009 15:27:08: %ASA-3-106010: Deny inbound protocol 88src inside:24.234.2.5 dst outside:224.0.0.10

To permit this traffic we must create and apply ACLs in

both directions. First for the traffic from the inside-

>out.

ASA2(config)# access-list INSIDE permit eigrp host 24.234.2.5host 224.0.0.10





91



ASA2(config)# access-group INSIDE in interface inside

And then for the traffic from the outside->in

ASA2(config)# access-list OUTSIDE permit eigrp host 24.234.2.6host 224.0.0.10ASA2(config)# access-group OUTSIDE in interface outside

You’ll notice that neighbor adjacencies are formed on the

routers but they are going up and down. Viewing the ASA log

again points to the reason why. The 224.0.0.10 traffic is

allowed, but now the EIGRP traffic between the routers

themselves is being denied.


cess-group "INSIDE" [0x0, 0x0]Feb 25 2009 15:39:44: %ASA-4-106023: Deny protocol 88 srcoutside:24.234.2.6 dst inside:24.234.2.5 by access-group"OUTSIDE" [0x0, 0x0]Feb 25 2009 15:39:44: %ASA-4-106023: Deny protocol 88 srcinside:24.234.2.5 dst outside:24.234.2.6 by access-group"INSIDE" [0x0, 0x0]Feb 25 2009 15:39:49: %ASA-4-106023: Deny protocol 88 srcoutside:24.234.2.6 dst inside:24.234.2.5 by access-group"OUTSIDE" [0x0, 0x0]

To correct this we must add lines to both of our ACLs to

permit the router to router EIGRP traffic.

ASA2(config)# access-list OUTSIDE permit eigrp host 24.234.2.6host 24.234.2.5ASA2(config)# access-list INSIDE permit eigrp host 24.234.2.5host 24.234.2.6





92



The EIGRP neighbor adjacencies are now up and stable. You

can view them on the routers.

R5#sho ip eigrp neighborsIP-EIGRP neighbors for process 1H Address Interface Hold Uptime SRTTRTO Q Seq (sec) (ms)Cnt Num0 24.234.2.6 Fa0/1 13 00:01:24 4200 0 12

Task 1.60

A host on the outside is trying to perform a man in the

middle attack by responding to ARP requests for IP

24.234.2.55 with its own MAC address. The real MAC that

should be mapped to 24.234.2.55 is 001b.533b.5555.

Configure the ASA to drop the bad ARP traffic.

We can defend against man in the middle attacks with ARP

inspection. We are going to statically map IP 24.234.2.55

to MAC 001b.533b.5555 and the inside interface with the

“arp” command. After mapping with ARP, we need to apply the

ARP inspection on the outside interface with the “arp-

inspection” command.

ASA2(config)# arp inside 24.234.2.55 001b.533b.5555ASA2(config)# arp-inspection outside enable





93



Task 1.61

Enable ICMP from the inside networks to anywhere. Verify

that the ASA is blocking the bad ARP responses by pinging

from R5 to 24.234.2.55 and viewing the firewall log.

First, we have to allow ICMP from our inside networks to

anywhere. This is done by adding an entry to the INSIDE

ACL.

ASA2(config)# access-list INSIDE extended permit icmp any any

Then, try to ping from R5 to 24.234.2.55. The host on the

outside that is MAC spoofing will try to respond to the ARP

requests, but the ASA will block them since they have the

wrong MAC address and are coming from the wrong interface.

View the log, the entry is very clear as to why the traffic

is being blocked.


Feb 25 2009 16:23:01: %ASA-3-322002: ARP inspection check failedfor arp response received from host 001b.533b.e951 on interfaceoutside. This host is advertising MAC Address 001b.533b.e951 forIP Address 24.234.2.55, which is statically bound to MAC Address001b.533b.5555





94



Task 1.62

Prepare for multiple context mode. Erase the configurations

on both ASA1 and ASA2. Change ASA2 to routed mode with the

no firewall transparent command. Reload both firewalls.

This is done with the “write erase” command. Reload the

firewall with the “reload” command.

ASA1# write eraseErase configuration in flash memory? [confirm][OK]ASA1# reloadProceed with reload? [confirm]

On ASA 2, be sure to change back to routed mode with “no

firewall transparent”.

ASA2(config)# no firewall transparent

Task 1.63

Configure ASA1 as a multiple context firewall. Once it

reboots configure the hostname to ASA.

The firewall mode is changed from single context to

multiple context with the “mode” command. After the reboot

you’ll be in the system execution space. You’ll notice that

many of the standard ASA commands are no longer available.

This is because the system execution space is primarily

used for configuring resources that will be used by the





95



contexts. The actual firewall configuration that we are use

to will be done later within the contexts themselves.

ciscoasa(config)# mode multipleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm]Convert the system configuration? [confirm]Security context mode: multiple

After the reboot we’ll name the firewall ASA.

ciscoasa(config)# hostname ASAASA(config)#

Task 1.64

Setup interfaces for future contexts. Interfaces should use

unique mac addresses. Create interface e0/1.11 and set it

to vlan 11. Create interface e0/1.22 and set it to vlan 22.

Enable interfaces e0/0, e0/1 and e0/2.

Unique mac addresses can be configured with the “mac-

address auto” command.

ASA(config)# mac-address auto

We’ve created sub-interfaces on previous configurations and

the commands are the same.

ASA(config)# int e0/1.11ASA(config-subif)# vlan 11





96



ASA(config-subif)# int e0/1.22ASA(config-subif)# vlan 22

Interfaces are enabled with the “no shut” command

ASA(config)# int e0/0ASA(config-if)# no shutASA(config-if)# int e0/1ASA(config-if)# no shutASA(config-if)# int e0/2ASA(config-if)# no shut

Task 1.65

Delete any existing .cfg files. Create the admin context.

Assign it interface e0/2. Set the config to disk0:

Before creating contexts it’s a good idea to remove any

existing configuration files that might be on your ASA.

This is done with the “delete” command.

ASA1# delete *.cfg

Delete filename [*.cfg]?

Delete disk0:/old_running.cfg? [confirm]

Delete disk0:/c1.cfg? [confirm]

Delete disk0:/c2.cfg? [confirm]

Delete disk0:/admin.cfg? [confirm]

The admin context is used for firewall and context

management, sending system related logs, etc… To create it,

use the “admin-context” command. Like other contexts, you

can configure it with the context command.

ASA1(config)# admin-context adminASA1(config)# context admin





97



Interfaces are added to a context with the “allocate-

interface” command.

ASA(config-ctx)# allocate-interface e0/2

The configuration file for the context is set with the

“config-url” command. If the file doesn’t already exist, it

will be created. Note the .cfg which indicates a

configuration file.

ASA(config-ctx)# config-url disk0:admin.cfgINFO: Converting disk0:admin.cfg to disk0:/admin.cfg

WARNING: Could not fetch the URL disk0:/admin.cfgINFO: Creating context with default configINFO: Admin context will take some time to come up .... pleasewait.

Task 1.66



The configuration of context c1 is very similar to the

admin context. We will create the context, allocate

interfaces to it and set a configuration file location.

ASA(config)# context c1Creating context 'c1'... Done. (2)ASA(config-ctx)# allocate-interface e0/0ASA(config-ctx)# allocate-interface e0/1.11ASA(config-ctx)# config-url disk0:c1.cfg





98



INFO: Converting disk0:c1.cfg to disk0:/c1.cfg

WARNING: Could not fetch the URL disk0:/c1.cfgINFO: Creating context with default config

Task 1.67



Context c2 is setup very similar to context c1. Notice that

contexts c1 and c2 are sharing interface e0/0. This is

acceptable because the ASA will assign packets to the

appropriate context based on a variety of criteria such as

source and destination IP, VLAN, etc….

ASA(config)# context c2Creating context 'c2'... Done. (3)ASA(config-ctx)# allocate-interface e0/0ASA(config-ctx)# allocate-interface e0/1.22ASA(config-ctx)# config-url disk0:c2.cfgINFO: Converting disk0:c2.cfg to disk0:/c2.cfg

WARNING: Could not fetch the URL disk0:/c2.cfgINFO: Creating context with default config

Task 1.68

Switch to the admin context and setup interface e0/2 as

inside with ip 192.168.2.200/24. Allow the ACS server SSH

access to this context. Verify connectivity to the ACS

server.





99



You can move to context configuration mode with the

“changeto context” command. In this case we’ll change to

the context admin and enter the listed configuration.

Inside the context, configuration is treated just as if you

were on a physical firewall.

ASA(config)# changeto context adminASA/admin(config)# int e0/2ASA/admin(config-if)# nameif insideINFO: Security level for "inside" set to 100 by default.ASA/admin(config-if)# ip address 192.168.2.200 255.255.255.0

SSH access is granted with the ssh command. Notice that we

generated a crypto key and configured the ACS server with a

32 bit mask using the “inside” option.

ASA1/admin(config)# crypto key generate rsa modulus 1024

ASA/admin(config)# ssh 192.168.2.101 255.255.255.255 inside

We can verify connectivity to the ACS server with a ping.

ASA/admin(config)# ping 192.168.2.101Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.168.2.101, timeout is 2seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/1/1 ms

Task 1.69







100



address 172.16.11.100/24. Add ICMP inspection to the global

policy-map and test connectivity by pinging from R2 to R1.

Switch to context c1 with the “changeto” command and enter

the required interface configurations.

ASA/admin(config)# changeto context c1ASA/c1(config)# int e0/0ASA/c1(config-if)# nameif outsideINFO: Security level for "outside" set to 0 by default.ASA/c1(config-if)# ip address 24.234.0.100 255.255.255.0ASA/c1(config-if)# int e0/1.11ASA/c1(config-if)# nameif insideINFO: Security level for "inside" set to 100 by default.ASA/c1(config-if)# ip address 172.16.11.100 255.255.255.0

You should already be familiar with adding ICMP inspect to

the global policy-map.

ASA/c1(config)# policy-map global_policyASA/c1(config-pmap)# class inspection_defaultASA/c1(config-pmap-c)# inspect icmp

The final step is to test your configuration by pinging

from R2 to R1. This lets you know that your first context

is operational.

R2#ping 24.234.0.1






101



Task 1.70



address 172.16.22.100/24. NAT the inside network to the

outside interface address and require a NAT translation for

traffic passing through the firewall. Verify connectivity

with telnet from R3 to R1.

The first part of this context’s configuration is very

similar to c1. We change to the context and setup the

interfaces.

ASA/c1(config)# changeto context c2ASA/c2(config)# int e0/0ASA/c2(config-if)# nameif outsideINFO: Security level for "outside" set to 0 by default..ASA/c2(config-if)# ip address 24.234.0.200 255.255.255.0ASA/c2(config-if)# int e0/1.22ASA/c2(config-if)# nameif insideINFO: Security level for "inside" set to 100 by defaultASA/c2(config-if)# ip address 172.16.22.100 255.255.255.0

Now we have to configure PAT, with nat for the inside

network and global for the outside interface. Don’t forget

nat-control to require a translation.

ASA/c2(config)# nat (inside) 1 172.16.22.0 255.255.255.0ASA/c2(config)# global (outside) 1 interfaceINFO: outside interface address added to PAT poolASA/c2(config)# nat-control





102



Our connectivity test is done with telnet instead of ping.

The telnet is successful although we can’t log in. We now

have two virtual firewalls with different policies running

on a single physical ASA.

R3#telnet 24.234.0.1Trying 24.234.0.1 ... Open

R1#

Task 1.71

Switch back to the system and set the maximum number of

allowed connections for c1 to 200 and the maximum number of

connections for c2 to 100. Set the maximum number of SSH

connections to the admin context to 5.

Change to the system with the “changeto system” command.

Limits to individual contexts are set by defining a class

with the “class” command. This should not be confused with

a class-map. The limits are set with the “limit-resource”

command. Each class can have multiple limit-resource

entries although we’ve only used one per context in our

example. Once the class is created, configure each context

to join the proper class with the member command.

ASA(config)# class c1ASA(config-class)# limit-resource conns 200ASA(config-class)# context c1ASA(config-ctx)# member c1

ASA(config)# class c2





103



ASA(config-class)# limit-resource conns 100ASA(config-class)# context c2ASA(config-ctx)# member c2

ASA(config)# class adminASA(config-class)# limit-resource ssh 5ASA(config-class)# context adminASA(config-ctx)# member admin

Task 1.72

Prepare for active/standby failover with ASA2. Set ASA1 as

the primary failover unit. Set the failover interface to

E0/3 and name it failover. Set the failover IP address to

10.1.1.1/24 and the standby to 10.1.1.11. Bring up the

failover interface and enable failover.

Failover configuration is done from the system, not the

contexts. From the system, use the “failover lan unit”

command to set the firewall to either primary or secondary.

Name and set the interface to be used with “failover lan

interface” command. Finally, set the IP with the “failover

interface ip” command. Notice the standby IP is set here as

well.

ASA(config)# failover lan unit primaryASA(config-if)# failover lan interface failover e0/3INFO: Non-failover interface config is cleared on Ethernet0/3and its sub-interfacesASA(config)# failover interface ip failover 10.1.1.1255.255.255.0 standby 10.1.1.11





104



Bring up the interface with no shut and enable failover

with “failover”.

ASA(config)# int e0/3ASA(config-if)# no shutASA(config)# failover

Task 1.73

Prepare ASA2 for failover. Ensure that it is in multiple

mode. Set the failover interface to e0/3 and name it

failover. Set the failover IP address to 10.1.1.1 and the

standby to 10.1.1.11. Bring up the failover interface and

enable failover.

For failover to function, both firewalls must be in the

same mode. Change ASA2 to multiple mode with the “mode

multiple” command. This will require a reboot.

ciscoasa(config)# mode multipleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm]Convert the system configuration? [confirm]

Failover configuration for the secondary unit is almost

identical to the primary. First set the unit as secondary.

Then configure and name interface e0/3 with failover LAN

interface. Set failover interface IP with the same IP and

standby address as ASA1. Issue a “no shut” command on the





105



failover interface and then enable failover with the

“failover” command.

ciscoasa(config)# failover lan unit secondaryciscoasa(config)# failover lan interface failover e0/3INFO: Non-failover interface config is cleared on Ethernet0/3and its sub-interfacesciscoasa(config)# failover interface ip failover 10.1.1.1255.255.255.0 standby 10.1.1.11ciscoasa(config)# int e0/3ciscoasa(config-if)# no shutciscoasa(config)# failover

Task 1.74

Configure SW2 so that fa0/17 and fa0/23 are both on VLAN

66. This will be the failover VLAN.

These are simple switchport configuration commands. The

failover VLAN should be isolated from any other network

traffic. Once this configuration is complete, your failover

replication should complete shortly.

SW2(config)#int fa0/17SW2(config-if)#sw mode accessSW2(config-if)#sw access vlan 66SW2(config-if)#int fa0/23SW2(config-if)#sw mode accessSW2(config-if)# sw access vlan 66

Task 1.75

Verify that unit failover configuration is operational.





106



Failover can be verified with the “show failover” command.

This is the output for ASA1. Notice that this host is

listed as Primary – Active and the other host as Secondary

– Standby Ready. Also notice that stateful failover is not

enabled. We’ll address this in the next section.

ASA# show failoverFailover OnFailover unit PrimaryFailover LAN Interface: failover Ethernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 15 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy 1Monitored Interfaces 3 of 250 maximumVersion: Ours 8.0(4), Mate 8.0(4)Last Failover at: 14:11:11 UTC Feb 26 2009 This host: Primary - Active Active time: 1521 (sec) slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status(Up Sys) admin Interface inside (192.168.2.200): LinkDown (Waiting) c1 Interface outside (24.234.0.100): Normal(Waiting) c1 Interface inside (172.16.11.100): Normal(Not-Monitored) c2 Interface outside (24.234.0.200): Normal(Waiting) c2 Interface inside (172.16.22.100): Normal(Not-Monitored) slot 1: empty Other host: Secondary - Standby Ready Active time: 0 (sec) slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status(Up Sys) admin Interface inside (0.0.0.0): Link Down(Waiting) c1 Interface outside (0.0.0.0): Normal(Waiting)





107



c1 Interface inside (0.0.0.0): Normal (Not-Monitored) c2 Interface outside (0.0.0.0): Normal(Waiting) c2 Interface inside (0.0.0.0): Normal (Not-Monitored) slot 1: empty

Stateful Failover Logical Update Statistics Link : Unconfigured.

Task 1.76

Configure the firewall pair to use stateful failover.

Verify that state information is replicating to the

secondary unit.

Stateful failover allows for all state information to be

transmitted to the standby unit. This is configured with

the “failover link” command on the primary unit.

ASA(config)# failover link failover e0/3

Verify this is working with show failover. You’ll see the

additional state information at the bottom of the output.

ASA(config)# show failoverStateful Failover Logical Update Statistics Link : failover Ethernet0/3 (up) Stateful Obj xmit xerr rcv rerr General 51 0 46 0 sys cmd 46 0 46 0 up time 0 0 0 0





108



RPC services 0 0 0 0 TCP conn 0 0 0 0 UDP conn 0 0 0 0 ARP tbl 5 0 0 0 Xlate_Timeout 0 0 0 0 SIP Session 0 0 0 0

Logical Update Queue Information Cur Max Total Recv Q: 0 1 46 Xmit Q: 0 1 51

Task 1.77

Configure the firewall to monitor all of the interfaces for

c1 and c2. Configure a standby IP address on each

interface. This IP should be the primary +10. If one of

these interfaces fails, the unit should failover. Set the

interface polltime to 500 milliseconds. Set the unit

polltime to 500 milliseconds.

Interface monitoring is setup in the individual security

contexts. So you’ll need to change to each context and set

monitoring with the “monitor-interface <interface>”

command. To setup the standby IP re-enter the interface IP

address with the “standby” option.

ASA(config)# changeto context c1ASA/c1(config)# monitor-interface insideASA/c1(config)# monitor-interface outsideASA/c1(config)# int e0/0ASA/c1(config-if)# ip address 24.234.0.100 255.255.255.0 standby24.234.0.110ASA/c1(config-if)# int e0/1.11





109



ASA/c1(config-if)# ip address 172.16.11.100 255.255.255.0standby 172.16.11.110

ASA/c1(config)# changeto context c2ASA/c2(config)# monitor-interface insideASA/c2(config)# monitor-interface outsideASA/c2(config-if)# ip address 24.234.0.200 255.255.255.0 standby24.234.0.210ASA/c2(config-if)# int e0/1.22ASA/c2(config-if)# ip address 172.16.22.100 255.255.255.0standby 172.16.22.110

To set the interface polltime, change back to the system

and use the command “failover polltime” interface. Unit

polltime is set with “failover polltime unit”.

ASA/c2(config)# changeto systemASA(config)# failover polltime interface msec 500INFO: Failover interface holdtime is set to 5 secondsASA(config)# failover polltime unit msec 500INFO: Failover unit holdtime is set to 2 seconds

Task 1.78

In addition to normal state information, replicate http

state information.

HTTP state information is not normally included since these

connections are short lived and commonly retried. To enable

http replication, use the “failover replication http”

command.

ASA(config)# failover replication http





110



Task 1.79

Prepare for load balancing. Disable failover on both ASA1

and ASA2. Configure ASA1 to be the primary for c1 and

secondary for c2. Ensure that both ASAs will always take

over as active for the context they are primary for.

Disable failover with the “no failover” command. This only

has to be done on ASA1.

ASA(config)# no failover

To setupload balancing you must configure failover groups

and then join contexts to those groups. To configure the

failover groups, use the command “failover group”. Notice

that for failover group 1 we set this firewall as the

primary. We also setup both groups to preempt, which means

the ASA will take over the active state for its group when

it comes up.

ASA(config)# failover group 1ASA(config-fover-group)# primaryASA(config-fover-group)# preempt

ASA(config)# failover group 2ASA(config-fover-group)# secondaryASA(config-fover-group)# preempt

With the failover groups created, we have to join the

contexts to their respective groups. This is done with the

“join failover-group” command.





111



ASA(config)# context c1ASA(config-ctx)# join-failover-group 1ASA(config-ctx)# context c2ASA(config-ctx)# join-failover-group 2

Task 1.80

Enable failover and verify that active/active is working

properly.

Enable failover with the “failover” command on ASA1.

ASA(config)# failover

Verify the configuration with “show failover”. You’ll

notice that this firewall is active for group 1 and standby

for group 2. Just below that you’ll see the interface IP

addresses for c1 but not for c2. This is because the other

firewall is currently handling the traffic for c2.

ASA(config)# show failoverFailover OnFailover unit PrimaryFailover LAN Interface: failover Ethernet0/3 (up)Unit Poll frequency 500 milliseconds, holdtime 2 secondsInterface Poll frequency 500 milliseconds, holdtime 5 secondsInterface Policy 1Monitored Interfaces 5 of 250 maximumfailover replication httpVersion: Ours 8.0(4), Mate 8.0(4)Group 1 last failover at: 15:57:37 UTC Feb 26 2009Group 2 last failover at: 15:57:36 UTC Feb 26 2009

This host: Primary Group 1 State: Active Active time: 1118 (sec)





112



Group 2 State: Standby Ready Active time: 97 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status(Up Sys) admin Interface inside (192.168.2.200): LinkDown (Waiting) c1 Interface outside (24.234.0.100): Normal(Waiting) c1 Interface inside (172.16.11.100): Normal(Waiting) c2 Interface outside (24.234.0.210): Normal(Waiting) c2 Interface inside (172.16.22.110): Normal(Waiting) slot 1: empty

Other host: Secondary Group 1 State: Standby Ready Active time: 107 (sec) Group 2 State: Active Active time: 1036 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status(Up Sys) admin Interface inside (0.0.0.0): Link Down(Waiting) c1 Interface outside (24.234.0.110): Normal(Waiting) c1 Interface inside (172.16.11.110): Normal(Waiting) c2 Interface outside (24.234.0.200): Normal(Waiting) c2 Interface inside (172.16.22.100): Normal(Waiting) slot 1: empty

Stateful Failover Logical Update Statistics Link : failover Ethernet0/3 (up) Stateful Obj xmit xerr rcv rerr General 419 0 407 0 sys cmd 410 0 407 0 up time 0 0 0 0





113



RPC services 0 0 0 0 TCP conn 0 0 0 0 UDP conn 0 0 0 0 ARP tbl 9 0 0 0 Xlate_Timeout 0 0 0 0 SIP Session 0 0 0 0

Logical Update Queue Information Cur Max Total Recv Q: 0 1 408 Xmit Q: 0 1 420

Task 1.81

Final verification involves testing failover. Telnet from

R2 to R1 and enter the password of “cisco”. Leave the

session up. On SW1, shutdown port fa0/12. Verify that your

telnet session has remained connected. Verify failover.

For this final test, telnet from R2 to R1 using the

password “cisco”.


R1#

Now, shutdown port fa0/12 on sw1. This connects to the e0/0

interface of ASA1 and will cause an interface failure.

Verify that your telnet session is still connected by

hitting enter a few times.

R1#R1#R1#





114



Finally, do a “show failover” on ASA2 to make sure it is

active for both failover groups.

ASA(config)# show failoverFailover OnFailover unit SecondaryFailover LAN Interface: failover Ethernet0/3 (up)Unit Poll frequency 500 milliseconds, holdtime 2 secondsInterface Poll frequency 500 milliseconds, holdtime 5 secondsInterface Policy 1Monitored Interfaces 5 of 250 maximumfailover replication httpVersion: Ours 8.0(4), Mate 8.0(4)Group 1 last failover at: 16:06:03 UTC Feb 26 2009Group 2 last failover at: 15:57:34 UTC Feb 26 2009

This host: Secondary Group 1 State: Active Active time: 444 (sec) Group 2 State: Active Active time: 1789 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status(Up Sys) admin Interface inside (192.168.2.200): LinkDown (Waiting) c1 Interface outside (24.234.0.100): Normal(Waiting) c1 Interface inside (172.16.11.100): Normal(Waiting) c2 Interface outside (24.234.0.200): Normal(Waiting) c2 Interface inside (172.16.22.100): Normal(Waiting) slot 1: empty





115







116







117








118



ACS

.101

R5

IOS Firewall Technology Diagram

VLAN 1224.234.12.0 /24

Frame Relay24.234.245.0 /24

VLAN 192192.168.0.0 /16

VLAN 3624.234.36.0 /24

VLAN 624.234.6.0 /24

VLAN 524.234.5.0 /24

VLAN 424.234.4.0 /24

R2VLAN 23

24.234.23.0 /24

R1

R3

R4

R5

R6

F0/0

F0/0

F0/1

F0/1

S0/0/0

S0/0/0

F0/0

F0/1

S0/0/0 F0/1

F0/0

F0/0

F0/0

EIGRP 1

RIP v2





119








120











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





121








122











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





123



Task 2.1

Configure R3 so that interface F0/0 is trusted and

interface F0/1 is untrusted. Allow TCP, UDP, and ICMP

returning traffic. Allow telnet sessions from

FastEthernet0/0 of R6. R3 and R6 should continue to

exchange routing information.

Task 2.2

Configure R3 to log all dropped packets to the local buffer

and to the syslog server at 192.168.2.101.

Task 2.3

Configure R3 to log the total number of bytes transmitted

over TCP sessions.

Task 2.4

Configure R3 so that it will start dropping incomplete TCP

sessions after the number of existing half-open sessions

rises above 600. It should stop dropping incomplete TCP

sessions when the number of existing half-open sessions

falls below 300. Set it to start dropping incomplete TCP


rises above 400 within a minute. It should stop dropping

incomplete TCP sessions when the number of existing half-

open sessions falls below 200 incomplete within a minute.





124



Task 2.5

Configure R3 to drop TCP sessions if they are not

established within 20 seconds. After completion, TCP

sessions should only be managed for 4 seconds.

Task 2.6

Configure R3 to drop TCP sessions after 30 minutes of

inactivity and UDP sessions after 15 seconds of inactivity.

Drop DNS name lookup sessions after 4 seconds.

Task 2.7

Configure R3 to only allow 25 half-open TCP connections to

the same host. If this is exceeded, delete all existing

half-open sessions for the host and block all new

connection requests to the host for 10 minutes.

Task 2.8

Configure R3 to only allow java responses from webserver

24.234.36.6.

Task 2.9

Configure R3 to inspect all TCP, UDP and ICMP traffic

originating from the router.

Task 2.10

Improve the performance of CBAC on R3 by increasing the

inspect hash table size to 2048.





125



Task 2.11

Configure R3 to inspect fragmented packets, with a maximum

of 30 unassembled packets.

Task 2.12

Configure R3 to inspect http traffic on port 8000 in

addition to the default port. Also inspect port 2121 for

ftp traffic if it is destined for 24.234.6.6.

Task 2.13

Configure FastEthernet0/1 on R3 to re-assemble fragments

for inspection. The maximum number of IP data grams to be

reassembled is 50, and should be completed within 10

seconds.

Task 2.14

Configure R3 so that IM applications running over http are

dropped.





126



Task 2.15

Setup the following security zones on R2: (1) PRIVATE (2)

PUBLIC.

Task 2.16

Setup a zone pair to allow traffic from the PRIVATE zone to

the PUBLIC zone.

Task 2.17

Configure a class-map that should identify all TCP and UDP

traffic.

Task 2.18

Configure a policy-map to inspect the class map created

above.

Task 2.19

Apply the policy-map to the zone pair for private to

public.

Task 2.20

Assign interface FastEthernet0/0 and FastEthernet0/1 to the

PRIVATE zone and interface Serial0/0/0 to the PUBLIC zone.





127



Task 2.21

Configure R2 the inspect parameters listed below. This

parameter map should be applied to the existing class for

TCP and UDP traffic.

Alerting should be on

Auditing should be on

DNS timeout should be set to 4 seconds

Drop existing half-open sessions when the number rises

above 1000. Stop dropping existing half-open sessions

when the number falls below 800. Drop existing half-

open sessions when the number rises above 700 within a

minute, and stop dropping existing half-open sessions

when the number falls below 500 within a minute.

Allow a maximum of 3000 sessions

Each host can have a maximum of 25 existing half-open

sessions. When this is exceeded, all existing half-

open sessions should be deleted and blocked for 10

minutes.

Manage TCP sessions for only 5 seconds after they have

finished.

Delete TCP sessions after 30 minutes of inactivity.

Delete TCP sessions if not fully established within 20

seconds.

Delete UDP sessions after 20 seconds of inactivity.





128



Task 2.22

Rate limit ICMP traffic from the PRIVATE zone to the PUBLIC

zone to 8000 bps with a burst of 2000 bytes.

Task 2.23

Drop all P2P (KaZaA, Morpheus, Grokster) traffic and AOL

and Yahoo IM traffic from the PRIVATE zone to the PUBLIC

zone.





129



Task 2.24

Configure R1 to authenticate the ACS Server via HTTP before

allowing the ACS Server to browse to R2. Use a local user

with username “authproxyuser” and password “cisco” to do

this.

Task 2.25

Configure R1 with a login banner for Authentication Proxy

that states “Unauthorized access is prohibited”.

Task 2.26

Configure R1 so that user authentication entries are

removed after 30 minutes of inactivity. Configure R1 so

that the absolute time is 30 minutes. The maximum number

of retries should be set to 5.

Task 2.27

Configure R1 so that it only requires authentication if the

ACS Server is attempting to HTTP to R2’s loopback 0 address

(2.2.2.2).





130



(Reload startup config for R2 and R3)

Task 2.28

Configure R2 to deny any IP connectivity from behind

FastEthernet0/0 to the rest of the network. In order for

anyone behind FastEthernet0/0 to have IP connectivity to

the rest of the network, they must authenticate to R2 with

the username “locknkey” and password “cisco”. Idle time

should be 2 minutes minimum. Ensure that EIGRP is not

interrupted.

Task 2.29

Modify the configuration of R2 to enable per-host access

only.

Task 2.30

Configure R3 so that all TCP, UDP, and ICMP traffic

initiated from behind FastEthernet0/0 is automatically

allowed to return. Permit FastEthernet0/0 on R6 to initiate

telnet sessions to the 24.234.0.0 network. Ensure that

routing information is not interrupted. Log any denied

packets to the local buffer. Do not use CBAC to accomplish

this.





131



Task 2.31

Configure R2 s0/0/0 so that ICMP from R5 s0/0/0 is denied

access to the rest of the network from 2am to 4am. Also,

deny all non-initial fragments inbound on FastEthernet0/0.

All other traffic should be allowed at all times.

Task 2.1

Configure R3 so that interface F0/0 is trusted and

interface F0/1 is untrusted. Allow TCP, UDP, and ICMP

returning traffic. Allow telnet sessions from

FastEthernet0/0 of R6. R3 and R6 should continue to

exchange routing information.

This is done with CBAC. An ACL is used to block most

incoming traffic on the untrusted interface. The “ip

inspect” command allows for specific traffic to be

statefully inspected and return traffic allowed through the

ACL.





132



The inspect rule can be configured either inbound on

FastEthernet0/0 or outbound on FastEthernet0/1. Enabling it

outbound on FastEthernet0/1 allows for multiple trusted

interfaces.

R3#configure terminalR3(config)#ip inspect name CBAC tcpR3(config)#ip inspect name CBAC udpR3(config)#ip inspect name CBAC icmp

R3(config)#ip access-list extended CBAC_ACLR3(config-ext-nacl)#permit tcp host 24.234.36.6 any eq 23R3(config-ext-nacl)#permit udp host 24.234.36.6 host 224.0.0.9eq 520

R3(config)#interface FastEthernet0/1R3(config-if)#ip inspect CBAC outR3(config-if)#ip access-group CBAC_ACL in

You can verify the configuration with “show ip inspect

all”.

R3#sh ip inspect allSession audit trail is disabledSession alert is enabledone-minute (sampling period) thresholds are [400:500]connectionsmax-incomplete sessions thresholds are [400:500]max-incomplete tcp connections per host is 50. Block-time 0minute.tcp synwait-time is 30 sec -- tcp finwait-time is 5 sectcp idle-time is 3600 sec -- udp idle-time is 30 secdns-timeout is 5 secInspection Rule Configuration Inspection name CBAC tcp alert is on audit-trail is off timeout 3600 udp alert is on audit-trail is off timeout 30 icmp alert is on audit-trail is off timeout 10





133



Interface Configuration Interface FastEthernet0/1 Inbound inspection rule is not set Outgoing inspection rule is CBAC tcp alert is on audit-trail is off timeout 3600 udp alert is on audit-trail is off timeout 30 icmp alert is on audit-trail is off timeout 10 Inbound access list is CBAC_ACL Outgoing access list is not set

You can further verify with ICMP. R1 can ping R6, but pings

initiated from R6 fail.

R1#ping 24.234.36.6


R6#ping 24.234.12.1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 24.234.12.1, timeout is 2seconds:U.U.USuccess rate is 0 percent (0/5)

R3 shows the established icmp session from R1 to R6.

R3#show ip inspect sessions detailEstablished Sessions Session 46A16EA4 (24.234.12.1:8)=>(24.234.36.6:0) icmp SIS_OPEN Created 00:00:08, Last heard 00:00:08 ECHO request Bytes sent (initiator:responder) [360:360]





134



In SID 24.234.36.6[0:0]=>24.234.12.1[0:0] on ACL CBAC_ACL (5matches) In SID 0.0.0.0[0:0]=>24.234.12.1[3:3] on ACL CBAC_ACL In SID 0.0.0.0[0:0]=>24.234.12.1[11:11] on ACL CBAC_ACL

R3 continues to learn the 24.234.6.0 network (VLAN 6) via

RIP.

R3#sh ip route 24.234.6.0Routing entry for 24.234.6.0/24 Known via "rip", distance 120, metric 1 Redistributing via eigrp 1, rip Advertised by eigrp 1 metric 1000 1 255 1 1500 Last update from 24.234.36.6 on FastEthernet0/1, 00:00:04 ago Routing Descriptor Blocks: * 24.234.36.6, from 24.234.36.6, 00:00:04 ago, viaFastEthernet0/1 Route metric is 1, traffic share count is 1

Task 2.2

Configure R3 to log all dropped packets to the local buffer

and to the syslog server at 192.168.2.101.

This is done with the “logging” command. The “buffered”

keyword sends logs to the local buffer and the “host”

keyword followed by an IP sends logs to an external host,

in this case the ACS server.

