CCNP security
Upcoming SlideShare
Loading in...5
×
 

CCNP security

on

  • 107 views

 

Statistics

Views

Total Views
107
Views on SlideShare
107
Embed Views
0

Actions

Likes
0
Downloads
27
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

CCNP security CCNP security Document Transcript

  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 ASA Initialization LAB 1 Basic ASA Configuration Initialization Setup of ASA is similar as Router where you use a rollover cable to connect console of ASA to com port of PC. Command Line Interface (CLI) here is little different from IOS Router but the modes are similar as on Router, We have an Unprivileged Mode “>” This is the most basic level of access to the Cisco Device, the first mode in which you can issue very few commands. To configure your ASA you need to get in to Privileged Mode “#”. Task-1 Getting Started With ASA When we boot up the device we get into unprivileged mode from where we can view the details of ASA, its supporting features, available interfaces and its Licensing etc... ciscoasa>show version Cisco ASA Security Appliance Software Version 8.4(2) IOS Version of ASA ciscoasa up 33 mins 30 secs Uptime of device Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB Licensed features for this platform: Maximum Physical Interfaces : Unlimited perpetual Maximum VLANs : 100 perpetual Inside Hosts : Unlimited perpetual Failover : Disabled perpetual VPN-DES : Disabled perpetual VPN-3DES-AES : Disabled perpetual Security Contexts : 0 perpetual GTP/GPRS : Disabled perpetual AnyConnect Premium Peers : 5000 perpetual AnyConnect Essentials : Disabled perpetual Other VPN Peers : 5000 perpetual Total VPN Peers : 0 perpetual Shared License : Disabled perpetual AnyConnect for Mobile : Disabled perpetual AnyConnect for Cisco VPN Phone : Disabled perpetual Advanced Endpoint Assessment : Disabled perpetual UC Phone Proxy Sessions : 2 perpetual Total UC Proxy Sessions : 2 perpetual This platform has an Restricted (R) license. Configuration has not been modified since last system restart.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 ASA Initialization From unprivileged mode we can issue few more commands like ping, traceroute and login etc.… but to make any changes on the device or to configure device we need to get into privileged mode of that device. From Unprivileged mode issue enable command to get into privileged mode ciscoasa> enable Password: The default password on ASA is Blank <null> hit Enter when prompted ciscoasa# When you are in privileged mode now you can start configuring your device, When you are in privileged mode of ASA you can issue all the commands to device, to make some configuration on device you need to get into configure mode, you can get into configure mode by issuing configure terminal command in privileged mode ciscoasa# configure terminal ciscoasa(config)# enable password cisco123 Configuring Enable Password ciscoasa(config)# hostname ASA Modifying Hostname ASA(config)# In the description of show version command you can view the licensing details of the device which exhibits the capabilities of device functioning. ASA comes with two different licenses  Base License  Security plus License By default ASA comes with Base License where few functions of ASA will be restricted or locked. To use those functions we need to get an Activation Key from Cisco and Install it on Device. ASA(config)# activation-key 0x000000000x000000000x000000000x00000000 The following features available in flash activation key are NOT available in new activation key: Failover is different. flash activation key: Restricted(R) new activation key: Unrestricted(UR) Proceed with update flash activation key? [confirm] Press Enter WARNING: The running activation key was not updated with the requested key. The flash activation key was updated with the requested key, and will become active after the next reload.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 ASA Initialization Task-2 Configuring Interfaces as per following Credentials Interface Ip Address Name Security Level GigabitEthernet 0 192.168.1.10 Outside 0 GigabitEthernet 1 10.1.1.10 Inside 100 GigabitEthernet 2 172.16.1.10 DMZ 50 Simply like a router, Interface configuration in ASA is done from interface mode only. ASA(config)# interface GigabitEthernet 0 ASA(config-if)# ip address 192.168.1.10 255.0.0.0 ASA(config-if)# no shutdown ASA(config-if)# interface GigabitEthernet 1 ASA(config-if)# ip address 10.1.1.10 255.0.0.0 ASA(config-if)# no shutdown ASA(config-if)# interface GigabitEthernet 2 ASA(config-if)# ip address 172.16.1.10 ASA(config-if)# no shutdown But apart from configuring ip address in ASA we even have to configure Two more credentials i.e. Name of interface and Trustiness of interface (Security Level). Where Name of the interface is the any logical name (Like Inside, Outside, Private any name) given to the interface and throughout configuration the interface will be called with that name not by their Physical names (Ethernet 0 or 1), Assigning name to interface is mandatory. Even if you assign ip address until and unless you configure name to it our interface will not function. And security level is the value which defines the trustiness of an interface. The interface with high security level value can communicate with low security value interfaces but low valued interface can’t initiate communication for high valued interfaces by default. ASA(config-if)# interface GigabitEthernet 0 ASA(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ASA(config-if)# security-level 0
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 ASA Initialization ASA(config-if)# interface GigabitEthernet 1 ASA(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ASA(config-if)# interface GigabitEthernet 2 ASA(config-if)# nameif DMZ INFO: Security level for "DMZ" set to 0 by default. ASA(config-if)# security-level 50 Verification ASA(config-if)# show running-config ip ! interface GigabitEthernet0 nameif outside security-level 0 ip address 192.168.1.10 255.255.255.0 ! interface GigabitEthernet1 nameif inside security-level 100 ip address 10.1.1.10 255.0.0.0 ! interface GigabitEthernet2 nameif dmz security-level 50 ip address 172.16.1.10 255.255.0.0 ASA identify only the word inside perfectly when this name is assigned to any interface automatically security level will be set to 100 Apart from inside any other name gets security level 0 by default
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic ASA Initialization - II LAB 2 Default security policy modifications and ACL in ASA ASA is a very advanced firewall which inspects all the TCP and UDP connections by default from higher security level to lower security level. Apart from basic TCP and UDP protocols we have other protocols which are given for inspection and the policy which inspects those protocols is known as Default Inspection Policy. Only the protocols and the services which are available in that default inspection policy will be inspected by default from high security level to low security level. If we want the inspection of some more services then in that case we have to add those services in default inspection list or create our own separate policy of inspection ASA always consider ICMP as an attack so by default there won’t be any inspection for ICMP services. Configure the Ip addressing as per following credentials Device Interface Name Ip Address Subnet Mask ASA Ethernet 1 Outside/0 10.1.1.10 255.0.0.0 ASA Ethernet 0 Inside/100 192.168.1.10 255.255.255.0 R1 Fast Ethernet 0/0 - - 192.168.1.1 255.255.255.0 R2 Fast Ethernet 0/0 - - 10.1.1.1 255.0.0.0 Configure a default route on both the sides pointing towards ASA
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic ASA Initialization - II Task 1 : Verify the Connectivity for telnet and ICMP Lets make a connection of telnet from PC to Router R1 R1#telnet 192.168.1.10 Trying 192.168.1.10 ... Open User Access Verification Password: R2> As we have discussed above that ASA by default inspect all TCP and UDP traffic that’s why it allows only TCP and UCP communication whereas ICMP is not allowed by default Because Telnet works with TCP protocol that’s the reason your telnet connections are allowed but default and not ICMP connections Now check the connectivity from high security level to low security level i.e. from inside to outside using ping R1#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) If we see the output of the ping test then our ping packets are not being allowed even from high security level to low security level where as per the basic rule of ASA it’s supposed to allow that connection
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic ASA Initialization - II Task 2 : Configure ASA to inspect ICMP traffic by modifying default inspection policy and verify the Connectivity for ICMP We can see the default inspection policy in running configuration of device ASA# show running-config : Saved . . ! class-mapinspection_default match default-inspection-traffic ! ! policy-mapglobal_policy classinspection_default inspectdnspreset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp Services available by default inspect sqlnet inspect skinny inspectsunrpc inspectxdmcp inspect sip inspect netbios inspect tftp ! service-policyglobal_policy global : : end
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic ASA Initialization - II To modify this default inspection policy we have to get into that class ASA(config)# policy-map global_policy ASA(config-pmap)# class inspection_default ASA(config-pmap-c)# We can modify the policy after getting into that policy To add ICMP inspection into the policy ASA(config-pmap-c)# inspect icmp As soon as we start ICMP inspection our ASA starts inspection of ICMP traffic and now icmp traffic will flow from High security level to low security level R1#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/80 ms To remove any service from default inspection ASA(config)# policy-map global_policy ASA(config-pmap)# class inspection_default ASA(config-pmap-c)# no inspect icmp As soon as we remove the inspection of ICMP again ICMP Traffic is not allowed to transact PC#ping 192.168.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic ASA Initialization - II Task 3 : Configure ASA to allow ICMP traffic using Access-list. Don’t modify default inspection policy. As we know ASA allow all the traffic from high security level to low security level by default that means even ICMP echo packets which are initiated from inside subnet is allowed to go to outside subnet. But the echo-reply packets which are sent in response to echo are will be blocked because they are being initiated from low security level to high as there is no inspection for ICMP. As we are interested in using access list let's not make any changes with inspection policy than we can allow the ICMP packets from outside using Access-list Here we are creating an access-list to allow icmp traffic ASA(config)# access-list out_in permit icmp any any Now we have to apply that access-list on outside interface in inbound direction so that all the icmp traffic which is generated from that interface is allowed in to device By this the echo-reply which is generated in respond to echoes from inside is allowed to go to outside ASA(config)# access-group out_in interface outside Verification R1#ping 192.168.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 12/32/84 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 ALC and Object Groups LAB 3 Object Groups in ACL Configure the Ip addressing as per following credentials Device Interface Name Ip Address Subnet Mask ASA GigabitEthernet0 Outside/0 10.1.1.10 255.0.0.0 ASA GigabitEthernet1 Inside/100 192.168.1.10 255.255.255.0 R1 Fast Ethernet 0/0 - - 10.1.1.1 255.0.0.0 R2 FastEthernet 0/0 - - 192.168.1.1 255.255.255.0 R2 Loopback 0 -- 21.1.1.1 255.0.0.0 R2 Loopback 1 -- 22.1.1.1 255.0.0.0 R2 Loopback 2 -- 23.1.1.1 255.0.0.0 Configure a default route on both the sides pointing towards ASA We may come across various situations where we configure access-lists with multiple numbers entries defining hosts and services and each time we want to add a particular host or service then we will add one more entry to that access-list. The entries made here are known as Access-Control Entries. As the number of entries increases in the access-list it will increase difficulty in managing and modifying access-lists. To ease the management of access-list here Cisco came up with a new tool called as object-group. Object Group here allows you to group similar entities under a single object and you are allowed to use those object groups in access-list We have 4 types of object-groups i. Network type Object Group ii. Services type Object Group iii. Protocols type Object Group iv. Icmp type Object Group
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 ALC and Object Groups R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.10 R2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.10 Configure a default route on ASA pointing towards Router R2 to make the connectivity for loopbacks ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 Verify Routing and connectivity R1#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/76 ms R1#ping 21.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 21.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/56 ms R1#telnet 192.168.1.1 Trying 192.168.1.1 ... Open R2> R1#telnet 23.1.1.1 Trying 23.1.1.1 ... Open R2>
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 ALC and Object Groups Task 1 : Configure an Access-list on ASA to restrict the traffic from inside subnet to hosts 21.1.1.1 , 22.1.1.1 and 23.1.1.1 using http, ftp & telnet services. We are very familiar with access-list and its services But in ASA the access-list is little different from your router. In ASA we don’t configure access-list with numbers but we do it with Names We have to configure multiple access-entries to achieve our required task ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq http ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq http ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq ftp ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq telnet ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq http ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq ftp ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq telnet ASA(config)# access-list in-out permit ip any any Apply the access-list using access-group option in global configuration mode ASA(config)# access-group in-out in interface inside As the access-list is applied over interface it denies the traffic matching ACL R1#telnet 23.1.1.1 Trying 23.1.1.1 ... % Connection refused by remote host and the traffic not matching to access-list is allowed. R1#ping 23.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 23.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/37/76 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 ALC and Object Groups Task 2 : Rewrite the above created access-list using objects groups Steps to configure 1. Create an object group of network type and add the hosts 2. Create another object group of type services and add desired services 3. Use those object groups in Access-list Creating network type object group to catch hosts and network ASA(config)# object-group network nw-host ASA(config-network)# network-object host 21.1.1.1 ASA(config-network)# network-object host 22.1.1.1 ASA(config-network)# network-object host 23.1.1.1 Creating a services type object group with tcp protocol as all our required services (http, ftp & telnet) belongs to tcp. ASA(config)# object-group service serv-obj tcp ASA(config-service)# port-object eq http ASA(config-service)# port-object eq ftp ASA(config-service)# port-object eq telnet Using those object groups in access list ASA(config)# access-list obj-acl permit tcp any object-group nw-host object-group serv-obj Application of access-list on interface inside in inbound direction ASA(config)# access-group obj-acl in interface inside Name of ACL Network object group Service object Group
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 ALC and Object Groups Verification ASA(config)# show run object-group object-group network nw-host network-object host 21.1.1.1 network-object host 22.1.1.1 network-object host 23.1.1.1 object-group service serv-obj tcp port-object eq www port-object eq ftp port-object eq telnet ASA(config)# show access-list access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 object-group nw-host object-group serv-obj access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq www access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq www access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq ftp access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq telnet access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq www access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq ftp access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq telnet R1#telnet 21.1.1.1 Trying 21.1.1.1 ... % Connection refused by remote host R1#telnet 22.1.1.1 Trying 22.1.1.1 ... % Connection refused by remote host R1#telnet 23.1.1.1 Trying 23.1.1.1 ... % Connection refused by remote host
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Time Based Access control using ACL LAB 4 Time Based ACL We may come across a situation where we’ll be willing to control the users on the basis of time Access-list can be configured to be active on the basis of time. When we configure our Access-list based on time then in a particular interested time slot the access-list will be active. To configure a Time based Access-list we have to create a time-range first. Time range is a tool where we are allowed to define the time. We can define time with two different options => Absolute => Periodic Using option Absolute we define the starting and ending date whereas using periodic we define the time Configure the Ip addressing as per following credentials Device Interface Name Ip Address Subnet Mask ASA GigabitEthernet0 Outside/0 10.1.1.10 255.0.0.0 ASA GigabitEthernet1 Inside/100 192.168.1.10 255.255.255.0 R1 Fast Ethernet 0/0 - - 10.1.1.1 255.0.0.0 R2 FastEthernet 0/0 - - 192.168.1.1 255.255.255.0 Configure a default route on both the sides pointing towards ASA
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Time Based Access control using ACL Task 1 : Configure an access-list by the name “Time-Acl” to permit the entire host from inside subnet to outside only from 10:00 am to 05:00 pm in between 1 Oct 2011 to 31 Oct 2011 Steps to configure:-  Create a Time range by above given credentials  Configure an access-list and associate the time range with that access-list  Apply the access over an interface Creating time-range . ASA(config)# time-range t-range ASA(config-time-range)# By the above command we have created a time-range with the name “t-range”. After creating the time range we have to configure the time range as per given credentials. To define the date of time-range we use absolute option ASA(config-time-range)# absolute start 00:00 1 Oct 2012 end 00:00 31 Oct 2012 ASA(config-time-range)# When we are using absolute option to define the time in time range as soon as the end time meets the access-list will be invalid forever. To define a periodic time we use option periodic ASA(config-time-range)# periodic daily 10:00 to 17:00 ASA(config-time-range)# Using Periodic option in time range we define our clock time in 24 hours format. ASA(config-time-range)# periodic daily 10:00 to 17:00 ASA(config-time-range)#exit
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Time Based Access control using ACL Verify the configured Time-range ASA(config)# sh run time-range ! time-range t-range absolute start 00:00 01 October 2012 end 00:00 31 October 2012 periodic daily 10:00 to 17:00 ! Configuring an access-list using Time-range ASA(config)# access-list Time-Acl permit ip any any time-range t-range ASA(config)# access-list Time-Acl deny ip any any ASA(config)# show clock 15:52:57.756 UTC Fri Oct 21 2012 ASA(config)# show access-list access-list time-acl; 2 elements access-list time-acl line 1 extended permit ip any any time-range t-range (hitcnt=0) 0xcaf6f246 access-list time-acl line 2 extended deny ip any any (hitcnt=0) 0xb2c8c2d9 Because the clock is as per the time range we can see that both the entries in access-list is active To verify lets change the clock of our device ASA(config)# clock set 12:00:00 1 nov 2012 ASA(config)# show clock 12:00:11.410 UTC Wed Nov 1 2012 ASA(config)# show access-list access-list time-acl; 2 elements access-list time-acl line 1 extended permit ip any any time-range t-range (hitcnt=0) (inactive) access-list time-acl line 2 extended deny ip any any (hitcnt=0) 0xb2c8c2d9 As soon as the absolute option is met access-list will be inactive
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access of ASA LAB 5 Remote Access of ASA local access of ASA can be done using console port but when there is need of accessing ASA from remote location we need to use virtual Terminal lines (VTY) of ASA which are blocked by default to make use of remote access of ASA we need to configure those Virtual Terminal lines Remote Access of ASA can be fetched using Telnet, SSH and HTTP Configure the Ip addressing as per following credentials Device Interface Name Ip Address Subnet Mask ASA GigabitEthernet0 Outside/0 10.1.1.10 255.0.0.0 ASA GigabitEthernet1 Inside/100 192.168.1.10 255.255.255.0 R1 Fast Ethernet 0/0 - - 10.1.1.1 255.0.0.0 R2 FastEthernet 0/0 - - 192.168.1.1 255.255.255.0 PC NIC -- 10.1.1.5 255.0.0.0 Configure a default route on both the sides pointing towards ASA R1#ping 10.1.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms R1#telnet 10.1.1.10 Trying 10.1.1.10 ... % Connection timed out; remote host not responding
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access of ASA Task 1 : Configure ASA to display a banner whenever a user logins to device. ASA(config)# banner login Welcome to CCNP Security Lab of ASA Firewall ASA(config)# show run banner banner login Welcome to CCNP Security Lab of ASA Firewall Task 2 : Configure ASA to accept telnet connections from host 10.1.1.1 from inside interface. As telnet is disable by default over ASA we need to enable it as follows ASA(config)# telnet 10.1.1.1 255.255.255.255 inside herein we define which subnet is allowed to access and from which interface the access should be granted. Verification: R1#telnet 10.1.1.10 Trying 10.1.1.10 ... Open Welcome to CCNP Security Lab of ASA Firewall User Access Verification Password: cisco Type help or '?' for a list of available commands. ASA> Default password for telnet access to ASA is set as cisco R2#telnet 192.168.1.10 Trying 192.168.1.10 ... % Connection timed out; remote host not responding Telnet access from outside interface is still not allowed
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access of ASA Task 3 : Set the telnet access password of ASA to "netadmin" Command to modify telnet password is "passwd" ASA(config)# passwd netadmin R1#telnet 10.1.1.10 Trying 10.1.1.10 ... Open Welcome to CCNP Security Lab of ASA Firewall User Access Verification Password:netadmin Type help or '?' for a list of available commands. ASA> Task 4 : Create a user Account on ASA and configure ASA to accept telnet connection on basis of user accounts Creating User Account on ASA ASA(config)# username user1 password cisco123 Applying Authentication of local database over telnet ASA(config)# aaa authentication telnet console LOCAL Verification: R1#telnet 10.1.1.10 Trying 10.1.1.10 ... Open User Access Verification Username: user1 Password: cisco123 Type help or '?' for a list of available commands. ASA>
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access of ASA Task 5 : Configure ASA to allow the SSH access from outside interface for any one with user account As SSH make use of encryption its must that we generate RSA keys to activate SSH over any device Generating RSA Keys ASA(config)# crypto key generate rsa INFO: The name for the keys will be: <Default-RSA-Key> Keypair generation process begin. Please wait... SSH can be accessed only using user account only thus create a user account for accessing of SSH and configure SSH authentication for Local database. Verify existence of a user account if account is not available create a new account ASA(config)# username user1 password cisco123 Set the SSH authentication system to LOCAL dataase ASA(config)# aaa authentication ssh console LOCAL Allow SSH access for everyone from outside interface ASA(config)# ssh 0.0.0.0 0.0.0.0 outside SSH can be initiated from any address over outside interface as the default network is permitted. Verification: R2#ssh -l user1 192.168.1.10 Password:cisco123 Type help or '?' for a list of available commands. ASA>
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access of ASA Task 6 : Enable HTTP Access of ASA and access firewall using Cisco ASDM. Enable the access of HTTP over ASA ASA(config)# http server enable Even after enabling HTTP services over ASA, ASA does not allow anyone to access its ASDM Administrator need to authorize the users for access of ASDM (GUI) Authorizing user 10.1.1.5 to access HTTP ASA(config)# http 10.1.1.5 255.255.255.255 inside If user account is not available create an user account ASA(config)# username user1 password cisco123 * Check the availability of ASDM image file in ASA flash ASA(config)# show flash: --#-- --length-- -----date/time------ path : 12 15841428 Jan 16 2012 19:35:19 asdm-641.bin : Open a Browser from computer and go to Url=https://10.1.1.10
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access of ASA Select Proceed anyways and then Install ASDM Launcher
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access of ASA After Downloading and installing ASDM Launcher to computer Run Cisco ASDM Launcher Provide the mandatory details such as Device address, username and password And ASDM loads successfully
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access of ASA
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Routing over ASA LAB 6 Dynamic Routing over ASA Device Interface Name Ip Address Subnet Mask ASA GigabitEthernet0 Outside/0 10.1.1.10 255.0.0.0 ASA GigabitEthernet1 Inside/100 192.168.1.10 255.255.255.0 ASA GigabitEthernet2 DMZ/50 172.16.1.10 255.255.0.0 R1 Fast Ethernet 0/0 - - 10.1.1.1 255.0.0.0 R1 Loopback 0 - - 11.11.11.11 255.0.0.0 R1 Loopback 1 - - 12.12.12.12 255.0.0.0 R2 Fast Ethernet 0/0 - - 192.168.1.1 255.255.255.0 R2 Loopback 0 - - 22.22.22.22 255.0.0.0 R2 Loopback 1 -- 23.23.23.23 255.0.0.0 R3 Fast Ethernet 0/0 -- 172.16.1.1 255.255.0.0 R3 Loopback - - 33.33.33.33 255.255.255 Configure Default Route over all Routers pointing towards ASA Adaptive Security Appliance is designed in such a way that it is capable of performing task of multiple network devices as Router, Firewall as well as VPN Concentrator. So we can even make use of dynamic routing protocols to form our network using ASA. Support of Dynamic Routing was not available in PIX Series its introduced in ASA in IOS version 7.0 ASA Supports 3 majorly used Dynamic routing Protocols  RIP  EIGRP  OSPF Note: ASA is not capable of running multiple instances of EIGRP
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Routing over ASA Task 1 : Configure Static Routes over ASA to make the subnets over outside interface reachable. ASA(config)# route outside 22.0.0.0 255.0.0.0 192.168.1.1 ASA(config)# route outside 23.0.0.0 255.0.0.0 192.168.1.1 Verification: ASA# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP Gateway of last resort is not set S 23.0.0.0 255.0.0.0 [1/0] via 192.168.1.1, outside C 172.16.0.0 255.255.0.0 is directly connected, DMZ S 22.0.0.0 255.0.0.0 [1/0] via 192.168.1.1, outside C 10.0.0.0 255.0.0.0 is directly connected, inside C 192.168.1.0 255.255.255.0 is directly connected, outside ASA# ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/30 ms ASA# ping 23.23.23.23 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/40 ms Task 2 : Clear all the Static Routes on ASA ASA(config)# clear configure Route ASA# show route C 172.16.0.0 255.255.0.0 is directly connected, DMZ C 10.0.0.0 255.0.0.0 is directly connected, inside C 192.168.1.0 255.255.255.0 is directly connected, outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Routing over ASA Task 3 : Configure a Default Route on ASA to make all the Destinations reachable via Router R2 ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 or ASA(config)# route outside 0 0 192.168.1.1 ASA(config)# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP * - candidate default,. Gateway of last resort is 192.168.1.1 to network 0.0.0.0 C 172.16.0.0 255.255.0.0 is directly connected, DMZ C 10.0.0.0 255.0.0.0 is directly connected, inside C 192.168.1.0 255.255.255.0 is directly connected, outside S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Routing over ASA Task 4 : Configure RIP between Router R1 and ASA and make loopback addresses on Router R1 Reachable from ASA Configuring RIP over ASA ASA(config)# router rip ASA(config-router)# network 10.0.0.0 ASA(config-router)# version 2 Configuring RIP over Router R1 R1(config)#router rip R1(config-router)#network 11.0.0.0 R1(config-router)#network 12.0.0.0 R1(config-router)#network 10.0.0.0 R1(config-router)#version 2 Verification: ASA(config-router)# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is 192.168.1.1 to network 0.0.0.0 C 172.16.0.0 255.255.0.0 is directly connected, DMZ C 10.0.0.0 255.0.0.0 is directly connected, inside R 11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:10, inside R 12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:02, inside C 192.168.1.0 255.255.255.0 is directly connected, outside S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Routing over ASA Task 5: Configure EIGRP AS 100 Between ASA and Router R3 and make loopback addresses on R3 reachable by ASA Configuring EIGRP over ASA ASA(config-router)# router eigrp 100 ASA(config-router)# network 172.16.1.10 Configuring EIGRP over Router R3 R3(config)#router Eigrp 100 R3(config-router)#network 172.16.1.1 R3(config-router)#network 33.33.33.33 *Mar 1 17:05:33.507: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.16.1.10 (FastEthernet0/0) is up: new adjacency ASA(config)# show eigrp neighbors EIGRP-IPv4 neighbors for process 100 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 172.16.1.1 Et2 14 00:00:51 20 200 0 3 ASA(config)# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area * - candidate default, U - per-user static route, o - ODR Gateway of last resort is 192.168.1.1 to network 0.0.0.0 D 33.0.0.0 255.0.0.0 [90/158720] via 172.16.1.1, 0:01:33, DMZ C 172.16.0.0 255.255.0.0 is directly connected, DMZ C 10.0.0.0 255.0.0.0 is directly connected, inside R 11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:05, inside R 12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:05, inside C 192.168.1.0 255.255.255.0 is directly connected, outside S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Routing over ASA Task 6: Configure OSPF process 1 on outside interface of ASA and Router R2. Configuring OSPF over ASA ASA(config)# router ospf 1 ASA(config-router)# network 192.168.1.0 255.255.255.0 a 0 Advertise networks in OSPF Using subnet mask as ASA never use Wildcard Bits in configurations R2(config)#router ospf 1 R2(config-router)#network 192.168.1.0 0.0.0.255 a 0 R2(config-router)#network 22.0.0.0 0.255.255.255 area 0 R2(config-router)# network 23.0.0.0 0.255.255.255 area 0 ASA(config)# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area * - candidate default, U - per-user static route, o - ODR Gateway of last resort is 192.168.1.1 to network 0.0.0.0 D 33.0.0.0 255.0.0.0 [90/156160] via 172.16.1.1, 3:00:50, DMZ O 23.23.23.23 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside C 172.16.0.0 255.255.0.0 is directly connected, DMZ O 22.22.22.22 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside C 10.0.0.0 255.0.0.0 is directly connected, inside R 11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside R 12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside C 192.168.1.0 255.255.255.0 is directly connected, outside S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside ASA# show ospf neighbor Neighbor ID Pri State Dead Time Address Interface 23.23.23.23 1 FULL/DR 0:00:38 192.168.1.1 inside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Routing over ASA Task 7 : Redistribute the Routing information between RIP and EIGRP and verify the routing updates Redistributing EIGRP into RIP ASA(config)# router rip ASA(config-router)# redistribute eigrp 100 ASA(config-router)# redistribute eigrp 100 metric 2 Redistributing RIP into EIGRP ASA(config)# Router eigrp 100 ASA(config-router)# redistribute rip metric 128000 100 150 150 2000 Verification: R1#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area * - candidate default, U - per-user static route Gateway of last resort is 10.1.1.10 to network 0.0.0.0 R 33.0.0.0/8 [120/2] via 10.1.1.10, 00:00:21, FastEthernet0/0 R 172.16.0.0/16 [120/2] via 10.1.1.10, 00:00:21, FastEthernet0/0 C 10.0.0.0/8 is directly connected, FastEthernet0/0 C 11.0.0.0/8 is directly connected, Loopback0 C 12.0.0.0/8 is directly connected, Loopback1 S* 0.0.0.0/0 [1/0] via 10.1.1.10 R3#show ip route Codes: C - connected, S - static, D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area * - candidate default. Gateway of last resort is 172.16.1.10 to network 0.0.0.0 C 33.0.0.0/8 is directly connected, Loopback0 C 172.16.0.0/16 is directly connected, FastEthernet0/0 D EX 10.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0 D EX 11.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0 D EX 12.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0 S* 0.0.0.0/0 [1/0] via 172.16.1.10
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic NAT over ASA 8.0 LAB 7 Basic NAT with ASA 8.0 Network Address Translation is process of changing Source and destination addresses in ip Packet in order to provide connectivity to between Private IP Address Space and Public IP and also to facilitate multiple host to make use of single IP Address to access Internet Services. Configure the Ip addressing as per following credentials Device Interface Name Ip Address Subnet Mask ASA GigabitEthernet0 Outside/0 10.1.1.10 255.0.0.0 ASA GigabitEthernet1 Inside/100 192.168.1.10 255.255.255.0 ASA GigabitEthernet2 DMZ/50 172.16.1.10 255.255.0.0 R1 Fast Ethernet 0/0 - - 10.1.1.1 255.0.0.0 R1 Loopback 0 - - 11.11.11.11 255.0.0.0 R2 Fast Ethernet 0/0 - - 192.168.1.1 255.255.255.0 R2 Loopback 0 - - 22.22.22.22 255.0.0.0 R3 Fast Ethernet 0/0 -- 172.16.1.1 255.255.0.0 R3 Loopback - - 33.33.33.33 255.255.255 Configure Routing and allow ICMP Inspection R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic NAT over ASA 8.0 Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside interface towards outside . When Ever a single IP is translated to another IP and translation of which is defined by administrator manually it's called as Static Translation Over ASA 8.0 all static translations are defined using STATIC keyword, Configuring Static Translations over ASA ASA80(config)# static (inside,outside) 55.56.57.58 10.1.1.1 Verification: To view the current translations on ASA ASA80(config)# show xlate 1 in use, 1 most used Global 55.56.57.58 Local 10.1.1.1 Task 2 : Configure ASA such that it statically translate address 10.1.1.1 to 71.72.73.74 from inside interface towards DMZ. ASA80(config)# static (inside,DMZ) 71.72.73.74 10.1.1.1 Verification: ASA80(config)# show xlate 2 in use, 2 most used Global 71.72.73.74 Local 10.1.1.1 Global 55.56.57.58 Local 10.1.1.1 Task 3 : Clear All the Static Translations Over ASA To clear all the static translations over ASA at once ASA80(config)# clear configure static Verification: ASA80(config)# show xlate 0 in use, 2 most used