R3(config)#logging bufferedR3(config)#logging host 192.168.2.101

R3(config)#ip access-list extended CBAC_ACLR3(config-ext-nacl)#deny ip any any log





135



To verify, open the kiwi syslog server on the ACS. Ping

from R6 to R2. The ping will fail.

R6#ping 24.234.23.2


R3’s local buffer shows the denied packet.

R3#sh loggingSyslog logging: enabled (11 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filteringdisabled) Console logging: level debugging, 59 messages logged, xmldisabled, filtering disabled Monitor logging: level debugging, 0 messages logged, xmldisabled, filtering disabled Buffer logging: level debugging, 3 messages logged, xmldisabled, filtering disabled Logging Exception size (4096 bytes) Count and timestamp logging messages: disabled

No active filter modules.

Trap logging: level informational, 55 message lines logged Logging to 192.168.2.101 (udp port 514, audit disabled,link up), 3 message lines logged, xml disabled, filtering disabled

Log Buffer (4096 bytes):





136



*Mar 11 16:27:10.447: %SYS-5-CONFIG_I: Configured from consoleby console*Mar 11 16:27:13.039: %SYS-6-LOGGINGHOST_STARTSTOP: Logging tohost 192.168.2.101 started - CLI initiated*Mar 11 16:28:07.927: %SEC-6-IPACCESSLOGDP: list CBAC_ACL deniedicmp 24.234.36.6 -> 24.234.23.2 (8/0), 1 packet

The Kiwi Syslog server shows the denied packet.

Task 2.3

Configure R3 to log the total number of bytes transmitted

over TCP sessions.

The audit trail feature tracks all network transactions,

recording information such as source/destination host





137



addresses, ports used, and the total number of transmitted

bytes with time stamps. By default, audit-trail is off.

R3(config)#ip inspect name CBAC tcp audit-trail on

Verify by launching a telnet session from R2 to R6, then

exit.


User Access Verification

Password:R6#exit

[Connection to 24.234.36.6 closed by foreign host]R2#

R3 shows the audit trail starting and stopping for the telnetsession from R2 to R6.

R3#sh loggingSyslog logging: enabled (11 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filteringdisabled) Console logging: level debugging, 63 messages logged, xmldisabled, filtering disabled Monitor logging: level debugging, 0 messages logged, xmldisabled, filtering disabled Buffer logging: level debugging, 7 messages logged, xmldisabled, filtering disabled Logging Exception size (4096 bytes) Count and timestamp logging messages: disabled





138




Trap logging: level informational, 59 message lines logged Logging to 192.168.2.101 (udp port 514, audit disabled,link up), 7 message lines logged, xml disabled, filtering disabled

Log Buffer (4096 bytes):

*Mar 11 16:33:39.123: %SEC-6-IPACCESSLOGDP: list CBAC_ACL deniedicmp 24.234.36.6 -> 24.234.23.2 (8/0), 19 packets*Mar 11 16:39:17.643: %SYS-5-CONFIG_I: Configured from consoleby console*Mar 11 16:39:56.139: %FW-6-SESS_AUDIT_TRAIL_START: Start tcpsession: initiator (24.234.23.2:16071) -- responder(24.234.36.6:23)*Mar 11 16:40:04.499: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session:initiator (24.234.23.2:16071) sent 43 bytes -- responder(24.234.36.6:23) sent 86 bytes

The Kiwi Syslog server also shows the audit trail starting

and stopping for the telnet session from R2 to R6.

Task 2.4





139



Configure R3 so that it will start dropping incomplete TCP

sessions after the number of existing half-open sessions

rises above 600. It should stop dropping incomplete TCP


falls below 300. Set it to start dropping incomplete TCP


rises above 400 within a minute. It should stop dropping

incomplete TCP sessions when the number of existing half-

open sessions falls below 200 incomplete within a minute.

This is done with the “ip inspect max-incomplete” and “ip

inspect one-minute commands.” Aggressive behavior (dropping

sessions) begins when the number of existing half-open

sessions rises above the high threshold value, and ends

when the number of existing half-open sessions falls below

the low threshold value.

R3(config)#ip inspect max-incomplete high 600R3(config)#ip inspect max-incomplete low 300R3(config)#ip inspect one-minute high 400R3(config)#ip inspect one-minute low 200

The max-incomplete and one-minute thresholds have been

changed.

R3#show ip inspect configSession audit trail is disabledSession alert is enabledone-minute (sampling period) thresholds are [200:400]connectionsmax-incomplete sessions thresholds are [300:600]max-incomplete tcp connections per host is 50. Block-time 0minute.





140



tcp synwait-time is 30 sec -- tcp finwait-time is 5 sectcp idle-time is 3600 sec -- udp idle-time is 30 secdns-timeout is 5 secInspection Rule Configuration Inspection name CBAC tcp alert is on audit-trail is on timeout 3600 udp alert is on audit-trail is off timeout 30 icmp alert is on audit-trail is off timeout 10

Task 2.5

Configure R3 to drop TCP sessions if they are not

established within 20 seconds. After completion, TCP

sessions should only be managed for 4 seconds.

By default, CBAC waits 30 seconds for TCP sessions to

establish and will manage TCP sessions for 5 seconds after

they are completed. This behavior can be changed with the

IP inspect using the TCP “synwait-time” and “finwait-time”

keywords.

R3(config)#ip inspect tcp synwait-time 20R3(config)#ip inspect tcp finwait-time 4

The TCP “snywait-time” and “finwait-time” timers have been

changed.

R3#show ip inspect configSession audit trail is disabledSession alert is enabledone-minute (sampling period) thresholds are [200:400]connectionsmax-incomplete sessions thresholds are [300:600]





141



max-incomplete tcp connections per host is 50. Block-time 0minute.tcp synwait-time is 20 sec -- tcp finwait-time is 4 sectcp idle-time is 3600 sec -- udp idle-time is 30 secdns-timeout is 5 secInspection Rule Configuration Inspection name CBAC tcp alert is on audit-trail is on timeout 3600 udp alert is on audit-trail is off timeout 30 icmp alert is on audit-trail is off timeout 10





142



Task 2.6

Configure R3 to drop TCP sessions after 30 minutes of

inactivity and UDP sessions after 15 seconds of inactivity.

Drop DNS name lookup sessions after 4 seconds.

The TCP and UDP idle timers are measured in seconds. The

default idle time for TCP is 3600 seconds (1 hour) and for

UDP, 30 seconds. The DNS timer is measured in seconds and

the default DNS name lookup timeout is 5 seconds. These can

all be changed using IP inspect with the “idle-time” and

“dns-timeout” keywords.

R3(config)#ip inspect tcp idle-time 1800R3(config)#ip inspect udp idle-time 15R3(config)#ip inspect dns-timeout 4

Verify with the “show ip inspect config” command.

R3#show ip inspect configSession audit trail is disabledSession alert is enabledone-minute (sampling period) thresholds are [200:400]connectionsmax-incomplete sessions thresholds are [300:600]max-incomplete tcp connections per host is 50. Block-time 0minute.tcp synwait-time is 20 sec -- tcp finwait-time is 4 sectcp idle-time is 1800 sec -- udp idle-time is 15 secdns-timeout is 4 secInspection Rule Configuration Inspection name CBAC





143



tcp alert is on audit-trail is on timeout 1800 udp alert is on audit-trail is off timeout 15 icmp alert is on audit-trail is off timeout 10





144



Task 2.7

Configure R3 to only allow 25 half-open TCP connections to

the same host. If this is exceeded, delete all existing

half-open sessions for the host and block all new

connection requests to the host for 10 minutes.

This is done with ip inspect using the max-incomplete host

keywords. The default behavior is to allow for 50 tcp

sessions per host. The default block-time is 0 which

deletes the oldest existing half-open session for the host

for every new connection request. When setting a block-time

greater than 0, the router will delete all existing half-

open sessions for the host and then block all new

connection requests. The router will continue to block all

new connection requests to the host until the block-time

expires.

R3(config)#ip inspect tcp max-incomplete host 25 block-time 10


R3#show ip inspect configSession audit trail is disabledSession alert is enabledone-minute (sampling period) thresholds are [200:400]connectionsmax-incomplete sessions thresholds are [300:600]max-incomplete tcp connections per host is 25. Block-time 10minutes.





145



tcp synwait-time is 20 sec -- tcp finwait-time is 4 sectcp idle-time is 1800 sec -- udp idle-time is 15 secdns-timeout is 4 secInspection Rule Configuration Inspection name CBAC tcp alert is on audit-trail is on timeout 1800 udp alert is on audit-trail is off timeout 15 icmp alert is on audit-trail is off timeout 10

Task 2.8

Configure R3 to only allow java responses from webserver

24.234.36.6.

This is accomplished by using IP inspect for http with the

java-list keyword. Java blocking only works with numbered

standard access lists.

R3(config)#access-list 1 permit host 24.234.36.6R3(config)#ip inspect name CBAC http java-list 1


R3#show ip inspect configSession audit trail is disabledSession alert is enabledone-minute (sampling period) thresholds are [200:400]connectionsmax-incomplete sessions thresholds are [300:600]max-incomplete tcp connections per host is 25. Block-time 10minutes.tcp synwait-time is 20 sec -- tcp finwait-time is 4 sectcp idle-time is 1800 sec -- udp idle-time is 15 secdns-timeout is 4 secInspection Rule Configuration





146



Inspection name CBAC tcp alert is on audit-trail is on timeout 1800 udp alert is on audit-trail is off timeout 15 icmp alert is on audit-trail is off timeout 10 http java-list 1 alert is on audit-trail is off timeout 1800

Task 2.9

Configure R3 to inspect all TCP, UDP and ICMP traffic

originating from the router.

To enable Inspection of Router-Generated Traffic, use IP

inspect with the “router-traffic” keyword.

R3(config)#ip inspect name CBAC tcp router-trafficR3(config)#ip inspect name CBAC udp router-trafficR3(config)#ip inspect name CBAC icmp router-traffic


R3#show ip inspect configSession audit trail is disabledSession alert is enabledone-minute (sampling period) thresholds are [200:400]connectionsmax-incomplete sessions thresholds are [300:600]max-incomplete tcp connections per host is 25. Block-time 10minutes.tcp synwait-time is 20 sec -- tcp finwait-time is 4 sectcp idle-time is 1800 sec -- udp idle-time is 15 secdns-timeout is 4 secInspection Rule Configuration Inspection name CBAC tcp alert is on audit-trail is on timeout 1800 inspection of router local traffic is enabled udp alert is on audit-trail is off timeout 15





147



inspection of router local traffic is enabled icmp alert is on audit-trail is off timeout 10inspection of router local traffic is enabled http java-list 1 alert is on audit-trail is off timeout 1800

Telnet from R3 to R6 provides a router generated TCP

session.



Password:*Mar 11 17:20:13.083: %FW-6-SESS_AUDIT_TRAIL_START: Start tcpsession: initiator (24.234.36.3:21825) -- responder(24.234.36.6:23)R6#

Task 2.10

Improve the performance of CBAC on R3 by increasing the

inspect hash table size to 2048.

This is done with the “ip inspect hashtable-size” command.

Increasing the size of the hash table allows the number of

sessions per hash bucket to be reduced which can improve

the throughput performance of CBAC.

R3(config)#ip inspect hashtable-size 2048CBAC: Changing Hashlen from 1024 to 2048





148



Task 2.11

Configure R3 to inspect fragmented packets, with a maximum

of 30 unassembled packets.

This is done with IP inspect and the “fragment maximum”

command.

R3(config)#ip inspect name CBAC fragment maximum 30


R3#show ip inspect configSession audit trail is disabledSession alert is enabledone-minute (sampling period) thresholds are [200:400]connectionsmax-incomplete sessions thresholds are [300:600]max-incomplete tcp connections per host is 25. Block-time 10minutes.tcp synwait-time is 20 sec -- tcp finwait-time is 4 sectcp idle-time is 1800 sec -- udp idle-time is 15 secdns-timeout is 4 secInspection Rule Configuration Inspection name CBAC tcp alert is on audit-trail is on timeout 1800 inspection of router local traffic is enabled udp alert is on audit-trail is off timeout 15 inspection of router local traffic is enabled icmp alert is on audit-trail is off timeout 10 inspection of router local traffic is enabled http java-list 1 alert is on audit-trail is off timeout 1800 fragment Maximum 30 In Use 0 alert is on audit-trail is offtimeout 1





149



Task 2.12

Configure R3 to inspect http traffic on port 8000 in

addition to the default port. Also inspect port 2121 for

ftp traffic if it is destined for 24.234.6.6.

This is accomplished by using PAM (Port to Application

Mapping) via the ip port-map command. PAM allows you to

customize TCP or UDP port numbers for network services or

applications.

R3(config)#ip port-map http port tcp 8000

R3#show ip port-map httpDefault mapping: http tcp port 80system definedDefault mapping: http tcp port 8000user defined

R3(config)#access-list 21 permit 24.234.6.6R3(config)#ip port-map ftp port 2121 list 21

R3#show ip port-map ftpDefault mapping: ftp tcp port 21system definedHost specific: ftp tcp port 2121in list 21 user defined

Task 2.13





150



Configure FastEthernet0/1 on R3 to re-assemble fragments

for inspection. The maximum number of IP data grams to be

reassembled is 50, and should be completed within 10

seconds.

We’ll be using virtual fragmentation reassembly (VFR) to

allow the firewall to assemble fragments before inspection.

This is done with the “ip virtual-reassembly” command. It

is configured per-interface.

R3(config)#int f0/1R3(config-if)#ip virtual-reassembly max-fragments 50 timeout 10

Task 2.14

Configure R3 so that IM applications running over http are

dropped.

The application firewall allows the router to perform

limited deep packet inspection of instant messenger

traffic. In this case we’re using it to detect and block IM

over http.

R3(config)#appfw policy-name IMR3(cfg-appfw-policy)#application httpR3(cfg-appfw-policy-http)#port-misuse im action reset

R3(config)#ip inspect name CBAC appfw IM

Verify with the “show appfw configuration” command.





151



R3#show appfw configurationApplication Firewall Rule configuration Application Policy name IM Application http port-misuse im action reset

Task 2.15

Setup the following security zones on R2: (1) PRIVATE (2)

PUBLIC.

The first step in a zone based firewall is configuring the

zones. A security zone is a logical group of interface(s)

to which a policy can be applied.

R2(config)#zone security PRIVATER2(config-sec-zone)#description Inside NetworksR2(config-sec-zone)#exit

R2(config)#zone security PUBLICR2(config-sec-zone)#description Outside networksR2(config-sec-zone)#exit

Task 2.16

Setup a zone pair to allow traffic from the PRIVATE zone to

the PUBLIC zone.





152



A zone-pair allows you to specify a one way firewall policy

between two security zones. It is configured with the zone-

pair security command. The direction of the traffic is

specified by specifying a source and destination zone.

R2(config)#zone-pair security OUTBOUND source PRIVATEdestination PUBLICR2(config-sec-zone-pair)#description Traffic from PRIVATE zoneto PUBLIC zone

Task 2.17

Configure a class-map that should identify all TCP and UDP

traffic.

Layer 3 and 4 class maps identify traffic at a high level.

In this case we’re matching all traffic with the match

protocol command within the class-map.

R2(config)#class-map type inspect match-any TCP_UDP_ICMAPR2(config-cmap)#match protocol tcpR2(config-cmap)#match protocol udp

Task 2.18

Configure a policy-map to inspect the class map created

above.





153



Layer 3/4 policy maps allow you to define high-level

actions such as inspect, drop, pass, and URL filter. In

this case we’re using inspect.

R2(config)#policy-map type inspect INSPECT_PMAPR2(config-pmap)#class type inspect TCP_UDP_ICMAPR2(config-pmap-c)#inspect

Task 2.19

Apply the policy-map to the zone pair for private to

public.

To attach a firewall policy map to a zone-pair we’ll use

the “service-policy type inspect” command.

R2(config)#zone-pair security OUTBOUND source PRIVATEdestination PUBLICR2(config-sec-zone-pair)#service-policy type inspectINSPECT_PMAP

Verify with the “show zone-pair security command”.

R2#show zone-pair securityZone-pair name OUTBOUNDDescription: Traffic from PRIVATE zone to PUBLIC zone Source-Zone PRIVATE Destination-Zone PUBLIC service-policy INSPECT_PMAP

Task 2.20





154



Assign interface FastEthernet0/0 and FastEthernet0/1 to the

PRIVATE zone and interface Serial0/0/0 to the PUBLIC zone.

Traffic between members of the same zone is unrestricted.

Traffic between members of different zones will only be

allowed if a zone-pair and policy exists. Add an interface

to a zone with the “zone-member security” command.

R2(config)#interface FastEthernet 0/0R2(config-if)#zone-member security PRIVATE

R2(config-if)#interface FastEthernet 0/1R2(config-if)#zone-member security PRIVATE

R2(config-if)#interface Serial0/0/0R2(config-if)#zone-member security PUBLIC

Verify with the “show zone security command”.

R2#show zone securityzone self Description: System defined zone

zone PRIVATE Description: Inside Networks Member Interfaces: FastEthernet0/0 FastEthernet0/1

zone PUBLIC Description: Outside Networks Member Interfaces: Serial0/0/0





155



Task 2.21

Configure R2 the inspect parameters listed below. This

parameter map should be applied to the existing class for

TCP and UDP traffic.

Alerting should be on

Auditing should be on

DNS timeout should be set to 4 seconds

Drop existing half-open sessions when the number rises

above 1000. Stop dropping existing half-open sessions

when the number falls below 800. Drop existing half-

open sessions when the number rises above 700 within a

minute, and stop dropping existing half-open sessions

when the number falls below 500 within a minute.

Allow a maximum of 3000 sessions

Each host can have a maximum of 25 existing half-open

sessions. When this is exceeded, all existing half-

open sessions should be deleted and blocked for 10

minutes.

Manage TCP sessions for only 5 seconds after they have

finished.

Delete TCP sessions after 30 minutes of inactivity.

Delete TCP sessions if not fully established within 20

seconds.

Delete UDP sessions after 20 seconds of inactivity.





156



A parameter map allows you to specify parameters and apply

them within a policy-map. First we’ll create the parameter

map.

R2(config)#parameter-map type inspect INSPECT_PARAMETER_MAPR2(config-profile)#alert onR2(config-profile)#audit-trail onR2(config-profile)#dns-timeout 4R2(config-profile)#max-incomplete high 1000R2(config-profile)#max-incomplete low 800R2(config-profile)#one-minute high 700R2(config-profile)#one-minute low 500R2(config-profile)#sessions maximum 3000R2(config-profile)#tcp max-incomplete host 25 block-time 10R2(config-profile)#tcp finwait-time 5R2(config-profile)#tcp idle-time 1800R2(config-profile)#tcp synwait-time 20R2(config-profile)#udp idle-time 20

Then apply it under our existing policy map. Notice that

the parameter map is added within the inspect command.

Although we only have one, different parameter maps can be

applied to different classes of traffic.

R2(config)#policy-map type inspect INSPECT_PMAPR2(config-pmap)#class type inspect TCP_UDP_ICMAPR2(config-pmap-c)#inspect INSPECT_PARAMETER_MAP

Verify with “show parameter-map”.

R2#show parameter-map type inspect parameter-map type inspect INSPECT_PARAMETER_MAP audit-trail on alert on max-incomplete low 800 max-incomplete high 1000 one-minute low 500





157



one-minute high 700 udp idle-time 20 icmp idle-time 10 dns-timeout 4 tcp idle-time 1800 tcp finwait-time 5 tcp synwait-time 20 tcp max-incomplete host 25 block-time 10 sessions maximum 3000

Task 2.22

Rate limit ICMP traffic from the PRIVATE zone to the PUBLIC

zone to 8000 bps with a burst of 2000 bytes.

Rate limiting is done within a policy map with the police

command. First identify the protocol ICMP with a class-map.

R2(config)#class-map type inspect ICMPR2(config-cmap)#match protocol icmp

Then apply actions to it within our existing policy-map.

R2(config)#policy-map type inspect INSPECT_PMAPR2(config-pmap)#class ICMPR2(config-pmap-c)#inspectR2(config-pmap-c)#police rate 8000 burst 2000

Task 2.23





158



Drop all P2P (KaZaA, Morpheus, Grokster) traffic and AOL

and Yahoo IM traffic from the PRIVATE zone to the PUBLIC

zone.

This is done with a layer 7 or application class-map. The

match criteria within such a class-map are specific to the

particular application. In this case we’ll be matching any

of the listed P2P protocols.

R2(config)#class-map type inspect match-any P2PR2(config-cmap)#match protocol fasttrackR2(config-cmap)#match protocol aolR2(config-cmap)#match protocol ymsgr

We can then apply the drop action to this class of traffic

in our policy map.

R2(config)#policy-map type inspect INSPECT_PMAPR2(config-pmap)#class type inspect P2PR2(config-pmap-c)#drop

Task 2.24

Configure R1 to authenticate the ACS Server via HTTP before

allowing the ACS Server to browse to R2. Use a local user

with username “authproxyuser” and password “cisco” to do

this.





159



Auth-proxy intercepts requests on a particular interface

and requires authentication before allowing the connection.

The authentication can either be local or remote via

TACACS+ or RADIUS. In this example it will be local

authentication.

R1#conf tEnter configuration commands, one per line. End with CNTL/Z.R1(config)#username authproxyuser password ciscoR1(config)#R1(config)#aaa new-modelR1(config)#aaa authentication login default localR1(config)#aaa authorization auth-proxy default localR1(config)#ip auth-proxy name AUTHP httpR1(config)#R1(config)#R1(config)#interface FastEthernet0/0R1(config-if)#ip auth-proxy AUTHPR1(config-if)#exitR1(config)#R1(config)#ip http serverR1(config)#ip http authentication aaa

Enable the http server on R2 before testing.

R2(config)#ip http server

And verify by attempting to connect via http from the ACS

to R2. The connection must first be authenticated.





160







161



The “show ip auth-proxy cache” command will list the

authenticated client.

R1#show ip auth-proxy cacheAuthentication Proxy Cache Client Name authproxyuser, Client IP 192.168.2.101, Port 4775,timeout 60, Time Remaining 60, state ESTAB

Task 2.25

Configure R1 with a login banner for Authentication Proxy

that states “Unauthorized access is prohibited”.

As we saw in the previous section there is no banner on the

authentication screen by default. It can be added with the

“ip auth-proxy auth-proxy-banner” command.

R1(config)# ip auth-proxy auth-proxy-banner http ^Unauthorizedaccess is prohibited^

Clear the authentication proxy cache on R1, and re-

authenticate. The login banner is now displayed.

R1#clear ip auth-proxy cache *





162



Task 2.26

Configure R1 so that user authentication entries are

removed after 30 minutes of inactivity. Configure R1 so

that the absolute time is 30 minutes. The maximum number

of retries should be set to 5.

Auth-proxy has several timers, thresholds and variables

that can be modified.

R1(config)#ip auth-proxy inactivity-timer 30R1(config)#ip auth-proxy absolute-timer 10R1(config)#ip auth-proxy max-login-attempts 5





163



Task 2.27

Configure R1 so that it only requires authentication if the

ACS Server is attempting to HTTP to R2’s loopback 0 address

(2.2.2.2).

This is done with the list option at the end of the “ip

auth-proxy” command. It allows for control over what

traffic will be authenticated.

R1(config)#access-list 101 permit tcp host 192.168.2.101 host2.2.2.2 eq 80R1(config)#ip auth-proxy name AUTHP http list 101

To verify, clear the authentication proxy cache on R1, and

browse to 24.234.12.2 from the ACS Server. No

authentication is required. From the ACS Server, browse to

R2’s loopback 0 address 2.2.2.2, and authentication is

required.

R1#clear ip auth-proxy cache *





164







165



(Reload startup config for R2 and R3)

Task 2.28

Configure R2 to deny any IP connectivity from behind

FastEthernet0/0 to the rest of the network. In order for

anyone behind FastEthernet0/0 to have IP connectivity to

the rest of the network, they must authenticate to R2 with

the username “locknkey” and password “cisco”. Idle time

should be 2 minutes minimum. Ensure that EIGRP is not

interrupted.

This is done with a lock-and-key. Lock-and-key allows a

user to gain temporary access through a dynamic access list

after they have authenticated via telnet to the router.

R2(config)#username locknkey password cisco

R2(config)#ip access-list extended INBOUNDR2(config-ext-nacl)# permit tcp any host 24.234.12.2 eq telnetR2(config-ext-nacl)# permit eigrp host 24.234.12.1 host224.0.0.10R2(config-ext-nacl)# permit eigrp host 24.234.12.1 host24.234.12.2R2(config-ext-nacl)#dynamic ACCESS timeout 120 permit ip any any

R2(config-ext-nacl)#interface FastEthernet0/0R2(config-if)# ip access-group INBOUND in





166



R2(config-if)#line vty 0 4R2(config-line)# login localR2(config-line)# autocommand access-enable timeout 2

Verify by attempting to ping from R1 to R5, it will fail.

R1#ping 24.234.245.5


In order for R1 to connect to R5, R1 must authenticate to

R2 via telnet.



Username: locknkeyPassword:[Connection to 24.234.12.2 closed by foreign host]R1#ping 24.234.245.5


Once authenticated, you can view the dynamic ACL entry on

R2.





167



R2#show ip access-listsExtended IP access list INBOUND 10 permit tcp any host 24.234.12.2 eq telnet (81 matches) 20 permit eigrp host 24.234.12.1 host 224.0.0.10 (138matches) 30 permit eigrp host 24.234.12.1 host 24.234.12.1 40 Dynamic ACCESS permit ip any any permit ip any any (5 matches) (time left 110)

Notice, that the dynamic ACL is “permit ip any any”. This

requirement changes in the next step.

Task 2.29

Modify the configuration of R2 to enable per-host access

only.

The host keyword must be used within the access-enable

command in order to enable per-host access.

R2(config)#line vty 0 4R2(config-line)#autocommand access-enable host timeout 2

R1 cannot ping R5, so R1 will need to authenticate to R2,

before being allowed.

R1#ping 24.234.5.5

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 24.234.5.5, timeout is 2seconds:U.U.U





168



Success rate is 0 percent (0/5)R1#R1#telnet 24.234.12.2Trying 24.234.12.2 ... Open


Username: locknkeyPassword:[Connection to 24.234.12.2 closed by foreign host]R1#ping 24.234.5.5

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 24.234.5.5, timeout is 2seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =56/57/60 msR1#

The dynamic access-list now permits the specific host

instead of any.

R2#sh ip access-listsExtended IP access list INBOUND 10 permit tcp any host 24.234.12.2 eq telnet (159 matches) 20 permit eigrp host 24.234.12.1 host 224.0.0.10 (1020matches) 30 permit eigrp host 24.234.12.1 host 24.234.12.1 40 Dynamic ACCESS permit ip any any permit ip host 24.234.12.1 any (5 matches) (time left104)





169



Task 2.30

Configure R3 so that all TCP, UDP, and ICMP traffic

initiated from behind FastEthernet0/0 is automatically

allowed to return. Permit FastEthernet0/0 on R6 to initiate

telnet sessions to the 24.234.0.0 network. Ensure that

routing information is not interrupted. Log any ‘denied

packets’ to the local buffer. Do not use CBAC to

accomplish this.

Since we can’t use CBAC, this will be done with reflexive

ACLs. Reflexive ACLs allow return traffic for certain

protocols, in this case TCP, UDP, and ICMP. On the outbound

ACL use the reflect keyword. On the inbound or blocking ACL

use the “evaluate” command to allow the return traffic.

R3(config)#logging buffered

R3(config)#ip access-list extended OUTBOUNDR3(config-ext-nacl)#permit tcp any any reflect REFR3(config-ext-nacl)#permit udp any any reflect REFR3(config-ext-nacl)#permit icmp any any reflect REF

R3(config-ext-nacl)#ip access-list extended INBOUNDR3(config-ext-nacl)#permit udp host 24.234.36.6 host 224.0.0.9eq 520R3(config-ext-nacl)#permit tcp host 24.234.36.6 24.234.0.00.0.255.255 eq 23R3(config-ext-nacl)#evaluate REFR3(config-ext-nacl)#deny ip any any log

R3(config-ext-nacl)#interface FastEthernet0/1





170



R3(config-if)# ip access-group INBOUND inR3(config-if)# ip access-group OUTBOUND out

Test by pinging from R2 to R6.

R2#ping 24.234.36.6


Now do a “show ip access-list”. Notice that there is a

reflexive ACL entry for the traffic.

R3#show ip access-listExtended IP access list INBOUND 10 permit udp host 24.234.36.6 host 224.0.0.9 eq rip (12matches) 20 permit tcp host 24.234.36.6 24.234.0.0 0.0.255.255 eqtelnet 30 evaluate REF 40 deny ip any any logExtended IP access list OUTBOUND 10 permit tcp any any reflect REF 20 permit udp any any reflect REF 30 permit icmp any any reflect REF (10 matches)Reflexive IP access list REF permit icmp host 24.234.36.6 host 24.234.23.2 (20 matches)(time left 282)

Task 2.31





171



Configure R2 s0/0/0 so that ICMP from R5 s0/0/0 is denied

access to the rest of the network from 2am to 4am. Also,

deny all non-initial fragments inbound on FastEthernet0/0.

All other traffic should be allowed at all times.

This is accomplished with a time based ACL. First we’ll

configure a time range identifying the time we want to work

with. Then we’ll create an ACL entry using the time range

to deny ICMP traffic.

The fragments keyword is used to block non-initial

fragments. Notice that the deny statement is before any

other entry in the ACL. Only if there are no non-initial

fragments should other entries be checked.

R2(config)#time-range R5R2(config-time-range)# periodic daily 02:00 to 04:00

R2(config-time-range)#ip access-list extended TIMER2(config-ext-nacl)#deny ip any any fragmentsR2(config-ext-nacl)#deny icmp host 24.234.245.5 any time-rangeR5R2(config-ext-nacl)#permit ip any any

R2(config-ext-nacl)#interface s0/0/0R2(config-if)# ip access-group TIME in

Set the clock on R2 to an acceptable time that will allow

R5 to ping R2’s loopback address.

R2#clock set 01:00:00 22 jan 2009R2#





172



*Jan 22 01:00:00.000: %SYS-6-CLOCKUPDATE: System clock has beenupdated from 23:04:48 UTC Wed Mar 11 2009 to 01:00:00 UTC ThuJan 22 2009, configured from console by console.

R5#ping 2.2.2.2

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =56/57/60 ms

Set the clock on R2 to a time between 2am and 4am. Try the

ping again. It will fail.

R2#clock set 03:00:00 22 jan 2009

Jan 22 03:00:00.000: %SYS-6-CLOCKUPDATE: System clock has beenupdated from 01:01:06 UTC Thu Jan 22 2009 to 03:00:00 UTC ThuJan 22 2009, configured from console by console.

R5#ping 2.2.2.2

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:U.U.USuccess rate is 0 percent (0/5)





173







174







175








176







177








178











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





179








180











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





181



Task 3.1

Configure R1 as a CA and NTP server with authentication.

Setup ASA1 and R5 as NTP and CA clients.

Task 3.2

Add the following route to the ACS server:

route add 100.0.0.0 mask 255.0.0.0 192.168.2.100.

Task 3.3

Configure the following IPsec parameters between ASA1 and

R5.

IKE 1 RSA, DH2, AES, SHA

IKE 2 AES, SHA

Protected traffic, all IP between hosts 1.1.1.1 and

22.22.22.2

tunnel endpoints asa 100.60.10.100 and R5 5.5.5.5

Erase and Reload initial configurations on ASA1 and R5.

Verify the ACS PC has a route to 100.0.0.0 via firewall





182



Task 3.4

Create a DMVPN using the following:

R2 hub

R3/R4 Spokes

GRE network 10.0.0.y/24

New loop 234 of 10.yy.0.y/24

Overlay of eigrp 1 for the 10 networks.

source from loop 0 on each router

IKE 1: dh2, psk cisco, 3des, sha

IKE 2: 3des, sha

Task 3.5

Permit the IPsec related traffic through the ASA.

Task 3.6

Setup GET VPN with the following:

R6 key server

R3/R4 members

IKE 1 3des, dh2, lifetime 400, psk cisco

IKE 2 3des, sha





183



interesting traffic ICMP between 3.3.3.3 and 4.4.4.4

bidirectional

Task 3.7

Configure EasyVPN with the following:

ASA easy vpn server on inside

R2 and ACS PC easy vpn clients

IKE 1 sha, dh2, aes, psk

IKE 2 aes, sha, pfs 2

split tunnel- traffic for the 100.70.10.0/24 net

clilent mode

pool 100.60.10.201-210

username vpn_user

group vpn_group

password cisco (for both)

R2 loop 0 is inside interface

allow password storage on clients

user virtual template





184



Task 3.8

Allow clients to locally save password.





185



Task 3.9

Configure the ASA to prioritize EasyVPN IPsec traffic.





186



Task 3.10

Configure clientless WebVPN on the inside of ASA1 using the

following:

Connection named SSL_VPN

URL: https://192.168.2.100/ssl

local authentication user “ssl_user” password “cisco”

group policy = SSL_VPN




https://192.168.2.100/ssl


187



Task 3.11

Configure high availability using the following:

R2 loop 0, peers with R3 and R4 HSRP address

IKE 1 PSK cisco, dh 2, 3des, sha

IKE 2 3des sha

Interesting traffic: IP between New loopback 222 of

10.yy.yy.2/24 and R5 loop 0

Do not add 10.yy.yy.0/24 to any routing protocols on

R2.

Task 3.1





188



Configure R1 as a CA and NTP server with authentication.

Setup ASA1 and R5 as NTP and CA clients:

NTP is necessary so that all times on certificates match

what time the router thinks it is. If they don’t a valid

cert may be seen as expired or future.

The NTP source is setup as L0 so that it will be reachable

regardless of interface status. NTP master 1 configures the

router as an NTP server, stratum 1. Stratum is the distance

from the reference clock. Stratum 1 is most

trusted/accurate as it is assumed to be directly connected

to a reference clock. We set up key 1 as cisco.

R1(config)#ntp source Loopback0R1(config)#ntp master 1R1(config)#ntp authentication-key 1 md5 ciscoR1(config)#clock timezone PST -8R1(config)#clock summer-time PDT recurringApr 14 17:31:44.327: %SYS-6-CLOCKUPDATE: System clock has beenupdated from 17:31:44 UTC Tue Apr 14 2009 to 09:31:44 PST TueApr 14 2009, configured from console by console.Apr 14 17:31:44.811: %SYS-6-CLOCKUPDATE: System clock has beenupdated from 09:31:44 PST Tue Apr 14 2009 to 10:31:44 PDT TueApr 14 2009, configured from console by console.