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic NAT over ASA 8.0 Task 4 : Translate all the Host in 10.0.0.0/8 subnet to an ip address pool 172.16.1.50 - 172.16.1.60 when the traffic of inside interface destinies to any ip of DMZ subnets. when ever we want to translate a group of address to another group we make use of dynamic translation. Process of Dynamic Address Translation is divided into two Steps  Define the original Address pool need to be translated  Define the translated address also known as Mapped Address Pool Definition of Original IP addresses which are supposed to be translated are always defined using NAT option ASA80(config)# nat (inside) 2 10.0.0.0 255.0.0.0 Note : Number 2 in the command notates NAT ID which can be any number ranging (0-2147483647) the same number should be used to map the translated Address pool. Definition of Translated Address pool is done using Global option with same NAT ID used in NAT option ASA80(config)# global (DMZ) 2 172.16.1.50-172.16.1.60 As we use the same NAT ID the both NAT and GLOBAL pools binds together verification: R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 24/55/84 ms ASA80(config)# show xlate 1 in use, 2 most used Global 172.16.1.60 Local 10.1.1.1
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic NAT over ASA 8.0 Task 5: Translate all the Host connected to inside interface to an single ip address 192.168.1.99 when the traffic of inside interface destinies to any ip of Outside subnet PAT : Whenever we translate multiple IP Address with single IP Along with IP addresses even port numbers get translated such translations are defined as Port Address Translations To Translate All the traffic we can use the default subnet ASA80(config)# nat (inside) 5 0.0.0.0 0.0.0.0 In ASA we have privilege to replace default subnet 0.0.0.0 with a single "0" thus above statement can be even defined as follows ASA80(config)# nat (inside) 5 0 0 Defining Translated Address ASA80(config)# global (outside) 5 192.168.1.99 INFO: Global 192.168.1.99 will be Port Address Translated whenever a single ip address is defined as a translated IP ASA automatically consider it as PAT no extra options are required Verification: R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/71/108 ms R1#ping 23.23.23.23 source loopback 0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 20/62/88 ms ASA80(config)# show xlate 2 in use, 2 most used PAT Global 192.168.1.99(38897) Local 11.11.11.11 ICMP id 23 PAT Global 192.168.1.99(10530) Local 10.1.1.1 ICMP id 24
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.0 LAB 8 Advanced NAT with ASA 8.0 Network Address Translation is process of changing Source and destination addresses in ip Packet in order to provide connectivity to between Private IP Address Space and Public IP and also to facilitate multiple host to make use of single IP Address to access Internet Services. Configure the Ip addressing as per following credentials Device Interface Name Ip Address Subnet Mask ASA GigabitEthernet0 Outside/0 10.1.1.10 255.0.0.0 ASA GigabitEthernet1 Inside/100 192.168.1.10 255.255.255.0 ASA GigabitEthernet2 DMZ/50 172.16.1.10 255.255.0.0 R1 Fast Ethernet 0/0 - - 10.1.1.1 255.0.0.0 R1 Loopback 0 - - 11.11.11.11 255.0.0.0 R2 Fast Ethernet 0/0 - - 192.168.1.1 255.255.255.0 R2 Loopback 0 - - 22.22.22.22 255.0.0.0 R3 Fast Ethernet 0/0 -- 172.16.1.1 255.255.0.0 R3 Loopback - - 33.33.33.33 255.255.255 Configure Routing and allow ICMP Inspection R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms Clear all the configurations of previous LAB Before proceeding with this LAB
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.0 Task 1 : Configure ASA to enforce translation over all the traffic such that only traffic which is translated should bypass ASA rest should be denied. A Special feature of PIX device was to enforce the translation on all the traffic, which has been even inherited into ASA 8.0 by name NAT-CONTROL Before Enabling NAT-CONTROL R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/51/104 ms R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/140 ms To enable NAT control over ASA ASA80(config)# nat-control Verification: R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R1#ping 33.33.33.33 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 ..... Success rate is 0 percent (0/5)
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.0 Task 2 : Bypass the host 10.1.1.1 from Nat-Control and make sure that the host can communicate to any other subnet without translation even when NAT Control is enabled. NAT with ID 0 is dedicated to define no address translation, when ever NAT is to be bypassed for some host or subnets we need to define them in Nat option only with id "0" ASA80(config)# nat (inside) 0 10.1.1.1 255.255.255.255 nat 0 10.1.1.1 will be identity translated for outbound 0 indicates no address translation or also known as NAT Exemption R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/49/100 ms R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/61/124 ms ASA80(config)# show xlate 2 in use, 2 most used Global 10.1.1.1 Local 10.1.1.1 Global 10.1.1.1 Local 10.1.1.1 Traffic generated from other host still gets blocked due to NAT-CONTROL R1#ping 33.33.33.33 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 ..... Success rate is 0 percent (0/5)
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.0 Task 3 : Translate traffic of 11.11.11.11 from inside subnet to 202.11.59.19 when it destinies only to host 23.23.23.23 on outside interface Whenever a condition is added into translations such translations are known as Policy based translations where we define the desired condition of translation using an access-list Creating Access-list to define the condition of translation ASA80(config)# access-list nat1 permit ip host 11.11.11.11 host 23.23.23.23 we have created an access by name nat1 which map the traffic between host 11.11.11.11 to 23.23.23.23 Binding that access-list to NAT statement and enforcing translations only on access-list ASA80(config)# nat (inside) 9 access-list nat1 ASA80(config)# global (outside) 9 202.11.59.19 INFO: Global 202.11.59.19 will be Port Address Translated Verification: R1#ping 23.23.23.23 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/71/132 ms ASA80(config)# show xlate 3 in use, 3 most used PAT Global 202.11.59.19(58154) Local 11.11.11.11 ICMP id 41 The Same Host can't reach other destinations as they are not matching ACL in nat option. R1#ping 22.22.22.22 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 ..... Success rate is 0 percent (0/5)
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic NAT over ASA 8.4 LAB 9 Basic NAT with ASA 8.4 From ASA Ver. 8.4 Cisco introduced new methods of making Network Address Translations over ASA using Objects. All the translations are made based on network objects. legacy commands like static and global have been eliminated and all translations happens using single command NAT. Configure the Ip addressing as per following credentials Device Interface Name Ip Address Subnet Mask ASA GigabitEthernet0 Outside/0 10.1.1.10 255.0.0.0 ASA GigabitEthernet1 Inside/100 192.168.1.10 255.255.255.0 ASA GigabitEthernet2 DMZ/50 172.16.1.10 255.255.0.0 R1 Fast Ethernet 0/0 - - 10.1.1.1 255.0.0.0 R1 Loopback 0 - - 11.11.11.11 255.0.0.0 R2 Fast Ethernet 0/0 - - 192.168.1.1 255.255.255.0 R2 Loopback 0 - - 22.22.22.22 255.0.0.0 R3 Fast Ethernet 0/0 -- 172.16.1.1 255.255.0.0 R3 Loopback - - 33.33.33.33 255.255.255 Configure Routing and allow ICMP Inspection R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic NAT over ASA 8.4 Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside interface towards outside . For all the translations we need to create objects defining the traffic participating in translations and the translation are applied over the objects not on traffic directly. For purpose of Translations specially two types of objects have been introduced  Network  Service Network type object is designed to define IP address, Subnet or Range of IP 's Service type object is used to define services of TCP or UDP For static translation we need two different objects defining individual host in each Creating Network Objects ASA84(config)# object network host-in ASA84(config-network-object)# host 10.1.1.1 ASA84(config-network-object)# exit Object named host-in have been created for host 10.1.1.1, another object for mapped ip is to be created ASA84(config)# object network mapped-out ASA84(config-network-object)# host 55.56.57.58 ASA84(config-network-object)# exit Making Static translations over objects ASA84(config)# nat (inside,outside) source static host-in mapped-out Verification: ASA84(config)# show run object object network host-in host 10.1.1.1 object network mapped-out host 55.56.57.58 ASA84(config)# show xlate 1 in use, 1 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to outside:55.56.57.58 flags s idle 0:00:56 timeout 0:00:00
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic NAT over ASA 8.4 Task 2 : Configure ASA such that it statically translate address 10.1.1.1 to 71.72.73.74 from inside interface towards DMZ. Creating Object to define new mapped ip address ASA84(config)# object network map-dmz ASA84(config-network-object)# host 71.72.73.74 ASA84(config-network-object)# exit Defining Translation ASA84(config)# nat (inside,DMZ) source static host-in map-dmz Verification: ASA84(config)# sh xlate 2 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to outside:55.56.57.58 flags s idle 0:13:44 timeout 0:00:00 NAT from inside:10.1.1.1 to DMZ:71.72.73.74 flags s idle 0:01:14 timeout 0:00:00 ASA84(config)# show nat Manual NAT Policies (Section 1) 1 (inside) to (outside) source static host-in mapped-out translate_hits = 0, untranslate_hits = 0 2 (inside) to (DMZ) source static host-in map-dmz translate_hits = 0, untranslate_hits = 0 ASA84(config)# show run nat nat (inside,outside) source static host-in mapped-out nat (inside,DMZ) source static host-in map-dmz Task 3 : Clear All the Static Translations Over ASA ASA84(config)# clear configure nat
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic NAT over ASA 8.4 Task 4 : Translate all the Host in 10.0.0.0/8 subnet to an ip address pool 172.16.1.50 - 172.16.1.60 when the traffic of inside interface destinies to any ip of DMZ subnets. ASA84(config)# object network subnet-in ASA84(config-network-object)# subnet 10.0.0.0 255.0.0.0 ASA84(config)# object network isp-range ASA84(config-network-object)# range 172.16.1.50 172.16.1.60 Defining Translations ASA84(config)# nat (inside,DMZ) source dynamic subnet-in isp-range ASA84(config)# show xlate 1 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to DMZ:172.16.1.59 flags i idle 0:00:13 timeout 3:00:00 ASA84(config)# show nat Manual NAT Policies (Section 1) 1 (inside) to (DMZ) source dynamic subnet-in isp-range translate_hits = 5, untranslate_hits = 0 Task 5: Translate all the Host connected to inside interface to an single ip address 192.168.1.99 when the traffic of inside interface destinies to any ip of Outside subnet creating a new object to define the mapped address ASA84(config)# object network pat-ip ASA84(config-network-object)# host 192.168.1.99 ASA84(config-network-object)# exit Defining Translation ASA84(config)# nat (inside,outside) source dynamic any pat-pool pat-ip Verification: ASA84(config)# show xlate 2 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice ICMP PAT from inside:10.1.1.1/52 to outside:192.168.1.99/52 flags ri idle 0:00:06 timeout 0:00:30
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.4 LAB 10 Advanced NAT with ASA 8.4 Along with NAT based on object groups ASA 8.4 introduced advanced options called as AutoNAT where Translations are defined inside the objects itself. Configure the Ip addressing as per following credentials Device Interface Name Ip Address Subnet Mask ASA GigabitEthernet0 Outside/0 10.1.1.10 255.0.0.0 ASA GigabitEthernet1 Inside/100 192.168.1.10 255.255.255.0 ASA GigabitEthernet2 DMZ/50 172.16.1.10 255.255.0.0 R1 Fast Ethernet 0/0 - - 10.1.1.1 255.0.0.0 R1 Loopback 0 - - 11.11.11.11 255.0.0.0 R2 Fast Ethernet 0/0 - - 192.168.1.1 255.255.255.0 R2 Loopback 0 - - 22.22.22.22 255.0.0.0 R3 Fast Ethernet 0/0 -- 172.16.1.1 255.255.0.0 R3 Loopback - - 33.33.33.33 255.255.255 Configure Routing and allow ICMP Inspection R1#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.4 Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside interface towards outside using ASA auto NAT . Auto NAT is the translation statements when defined inside of objects ASA84(config)# object network host-in ASA84(config-network-object)# host 10.1.1.1 ASA84(config-network-object)# nat (inside,outside) static 55.56.57.58 ASA84(config-network-object)# exit Verification ASA84(config)# show nat Auto NAT Policies (Section 2) 1 (inside) to (outside) source static host-in 55.56.57.58 translate_hits = 0, untranslate_hits = 0 ASA84(config)# show run object object network host-in host 10.1.1.1 ASA84(config)# show run nat ! object network host-in nat (inside,outside) static 55.56.57.58 ASA84(config)# show xlate 1 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to outside:55.56.57.58 flags s idle 0:05:14 timeout 0:00:00
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.4 Task 2 : Configure ASA to translate any IP address sourced from any interface to the outside interface ip of ASA. ASA84(config)# nat (any,outside) source dynamic any interface above option translate any IP sourcing any interface destinies to outside to IP address which is assigned on interface outside. ASA84(config)# show nat Manual NAT Policies (Section 1) 1 (any) to (outside) source dynamic any interface translate_hits = 0, untranslate_hits = 0 R3#ping 22.22.22.22 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/48 ms ASA84(config)# show xlate 2 in use, 2 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice NAT from inside:10.1.1.1 to outside:55.56.57.58 flags s idle 0:19:55 timeout 0:00:00 ICMP PAT from any:172.16.1.1/0 to outside:192.168.1.10/31798 flags ri idle 0:00:04 timeout 0:00:30
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Content Filtering over ASA LAB 11 Java, Active X & Web Filtering Java and Active X are considered as beautiful programming languages but if we look at the other side of these languages they are used heavily to write scripts to hack the system. Usually these scripts are allowed into your network as they are a kind of text document but Cisco made ASA so intelligent that it can identify as well as filter the traffic of following specific types Active x ftp, https java & url Task 1 : Configure ASA such that it filters all the web traffic for inside subnet and drops the packets which contain the java program ASA make use of option “filter” to filter a specific data type in a service. ASA(config)# filter java http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 Any host from 10.0.0.0/8 subnet can't download or upload any java program Inside Subnet Service to be filtered Outside Subnet
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Content Filtering over ASA Task 2: Configure ASA such that it filters all the web and FTP traffic on all subnets and drops the packets which contain the Active-x program. ASA(config)# filter activex http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ASA(config)# filter activex ftp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Task 3 :Configure a web sense URL Filter server in Inside subnet on ip address of 10.0.1.11. Make configurations on ASA such that it filters all the web traffic from inside subnets for URL using that URL Filter server ASA is not so flexible in filtering URL’s on it more granularly, so ASA make help from other supporting URL Filters to filter the web traffic for their URL. ASA support only two URL Filters namely web sense & smart filter. ASA(config)# url-server (inside) vendor websense host 10.0.1.11 ASA(config)# filter url http 1.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.4 LAB 12 Modular Policy Framework Interface Configuration on ASA and Other devices Interface Ip Address Name Security Level Ethernet 0 192.168.1.10 Outside 0 Ethernet 1 10.1.1.10 Inside 100 Ethernet 2 172.16.1.10 DMZ 50 Configure a default Route on both the routers pointing towards ASA Device Interface Ip Address Subnet Mask R1 FastEthernet 0/0 10.0.1.10 255.0.0.0 R2 Fast Ethernet 0/0 192.168.1.10 255.255.255.0 R3 Fast Ethernet 0/0 172.16.0.10 255.255.0.0 When we call the interconnection of people as a network then we have different type of people available in network and all the people who utilize the network are not same. Basically I just want to say we have multiple types of users available in a same network but we always want our network to behave uniquely for each user example a normal user should be restricted with a certain bandwidth but a superior user should get a high bandwidth .This is how we always desire that behavior of the same network should change depending on the user and the usage. To facilitate us by this desired functionality of network we have a full framework available which is called as Modular Policy Framework (MPF).Majorly MPF is depended on its three components 1. Class-Map where we catch interesting traffic 2. Policy-Map Where We define Desired Action On interesting traffic 3. Service-Policy where we apply the condition on select interface
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.4 TASK 1 Configure ASA to catch the traffic from inside subnet and restrict the bandwidth usage to 8000 bits per second when its destination is R2 Steps to configure:- 1. Create a class-map 2. Create a policy-map 3. Define Service-policy A class-map is a tool used to catch interesting on more granular level where we are allowed not only to catch interesting traffic on the basis of layer 3 addresses (ip address) but even we can catch the traffic not only by access-list but even by Its Precedence, Tunnel group, RTP and DSCP values as well. Create an access-list to define flow of traffic here we want to catch the traffic when it’s starting from Inside subnet and visiting Site-A ASA(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 Create a class-map with any name and call the access-list in class-map ASA(config)# class-map c-map ASA(config-cmap)# match access-list 101 ASA(config-cmap)# exit Now we are done with catching of interesting traffic then our next step is to define the action over that interesting traffic to do that we are creating a policy-map Policy map is a place where we define our desired action on the cached interesting traffic where you have more granular options available apart from permitting and denying traffic. You have actions like police, priority and inspect etc... ASA(config)# policy-map p-map We created a policy map with the name “p-map” here then under that policy-map we are calling the class-map which we created. By this we’ll binding our class-map and our policy-map then we define the action over that ASA(config-pmap)# class c-map ASA(config-pmap-c)# police input 8000 Final step our configuration is to apply the created policy here we can apply the policy over a single interface or globally over all interfaces ASA(config)# service-policy p-map interface outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.4 Verification We can verify our applied policy by generating an extended Ping for the destination of Site-A R1#ping Protocol [ip]: Target IP address: 192.168.1.10 Repeat count [5]: 30 Datagram size [100]: 1000 Increase the size of datagram to generate huge traffic Timeout in seconds [2]: Extended commands [n]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 30, 1000-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: !!.!!.!!.!.!!.!.!!.!!.!.!!.!!. Here we can observe the packet drop when they are exceeding policy Success rate is 63 percent (19/30), round-trip min/avg/max = 20/59/92 ms If we further Increase the size of datagram then more packets gets droped R1#ping Protocol [ip]: Target IP address: 192.168.1.10 Repeat count [5]: 30 Datagram size [100]: 2000 Timeout in seconds [2]: Extended commands [n]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 30, 2000-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds: !.!..!..!...!...!...!..!...!.. Success rate is 30 percent (9/30), round-trip min/avg/max = 56/72/92 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Advanced NAT over ASA 8.4 TASK 2 Configure ASA to catch the telnet traffic from inside subnet and prioritize that when its destination is R3 Create a class map to catch telnet traffic here I am catching the traffic using an extended ACL ASA(config)#access-list 102 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0eq telnet ASA(config)# class-map telnet-traffic ASA(config-cmap)# match access-list 102 Create a policy-map to define priority action over the class ASA(config-cmap)# policy-map inspect-telnet ASA(config-pmap)# class telnet-traffic ASA(config-pmap-c)# priority Apply that policy map created on interface Before applying the priority type policy map over the interface we have to enable priority-queue over that interface and set the queue-limit ASA(config)# priority-queue dmz ASA(config-priority-queue)# queue-limit 1024 ASA(config-priority-queue)# exit Now we can apply that policy-map over interface dmz as we have configured the priority-queue over that interface ASA(config)# service-policy inspect-telnet interface dmz
  • Abbad Ur Rahman Talha Netmetric Solutions Netmetric CCNP Security Workbook 2.0 Virtual Firewalls LAB 13 Virtual Firewall One of the major advancement which was made from PIX to ASA is the capability of virtual Firewallingover ASA. The virtual firewall methodology enables a physical firewall to be partitioned into multiple standalone firewalls. Each standalone firewall acts and behaves as an independent entity with its own configuration, interfaces, security policies, routing table, and administrators. In Cisco ASA, these virtual firewalls are known as Security contexts. But two major features of ASA doesn’t supports on when you make it into virtual Firewalls are =>VPN =>Dynamic Routing Protocols Connect your firewall using console port and start configuring the virtual firewalls Before making your ASA into virtual firewall make sure that you take backup of your all running configuration, because when you change the mode of your ASA into virtual firewalls or from virtual firwall to single mode, you will lose all the running configuration of your device. Even if you won’t take the backup by default your ASA saves the current running configuration to the flash of ASA with file name as “old_running.cfg” Context 1 Context 2
  • Abbad Ur Rahman Talha Netmetric Solutions Netmetric CCNP Security Workbook 2.0 Virtual Firewalls To check the current mode of your ASA ciscoasa(config)# show mode Security context mode: single To checkout weather your ASA is capable of virtual firewalling you can see the details in show version output or you can filter that output by issuing following options ciscoasa# show version | grep Security Contexts Security Contexts : 2 The output here gives the capability of the device to make into virtual firewalls;the above output here gives the value as 2 that mean I am allowed to create two security contexts. To change the mode of ASA from single to virtual ciscoasa(config)# mode multiple WARNING: This command will change the behavior of the device WARNING: This command will initiate a Reboot Proceed with change mode? [confirm] Convert the system configuration? [confirm] As soon as you issue this command your ASA will be reloaded itself and your entire current configuration will be erased. ciscoasa# show mode Security context mode: multiple As we know that ASA will make backup of running configuration in flash its visible when we see the files on flash. ciscoasa# show flash: Directory of flash:/ 9 -rw- 2076 07:45:11 Oct 17 2011 old_running.cfg 10 -rw- 1446 07:45:12 Oct 17 2011 admin.cfg 16128000 bytes total (16119296 bytes free)
  • Abbad Ur Rahman Talha Netmetric Solutions Netmetric CCNP Security Workbook 2.0 Virtual Firewalls To see the current context on ASA we can issue the command ciscoasa# show context Context Name Class Interfaces URL *admin default Ethernet0 flash:/admin.cfg Total active Security Contexts: 1 From the above output we can observe that we have one Context by the name “admin” which we haven’t created. When we change our mode from single to multiple we will be having one context created by default and the name of that context will “admin” context which will have certain more preferences then other context. A very special property of this admin context is that the whole configurations of your physical device will be copied to this admin context. And this context will replace the actual device. Excluding this admin context we can make two more contexts (as on this device) then totally we’ll be having 3 contexts (as admin context is not counted in created context list) If we want to configure any context then we have enter into that particular context and configure that context To enter the context ciscoasa(config)# changeto context admin ciscoasa/admin(config)# Now we are in the context admin which we can observe by change in Hostname And to get back to system ciscoasa/admin(config)# changeto system ciscoasa(config)#
  • Abbad Ur Rahman Talha Netmetric Solutions Netmetric CCNP Security Workbook 2.0 Virtual Firewalls Task 1 Create two context by the names CTX1 and CTX2 and allocate two interfaces to each context and assign IP Addresses to the interfaces as per below credentials. And save the configuration of those contexts in flash with respective names of context. CTX 1 Interface IP Address Subnet Mask Security level Name of interface Ethernet 0 1.1.1.1 255.0.0.0 100 Inside Ethernet 1 192.168.1.1 255.255.255.0 0 Outside CTX 2 Ethernet 2 2.2.2.2 255.0.0.0 100 Inside Ethernet 3 172.16.1.1 255.255.0.0 0 Outside Steps to Configure:-  Create context  Allocate interfaces  Assign configuration location Creating Context Remember that the names which we assign to context will be case-sensitive ciscoasa(config)# context CTX1 Creating context 'CTX1'... Done. (2) ciscoasa(config-ctx)# exit ciscoasa(config)# context CTX2 Creating context 'CTX2'... Done. (3) Allocating Interfaces to Context To allocate interface to a context get into that context and assign the desired interface and even we can assign one interface two different context that is called as shared interface. ciscoasa(config)# context CTX1 ciscoasa(config-ctx)# allocate-interface ethernet0 ciscoasa(config-ctx)# allocate-interface ethernet1 ciscoasa(config-ctx)# exit ciscoasa(config)# context CTX2 ciscoasa(config-ctx)# allocate-interface ethernet2 ciscoasa(config-ctx)# allocate-interface ethernet3 ciscoasa(config-ctx)# exit
  • Abbad Ur Rahman Talha Netmetric Solutions Netmetric CCNP Security Workbook 2.0 Virtual Firewalls Assigning Configuration location to context ciscoasa(config)# context CTX1 ciscoasa(config-ctx)# config-url flash:CTX1 INFO: Converting flash:CTX1 to flash:/CTX1 WARNING: Could not fetch the URL flash:/CTX1 INFO: Creating context with default config ciscoasa(config-ctx)# exit ciscoasa(config)# context CTX2 ciscoasa(config-ctx)# config-url flash:CTX2 INFO: Converting flash:CTX2 to flash:/CTX2 WARNING: Could not fetch the URL flash:/CTX2 INFO: Creating context with default config ciscoasa(config-ctx)# exit Assigning Ip addresses to contexts. ciscoasa(config)# changeto context CTX1 ciscoasa/CTX1(config)# interface ethernet0 ciscoasa/CTX1(config-if)# ip address 1.1.1.1 255.0.0.0 ciscoasa/CTX1(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ciscoasa/CTX1(config-if)# no shutdown ciscoasa/CTX1(config-if)# interface ethernet1 ciscoasa/CTX1(config-if)# ip add 192.168.1.1 255.255.255.0 ciscoasa/CTX1(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ciscoasa/CTX1(config-if)# no shutdown ciscoasa/CTX1(config-if)# changeto system ciscoasa(config)# changeto context CTX2 ciscoasa/CTX2(config)# interface ethernet2 ciscoasa/CTX2(config-if)# ip address 2.2.2.2 255.0.0.0 ciscoasa/CTX2(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ciscoasa/CTX2(config-if)# no shutdown ciscoasa/CTX2(config-if)# interface ethernet3 ciscoasa/CTX2(config-if)# ip address 172.16.1.1 255.255.0.0 ciscoasa/CTX2(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ciscoasa/CTX2(config-if)# no shutdown
  • Abbad Ur Rahman Talha Netmetric Solutions Netmetric CCNP Security Workbook 2.0 Virtual Firewalls Verifying the configurations ciscoasa(config)# show context Context Name Class Interfaces URL *admin default flash:/admin.cfg CTX1 default Ethernet0,Ethernet1 flash:/CTX1 CTX2 default Ethernet2,Ethernet3 flash:/CTX2 ciscoasa(config)# changeto context CTX1 ciscoasa/CTX1(config)# show run interface ! interface Ethernet0 nameif inside security-level 100 ip address 1.1.1.1 255.0.0.0 ! interface Ethernet1 nameif outside security-level 0 ip address 192.168.1.1 255.255.255.0 ciscoasa/CTX1# changeto system ciscoasa(config)# ciscoasa(config)# changeto context CTX2 ciscoasa/CTX2(config)# show run interface ! interface Ethernet2 nameif inside security-level 100 ip address 2.2.2.2 255.0.0.0 ! interface Ethernet3 nameif outside security-level 0 ip address 172.16.1.1 255.255.0.0 ciscoasa/CTX2(config)# changeto system ciscoasa(config)#
  • Abbad Ur Rahman Talha Netmetric Solutions Netmetric CCNP Security Workbook 2.0 Virtual Firewalls Task 2 Configure context CTX1 to inspect icmp and configure an access-list to deny any traffic from inside to outside subnets Steps to configure:-  Get into specific context  Then apply the desired rules ciscoasa(config)# changeto context CTX1 ciscoasa/CTX1(config)# policy-map global_policy ciscoasa/CTX1(config-pmap)# class inspection_default ciscoasa/CTX1(config-pmap-c)# inspect icmp PC-A#ping192.168.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 8/22/40 ms As soon as the inspection of icmp is on we can see that icmp traffic is allowed to transact ciscoasa/CTX1(config)# changeto context CTX2 ciscoasa/CTX2(config)# access-list 101 deny ip any 172.16.0.0 255.255.0.0 ciscoasa/CTX2(config)# access-group 101 in interface inside R2#ping 172.16.1.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.1.10, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) We can see here no traffic is being allowed from inside to outside subnets but still the traffic from PC is allowed to R1 PC-A#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/27/64 ms As we did this configuration on context CTX2 it will not effect on other context CTX1by this we can conclude that each context maintains its own configurations
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Transparent Firewall Lab 14 Transparent Firewall To view the current mode of working of ASA issue the following command ASA# show firewall Firewall mode: Router To change the mode of ASA from router mode to transparent mode issue the following command ASA(config)# firewall transparent !!As soon as we issue the above command to ASA we’ll lose our entire running configuration ASA(config)# show firewall Firewall mode: Transparent As now we are working with transparent mode of firewall we don’t have any ip addresses configured so we need an IP address for our firewall to manage our device remotely. To Assign IP address to a firewall in Transparent mode new virtual interfaces have to be configured named Bridge Virtual Interface and IP address to the firewall is assigned to that particular interface If you look at a layer 2 switch it doesn’t require any ip addresses as they are layer 2 device they work with MAC Address and even they behave as a hidden device into the network they never exhibits there existence in the network From the basics of our firewall we know that our firewall is basically a layer 3 device which works with IP addresses and exhibits there existence into network. Transparent Firewall is a device where you configure your layer 3 firewall to work as a layer 2 Firewall which doesn’t work with IP addresses but works with MAC addresses. As it works with MAC Addresses it doesn’t exhibits his existence in the network and still capable of filtering and managing traffic from layer 2 We have to remember here that when we are making our ASA as a transparent firewall then few services doesn’t work on ASA Firewall  Dynamic routing protocols  IPv6  Quality of Service  Multicast
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Transparent Firewall LAB Topology Device Interface Ip Address Subnet Mask R1 Fast Ethernet 0/0 10.1.1.1 255.0.0.0 R2 FastEthernet 0/0 10.1.1.2 255.0.0.0 Task 1 : Configure ASA as Transparent Firewall and Assign the interface credentials as follows Create a Transparent Firewall Interface (Bridge Virtual Interface) for management and activation of device and assign IP Address 10.1.1.10 ASA(config)# firewall transparent Creating a Bridge Virtual Interface and assigning IP address to it ASA(config)# interface BVI1 ASA(config-if)# ip address 10.1.1.10 255.0.0.0 Configuring Interfaces and associating then to Bridge Virtual Interface 1 ASA(config)# interface GigabitEthernet0 ASA(config-if)# nameif outside ASA(config-if)# bridge-group 1 ASA(config-if)# security-level 0 ASA(config)# interface GigabitEthernet1 ASA(config-if)# nameif inside ASA(config-if)# bridge-group 1 ASA(config-if)# security-level 100 Interface Name Security level Giga Ethernet 0 Outside 0 Giga Ethernet 1 Inside 100