To configure a router as a CA server you’ll need a few

things. First, set up the HTTP server. This is used by the

clients to enroll. You’ll need a domain name and a hostname

which will be included in the cert. Optionally you can

generate keys which allows you to control the label name.

They will be automatically generated if you don’t.





189



R1(config)#ip http serverR1(config)#ip domain-name cisco.comR1(config)#crypto key generate rsa general-keys label R1-General-Keys modulus 1024 exportableThe name for the keys will be: R1-General-Keys

% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be exportable...[OK]

R1(config)#Apr 14 17:31:53.115: %SSH-5-ENABLED: SSH 1.99 has been enabled

Now we’ll configure the server itself. We’ve included some

options such as cert lifetimes and the cdp URL for

certificate revocation. The most important one is grant

auto. This means certs do not need to be approved via the

CLI, they will be granted automatically when the client

makes an enrollment request. Remember to issue the no shut

command on the server

R1(config)#crypto pki server R1-CA_ServerR1(cs-server)#database url nvram:R1(cs-server)#database level minimumR1(cs-server)#issuer-name CN=R1-CA_Server.cisco.com L=NV C=USR1(cs-server)#lifetime ca-certificate 365R1(cs-server)#lifetime certificate 200R1(cs-server)#lifetime crl 24R1(cs-server)#cdp-url http://1.1.1.1/R1-CA_Servercdp.R1-CA_Server.crlR1(cs-server)#grant autoR1(cs-server)#Apr 14 17:33:05.183: %PKI-6-CS_GRANT_AUTO: All enrollmentrequests will be automatically granted.R1(cs-server)#no shut%Some server settings cannot be changed after CA certificategeneration.% Please enter a passphrase to protect the private key% or type Return to exitPassword:cisco123




http://1.1.1.1/R1-CA_Servercdp.R1-


190



Re-enter password:cisco123% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.R1(cs-server)#Apr 14 17:33:30.451: %PKI-6-CS_ENABLED: Certificate server nowenabled.R1(cs-server)#

With the CA server enabled, we’ll move on to client

configuration. On the ASA we’ll set the same timezone as

the server, enter the same key, set it up as trusted and

authenticate the server with the key.

ASA-1(config)# domain-name ciscoASA-1(config)# clock timezone PST -8ASA-1(config)# clock summer-time PDT recurringASA-1(config)# ntp authentication-key 1 md5 ciscoASA-1(config)# ntp trusted-key 1ASA-1(config)# ntp authenticateASA-1(config)# ntp server 1.1.1.1 key 1

We’ll generate RSA keys before setting up the trustpoint.

The retry commands are optional, what is important is the

enrollment URL. Note that the port is 80.

ASA-1(config)# crypto key generate rsa general-keys modulus1024WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yesKeypair generation process begin. Please wait...ASA-1(config)# crypto ca trustpoint R1-CAASA-1(config-ca-trustpoint)# enrollment retry count 5ASA-1(config-ca-trustpoint)# enrollment retry period 3ASA-1(config-ca-trustpoint)# enrollment url http://1.1.1.1:80ASA-1(config-ca-trustpoint)# revocation-check none




http://1.1.1.1/


191



ASA-1(config-ca-trustpoint)# exitASA-1(config)# ping 1.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =30/32/40 ms

After verifying connectivity to the CA server, we’ll first

authenticate and then enroll to it. Authentication must

occur before enrollment is allowed. You will receive a

message stating that the certificate has been granted.

ASA-1(config)# crypto ca authenticate R1-CA

INFO: Certificate has the following attributes:Fingerprint: 5fe94f9c 3ce30ecc 01972a46 9b34833aDo you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.ASA-1(config)# cryp ca enroll R1-CA%% Start certificate enrollment ..% Create a challenge password. You will need to verbally providethis password to the CA Administrator in order to revoke yourcertificate. For security reasons your password will not be saved in theconfiguration. Please make a note of it.Password: cisco123Re-enter password: cisco123

% The fully-qualified domain name in the certificate will be:ASA-1.cisco

% Include the device serial number in the subject name?[yes/no]: no

Request certificate from CA? [yes/no]: yes% Certificate request sent to Certificate Authority





192



ASA-1(config)# The certificate has been granted by CA!

Configuration for routers is almost identical to the ASA.

Set the timezone, configure NTP with authentication, set a

domain name, generate keys and configure the trustpoint.

The CA must be authenticated before enrollment.

R5(config)#clock timezone PST -8R5(config)#clock summer-time PDT recurringR5(config)#Apr 14 18:40:06.592: %SYS-6-CLOCKUPDATE: System clock has beenupdated from 18:40:06 UTC Tue Apr 14 2009 to 10:40:06 PST TueApr 14 2009, configured from console by console.R5(config)#Apr 14 18:40:07.740: %SYS-6-CLOCKUPDATE: System clock has beenupdated from 10:40:07 PST Tue Apr 14 2009 to 11:40:07 PDT TueApr 14 2009, configured from console by console.R5(config)#ntp authentication-key 1 md5 ciscoR5(config)#ntp trusted-key 1R5(config)#ntp authenticateR5(config)#ntp server 1.1.1.1 key 1

R5(config)#ip domain-name cisco.comR5(config)#crypto key generate rsa general-keys modulus 1024exportableThe name for the keys will be: R5.cisco.com

% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be exportable...[OK]

R5(config)#*Apr 14 17:52:04.235: %SSH-5-ENABLED: SSH 1.99 has been enabledR5(config)#crypto ca trustpoint R1-CAR5(ca-trustpoint)# enrollment retry count 5R5(ca-trustpoint)# enrollment retry period 3R5(ca-trustpoint)# enrollment url http://1.1.1.1:80R5(ca-trustpoint)# revocation-check noneR5(ca-trustpoint)#exitR5(config)#R5(config)#!R5(config)#crypto pki authenticate R1-CA




http://1.1.1.1/


193



Certificate has the following attributes: Fingerprint MD5: 5FE94F9C 3CE30ECC 01972A46 9B34833A Fingerprint SHA1: A6BD7EA9 73833535 8DD8E12E C6BDC548BEF74795

% Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.

R5(config)#cryp pki enroll R1-CA%% Start certificate enrollment ..% Create a challenge password. You will need to verbally providethis password to the CA Administrator in order to revoke yourcertificate. For security reasons your password will not be saved in theconfiguration. Please make a note of it.

Password:Re-enter password:

% The subject name in the certificate will include: R5.cisco.com% Include the router serial number in the subject name?[yes/no]: no% Include an IP address in the subject name? [no]: yesEnter Interface name or IP Address[]: loop 0Request certificate from CA? [yes/no]: yes% Certificate request sent to Certificate Authority% The 'show crypto ca certificate R1-CA verbose' commandwillshow the fingerprint.

R5(config)#Apr 14 17:49:37.897: CRYPTO_PKI: Certificate RequestFingerprint MD5: 68D31458 C10A3DC7 B5113FBD 38132DF8Apr 14 17:49:37.897: CRYPTO_PKI: Certificate RequestFingerprint SHA1: EF0CFEDB 71907504 A49B193C 7D700BDC 346789D9R5(config)#R5(config)#R5(config)#Apr 14 17:49:42.697: %PKI-6-CERTRET: Certificate received fromCertificate Authority





194



Task 3.2

Add the following route to the ACS server:

“route add 100.0.0.0 mask 255.0.0.0 192.168.2.100”

This is simple windows routing. Traffic for 100.x.x.x

should be sent to the next hop of 192.168.2.100.

Task 3.3

Configure the following IPSec parameters between ASA1 and

R5.

IKE 1 RSA, DH2, AES, SHA

IKE 2 AES, SHA

traffic, all IP between hosts 1.1.1.1 and 22.22.22.2

tunnel endpoints asa 100.60.10.100 and R5 5.5.5.5

On the ASA you must enable isakmp per interface, so we’ll

enable it on the outside. An ACL must be set up to identify

interesting traffic, in this case any ip from 22.22.22.2 to

1.1.1.1.

A tunnel group is set up to enter various attributes of the

tunnel. The group name must be the ip address of the peer,

in this case 5.5.5.5. The tunnel is configured as ipsec lan





195



to lan. The trustpoint, isakmp policy to use and

authentication method (rsa-sig AKA pki) is also set here.

ASA-1(config)# crypto isakmp enable outsideASA-1(config)# access-list outside_1_cryptomap line 1 extendedpermit ip host 22.22.22.2 host 1.1.1.1ASA-1(config)# clear xlateASA-1(config)# tunnel-group 5.5.5.5 type ipsec-l2lASA-1(config)# tunnel-group 5.5.5.5 ipsec-attributesASA-1(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry2ASA-1(config-tunnel-ipsec)# trust-point R1-CAASA-1(config-tunnel-ipsec)# crypto isakmp policy 10 authen rsa-sig

The isakmp policy is set per the instructions. AES, SHA, DH

group 2.

ASA-1(config)# crypto isakmp policy 10 encrypt aesASA-1(config)# crypto isakmp policy 10 hash shaASA-1(config)# crypto isakmp policy 10 group 2ASA-1(config)# crypto isakmp policy 10 lifetime 86400

The transform set is configured per the instructions. ESP

using AES and SHA.

ASA-1(config)# crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

Now we’ll set up our crypto map to tie everything together.

We set the trustpoint to be used, reference our previously

created ACL for interesting traffic, set the peer, the

transform set, the tunnel group to use and the very

important peer-id-validate cert command. Finally, the

crypto map is applied to the outside interface.

ASA-1(config)# crypto map outside_map 1 set trustpoint R1-CA





196



ASA-1(config)# crypto map outside_map 1 match addressoutside_1_cryptomapASA-1(config)# crypto map outside_map 1 set peer 5.5.5.5ASA-1(config)# crypto map outside_map 1 set transform-set ESP-AES-128-SHAASA-1(config)# tunnel-group 5.5.5.5 ipsec-attributesASA-1(config-tunnel-ipsec)# peer-id-validate certASA-1(config-tunnel-ipsec)# exitASA-1(config)# crypto map outside_map interface outside

Router configuration is similar but a little bit more

simple than the ASA. First we’ll create an ACL to identify

interesting traffic. It will be a mirrot image of the ASA’s

ACL.

R5(config)# access-list 100 permit ip 1.1.1.1 0.0.0.0 22.22.22.20.0.0.0

Then isakmp policy is set. This must match what the ASA is

using, so rsa-sig authentication (the default), AES

encryption, SHA for hashing and DH group 2.

R5(config)#crypto isakmp policy 1R5(config-isakmp)# authentication rsa-sigR5(config-isakmp)# encr aes 128R5(config-isakmp)# hash shaR5(config-isakmp)# group 2R5(config-isakmp)# lifetime 86400R5(config-isakmp)# exit

The transform set must also match what is being used on the

ASA. ESP with AES and SHA.

R5(config)# crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 128R5(cfg-crypto-trans)# exit





197



A crypto map is used to tie the configuration together.

Recall that the tunnel endpoint on R5 must be 5.5.5.5 or

l0. This must be done even though the crypto map is applied

to an actual interface. The local-address loop 0 command

accomplishes this. The transform set, peer and crypto ACL

are all set and the crypto map applied to the fa0/0.70

interface.

R5(config)# crypto map MYMAP local-address loop 0R5(config)# crypto map MYMAP 1 ipsec-isakmp% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.R5(config-crypto-map)# set transform-set MYSETR5(config-crypto-map)# set peer 100.60.10.100R5(config-crypto-map)# match address 100R5(config-crypto-map)# exitR5(config)#interface FastEthernet0/0.70R5(config-subif)# crypto map MYMAPR5(config-subif)# exit

Verify by generating interesting traffic, in this case a

ping between 1.1.1.1 and 22.22.22.2. The ping is

successful. “Sho crypto ipsec sa” shows that the 4 packets

were encrypted and decrypted on both the router and the

ASA.

Apr 14 18:27:31.483: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verify with a ping from R1 loopback 0 to 22.22.22.2:

R1#ping 22.22.22.2 source loop 0

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 22.22.22.2, timeout is 2seconds:Packet sent with a source address of 1.1.1.1





198



.!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =32/32/36 ms

R5#show crypto mapCrypto Map: "MYMAP" idb: Loopback0 local address: 5.5.5.5

Crypto Map "MYMAP" 1 ipsec-isakmp Peer = 100.60.10.100 Extended IP access list 100 access-list 100 permit ip host 1.1.1.1 host22.22.22.2 Current peer: 100.60.10.100 Security association lifetime: 4608000 kilobytes/3600seconds PFS (Y/N): N Transform sets={ MYSET, } Interfaces using crypto map MYMAP: FastEthernet0/0.70

R5# show crypto ipsec sa

interface: FastEthernet0/0.70 Crypto map tag: MYMAP, local addr 5.5.5.5

protected vrf: (none) local ident (addr/mask/prot/port):(1.1.1.1/255.255.255.255/0/0) remote ident (addr/mask/prot/port):(22.22.22.2/255.255.255.255/0/0) current_peer 100.60.10.100 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0





199



ASA-1(config)# show crypto ipsec sainterface: outside Crypto map tag: outside_map, seq num: 1, local addr:100.60.10.100

access-list outside_1_cryptomap permit ip host 22.22.22.2host 1.1.1.1 local ident (addr/mask/prot/port):(22.22.22.2/255.255.255.255/0/0) remote ident (addr/mask/prot/port):(1.1.1.1/255.255.255.255/0/0) current_peer: 5.5.5.5

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 4, #pkts comp failed: 0, #pktsdecomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragmentscreated: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needingreassembly: 0

Erase and Reload initial configs on ASA1 and R5.

Verify the ACS pc has a route to 100.0.0.0 via firewall.

Task 3.4

Create a DMVPN using the following:





200



R2 hub

R3/R4 Spokes

GRE network 10.0.0.y/24

New loop 234 of 10.yy.0.y/24

Overlay of eigrp 1 for the 10 networks.

source from loop 0 on each router

IKE 1: dh2, psk cisco, 3des, sha

IKE 2: 3des, sha

Hub configuration:

First we’ll create the loopback interface. Its important to

note that this address isn’t routeable on the existing

nextwork.

R2(config)#int loop 234*Apr 14 20:09:36.807: %LINEPROTO-5-UPDOWN: Line protocol onInterface Loopback234, changed state to upR2(config-if)#ip add 10.22.0.2 255.255.255.0

Now we’ll need to set up isakmp according to the

instructions. 3des encryption, sha for hashing, DH group 2

and authentication using a pre-shared key. Note that the

peer address from the pre-shared is the wildcard of

0.0.0.0. This means the key isn’t tied to a specific peer

which is important since multiple peers will be using it.

R2(config)#crypto isakmp policy 1R2(config-isakmp)# authentication pre-shareR2(config-isakmp)# encr 3des





201



R2(config-isakmp)# hash shaR2(config-isakmp)# group 2R2(config-isakmp)# lifetime 86400R2(config-isakmp)# exitR2(config)#crypto isakmp key cisco address 0.0.0.0

The transform set is configured using the instructions. ESP

with 3des and sha. Transport mode is set here, if it wasn’t

the default of tunnel would be used. This saves us an

additional 20 bytes since the existing IP header is used.

R2(config)# crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmacesp-3desR2(cfg-crypto-trans)# mode transportR2(cfg-crypto-trans)# exit

Finally, DMVPN doesn’t use a crypto map. The ipsec

configuration is tied to the tunnel with an ipsec profile,

so we’ll create that. It is very simple, set the transform

set to be used.

R2(config)#crypto ipsec profile DMVPN_PROFILER2(ipsec-profile)# set transform-set ESP-3DES-SHAR2(ipsec-profile)# exit

Most of the DMVPN configuration occurs on the tunnel

interface itself. Here we set the bandwidth and delay of

the interface, important since EIGRP uses these for metrics

and because the bandwidth by default is very low while the

delay is very high. We also need to set the MTU to a

reasonable level to take into account the additional packet

size caused by ipsec and GRE. Otherwise the packet can be

too large and cause fragmentation. 1400 is a good

conservative mtu. The ip tcp adjust-mss command modifies

the TCP maximum segement size in packets sent during TCP





202



establishment. It is set to 1360 so that end hosts will

only send 1360 bytes via TCP which will keep total packet

size no greater than our MTU of 1400 bytes. This is again

done to combat fragmentation.

R2(config)#interface Tunnel0R2(config-if)# ip address 10.0.0.2 255.255.255.0R2(config-if)# bandwidth 1000R2(config-if)# delay 1000R2(config-if)# ip mtu 1400R2(config-if)# ip tcp adjust-mss 1360

Next we’ll set up the ip nhrp command which allows the hub

to use the next hop routing protocol to properly map ip

addresses. The important command here is map mulicast

dynamic, which will allow EIGRP to function properly.

R2(config-if)# ip nhrp holdtime 360R2(config-if)# ip nhrp network-id 100000R2(config-if)# ip nhrp authentication ciscoR2(config-if)# ip nhrp map multicast dynamic

It is critical to turn off EIGRP split horizon since routingupdates will be leaving via the same interface they werereceived on. Also, next-hop-self must be turned off or *ALL*EIGRP routed traffic between the spokes will traverse the hub.This defeats the purpose of DMVPN.

R2(config-if)# no ip split-horizon eigrp 1R2(config-if)# no ip next-hop-self eigrp 1

The tunnel source is set to our new loopback 0 interface,

the mode is set to GRE multipoint, a tunnel key is set and

the ipsec profile is tied to the interface with the tunnel

protection command. Finally the interface is brought up

with no shut command.





203



R2(config-if)# tunnel source Loop 0R2(config-if)# tunnel mode gre multipointR2(config-if)# tunnel key 100000R2(config-if)# tunnel protection ipsec profile DMVPN_PROFILER2(config-if)# no shutdownR2(config-if)# exit

EIGRP is configured. We’ll be advertising all of our

10.x.x.x networks. This will include both the tunnel

interface and the loopback interface.

R2(config)#router eigrp 1R2(config-router)# no auto-summaryR2(config-router)# network 10.0.0.0 0.255.255.255R2(config-router)# exit

R3 Spoke configuration:

To start, the configuration is almost identical to the hub.

The loopback interface is setup, then isakmp, the transform

set and the ipsec profile.

R3(config)#int loop 234R3(config-if)#ip address 10.33.0.3 255.255.255.0

R3(config)#crypto isakmp policy 1R3(config-isakmp)# authentication pre-shareR3(config-isakmp)# encr 3desR3(config-isakmp)# hash shaR3(config-isakmp)# group 2R3(config-isakmp)# lifetime 86400R3(config-isakmp)# exitR3(config)#crypto isakmp key cisco address 0.0.0.0

R3(config)#crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmacesp-3desR3(cfg-crypto-trans)# mode transport





204



R3(cfg-crypto-trans)# exitR3(config)#crypto ipsec profile DMVPN_PROFILER3(ipsec-profile)# set transform-set ESP-3DES-SHAR3(ipsec-profile)# exit

The tunnel interface configuration starts the same as the

hub. An IP followed by the commands neccessary to combat

fragmentation.


There are a few differences in the ip nhrp configuration.

First we need to set a next hop server so that we can

register our tunnel to interface ip mappings and get the

mappings for other spokes we will communicate with. This is

done with the ip nhrp nhs command. Note that it is mapped

to the hub’s tunnel address. Since this is the case, we

need to know what routable IP we can send these packets to.

This is done with ip nhrp map. We map the NHS address to

the hub’s actual interface IP. We then map multicast to

this same IP so that EIGRP will function via the tunnel

interfaces.

R3(config-if)# ip nhrp holdtime 360R3(config-if)# ip nhrp network-id 100000R3(config-if)# ip nhrp authentication ciscoR3(config-if)# ip nhrp nhs 10.0.0.2R3(config-if)# ip nhrp map 10.0.0.2 100.60.10.22R3(config-if)# ip nhrp map multicast 100.60.10.22





205



The rest of the tunnel configuration is the same as the

hub. A tunnel source, the GRE mode, a tunnel key and the

ipsec profile which will be used to encrypt traffic.

Remember to no shut the interface.

R3(config-if)# tunnel source Loop 0R3(config-if)# tunnel mode gre multipointR3(config-if)# tunnel key 100000R3(config-if)# tunnel protection ipsec profile DMVPN_PROFILER3(config-if)# no shutdownR3(config-if)# exit

EIGRP is set up the same as the hub. It encompasses the entire10.x.x.x network.


R4 spoke configuration:

Aside from the ip addresses the other spoke is setup

identical to the first spoke. Cut ‘n paste is the preferred

method for additional spokes since it will save a lot of

time.

R4(config)#int loop 234R4(config-if)#ip address 10.44.0.4 255.255.255.0






206



R4(config)#crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmacesp-3desR4(cfg-crypto-trans)# mode transportR4(cfg-crypto-trans)# exitR4(config)#crypto ipsec profile DMVPN_PROFILER4(ipsec-profile)# set transform-set ESP-3DES-SHAR4(ipsec-profile)# exit


R4(config-if)# ip nhrp holdtime 360R4(config-if)# ip nhrp network-id 100000R4(config-if)# ip nhrp authentication ciscoR4(config-if)# ip nhrp nhs 10.0.0.2R4(config-if)# ip nhrp map multicast 100.60.10.22R4(config-if)# ip nhrp map 10.0.0.2 100.60.10.22

R4(config-if)# tunnel source Loop 0R4(config-if)# tunnel key 100000R4(config-if)# tunnel mode gre multipointR4(config-if)# tunnel protection ipsec profile DMVPN_PROFILER4(config-if)# no shutdownR4(config-if)# exit


At this point there is still a problem. The ipsec traffic

is not being allowed to pass the ASA.

ASA-1(config)# logging enableASA-1(config)# logging buffered 5ASA-1(config)# show logSyslog logging: enabled Facility: 20





207



Timestamp logging: disabled Standby logging: disabled Debug-trace logging: disabled Console logging: disabled Monitor logging: disabled Buffer logging: level notifications, 3 messages logged Trap logging: disabled History logging: disabled Device ID: disabled Mail logging: disabled ASDM logging: disabled%ASA-5-111008: User 'enable_15' executed the 'logging buffered5' command.%ASA-2-106006: Deny inbound UDP from 4.4.4.4/500 to100.60.10.22/500 on interface outside%ASA-2-106006: Deny inbound UDP from 3.3.3.3/500 to100.60.10.22/500 on interface outside

Task 3.5

Permit the IPSec related traffic through the ASA using an

ACL. We’re allowing ISAKMP and NAT-T as a general rule.

ASA-1(config)# access-list outside_access_in line 1 extendedpermit udp host 3.3.3.3 host 100.60.10.22 eq 500ASA-1(config)# access-list outside_access_in line 1 extendedpermit udp host 3.3.3.3 host 100.60.10.22 eq 4500ASA-1(config)# access-list outside_access_in line 1 extendedpermit udp host 4.4.4.4 host 100.60.10.22 eq 500ASA-1(config)# access-list outside_access_in line 1 extendedpermit udp host 4.4.4.4 host 100.60.10.22 eq 4500

ASA-1(config)# clear xlateASA-1(config)# access-group outside_access_in in interfaceoutside

With the traffic allowed your EIGRP neighbor relationships

should form and NHRP should be functional.





208



R2#show ip nhrp10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:00:32, expire00:05:28 Type: dynamic, Flags: unique registered used NBMA address: 3.3.3.310.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:00:37, expire00:05:22 Type: dynamic, Flags: unique registered used NBMA address: 4.4.4.4

R2#show ip eigrp neighborsIP-EIGRP neighbors for process 1H Address Interface Hold Uptime SRTTRTO Q Seq (sec) (ms)Cnt Num1 10.0.0.3 Tu0 10 00:00:41 6200 0 30 10.0.0.4 Tu0 10 00:00:46 4200 0 3

R3#show crypto ipsec sa

interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 3.3.3.3


A sho ip route verifies that the next hop for the 10.x.x.x

networks is via tunnel 0.





209





1.0.0.0/24 is subnetted, 1 subnetsO 1.1.1.0 [110/66] via 100.70.10.5, 00:30:59,FastEthernet0/0.70 2.0.0.0/24 is subnetted, 1 subnetsO 2.2.2.0 [110/12] via 100.60.10.100, 00:36:01,FastEthernet0/0.60 100.0.0.0/8 is variably subnetted, 9 subnets, 2 masksO 100.110.10.0/24 [110/75] via 100.70.10.5, 00:30:59,FastEthernet0/0.70C 100.70.10.0/24 is directly connected, FastEthernet0/0.70O 100.66.10.0/24 [110/67] via 100.70.10.5, 00:30:59,FastEthernet0/0.70O 100.90.10.0/24 [110/66] via 100.70.10.5, 00:31:00,FastEthernet0/0.70C 100.60.10.0/24 is directly connected, FastEthernet0/0.60O 100.55.10.0/24 [110/2] via 100.70.10.5, 00:35:52,FastEthernet0/0.70O 100.15.10.1/32 [110/65] via 100.70.10.5, 00:31:00,FastEthernet0/0.70O 100.15.10.5/32 [110/1] via 100.70.10.5, 00:31:20,FastEthernet0/0.70O 100.11.10.0/24 [110/66] via 100.70.10.5, 00:31:00,FastEthernet0/0.70 3.0.0.0/24 is subnetted, 1 subnetsC 3.3.3.0 is directly connected, Loopback0 4.0.0.0/24 is subnetted, 1 subnetsO 4.4.4.0 [110/2] via 100.70.10.4, 00:35:52,FastEthernet0/0.70





210



[110/2] via 100.60.10.4, 00:36:12,FastEthernet0/0.60 5.0.0.0/24 is subnetted, 1 subnetsO 5.5.5.0 [110/2] via 100.70.10.5, 00:35:52,FastEthernet0/0.70 6.0.0.0/24 is subnetted, 1 subnetsO 6.6.6.0 [110/67] via 100.70.10.5, 00:31:00,FastEthernet0/0.70 22.0.0.0/24 is subnetted, 1 subnetsO 22.22.22.0 [110/12] via 100.60.10.100, 00:36:03,FastEthernet0/0.60 10.0.0.0/24 is subnetted, 4 subnetsC 10.0.0.0 is directly connected, Tunnel0D 10.22.0.0 [90/2944000] via 10.0.0.2, 00:04:38, Tunnel0D 10.44.0.0 [90/3200000] via 10.0.0.4, 00:02:34, Tunnel0C 10.33.0.0 is directly connected, Loopback234O 192.168.2.0/24 [110/11] via 100.60.10.100, 00:19:26,FastEthernet0/0.60

A ping and sho crypto ipsec sa verifies the traffic.

R3#ping 10.44.0.4 repeat 10

Type escape sequence to abort.Sending 10, 100-byte ICMP Echos to 10.44.0.4, timeout is 2seconds:!!!!!!!!!!Success rate is 100 percent (10/10), round-trip min/avg/max =4/14/24 ms


interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 3.3.3.3

protected vrf: (none) local ident (addr/mask/prot/port):(3.3.3.3/255.255.255.255/47/0) remote ident (addr/mask/prot/port):(100.60.10.22/255.255.255.255/47/0) current_peer 100.60.10.22 port 4500 PERMIT, flags={origin_is_acl,} #pkts encaps: 123, #pkts encrypt: 123, #pkts digest: 123





211



#pkts decaps: 122, #pkts decrypt: 122, #pkts verify: 122 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 72, #recv errors 0

local crypto endpt.: 3.3.3.3, remote crypto endpt.:100.60.10.22 path mtu 1514, ip mtu 1514, ip mtu idb Loopback0 current outbound spi: 0xC400E3DA(3288392666)

inbound esp sas: spi: 0x988C61D7(2559336919) transform: esp-3des esp-sha-hmac , in use settings ={Transport UDP-Encaps, } conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec):(4390499/3146) IV size: 8 bytes replay detection support: Y Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas: spi: 0xC400E3DA(3288392666) transform: esp-3des esp-sha-hmac , in use settings ={Transport UDP-Encaps, } conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec):(4390499/3144) IV size: 8 bytes replay detection support: Y Status: ACTIVE

outbound ah sas:

outbound pcp sas:





212




local crypto endpt.: 3.3.3.3, remote crypto endpt.: 4.4.4.4 path mtu 1514, ip mtu 1514, ip mtu idb Loopback0 current outbound spi: 0xFB5404C8(4216587464)

inbound esp sas: spi: 0x1BCE6890(466512016) transform: esp-3des esp-sha-hmac , in use settings ={Transport, } conn id: 2005, flow_id: NETGX:5, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec):(4525120/3583) IV size: 8 bytes replay detection support: Y Status: ACTIVE spi: 0xE945AB59(3913657177) transform: esp-3des esp-sha-hmac , in use settings ={Transport, } conn id: 2007, flow_id: NETGX:7, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec):(4453101/3581) IV size: 8 bytes replay detection support: Y Status: ACTIVE

inbound ah sas:

inbound pcp sas:





213



outbound esp sas: spi: 0x99FE240B(2583569419) transform: esp-3des esp-sha-hmac , in use settings ={Transport, } conn id: 2006, flow_id: NETGX:6, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec):(4525120/3581) IV size: 8 bytes replay detection support: Y Status: ACTIVE spi: 0xFB5404C8(4216587464) transform: esp-3des esp-sha-hmac , in use settings ={Transport, } conn id: 2008, flow_id: NETGX:8, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec):(4453101/3580) IV size: 8 bytes replay detection support: Y Status: ACTIVE

outbound ah sas:

outbound pcp sas:





214



Task 3.6

Setup GET VPN with the following:

R6 key server

R3/R4 members

IKE 1 3des, dh2, lifetime 400, psk cisco

IKE 2 3des, sha

interesting traffic icmp between 3.3.3.3 and 4.4.4.4

bidirectional

Key server configuration:

Get VPN uses ipsec to encrypt traffic, so this part of the

configuration will look no different than standard site to

site VPN. Note the wildcard pre-shared key.

R6(config)#no ip domain lookupR6(config)#ip domain name cisco.comR6(config)#crypto isakmp policy 1R6(config-isakmp)# encr 3desR6(config-isakmp)# authentication pre-shareR6(config-isakmp)# group 2R6(config-isakmp)# lifetime 400R6(config-isakmp)#crypto isakmp key cisco address 0.0.0.0

R6(config)# transform-set gdoi-trans-group1 esp-3des esp-sha-hmac





215



We’ll be using an ipsec profile, so that is configured

here. We’re really just setting the transform set to be

used similar to DMVPN. The SA lifetime is optional.

R6(cfg-crypto-trans)# crypto ipsec profile gdoi-profile-group1R6(ipsec-profile)# set security-association lifetime seconds1800R6(ipsec-profile)# set transform-set gdoi-trans-group1R6(ipsec-profile)#exit

Now we’ll setup the gdoi or group domain of interpretation.

This is the group that this key server will be providing

policy for. The server is set to local, meaning that this

is a key server. With GET, if you’re using unicast re-key

instead of multicast you must define an rsa key to be used.

This is done with the rekay authentication command.

R6(config)#crypto gdoi group group1R6(config-gdoi-group)# identity number 1R6(config-gdoi-group)# server localR6(gdoi-local-server)# rekey lifetime seconds 86400R6(gdoi-local-server)# rekey retransmit 10 number 2R6(gdoi-local-server)# rekey auhentication mypubkey rsa group1-export-generalR6(gdoi-local-server)# rekey transport unicast

Policy is set using the sa ipsec <number> command. Here we

define the ACL that will be used to determine interesting

traffic, the ipsec profile that we’ll use and the address

clients will use for the server, in this case 6.6.6.6.

R6(gdoi-local-server)# sa ipsec 1R6(gdoi-sa-ipsec)# profile gdoi-profile-group1R6(gdoi-sa-ipsec)# match address ipv4 101R6(gdoi-sa-ipsec)# replay counter window-size 64R6(gdoi-sa-ipsec)# address ipv4 6.6.6.6





216



Finally we’ll create the ACL that will be used to determine

interesting traffic. This step *CAN* be performed after the

ACL is defined in the key server setup, and can be changed

without having to reconfigure the key server.

R6(gdoi-coop-ks-config)#access-list 101 permit icmp host 3.3.3.3host 4.4.4.4R6(config)#access-list 101 permit icmp host 4.4.4.4 host 3.3.3.3

Member R3 configuration:

Most of the work in a GET configuration is done on the key

server. On the members you simply configure isakmp. A

transform set and ACL is not needed as it will be pushed

down by the key server.

R3(config)#crypto isakmp policy 1R3(config-isakmp)# encr 3desR3(config-isakmp)# authentication pre-shareR3(config-isakmp)# group 2R3(config-isakmp)# lifetime 3600R3(config-isakmp)# crypto isakmp key cisco address 6.6.6.6

Now we’ll set up the gdoi. We’ll use the same group and

identity number used on the key server. Instead of server

local we’ll set server to R6’s configured key server

address, 6.6.6.6.

R3(config)#crypto gdoi group group1R3(config-gdoi-group)# identity number 1R3(config-gdoi-group)# server address ipv4 6.6.6.6R3(config-gdoi-group)#exit





217



The configuration is completed by creating a gdoi crypto

map and setting it to use the group we just created, group

1. The crypto map is then applied to an interface just as

it would be in a site to site tunnel. Registration should

happen almost instantly.

R3(config)#crypto map map-group1 10 gdoiR3(config-crypto-map)# set group group1

R3(config-crypto-map)# interface fa0/0.60R3(config-subif)# crypto map map-group1R3(config-subif)# interface fa0/0.70R3(config-subif)# crypto map map-group1

*Apr 14 21:14:33.191: %GDOI-5-GM_REGS_COMPL: Registration to KS6.6.6.6 complete for group group1 using address 100.60.10.3*Apr 14 21:14:33.443: %CRYPTO-5-GM_REGSTER: Start registrationto KS 6.6.6.6 for group group1 using address 100.70.10.3*Apr 14 21:14:33.571: %SYS-5-CONFIG_I: Configured from consoleby console*Apr 14 21:14:33.839: %GDOI-5-GM_REGS_COMPL: Registration to KS6.6.6.6 complete for group group1 using address 100.70.10.3

Member R4 configuration:

Configuration is identical to R3. Cut ‘n paste is

recommended.

R4(config)# crypto isakmp policy 1R4(config-isakmp)# encr 3desR4(config-isakmp)# authentication pre-shareR4(config-isakmp)# group 2R4(config-isakmp)# lifetime 3600R4(config-isakmp)# crypto isakmp key cisco address 6.6.6.6

R4(config)# crypto gdoi group group1





218



R4(config-gdoi-group)# identity number 1R4(config-gdoi-group)# server address ipv4 6.6.6.6R4(config-gdoi-group)# exit

R4(config)#crypto map map-group1 10 gdoiR4(config-crypto-map)# set group group1

R4(config-crypto-map)#interface Fa0/0.60R4(config-subif)# crypto map map-group1R4(config-subif)# interface Fa0/0.70R4(config-subif)# crypto map map-group1

*Apr 14 21:21:45.119: %GDOI-5-GM_REGS_COMPL: Registration to KS6.6.6.6 complete for group group1 using address 100.60.10.4*Apr 14 21:21:45.415: %CRYPTO-5-GM_REGSTER: Start registrationto KS 6.6.6.6 for group group1 using address 100.70.10.4*Apr 14 21:21:45.811: %GDOI-5-GM_REGS_COMPL: Registration to KS6.6.6.6 complete for group group1 using address 100.70.10.4

Test by pinging 4.4.4.4 with a source of loopback 0. The

ping should be successful and a sho ipsec sa verifies the

encryption.


Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:Packet sent with a source address of 3.3.3.3!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/3/4 ms


interface: FastEthernet0/0.60 Crypto map tag: map-group1, local addr 100.60.10.3

protected vrf: (none) local ident (addr/mask/prot/port):(4.4.4.4/255.255.255.255/1/0) remote ident (addr/mask/prot/port):(3.3.3.3/255.255.255.255/1/0)





219



current_peer port 848 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0

local crypto endpt.: 100.60.10.3, remote crypto endpt.: path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.60 current outbound spi: 0x52555EAA(1381326506)

inbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2003, flow_id: NETGX:3, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1733) IV size: 8 bytes replay detection support: Y Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2004, flow_id: NETGX:4, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1732) IV size: 8 bytes replay detection support: Y Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)





220



local ident (addr/mask/prot/port):(3.3.3.3/255.255.255.255/1/0) remote ident (addr/mask/prot/port):(4.4.4.4/255.255.255.255/1/0) current_peer port 848 PERMIT, flags={origin_is_acl,} #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0



inbound ah sas:

inbound pcp sas:

outbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: NETGX:2, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1723) IV size: 8 bytes replay detection support: Y Status: ACTIVE

outbound ah sas:





221



outbound pcp sas:

interface: FastEthernet0/0.70 Crypto map tag: map-group1, local addr 100.70.10.3

protected vrf: (none) local ident (addr/mask/prot/port):(4.4.4.4/255.255.255.255/1/0) remote ident (addr/mask/prot/port):(3.3.3.3/255.255.255.255/1/0) current_peer port 848 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0



inbound ah sas:

inbound pcp sas:

outbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2008, flow_id: NETGX:8, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1721)





222



IV size: 8 bytes replay detection support: Y Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none) local ident (addr/mask/prot/port):(3.3.3.3/255.255.255.255/1/0) remote ident (addr/mask/prot/port):(4.4.4.4/255.255.255.255/1/0) current_peer port 848 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0



inbound ah sas:

inbound pcp sas:

outbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac ,





223



in use settings ={Tunnel, } conn id: 2006, flow_id: NETGX:6, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1716) IV size: 8 bytes replay detection support: Y Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Task 3.7

Configure EasyVPN with the following:

ASA easy vpn server on the inside interface

R2 and ACS PC easy vpn clients

IKE 1 sha, dh2, aes, psk

IKE 2 aes, sha, pfs 2

split tunnel- traffic for the 100.70.10.0/24 net

client mode

pool 100.60.10.201-210

username vpn_user





224



group vpn_group

password cisco (for both)

R2 loop 0 is inside interface

allow password storage on clients

user virtual template

ASA1 EasyVPN Server configuration:

The EasyVPN server configuration can be complex so it helps

to break it down into sections. First we’ll configure IPSec

settings. These will include the ISAKMP policy and

transform set that conforms to the instructions.

ASA-1(config)# crypto isakmp enable insideASA-1(config)# crypto isakmp policy 10 encrypt aesASA-1(config)# crypto isakmp policy 10 hash shaASA-1(config)# crypto isakmp policy 10 group 2ASA-1(config)# crypto isakmp policy 10 lifetime 86400

ASA-1(config)# crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

Now we’ll need to set up the EasyVPN attributes that will

be used by the clients. This will include the split tunnel

ACL, the group policy, the username/password and the IP

address pool.

ASA-1(config)# access-list vpn_group_splitTunnelAcl standardpermit 100.70.10.0 255.255.255.0

ASA-1(config)# group-policy vpn_group internalASA-1(config)# group-policy vpn_group attributesASA-1(config-group-policy)# vpn-tunnel-protocol IPSec





225



ASA-1(config-group-policy)# split-tunnel-policytunnelspecifiedASA-1(config-group-policy)# split-tunnel-network-list valuevpn_group_splitTunnelAcl

ASA-1(config)# username vpn_user password cisco privilege 0ASA-1(config)# username vpn_user attributesASA-1(config-username)# vpn-group-policy vpn_groupASA-1(config-username)# ip local pool MYPOOL 100.60.10.201-100.60.10.210 mask 255.255.255.0

Now we’ll configure the tunnel group. Notice that the type

is remote-access. It will reference the previously created

group policy and address pool. The IPSec attributes are

then set, including the PSK and the isakmp policy we

already created.

ASA-1(config)# tunnel-group vpn_group type remote-accessASA-1(config)# tunnel-group vpn_group general-attributesASA-1(config-tunnel-general)# default-group-policy vpn_groupASA-1(config-tunnel-general)# address-pool MYPOOLASA-1(config-tunnel-general)# tunnel-group vpn_group ipsec-attributesASA-1(config-tunnel-ipsec)# pre-shared-key ciscoASA-1(config-tunnel-ipsec)# crypto isakmp policy 10 authen pre-share

A dynamic crypto map is used to set both PFS and the

transform set. This dynamic map is referenced in the crypto

map which is actually applied to the inside interface. The

server configuration is now complete.

ASA-1(config)# crypto dynamic-map MYDYN 65535 set pfs group2ASA-1(config)# crypto dynamic-map MYDYN 65535 set transform-setESP-AES-128-SHAASA-1(config)# crypto map inside_map 65535 ipsec-isakmp dynamicMYDYNASA-1(config)# crypto map inside_map interface inside





226



R2 EasyVPN Client Configuration:

This is known as an EasyVPN Hardware client. The setup is

fairly simple. First we’ll configure the ezvpn client

settings. This includes the group to be used which must

match the group name created on the ASA. The peer (the ASA)

ip address is set as is the username and password to be

used. The username and password must match what was set on

the ASA.

R2(config)#crypto ipsec client ezvpn EZ_CLIENTR2(config-crypto-ezvpn)# group vpn_group key 0 ciscoR2(config-crypto-ezvpn)# peer 192.168.2.100R2(config-crypto-ezvpn)# username vpn_user password 0 ciscoR2(config-crypto-ezvpn)# xauth userid mode localR2(config-crypto-ezvpn)# exit

Loopback 0 is configured as the inside of the EasyVPN

tunnel.

R2(config)#interface loop 0R2(config-if)# crypto ipsec client ezvpn EZ_CLIENT insideR2(config-if)# exit

Now we’ll need to create our virtual template. This

template will be cloned to create a virtual access

interface (applied to the physical outside interface) when

the actual tunnel is built.

R2(config)#interface Virtual-Template1 type tunnelR2(config-if)# exit





227



With the virtual template created, we can go back into our

client configuration and set it to use a virtual-interface.

R2(config)#crypto ipsec client ezvpn EZ_CLIENTR2(config-crypto-ezvpn)# virtual-interface 1R2(config-crypto-ezvpn)# exit

We’ll now set the outside interface of the EasyVPN client,

the interface that face the EasyVPN server. We’ll also

bring up the virtual-template interface.

R2(config)#interface FastEthernet0/0.168R2(config-subif)# crypto ipsec client ezvpn EZ_CLIENT outsideR2(config-subif)# exit

R2(config)#interface Virtual-Template1 type tunnelR2(config-if)# no shutdownR2(config-if)# tunnel mode ipsec ipv4R2(config-if)# exitR2(config)#end

Now that the configuration is complete, we can authenticate

to the server. This is done with the crypto ipsec client

ezvpn xauth command. You’ll br prompted for the username

and password. Once authenticated the connection will come

up. You’ll see the client address get assigned and see the

virtual access interface come up.

R2# crypto ipsec client ezvpn xauthUsername: vpn_userPassword: cisco

*Apr 14 21:42:08.063: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)User= Group=vpn_group Server_public_addr=192.168.2.100Assigned_client_addr=100.60.10.201*Apr 14 21:42:08.067: %LINK-3-UPDOWN: Interface Virtual-Access1,changed state to upR2#





228



*Apr 14 21:42:08.943: %LINEPROTO-5-UPDOWN: Line protocol onInterface Loopback10000, changed state to up*Apr 14 21:42:09.011: %LINEPROTO-5-UPDOWN: Line protocol onInterface NVI0, changed state to up*Apr 14 21:42:09.067: %LINEPROTO-5-UPDOWN: Line protocol onInterface Virtual-Access1, changed state to up

Once the connection is up you can verify the setting with

sho crypto ipsec client ezvpn. Note that the virtual-access

interface is bound to the real outside interface. This lets

us know the virtual-template is functioning.

The client IP was received and is part of the proper pool

that we set on the server. The split tunnel ACL is also

correct. Only traffic destined for 100.70.10.0/24 will be

encrypted.

R2#show crypto ipsec client ezvpnEasy VPN Remote Phase: 6

Tunnel name : EZ_CLIENTInside interface list: Loopback0Outside interface: Virtual-Access1 (bound toFastEthernet0/0.168)Current State: IPSEC_ACTIVELast Event: MTU_CHANGEDAddress: 100.60.10.201 (applied on Loopback10000)Mask: 255.255.255.255Save Password: DisallowedSplit Tunnel List: 1 Address : 100.70.10.0 Mask : 255.255.255.0 Protocol : 0x0 Source Port: 0 Dest Port : 0Current EzVPN Peer: 192.168.2.100





229



Task 3.8

Allow clients to locally save password.

To allow this, add the password-storage enable command to

the group policy. With this enabled and the xauth userid

mode local command on the client (which we’ve already

configured) the password will be stored and the next

connect will occur authomatically. View the output below

for verification.

ASA-1(config)# group-policy vpn_group attributesASA-1(config-group-policy)# password-storage enable

R2#clear crypto saR2#*Apr 14 21:46:48.967: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)User= Group=vpn_group Server_public_addr=192.168.2.100Assigned_client_addr=100.60.10.201R2#*Apr 14 21:46:49.023: %LINK-3-UPDOWN: Interface Virtual-Access1,changed state to down*Apr 14 21:46:50.023: %LINEPROTO-5-UPDOWN: Line protocol onInterface Virtual-Access1, changed state to downR2#*Apr 14 21:46:51.015: %LINK-5-CHANGED: Interface Loopback10000,changed state to administratively down*Apr 14 21:46:51.299: EZVPN(EZ_CLIENT): Pending XAuth Request,Please enter the following command:*Apr 14 21:46:51.299: EZVPN: crypto ipsec client ezvpn xauth

R2#*Apr 14 21:46:52.015: %LINEPROTO-5-UPDOWN: Line protocol onInterface Loopback10000, changed state to down

R2#crypto ipsec client ezvpn xauthUsername: vpn_user





230



Password: cisco

R2#*Apr 14 21:47:02.827: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)User=vpn_user Group=vpn_group Server_public_addr=192.168.2.100Assigned_client_addr=100.60.10.201R2#*Apr 14 21:47:02.831: %LINK-3-UPDOWN: Interface Virtual-Access1,changed state to up*Apr 14 21:47:03.831: %LINEPROTO-5-UPDOWN: Line protocol onInterface Virtual-Access1, changed state to upR2#*Apr 14 21:47:04.779: %LINK-3-UPDOWN: Interface Loopback10000,changed state to up*Apr 14 21:47:05.779: %LINEPROTO-5-UPDOWN: Line protocol onInterface Loopback10000, changed state to up

R2#show crypto ipsec client ezvpnEasy VPN Remote Phase: 6

Tunnel name : EZ_CLIENTInside interface list: Loopback0Outside interface: Virtual-Access1 (bound toFastEthernet0/0.168)Current State: IPSEC_ACTIVELast Event: MTU_CHANGEDAddress: 100.60.10.201 (applied on Loopback10000)Mask: 255.255.255.255Save Password: AllowedSplit Tunnel List: 1 Address : 100.70.10.0 Mask : 255.255.255.0 Protocol : 0x0 Source Port: 0 Dest Port : 0Current EzVPN Peer: 192.168.2.100

R2#clear crypto saR2#*Apr 14 21:47:58.927: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)User=vpn_user Group=vpn_group Server_public_addr=192.168.2.100Assigned_client_addr=100.60.10.201R2#





231



*Apr 14 21:47:58.955: %LINK-3-UPDOWN: Interface Virtual-Access1,changed state to down*Apr 14 21:47:59.955: %LINEPROTO-5-UPDOWN: Line protocol onInterface Virtual-Access1, changed state to downR2#*Apr 14 21:48:00.955: %LINK-5-CHANGED: Interface Loopback10000,changed state to administratively down*Apr 14 21:48:01.087: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)User=vpn_user Group=vpn_group Server_public_addr=192.168.2.100Assigned_client_addr=100.60.10.201R2#*Apr 14 21:48:01.091: %LINK-3-UPDOWN: Interface Virtual-Access1,changed state to up*Apr 14 21:48:02.091: %LINEPROTO-5-UPDOWN: Line protocol onInterface Virtual-Access1, changed state to upR2#*Apr 14 21:48:03.043: %LINK-3-UPDOWN: Interface Loopback10000,changed state to upR2#show crypto ipsec client ezvpnEasy VPN Remote Phase: 6

Tunnel name : EZ_CLIENTInside interface list: Loopback0Outside interface: Virtual-Access1 (bound toFastEthernet0/0.168)Current State: IPSEC_ACTIVELast Event: MTU_CHANGEDAddress: 100.60.10.201 (applied on Loopback10000)Mask: 255.255.255.255Save Password: AllowedSplit Tunnel List: 1 Address : 100.70.10.0 Mask : 255.255.255.0 Protocol : 0x0 Source Port: 0 Dest Port : 0Current EzVPN Peer: 192.168.2.100

R2#telnet 100.70.10.5 /source-interface Loop 0Trying 100.70.10.5 ... Open

R5#who





232



Line User Host(s) IdleLocation 0 con 0 idle 00:24:34*514 vty 0 idle 00:00:00100.60.10.201

Interface User Mode Idle PeerAddress

Task 3.9

Configure the ASA to prioritize EasyVPN IPSec traffic.

The first step is to configure priority queues on both the

inside and outside interfaces. In this case the queue-limit

(size of the queue) and tx-ring-limit (number of packets

allowed in the queue) are set but this is optional.

ASA-1(config)# priority-queue insideASA-1(config-priority-queue)# tx-ring-limit 80ASA-1(config-priority-queue)# queue-limit 2048ASA-1(config-priority-queue)# priority-queue outsideASA-1(config-priority-queue)# tx-ring-limit 80ASA-1(config-priority-queue)# queue-limit 2048

Next we’ll need to identify the traffic to be placed in the

priority queue. This is done with a class-map that matches

our easyvpn tunnel-group. Once identified an action is

applied to the traffic using a policy map. In this case the





233



global policy map is used which will affect the traffic

regardless of what interface it appears on. The action of

course is “priority” which will place the identified

traffic into the priority queue. This means it will be

transmitted before normal traffic.

ASA-1(config)# class-map Remote_VPNASA-1(config-cmap)# match tunnel-group vpn_groupASA-1(config-cmap)# policy-map global_policyASA-1(config-pmap)# class Remote_VPNASA-1(config-pmap-c)# priority

Verify with the show service-policy command. Under the

class map Remote_VPN section the aggregate transmit counter

for the priority on the inside interface is incrementing.

This means the EasyVPN traffic is being prioritized.

ASA-1(config)# show service-policy

Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop0 Inspect: ftp, packet 0, drop 0, reset-drop 0 Inspect: h323 h225 _default_h323_map, packet 0, drop 0,reset-drop 0 Inspect: h323 ras _default_h323_map, packet 0, drop 0,reset-drop 0 Inspect: netbios, packet 0, drop 0, reset-drop 0 Inspect: rsh, packet 0, drop 0, reset-drop 0 Inspect: rtsp, packet 0, drop 0, reset-drop 0 Inspect: skinny , packet 0, drop 0, reset-drop 0 Inspect: esmtp _default_esmtp_map, packet 0, drop 0,reset-drop 0 Inspect: sqlnet, packet 0, drop 0, reset-drop 0 Inspect: sunrpc, packet 0, drop 0, reset-drop 0 Inspect: tftp, packet 0, drop 0, reset-drop 0 Inspect: sip , packet 0, drop 0, reset-drop 0





234



Inspect: xdmcp, packet 0, drop 0, reset-drop 0 Inspect: icmp, packet 20964, drop 0, reset-drop 0 Class-map: Remote_VPN Priority: Interface outside: aggregate drop 0, aggregate transmit0 Priority: Interface inside: aggregate drop 0, aggregate transmit482 Class-map: class-default

Default Queueing

Task 3.10

Configure clientless WebVPN on the inside of ASA1 using the

following:

Connection named SSL_VPN

url: https://192.168.2.100/ssl

local authentication user ssl_user password cisco

group policy = SSL_VPN

To enter webvpn configuration mode, use the command

“webvpn”. We’ll enable it on the inside interface.

ASA-1(config)# webvpn

ASA-1(config-webvpn)# enable insideINFO: WebVPN and DTLS are enabled on 'inside'.




https://192.168.2.100/ssl


235



Now we’ll configure the group policy for webvpn. The vpn

tunnel protocol is set to webvpn and since no url list is

needed this is set to none.

ASA-1(config)# group-policy SSL_VPN attributesASA-1(config-group-policy)# vpn-tunnel-protocol webvpnASA-1(config-group-policy)# webvpnASA-1(config-group-webvpn)# url-list noneASA-1(config-group-webvpn)# configure terminal

Next we’ll configure the user, making sure that both the

group policy is set to our previously created policy.

ASA-1(config-webvpn)# username ssl_vpn password cisco privilege0ASA-1(config)# username ssl_vpn attributesASA-1(config-username)# vpn-group-policy SSL_VPNASA-1(config-username)# group-policy SSL_VPN internal

Finally the tunnel group is set up. Note that like the

EasyVPN configuration the type is set to remote access. The

default group policy is set to our policy which is set to

use webvpn. The specific webvpn attributes such as the

alias and URL are set using the tunnel-group <name> webvpn-

attributes command.

ASA-1(config)# tunnel-group SSL_VPN type remote-accessASA-1(config)# tunnel-group SSL_VPN general-attributesASA-1(config-tunnel-general)# default-group-policy SSL_VPNASA-1(config-tunnel-general)# tunnel-group SSL_VPN webvpn-attributesASA-1(config-tunnel-webvpn)# group-alias ssl enableASA-1(config-tunnel-webvpn)# group-url https://100.60.10.100/sslenableASA-1(config-tunnel-webvpn)# exit




https://100.60.10.100/ssl


236



Task 3.11

Configure high availability using the following:

R2 loop 0, peers with R3 and R4 HSRP address

IKE 1 PSK cisco, dh 2, 3des, sha

IKE 2 3des sha

Interesting traffic: ip between New loopback 222 of

10.yy.yy.2/24 and R5 loop 0

Do not add 10.yy.yy.0/24 to any routing protocols on

R2.

R2 configuration:

First we’ll create loopback 222.

R2(config)#int loop 222R2(config-if)# ip address 10.22.22.2 255.255.255.0

Then configure our basic ipsec settings. Most of this

should be very familiar with a few new settings. These

include isakmp and NAT keepalives so that the tunnel

problems can be detect and the tunnel rebuilt when failover

occurs. Also new is the local-address command in the crypto





237



map. This lets the tunnel be built between the HSRP address

and the R2 l0 address even though the crypto map is applied

to a physical interface.


R2(config)#crypto isakmp keepalive 10R2(config)#crypto isakmp nat keepalive 10R2(config)#crypto isakmp invalid-spi-recovery

R2(config)#crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmacesp-3desR2(cfg-crypto-trans)# exit

R2(config-if)#access-list 101 permit ip host 10.22.22.2 host5.5.5.5

R2(config)#crypto map MYMAP local-address loop 0R2(config)#crypto map MYMAP 1 ipsec-isakmpR2(config-crypto-map)# set transform-set ESP-3DES-SHAR2(config-crypto-map)# set peer 100.60.10.34R2(config-crypto-map)# match address 101R2(config-crypto-map)# exit

R2(config)#interface FastEthernet0/0.168R2(config-subif)# crypto map MYMAPR2(config-subif)# exit

R3 configuration:





238



Like the R2 configuration, this is mostly a basic IPSec

tunnel. The differences are isakmp and NAT keepalives, and

the crypto map. We’ve already talked about the keepalives.

Notice in the crypto map the reverse-route command is used.

When the IPSec tunnel is built, this will create a static

route to the subnets protected by the tunnel. This route is

then redistributed into OSPF so that R5 knows which router

(R3 or R4) to send the traffic to. This is a key concept

for VPN failover to function properly.

The other piece needed for VPN failover is the HSRP

configuration. Notice that the standby group is given a

name, and the crypto map is then applied to the name with

the redundancy keyword. This means the map is applied to

the standby IP, not the actual physical interface.








239



R3(config)#access-list 101 permit ip host 5.5.5.5 host10.22.22.2

R3(config)#crypto map MYMAP 1 ipsec-isakmpR3(config-crypto-map)# set transform-set ESP-3DES-SHAR3(config-crypto-map)# set peer 100.60.10.22R3(config-crypto-map)# match address 101R3(config-crypto-map)# reverse-routeR3(config-crypto-map)# exit

R3(config)#interface FastEthernet0/0.60R3(config-subif)# standby 1 name HAR3(config-subif)# crypto map MYMAP redundancy HAR3(config-subif)# exit

R3(config)#router ospf 1R3(config-router)#redistribute static subnetsR3(config-router)#end

R3#debug ip routingIP routing debugging is on

R4 configuration:

R4 configuration is the same as R3.



R4(config)#access-list 101 permit ip host 5.5.5.5 host10.22.22.2





240




R4(config)#crypto map MYMAP 1 ipsec-isakmpR4(config-crypto-map)# set transform-set ESP-3DES-SHAR4(config-crypto-map)# set peer 100.60.10.22R4(config-crypto-map)# match address 101R4(config-crypto-map)# reverseR4(config-crypto-map)# exit

R4(config)#interface FastEthernet0/0.60R4(config-subif)# standby 1 name HAR4(config-subif)# crypto map MYMAP redundancy HAR4(config-subif)# exit

R4(config)#router ospf 1R4(config-router)#redistribute static subnetsR4(config-router)#end

R4#debug ip routingIP routing debugging is on

R4(config)# int fa 0/0.60R4(config-subif)# ip ospf cost 2R4(config-subif)# int fa0/0.70R4(config-subif)# ip ospf cost 2

First test to see if the tunnel is built by pinging from

loopback 222 to 5.5.5.5.


Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:Packet sent with a source address of 10.22.22.2.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4ms

With debug ip routing turned on, you’ll see the static

route created on R3. This is because R3 is the active HSRP





241



router. Since the route is redistributed into OSPF R5 knows

to send the packets destined for 10.22.22.2 to R3. Although

not shown you can also verify this with a sho ip route on

R5.

R3#*Apr 14 22:50:54.571: RT: add 10.22.22.2/32 via 100.60.10.22,static metric [1/0]*Apr 14 22:50:54.571: RT: NET-RED 10.22.22.2/32




Now test failover by reloading R3.

R3#reloadProceed with reload? [confirm]

*Apr 14 22:52:26.871: %SYS-5-RELOAD: Reload requested byconsole. Reload Reason: Reload Command.*Apr 14 22:52:26.911: %HSRP-5-STATECHANGE: FastEthernet0/0.60Grp 1 state Active -> Init*Apr 14 22:52:26.911: RT: del 10.22.22.2/32 via 100.60.10.22,static metric [1/0]*Apr 14 22:52:26.911: RT: delete subnet route to 10.22.22.2/32





242



*Apr 14 22:52:26.911: RT: NET-RED 10.22.22.2/32*Apr 14 22:52:26.911: RT: delete network route to 10.0.0.0*Apr 14 22:52:26.911: RT: NET-RED 10.0.0.0/8

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCopyright (c) 2006 by cisco Systems, Inc.

Initializing memory for ECC

Failover isn’t instant, give some time for it to occur and

then repeat the ping from R2 loopback 222 to 5.5.5.5.


Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:Packet sent with a source address of 10.22.22.2.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4ms

You’ll notice that since R4 has now become the active HSRP

router, the static route is created and again redistributed

into OSPF. You’ve now verified that VPN redundancy is

functioning properly.

R4#*Apr 14 23:00:38.563: RT: add 10.22.22.2/32 via 100.60.10.22,static metric [1/0]*Apr 14 23:00:38.563: RT: NET-RED 10.22.22.2/32



protected vrf: (none)




http://www.cisco.com/techsupport


243



local ident (addr/mask/prot/port):(5.5.5.5/255.255.255.255/0/0) remote ident (addr/mask/prot/port):(10.22.22.2/255.255.255.255/0/0) current_peer 100.60.10.22 port 4500 PERMIT, flags={origin_is_acl,} #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0





244







245



ACS

outside24.234.0.0/24

DMZ172.16.0.0/24

E0/0.1 E0/1.100 .100R1

R2

R3

ASA1

.2

.1.101

IPS Lab Topoloy

.100E0/0.200

IPSVLAN 200

VLAN 2

inside192.168.2.0/16

IPS

ACS

.150

.3





246




ACS

outside24.234.0.0/24

DMZ172.16.0.0/24

E0/0.1 E0/1.100 .100R1

R2

R3

ASA1

.2

.1.101

IPS Lab Topoloy

.100E0/0.200

IPSVLAN 200

VLAN 2

inside192.168.2.0/16

IPS

ACS

.150

.3





247








248











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





249








250











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





251



Task 4.1

Log into the IPS with the username “cisco” and password

“ccie5796”

Task 4.2

Set the hostname to “IPS”, set the management IP to

192.168.2.150/16 and the default gateway to 192.168.2.100.

Allow network 192.168.0.0/16 to manage the IPS. Save your

configuration and verify that you can connect to the device

via IDM from the ACS server.

Task 4.3

Set the sensor to use a local NTP server at 192.168.2.3.

Set timezone to pacific (GMT -8)

Task 4.4

Restrict access to ONLY allow the ACS server to the sensor

configuration. (192.168.2.101)





252



Task 4.5

Setup a user called “ccbootcamp” with a password of

“ccbootcamp”. This user should be able to tune signatures

but not configure devices settings such as interfaces.

Task 4.6

Setup another user called “monitor” with a password of

“monitor123”. This user should only be able to view events.





253



Configure Security Policy

Task 4.7

Make a duplicate of policy sig0 called “sig1”.

Task 4.8

Make a duplicate of policy rules0 called “rules1”.

Task 4.9

Make a duplicate of anomaly detection policy ad0 called

“ad1”.





254



Configure Virtual Sensors

Task 4.10

Create an additional virtual sensor called “vs1”. Assign it

signature def policy “sig1”, event action policy “rules1”

and anomaly detection policy “ad1”.





255



Task 4.11

Setup a SPAN session on SW1 so that all traffic from port

fa0/10 is mirrored to port fa0/11.

Task 4.12

Configure an RSPAN session so that traffic from VLAN 3 on

SW1 is mirrored to port fa0/4 on SW3. Use VLAN 99 as the

remote vlan.





256



Task 4.13

Remove any existing inline pairs.

Task 4.14

Setup fa1/0 as a promiscuous interface, enable it and

assign it to virtual sensor “vs1”. This will monitor the

inside network.

Task 4.15

Setup interface g0/0 as an inline VLAN pair using vlans 2

and 200. Assign this new inline pair to sensor vs0. This

will monitor traffic between the outside and dmz. Verify

that the inline pair is working.





257



Task 4.16

Policy “sig1” should monitor traffic only. Ensure that no

signature within sig1 performs a TCP reset.

Task 4.17

Sort “sig0” signatures by name and search for ICMP. Find

the sig named “ICMP echo reply”. Enable it, then modify it

to only fire when R1 replies to R2’s echo request. Verify

that the signature is working.





258



Task 4.18

Internal users have been attacking the ACS server with

pings. Create a custom signature that will alert you when

any host pings the ACS server 50 times or more with packets

larger than 2000k





259



Task 4.19

Setup the ASA as a blocking device. For this task, create

a user with a username of “blocker” and password of

“blocker”. Use SSH to log into the ASA.

Task 4.20

Create a signature in sig0 that will fire when a user tries

to telnet using a username of “baduser” (case insensitive).

The IPS should use the ASA to block the host and generate

an alert when this happens.





260



Task 4.21

Enable interface fa1/1. Set this interface up as an

alternate TCP reset interface for fa1/0.

Task 4.22

Configure a signature within sig1 that will send a TCP

reset when a host attempts to telnet to R1 with a username

of “baduser”.





261



Task 4.23

Setup R2 as a blocking device. Use the username “blocker”

with a password “blocker” and a privilege of 15. Use telnet

to log into R2. Use the fa0/0 interface to rate limit

traffic.

Task 4.24

Enable and modify the rule within sig0 called “icmp flood”

so that it requests a rate limit of 1% of interface

bandwidth and generates an alert. Test the rate limit.





262



Task 4.25

Configure rules0 to protect against dangerous attacks by

changing any signature’s action to deny an attacker inline

if the risk rating is 90-100.

Task 4.26

R2 is a critical server. Configure rules0 so that the risk

rating of an attack against R2 is changed to reflect the

critical nature of the server, ensuring that these attacks

will be blocked.





263



Task 4.27

View events that have occurred on the sensor in the last

hour.

Task 4.28

Sort the view so only events with a threat rating of 90 or

greater are shown. Do not show error events.

Task 4.29

View attack response controller events.





264



Task 4.30

Setup ad1 anomaly detection to use the inside network for

the internal zone. For “ad0”, setup the DMZ network as the

internal zone.

Task 4.31

The ACS server’s normal traffic appears to be worm traffic

to the sensor. Exclude the ACS server from anomaly

detection in “ad1”.

Task 4.32

You’ve recently redesigned your DMZ and need to establish

baseline traffic patterns for anomaly detection using ad0.

Set “ad0” to learn mode.





265



Task 4.1

Log into the IPS with the username “cisco” and password

“ccie5796”

An un-configured IPS will have a default administrator

account username and password of cisco which you will have

to change upon initial login. CCBOOTCAMP’s IPS has been

preconfigured with a username of “cisco” and a password of

“ccie5796”.

IPS login: ciscoPassword: ccie5796Last login: Thu Mar 26 07:28:39 on ttyS0





266



Task 4.2

Set the hostname to “IPS”, set the management IP to

192.168.2.150/16 and the default gateway to 192.168.2.100.

Allow network 192.168.0.0/16 to manage the IPS. Save your

configuration and verify that you can connect to the device

via IDM from the ACS server.

Basic setup can be accomplished with the “setup” command.

This runs a step by step prompted guide that helps setup

basic connectivity so that IDM can be used for further

configuration. You will be shown the current configuration

and then will be allowed to modify it. During these steps

you will be able to set the hostname, management IP address

and access-list to allow management. At the end you can

review your configuration. You will then be prompted to

save your configuration.

sensor# setup

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.User ctrl-c to abort configuration dialog at any prompt.Default settings are in square brackets '[]'.

Current Configuration:





267



service hostnetwork-settingshost-ip 192.168.1.2/24,192.168.1.1host-name sensortelnet-option disabledftp-timeout 300no login-banner-textexittime-zone-settingsoffset 0standard-time-zone-name UTCexitsummertime-option disabledntp-option disabledexitservice web-serverport 443exitservice interfaceinline-interfaces pair-1description Created via setup by user ciscointerface1 FastEthernet1/0interface2 FastEthernet1/1exitinline-interfaces pair-2description Created via setup by user ciscointerface1 FastEthernet1/2interface2 FastEthernet1/3exitexitservice event-action-rules rules0overridesoverride-item-status Enabledrisk-rating-range 90-100exitexit

Current time: Thu Mar 26 18:52:03 2009

Setup Configuration last modified: Thu Mar 26 17:42:57 2009

Continue with configuration dialog?[yes]:





268



Enter host name[sensor]: IPSEnter IP interface[192.168.1.2/24,192.168.1.1]:192.168.2.150/16,192.168.2.100

Enter telnet-server status[disabled]:Enter web-server port[443]:Modify current access list?[no]: yesCurrent access list entries: No entriesPermit: 192.168.0.0/16Modify system clock settings?[no]:Modify interface/virtual sensor configuration?[no]:Modify default threat prevention settings?[no]:

The following configuration was entered.

service hostnetwork-settingshost-ip 192.168.2.150/16,192.168.2.100host-name IPStelnet-option disabledaccess-list 192.168.0.0/16ftp-timeout 300no login-banner-textexittime-zone-settingsoffset 0standard-time-zone-name UTCexitsummertime-option disabledntp-option disabledexitservice web-serverport 443exitservice interfaceinline-interfaces pair-1description Created via setup by user ciscointerface1 FastEthernet1/0interface2 FastEthernet1/1exitinline-interfaces pair-2description Created via setup by user cisco





269



interface1 FastEthernet1/2interface2 FastEthernet1/3exitexitservice event-action-rules rules0overridesoverride-item-status Enabledrisk-rating-range 90-100exitexit[0] Go to the command prompt without saving this config.[1] Return back to the setup without saving this config.[2] Save this configuration and exit setup.

Enter your selection[2]: 2Configuration Saved.*18:52:47 UTC Thu Mar 26 2009Modify system date and time?[no]:

With basic configuration setup you can now connect to the

sensor using a web browser to launch IDM (IPS Device

Manager), once again using “cisco”/”ccie5796” as your

administrator username and password.