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby LAB 15 Failover Active/Standby failover configuration ASA is very important device of every network which is mostly perimeter device failure of which may let whole network to go down. considering this criticalness Failover of ASA has been introduced which is an Automated process of swapping the Active Device when It goes down.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby LAB TOPOLOGY Device Interface Ip Address Subnet Mask R1 Fast Ethernet 0/0 10.1.1.1 255.0.0.0 R2 FastEthernet 0/0 192.168.1.1 255.0.0.0 Task 1 : Configure Failover for ASA such that when ASA1 crashes ASA2 should automatically replace itself with ASA1 Before proceeding with failover configuration make sure Devices are licensed for it. ASA1(config)# show version | grep Failover Failover : Active/Active ASA2(config)# show version | grep Failover Failover : Active/Active While making failover configuration make sure you define a standby IP Address over every interface. ASA1(config)# interface GigaEthernet0 ASA1(config-if)# no shutdown ASA1(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ASA1(config-if)# ip add 192.168.1.10 255.255.255.0 standby 192.168.1.7
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby ASA1(config-if)# interface GigaEthernet 1 ASA1(config-if)# no shutdown ASA1(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ASA1(config-if)# ip add 10.1.1.10 255.0.0.0 standby 10.1.1.7 After making Basic ASA interface configuration start making Failover Interface the interface which is being dedicated for failover should enabled ASA1(config-if)# interface GigaEthernet 2 ASA1(config-if)# no shutdown Here Interface GigaEthernet 2 is being dedicated for failover Enable Failover and define ASA1 as primary unit. ASA1(config)# failover lan enable ASA1(config)# failover lan unit primary Define the interface name which is being used as failover interface and allocate a logical name to that interface and assign an unused IP address to the interface ASA1(config)# failover lan interface failint GigaEthernet 2 INFO: Non-failover interface config is cleared on GigaEthernet 2 and its sub-interfaces ASA1(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7 ASA1(config)# failover Configuring ASA2 to be the secondary mate to ASA1 Enable all the interfaces participating in failover before making any configurations on ASA2 ASA2(config-if)# interface GigaEthernet 0 ASA2(config-if)# no shutdown ASA2(config-if)# interface GigaEthernet 1 ASA2(config-if)# no shutdown ASA2(config-if)# interface GigaEthernet 2 ASA2(config-if)# no shutdown
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby Configure the secondary failover configurations here as well ASA2(config)# failover lan enable ASA2(config)# failover lan unit secondary ASA2(config)# failover lan interface failint GigaEthernet2 INFO: Non-failover interface config is cleared on Ethernet2 and its sub-interfaces ASA2(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7 ASA2(config)#failover As soon we issue command failover it activates the failover and look for the mate ASA2(config)# . Detected an Active mate Beginning configuration replication from mate. End configuration replication from mate ASA1# sh failover Failover On Cable status: N/A - LAN-based failover enabled Failover unit Primary Failover LAN Interface: failint GigaEthernet2 (up) Unit Poll frequency 15 seconds, holdtime 45 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 2 of 250 maximum Version: Ours 8.0(4), Mate 8.0(4) Last Failover at: 08:37:46 UTC Nov 25 2012 This host: Primary - Active Active time: 585 (sec) Interface outside (192.168.1.10): Normal Interface inside (10.1.1.10): Normal Other host: Secondary - Standby Ready Active time: 0 (sec) Interface outside (192.168.1.7): Normal Interface inside (10.1.1.7): Normal Stateful Failover Logical Update Statistics Link : Unconfigured.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby ASA1(config)# show failover state State Last Failure Reason Date/Time This host - Primary Active None Other host - Secondary Standby Ready Comm Failure 18:04:15 UTC Dec 29 2012 ====Configuration State=== Sync Done ====Communication State=== Mac set
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby Task 2 : Change the Active/Standby Failover into Stateful Failover ASA1(config)# failover link failint GigaEthernet2 ASA1# show failover Failover On Cable status: N/A - LAN-based failover enabled Failover unit Primary Failover LAN Interface: failint GigaEthernet2 (up) Unit Poll frequency 15 seconds, holdtime 45 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 2 of 250 maximum Version: Ours 8.0(4), Mate 8.0(4) Last Failover at: 08:37:46 UTC Nov 25 2012 This host: Primary - Active Active time: 765 (sec) Interface outside (192.168.1.10): Normal Interface inside (10.1.1.10): Normal Other host: Secondary - Standby Ready Active time: 0 (sec) Interface outside (192.168.1.7): Normal Interface inside (10.1.1.7): Normal Stateful Failover Logical Update Statistics Link : failint GigaEthernet2 (up) Stateful Obj xmit xerr rcv rerr General 9 0 8 0 sys cmd 8 0 8 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 0 0 0 0 UDP conn 0 0 0 0 ARP tbl 1 0 0 0 Xlate_Timeout 0 0 0 0 VPN IKE upd 0 0 0 0 VPN IPSEC upd 0 0 0 0 VPN CTCP upd 0 0 0 0 VPN SDI upd 0 0 0 0 VPN DHCP upd 0 0 0 0 SIP Session 0 0 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 8 Xmit Q: 0 2 59
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby LAB 15 Failover Active/Active failover configuration Active / Active failover Configuring is failover facility for Context and making sure that when one context goes down another one should replicate and deployment of failover happens on virtual firewalls rather than physical.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby LAB TOPOLOGY Device Interface Ip Address Subnet Mask R1 Fast Ethernet 0/0 10.1.1.1 255.0.0.0 R2 FastEthernet 0/0 192.168.1.1 255.0.0.0 R3 FastEthernet 0/0 11.1.1.1 255.0.0.0 R4 FastEthernet 0/0 172.16.1.1 255.0.0.0 Task 1 : Configure Change the mode of ASA from Single to multiple ASA1(config)# mode multiple ASA2(config)# mode multiple ASA1# show mode Security context mode: multiple ASA2# show mode Security context mode: multiple
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby Task 2 :Create two Context on ASA1 as following Credentials Name Interface Config-Url Ctx1 GigaEthernet 0 GigaEthernet 1 Flash:/ctx1 Ctx2 GigaEthernet 2 GigaEthernet 3 Flash:/ctx2 ASA1(config)# context Ctx1 Creating context 'ctx1'... Done. (2) ASA1(config-ctx)# config-url ctx1 INFO: Converting ctx1 to disk0:/ctx1 WARNING: Could not fetch the URL disk0:/ctx1 INFO: Creating context with default config ASA1(config-ctx)# allocate-interface g0 ASA1(config-ctx)# allocate-interface g1 ASA1(config)# context ctx2 Creating context 'ctx2'... Done. (3) ASA1(config-ctx)# config-url ctx2 INFO: Converting ctx2 to disk0:/ctx2 WARNING: Could not fetch the URL disk0:/ctx2 INFO: Creating context with default config ASA1(config-ctx)# allocate-interface g2 ASA1(config-ctx)# allocate-interface g3
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby Task 3 : Configure Context CTX1 and CTX2 as follows Name Interface Nameif IP Address Standby IP Ctx1 GigaEthernet 0 GigaEthernet 1 Outside Inside 192.168.1.10 10.1.1.10 192.168.1.11 10.1.1.11 Ctx2 GigaEthernet 2 GigaEthernet 3 Inside Outside 11.1.1.10 172.16.1.10 11.1.1.11 172.16.1.11 ASA1(config)# changeto context ctx1 ASA1/ctx1(config)# interface gigabitEthernet 0 ASA1/ctx1(config-if)# ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11 ASA1/ctx1(config-if)# no shutdown ASA1/ctx1(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ASA1/ctx1(config)# interface gigabitEthernet 1 ASA1/ctx1(config-if)# ip address 10.1.1.10 255.0.0.0 standby 10.1.1.11 ASA1/ctx1(config-if)# no shutdown ASA1/ctx1(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ASA1/ctx1(config)# changeto context ctx2 ASA1/ctx2(config)# interface gigabitEthernet 2 ASA1/ctx2(config-if)# ip address 11.1.1.10 255.0.0.0 standby 11.1.1.11 ASA1/ctx2(config-if)# no shutdown ASA1/ctx2(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ASA1/ctx2(config)# interface gigabitEthernet 3 ASA1/ctx2(config-if)# ip address 172.16.1.10 255.0.0.0 standby 172.16.1.11 ASA1/ctx2(config-if)# no shutdown ASA1/ctx2(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby Task 4 : Configure Failover on Such that Context ctx1 should be active on ASA1 and CTX2 should be active on ASA2 ASA1(config)# failover lan unit primary ASA1(config)# failover lan interface failint g4 INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces ASA1(config)# failover link failint g4 ASA1(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7 ASA1(config)# failover Create Failover Groups and associate context to each group ASA1(config)# failover group 1 ASA1(config-fover-group)# primary ASA1(config-fover-group)# exit ASA1(config)# failover group 2 ASA1(config-fover-group)# secondary ASA1(config-fover-group)# exit Associating Groups to context created so that ctx1 can be primary and ctx2 should be secondary on ASA1 ASA1(config)# context ctx1 ASA1(config-ctx)# join-failover-group 1 ASA1(config-ctx)# exit ASA1(config)# context ctx2 ASA1(config-ctx)# join-failover-group 2 ASA1(config-ctx)# exit
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby Configuring Failover Link ASA2 ASA2(config)# failover lan unit secondary ASA2(config)# failover lan interface failint g4 INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces ASA2(config)# failover link failint g4 ASA2(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.11 ASA2(config)# failover Failover LAN became OK Switchover enabled Configuration has changed, replicate to mate.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Failover- Active /Standby Verification: ASA1(config)# show failover Failover On Failover unit Primary Failover LAN Interface: failint GigabitEthernet4 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 60 maximum Version: Ours 8.4(2), Mate 8.4(2) Group 1 last failover at: 05:36:55 UTC Dec 30 2012 Group 2 last failover at: 05:36:55 UTC Dec 30 2012 This host: Primary Group 1 State: Active Active time: 255 (sec) Group 2 State: Active Active time: 255 (sec) ctx1 Interface outside (192.168.1.10): Normal (Waiting) ctx1 Interface inside (10.1.1.10): Normal (Waiting) ctx2 Interface inside (11.1.1.10): Normal (Waiting) ctx2 Interface outside (172.16.1.10): Normal (Waiting) Other host: Secondary Group 1 State: Standby Ready Active time: 0 (sec) Group 2 State: Standby Ready Active time: 0 (sec) ctx1 Interface outside (192.168.1.11): Normal (Waiting) ctx1 Interface inside (10.1.1.11): Normal (Waiting) ctx2 Interface inside (11.1.1.11): Normal (Waiting) ctx2 Interface outside (172.16.1.11): Normal (Waiting)
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN LAB - 1 Making Site to Site IPSec Virtual Private Network Points to Remember:  Majorly we used VPN technology is IPsec (Internet Protocol Security)  IPsec is a protocol suite which is designed to provide the solution for remote connectivity over an insecure network  IPsec Provides Confidentiality and Integrity to the ip packets traversing over internet  An another supporting protocols which is always associated with IPsec is ISAKMP (Internet security Association Key Management Protocol)  ISAKMP is purely dedicated to transfer the security keys from one device to another  ISAKMP works on UDP port no.500 For making of site to site VPN using IPSec technology, it requires  Devices which support VPN services and are licensed for it  A Static IP Address on both ends which is routable
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN LAB Topology In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B Respectively and R2 is acting as Internet Loopbacks here demonstrates Local LAN Interface Configuration on Router Device Interface Ip Address Subnet R1 F0/0 1.1.1.1 255.0.0.0 R1 loopback 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.1 255.0.0.0 R3 F0/0 2.2.2.2 255.0.0.0 R3 loopback 33.33.33.33 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3 Verification for routing R1#ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms R3#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN Task 1 : Configure a IPSec site-to-site vpn between R1 and R3 to make the secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33) Process of making an IPSec VPN can be simplified by following the sequence of configuration. o Define ISAKMP Credentials, the credentials which are to be used for Key Exchange o Define IPSec Credentials, which are used in data Exchange o Define interesting traffic using an access-list o Map all the credentials of VPN in a crypto map o Apply the Map on Interface Defining ISAKMP Policy which is also called as phase 1 parameters of VPN R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication pre-share R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we need to define a shared secret key on both side in this lab scenario netmetric is the shared key R1(config)#crypto isakmp key netmetric address 2.2.2.2 This Concludes Phase 1 Configuration Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit As per task our interesting traffic is sourced from 11.11.11.11 and destinies at 33.33.33.33 definition of it can be done by an simple extended access-list R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN Binding credentials using crypto map R1(config)#crypto map vpn-map 10 ipsec-isakmp R1(config-crypto-map)#set peer 2.2.2.2 R1(config-crypto-map)#set transform-set t-set-1 R1(config-crypto-map)#match address 101 A crypto map binds the interesting traffic and peer with a specific transform set Application of this crypto map over as interface R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map Over other side we need to define exactly the same credentials of phase 1 & 2 without any change but difference in names of policies and transform-set is negligible. R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication pre-share R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto isakmp key netmetric address 1.1.1.1 R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33 R3(config)#crypto map vpn-map-2 10 ipsec-isakmp R3(config-crypto-map)#set peer 1.1.1.1 R3(config-crypto-map)#set transform-set t-set-2 R3(config-crypto-map)#match address 101 R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map-2
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN Verification Generating Interesting Traffic R1#ping 33.33.33.33 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms As soon as VPN starts the traffic between two local LAN starts Transactions. R1#sh crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: vpn-net, local addr 1.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) current_peer 2.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pktscompr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2 path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0 current outbound spi: 0x0(0) R1#sh crypto session Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 2.2.2.2 port 500 IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN Task 2 : Modify Existing VPN connection to secure the telnet access between two peers An IPSec VPN Always catch interesting traffic based on crypto ACL (Access-list matched in crypto map is termed as crypto ACL) , Whatever traffic is supposed to pass through VPN it need to added into ACL Modifying Access-list of Router R1 R1(config)#access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet Modifying Access-list of Router R3 R3(config)#access-list 101 permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet Task 3 : Imagine there is one more Peer by name Site C (R4) at ip address 3.3.3.3 with loopback ip address 55.55.55.55, Secure the Access between Loopbacks of R1 and R4. Create a new Access-list for catching traffic between Loopbacks R1(config)#access-list 102 permit ip host 11.11.11.11 host 55.55.55.55 Create a Crypto map with same name but different ID ( No Need to Add a Different named VPN Map as you can not apply more than one Map on an interface) R3(config)#crypto map vpn-map 11 ipsec-isakmp R3(config-crypto-map)#set peer 3.3.3.3 R3(config-crypto-map)#set transform-set t-set-1 R3(config-crypto-map)#match address 102