270







271



Task 4.3

Set the sensor to use a local NTP server at 192.168.2.3.

Set timezone to pacific (GMT -8)

Proper time stamping is the key to a good IPS installation.

Synchronizing to an NTP server isn’t required but is highly

recommended so that events can be correlated with other

device logs. This is set under configuration->sensor setup-

>time. Hit apply when done with your changes, the sensor

will require a reboot.





272



Task 4.4

Restrict access to ONLY allow the ACS server to the sensor

configuration. (192.168.2.101)





273



This is done under configuration->sensor setup->allowed

hosts. Either edit an existing entry or add a new one. You

should only allow 192.168.2.101 255.255.255.255 meaning

just the ACS server. Hit apply when done.

Task 4.5

Setup a user called ccbootcamp with a password of

ccbootcamp. This user should be able to tune signatures but

not configure devices settings such as interfaces.

To create a user, go to configuration->sensor setup->users.

Click add to add a user. Our ccbootcamp user needs to be





274



assigned the role of operator, which can tune signatures

but not change physical device settings.





275



To test our new user, close IDM and log back in as

“ccbootcamp”. If you click on the interfaces configuration

you will receive the following pop-up letting you know that

you don’t have rights to modify it.





276



However, if you click on configure->policies->signature

definitions->sig0 you will be allowed. This lets us know

that our operator role is functioning.

Task 4.6

Setup another user called “monitor” with a password of

“monitor123”. This user should only be able to view events.

You’ll need to close IDM and log back in as user “cisco”,

password “ccie5796”. This user setup works the same as the

operator role setup, but the account is setup with the

viewer role. This role is even more restricted than the

operator role. A viewer can only view events and monitoring

information. After creation, close IDM and log in as

monitor. You should receive the following message when you

try to configure anything.

If you click on the monitoring button however, you are

allowed.





277



Task 4.7

Make a duplicate of policy sig0 called sig1.

The easiest way to create a new policy is to copy an

existing one and modify as necessary. This is done under

configuration->policies->signature definitions. Select

“sig0” and click on “clone”. Name the new policy “sig1”





278



Task 4.8

Make a duplicate of policy rules0 called “rules1”.

This process is very similar to signature cloning.

configuration->policies->event action rules.

Task 4.9

Make a duplicate of anomaly detection policy ad0 called

“ad1”.

This is very similar to the other two policies.

configuration->policies->anomaly detections.





279



Task 4.10

Create an additional virtual sensor called “vs1”. Assign it

signature def policy “sig1”, event action policy “rules1”

and anomaly detection policy “ad1”.

This is done under configuration->analysis engine->virtual

sensors. Click on add to create the new vs1 virtual sensor.

Name it vs1 and change the policies from sig0 to sig1,

rules0 to rules1, etc…. Note that this new virtual sensor

can be assigned to interfaces but we won’t do so now.





280



Task 4.11

Setup a SPAN session on SW1 so that all traffic from port

fa0/10 is mirrored to port fa0/11.

SPAN sessions allow network traffic from an interface or

vlan(s) to be mirrored to a port. This port is usually

connected to a network sniffer or promiscuous IPS. SPAN

sessions are setup with the “monitor session” command. They

must have a source and destination.





281



SW1(config)#monitor session 10 source interface fa0/10SW1(config)#monitor session 10 destination interface fa0/11

Task 4.12

Configure an RSPAN session so that traffic from VLAN 3 on

SW1 is mirrored to port fa0/4 on SW3. Use VLAN 99 as the

remote vlan.

RSPAN functions similarly to SPAN but allows for data to be

mirrored from a source to a destination VLAN. This VLAN can

then be carried to remote switches so they can use it as a

source for their own span sessions. In this case the

traffic will be used by the IPS for the promiscuous sensor.

First an RSPAN VLAN must be configured on SW1. Then it can

be used as a destination in a monitor session.

SW1(config)#vlan 99SW1(config-vlan)#remote-spanSW1(config-vlan)#exitSW1(config)#monitor session 1 source vlan 3SW1(config)#monitor session 1 destination remote vlan 99

On SW 3, the remote vlan is used as a source and the

destination is set to a physical port. This port is

connected to the IPS.





282



SW3(config)#monitor session 1 source remote vlan 99SW3(config)#monitor session 1 destination interface fa0/4





283



Task 4.13

Remove any existing inline pairs.

Your IPS may come with its interfaces pre-configured as

inline pairs. To free up these interfaces for other use,

you must delete the pairs. This is done under

configuration->interface configuration->inline pairs.

Select the pair you want to delete and click delete.





284



Task 4.14

Setup fa1/0 as a promiscuous interface, enable it and

assign it to virtual sensor “vs1”. This will monitor the

inside network.

Interfaces not setup as inline are promiscuous by default.

Interfaces are enabled under configuration->interface

configuration->interfaces. Select the interface fa1/0 and

click edit. Click on the enabled radio button and click ok

to enable.





285



Now you have to assign the interface to virtual sensor vs1.


sensors. Select “vs1” and click on edit. Select fa1/0 and

click the assign button. You will see a yes in the assigned

field. Click on ok.





286



Task 4.15

Setup g0/0 as an inline VLAN pair using vlans 2 and 200.

Assign this new inline pair to sensor “vs0”. This will

monitor traffic between the outside and dmz. Verify that

the inline pair is working.

Inline VLAN pairs force layer 3 traffic to traverse a layer

2 bridge on the IPS. Because the traffic must flow through





287



the IPS at layer 2, it is able to inspect and pass or drop

traffic in real time.

To setup the VLAN pair, go to configuration->interface

configuration->VLAN pairs and click on add. Select g0/0 and

enter a subinterface between 1 and 255, I used 2 since

we’re dealing with VLAN 2. Set VLAN A to 2 and VLAN B to

200.

Now we have to assign g0/0 (and thus the inline vlan pair)

to virtual sensor vs0. This is done exactly the same as

with our promiscuous interface above. Make sure that the

g0/0 interface is enabled as well.

To verify that the pair is working, simply ping from R2 to

R1. Since R2 is on a different vlan than its default





288



gateway (the ASA) the ping will only succeed if the pair is

bridging between the two.

Task 4.16

Policy “sig1” should monitor traffic only. Ensure that no

signature within sig1 performs a TCP reset.

Signatures for internal traffic are often setup to monitor

only to avoid disrupting corporate network traffic. To do

this, go to configuration->policies->signature definitions-

>sig1 and click on select all. All of your active

signatures will now be selected.

Click on actions to modify actions for all selected

signatures. Uncheck Reset TCP Connection and click on ok.

This will remove the action. Click apply when done.





289



Task 4.17

Sort sig0’s signatures by name and search for ICMP. Find

the sig named ICMP echo reply. Enable it, then modify it to

only fire when R1 replies to R2’s echo request. Verify that

the signature is working.

You can sort signatures based on a variety of criteria. To

sort by name, go to configuration->policies->signature

definitions->sig0 and click on select by. Choose Sig Name.

You can type a string in the “Enter Sig Name” field and

then click find. In our case we’ll enter ICMP.





290



Sig 2000 is the ICMP echo reply signature we’re looking

for. Click on it to select, and then click on enable.

The signature is now active, but we need to modify it so

that it will only fire on echo replies from R1 to R2. Click

on edit to edit the signature. We’ll need to scroll down

and set specific ip addr options. Set the source to

24.234.0.1 (R1) and the destination to 172.16.0.2 (R2).

Click ok when done.





291



To verify the sig is working we need to generate echo

replies from R1 to R2, so we’ll ping from R2 to R1 which

will of course generate replies.

R2#ping 24.234.0.1






292



Now on the IPS we’ll go to monitoring->events and click on

view. There is an ICMP Echo Reply event shown, so the

signature has fired.





293



Task 4.18

Internal users have been attacking the ACS server with

pings. Create a custom signature that will alert you when

any host pings the ACS server 50 times or more with packets

larger than 2000k

If you can’t find a signature to clone and modify, you can

create a custom signature. This is done by going to

configuration->policies->signature definitions->sig1 and

clicking on the custom signature tab. Start the wizard.

We’ll be using the atomic IP engine since it allows us

greater detection detail.

Call the signature Large Pings to ACS, a descriptive title.





294



Now configure the signature. We’ll set the protocol to

icmp, the ip payload length to 2000-18024 and the

destination address to 192.168.2.101 (The ACS server)





295



The signature fidelity and severity can be left at the

defaults. We have now setup our sig to detect large pings,

but not 50 or more. We’ll need to click on the advanced

button to set this.





296



Set the event count to 50 and the event count key to

attacker address.





297



Since attacks of this type could generate a large number of

alerts, we’ll use summarization.





298



The summary interval will be set to every 60 seconds. This

means the sig will only generate an alert once a minute

regardless of how many batches of 50 large pings come from

a single attacker. Click finish to complete the wizard.





299



Now we’ll test our sig by generating large pings from R3 to

the ACS server.

R3#ping 192.168.2.101 size 5000 repeat 1000

Type escape sequence to abort.Sending 1000, 5000-byte ICMP Echos to 192.168.2.101, timeout is2 seconds:!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!





300



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (1000/1000), round-trip min/avg/max= 1/3/28 ms

When we view events, notice that the sig only generated one

alert even though we pinged the ACS server 1000 times.





301



Task 4.19

Setup the ASA as a blocking device. For this task, create

a user with a username and password of “blocker”. Use SSH

to log into the ASA.

To add a blocking device, we must first setup a login

profile. Go to configuration->blocking->device login

profile. Click on add and enter our username and password

of “blocker”.





302



Now we can add our blocking device. This is done under

configuration->blocking->blocking devices. Enter the IP

address of the ASA inside interface, use our newly created

blocker profile and set the device type to pix/asa. Click

on ok and apply when done.





303



Now we’ll need to configure the ASA. This involves creating

the “blocker” username/password, setting up SSH

authentication and allowing SSH from the IPS.

ASA1# conf tASA1(config)# username blocker password blocker privilege 15ASA1(config)# aaa authentication ssh console LOCALASA1(config)# ssh 192.168.2.150 255.255.255.255 inside

Finally we must obtain the ASA’s ssh public host key so it

can be set as a known host. Do this under configuration-

>ssh->known host keys. Click on add. Enter the IP address

of the ASA and click on retrieve host key. When the key has

been added, click ok and apply.





304



Task 4.20

Create a signature in sig0 that will fire when a user tries

to telnet using a username of “baduser”, case insensitive.

The IPS should use the ASA to block the host and generate

an alert when this happens.

This involves creating a custom signature. We are already

familiar with running the wizard. Use the string TCP engine

and create a regex that will match the string “baduser”

regardless of case. Set the service to port 23, telnet. The





305



event action should be produce alert and request block

host.

With the signature complete, attempt to telnet from R2 to

R1 using the username “baduser”. The host will be blocked

and further communication of any type will be unsuccessful.



Username: baduser[Connection to 24.234.0.1 closed by foreign host]





306



R2#ping 24.234.0.1


Now on the IPS, go to monitoring->active host blocks.

You’ll see a block for host 172.16.0.2.

Task 4.21





307



Enable interface fa1/1. Set this interface up as an

alternate TCP reset interface for fa1/0.

An interface in promiscuous mode cannot drop connections

inline by definition. It also cannot send normal network

traffic since it relies on the SPAN port of the switch it

is attached to. It can however, use another interface to

send TCP resets post attack. While this isn’t ideal it can

provide SOME response to attacks which is better than

nothing.

We already know how to enable an interface under configure-

>interface configuration->interfaces. After enabling fa1/1,

we need to set it as an alternate tcp reset interface for

fa1/0. Select fa1/0 and click on edit. Check the use

alternate tcp reset interface and choose fa1/1 from the

dropdown menu. Fa1/1 will now be used to send tcp resets

for fa1/0.





308



Task 4.22

Configure a signature within sig1 that will send a TCP

reset when a host attempts to telnet to R1 with a username

of “baduser”.

This signature will be identical to the custom sig we

created for our blocking task, except for the event action.

This will be “reset tcp connection” instead of “block

host”.





309



We can test the signature by attempting to telnet from R3

to R1. When prompted try to login with a username of

“baduser”. The connection will be immediately reset.



Username: baduser[Connection to 24.234.0.1 closed by foreign host]

Task 4.23

Setup R2 as a blocking device. Use the username of

“blocker” with a password of “blocker” and a privilege of

15. Use telnet to log into R2. Use the fa0/0 interface to

rate limit traffic.

We already know how to setup a blocking device. The

difference is R2 will only be set to rate limit instead of

block, and the communication method will be telnet instead

of SSH.





310



Now we’ll also need to setup what interface will be doing

the blocking. This is done under configuration->blocking-

>router blocking device interfaces. Click on add, select

172.16.0.2 (R2) as the blocking device. Enter fa0/0 as the

blocking interface. The direction should be in.





311



The username “blocker” must be configured on R2 as well as

the aaa login configuration.

R2#conf tEnter configuration commands, one per line. End with CNTL/Z.R2(config)#username blocker privilege 15 password blockerR2(config)#aaa new-modelR2(config)#aaa authentication login default localR2(config)#aaa authorization exec default localR2(config)#line vty 0 4R2(config-line)#login authentication default

Task 4.24

Enable and modify the rule within sig0 called icmp flood so

that it requests a rate limit of 1% of interface bandwidth

and generates an alert. Test the rate limit.





312



Sort sig0’s signatures by name and search for the icmp

flood signature. Select it by clicking on it and then click

enable. Click on actions and add the request rate limit

action. Click on ok.

Click on edit and change the external rate limit percentage

to 1%. Click ok when done.





313



Now we can test our signature by generating large pings

from R1 to R2.

R1#ping 172.16.0.2 repeat 50 size 10000

Type escape sequence to abort.

Sending 50, 10000-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:

!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!

Success rate is 76 percent (38/50), round-trip min/avg/max = 12/13/16 ms





314



The rate limit is clearly working, but you can also verify

the limit under monitoring->rate limits. You can also

remove the rate limit by selecting it and clicking delete.

Task 4.25





315



Configure “rules0” to protect against dangerous attacks by

changing any signature’s action to deny an attacker inline

if the risk rating is 90-100.

This is done with event action overrides. As the name

suggests, if an event has a high enough risk rating, the

override will change the action to the configured action.

This is configured in configuration->policies->event action

rules->rules0->event action overrides tab. We’ll want to

disable the existing deny packet inline and add a new

override. This override will have an action of deny

attacker inline and a risk rating of 90-100.

Task 4.26

R2 is a critical server. Configure rules0 so that the risk

rating of an attack against R2 is changed to reflect the





316



critical nature of the server, ensuring that these attacks

will be blocked.

Specific hosts or networks can be given a target value

rating which will modify the risk rating of an event. This

is configured in configuration->policies->event action

rules->rules0->target value rating tab. Click on add, enter

the IP for R2 and set the TVR to mission critical. This

will greatly boost the risk rating of attacks against R2.

With our configuration complete, we can test it by doing a

large ping from R1 to R2. In our last section this was

rated limited. Now since the TVR of R2 is boosting the

threat rating, R1 is denied inline instead. (Ping stopped)





317



R1#ping 172.16.0.2 repeat 1000 size 10000

Type escape sequence to abort.

Sending 1000, 10000-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!......

Success rate is 80 percent (24/30), round-trip min/avg/max = 12/15/16 ms

You can verify the attacker was blocked under monitoring-

>denied attackers.





318



Task 4.27

View events that have occurred on the sensor in the last

hour.

Monitoring of events on the sensor is found under

monitoring->events. The task asks for the default settings,

viewing events that occurred in the last hour. This is done

by clicking on the view button.





319



Task 4.28

Sort the view so only events with a threat rating of 90 or

greater are shown. Do not show error events.

This is done by changing the min field to 90 under show

alert events. Now only events with a threat rating of 90-

100 will be shown. We’ll also uncheck the error and fatal

boxes under show error events. If you click on view now you

should not show any events as none meet the criteria for

viewing.





320



Task 4.29

View attack response controller events.

This is done by checking the show attack response

controller events box. If you click on view now you will be

shown the block and/or rate limit requests from our

previous tasks.





321



Task 4.30





322



Setup “ad1” anomaly detection to use the inside network for

the internal zone. For “ad0” setup the DMZ network as the

internal zone.

The internal zone represents your internal network in

anomaly detection, in our case the 192.168.0.0/16 network.

This is setup under configuration->anomaly detections->ad1-

>internal zone tab. We’ll enter the range of addresses

192.168.0.0-192.168.255.255. The configuration for ad0 is

identical except for the DMZ address range.

Task 4.31

The ACS server’s normal traffic appears to be worm traffic

to the sensor. Exclude the ACS server from anomaly

detection in “ad1”.





323



If a device is causing AD signatures to fire incorrectly

you can exclude it from anomaly detection under the

configuration->anomaly detections->ad1->operation settings

tab. Make sure that enable ignored IP addresses box is

checked and enter the ACS server IP address under source

addresses.

Task 4.32





324



You’ve recently redesigned your DMZ and need to establish

baseline traffic patterns for anomaly detection using ad0.

Set “ad0” to learn mode.

When you want anomaly detection to establish a network

baseline for normal traffic you can put it into learn mode.


sensors. Select “vs0” and click on edit. Under the AD

operational mode drop down box select learn.





325



Chapter 5 – Identity Management





326








327







328








329







330








331











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





332








333











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





334



Task 5.1

Configure TACACS+ on R6 so that logins will authenticate to

the ACS server by default. Use a key of “cisco”. The

console should not require authentication.

Task 5.2

Ensure exec mode is authorized and accounted for using

TACACS+. Also, use accounting for all privilege level 0,1,

and 15 commands.

Task 5.3

Configure ASA1 to use the ACS as a RADIUS server. Do not

setup any further AAA.





335



Task 5.4

On the ACS server create a new ACS administrator named

“admin” with a password of “cisco”. This user should have

unlimited access to ACS.

Task 5.5

Setup R6 as a client within the ACS server using TACACS+ as

the protocol and “cisco” as the key.

Task 5.6

Setup ASA1 as a client using RADIUS as the protocol and

“cisco” as the key.

Task 5.7

Create a shell command authorization set to allow any

command and associate this command auth set with a group

named “super”. Ensure that this group has the privilege

level to use any command.

Task 5.8

Create a user ID on the ACS named “superuser” with password

of “cisco” and add this user to the “super” group.





336



Task 5.9

Verify that this user can login to R6 via telnet and that

all commands are available. Also verify that accounting is

working for both EXEC mode and privilege level 15 commands.





337



Task 5.10

Configure the ACS server so that authentication via the

windows database is possible. Do not require dialin

permission for windows users to authenticate.

Task 5.11

Ensure that users not found in the ACS local database will

be authenticated against the windows database and will use

the “super” group for authorization.

Task 5.12

Verify that windows authentication is functional by logging

in to R6 with a username of “enablemode” and password

“enableme”.





338



Task 5.13

If the ACS server attempts to access R2 via http, R5 should

intercept and authenticate the traffic before allowing it.

Use a local username of “authp” and a password of “cisco”

to do this.

Task 5.14

Require authentication via telnet at ASA1 before R6 can

ping SW2. Use RADIUS and a virtual telnet address of

24.234.51.50. Authenticate with the ACS windows username of

“enablemode” and a password of “enableme”.





339



Task 5.15

Configure 802.1x on SW2. After successful authentication to

the ACS server using RADIUS, clients should be placed into

VLAN111. If a client doesn’t have an 802.1x supplicant they

should be placed in VLAN432. Use F0/20 for this

configuration, leave the port shutdown. Add a user to ACS

named “dot1xuser” with password “cisco”.

Task 5.16

Verify that you can authenticate as this user from SW2

using the “test aaa” command.





340



Task 5.17

On R2, configure a local user account named “ping” with

password “cisco”. Allow this user to perform an extended

ping but do not give access to other privilege level 15

commands.

Task 5.18

Create a user on the ACS server called “limited” with a

password of “cisco” that can only authenticate on R6 and

can only use level 1 show commands and exit.

Task 5.1





341



Configure TACACS+ on R6 so that logins will authenticate to

the ACS server by default. Use a key of “cisco”. The

console should not require authentication.

AAA can be configured locally or by using a remote server.

In this case we’ll be using the ACS server so we need to

configure the router to communicate with it first.

R6(config)#tacacs-server host 192.168.2.101R6(config)#tacacs-server key cisco

Next, we’ll configure AAA itself to authenticate to the ACS

server by default for logins. This is done with the “aaa”

commands. First we’ll start a new model, then configure

login authentication setting the default method list to use

tacacs+ as the method.

R6(config)#aaa new-modelR6(config)#aaa authentication login default group tacacs+

Finally, we need to make sure we can always get in via the

console even if the connection to the ACS server is not

working. To do this we’ll create a special method list

called CONSOLE with no authentication method. We’ll apply

it to the console port.

R6(config)#aaa authentication login CONSOLE noneR6(config)#line con 0R6(config-line)#login authentication CONSOLE





342



We’ll test by logging out of the console port and then back

in. There will be no prompt for username or password.

R6#exit

R6 con0 is now available

Press RETURN to get started.

R6>

Task 5.2

Ensure exec mode is authorized and accounted for using

TACACS+. Also, use accounting for all privilege level 0,1,

and 15 commands.

Authorization and Accounting are the other 2 A’s in AAA.

These are also setup using the “aaa” command with the

“authorization” and “accounting” options.

R6(config)#aaa authorization exec default group tacacs+R6(config)#aaa accounting exec default start-stop group tacacs+R6(config)#aaa accounting commands 0 default start-stop grouptacacs+R6(config)#aaa accounting commands 1 default start-stop grouptacacs+R6(config)#aaa accounting commands 15 default start-stop grouptacacs+





343



Task 5.3

Configure ASA1 to use the ACS as a RADIUS server. Do not

setup any further AAA.

Similar to a router, the ASA can either do local or remote

AAA. We’re going to set the ASA up to use RADIUS instead of

TACACS+. First we’ll setup a server group called RADIUS

that will use the protocol radius. Then we’ll add a host to

this server group which will use the key “cisco”.

ASA1(config)# aaa-server RADIUS protocol radiusASA1(config-aaa-server-group)# aaa-server RADIUS host192.168.2.101ASA1(config-aaa-server-host)# key cisco

Task 5.4

On the ACS server create a new ACS administrator named

“admin” with a password of “cisco”. This user should have

unlimited access to ACS.

There should be at least one admin account on the ACS. It

is setup under administration control. Click on add

administrator. Enter the username and password. Under

Administrator Privileges click on grant all. Click submit

when done.





344



Task 5.5

Setup R6 as a client within the ACS server using TACACS+ as

the protocol and “cisco” as the key.

Before a device can authenticate to the ACS server it must

be setup as a client. This is done under network

configuration. Click on add entry under the AAA clients

box. Enter the name, ip address, key, and protocol to be

used by the client. When done click on submit + apply.





345







346



Task 5.6

Setup ASA1 as a client using RADIUS as the protocol and

“cisco” as the key.

This is done the same as it was for R6. Instead of

selecting TACACS+ as the protocol select RADIUS. You’ll

notice there are several forms of RADIUS you can choose.

The choice is based on the vendor/model of the device, in

our case VPN3000/ASA/PIX 7.x.





347



Task 5.7

Create a shell command authorization set to allow any

command and associate this command auth set with a group

named “super”. Ensure that this group has the privilege

level to use any command.

Shell command authorization sets are used to grant access

to specific commands. They are setup under shared profile

components. Click on Shell Command Authorization Sets.

Enter a name for the set. Normally you would add commands

here which would give the user access to those commands

when logged on to the device. However we will enter no

commands and check the permit unmatched commands radio

button. This will give us access to all commands when

logged in. Click on submit when done.





348



Shell command authorization sets are attached to users or

groups. We’ll create a group called “super” under group

setup. Select a group from the drop down box and click on

rename group. Call it “super” and submit. Then click on

edit settings. Scroll down to the TACACS+ section and put a

check in the Shell (exec) box. Under the Shell Command

Authorization section click the radio button next to assign

a shell authorization set to any device. Select the “super”

authorization set that we created. Click on submit +

restart.





349



Task 5.8

Create a user ID on the ACS named “superuser” with password

of “cisco” and add this user to the “super” group.

Users are created under user setup. Enter the name

“superuser” in the user: field and click on add/edit. Once

in the user setup section you can enter a password and

select the “super” group under the group to which the user

is assigned. Click on submit when you are done.





350



Task 5.9

Verify that this user can login to R6 via telnet and that

all commands are available. Also verify that accounting is

working for both EXEC mode and privilege level 15 commands.

This is done by telneting from the ACS server to R6 and

logging in as superuser. Obviously we can’t test ALL the

commands on the router, but we can go into config mode and

bring an interface up/down as a good indicator we have full

access.





351



EXEC accounting is verified under reports and activity.

Click on TACACS+ accounting.





352



Command accounting is seen by clicking on TACACS+

Administration. You can see the commands issued in the

report.





353



Task 5.10

Configure the ACS server so that authentication via the

windows database is possible. Do not require dialin

permission for windows users to authenticate.

This is done under external user databases. Click on

configure database, windows database. Click the configure

button. Uncheck the verify that grant dialin permission

box. Under the configure domain list select \LOCAL and move





354



it from available domains to domain list. Click submit when

done.

Task 5.11

Ensure that users not found in the ACS local database will

be authenticated against the windows database and will use

the “super” group for authorization.

The first part of this task is done under external user

databases, unknown user policy. The policy should be set to

check the following external user databases and the Windows

Database should be selected. Click on submit when done.





355



Next, you’ll need to map an ACS group to the windows

database. This is also done under external user databases

by clicking on database group mapping and windows database.

Click on new configuration and then enter \LOCAL in the

domain field. Click submit.





356



Now, click on the newly created \LOCAL domain. Click on the

add mapping button. Click on users and add to selected.

From the CiscoSecure group dropdown, select the “Super”

group. Click submit.





357



Task 5.12

Verify that windows authentication is functional by logging

in to R6 with a username of “enablemode” and password

“enableme”.

Telnet from the ACS to R6. After login, your rights will be

the same as they were when you logged in as superuser.





358



Task 5.13

If the ACS server attempts to access R2 via http, R5 should

intercept and authenticate the traffic before allowing it.

Use a local username of “authp” and a password of “cisco”

to do this.

Authentication proxy allows a router to require

authentication before allowing certain traffic. First we’ll

create a local user, then configure AAA.

R5(config)#username authp password ciscoR5(config)#aaa new-modelR5(config)#aaa authentication login authp localR5(config)#aaa authorization auth-proxy default local





359



Now, we can setup an auth proxy rule that will intercept

http. The final step is to apply it to an interface, in

this case fa0/0.51 which faces the ACS server.

R5(config)#ip auth-proxy name AUTHP httpR5(config)#interface fa0/0.51R5(config-subif)#ip auth-proxy AUTHP

Test by attempting an http connection from the ACS to R2.

You’ll be prompted for a username and password. Enter

“authp”/”cisco” and the traffic will be allowed.





360



Task 5.14

Require authentication via telnet at ASA1 before R6 can

ping SW2. Use RADIUS and a virtual telnet address of

24.234.51.50. Authenticate with the ACS windows username of

“enablemode” and a password of “enableme”.

This is known as cut through proxy on an ASA. Similar to

auth proxy, traffic must be authenticated before it is

allowed. First we’ll configure our virtual telnet address.

ASA1(config)# virtual telnet 24.234.51.50

Then setup our outside access list to permit traffic both

to the virtual telnet address and from SW2 to R6.

ASA1(config)# access-list outside line 1 permit tcp any host24.234.51.50 eq telnetASA1(config)# access-list outside line 2 permit icmp host24.234.51.15 host 192.168.0.6

Next we’ll create an ACL for traffic requiring

authentication to be matched against.

ASA1(config)# access-list VTELNET extended permit icmp host24.234.51.15 host 192.168.0.6ASA1(config)# access-list VTELNET extended permit tcp host24.234.51.15 host 24.234.51.50 eq telnet

Virtual telnet requires a static translation from the

virtual telnet address to itself.





361



ASA1(config)# static (inside,outside) 24.234.51.50 24.234.51.50netmask 255.255.255.255

Finally, we’ll use AAA to authenticate traffic that matches

our VTELNET ACL.

ASA1(config)# aaa authentication match VTELNET outside RADIUS

With the configuration in place, try pinging from SW2 to

R6. It will fail.

SW2#ping 192.168.0.6


Now we’ll telnet to the virtual telnet address and

authenticate using the windows username and password of

“enablemode”/”enableme”. After authentication try the ping

again. It will be successful.

SW2#telnet 24.234.51.50Trying 24.234.51.50 ... Open

LOGIN Authentication

Username: enablemode

Password:

Authentication Successful





362



[Connection to 24.234.51.50 closed by foreign host]SW2#ping 192.168.0.6


On the ASA you can verify authentication with show uauth.

ASA1# show uauth Current Most SeenAuthenticated Users 1 1Authen In Progress 0 1user 'enablemode' at 24.234.51.15, authenticated absolute timeout: 0:05:00 inactivity timeout: 0:00:00

Task 5.15

Configure 802.1x on SW2. After successful authentication to

the ACS server using RADIUS, clients should be placed into

VLAN111. If a client doesn’t have an 802.1x supplicant they

should be placed in VLAN432. Use F0/20 for this

configuration, leave the port shutdown. Add a user to ACS

named “dot1xuser” with password “cisco”.

802.1x requires configuration on both the switch and ACS

server. First we’ll need to setup the switch to

authenticate to the ACS using RADIUS.





363



SW2(config)#radius-server host 192.168.2.101SW2(config)#radius-server key cisco

Then we’ll configure AAA to use radius for dot1x and

globally enable it on the switch.

SW2(config)#aaa new-modelSW2(config)#aaa authentication dot1x default group radiusSW2(config)#aaa authorization network default group radiusSW2(config)#aaa accounting dot1x default start-stop group radiusSW2(config)#dot1x system-auth-control

We’ll create the VLANs that will be used by dot1x

SW2(config)#vlan 111,432SW2(config-vlan)#exit

And configure the port specific dot1x commands. Note the

guest VLAN. This is used by clients that do not have dot1x

supplicant software.

SW2(config)#interface FastEthernet0/20SW2(config-if)# switchport mode accessSW2(config-if)# shutdownSW2(config-if)# dot1x pae authenticatorSW2(config-if)# dot1x port-control autoSW2(config-if)# dot1x guest-vlan 432

Now we’ll move on to the ACS configuration. First we’ll

setup SW2 as an AAA client. Note that we’re using RADIUS

(IETF). Click on submit + apply when done.





364



Now we’ll need to setup RADIUS to allow for per user

attributes. This is done under interface configuration.

Click on RADIUS (IETF) which is what SW2 is going to

authenticate with. Place check marks in the user column for

attributes 64, 65 and 81. Click on submit.





365



Now we’ll need to setup our dot1x user. You should already

know how to create a user. Scroll down to the IETF RADIUS

attributes section. Put check marks in attributes 64, 65

and 81. For attribute 64 select VLAN from the dropdown

menu. For attribute 65 select 802. For attribute 81 type in

VLAN0111 which must exactly match the name of the VLAN on

the switch. This will assign the user to VLAN 111 when they

authenticate successfully.





366



The final step for the configuration to function properly

is the ability of SW2 to communicate with the ACS server.

RADIUS must be allowed through the firewall.

ASA1(config)# access-list outside line 1 permit udp host24.234.51.15 host 192.168.2.101

Task 5.16

Verify that you can authenticate as this user from SW2

using the “test aaa” command.





367



Although there isn’t an 802.1x supplicant connected you can

verify that authentication will work using the “test aaa”

command.

SW2#test aaa group radius dot1xuser cisco legacyAttempting authentication test to server-group radius usingradiusUser was successfully authenticated.

Task 5.17

On R2, configure a local user account named “ping” with

password “cisco”. Allow this user to perform an extended

ping but do not give access to other privilege level 15

commands.

This is done by changing the privilege level of the “ping”

command. We’ll do that, and then create a user of the same

privilege level.

R2(config)#privilege exec level 1 pingR2(config)#username ping privilege 1 password cisco

Then we’ll setup AAA to authenticate and authorize the

user. We’ll setup the VTY lines 0-4 to use the AAA

configuration.





368



R2(config)#aaa new-modelR2(config)#aaa authentication login AUTHEN localR2(config)#aaa authorization exec AUTHOR localR2(config)#line vty 0 4R2(config-line)#authorization exec AUTHORR2(config-line)# login authentication AUTHEN

Now, we can test by telneting from R5 to R2. Once

authenticated as ping we can issue an extended ping from

user exec mode.



Username: pingPassword:

R2>pingProtocol [ip]:Target IP address: 24.234.25.5Repeat count [5]:Datagram size [100]: 1000Timeout in seconds [2]:Extended commands [n]:Sweep range of sizes [n]:Type escape sequence to abort.Sending 5, 1000-byte ICMP Echos to 24.234.25.5, timeout is 2seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/2/4 ms

Task 5.18





369



Create a user on the ACS server called “limited” with a

password of “cisco” that can only authenticate on R6 and

can only use level 1 show commands and exit.

This will be accomplished with various per user attributes.

We’ll create the user which we already know how to do.

Scrolling down, the first thing we’ll set is per user

network access restrictions. Set the table to define

permitted calling/point of access locations. Select R6 from

the AAA clients dropdown. The port and address will both be

*.





370



Under the advanced TACACS+ settings we’ll set the max

privilege for any AAA client to 1.

Under TACACS+ setting click on Shell (exec) and set the

privilege level to 1.





371



Click the radio button for per user command authorization.

Set it to deny unmatched commands. Enter show for the

command and permit unmatched arguments. Click on submit.

We’ll have to edit the user after submitting to add the

exit command.





372



With both commands entered, we’ll submit the user again and

verify that we can login to R6 but not issue commands other

than privilege level 1 show and exit. All other commands

will give a command authorization failed.





373







374







375







376








377







378








379











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





380







381











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





382



Task 6.1

Configure RIP MD5 authentication on the link between R1 and

ASA1.

Task 6.2

Configure OSPF MD5 authentication on the link between R2

and ASA1.

Task 6.3

Configure EIGRP MD5 authentication on the link between

ASA1, R3, and R4.

Task 6.4

Configure BGP peering between R1 and R4. R1 should

advertise the 192.168.0.0 /16 network. R4 should advertise

the 24.234.4.0, 24.234.5.0 and 24.234.6.0 networks.