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA LAB - 2 Making Site to Site IPSec Virtual Private Network Over ASA LAB Topology In Above topology two ASA are acting as border devices of two sites Site A & Site B Respectively and R2 is acting as Internet where as Router R1 and Router R3 are Local LAN of their respective sites Interface Configuration on Router Device Interface Name-if Ip Address Subnet ASA Site A E0/0 Outside 1.1.1.1 255.0.0.0 ASA Site A E0/1 Inside 11.11.11.10 255.0.0.0 ASA Site B E0/0 Outside 2.2.2.2 255.0.0.0 ASA Site B E0/1 Inside 33.33.33.10 255.0.0.0 R1 F0/0 -- -- 11.11.11.11 255.0.0.0 R3 F0/0 -- -- 33.33.33.33 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices Site ASA Verification for routing ciscoasa-site-A# ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 msR3#ping 1.1.1.1 ciscoasa-Site-B# ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 50/74/90 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA Task 1 : Configure a IPSec site-to-site vpn between Site A and Site B to make the secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33) By default ISAKMP services are disabled in ASA we need to enable the ISAKMP Services, In ASA > 8.3 ISAKMP is termed as IKEv1 and IKEv2 IKEv1 is dedicated for Site to Site and IPSec VPN and IKEv2 for SSL VPN, As we are working with Site to Site VPN we need to enable IKEv1 here ciscoasa-site-A(config)# crypto ikev1 enable Outside Configure all the Credentials of ISAKMP in a policy ciscoasa-site-A(config)# crypto ikev1 policy 10 ciscoasa-site-A(config-ikev1-policy)# encryption aes ciscoasa-site-A(config-ikev1-policy)# hash sha ciscoasa-site-A(config-ikev1-policy)# group 2 ciscoasa-site-A(config-ikev1-policy)# authentication pre-share ciscoasa-site-A(config-ikev1-policy)# lifetime 6000 Defining Pre-share key using Tunnel Group options A tunnel group specially designed to define the attributes related to VPN and its Functionality, The name of tunnel group of type L2L should be always the Peer Address ciscoasa-site-A(config)# tunnel-group 2.2.2.2 type ipsec-l2l ciscoasa-site-A(config)# tunnel-group 2.2.2.2 ipsec-attributes ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123 Configure IPSec Credentials for both devices ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac Definition of Interesting Traffic using Access-list ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA Create a Crypto map and bind all the credentials with that MAP ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2 ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set ciscoasa-site-A(config)# crypto map mymap 10 match address 101 Apply The MAP on interface facing to Internet ciscoasa-site-A(config)# crypto map mymap interface Outside Make the VPN Configuration on Other Side As well ciscoasa-Site-B(config)# crypto ikev1 enable Outside ciscoasa-Site-B(config)# crypto ikev1 policy 10 ciscoasa-Site-B(config-ikev1-policy)# authentication pre-share ciscoasa-Site-B(config-ikev1-policy)# encryption aes ciscoasa-Site-B(config-ikev1-policy)# hash sha ciscoasa-Site-B(config-ikev1-policy)# group 2 ciscoasa-Site-B(config-ikev1-policy)# lifetime 5600 ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 type ipsec-l2l ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 ipsec-attributes ciscoasa-Site-B(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123 ciscoasa-Site-B(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac Define interesting traffic by means of an access-list again which is mirrored to other side ciscoasa-Site-B(config)# access-list 109 permit ip host 33.33.33.33 host 11.11.11.11 Crypto MAP Creation and Application ciscoasa-Site-B(config)# crypto map mymap 10 match address 109 ciscoasa-Site-B(config)# crypto map mymap 10 set peer 1.1.1.1 ciscoasa-Site-B(config)# crypto map mymap 10 set ikev1 transform-set t-set ciscoasa-Site-B(config)# crypto map mymap interface outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA Verification Initiating a Connection from Router R1 destinies to Router R3 which is as per interesting traffic of VPN R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 68/102/144 ms Verification of ISAKMP functionality ciscoasa-site-A# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 2.2.2.2 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE Verification if IPSec Functionality ciscoasa-site-A# show crypto ipsec sa interface: Outside Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1 access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33 local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) current_peer: 2.2.2.2 #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 80 local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0 path mtu 1500, ipsec overhead 58, media mtu 1500
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA ciscoasa-Site-B# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 1.1.1.1 Type : L2L Role : responder Rekey : no State : MM_ACTIVE ciscoasa-Site-B# show crypto ipsec sa interface: outside Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2 access-list 109 extended permit ip host 33.33.33.33 host 11.11.11.11 local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) current_peer: 1.1.1.1 #pkts encaps: 362, #pkts encrypt: 362, #pkts digest: 362 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 362, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server LAB - 3 Making Site to Site IPSec Virtual Private Network with Points to Remember:  Digital Certificate is issued by an external Authority after Verification  Any Other Device who have the certificate from same authority can form VPN with each other  A Certificate Authority can be any server flavor Operating system or a Cisco router  The process of requesting and enrolling a certificate is done over SCEP protocol  Simple Certificate Enrollment Protocol(SCEP) is devoloped over HTTP so it also work on TCP/80  This Authentication which is done by an External Authentication Server is also called as PKI (Public Key Infrastucture) Whenever the authentication of VPN is set to Digital Certificates Peers Exchange there certificates As Soon as they confirm that the issuer is same for both the certificates they form vpn with each other
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server LAB Topology In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B Respectively and R2 is acting as Internet as well as Certificate Authority. Loopbacks here demonstrates Local LAN Interface Configuration on Router Device Interface Ip Address Subnet R1 F0/0 1.1.1.1 255.0.0.0 R1 loopback 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.1 255.0.0.0 R3 F0/0 2.2.2.2 255.0.0.0 R3 loopback 33.33.33.33 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3 Verification for routing R1#ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms R3#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server Task 1 : Configure Router R1 to Act as Certificate Authority, and request Certificates From Router R1 and R3 Prerequisite  Make sure that you have enabled HTTP services on the router which is acting as CA Server  And Ensure proper clock is synchronized between peers and Server before making CA  Thus Configure NTP on all the Routers Participating in VPN and make sure they are sync. Verification R1#show clock 11:41:56.595 UTC Sat Jan 5 2013 R2#show clock 11:42:02.871 UTC Sat Jan 5 2013 R3#show clock 11:42:04.805 UTC Sat Jan 5 2013 R2(config)#ip http server R2#show ip http server status HTTP server status: Enabled HTTP server port: 80 HTTP server authentication method: enable once verify the services and pre-requisite start making router R2 as Certificate Authority (CA) R2(config)#crypto pki server ios_ca R2(cs-server)#grant auto R2(cs-server)#no shutdown %Some server settings cannot be changed after CA certificate generation. % Please enter a passphrase to protect the private key % or type Return to exit Password:******** Re-enter password:******** % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] % Exporting Certificate Server signing certificate and keys... Jan 5 15:00:57.435: %SSH-5-ENABLED: SSH 1.99 has been enabled % Certificate Server enabled. Jan 5 15:01:00.063: %PKI-6-CS_ENABLED: Certificate server now enabled.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server To enroll a certificate on Router R1 create a Trust point where all the properties of local Router and address of CA is to be defined R1(config)#crypto pki trustpoint ca_r1 R1(ca-trustpoint)#enrollment url http://1.1.1.2 R1(ca-trustpoint)#revocation-check none After we define the CA Server Address we need get certificate from CA To Enroll yourself and Get CA Certificate into your Router R1(config)#crypto pki authenticate ca_r1 Certificate has the following attributes: Fingerprint MD5: B853F5E4 1DEFC727 3C2FFF84 994AA49A Fingerprint SHA1: 38F6ED36 A70ACE41 B20EE59E 81ABBCCC B8038ADD % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. To enroll the certificate from the CA Server R1(config)#crypto pki enroll ca_r1 % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password:******* Re-enter password:******* % The subject name in the certificate will include: R1.lab.local % Include the router serial number in the subject name? [yes/no]: no % The IP address in the certificate is 1.1.1.1 Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto ca certificate ca_r1 verbose' command will show the fingerprint. Jan 5 15:51:37.984: %PKI-6-CERTRET: Certificate received from Certificate Authority
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server Repeat the process with Router R3 as well R3(config)#crypto pki trustpoint ca_r3 R3(ca-trustpoint)#enrollment url http://1.1.1.2 R3(ca-trustpoint)#serial-number none R3(ca-trustpoint)#ip-address 2.2.2.2 R3(ca-trustpoint)#revocation-check none Authenticate Router R3 to CA R3(config)#crypto pki authenticate ca_r3 Certificate has the following attributes: Fingerprint MD5: B853F5E4 1DEFC727 3C2FFF84 994AA49A Fingerprint SHA1: 38F6ED36 A70ACE41 B20EE59E 81ABBCCC B8038ADD % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. Enroll Router R3 to CA R3(config)#crypto pki enroll ca_r3 % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password:******** Re-enter password:********* % The subject name in the certificate will include: R3.lab.local % The IP address in the certificate is 2.2.2.2 Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto ca certificate ca_r3 verbose' command will show the fingerprint. Jan 5 16:03:58.279: %PKI-6-CERTRET: Certificate received from Certificate Authority
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server Verify certificates R1#show crypto pki certificates Certificate Status: Available Certificate Serial Number: 02 Certificate Usage: General Purpose Issuer: cn=ios_ca Subject: Name: R1.lab.local IP Address: 1.1.1.1 ipaddress=1.1.1.1+hostname=R1.lab.local Validity Date: start date: 15:51:36 UTC Jan 5 2013 end date: 15:51:36 UTC Jan 5 2014 Associated Trustpoints: ca_r1 R3#show crypto pki certificates Certificate Status: Available Certificate Serial Number: 03 Certificate Usage: General Purpose Issuer: cn=ios_ca Subject: Name: R3.lab.local IP Address: 2.2.2.2 ipaddress=2.2.2.2+hostname=R3.lab.local Validity Date: start date: 16:03:56 UTC Jan 5 2013 end date: 16:03:56 UTC Jan 5 2014 Associated Trustpoints: ca_r3 R1#sh crypto pki trustpoints Trustpoint ca_r1: Subject Name: cn=ios_ca Serial Number: 01 Certificate configured. SCEP URL: http://1.1.1.2:80/cgi-bin Verification on CA Server i.e Router R2 R2#show crypto pki server Certificate Server ios_ca: Status: enabled State: enabled
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server Task 2 : Configure a IPSec site-to-site vpn between R1 and R3 using PKI authentication to make the secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33) Process of making an IPSec VPN can be simplified by following the sequence of configuration. o Define ISAKMP Credentials, the credentials which are to be used for Key Exchange o Define IPSec Credentials, which are used in data Exchange o Define interesting traffic using an access-list o Map all the credentials of VPN in a crypto map o Apply the Map on Interface Defining ISAKMP Policy which is also called as phase 1 parameters of VPN R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication rsa-sig R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we are using rsa-signatures here so no need to define any pre- share key. This Concludes Phase 1 Configuration Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit As per task our interesting traffic is sourced from 11.11.11.11 and destinies at 33.33.33.33 definition of it can be done by an simple extended access-list R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server Binding credentials using crypto map R1(config)#crypto map vpn-map 10 ipsec-isakmp R1(config-crypto-map)#set peer 2.2.2.2 R1(config-crypto-map)#set transform-set t-set-1 R1(config-crypto-map)#match address 101 A crypto map binds the interesting traffic and peer with a specific transform set Application of this crypto map over as interface R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map Over other side we need to define exactly the same credentials of phase 1 & 2 without any change but difference in names of policies and transform-set is negligible. R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication rsa-sig R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac No Need to define any pre-share key as we are using Authentication as rsa-sig(i.e Digital Certificates) R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33 R3(config)#crypto map vpn-map-2 10 ipsec-isakmp R3(config-crypto-map)#set peer 1.1.1.1 R3(config-crypto-map)#set transform-set t-set-2 R3(config-crypto-map)#match address 101 R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map-2
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN using CA Server Verification Generating Interesting Traffic R1#ping 33.33.33.33 source 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds: Packet sent with a source address of 20.1.1.1 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms As soon as VPN starts the traffic between two local LAN starts Transactions. R1#sh crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: vpn-net, local addr 1.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) current_peer 2.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pktscompr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2 path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0 current outbound spi: 0x0(0) R1#sh crypto session Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 2.2.2.2 port 500 IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA LAB - 4 Making Site to Site IPSec VPN Over ASA with PKI LAB Topology In Above topology two ASA are acting as border devices of two sites Site A & Site B Respectively and R2 is acting as Internet as well as a CA server where as Router R1 and Router R3 are Local LAN of their respective sites Interface Configuration on Router Device Interface Name-if Ip Address Subnet ASA Site A E0/0 Outside 1.1.1.1 255.0.0.0 ASA Site A E0/1 Inside 11.11.11.10 255.0.0.0 ASA Site B E0/0 Outside 2.2.2.2 255.0.0.0 ASA Site B E0/1 Inside 33.33.33.10 255.0.0.0 R1 F0/0 -- -- 11.11.11.11 255.0.0.0 R3 F0/0 -- -- 33.33.33.33 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices Site ASA Verification for routing ciscoasa-site-A# ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 msR3#ping 1.1.1.1 ciscoasa-Site-B# ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 50/74/90 ms Task 1 : Configure Router R2 as CA server and Enroll ASA Site A and Site B to that CA Server
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA R2(config)#ip http server R2#show ip http server status HTTP server status: Enabled HTTP server port: 80 HTTP server authentication method: enable once verify the services and pre-requisite start making router R2 as Certificate Authority (CA) R2(config)#crypto pki server ios_ca R2(cs-server)#grant auto R2(cs-server)#no shutdown %Some server settings cannot be changed after CA certificate generation. % Please enter a passphrase to protect the private key % or type Return to exit Password:******** Re-enter password:******** % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] % Exporting Certificate Server signing certificate and keys... Jan 5 15:00:57.435: %SSH-5-ENABLED: SSH 1.99 has been enabled % Certificate Server enabled. Jan 5 15:01:00.063: %PKI-6-CS_ENABLED: Certificate server now enabled. To verify the certificate server R2#sh crypto pki server Certificate Server ios_ca: Status: enabled State: enabled Server's configuration is locked (enter "shut" to unlock it) Issuer name: CN=ios_ca CA cert fingerprint: B853F5E4 1DEFC727 3C2FFF84 994AA49A Granting mode is: auto Last certificate issued serial number: 0x3 CA certificate expiration timer: 15:00:58 UTC Jan 5 2016 CRL NextUpdate timer: 21:00:59 UTC Jan 5 2013 Current primary storage dir: nvram: Database Level: Minimum - no cert data written to storage To enroll a certificate on ASA1 create a Trust point where all the properties of ASA1 is configured and address of CA is to be defined
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA ciscoasa-site-A (config)# crypto ca trustpoint ios_ca ciscoasa-site-A (config-ca-trustpoint)# enrollment url http://1.1.1.2 ciscoasa-site-A (config-ca-trustpoint)# revocation-check none Authenticate to CA Server ciscoasa-site-A (config)# crypto ca authenticate ios_ca INFO: Certificate has the following attributes: Fingerprint: b853f5e4 1defc727 3c2fff84 994aa49a Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. Generate RSA Keys and then Enroll to CA Server ciscoasa-site-A (config)# crypto key generate rsa ciscoasa-site-A (config)# crypto ca enroll ios_ca % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: ******** Re-enter password: ******** % The fully-qualified domain name in the certificate will be: ciscoasa-site-A % Include the device serial number in the subject name? [yes/no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority The certificate has been granted by CA! To enroll a certificate on ASA2 create a Trust point where all the properties of ASA2 is configured and address of CA is to be defined
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA ciscoasa-site-B (config)# crypto ca trustpoint ios_ca ciscoasa-site-B (config-ca-trustpoint)# enrollment url http://2.2.2.1 ciscoasa-site-B (config-ca-trustpoint)# revocation-check none Authenticate to CA Server ciscoasa-site-B (config)# crypto ca authenticate ios_ca INFO: Certificate has the following attributes: Fingerprint: b853f5e4 1defc727 3c2fff84 994aa49a Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. Generate RSA Keys and then Enroll to CA Server ciscoasa-site-B (config)# crypto key generate rsa ciscoasa-site-B (config)# crypto ca enroll ios_ca % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: ******** Re-enter password: ******** % The fully-qualified domain name in the certificate will be: ciscoasa-site-B % Include the device serial number in the subject name? [yes/no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority The certificate has been granted by CA!