Task 6.5

Configure MD5 authentication for the BGP peering between R1

and R4.

Task 6.6

Configure R1 to deny the route 24.234.5.0 via BGP, but

accept all other BGP routes from R4.





383



Task 6.7

Configure R5’s Control Plane to drop telnet traffic from R3

FastEthernet0/0, and rate limit all remaining telnet

traffic to 8000bps. Any telnet traffic that exceeds

8000bps should be dropped.

Task 6.8

Configure R6’s Control Plane to rate limit all ICMP traffic

outbound to 8000bps with a burst of 1000 bytes. Traffic

should be dropped when it exceeds.





384



Task 6.9

Configure R1’s control plane host sub-interface to drop all

telnet packets destined for any of its interfaces.

Task 6.10

Modify R1’s control plane configuration to only drop all

closed ports.

Task 6.11

Configure R2’s control plane host sub-interface to limit

the number of SNMP packets in the control-plane IP input

queue to 25.

Task 6.12

Configure SW2 interface FastEthernet0/14 to drop unicast

packets when 75% of the interface bandwidth is reached. SW2

should continue blocking all unicast packets until unicast

traffic falls below 50%.

Task 6.13

Configure SW2 interface FastEthernet0/15 to drop broadcast

packets when the interface reaches 3000bps. The interface





385



should continue blocking all broadcast packets until they

drop below 1000bps. During the broadcast storm, SW2 should

shutdown this interface.

Task 6.14

Configure SW2 interface FastEthernet0/16 to drop multicast

packets when the interface reaches 1000pps. The interface

should continue blocking all multicast packets until

multicast packets drop below 700pps. An SNMP trap should be

sent when a storm is detected.

Task 6.15

Configure SW2 to keep track of the small-frame rate-

arrival. Configure interface FastEthernet0/10 to drop small

frames when it reaches 3000 packets per second.

Task 6.16

Configure SW2 to recovery from a port being disabled due to

small frames. SW2 should re-enable the interface after 45

seconds.

Task 6.17

Configure SW2 interface FastEthernet0/11 to block the

forwarding of unknown unicast and multicast packets.

Task 6.18

Configure SW1 interface FastEthernet0/3 so that a maximum

of 1 mac-address is allowed. If there is a violation the

port should be shutdown.





386



Task 6.19

Configure SW1 interface FastEthernet0/4 so the first mac-

address learned is copied into the running configuration.

Task 6.20

Configure SW1 to check for the correction of a port

security violations every 30 seconds and to re-enable the

port if the violation is corrected.





387



Task 6.21

Configure R3 to delete all packets that contain IP Options.

Task 6.22

Configure R6 for logging. Disable logging to the console

and monitor. Configure R6 to limit log generation and

transmission to 100 messages per second except for log

levels 4 (warnings) through 0 (emergencies).

Task 6.23

Configure R6 to limit log-induced process switching to one

packet per 10 milliseconds.





388



Task 6.24

Secure R5 by disabling unnecessary global services.

Task 6.25

Secure R5 fa0/0 by disabling unnecessary interface

services.

Task 6.26

Secure R1 by disabling unnecessary services using a single

command.





389



Task 6.27

Configure R3 so that only devices in vlan 5 can telnet to

it.

Task 6.28

Configure R5 so that only devices in vlan 6 can ssh to it.

Authenticate the connection using a local user named

‘admin’ with a password ‘cisco’.

Task 6.29

Configure R4 so that only the ACS Server can HTTP into it.

Task 6.30

Configure ASA1 so that only SW2 can telnet to it. The

telnet session should disconnect after 2 minutes of

inactivity.

Task 6.31

Configure ASA1 so that only R1 can SSH to it. Authenticate

the connection using a local user named ‘admin’ with a

password ‘cisco’.

Task 6.32

Configure SW1 so that when user admin telnets into the

switch, they will have privilege 15 access.





390



Task 6.33

Configure SW1 to log to the Syslog Server on the ACS

Server.

Task 6.34

Configure SW1 for snmp with a community string of “cisco”

for read-only and a community string of “ccbootcamp” for

read-write. Send config traps to the SNMP Manager at

192.168.2.101 with a string of “cisco”.

Task 6.35

Set the clock and time zone on R1. Configure R1 as an NTP

master. Configure R4 to get its time from R1 using

authenticated NTP.





391



Task 6.1

Configure RIP MD5 authentication on the link between R1 and

ASA1.

If you are sending and receiving RIP Version 2 packets, you

can enable RIP authentication per interface. First a key

chain must be configured, then at least one key within the

chain. On the interface itself you can choose the

authentication mode and what key chain to use.

R1(config)#key chain RIPR1(config-keychain)#key 1R1(config-keychain-key)#key-string ciscoR1(config-keychain-key)#interface fastethernet0/1R1(config-if)#ip rip authentication mode md5R1(config-if)#ip rip authentication key-chain RIP

R1 has MD5 authentication configured but ASA1 does not.

Clear the IP routing table on R1 and there will be no

routes learned from ASA1 present.

R1#clear ip route *

R1#show ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF interarea N1 - OSPF NSSA external type 1, N2 - OSPF NSSA externaltype 2 E1 - OSPF external type 1, E2 - OSPF external type 2





392



i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 -IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route


1.0.0.0/24 is subnetted, 1 subnetsC 1.1.1.0 is directly connected, Loopback0 24.0.0.0/24 is subnetted, 1 subnetsC 24.234.10.0 is directly connected, FastEthernet0/1C 192.168.0.0/16 is directly connected, FastEthernet0/0

Now we’ll configure RIP authentication on the ASA. The

configuration is different, not requiring key chains.

However the mode and key must match what R1 is using.

ASA1(config)# interface ethernet0/1ASA1(config-if)# rip authentication mode md5ASA1(config-if)# rip authentication key cisco key_id 1

R1 will now learn routes from ASA1.







393



1.0.0.0/24 is subnetted, 1 subnetsC 1.1.1.0 is directly connected, Loopback0 2.0.0.0/32 is subnetted, 1 subnetsR 2.2.2.2 [120/2] via 24.234.10.100, 00:00:16,FastEthernet0/1 3.0.0.0/24 is subnetted, 1 subnetsR 3.3.3.0 [120/2] via 24.234.10.100, 00:00:16,FastEthernet0/1 4.0.0.0/24 is subnetted, 1 subnetsR 4.4.4.0 [120/2] via 24.234.10.100, 00:00:16,FastEthernet0/1 5.0.0.0/24 is subnetted, 1 subnetsR 5.5.5.0 [120/2] via 24.234.10.100, 00:00:17,FastEthernet0/1 6.0.0.0/24 is subnetted, 1 subnetsR 6.6.6.0 [120/2] via 24.234.10.100, 00:00:17,FastEthernet0/1 24.0.0.0/24 is subnetted, 6 subnetsR 24.234.34.0 [120/1] via 24.234.10.100, 00:00:19,FastEthernet0/1R 24.234.2.0 [120/1] via 24.234.10.100, 00:00:19,FastEthernet0/1R 24.234.6.0 [120/2] via 24.234.10.100, 00:00:19,FastEthernet0/1R 24.234.4.0 [120/2] via 24.234.10.100, 00:00:19,FastEthernet0/1R 24.234.5.0 [120/2] via 24.234.10.100, 00:00:19,FastEthernet0/1C 24.234.10.0 is directly connected, FastEthernet0/1C 192.168.0.0/16 is directly connected, FastEthernet0/0

Task 6.2

Configure OSPF MD5 authentication on the link between R2

and ASA1.

The OSPF authentication mode can be set in the router

configuration or per interface as we’re doing in this case.





394



R2(config)#interface fastethernet0/0R2(config-if)#ip ospf authentication message-digestR2(config-if)#ip ospf message-digest-key 1 md5 cisco

Since ASA1 does not have OSPF authentication configured, R2

will not show it as a neighbor or learn OSPF routes from

it.

R2#show ip ospf neighbor

R2#



2.0.0.0/24 is subnetted, 1 subnetsC 2.2.2.0 is directly connected, Loopback0 24.0.0.0/24 is subnetted, 1 subnetsC 24.234.2.0 is directly connected, FastEthernet0/0

Now we’ll configure OSPF authentication on the ASA. The

commands are the same as on the router.

ASA1(config)# interface ethernet0/2ASA1(config-if)# ospf authentication message-digest





395



ASA1(config-if)# ospf message-digest-key 1 md5 cisco

ASA1 and R2 now have an OSPF adjacency and routes are being

exchanged.

ASA1# show ospf neighbor

Neighbor ID Pri State Dead Time AddressInterface2.2.2.2 1 FULL/BDR 0:00:35 24.234.2.2dmzASA1#

R2#show ip ospf neighbor

Neighbor ID Pri State Dead Time AddressInterface24.234.34.100 1 FULL/DR 00:00:37 24.234.2.100FastEthernet0/0R2#

R2#sh ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF interarea N1 - OSPF NSSA external type 1, N2 - OSPF NSSA externaltype 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 -IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route


1.0.0.0/24 is subnetted, 1 subnetsO E2 1.1.1.0 [110/20] via 24.234.2.100, 00:00:05,FastEthernet0/0





396



2.0.0.0/24 is subnetted, 1 subnetsC 2.2.2.0 is directly connected, Loopback0 3.0.0.0/24 is subnetted, 1 subnetsO E2 3.3.3.0 [110/20] via 24.234.2.100, 00:00:05,FastEthernet0/0 4.0.0.0/24 is subnetted, 1 subnetsO E2 4.4.4.0 [110/20] via 24.234.2.100, 00:00:05,FastEthernet0/0 5.0.0.0/24 is subnetted, 1 subnetsO E2 5.5.5.0 [110/20] via 24.234.2.100, 00:00:06,FastEthernet0/0 6.0.0.0/24 is subnetted, 1 subnetsO E2 6.6.6.0 [110/20] via 24.234.2.100, 00:00:06,FastEthernet0/0 24.0.0.0/24 is subnetted, 6 subnetsO E2 24.234.34.0 [110/20] via 24.234.2.100, 00:00:07,FastEthernet0/0C 24.234.2.0 is directly connected, FastEthernet0/0O E2 24.234.6.0 [110/20] via 24.234.2.100, 00:00:07,FastEthernet0/0O E2 24.234.4.0 [110/20] via 24.234.2.100, 00:00:07,FastEthernet0/0O E2 24.234.5.0 [110/20] via 24.234.2.100, 00:00:07,FastEthernet0/0O E2 24.234.10.0 [110/20] via 24.234.2.100, 00:00:07,FastEthernet0/0O E2 192.168.0.0/16 [110/20] via 24.234.2.100, 00:00:07,FastEthernet0/0

Task 6.3

Configure EIGRP MD5 authentication on the link between

ASA1, R3, and R4.

As with RIP, we’ll use key chains for EIGRP authentication.

The authentication mode and key chain to be used are set

per interface.





397



R3(config)#key chain EIGRPR3(config-keychain)#key 1R3(config-keychain-key)#key-string ciscoR3(config-keychain-key)#interface fastethernet0/0R3(config-if)#ip authentication mode eigrp 1 md5R3(config-if)#ip authentication key-chain eigrp 1 EIGRP

At this point R3 will no longer learn routes from ASA1 and

R4.



3.0.0.0/24 is subnetted, 1 subnetsC 3.3.3.0 is directly connected, Loopback0 24.0.0.0/24 is subnetted, 1 subnetsC 24.234.34.0 is directly connected, FastEthernet0/0

Now we’ll configure authentication on R4 using the same key

and mode.

R4(config)#key chain EIGRPR4(config-keychain)#key 1R4(config-keychain-key)#key-string ciscoR4(config-keychain-key)#interface fastethernet0/0R4(config-if)#ip authentication mode eigrp 1 md5





398



R4(config-if)#ip authentication key-chain eigrp 1 EIGRP

R3 and R4 now have an EIGRP adjacency, but neither R3 nor

R4 have an EIGRP adjacency with ASA1.

R3#show ip eigrp 1 neighborsIP-EIGRP neighbors for process 1H Address Interface Hold Uptime SRTTRTO Q Seq (sec) (ms)Cnt Num0 24.234.34.4 Fa0/0 13 00:02:32 4200 0 42

R4#show ip eigrp 1 neighborsIP-EIGRP neighbors for process 1H Address Interface Hold Uptime SRTTRTO Q Seq (sec) (ms)Cnt Num0 24.234.34.3 Fa0/0 14 00:03:08 2200 0 232 24.234.4.10 Fa0/1 14 00:59:08 1200 0 53

We’ll now configure authentication on ASA1. As with RIP,

key chains aren’t used but mode and key must match.

ASA1(config)# interface ethernet0/0ASA1(config-if)# authentication mode eigrp 1 md5ASA1(config-if)# authentication key eigrp 1 cisco key-id 1

ASA1 now has adjacencies with R3 and R4 and is learning

routes via EIGRP.

ASA1# show eigrp neighbors





399



EIGRP-IPv4 neighbors for process 1H Address Interface Hold Uptime SRTTRTO Q Seq (sec) (ms)Cnt Num1 24.234.34.3 Et0/0 14 00:00:18 2200 0 260 24.234.34.4 Et0/0 14 00:00:18 6200 0 45

ASA1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF interarea N1 - OSPF NSSA external type 1, N2 - OSPF NSSA externaltype 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E -EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia -IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route


R 1.1.1.0 255.255.255.0 [120/1] via 24.234.10.1, 0:00:08,insideO 2.2.2.2 255.255.255.255 [110/11] via 24.234.2.2, 0:11:44,dmzD 3.3.3.0 255.255.255.0 [90/131072] via 24.234.34.3, 0:01:16,outsideD 4.4.4.0 255.255.255.0 [90/131072] via 24.234.34.4, 0:01:16,outsideD 5.5.5.0 255.255.255.0 [90/156928] via 24.234.34.4, 0:01:16,outsideD 6.6.6.0 255.255.255.0 [90/156928] via 24.234.34.4, 0:01:16,outsideC 24.234.34.0 255.255.255.0 is directly connected, outsideC 24.234.2.0 255.255.255.0 is directly connected, dmz





400



D 24.234.6.0 255.255.255.0 [90/28928] via 24.234.34.4,0:01:16, outsideD 24.234.4.0 255.255.255.0 [90/28672] via 24.234.34.4,0:01:16, outsideD 24.234.5.0 255.255.255.0 [90/28928] via 24.234.34.4,0:01:16, outsideC 24.234.10.0 255.255.255.0 is directly connected, insideR 192.168.0.0 255.255.0.0 [120/1] via 24.234.10.1, 0:00:08,inside

Task 6.4

Configure BGP peering between R1 and R4. R1 should

advertise the 192.168.0.0 /16 network. R4 should advertise

the 24.234.4.0, 24.234.5.0 and 24.234.6.0 networks.

Before any BGP peering can occur, the ASA must be

configured to allow the BGP (TCP 179) traffic from R4 to

R1. This is done with an ACL, allowing the traffic in both

directions.

ASA1(config)# access-list OUTSIDE permit tcp host 24.234.34.4host 24.234.10.1 eq 179ASA1(config)# access-list OUTSIDE permit tcp host 24.234.34.4 eq179 host 24.234.10.1ASA1(config)# access-group OUTSIDE in interface outside

Now we can configure BGP on both routers.

R1(config)#router bgp 1R1(config-router)#neighbor 24.234.34.4 remote-as 4R1(config-router)#neighbor 24.234.34.4 ebgp-multihop 2R1(config-router)#network 192.168.0.0 mask 255.255.0.0





401



R4(config)#router bgp 4R4(config-router)#neighbor 24.234.10.1 remote-as 1R4(config-router)#neighbor 24.234.10.1 ebgp-multihop 2R4(config-router)#network 24.234.4.0 mask 255.255.255.0R4(config-router)#network 24.234.5.0 mask 255.255.255.0R4(config-router)#network 24.234.6.0 mask 255.255.255.0

Verify that peering has occurred.

R1#show ip bgp summaryBGP router identifier 1.1.1.1, local AS number 1BGP table version is 7, main routing table version 74 network entries using 480 bytes of memory4 path entries using 208 bytes of memory4/3 BGP path/bestpath attribute entries using 496 bytes ofmemory1 BGP AS-PATH entries using 24 bytes of memory0 BGP route-map cache entries using 0 bytes of memory0 BGP filter-list cache entries using 0 bytes of memoryBitfield cache entries: current 1 (at peak 1) using 32 bytes ofmemoryBGP using 1240 total bytes of memoryBGP activity 10/6 prefixes, 11/7 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQUp/Down State/PfxRcd24.234.34.4 4 4 21 18 7 0 000:03:35 3

R1#show ip bgpBGP table version is 7, local router ID is 1.1.1.1Status codes: s suppressed, d damped, h history, * valid, >best, i - internal, r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf WeightPath*> 24.234.4.0/24 24.234.34.4 0 0 4 i*> 24.234.5.0/24 24.234.34.4 28416 0 4 i*> 24.234.6.0/24 24.234.34.4 28416 0 4 i





402



*> 192.168.0.0/16 0.0.0.0 0 32768 i

Task 6.5

Configure MD5 authentication for the BGP peering between R1

and R4.

This is setup with the “neighbor” command within router bgp

configuration.

R1#conf tR1(config)#router bgp 1R1(config-router)#neighbor 24.234.34.4 password cisco

R4#conf tR4(config)#router bgp 4R4(config-router)#neighbor 24.234.10.1 password cisco

Once configured, you will start seeing these messages on

both routers.

*Mar 12 18:34:32.451: %TCP-6-BADAUTH: No MD5 digest from24.234.34.4(55006) to 24.234.10.1(179)

With the default settings in place, an ASA will break MD5

authentication between BGP peers. This is for two reasons:

First, the ASA clears Option 19 from the TCP header.

Second, it randomizes the TCP sequence number before

sending the packet. The original sequence number is used in

the MD5 hash so hash values won’t match at the destination.





403



First the ASA must be configured to allow for option 19

using a TCP map. The map is applied within the

global_policy policy map.

ASA1(config)# tcp-map OPTION19ASA1(config-tcp-map)# tcp-options range 19 19 allowASA1(config)# class-map BGP_CMAPASA1(config-cmap)# match port tcp eq 179

ASA1(config)# policy-map global_policyASA1(config-pmap)# class BGP_CMAPASA1(config-pmap-c)# set connection advanced-options OPTION19

Once the option 19 is allowed, the error message received

on R1 and R4 is now an Invalid MD5 digest, instead of a no

MD5 digest.

*Mar 12 18:42:04.503: %TCP-6-BADAUTH: Invalid MD5 digest from24.234.34.4(14857) to 24.234.10.1(179)

This is solved by disabling TCP sequence number

randomization for BGP packets.

ASA1(config)# policy-map global_policyASA1(config-pmap)# class BGP_CMAPASA1(config-pmap-c)# set connection random-sequence-numberdisable

After the random-sequence-number is disabled, the errors

will cease and the peers will establish.

R1#

*Apr 14 21:55:41.503: %BGP-5-ADJCHANGE: neighbor 24.234.34.4 Up





404



Task 6.6

Configure R1 to deny the route 24.234.5.0 via BGP, but

accept all other BGP routes from R4.

This is done with a distribute list. The distribute list

references an ACL and is set with the “neighbor” command.

R1(config)#access-list 1 deny 24.234.5.0 0.0.0.255R1(config)#access-list 1 permit anyR1(config)#router bgp 1R1(config-router)#neighbor 24.234.34.4 distribute-list 1 in

We’ll clear bgp and then verify the 24.234.5.0 route is

gone.

R1#clear ip bgp *R1#*Mar 12 18:53:46.175: %BGP-5-ADJCHANGE: neighbor 24.234.34.4Down User resetR1#*Mar 12 18:53:48.687: %BGP-5-ADJCHANGE: neighbor 24.234.34.4 Up


Network Next Hop Metric LocPrf WeightPath*> 24.234.4.0/24 24.234.34.4 0 0 4 i*> 24.234.6.0/24 24.234.34.4 28416 0 4 i*> 192.168.0.0/16 0.0.0.0 0 32768 i





405



Task 6.7

Configure R5’s Control Plane to drop telnet traffic from R3

FastEthernet0/0, and rate limit all remaining telnet

traffic to 8000bps. Any telnet traffic that exceeds

8000bps should be dropped.

Control plane policing allows for MQC to be applied to the

control plane. The configuration is the same as a standard

MQC. Identify traffic with a class map, act on the

identified traffic with a policy map and apply the policy

to the control plane with service-policy.

In this case we’ll need two different class maps, one to

identify telnet from R3 and one to identify all other

telnet. The traffic from R3 gets an action of drop and all

other telnet is policed to 8000bps.

R5(config)#ip access-list extended TELNET_DROPR5(config-ext-nacl)#permit tcp host 24.234.34.3 any eq telnet

R5(config)#ip access-list extended TELNET_RATER5(config-ext-nacl)#deny tcp host 24.234.34.3 any eq telnetR5(config-ext-nacl)#permit tcp any any eq telnet

R5(config-ext-nacl)#class-map TELNET_DROP_CMAPR5(config-cmap)#match access-group name TELNET_DROP

R5(config-cmap)#class-map TELNET_RATE_CMAPR5(config-cmap)#match access-group name TELNET_RATE





406



R5(config-cmap)#policy-map TELNET_PMAPR5(config-pmap)#class TELNET_DROP_CMAPR5(config-pmap-c)#drop

R5(config-pmap)#class TELNET_RATE_CMAPR5(config-pmap-c)#police rate 8000 bpsR5(config-pmap-c-police)#conform-action transmitR5(config-pmap-c-police)#exceed-action dropR5(config-pmap-c-police)#exitR5(config-pmap-c)#exitR5(config-pmap)#exitR5(config)#control-planeR5(config-cp)#service-policy input TELNET_PMAP

We’ll verify with a telnet from R4 to R5, this is allowed.



Password:

Now we’ll try a telnet from R3, the traffic is dropped.


“Show policy-map control-plane” shows us that packets

matched the configured classes and were acted upon.

R5#show policy-map control-plane Control Plane

Service-policy input: TELNET_PMAP

Class-map: TELNET_DROP_CMAP (match-all) 4 packets, 240 bytes





407



5 minute offered rate 0 bps, drop rate 0 bps Match: access-group name TELNET_DROP drop

Class-map: TELNET_RATE_CMAP (match-all) 22 packets, 1329 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: access-group name TELNET_RATE police: rate 8000 bps, burst 1500 bytes conformed 22 packets, 1329 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any) 52 packets, 4140 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: any

Task 6.8

Configure R6’s Control Plane to rate limit all ICMP traffic

outbound to 8000bps with a burst of 1000 bytes. Traffic

should be dropped when it exceeds.

Like the previous example, this is done with MQC applied to

the control plane. However the service policy is in the

outbound direction.

R6(config)#ip access-list extended ICMPR6(config-ext-nacl)#permit icmp any anyR6(config-ext-nacl)#class-map ICMP_CMAPR6(config-cmap)#match access-group name ICMPR6(config-cmap)#policy-map ICMP_PMAP





408



R6(config-pmap)# class ICMP_CMAPR6(config-pmap-c)#police rate 8000 bps burst 1000 bytesR6(config-pmap-c-police)#conform-action transmitR6(config-pmap-c-police)#exceed-action dropR6(config-pmap-c-police)#exitR6(config-pmap-c)#exitR6(config-pmap)#exitR6(config)#control-planeR6(config-cp)#service-policy output ICMP_PMAP

We’ll test by sending 100 icmp packets.

R6#ping 24.234.34.3 repeat 100

Type escape sequence to abort.Sending 100, 100-byte ICMP Echos to 24.234.34.3, timeout is 2seconds:!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!Success rate is 89 percent (89/100), round-trip min/avg/max =1/2/4 ms

Note that some packets were dropped. A look at the policy-

map shows that 11 packets were in violation of the policy

and were dropped.

R6#sho policy-map control-plane

Control Plane

Service-policy output: ICMP_PMAP

Class-map: ICMP_CMAP (match-all)

100 packets, 11400 bytes

5 minute offered rate 2000 bps, drop rate 0 bps

Match: access-group name ICMP

police:

rate 8000 bps, burst 1000 bytes





409



conformed 89 packets, 10146 bytes; actions:

transmit

exceeded 11 packets, 1254 bytes; actions:

drop

conformed 1000 bps, exceed 0 bps

Class-map: class-default (match-any)

30 packets, 2253 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: any

Task 6.9

Configure R1’s control plane host sub-interface to drop all

telnet packets destined for any of its interfaces.

Control plane protection allows for finer granularity in

filtering control plane traffic. We’ll use a port-filter

class map to identify all telnet traffic, and then drop it

in a policy map which is applied to control-plane host.

R1(config)#class-map type port-filter match-any PORT_CMAPR1(config-cmap)#match port tcp 23R1(config-cmap)#exitR1(config)#policy-map type port-filter PORT_PMAPR1(config-pmap)#class PORT_CMAPR1(config-pmap-c)#dropR1(config-pmap-c)#exitR1(config-pmap)#exitR1(config)#control-plane hostR1(config-cp-host)#service-policy type port-filter inputPORT_PMAPR1(config-cp-host)#*Mar 12 22:14:05.354: %CP-5-FEATURE: TCP/UDP Portfilter featureenabled on Control plane host path





410



We can test by telneting from SW2 to R1. The traffic is

dropped.

SW2#telnet 192.168.0.1Trying 192.168.0.1 ...% Connection timed out; remote host not responding

Showing the policy-map verifies that the packets were

dropped.

R1#show policy-map type port-filter control-plane host Control Plane Host

Service-policy port-filter input: PORT_PMAP

Class-map: PORT_CMAP (match-any) 4 packets, 240 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: port tcp 23 4 packets, 240 bytes 5 minute rate 0 bps drop


Task 6.10

Modify R1’s control plane configuration to only drop all

closed ports.





411



Closed ports are ports that the router is not actively

listening on. To drop this traffic we’ll remove the telnet

match in our class map and add closed-ports.

R1(config)#class-map type port-filter match-any PORT_CMAPR1(config-cmap)#no match port tcp 23R1(config-cmap)#match closed-ports

Verify what ports are open with show control-plane host

open-ports.

R1#show control-plane host open-portsActive internet connections (servers and established)Prot Local Address Foreign AddressService State tcp *:23 *:0Telnet LISTEN tcp *:80 *:0HTTP CORE LISTEN udp *:67 *:0 DHCPDReceive LISTEN udp *:68 *:0 BootPclient LISTEN

Notice, that RIP (UDP 520) is not listed, but the router is

running RIP. Since this port is not listed, RIP will be

blocked. Verify that R1 is no longer learning routes from

ASA1.

R1#clear ip route *

R1#show ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF interarea





412



N1 - OSPF NSSA external type 1, N2 - OSPF NSSA externaltype 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 -IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route


1.0.0.0/24 is subnetted, 1 subnetsC 1.1.1.0 is directly connected, Loopback0 24.0.0.0/24 is subnetted, 1 subnetsC 24.234.10.0 is directly connected, FastEthernet0/1C 192.168.0.0/16 is directly connected, FastEthernet0/0

Task 6.11

Configure R2’s control plane host sub-interface to limit

the number of SNMP packets in the control-plane IP input

queue to 25.

This is done with a queue-threshold class-map and policy-

map. These are special map types used by control plane

protection to limit the number of packets allowed for

specified protocols. This can be useful in defeating DoS

attacks launched against your router.

R2(config)#class-map type queue-threshold match-any QUEUE_CMAPR2(config-cmap)#match protocol snmpR2(config-cmap)#exit

R2(config)#policy-map type queue-threshold QUEUE_PMAPR2(config-pmap)#class QUEUE_CMAP





413



R2(config-pmap-c)#queue-limit 25R2(config-pmap-c)#exitR2(config-pmap)#exit

R2(config)#control-plane hostR2(config-cp-host)#service-policy type queue-threshold inputQUEUE_PMAPR2(config-cp-host)#*Mar 12 22:18:40.562: %CP-5-FEATURE: Protocol Queue Thresholdingfeature enabled on Control plane host path

Verify the configuration with a show policy-map.

R2#show policy-map type queue-threshold control-plane host queue-limit 25 queue-count 0 packets allowed/dropped 0/0 Control Plane Host

Service-policy queue-threshold input: QUEUE_PMAP

Class-map: QUEUE_CMAP (match-any) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: protocol snmp 0 packets, 0 bytes 5 minute rate 0 bps


Task 6.12

Configure SW2 interface FastEthernet0/14 to drop unicast

packets when 75% of the interface bandwidth is reached. SW2





414



should continue blocking all unicast packets until unicast

traffic falls below 50%.

This is accomplished with “storm-control”. Storm control is

configured per interface and sets a rising and falling

threshold in percentage of interface bandwidth. The port

will block traffic when the rising threshold is reached and

resume normal operation when the traffic rate drops below

the falling threshold.

SW2(config)#interface fastethernet0/14SW2(config-if)#storm-control unicast level 75 50

Verify with “show storm-control unicast”.

SW2#show storm-control unicastInterface Filter State Upper Lower Current--------- ------------- ----------- ----------- ----------Fa0/14 Link Down 75.00% 50.00% 0.00%

Task 6.13

Configure SW2 interface FastEthernet0/15 to drop broadcast

packets when the interface reaches 3000bps. The interface

should continue blocking all broadcast packets until they

drop below 1000bps. During the broadcast storm, SW2 should

shutdown this interface.





415



This is also done with storm control using the “broadcast”

option instead of unicast. The “shutdown” action will

error-disable the interface during a storm.

SW2(config)#interface fastethernet0/15SW2(config-if)#storm-control broadcast level bps 3000 1000SW2(config-if)#storm-control action shutdown

Verify with show storm-control.

SW2#show storm-control broadcastInterface Filter State Upper Lower Current--------- ------------- ----------- ----------- ----------Fa0/15 Link Down 3k bps 1k bps 0 bps

Task 6.14

Configure SW2 interface FastEthernet0/16 to drop multicast

packets when the interface reaches 1000pps. The interface

should continue blocking all multicast packets until

multicast packets drop below 700pps. An SNMP trap should be

sent when a storm is detected.

This is done with the “multicast” option. Notice we’re

using “pps” instead of “bps”. We’ll also use the “action

trap” option to send an SNMP trap when the storm is

detected.

SW2(config)#interface FastEthernet0/16SW2(config-if)#storm-control multicast level pps 1000 700SW2(config-if)#storm-control action trap





416



Once again, we’ll verify with “show storm-control”.

SW2#show storm-control multicastInterface Filter State Upper Lower Current--------- ------------- ----------- ----------- ----------Fa0/16 Link Down 1k pps 700 pps 0 pps

Task 6.15

Configure SW2 to keep track of the small-frame rate-

arrival. Configure interface FastEthernet0/10 to drop small

frames when it reaches 3000 packets per second.

Incoming VLAN-tagged packets smaller than 67 bytes are

considered small frames. They are forwarded by the switch

but they do not cause the switch storm-control counters to

increment.

You globally enable the small-frame arrival feature on the

switch and then configure the small-frame threshold for

packets on each interface. Packets smaller than the minimum

size and arriving at a specified rate (the threshold) are

dropped since the port is error disabled.

SW2# errdisable detect cause small-frameSW2(config)#interface fastethernet0/10SW2(config-if)#small-frame violation-rate 3000

Task 6.16





417



Configure SW2 to recovery from a port being disabled due to

small frames. SW2 should re-enable the interface after 45

seconds.

This is done with “errdisable recovery” for the “cause

small-frame”. The interval is set to 45.

SW2(config)#errdisable recovery cause small-frameSW2(config)#errdisable recovery interval 45

Task 6.17

Configure SW2 interface FastEthernet0/11 to block the

forwarding of unknown unicast and multicast packets.

Default switch behavior is to flood packets with unknown

destination MAC addresses out of all ports. You can change

this behavior per interface with the “switchport block”

command.

SW2(config)#interface fastethernet0/11SW2(config-if)#switchport block unicastSW2(config-if)#switchport block multicast

Task 6.18

Configure SW1 interface FastEthernet0/3 so that a maximum

of 1 mac-address is allowed. If there is a violation the

port should be shutdown.





418



This is done with “port-security”. First port-security is

enabled, then a maximum number of allowed mac addresses and

a violation is configured.

SW1(config)#interface fastethernet0/3SW1(config-if)#switchport port-securitySW1(config-if)#switchport port-security maximum 1SW1(config-if)#switchport port-security violation shutdown

Task 6.19

Configure SW1 interface FastEthernet0/4 so the first mac-

address learned is copied into the running configuration.

This is done using the “sticky” option within port

security. The sticky option should be configured before

turning on port-security so the address can be properly

learned.

SW1(config)#interface fastethernet0/4SW1(config-if)#switchport port-security mac-address stickySW1(config-if)#switchport port-security

Task 6.20

Configure SW1 to check for the correction of a port

security violations every 30 seconds and to re-enable the

port if the violation is corrected.





419



This is done with “errdisable recovery” using the “cause

psecure-violation”. The recovery interval can also be set.

SW1(config)#errdisable recovery cause psecure-violationSW1(config)#errdisable recovery interval 30

To verify we will change the mac-address on R4 F0/0 to

0004.0004.0004. The switchport it is connected to will shut

down due to the violation.

R4(config)#interface fastethernet0/0R4(config-if)#mac-address 0004.0004.0004

SW1#09:35:36: %LINEPROTO-5-UPDOWN: Line protocol on InterfaceFastEthernet0/4, changed state to downSW1#09:35:38: %LINEPROTO-5-UPDOWN: Line protocol on InterfaceFastEthernet0/4, changed state to up09:35:39: %PM-4-ERR_DISABLE: psecure-violation error detected onFa0/4, putting Fa0/4 in err-disable stateSW1#09:35:39: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violationoccurred, caused by MAC address 0004.0004.0004 on portFastEthernet0/4.SW1#09:35:40: %LINEPROTO-5-UPDOWN: Line protocol on InterfaceFastEthernet0/4, changed state to down09:35:41: %LINK-3-UPDOWN: Interface FastEthernet0/4, changedstate to down

This can be further verified with the “show port-security”

command for the interface.

SW1#show port-security interface fastethernet0/4Port Security : EnabledPort Status : Secure-shutdown





420



Violation Mode : ShutdownAging Time : 0 minsAging Type : AbsoluteSecureStatic Address Aging : DisabledMaximum MAC Addresses : 1Total MAC Addresses : 1Configured MAC Addresses : 0Sticky MAC Addresses : 1Last Source Address:Vlan : 0004.0004.0004:34Security Violation Count : 1

Now, we will remove the mac-address from R4 F0/0. The port

will automatically recover.

R4(config-if)#no mac-address 0004.0004.0004

SW1#09:37:34: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/4SW1#09:37:37: %LINK-3-UPDOWN: Interface FastEthernet0/4, changedstate to up09:37:39: %LINEPROTO-5-UPDOWN: Line protocol on InterfaceFastEthernet0/4, changed state to up

Verify that the violation has been resolved.

SW1#show port-security interface fastethernet0/4Port Security : EnabledPort Status : Secure-upViolation Mode : ShutdownAging Time : 0 minsAging Type : AbsoluteSecureStatic Address Aging : DisabledMaximum MAC Addresses : 1Total MAC Addresses : 1Configured MAC Addresses : 0Sticky MAC Addresses : 1Last Source Address:Vlan : 0017.5926.03b0:34Security Violation Count : 0





421



Task 6.21

Configure R3 to delete all packets that contain IP Options.

IP Options can be globally removed with the “ip options

drop” command.

R3(config)#ip options drop

% Warning: RSVP and other protocols that use IP Options packetsmay not function as expected.

Task 6.22

Configure R6 for logging. Disable logging to the console

and monitor. Configure R6 to limit log generation and

transmission to 100 messages per second except for log

levels 4 (warnings) through 0 (emergencies).

Logging can be CPU intensive. Specific methods of logging

can be turned off with the “no” version of the “logging”

command. To limit the number of messages logged use

“logging rate-limit”.

R6(config)#logging onR6(config)#no logging consoleR6(config)#no logging monitorR6(config)#logging rate-limit 100 except 4





422



Verify the logging configuration with show logging.

R6#show loggingSyslog logging: enabled (11 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filteringdisabled) Console logging: disabled Monitor logging: disabled Buffer logging: disabled, xml disabled, filtering disabled Logging Exception size (4096 bytes) Count and timestamp logging messages: disabled


Trap logging: level informational, 41 message lines logged

Task 6.23

Configure R6 to limit log-induced process switching to one

packet per 10 milliseconds.

Although we rate limited the number of log entries, each

packet that matches a logging enabled ACE within an ACL is

processed in the switch. This is CPU intensive. This can be

solved using “ip access-list logging interval”. The

interval is set in milliseconds.

R6(config)#ip access-list logging interval 10





423



Task 6.24

Secure R5 by disabling unnecessary global services.

These common global services should be disabled on a

router, if not used. Some are off by default.

R5(config)#no service fingerR5(config)#no service padR5(config)#no service udp-small-serversR5(config)#no service tcp-small-serversR5(config)#no cdp runR5(config)#no ip bootp serverR5(config)#no ip http serverR5(config)#no ip fingerR5(config)#no ip source-routeR5(config)#no ip gratuitous-arpsR5(config)#no ip identd

Task 6.25

Secure R5 fa0/0 by disabling unnecessary interface

services.

These common interface services should be disabled on a

router, if not used.

R5(config)#interface fastethernet0/0R5(config-if)#no ip redirectsR5(config-if)#no ip proxy-arpR5(config-if)#no ip unreachables





424



R5(config-if)#no ip directed-broadcastR5(config-if)#no ip mask-reply





425



Task 6.26

Secure R1 by disabling unnecessary services using a single

command.

This is done with the “auto secure management” command.

AutoSecure disables common IP services that can be

exploited by network attacks. We’ll use the “no-interact”

option to avoid prompting. (Output cut)

R1#auto secure management no-interact --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security ofthe router, but it will not make it absolutely resistantto all security attacks ***

AutoSecure will modify the configuration of your device.All configuration changes will be shown. For a detailedexplanation of how the configuration changes enhance securityand any possible side effects, please refer to Cisco.com forAutosecure documentation.

Securing Management plane services...

Task 6.27

Configure R3 so that only devices in vlan 5 can telnet to

it.





426



This is done with a standard ACL. The ACL is applied to the

VTY lines with the “access-class” command.

R3(config)#access-list 1 permit 24.234.5.0 0.0.0.255R3(config)#line vty 0 4R3(config-line)#transport input telnetR3(config-line)#access-class 1 in

Test telneting from R5 which is in the allowed VLAN. The

connection is allowed.



Password:

Now telnet from R6 which is not in the allowed VLAN. Theconnection is refused.

R6#telnet 24.234.34.3Trying 24.234.34.3 ...% Connection refused by remote host

Task 6.28

Configure R5 so that only devices in vlan 6 can ssh to it.

Authenticate the connection using a local user named

“admin” with a password “cisco”.

To enable SSH the router must first have a domain name and

generated crypto keys. Then we’ll create a local user.





427



Finally, SSH can be limited just like telnet: with an ACL.

Login is set to local.

R5(config)#ip domain-name ccbootcamp.comR5(config)#crypto key generate rsaThe name for the keys will be: R5.ccbootcamp.comChoose the size of the key modulus in the range of 360 to 2048for your General Purpose Keys. Choosing a key modulus greater than 512may take a few minutes.

How many bits in the modulus [512]: 1024% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R5(config)#*Mar 13 21:06:57.746: %SSH-5-ENABLED: SSH 1.99 has been enabledR5(config)#username admin password ciscoR5(config)#access-list 2 permit 24.234.6.0 0.0.0.255R5(config)#line vty 0 4R5(config-line)#transport input sshR5(config-line)#access-class 2 inR5(config-line)#login local

Verify by connecting via ssh from R6 with a username of

“admin”. The connection is allowed.

R6#telnet 24.234.34.3Trying 24.234.34.3 ...% Connection refused by remote host

R6#ssh -l admin -c 3des 24.234.5.5

Password:

R5>exit

[Connection to 24.234.5.5 closed by foreign host]





428



Task 6.29

Configure R4 so that only the ACS Server can HTTP into it.

By default, routers have the http server service enabled.

We’ll need to create an access-list that only allows host

192.168.2.101. Apply it to the http server with “ip http

access-class”.

R4(config)#access-list 1 permit host 192.168.2.101R4(config)#ip http serverR4(config)#ip http access-class 1

Task 6.30

Configure ASA1 so that only SW2 can telnet to it. The

telnet session should disconnect after 2 minutes of

inactivity.

By default, there are no devices allowed to telnet to the

ASA. The telnet command is used to identify networks and/or

hosts that are allowed to telnet, and from which interface.

The default telnet password for the ASA is “cisco”.

ASA1(config)# telnet 192.168.0.10 255.255.255.255 insideASA1(config)# telnet timeout 2

Verify by telneting from SW2, the connection will be

allowed.





429



SW2#telnet 24.234.10.100Trying 24.234.10.100 ... Open


Password:Type help or '?' for a list of available commands.ASA1>

Now telnet from R1, the connection is not allowed.


Task 6.31

Configure ASA1 so that only R1 can SSH to it. Authenticate

the connection using a local user named “admin” with a

password “cisco”.

By default, no devices allowed to ssh to the ASA. The ssh

command is used to identify networks and/or hosts that are

allowed to ssh, and from which interface. Like a router, in

order for the ASA to be an ssh server crypto keys have to

be generated. AAA is used to setup authentication for SSH.

ASA1(config)# domain-name ccbootcamp.comASA1(config)# crypto key generate rsa modulus 1024WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.





430



Do you really want to replace them? [yes/no]: yesKeypair generation process begin. Please wait...ASA1(config)# username admin password ciscoASA1(config)# ssh 24.234.10.1 255.255.255.255 insideASA1(config)# aaa authentication ssh console LOCAL

Test by connecting from R1 via SSH with a username of

“admin”. The connection will be allowed.

R1#ssh -l admin -c 3des 24.234.10.100

Password:Type help or '?' for a list of available commands.ASA1>

Task 6.32

Configure SW1 so that when user “admin” telnets into the

switch, they will have privilege 15 access.

This is done by setting the privilege level of the user.

SW1(config)#username admin privilege 15 password ciscoSW1(config)#line vty 0 4SW1(config-line)# login local

Test by telneting from R5 to SW1. When you log in as

“admin” you’ll be able to show your privilege level.






431




Username: adminPassword:SW1#SW1#show privilegeCurrent privilege level is 15

Task 6.33

Configure SW1 to log to the Syslog Server on the ACS

Server.

Since SW1 is on the outside of the ASA, a translation and

access-list entry must be made for the syslog traffic.

ASA1(config)#static (inside,outside) 192.168.2.101 192.168.2.101ASA1(config)#access-list OUTSIDE permit udp host 24.234.4.10host 192.168.2.101 eq 514

And then syslog can be configured with the “logging host”

command.

SW1(config)#logging host 192.168.2.101

Task 6.34

Configure SW1 for snmp with a community string of “cisco”

for read-only and a community string of “ccbootcamp” for





432



read-write. Send config traps to the SNMP Manager at

192.168.2.101 with a string of cisco.

This is done with the “snmp-server” commands. Community

strings are setup with the “community” option, traps are

setup with the “enable traps” option and the trap receiver

setup with the “host” option.

SW1(config)#snmp-server community cisco roSW1(config)#snmp-server community ccbootcamp rwSW1(config)#snmp-server enable traps configSW1(config)#snmp-server host 192.168.2.101 traps cisco config

We can verify that traps are being sent by turning on SMNP

debugging and then entering configure commands.

SW1#debug snmp packetsSNMP packet debugging is onSW1#conf tEnter configuration commands, one per line. End with CNTL/Z.SW1(config)#exitSW1#*Mar 1 00:19:06.974: SNMP: Queuing packet to 192.168.2.101*Mar 1 00:19:06.974: SNMP: V1 Trap, ent ciscoConfigManMIB.2,addr 24.234.4.10, gentrap 6, spectrap 1 ccmHistoryEventEntry.3.10 = 1 ccmHistoryEventEntry.4.10 = 2 ccmHistoryEventEntry.5.10 = 3*Mar 1 00:19:07.225: SNMP: Packet sent via UDP to 192.168.2.101SW1#*Mar 1 00:19:08.106: %SYS-5-CONFIG_I: Configured from consoleby console

Task 6.35





433



Set the clock and time zone on R1. Configure R1 as an NTP

master. Configure R4 to get its time from R1 using

authenticated NTP.

Since R4 resides on the outside of the ASA, a translation

and access-list entry is needed to allow ntp traffic.

ASA1(config)# static (inside,outside) 24.234.10.1 24.234.10.1netmask 255.255.255.255ASA1(config)# access-list OUTSIDE permit udp host 24.234.34.4host 24.234.10.1 eq 123

R1’s clock is set with the clock set command. NTP is

configured with the “ntp” command.

R1#clock set 9:00:00 22 JAN 2009R1#conf tR1(config)#clock timezone PST -8R1(config)#ntp master 8R1(config)#ntp authentication-key 1 md5 ciscoR1(config)#ntp authenticateR1(config)#ntp trusted-key 1

NTP is setup on R4 as well. The difference in the

configurations is that R4 is not set as a master; instead

it uses the ntp server command to get its time.

R4(config)#clock timezone PST -8R4(config)#ntp authentication-key 1 md5 ciscoR4(config)#ntp authenticateR4(config)#ntp trusted-key 1R4(config)#ntp server 24.234.10.1





434



Verify with “show ntp status”. Notice that the reference is

R1’s IP address.

R4#show ntp statusClock is synchronized, stratum 9, reference is 24.234.10.1nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz,precision is 2**18reference time is CD2326ED.1E74C01D (09:10:05.118 PST Thu Jan 222009)clock offset is 412.0026 msec, root delay is 1.92 msecroot dispersion is 615.78 msec, peer dispersion is 203.75 msec

“Show ntp associations” gives more detail about the NTP

server, R1.

R4#show ntp associations detail24.234.10.1 configured, our_master, sane, valid, stratum 8ref ID 127.127.7.1, time CD232728.5B248A87 (09:11:04.356 PST ThuJan 22 2009)our mode client, peer mode server, our poll intvl 64, peer pollintvl 64root delay 0.00 msec, root disp 0.03, reach 377, sync dist103.592delay 1.89 msec, offset 414.3799 msec, dispersion 102.62precision 2**24, version 3org time CD23272D.884979E0 (09:11:09.532 PST Thu Jan 22 2009)rcv time CD23272D.1E72CDAC (09:11:09.118 PST Thu Jan 22 2009)xmt time CD23272D.1DF4FA20 (09:11:09.117 PST Thu Jan 22 2009)filtdelay = 1.89 1.92 1.86 1.83 1.83 1.861.85 1.85filtoffset = 414.38 412.00 409.67 0.46 0.42 0.400.36 0.33filterror = 0.02 0.99 1.97 2.94 2.96 2.982.99 3.01





435







436







437







438








439







440








441











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





442







443











Fa0/12 Fa0/12SW1 SW2E0/0 E0/2


Fa0/17 Fa0/17SW1 SW2E0/1 E0/3

Fa0/18 Fa0/18SW1 SW2E0/0 E0/2

Fa0/23 Fa0/23SW1 SW2E0/1 E0/3

ASA01

ASA01

ASA02

ASA02

IDS


Fas0/20 Fas0/20

Fas0/19 Fas0/19

SW1 SW2

SW3 SW4

Fas0/20 Fas0/20

Fas0/19 Fas0/19

2811R7

Fas0/0 Fas0/1

SW3Fas0/17

SW4Fas0/17

2811R8

Fas0/0 Fas0/1

SW3Fas0/18

SW4Fas0/18

ACS PC – SW1 Fa0/24192.168.2.101

XP Test PC – SW2 Fa0/16192.168.2.102





444



Task 7.1

Configure R3 to modify the DSCP value of telnet traffic

from VLAN 35 to a value of af43. The traffic should be

modified before transmitting out interfaces FastEthernet0/0

and Serial0/0/0.

Task 7.2

Configure R4 to modify the IP Precedence field for packets

arriving from VLAN 46 to an IP Precedence of immediate (2).





445



Task 7.3

Configure R4 to deny RFC1918, RFC2827/3704, and RFC3330

addresses on its FastEthernet0/0 interface.





446



Task 7.4

Configure R3 so that traffic sourced from VLAN 35 and

destined to R2’s Loopback0 will take 24.234.234.2 as the

next hop instead of SW1 (24.234.3.10).

Task 7.5

Configure R1 FastEthernet0/0 to send IP traffic destined

for R6’s L0 to interface null0.





447



Task 7.6

R2, R3, and R4 are configured in BGP AS 234. R2 is peering

with R3 and R4, and is acting as a Route-Reflector Server.

R2 is configured with Loopback 22 (22.22.22.2), and R2 is

redistributing its connected networks into BGP.

R5 and R6 have static route for 22.22.22.0/24 to R3 and R4

respectively.

Configure Remote Triggered Black Hole (RTBH) filtering so

that Routers R3 and R4 black hole any packets destined for

the 22.22.22.0 network.





448



Task 7.7

Configure R3 to deny inbound telnet and ICMP ECHOs on

FastEthernet0/1 from VLAN 35.

Task 7.8

Configure R4 to deny all inbound packets with the IP option

of timestap on interface FastEthernet0/0.





449



Task 7.9

Configure NAT on R4 so that any 24.234.0.0/16 address will

use an external pool as the source IP Address when

connecting to any R6 network. The external NAT pool will

be 46.46.46.100 – 46.46.46.200.

Task 7.10

Configure R4 so that incoming connections from R6 to

46.46.46.2 will be translated to the destination address of

loopback0 on R2.





450



Task 7.11

Configure R1 to protect the ACS Server (192.168.2.101) from

SYN-flooding attacks. Use TCP Intercept.

Task 7.12

Configure R1 to wait 20 seconds for TCP sessions to

establish. If TCP connections are not established within

20 seconds, then R1 should send a reset.

Task 7.13

Configure R1 to drop TCP connections 3 seconds after

receiving a reset or FIN-Exchange.

Task 7.14

Configure R1 to manage TCP connections for up to one hour

with no activity.

Task 7.15

Configure R1 to start dropping incomplete TCP connections

when the number exceeds 1000. Stop aggressive behavior when

incomplete TCP connections drop below 700. Configure R1 to

start aggressive behavior when the number of incomplete TCP

connections reaches 400 within a minute. Stop aggressive

behavior when the number of incomplete TCP connections

reaches 200 within a minute.





451



Task 7.16

Configure R1 so that when connections are dropped they are

chosen randomly instead of oldest first.

Task 7.17

Configure R3 interface FastEthernet0/1 to ensure that

packets are reachable via the interface they come in on.

Any denied packets should be logged.

Task 7.18

Configure uRPF on ASA1 for all traffic.

Task 7.19

Configure R2 FastEthernet0/0 so that the inbound traffic is

limited to the following:

HTTP traffic is limited to 1Mbps with a normal burst

of 16KB and an excess burst of 24KB.

ICMP traffic is limited to 200Kbps with a normal burst

of 8KB and an excess of 16KB.

All remaining traffic is limited to 4Mbps with a

normal burst of 16KB and an excess of 16KB.





452



Task 7.20

Configure R4 to discover application protocols on interface

F0/0.

Task 7.21

Configure R3 FastEthernet0/1 to drop KaZaA, Morpheus, and

Grokster P2P traffic coming from R6.





453



Task 7.22

Configure R1 to capture traffic being received by interface

fastethernet0/1.

Task 7.23

Configure R1 to export this data to the ACS Server over UDP

port 514.





454



Task 7.24

Configure R4 to police SMTP traffic to 400000Kbps with a

burst of 8k bytes and an excess burst of 16k bytes inbound

on interface FastEthernet0/0. SMTP traffic that conforms

is transmitted, and SMTP traffic that does not conform is

dropped.





455



Task 7.25

On ASA1 capture ICMP traffic from R1 to R2. The buffer

should start overwriting the beginning when full.





456



Task 7.26

Configure R2 to guarantee 33% of the bandwidth for voice

traffic with the dscp value of ef. Next, police ICMP

traffic to 8000 bps with a burst of 1000 bytes and an

excess burst of 1000 bytes. All other traffic uses the

queuing method of fair-queue.

Task 7.1

Configure R3 to modify the DSCP value of telnet traffic

from VLAN 35 to a value of af43. The traffic should be





457



modified before transmitting out interfaces FastEthernet0/0

and Serial0/0/0.

This is done with MQC. (Modular Quality of Service Command

Line Interface) An access-list with permit statements

identifies the traffic that we want subjected to the

marking. This ACL is referenced in a class map, an action

(set dscp) is applied in a policy map and finally the

policy applied to an interface with service-policy.

R3(config)#ip access-list extended VLAN35R3(config-ext-nacl)#permit tcp 35.35.35.0 0.0.0.255 any eqtelnetR3(config-ext-nacl)#exitR3(config)#class-map match-any VLAN35_CMAPR3(config-cmap)#match access-group name VLAN35R3(config-cmap)#exitR3(config)#policy-map VLAN35_PMAPR3(config-pmap)#class VLAN35_CMAPR3(config-pmap-c)#set dscp af43R3(config-pmap-c)#exitR3(config-pmap)#exitR3(config)#interface fastethernet0/1R3(config-if)#service-policy input VLAN35_PMAP

“Show policy-map” will allow us to verify. Currently, the

policy-map has not marked any telnet traffic.

R3#show policy-map interface fastethernet0/1 FastEthernet0/1

Service-policy input: VLAN35_PMAP

Class-map: VLAN35_CMAP (match-any) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps





458



Match: access-group name VLAN35 0 packets, 0 bytes 5 minute rate 0 bps QoS Set dscp af43 Packets marked 0


Now we’ll telnet from R5 to R2.



Password: ciscoR2#exit


Issue the “show policy-map” command again. Notice that

packets have now been marked.

R3#show policy-map interface fastethernet0/1 FastEthernet0/1

Service-policy input: VLAN35_PMAP

Class-map: VLAN35_CMAP (match-any) 23 packets, 1389 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: access-group name VLAN35 23 packets, 1389 bytes 5 minute rate 0 bps QoS Set





459



dscp af43 Packets marked 23


Task 7.2

Configure R4 to modify the IP Precedence field for packets

arriving from VLAN 46 to an IP Precedence of immediate (2).

This time we’ll be using a route map to provide the marking

of packets. Once again an ACL with a permit statement is

used to identify the traffic. This ACL is referenced in the

route-map. The “set” command within the route map is used

to set the IP precedence.

R4(config)#ip access-list extended VLAN46R4(config-ext-nacl)#permit ip 46.46.46.0 0.0.0.255 anyR4(config-ext-nacl)#exit

R4(config)#route-map VLAN46_RMAPR4(config-route-map)#match ip address VLAN46R4(config-route-map)#set ip precedence immediateR4(config-route-map)#exitR4(config)#interface fastethernet0/0R4(config-if)#ip policy route-map VLAN46_RMAP

Verify with “show route-map”. No packets have matched.

R4#show route-map VLAN46_RMAProute-map VLAN46_RMAP, permit, sequence 10





460



Match clauses: ip address (access-lists): VLAN46 Set clauses: ip precedence immediate Policy routing matches: 0 packets, 0 byte

Now generate traffic that will match the ACL.

R6#ping 24.234.234.2


Issue the “show route-map” command again and you’ll see

packets have matched.

R4#show route-maproute-map VLAN46_RMAP, permit, sequence 10 Match clauses: ip address (access-lists): VLAN46 Set clauses: ip precedence immediate Policy routing matches: 5 packets, 570 bytes

Task 7.3

Configure R4 to deny RFC1918, RFC2827/3704, and RFC3330

addresses on its FastEthernet0/0 interface.





461



All of these RFC’s refer to address space allocated for

private, internal, or special use. They should never be

seen incoming from a public network (The Internet) so we

will block them with an ACL.

R4(config)#ip access-list extended RFCsR4(config-ext-nacl)#remark RFC 1918R4(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 anyR4(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 anyR4(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 anyR4(config-ext-nacl)#remark RFC2827/RFC3704R4(config-ext-nacl)#deny ip 24.234.0.0 0.0.255.255 anyR4(config-ext-nacl)#remark RFC 3330R4(config-ext-nacl)#deny ip host 0.0.0.0 anyR4(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 anyR4(config-ext-nacl)#deny ip 169.254.0.0 0.0.255.255 anyR4(config-ext-nacl)#deny ip 224.0.0.0 15.255.255.255 anyR4(config-ext-nacl)#permit ip any anyR4(config-ext-nacl)#interface fastethernet0/0R4(config-if)#ip access-group RFCs in

Task 7.4

Configure R3 so that traffic sourced from VLAN 35 and

destined to R2’s Loopback0 will take 24.234.234.2 as the

next hop instead of SW1 (24.234.3.10).

Sinkhole routing involves diverting specific traffic so

that it can be segregated, analyzed, etc… In order to set a

different next hop than what is present in the routing





462



table, a route map will be used. Traffic that matches a

particular access-list will have a new next-hop set.

Currently, R3 shows the next hop of 2.2.2.2 to be SW1, and

a traceroute from R5 to 2.2.2.2 verifies this.

R3#show ip route 2.2.2.2Routing entry for 2.0.0.0/8 Known via "eigrp 1", distance 90, metric 156416, type internal Redistributing via eigrp 1 Last update from 24.234.3.10 on FastEthernet0/0, 00:13:09 ago Routing Descriptor Blocks: * 24.234.3.10, from 24.234.3.10, 00:13:09 ago, viaFastEthernet0/0 Route metric is 156416, traffic share count is 1 Total delay is 5110 microseconds, minimum bandwidth is100000 Kbit Reliability 255/255, minimum MTU 1500 bytes Loading 1/255, Hops 2

R5#traceroute 2.2.2.2

Type escape sequence to abort.Tracing the route to 2.2.2.2

1 35.35.35.3 0 msec 0 msec 4 msec 2 24.234.3.10 0 msec 0 msec 4 msec 3 24.234.2.2 0 msec * 0 msec

Now we’ll configure and apply our route map.

R3(config)#ip access-list extended R2_L0R3(config-ext-nacl)#permit ip any host 2.2.2.2R3(config-ext-nacl)#exitR3(config)#route-map R2_L0_RMAPR3(config-route-map)#match ip address R2_Lo0R3(config-route-map)#set ip next-hop 24.234.234.2R3(config-route-map)#exit





463



R3(config)#interface fastethernet0/1R3(config-if)#ip policy route-map R2_L0_RMAP

We can verify it is working by running the traceroute

again. This time it goes to 24.234.234.2.

R5#traceroute 2.2.2.2

Type escape sequence to abort.Tracing the route to 2.2.2.2

1 35.35.35.3 0 msec 4 msec 0 msec 2 24.234.234.2 12 msec * 12 msec

Task 7.5

Configure R1 FastEthernet0/0 to send IP traffic destined

for R6’s L0 to interface null0.

This is known as black hole routing. A route map is used to

set the next-hop of matched traffic to null0 which drops

the packets.

Currently, SW2 can ping R6’s L0 (6.6.6.6).

SW2#ping 6.6.6.6






464



Now we’ll configure our route-map.

R1(config)#ip access-list extended R6_L0R1(config-ext-nacl)#permit ip any host 6.6.6.6R1(config-ext-nacl)#exitR1(config)#route-map R6_L0_RMAPR1(config-route-map)#match ip address R6_L0R1(config-route-map)#set interface null 0R1(config-route-map)#exitR1(config)#interface fastethernet0/0R1(config-if)#ip policy route-map R6_L0_RMAP

Now we’ll ping again to verify the black hole routing is

working properly.

SW2#ping 6.6.6.6

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:.....Success rate is 0 percent (0/5)

The pings are being dropped. A “show route-map” verifies

that 5 packets were matched.

R1#show route-map R6_L0_RMAProute-map R6_L0_RMAP, permit, sequence 10 Match clauses: ip address (access-lists): R6_L0 Set clauses: interface Null0 Policy routing matches: 5 packets, 570 bytes

Task 7.6





465



R2, R3, and R4 are configured in BGP AS 234. R2 is peering

with R3 and R4, and is acting as a Route-Reflector Server.

R2 is configured with Loopback 22 (22.22.22.2), and R2 is

redistributing its connected networks into BGP.

R5 and R6 have static route for 22.22.22.0/24 to R3 and R4

respectively.

Configure Remote Triggered Black Hole (RTBH) filtering so

that Routers R3 and R4 black hole any packets destined for

the 22.22.22.0 network.

RTBH provides the capability to drop packets at the edge of

your network by changing the configuration of a single

router.

R3 and R4 are learning about the R2 connected networks via

BGP.


Network Next Hop Metric LocPrf WeightPath*>i2.2.2.0/24 24.234.234.2 0 100 0 ?*>i22.22.22.0/24 24.234.234.2 0 100 0 ?r>i24.234.2.0/24 24.234.234.2 0 100 0 ?r>i24.234.234.0/24 24.234.234.2 0 100 0 ?





466





R5 and R6 have connectivity to the 22.22.22.0 network.

R5#ping 22.22.22.2


R6#ping 22.22.22.2


First, the BGP routers must have a ‘black hole’ to route

the bad traffic to. We’ll configure an address that will be

statically routed to null0.

R2#conf t





467



R2(config)#ip route 192.0.5.1 255.255.255.255 null0R2(config)#end

R3#conf tR3(config)#ip route 192.0.5.1 255.255.255.255 null0R3(config)#end

R4#conf tR4(config)#ip route 192.0.5.1 255.255.255.255 null0R4(config)#end

Now we’ll configure the BGP Trigger Router (R2) so that

traffic destined for the 22.22.22.0 network will be routed

to our black hole address of 192.0.5.1.

R2(config)#access-list 1 permit 22.22.22.0 0.0.0.255R2(config)#route-map RTBH permit 10R2(config-route-map)#match address 1R2(config-route-map)#set ip next-hop 192.0.5.1R2(config-route-map)#set local-preference 200R2(config-route-map)#route-map RTBH permit 20R2(config-route-map)#router bgp 234R2(config-router)#neighbor 24.234.234.3 route-map RTBH outR2(config-router)#neighbor 24.234.234.4 route-map RTBH out

After issuing a clear ip bgp *, we see that R3 and R4 have

updated their BGP table to reflect the next hop for

22.22.22.0 as 192.0.5.1.

R3#clear ip bgp *R3#show ip bgpBGP table version is 20, local router ID is 3.3.3.3Status codes: s suppressed, d damped, h history, * valid, >best, i - internal, r RIB-failure, S StaleOrigin codes: i - IGP, e - EGP, ? - incomplete





468






R5 and R6 can no longer ping 22.22.22.2.

R5#ping 22.22.22.2


R6#ping 22.22.22.2






469



Task 7.7

Configure R3 to deny inbound telnet and ICMP ECHOs on

FastEthernet0/1 from VLAN 35.

Access-lists provide traffic filtering capabilities to

allow or deny traffic from entering or exiting a network.

In this case the ACL is fairly simple.

R3(config)#ip access-list extended VLAN35R3(config-ext-nacl)#deny tcp 35.35.35.0 0.0.0.255 any eq telnetR3(config-ext-nacl)#deny icmp 35.35.35.0 0.0.0.255 any echoR3(config-ext-nacl)#permit ip any anyR3(config-ext-nacl)#exitR3(config)#interface fastethernet0/1R3(config-if)#ip access-group VLAN35 in

Verify by attempting a telnet from R5 to 24.234.234.2

R5#telnet 24.234.234.2Trying 24.234.234.2 ...% Destination unreachable; gateway or host down

When sourcing the telnet address from loopback 0, the

telnet is allowed.

R5#telnet 24.234.234.2 /source-interface lo0Trying 24.234.234.2 ... Open


Password:R2#exit





470




A ping from R5 fails due to the access-list.

R5#ping 24.234.234.2


But a ping from R5’s loopback0 is successful.

R5#ping 24.234.234.2 source lo0

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 24.234.234.2, timeout is 2seconds:Packet sent with a source address of 5.5.5.5!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =28/29/32 ms

Task 7.8

Configure R4 to deny all inbound packets with the IP option

of timestap on interface FastEthernet0/0.

ACLs can filter IP Options. In this example, we are denying

packets that have the IP Option “timestamp” specified.

Currently, R6 can traceroute to 2.2.2.2 with the IP Option

timestamp.

R6#traceroute





471



Protocol [ip]:Target IP address: 2.2.2.2Source address:Numeric display [n]:Timeout in seconds [3]:Probe count [3]:Minimum Time to Live [1]:Maximum Time to Live [30]:Port Number [33434]:Loose, Strict, Record, Timestamp, Verbose[none]: tNumber of timestamps [ 9 ]:Loose, Strict, Record, Timestamp, Verbose[TV]:Type escape sequence to abort.Tracing the route to 2.2.2.2

1 46.46.46.4 4 msecReceived packet has optionsTotal option bytes= 40, padded length=40 Timestamp: Type 0. Overflows: 0 length 40, ptr 9 Time=*16:01:07.611 UTC (836FF01B) >>Current pointer<< Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000)

Now we will configure an access-list to deny ip packets

with the timestamp IP Option using the “option” keyword.

R4(config)#ip access-list extended IPOPTIONSR4(config-ext-nacl)#deny ip any any option timestampR4(config-ext-nacl)#permit ip any anyR4(config-ext-nacl)#exitR4(config)#interface fastethernet0/0R4(config-if)#ip access-group IPOPTIONS in





472



Now, the traceroute from R6 to 2.2.2.2 with the timestamp

IP Option is denied.

R6#tracerouteProtocol [ip]:Target IP address: 2.2.2.2Source address:Numeric display [n]:Timeout in seconds [3]:Probe count [3]:Minimum Time to Live [1]:Maximum Time to Live [30]:Port Number [33434]:Loose, Strict, Record, Timestamp, Verbose[none]: tNumber of timestamps [ 9 ]:Loose, Strict, Record, Timestamp, Verbose[TV]:Type escape sequence to abort.Tracing the route to 2.2.2.2

1 46.46.46.4 !AReceived packet has optionsTotal option bytes= 40, padded length=40 Timestamp: Type 0. Overflows: 0 length 40, ptr 9 Time=*15:58:55.915 UTC (836DEDAB) >>Current pointer<< Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) * !AReceived packet has optionsTotal option bytes= 40, padded length=40 Timestamp: Type 0. Overflows: 0 length 40, ptr 9 Time=*15:58:58.915 UTC (836DF963) >>Current pointer<< Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000)





473



Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000) Time= 00:00:00.000 UTC (00000000)

Issuing “show ip access-lists” verifies the traceroute

packets were dropped.

R4#show ip access-listsExtended IP access list IPOPTIONS 10 deny ip any any option timestamp (3 matches) 20 permit ip any any (27 matches)

Task 7.9

Configure NAT on R4 so that any 24.234.0.0/16 address will

use an external pool as the source IP Address when

connecting to any R6 network. The external NAT pool will

be 46.46.46.100 – 46.46.46.200.

First we will create a nat pool. Then create an ACL to

identify traffic to be translated. We’ll setup the

translation to use the ACL and pool with the “ip nat

inside” command. Finally interface s0/0/0 is setup as

“inside” and fa0/0 setup as “outside”.

R4(config)#ip nat pool NAT-POOL 46.46.46.100 46.46.46.200prefix-length 24R4(config)#ip access-list extended NET





474



R4(config-ext-nacl)#permit ip 24.234.0.0 0.0.255.255 anyR4(config-ext-nacl)#exitR4(config)#ip nat inside source list NET pool NAT-POOLR4(config)#interface serial0/0/0R4(config-if)#ip nat insideR4(config-if)#interface fastethernet0/0R4(config-if)#ip nat outside

Verify by generating traffic that will be translated. A

ping from R2 to R6 accomplishes this.

R2#ping 46.46.46.6

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 46.46.46.6, timeout is 2seconds:.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max =56/58/60 ms

Now do a show ip nat translations on R4 to see the NAT.

R4#show ip nat translationsPro Inside global Inside local Outside localOutside globalicmp 46.46.46.100:0 24.234.234.2:0 46.46.46.6:046.46.46.6:0--- 46.46.46.100 24.234.234.2 --- ---

Task 7.10

Configure R4 so that incoming connections from R6 to

46.46.46.2 will be translated to the destination address of

loopback0 on R2.





475



In this example, we are hiding the 2.2.2.2 address behind

the public address of 46.46.46.2. When R6 telnets to

46.46.46.2, the packets are sent to 2.2.2.2.

R4(config)#ip nat inside source static 2.2.2.2 46.46.46.2

To verify, telnet from R6 to 46.46.46.2. Once logged in

you’ll be connected to R2.