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA Verification ciscoasa-site-A(config)# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 04 Certificate Usage: General Purpose Public Key Type: RSA (1024 bits) Issuer Name: cn=ios_ca Subject Name: hostname=ciscoasa Validity Date: start date: 18:18:26 UTC Jan 5 2013 end date: 18:18:26 UTC Jan 5 2014 Associated Trustpoints: ios_ca ciscoasa-site-B(config)# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 05 Certificate Usage: General Purpose Public Key Type: RSA (1024 bits) Issuer Name: cn=ios_ca Subject Name: hostname=ciscoasa Validity Date: start date: 18:18:26 UTC Jan 5 2013 end date: 18:18:26 UTC Jan 5 2014 Associated Trustpoints: ios_ca
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA Task 2 : Configure a IPSec site-to-site vpn between Site A and Site B using PKI to make the secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33) By default ISAKMP services are disabled in ASA we need to enable the ISAKMP Services, In ASA > 8.3 ISAKMP is termed as IKEv1 and IKEv2 IKEv1 is dedicated for Site to Site and IPSec VPN and IKEv2 for SSL VPN, As we are working with Site to Site VPN we need to enable IKEv1 here ciscoasa-site-A(config)# crypto ikev1 enable Outside Configure all the Credentials of ISAKMP in a policy ciscoasa-site-A(config)# crypto ikev1 policy 10 ciscoasa-site-A(config-ikev1-policy)# encryption aes ciscoasa-site-A(config-ikev1-policy)# hash sha ciscoasa-site-A(config-ikev1-policy)# group 2 ciscoasa-site-A(config-ikev1-policy)# authentication rsa-sig ciscoasa-site-A(config-ikev1-policy)# lifetime 6000 As we have certificates as authentication no need to define pre-share key Configure IPSec Credentials for both devices ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac Definition of Interesting Traffic using Access-list ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33 Create a Crypto map and bind all the credentials with that MAP ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2 ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set ciscoasa-site-A(config)# crypto map mymap 10 match address 101 Apply The MAP on interface facing to Internet ciscoasa-site-A(config)# crypto map mymap interface Outside Make the VPN Configuration on Other Side As well
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA ciscoasa-Site-B(config)# crypto ikev1 enable Outside ciscoasa-Site-B(config)# crypto ikev1 policy 10 ciscoasa-Site-B(config-ikev1-policy)# authentication rsa-sig ciscoasa-Site-B(config-ikev1-policy)# encryption aes ciscoasa-Site-B(config-ikev1-policy)# hash sha ciscoasa-Site-B(config-ikev1-policy)# group 2 ciscoasa-Site-B(config-ikev1-policy)# lifetime 5600 ciscoasa-Site-B(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac Define interesting traffic by means of an access-list again which is mirrored to other side ciscoasa-Site-B(config)# access-list 109 permit ip host 33.33.33.33 host 11.11.11.11 Crypto MAP Creation and Application ciscoasa-Site-B(config)# crypto map mymap 10 match address 109 ciscoasa-Site-B(config)# crypto map mymap 10 set peer 1.1.1.1 ciscoasa-Site-B(config)# crypto map mymap 10 set ikev1 transform-set t-set ciscoasa-Site-B(config)# crypto map mymap interface outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA Verification Initiating a Connection from Router R1 destinies to Router R3 which is as per interesting traffic of VPN R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 68/102/144 ms Verification of ISAKMP functionality ciscoasa-site-A# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 2.2.2.2 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE Verification if IPSec Functionality ciscoasa-site-A# show crypto ipsec sa interface: Outside Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1 access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33 local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) current_peer: 2.2.2.2 #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 80 local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0 path mtu 1500, ipsec overhead 58, media mtu 1500
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site IPSec VPN over ASA ciscoasa-Site-B# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 1.1.1.1 Type : L2L Role : responder Rekey : no State : MM_ACTIVE ciscoasa-Site-B# show crypto ipsec sa interface: outside Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2 access-list 109 extended permit ip host 33.33.33.33 host 11.11.11.11 local ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0) current_peer: 1.1.1.1 #pkts encaps: 362, #pkts encrypt: 362, #pkts digest: 362 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 362, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site GRE VPN LAB - 5 Making Site to Site GRE Virtual Private Network Points to Remember:  GRE is an only tunneling protocol which is used to form a tunnel between two sites  GRE provides only Encapsulation service by Preparatory GRE protocol which is at no.47 in TCP/IP Suite  It adds an extra interface for each peer which allows us to configure Routing and QoS  GRE do not support and Encryption or Hashing Service so we not have any secure transaction over a GRE  GRE creates a virtual Point-to-Point link between two remotely connected devices to act as if they are directly connected we need a static IP on both peers who are participation in a GRE tunnel
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site GRE VPN LAB Topology In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B Respectively and R2 is acting as Internet Loopbacks here demonstrates Local LAN Interface Configuration on Router Device Interface Ip Address Subnet R1 F0/0 1.1.1.1 255.0.0.0 R1 loopback 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.1 255.0.0.0 R3 F0/0 2.2.2.2 255.0.0.0 R3 loopback 33.33.33.33 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3 Verification for routing R1#ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms R3#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site GRE VPN Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their public IP address as peer address to each other. o GRE VPN's is always configured using virtual interfaces called as tunnels which do have an ip address which is to be assigned by administrator, o Apart from ip address a Tunnel interface needs its association with physical interfaces which is done by defining tunnel source and tunnel destination o Tunnel source is association of your tunnel with a physical interface you have, it can be associated by defining an ip address or the name of interface it defines the starting point of tunnel. o Tunnel destination is defining the end point of the tunnel which physical ip address of remote device generally termed as peer address R1(config)#interface tunnel 0 R1(config-if)#ip add 6.6.6.1 255.0.00.0 R1(config-if)#tunnel source 1.1.1.1 R1(config-if)#tunnel destination 2.2.2.2 If authentication is desired over tunnel, then we can configure a pre-share key over tunnel. In GRE Authentication is Optional unlike IPSec where its mandatory. R1(config-if)#tunnel key 123456 Configure the following configuration over other side device as well R2(config)#interface tunnel 123 R2(config-if)#ip add 6.6.6.32255.0.00.0 R2(config-if)#tunnel source FastEthernet 0/0 R2(config-if)#tunnel destination 1.1.1.1 R2(config-if)#tunnel key 123456 R1#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP Gateway of last resort is 1.1.1.2 to network 0.0.0.0 C 1.0.0.0/8 is directly connected, FastEthernet0/0 C 6.0.0.0/8 is directly connected, Tunnel0 C 11.0.0.0/8 is directly connected, Loopback0 S* 0.0.0.0/0 [1/0] via 1.1.1.2 Tunnel Is Acting as a Directly connected network to other side
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site GRE VPN R1#ping 6.6.6.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms R3#ping 6.6.6.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms Tunnel Communication is working well, But when local lan communication is desired its not working. R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) R3#ping 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5)
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Site-to-Site GRE VPN Task 2 : Route the traffic of both side local LAN using static routing via tunnel to make the local LAN reachable. R1(config)#ip route 33.33.33.0 255.255.255.0 6.6.6.2 Adding a static route reachable via tunnel will make the local LAN communication work well either next hop can be tunnel or the ip of Next hop Tunnel Address R3(config)#ip route 11.11.11.0 255.255.255.0 tunnel 0 As soon routes are added in routing table local LAN will be Reachable R1#show ip route C 1.0.0.0/8 is directly connected, FastEthernet0/0 33.0.0.0/24 is subnetted, 1 subnets S 33.33.33.0 [1/0] via 6.6.6.2 C 6.0.0.0/8 is directly connected, Tunnel0 C 11.0.0.0/8 is directly connected, Loopback0 S* 0.0.0.0/0 [1/0] via 1.1.1.2 R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms R3#ping 11.11.11.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/59/96 ms Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map LAB - 6 GRE Over IPSec VPN with Crypto-Map Points to Remember:  GRE is an only tunneling protocol which is used to form a tunnel between two sites  GRE provides only Encapsulation service by Preparatory GRE protocol which is at no.47 in TCP/IP Suite  It adds an extra interface for each peer which allows us to configure Routing and QoS  GRE do not support and Encryption or Hashing Service so we not have any secure transaction over a GRE  GRE creates a virtual Point-to-Point link between two remotely connected devices to act as if they are directly connected we need a static IP on both peers who are participation in a GRE tunnel
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map LAB Topology In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B Respectively and R2 is acting as Internet Loopbacks here demonstrates Local LAN Interface Configuration on Router Device Interface Ip Address Subnet R1 F0/0 1.1.1.1 255.0.0.0 R1 loopback 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.1 255.0.0.0 R3 F0/0 2.2.2.2 255.0.0.0 R3 loopback 33.33.33.33 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3 Verification for routing R1#ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms R3#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their public IP address as peer address to each other. R1(config)#interface tunnel 0 R1(config-if)#ip add 6.6.6.1 255.0.00.0 R1(config-if)#tunnel source 1.1.1.1 R1(config-if)#tunnel destination 2.2.2.2 R1(config-if)#tunnel key 123456 Configure the following configuration over other side device as well R2(config)#interface tunnel 123 R2(config-if)#ip add 6.6.6.32255.0.00.0 R2(config-if)#tunnel source FastEthernet 0/0 R2(config-if)#tunnel destination 1.1.1.1 R2(config-if)#tunnel key 123456 R1#ping 6.6.6.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms R3#ping 6.6.6.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map Task 2 : Route the traffic of both side local LAN using Dynamic routing Protocol EIGRP via tunnel to make the local LAN reachable. we need to advertise the tunnel address as common address between peers R1(config)#router eigrp 100 R1(config-router)#net 11.0.0.0 R1(config-router)#net 6.0.0.0 !! Do not Advertise Physical networks in Dynamic Routing R3(config)#router eigrp 100 R3(config-router)#network 33.0.0.0 R3(config-router)#network 6.0.0.0 As soon routes are added in routing table local LAN will be Reachable R1#show ip route C 1.0.0.0/8 is directly connected, FastEthernet0/0 D 33.0.0.0/8 [90/297372416] via 6.6.6.2, 00:03:02, Tunnel0 C 6.0.0.0/8 is directly connected, Tunnel0 C 11.0.0.0/8 is directly connected, Loopback0 S* 0.0.0.0/0 [1/0] via 1.1.1.2 R3#show ip route C 2.0.0.0/8 is directly connected, FastEthernet0/0 C 33.0.0.0/8 is directly connected, Loopback0 C 6.0.0.0/8 is directly connected, Tunnel0 D 11.0.0.0/8 [90/297372416] via 6.6.6.1, 00:01:19, Tunnel0 S* 0.0.0.0/0 [1/0] via 2.2.2.1 R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map Task 3 : Protect The GRE tunnel which is created between Host 1.1.1.1 and 2.2.2.2 using IPsec VPN solution with crypto-maps. Defining ISAKMP Policy which is also called as phase 1 parameters of VPN R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication pre-share R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we need to define a shared secret key on both side in this lab scenario netmetric is the shared key R1(config)#crypto isakmp key netmetric address 2.2.2.2 This Concludes Phase 1 Configuration Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit As per task our interesting traffic as all GRE Traffic sourced from 1.1.1.1 and destinies at 2.2.2.2 definition of it can be done by an simple extended access-list Make sure that your access list catches GRE Traffic. R1(config)#access-list 101 permit gre host 1.1.1.1 host 2.2.2.2 Binding credentials using crypto map R1(config)#crypto map vpn-map 10 ipsec-isakmp R1(config-crypto-map)#set peer 2.2.2.2 R1(config-crypto-map)#set transform-set t-set-1 R1(config-crypto-map)#match address 101 Appling the crypto map to interface R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map Over other side we need to define exactly the same credentials of phase 1 & 2 without any change but difference in names of policies and transform-set is negligible. R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication pre-share R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto isakmp key netmetric address 1.1.1.1 R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac R1(config)#access-list 101 permit gre host 2.2.2.2 host 1.1.1.1 R3(config)#crypto map vpn-map-2 10 ipsec-isakmp R3(config-crypto-map)#set peer 1.1.1.1 R3(config-crypto-map)#set transform-set t-set-2 R3(config-crypto-map)#match address 101 R1(config)#int f 0/0 R1(config-if)#crypto map vpn-map-2
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map Verification Generating Interesting Traffic R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 1.1.1.1 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms R1#sh crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: vpn-net, local addr 1.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0) current_peer 2.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pktscompr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2 path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0 current outbound spi: 0x0(0) R1#sh crypto session Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 2.2.2.2 port 500 IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active IPSEC FLOW: permit gre 1.1.1.1/255.255.255.255,2.2.2.2/255.255.255.255
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map LAB - 7 GRE Over IPSec VPN with IPSec Profiles Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their public IP address as peer address to each other. R1(config)#interface tunnel 0 R1(config-if)#ip add 6.6.6.1 255.0.00.0 R1(config-if)#tunnel source 1.1.1.1 R1(config-if)#tunnel destination 2.2.2.2 R1(config-if)#tunnel key 123456 Configure the following configuration over other side device as well R2(config)#interface tunnel 123 R2(config-if)#ip add 6.6.6.32255.0.00.0 R2(config-if)#tunnel source FastEthernet 0/0 R2(config-if)#tunnel destination 1.1.1.1 R2(config-if)#tunnel key 123456 R1#ping 6.6.6.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms R3#ping 6.6.6.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map Task 2 : Route the traffic of both side local LAN using Dynamic routing Protocol EIGRP via tunnel to make the local LAN reachable. we need to advertise the tunnel address as common address between peers R1(config)#router eigrp 100 R1(config-router)#net 11.0.0.0 R1(config-router)#net 6.0.0.0 !! Do not Advertise Physical networks in Dynamic Routing R3(config)#router eigrp 100 R3(config-router)#network 33.0.0.0 R3(config-router)#network 6.0.0.0 As soon routes are added in routing table local LAN will be Reachable R1#show ip route C 1.0.0.0/8 is directly connected, FastEthernet0/0 D 33.0.0.0/8 [90/297372416] via 6.6.6.2, 00:03:02, Tunnel0 C 6.0.0.0/8 is directly connected, Tunnel0 C 11.0.0.0/8 is directly connected, Loopback0 S* 0.0.0.0/0 [1/0] via 1.1.1.2 R3#show ip route C 2.0.0.0/8 is directly connected, FastEthernet0/0 C 33.0.0.0/8 is directly connected, Loopback0 C 6.0.0.0/8 is directly connected, Tunnel0 D 11.0.0.0/8 [90/297372416] via 6.6.6.1, 00:01:19, Tunnel0 S* 0.0.0.0/0 [1/0] via 2.2.2.1 R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map Task 3 : Protect The GRE tunnel which is created between Host 1.1.1.1 and 2.2.2.2 using IPSec Profile. Defining ISAKMP Policy which is also called as phase 1 parameters of VPN R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication pre-share R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we need to define a shared secret key on both side in this lab scenario netmetric is the shared key R1(config)#crypto isakmp key netmetric address 2.2.2.2 This Concludes Phase 1 Configuration Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit As per task we are supposed to use IPSEC PROFILE to protect the traffic of tunnel thus creating an IPSec Profile. An IPSec Profile is a replacement of crypto-map which is used to apply a security policy only for tunnel interfaces, An IPSec Profile doesn't need any access-list or peer address R1(config)#crypto ipsec profile demo-profile R1(ipsec-profile)#set transform-set t-set-1 IPSec Profiles are applied on directly Tunnel Interface and they secure every traffic passing through that tunnel R1(config)#interface tunnel 0 R1(config-if)#tunnel protection ipsec profile demo-profile
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication pre-share R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto isakmp key netmetric address 1.1.1.1 R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac R3(config)#crypto ipsec profile demo-profile R3(ipsec-profile)#set transform-set t-set-1 IPSec Profiles are applied on directly Tunnel Interface and they secure every traffic passing through that tunnel R3(config)#interface tunnel 0 R3(config-if)#tunnel protection ipsec profile demo-profile
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 GRE/IPSec with Crypto - Map Verification Generating Interesting Traffic R1#ping 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 1.1.1.1 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms R1#sh crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: vpn-net, local addr 1.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0) current_peer 2.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pktscompr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2 path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0 current outbound spi: 0x0(0) R1#sh crypto session Crypto session current status Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 2.2.2.2 port 500 IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active IPSEC FLOW: permit gre 1.1.1.1/255.255.255.255,2.2.2.2/255.255.255.255