Password:R2#

Issue show ip nat translation on R4 to see the NAT.

R4#show ip nat translationsPro Inside global Inside local Outside localOutside globaltcp 46.46.46.2:23 2.2.2.2:23 46.46.46.6:1122346.46.46.6:11223--- 46.46.46.2 2.2.2.2 --- ------ 46.46.46.100 24.234.234.2 --- ------ 46.46.46.101 24.234.234.3 --- ---

Task 7.11





476



Configure R1 to protect the ACS Server (192.168.2.101) from

SYN-flooding attacks. Use TCP Intercept.

An access-list is used to provide granularity for the

traffic that should be intercepted, in this case from any

device to the ACS server. Then TCP intercept is configured

with “ip tcp intercept”.

R1(config)#ip access-list extended TCP_INTERCEPTR1(config-ext-nacl)#permit ip any host 192.168.2.101R1(config-ext-nacl)#exitR1(config)#ip tcp intercept list TCP_INTERCEPTcommand accepted, interfaces with mls configured might causeinconsistent behavior

Task 7.12

Configure R1 to wait 20 seconds for TCP sessions to

establish. If TCP connections are not established within

20 seconds, then R1 should send a reset.

TCP Intercept can be configured in one of two modes:

Intercept or Watch. In watch mode the router will monitor

connections and terminate them only if they are not

established within a specified period.

R1(config)#ip tcp intercept mode watchcommand accepted, interfaces with mls configured might causeinconsistent behavior

R1(config)#ip tcp intercept watch-timeout 20





477



command accepted, interfaces with mls configured might causeinconsistent behavior

Task 7.13

Configure R1 to drop TCP connections 3 seconds after

receiving a reset or FIN-Exchange.

By default, TCP Intercept waits 5 seconds from receipt of a

reset or FIN-exchange before it ceases to manage the

connection. We’ll be changing this to 3 seconds.

R1(config)#ip tcp intercept finrst-timeout 3command accepted, interfaces with mls configured might causeinconsistent behavior

Task 7.14

Configure R1 to manage TCP connections for up to one hour

with no activity.

By default, TCP Intercept still manages a connection for 24

hours after no activity. We’ll be dropping this time down

to one hour. The time is in seconds.

R1(config)#ip tcp intercept connection-timeout 3600command accepted, interfaces with mls configured might causeinconsistent behavior





478



Task 7.15

Configure R1 to start dropping incomplete TCP connections

when the number exceeds 1000. Stop aggressive behavior when

incomplete TCP connections drop below 700. Configure R1 to

start aggressive behavior when the number of incomplete TCP

connections reaches 400 within a minute. Stop aggressive

behavior when the number of incomplete TCP connections

reaches 200 within a minute.

TCP Intercept starts aggressive behavior when the high

value is exceeded and stops it when the number falls below

the low value.

R1(config)#ip tcp intercept max-incomplete high 1000command accepted, interfaces with mls configured might causeinconsistent behavior

R1(config)#ip tcp intercept max-incomplete low 700command accepted, interfaces with mls configured might causeinconsistent behavior

R1(config)#ip tcp intercept one-minute high 400command accepted, interfaces with mls configured might causeinconsistent behavior

R1(config)#ip tcp intercept one-minute low 200command accepted, interfaces with mls configured might causeinconsistent behavior





479



Task 7.16

Configure R1 so that when connections are dropped they are

chosen randomly instead of oldest first.

TCP Intercept can drop partial connections one of two ways:

Oldest or Random. The default is to drop the oldest, we’ll

be changing that.

R1(config)#ip tcp intercept drop-mode randomcommand accepted, interfaces with mls configured might causeinconsistent behavior

Task 7.17

Configure R3 interface FastEthernet0/1 to ensure that

packets are reachable via the interface they come in on.

Any denied packets should be logged.

Unicast Reverse Path Forwarding (uRPF) mitigates source IP

Address spoofing. It is applied per interface. Logging can

be added by specifying an access-list at the end of the

command. The “log” or “log-input” statement must be added

at the end of the ACL.

R3(config)#access-list 1 deny any log





480



R3(config)#interface fastethernet0/1R3(config-if)#ip verify unicast source reachable-via rx 1

Task 7.18

Configure uRPF on ASA1 for all traffic.

Just like an IOS Router, Unicast Reverse Path Forwarding is

configured on a per interface basis.

ASA1(config)# ip verify reverse-path interface insideASA1(config)# ip verify reverse-path interface outside

Task 7.19

Configure R2 FastEthernet0/0 so that the inbound traffic is

limited to the following:

HTTP traffic is limited to 1Mbps with a normal burst

of 16KB and an excess burst of 24KB.

ICMP traffic is limited to 200Kbps with a normal burst

of 8KB and an excess of 16KB.

All remaining traffic is limited to 4Mbps with a

normal burst of 16KB and an excess of 16KB.

This is configured with the rate-limit command in interface

configuration mode. An ACL is used to identify the traffic





481



to be rate limited. The rate is measured in bits per

second. The normal and maximum burst are measured in bytes

per second.

R2(config)#access-list 101 permit tcp any any eq wwwR2(config)#access-list 102 permit icmp any anyR2(config)#access-list 103 permit ip any anyR2(config)#interface fastethernet0/1

R2(config-if)#rate-limit input access-group 101 1000000 1600024000 conform-action transmit exceed-action drop



Task 7.20

Configure R4 to discover application protocols on interface

F0/0.

This is done using NBAR with the “protocol-discovery”

keyword.

R4(config)#interface fastethernet0/0R4(config-if)#ip nbar protocol-discovery

With this configuration in place, generate some traffic

through the router.





482



R6#ping 2.2.2.2


Now issue the “show ip nbar protocol-discovery protocol

icmp” command. You can see various information including

the number and size of packets discovered by NBAR.

R4#show ip nbar protocol-discovery protocol icmp

FastEthernet0/0 Input Output ----- ------ Protocol Packet Count PacketCount Byte Count Byte Count 5min Bit Rate (bps) 5min BitRate (bps) 5min Max Bit Rate (bps) 5min MaxBit Rate (bps) ------------------------ ------------------------ ------------------------ icmp 5 5 570 570 0 0 0 0 unknown 0 0 0 0 0 0 0 0 Total 47 26 3678 2124 0 0 0 0





483



Task 7.21

Configure R3 FastEthernet0/1 to drop KaZaA, Morpheus, and

Grokster P2P traffic coming from R6.

After NBAR identifies traffic, MQC can be used to take

actions on it such as dropping or policing. The class map

identifies the traffic. The policy map sets the action. The

policy map is applied to an interface with the “service-

policy” command.

R3(config)#class-map match-any P2P_CMAPR3(config-cmap)#match protocol fasttrackR3(config-cmap)#policy-map P2P_PMAPR3(config-pmap)#class P2P_CMAPR3(config-pmap-c)#dropR3(config-pmap-c)#interface fastethernet0/1R3(config-if)#service-policy input P2P_PMAP

Task 7.22

Configure R1 to capture traffic being received by interface

fastethernet0/1.

NetFlow can be configured on an interface with the “ip

flow” command in one of two ways: ingress or egress.

Ingress captures traffic being received by the interface.





484



Egress captures the traffic being transmitted by the

interface. We’re using ingress.

R1(config)#interface fastethernet0/1R1(config-if)#ip flow ingress

Verify that netflow is working by generating traffic.

ASA1# ping 1.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/2/10 ms

Now view netflow information with “show ip cache flow”.

R1#show ip cache flowIP packet size distribution (14 total packets): 1-32 64 96 128 160 192 224 256 288 320 352 384416 448 480 .000 .642 .000 .357 .000 .000 .000 .000 .000 .000 .000 .000.000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes 2 active, 4094 inactive, 2 added 40 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Inactive flows timeout in 15 secondsIP Sub Flow Cache, 25800 bytes 0 active, 1024 inactive, 0 added, 0 added to flow 0 alloc failures, 0 force free 1 chunk, 1 chunk added last clearing of statistics neverProtocol Total Flows Packets Bytes PacketsActive(Sec) Idle(Sec)





485



-------- Flows /Sec /Flow /Pkt /Sec/Flow /Flow

SrcIf SrcIPaddress DstIf DstIPaddress PrSrcP DstP PktsFa0/1 24.234.10.100 Local 1.1.1.1 010000 0800 5Fa0/1 24.234.10.100 Null 224.0.0.10 580000 0000 9

Task 7.23

Configure R1 to export this data to the ACS Server over UDP

port 514.

NetFlow data can be exported to an external device using

the “ip flow-export” command. When specifying the IP

Address of the device, you must also specify the port to be

used.

In this example, we specified the Kiwi Syslog Server on the

ACS, and set the port to UDP 514, which is the port for

syslog. Since the Kiwi Syslog Server listens on that port,

you will see the NetFlow information sent to the Kiwi

Syslog Server.

R1(config)#ip flow-export destination 192.168.2.101 514 udp

Verify that traffic is being exported by generating

traffic.





486



ASA1# ping 1.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/1/1 ms

And then viewing what traffic has been exported with show ipflow export.

R1#show ip flow exportFlow export v1 is enabled for main cache Export source and destination details : VRF ID : Default Destination(1) 192.168.2.101 (514) Version 1 flow records 1 flows exported in 1 udp datagrams 0 flows failed due to lack of export packet 0 export packets were sent up to process level 0 export packets were dropped due to no fib 0 export packets were dropped due to adjacency issues 0 export packets were dropped due to fragmentation failures 0 export packets were dropped due to encapsulation fixupfailures

Task 7.24

Configure R4 to police SMTP traffic to 400000 Kbps with a

burst of 8k bytes and an excess burst of 16k bytes inbound

on interface FastEthernet0/0. SMTP traffic that conforms

is transmitted, and SMTP traffic that does not conform is

dropped.





487



An access-list is used to classify the traffic, and MQC is

used to police the traffic.

R4(config)#ip access-list extended SMTPR4(config-ext-nacl)#permit tcp any any eq smtpR4(config-ext-nacl)#exitR4(config)#class-map match-any SMTP_CMAPR4(config-cmap)#match access-group name SMTPR4(config-cmap)#policy-map SMTP_PMAPR4(config-pmap)#class SMTP_CMAPR4(config-pmap-c)#police 400000 8000 16000R4(config-pmap-c-police)#conform-action transmitR4(config-pmap-c-police)#exceed-action dropR4(config-pmap-c-police)#interface fastethernet0/0R4(config-if)#service-policy input SMTP_PMAP

Task 7.25

On ASA1 capture ICMP traffic from R1 to R2. The buffer

should start overwriting the beginning when full.

In order to capture and see packets on the ASA, the first

step is to configure an access-list for the specific

traffic that you would like to capture. Once the access-

list has been configured, the “capture” command is used to

enable the capture. The “circular-buffer” option allows the

buffer to be overwritten.

ASA1(config)#access-list R1_R2 permit icmp host 24.234.10.1 host2.2.2.2





488



ASA1(config)#capture ICMP access-list R1_R2 circular-bufferinterface inside

R1#ping 2.2.2.2


The show capture commands are used for viewing of the

captured packets.

ASA1# show capture ICMP5 packets captured 1: 02:01:57.919752 24.234.10.1 > 2.2.2.2: icmp: echo request 2: 02:01:57.921735 24.234.10.1 > 2.2.2.2: icmp: echo request 3: 02:01:57.923322 24.234.10.1 > 2.2.2.2: icmp: echo request 4: 02:01:57.924924 24.234.10.1 > 2.2.2.2: icmp: echo request 5: 02:01:57.926526 24.234.10.1 > 2.2.2.2: icmp: echo request5 packets shown

Task 7.26

Configure R2 to guarantee 33% of the bandwidth for voice

traffic with the dscp value of ef. Next, police ICMP

traffic to 8000 bps with a burst of 1000 bytes and an

excess burst of 1000 bytes. All other traffic uses the

queuing method of fair-queue.





489



This will be accomplished with MQC. First, the ICMP traffic

will be identified with an ACL.

R2(config)#ip access-list extended ICMPR2(config-ext-nacl)#permit icmp any any

The voice traffic will be identified with the match command

within a class map and the ICMP traffic by matching our ACL

within another class map.

R2(config)#class-map match-all VOICER2(config-cmap)# match ip dscp efR2(config-cmap)#exitR2(config)#R2(config)#class-map match-any ICMP_CMAPR2(config-cmap)#match access-group name ICMPR2(config-cmap)#exit

Then a policy map is created. Within the policy map the

voice class is given priority with the “priority percent”

command.

R2(config)#policy-map WAN_PMAPR2(config-pmap)#class VOICER2(config-pmap-c)#priority percent 33R2(config-pmap-c)#exit

Then the ICMP traffic is policed with the “police” command.

R2(config-pmap-c)#class ICMP_CMAPR2(config-pmap-c)#police 8000 1000 1000R2(config-pmap-c-police)#conform-action transmitR2(config-pmap-c-police)#exceed-action drop





490



All other traffic is fair-queued with the “fair-queue”

command.

R2(config-pmap)#class class-defaultR2(config-pmap-c)#fair-queue

Finally, the policy map is applied to an interface with a

service-policy.

R2(config-pmap-c)#interface serial0/0/0R2(config-if)#service-policy output WAN_PMAP

We’ll verify with a normal ping which will conform to the

policy.

R1#ping 4.4.4.4


A “show policy-map” verifies ICMP packets were subjected to

the policing and in this case were transmitted. (Output cut

for clarity)

R2#show policy-map interface serial 0/0/0

Serial0/0/0

Service-policy output: WAN_PMAP

Class-map: ICMP_CMAP (match-any) 5 packets, 520 bytes





491



5 minute offered rate 0 bps, drop rate 0 bps Match: access-group name ICMP 5 packets, 520 bytes 5 minute rate 0 bps Queueing Output Queue: Conversation 265 Bandwidth 100 (kbps)Max Threshold 64 (packets) (pkts matched/bytes matched) 0/0 (depth/total drops/no-buffer drops) 0/0/0 police: cir 8000 bps, bc 1000 bytes, be 1000 bytes conformed 5 packets, 520 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop

conformed 0 bps, exceed 0 bps, violate 0 bps

A large ping request will be denied due to the policy.

R1#ping 4.4.4.4 size 2000


Doing another “show policy-map” verifies that there were

packets in violation of the policy.

R2#show policy-map interface serial 0/0/0

Serial0/0/0

Service-policy output: WAN_PMAP

Class-map: ICMP_CMAP (match-any) 15 packets, 10660 bytes 5 minute offered rate 1000 bps, drop rate 1000 bps





492



Match: access-group name ICMP 15 packets, 10660 bytes 5 minute rate 1000 bps Queueing Output Queue: Conversation 265 Bandwidth 100 (kbps)Max Threshold 64 (packets) (pkts matched/bytes matched) 0/0 (depth/total drops/no-buffer drops) 0/0/0 police: cir 8000 bps, bc 1000 bytes, be 1000 bytes conformed 10 packets, 3140 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: transmit violated 5 packets, 7520 bytes; actions: drop conformed 0 bps, exceed 0 bps, violate 1000 bps





493







494








495



outside24.234.1.0/24

DMZ172.16.0.0/24

E0/0.3 E0/1

.100 .100R1

R2

R3

ASA1

.2

.1.101

Network Attacks Lab Topoloy

.100E0/0.2inside

192.168.2.0/16

ACS

.3

R4.4

R5.5

.1S0/0/0

Fa0/0

Fa0/0

Fa0/0

Fa0/0

S0/0/0

EIGRP 1





496








497







498








499







500








501







502



Task 8.1

A network beyond R5 is launching fragmentation based

attacks against the network. Drop non-initial fragments

incoming on R1 but allow all other traffic to pass.

Task 8.2

Hosts behind R4 are particularly vulnerable to

fragmentation attacks. Drop all fragments incoming to R4.

Do not use an access list to accomplish this.

Task 8.3

Some fragments must be allowed from the internal network to

the outside, but to cut down on fragmentation attacks,

configure the ASA to only allow a maximum of 12 fragments

per IP packet.





503



Task 8.4

A network beyond R5 is launching an IP option based attack.

Configure R1 to drop all IP option traffic.





504



Task 8.5

You believe an attacker from the outside is trying to gain

information about your network by scanning internal hosts.

Configure the ASA to detect this behavior and shun the

attacker for half an hour if detected.

Task 8.6

You think the attacker may have been scanning because you

are allowing too much information to the outside. ICMP and

telnet should only be allowed incoming from R1 and FTP

should only be allowed from anywhere to R2. Review the ASA

configuration and correct the access allowed.





505



Task 8.7

R1 is connected to the internet via R5. Configure R1 to

drop incoming packets sourced with the RFC 1918 addresses

on the internet facing interface.

Task 8.8

You believe that a user inside your network is launching

attacks against internet hosts using spoofed source IPs.

Configure the ASA so that it will verify incoming packets

originated from the internal networks.

Task 8.9

You suspect that a user on port fa0/10 of SW1 is spoofing

mac addresses. Configure SW1 to learn the host’s real mac

address, enter it in the running config and disable the

port if additional mac addresses are seen.

Task 8.10

There is a hub attached to port fa0/11 of SW1. The number

of devices on the hub varies from 5 to 10 depending on who





506



is in the office that day. One of the users is attempting

to flood the CAM table of the switch. Configure SW1 so that

the necessary number of devices will be allowed but the

port will be shutdown if CAM table flooding occurs.





507



Task 8.11

The ACS server is setup as a DHCP server for VLAN 1.

Configure SW1 so that ONLY the ACS server port can respond

to DCHP requests on VLAN 1. Any other port that attempts to

respond should be shutdown.





508



Task 8.12

Configure SW1 so that ARP spoofing is not possible on VLAN

1.





509



Task 8.13

Port fa0/19 on SW1 is designated for use as a trunk link.

Its current configuration is vulnerable to VLAN hopping.

Configure port fa0/19 so this is not possible.





510



Task 8.14

A specially crafted internet worm has infected your

network. Multiple hosts from the inside are leaving half

open connections to the FTP server on R2. Configure the ASA

to limit the number of half open connections to 1000. Do

this without using a NAT statement or ACL.

Task 8.15

Hosts on the internal network are infected with a worm.

They are attempting to syn flood R5 on random TCP ports.

Configure R1 so that when the number of half open

connections exceeds 1000 it will start dropping the oldest

partial connection. When the number of connections drops

below 500 normal behavior should resume.





511



Task 8.16

Although there are already configurations in place to

defeat man in the middle attacks, SMTP between the loopback

addresses of R3 and R4 is critical to the company. Ensure

that this traffic cannot be viewed or tampered with in

transit, even if an attacker has physical access to the

switch between the devices.





512



Task 8.17

R2 has been compromised from the outside and is taking part

in a port redirection attack against internal hosts. Review

the ASA configuration and determine why the port

redirection is possible. Correct the configuration so that

port redirection is not allowed.





513



Task 8.18

R2 is an older DNS server that uses a weak randomization

algorithm for DNS transaction ID. Configure the ASA to

inspect DNS and better randomize the transaction ID for DNS

coming from the outside to R2.





514



Task 8.19

You suspect R1 might be configured to allow your network to

be used as an intermediary in a smurf attack. Review the

configuration and correct it.

Task 8.1

A network beyond R5 is launching fragmentation based

attacks against the network. Drop non-initial fragments

incoming on R1 but allow all other traffic to pass.

Non-initial fragments can be matched and permitted or

denied in an ACL with the “fragments” keyword. Remember

that your ACL needs a permit statement to allow non-

fragmented traffic to be permitted.

R1(config)#access-list 101 deny ip any any fragments





515



R1(config)#access-list 101 permit ip any anyR1(config-if)#ip access-group 101 in

Task 8.2

Hosts behind R4 are particularly vulnerable to

fragmentation attacks. Drop all fragments incoming to R4.

Do not use an access list to accomplish this.

Virtual reassembly is normally used with IOS firewall

features to set limits on reassembling packets for

inspection. However you can also block all fragments using

“ip virtual reassembly” with the “drop-fragments” keyword.

R4(config)#int fa0/0R4(config-if)#ip virtual-reassembly drop-fragments

Task 8.3

Some fragments must be allowed from the internal network to

the outside, but to cut down on fragmentation attacks,

configure the ASA to only allow a maximum of 12 fragments

per IP packet.

The ASA can set limits on the number of fragments allowed

per whole IP packet. It is 24 by default but you can set it

lower or higher with the “fragment chain” command. Setting

this to 1 means fragmentation will not be allowed. You can

also set this per interface as we will do in this task.





516



ASA(config)# fragment chain 12 inside

Task 8.4

A network beyond R5 is launching an IP option based attack.

Configure R1 to drop all IP option traffic.

IP Options can be dropped at a router with the “ip options

drop” command. You will receive a warning about protocols

that use IP options not working as expected.

R1(config)#ip options drop

% Warning: RSVP and other protocols that use IP Options packetsmay not function as expected.

Task 8.5

You believe an attacker from the outside is trying to gain

information about your network by scanning internal hosts.

Configure the ASA to detect this behavior and shun the

attacker for half an hour if detected.





517



Scanning threats can be detected and/or blocked with the

“threat-detection” command. Use the “shun” option with a

duration to block for a specified amount of time in

seconds.

ASA(config)# threat-detection scanning-threat shun duration 1800

Task 8.6

You think the attacker may have been scanning because you

are allowing too much information to the outside. ICMP and

telnet should only be allowed incoming from R1 and FTP

should only be allowed from anywhere to R2. Review the ASA

configuration and correct the access allowed.

Network attacks often occur because administrators don’t

use the principal of least access. Only the least amount of

access needed for a network to function should be allowed.

Anything else leaves the door open for attacks. In this

case we know what access is needed. Now we will look at the

current configuration to see what is allowed.

ASA# sho run access-listaccess-list outside extended permit icmp any anyaccess-list outside extended permit tcp any any eq telnetaccess-list outside extended permit tcp any any eq ftp

This allows our network to function, but it is too

permissive. We need to first remove these ACL entries.





518



ASA(config)# no access-list outside extended permit icmp any anyASA(config)# no access-list outside extended permit tcp any anyeq telnetASA(config)# no access-list outside extended permit tcp any anyeq ftp

And then add only the access needed. Since we removed the

entire ACL we need to re-apply the new one to the outside

interface.

ASA(config)# access-list outside extended permit icmp host24.234.1.1 anyASA(config)# access-list outside extended permit tcp host24.234.1.1 any eq telnetASA(config)# access-list outside extended permit tcp any host172.16.0.2 eq ftpASA(config)# access-group outside in interface outside

Task 8.7

R1 is connected to the internet via R5. Configure R1 to

drop incoming packets sourced with the RFC 1918 addresses

on the internet facing interface.

RFC 1918 addresses are set aside for private network use.

They should never come in from the internet and can be

blocked with an ACL. We already have an ACL present on the

internet facing interface (s0/0/0) so we first need to

remove our “permit IP any any” statement so the deny

statements will function. After the RFC 1918 addresses are

denied the “permit” statement can be re-applied.





519



R1(config)#no access-list 101 permit ip any anyR1(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 anyR1(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 anyR1(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 anyR1(config)#access-list 101 permit ip any any

Task 8.8

You believe that a user inside your network is launching

attacks against internet hosts using spoofed source IPs.

Configure the ASA so that it will verify incoming packets

originated from the internal networks.

This is done with the “ip verify reverse-path” command. The

ASA will check that the source address of a packet is

reachable via the interface this command is configured for.

If it is not, that packet will be dropped.

ASA(config)# ip verify reverse-path interface inside

Task 8.9

You suspect that a user on port fa0/10 of SW1 is spoofing

mac addresses. Configure SW1 to learn the host’s real mac

address, enter it in the running config and disable the

port if additional mac addresses are seen.

This is done with the “switchport port-security” command.

By default the max number of mac addresses allowed per port

is 1. The default is to disable the port. The “sticky”





520



option enters the learned mac address into the running

config of the switch.

SW1(config)#interface fa0/10SW1(config-if)#switchport port-securitySW1(config-if)#switchport port-security mac-address sticky

Task 8.10

There is a hub attached to port fa0/11 of SW1. The number

of devices on the hub varies from 5 to 10 depending on who

is in the office that day. One of the users is attempting

to flood the CAM table of the switch. Configure SW1 so that

the necessary number of devices will be allowed but the

port will be shutdown if CAM table flooding occurs.

In this case multiple mac addresses are allowable since

there is a hub attached to the port. However we should

never see more than 10 mac addresses on the port. We’ll

need to use port-security again, but set the maximum

allowable mac addresses to 10.

SW1(config)#interface fa0/11SW1(config-if)#switchport port-securitySW1(config-if)#switchport port-security maximum 10





521



Task 8.11

The ACS server is setup as a DHCP server for VLAN 1.

Configure SW1 so that ONLY the ACS server port can respond

to DCHP requests on VLAN 1. Any other port that attempts to

respond should be shutdown.

This is done with DHCP snooping. It allows you to set a

port as trusted. Only trusted ports will be able to respond

to DHCP requests. First DHCP snooping must be enabled

globally, then for specific VLANs, and finally a port is

set as trusted.

SW1(config)#ip dhcp snoopingSW1(config)#ip dhcp snooping vlan 1SW1(config)#int fa0/24SW1(config-if)#ip dhcp snooping trust

You can verify your DHCP snooping configuration with “show

ip dhcp snooping”.

SW1#sho ip dhcp snoopingSwitch DHCP snooping is enabledDHCP snooping is configured on following VLANs:1DHCP snooping is operational on following VLANs:1DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled





522



circuit-id format: vlan-mod-port remote-id format: MACOption 82 on untrusted port is not allowedVerification of hwaddr field is enabledVerification of giaddr field is enabledDHCP snooping trust/rate is configured on the followingInterfaces:

Interface Trusted Rate limit (pps)------------------------ ------- ----------------FastEthernet0/24 yes unlimited

Task 8.12

Configure SW1 so that ARP spoofing is not possible on VLAN

1.

One of the benefits of DHCP snooping is that it creates a

mac to IP binding database. Dynamic ARP inspection (DAI)

can then be used to verify a valid mac to ip binding before

allowing the ARP packet.

SW1(config)#ip arp inspection vlan 1

Task 8.13

Port fa0/19 on SW1 is designated for use as a trunk link.

Its current configuration is vulnerable to VLAN hopping.

Configure port fa0/19 so this is not possible.





523



By default switchports are set to negotiate their mode to

either access or trunk links depending on the neighbor.

It’s possible to connect a rouge switch or a PC emulating

trunking. Also, fa0/19 is using the default native VLAN of

1 which is used as a data VLAN in our lab. This allows for

possible double tagging to VLAN hop. To eliminate the

possibility of VLAN hopping, force fa0/19 to always be a

trunk link and set the native VLAN to one unused by regular

traffic.

SW1(config)#interface fa0/19SW1(config-if)#switchport trunk encapsulation dot1qSW1(config-if)#switchport mode trunkSW1(config-if)#switchport trunk native vlan 10

Task 8.14

A specially crafted internet worm has infected your

network. Multiple hosts from the inside are leaving half

open connections to the FTP server on R2. Configure the ASA

to limit the number of half open connections to 1000. Do

this without using a NAT statement or ACL.

Although the ASA can limit half open connections using a

NAT statement sometimes you are not using NAT to go from

one internal network to another. In this case it can be

done from within a policy map.





524



ASA(config)# class-map FTPASA(config-cmap)# match port tcp eq ftpASA(config-cmap)# policy-map FTPASA(config-pmap)# class FTPASA(config-pmap-c)# inspect ftpASA(config-pmap-c)# set connection embryonic-conn-max 1000ASA(config-pmap-c)# service-policy FTP interface inside

Task 8.15

Hosts on the internal network are infected with a worm.

They are attempting to syn flood R5 on random TCP ports.

Configure R1 so that when the number of half open

connections exceeds 1000 it will start dropping the oldest

partial connection. When the number of connections drops

below 500 normal behavior should resume.

This is done with TCP intercept. The max-incomplete high is

the number of half open connections that must be exceeded

to trigger aggressive mode. The max-incomplete low is the

number that half open connections must fall below for

normal behavior to resume.

R1(config)#access-list 105 permit tcp any host 24.234.0.5R1(config)#ip tcp intercept list 105command accepted, interfaces with mls configured might causeinconsistent behavior

R1(config)#ip tcp intercept max-incomplete high 1000command accepted, interfaces with mls configured might causeinconsistent behavior





525



R1(config)#ip tcp intercept max-incomplete low 500command accepted, interfaces with mls configured might causeinconsistent behavior

Task 8.16

Although there are already configurations in place to

defeat man in the middle attacks, SMTP between the loopback

addresses of R3 and R4 is critical to the company. Ensure

that this traffic cannot be viewed or tampered with in

transit, even if an attacker has physical access to the

switch between the devices.

We’ve already configured DHCP snooping, dynamic arp

inspection and port-security on our network. However an

attacker with physical access to the switch (such as IT

staff) could still perform a MITM attack or simply

duplicate and view the traffic with a SPAN port.

To defeat this you can treat your internal network as

untrusted and encrypt the specific traffic you need to

protect. First we’ll configure R3. (ICMP included for

testing)

R3(config)#crypto isakmp policy 10R3(config-isakmp)#encryption aesR3(config-isakmp)#hash shaR3(config-isakmp)#authentication pre-shareR3(config-isakmp)#exitR3(config)#crypto isakmp key 0 cisco address 192.168.2.4





526



R3(config)#crypto ipsec transform-set R4_SMTP esp-aes esp-sha-hmacR3(cfg-crypto-trans)#exitR3(config)#access-list 101 permit tcp host 3.3.3.3 host 4.4.4.4eq smtpR3(config)#access-list 101 permit icmp host 3.3.3.3 host 4.4.4.4R3(config)#crypto map R4_SMTP 10 ipsec-isakmp% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.R3(config-crypto-map)#set peer 192.168.2.4R3(config-crypto-map)#match address 101R3(config-crypto-map)#set transform-set R4_SMTPR3(config-crypto-map)#exitR3(config)#int fa0/0R3(config-if)#crypto map R4_SMTP

Then R4

R4(config)#crypto isakmp policy 10R4(config-isakmp)#encryption aesR4(config-isakmp)#hash shaR4(config-isakmp)#authentication pre-shareR4(config-isakmp)#exitR4(config)#crypto isakmp key 0 cisco address 192.168.2.3R4(config)#crypto ipsec transform-set R3_SMTP esp-aes esp-sha-hmacR4(cfg-crypto-trans)#exitR4(config)#access-list 101 permit tcp host 4.4.4.4 host 3.3.3.3eq smtpR4(config)#access-list 101 permit icmp host 4.4.4.4 host 3.3.3.3R4(config)#crypto map R3_SMTP 10 ipsec-isakmp% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.R4(config-crypto-map)#set peer 192.168.2.3R4(config-crypto-map)#match address 101R4(config-crypto-map)#set transform-set R3_SMTPR4(config-crypto-map)#exitR4(config)#int fa0/0R4(config-if)#crypto map R3_SMTP





527



Now verify the tunnel works, in this case with a ping. The

ping should be successful and the ipsec sa should show

packets encrypted and decrypted.

R4#ping 3.3.3.3 source loopback 0

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:Packet sent with a source address of 4.4.4.4!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max =1/2/4 msR4#sho crypto ipsec sa

interface: FastEthernet0/0 Crypto map tag: R3_SMTP, local addr 192.168.2.4


Task 8.17

R2 has been compromised from the outside and is taking part

in a port redirection attack against internal hosts. Review





528



the ASA configuration and determine why the port

redirection is possible. Correct the configuration so that

port redirection is not allowed.

Port redirection exploits trust relationships. An outside

host may not have access directly to an internal host, but

does have access to a DMZ host. If the DMZ host has access

to the inside and is exploited, the attacker uses it as a

jump off point to attack the inside.

This is often only possible because the DMZ host has more

access to the inside network than it needs. This violates

the concept of least access. First we’ll review the DMZ ACL

to see what might be wrong.

ASA# sho run access-list dmzaccess-list dmz extended permit icmp any anyaccess-list dmz extended permit tcp any any eq telnetaccess-list dmz extended permit tcp any any eq wwwaccess-list dmz extended permit tcp any any eq ftp

The access list allows DMZ hosts fairly broad access to the

inside network. Since the task made no mention of specific

access needed to the inside by DMZ hosts, it is best to

apply the principal of least access and completely remove

the ACL. This will mean the interface security level will

take over and the DMZ will not be able to initiate any

traffic to the inside.

ASA(config)# clear configure access-list dmz





529



Task 8.18

R2 is an older DNS server that uses a weak randomization

algorithm for DNS transaction ID. Configure the ASA to

inspect DNS and better randomize the transaction ID for DNS

coming from the outside to R2.

This will involve the “id-randomization” parameter within a

DNS policy map type inspect. The policy map type inspect is

then nested within a L3/4 policy map which is applied to

the outside interface.

ASA(config)# policy-map type inspect dns R2_DNSASA(config-pmap)# parametersASA(config-pmap-p)# id-randomizationASA(config-pmap-p)# exitASA(config-pmap)# exitASA(config)# access-list R2_DNS permit tcp any host 172.16.0.2eq 53ASA(config)# access-list R2_DNS permit udp any host 172.16.0.2eq 53ASA(config)# class-map R2_DNSASA(config-cmap)# match access-list R2_DNSASA(config-cmap)# exitASA(config)# policy-map R2_DNS_L4ASA(config-pmap)# class R2_DNSASA(config-pmap-c)# inspect dns R2_DNSASA(config-pmap-c)# exitASA(config-pmap)# exitASA(config)# service-policy R2_DNS_L4 interface outside





530



Task 8.19

You suspect R1 might be configured to allow your network to

be used as an intermediary in a smurf attack. Review the

configuration and correct it.

Smurf attacks rely on directed broadcasts, so that is the

configuration we’ll be looking for.

R1#sho run int fa0/0Building configuration...

Current configuration : 118 bytes!interface FastEthernet0/0 ip address 24.234.1.1 255.255.255.0 ip directed-broadcast duplex auto speed autoend

“IP directed-broadcast” is off by default but can be

enabled for specific purposes. Since we are concerned with

possible smurf attacks we’ll disable it.

R1(config)#int fa0/0R1(config-if)#no ip directed-broadcast




CCIE Security Tech Lab Wkbk v3.0 eBook Updated

Documents

uservpnuser

r3sh loggingsyslog

user groupvpngroup

r1show ip

r1clear ip

1x supplicant

h323 ras defaulth323map

h323 h225