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Dynamic Multipoint VPN LAB - 8 Site-to-Site Dynamic Multipoint VPN (DMVPN)  DMVPN is a Cisco proprietary VPN service.  DMVPN make use of NHRP and MGRE as two special services to make a Dynamic VPN service successful.  Next Hop Resolution Protocol (NHRP) is a special query process designed to inquire unknown address of peers  MGRE is a multi-point GRE tunnel which is capable to work without a fixed tunnel destination Its mandatory for a hub to be always on a static IP address to be reachable to spokes. A spoke either can be on static IP or on Dynamic IP Address. whenever VPN process starts from a spoke to another spoke the Query of unknown address reaches to HUB. HUB resolves the query as per it NHRP Database and back to spoke with current address using which the Peering will be formed.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Dynamic Multipoint VPN LAB Topology In Above topology Router R4 is acting as HUB, Router R1 & R3 are acting as spokes and R2 is acting as Internet Loopbacks on routers here demonstrates Local LAN of each site. Interface Configuration on Devices Device Interface Ip Address Subnet R1 F0/0 1.1.1.1 255.0.0.0 R1 Loopback 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.2 255.0.0.0 R2 F1/0 3.3.3.2 255.0.0.0 R3 F0/0 2.2.2.3 255.0.0.0 R3 Loopback 33.33.33.33 255.0.0.0 R4 F0/0 3.3.3.3 255.0.0.0 R4 Loopback 44.44.44.44 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on all routers Verification for routing R1#ping 3.3.3.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms R3#ping 3.3.3.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Dynamic Multipoint VPN Task 1 : Configure Dynamic Multipoint tunnels between Router R1, R2,R3 R4 where R4 Acting as HUB and R1 and R3 are spokes do not use a static peer address or fixed tunnel destination. configure GRE Tunnels on all the routers (HUB and Spokes both in same subnet) as the fixed tunnel destination is not allowed Make the mode of tunnel as Multipoint GRE, When a tunnel is configured in Multipoint mode its capable to be terminated on different destinations R1(config)#interface tunnel 0 R1(config-if)#ip address 6.6.6.1 255.0.00.0 R1(config-if)#tunnel source fastEthernet 0/0 R1(config-if)#tunnel mode gre multipoint R1(config-if)#tunnel key 123456 Configure the following configuration over other side device as well with different IP address of same subnet R3(config)#interface tunnel 0 R3(config-if)#ip address 6.6.6.3 2255.0.00.0 R3(config-if)#tunnel source FastEthernet 0/0 R3(config-if)#tunnel mode gre multipoint R3(config-if)#tunnel key 123456 R4(config)#interface Tunnel 0 R4(config-if)#ip add 6.6.6.4 255.0.0.0 R4(config-if)#tunnel source FastEthernet 0/0 R4(config-if)#tunnel mode gre multipoint R4(config-if)#tunnel key 123456
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Dynamic Multipoint VPN Make NHRP configurations on HUB and Spokes Configuring NHRP for HUB router R4(config)#interface tunnel 0 R4(config-if)#ip nhrp network-id 123 R4(config-if)#ip nhrp map multicast dynamic Configuring NHRP for spoke routers while configuring NHRP over spoke we need to define the Next Hop Server (NHS) which is HUB and bind the tunnel and physical IP address of HUB R1(config)#interface tunnel 0 R1(config-if)#ip nhrp network-id 123 R1(config-if)#ip nhrp nhs 6.6.6.4 R1(config-if)#ip nhrp map 6.6.6.4 3.3.3.3 R1(config-if)#ip nhrp map multicast 3.3.3.3 R3(config)#interface Tunnel0 R3(config-if)#ip nhrp network-id 123 R3(config-if)#ip nhrp nhs 6.6.6.4 R3(config-if)#ip nhrp map 6.6.6.4 3.3.3.3 R3(config-if)#ip nhrp map multicast 3.3.3.3 As we complete NHRP configuration the HUB device records all the addresses in its database R4#show ip nhrp detail 6.6.6.1/32 via 6.6.6.1, Tunnel0 created 00:14:30, expire 01:45:29 Type: dynamic, Flags: unique nat registered NBMA address: 1.1.1.1 6.6.6.3/32 via 6.6.6.3, Tunnel0 created 00:10:10, expire 01:49:49 Type: dynamic, Flags: unique nat registered NBMA address: 2.2.2.3 And when all ip addresses are registered in database all the tunnels will be reachable to each other's even without a strict tunnel destination
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Dynamic Multipoint VPN Verification: Connectivity between Spoke to others R1#ping 6.6.6.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.4, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/98/208 ms R1#ping 6.6.6.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/242/524 ms Connectivity between HUB and others R4#ping 6.6.6.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/176/304 ms R4#ping 6.6.6.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 6.6.6.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 68/192/268 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Dynamic Multipoint VPN Task 2 : Configure Dynamic Routing between peers using EIGRP as routing protocols and make all the loopbacks reachable to each others R1(config)#router eigrp 100 R1(config-router)#network 11.11.11.11 R1(config-router)#network 6.0.0.0 R3(config)#router eigrp 100 R3(config-router)#network 33.33.33.33 R3(config-router)#network 6.0.0.0 R4(config)#router eigrp 100 R4(config-router)#network 44.44.44.44 R4(config-router)#network 6.0.0.0 To make the routes reachable to other spoke we need to break the split horizon on tunnel interface and disable the next hop changes on tunnel so that the routes from one spoke should reach to other spokes without any change R4(config)#interface tunnel 0 R4(config-if)#no ip split-horizon eigrp 100 R4(config-if)#no ip next-hop-self eigrp 100 Verification R3#show ip route C 2.0.0.0/8 is directly connected, FastEthernet0/0 C 33.0.0.0/8 is directly connected, Loopback0 C 6.0.0.0/8 is directly connected, Tunnel0 D 11.0.0.0/8 [90/310172416] via 6.6.6.1, 00:25:46, Tunnel0 D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:25:53, Tunnel0 S* 0.0.0.0/0 [1/0] via 2.2.2.2 R1#sh ip route C 1.0.0.0/8 is directly connected, FastEthernet0/0 D 33.0.0.0/8 [90/310172416] via 6.6.6.3, 00:26:57, Tunnel0 C 6.0.0.0/8 is directly connected, Tunnel0 C 11.0.0.0/8 is directly connected, Loopback0 D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:27:05, Tunnel0 S* 0.0.0.0/0 [1/0] via 1.1.1.2
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Dynamic Multipoint VPN Task 3 : Protect The tunnels which is created between HUB and Spokes using IPSec Profile. R1(config)#crypto isakmp enable R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption 3des R1(config-isakmp)#authentication pre-share R1(config-isakmp)#group 2 R1(config-isakmp)#hash md5 As part of device authentication we need to define a shared secret key , on all devices key word netmetric is the shared key with the address 0.0.0.0 as address is not fixed . R1(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0 R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit R1(config)#crypto ipsec profile demo-profile R1(ipsec-profile)#set transform-set t-set-1 R1(config)#interface tunnel 0 R1(config-if)#tunnel protection ipsec profile demo-profile
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Dynamic Multipoint VPN Repeat the steps with other devices as well R3(config)#crypto isakmp enable R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption 3des R3(config-isakmp)#authentication pre-share R3(config-isakmp)#group 2 R3(config-isakmp)#hash md5 R3(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0 R3(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R3(config)#crypto ipsec profile demo-profile R3(ipsec-profile)#set transform-set t-set-1 R3(config)#interface tunnel 0 R3(config-if)#tunnel protection ipsec profile demo-profile ===================================================================================== R4(config)#crypto isakmp enable R4(config)#crypto isakmp policy 10 R4(config-isakmp)#encryption 3des R4(config-isakmp)#authentication pre-share R4(config-isakmp)#group 2 R4(config-isakmp)#hash md5 R4(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0 R4(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac R4(config)#crypto ipsec profile demo-profile R4(ipsec-profile)#set transform-set t-set-1 R4(config)#interface tunnel 0 R4(config-if)#tunnel protection ipsec profile demo-profile
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Dynamic Multipoint VPN Verification: R4#sh crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 2.2.2.3 3.3.3.3 QM_IDLE 1002 0 ACTIVE 1.1.1.1 3.3.3.3 QM_IDLE 1001 0 ACTIVE R3#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 2.2.2.3 3.3.3.3 QM_IDLE 1002 0 ACTIVE 1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE R1#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE 1.1.1.1 3.3.3.3 QM_IDLE 1002 0 ACTIVE R1#ping 33.33.33.33 source loopback 0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds: Packet sent with a source address of 11.11.11.11 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 228/236/244 ms R3#ping 11.11.11.11 source 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds: Packet sent with a source address of 33.33.33.33 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 236/290/336 ms R3#traceroute 11.11.11.11 Type escape sequence to abort. Tracing the route to 11.11.11.11 1 6.6.6.1 360 msec * 140 msec
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server LAB - 9 Remote Access VPN Router as Server (Easy VPN)  When a user gets connected an IP Address needs to be assigned to the user to make him part of LAN  Distinguished rules can be configured for each group of users using ISAKMP Client Groups  AAA must be used to make the VPN User authentication.  Only VPN server is to be configured with all the VPN configurations client doesnt need any specific VPN configs Its mandatory for a vpn server to be always on a static IP address to be reachable from anywhere on internet. VPN Initiation can be done only by clients using an Application called Cisco VPN Client
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server LAB Topology In Above topology Router R1 is acting as VPN Server and RouterR2 is Internet to make the connectivity between networks. Loopback1 on router R1 here demonstrates Local LAN. Interface Configuration on Devices Device Interface Ip Address Subnet R1 F0/0 1.1.1.1 255.0.0.0 R1 Loopback 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.1 255.0.0.0 R3 F0/0 2.2.2.2 255.0.0.0 R3 Loopback 33.33.33.33 255.0.0.0 PC NIC 2.2.2.3 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on all routers Verification for routing C:>ping 1.1.1.1 Pinging 1.1.1.1 with 32 bytes of data: Reply from 1.1.1.1: bytes=32 time=232ms TTL=45 Reply from 1.1.1.1: bytes=32 time=231ms TTL=45 Reply from 1.1.1.1: bytes=32 time=230ms TTL=45 Reply from 1.1.1.1: bytes=32 time=229ms TTL=45 Ping statistics for 1.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 229ms, Maximum = 232ms, Average = 230msR3 R3#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server Task 1 : Configure Router R1 as a Easy VPN server. Create a Group of Users "Sales" and secure the access of 11.0.0.0/8 subnet for them. Configure Basic ISAKMP Credentials for key Exchange process R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encr 3des R1(config-isakmp)# hash md5 R1(config-isakmp)#authentication pre-share R1(config-isakmp)# group 2 No need to define a specific pre-share key as the authentication is desired by using username and password Define IPSec Transform Set R1(config)#crypto ipsec transform-set t-set esp-3des esp-sha-hmac As VPN Authentication is desired by using user accounts AAA Services need to configured with ISAKMP Enabling AAA services on router and creating a new authentication and authorization methods R1(config)#aaa new-model R1(config)#aaa authentication login vpn-users local R1(config)#aaa authorization network vpn-groups local As the Authentication is set to Local creating a new user account on local Database R1(config)#username user1 password 0 cisco123 Interesting traffic to secured can be define in an Access-list which is termed as Split Access-list R1(config)#access-list 109 permit ip 11.0.0.0 0.255.255.255 any A pool of IP needs to defined from where the Address is allocated to remote devices R1(config)#ip local pool vpn 10.1.1.1 10.1.1.50
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server Creating Group for VPN clients where all the credentials defined for client are configured R1(config)#crypto isakmp client configuration group Sales R1(config-isakmp-group)# key ciscoabc R1(config-isakmp-group)# pool vpn R1(config-isakmp-group)# acl 109 A normal crypto map makes peer address definition as a mandatory credential as we do not mention any specific peer address we make a dynamic crypto map which is capable of working without Peer as well. R1(config)#crypto dynamic-map d-map 10 R1(config-crypto-map)#set transform-set t-set R1(config-crypto-map)#reverse-route As the dynamic crypto map cannot be applied over interface directly bind the dynamic map with a Normal Crypto map R1(config)#crypto map mymap 1 ipsec-isakmp dynamic d-map Bind the AAA and VPN configuration in Crypto map R1(config)#crypto map mymap client authentication list vpn-users R1(config)#crypto map mymap isakmp authorization list vpn-groups R1(config)#crypto map mymap client configuration address respond Apply the map to interface connected to internet i.e FastEthernet 0/0 R1(config)#interface FastEthernet0/0 R1(config-if)# crypto map mymap
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server Task 2 : Configure PC as a VPN client of Router R1 and Verify the IP Address Assigned and connectivity Download and Install Cisco VPN Client Software Select New option and define all your credentials required to be authenticate 1
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server Select the connection Entry Created and Connect to it as soon as Connection Initiate the User Authentication Prompt Pops-up After Successful Authentication VPN Gets Connected and Status of VPN Can be verified in status tab in Statistics options
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server IP Address Assigned to Client is 10.1.1.5 To check the secured LAN details select Tab: Route Details R1#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server Task 3 : Configure Router R3 as a VPN client of Router R1 to secure the communication of lacal LAN of R3 and R1 (Loopbacks)and Verify the IP Address Assigned and connectivity Define the VPN client configuration on Router R3 with all the same user credentials R3(config)#crypto ipsec client ezvpn ez-remote R3(config-crypto-ezvpn)# connect auto R3(config-crypto-ezvpn)# group Sales key ciscoabc R3(config-crypto-ezvpn)# mode client R3(config-crypto-ezvpn)# peer 1.1.1.1 R3(config-crypto-ezvpn)# username user1 password cisco123 Apply crypto map on both the interfaces Interface on which Local LAN traffic is inbound to router Apply it on as inside R3(config)#interface Loopback0 R3(config-if)#crypto ipsec client ezvpn ez-remote inside Interface through which router is connected to internet Apply as outside R3(config)#interface FastEthernet0/0 R3(config-if)#crypto ipsec client ezvpn ez-remote outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server Verification: To Verify Assigned Address on Router R3#show ip interface brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 2.2.2.2 YES manual up up FastEthernet0/1 unassigned YES unset administratively down down NVI0 unassigned NO unset up up Loopback0 33.33.33.33 YES manual up up Loopback1 10.1.1.3 YES manual up up To Verify the Connectivity between Loopbacks R3#ping 11.11.11.11 source 33.33.33.33 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds: Packet sent with a source address of 33.33.33.33 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 92/140/184 ms Verification of VPN Establishment at Client Router R3#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 1.1.1.1 2.2.2.2 QM_IDLE 1002 0 ACTIVE Verification of VPN Establishment at Server Router R1#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 1.1.1.1 2.2.2.3 QM_IDLE 1001 0 ACTIVE 1.1.1.1 2.2.2.2 QM_IDLE 1002 0 ACTIVE
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN Router as Server R3#show crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: FastEthernet0/0-head-0, local addr 2.2.2.2 protected vrf: (none) local ident (addr/mask/prot/port): (10.1.1.3/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 1.1.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 current outbound spi: 0x47AC3BBD(1202469821)
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN - ASA as Server LAB - 10 Remote Access VPN ASA as Server (Easy VPN) LAB Topology In Above topology ASA is acting as VPN Server and RouterR2 is Internet to make the connectivity between networks. Router R1 here demonstrates Local LAN. Interface Configuration on Devices Device Interface Ip Address Subnet ASA G0 1.1.1.1 255.0.0.0 ASA G1 11.11.11.10 255.0.0.0 R1 F0/0 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.1 255.0.0.0 PC NIC 2.2.2.3 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on ASA as well as PC Verification for routing C:>ping 1.1.1.1 Pinging 1.1.1.1 with 32 bytes of data: Reply from 1.1.1.1: bytes=32 time=232ms TTL=45 Reply from 1.1.1.1: bytes=32 time=231ms TTL=45 Reply from 1.1.1.1: bytes=32 time=230ms TTL=45 Reply from 1.1.1.1: bytes=32 time=229ms TTL=45 Ping statistics for 1.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 229ms, Maximum = 232ms, Average = 230msR3
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN - ASA as Server Task 1 : Configure ASA as a Easy VPN server. Enable Isakmp IKEv1 and configure its credentials ciscoasa(config)#crypto ikev1 enable outside ciscoasa(config)#crypto ikev1 policy 10 ciscoasa(config-ikev1-policy)# authentication pre-share ciscoasa(config-ikev1-policy)# encryption 3des ciscoasa(config-ikev1-policy)# hash sha ciscoasa(config-ikev1-policy)# group 2 ciscoasa(config-ikev1-policy)# lifetime 36000 Define an IPSec Transform Set ciscoasa(config)#crypto ipsec ikev1 transform-set t-set esp-3des esp-sha-hmac Defining Pool of IP Address to be allocated to clients ciscoasa(config)#ip local pool demo-pool 10.1.1.1-10.1.1.50 Creating User Account for VPN Access ciscoasa(config)#username user1 password cisco123 Creating a VPN Group by name Ra-ASA and defining there attributes ciscoasa(config)#tunnel-group Ra-ASA type remote-access ciscoasa(config)#tunnel-group Ra-ASA general-attributes ciscoasa-site-A(config-tunnel-ipsec)# address-pool demo-pool ciscoasa(config)#tunnel-group Ra-ASA ipsec-attributes ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123 Binding all the credentials with a crypto map
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN - ASA as Server ciscoasa(config)#crypto dynamic-map d-map1 1 set ikev1 transform-set t-set ciscoasa(config)#crypto dynamic-map d-map1 1 set reverse-route ciscoasa(config)#crypto map mymap 1 ipsec-isakmp dynamic d-map1 Applying the Crypto Map over Interface ciscoasa(config)#crypto map mymap interface outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN - ASA as Server Task 2: Configure PC to be VPN client for ASA.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN - ASA as Server
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN - ASA as Server Verification: ciscoasa(config)# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 2.2.2.3 Type : user Role : responder Rekey : no State : AM_ACTIVE ciscoasa(config)# show crypto ipsec sa interface: outside Crypto map tag: d-map1, seq num: 1, local addr: 1.1.1.1 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0) current_peer: 2.2.2.3, username: user1 dynamic allocated peer ip: 10.1.1.1 #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.3/0 path mtu 1500, ipsec overhead 58, media mtu 1500 current outbound spi: 27287AB7 current inbound spi : FBD9BDEF
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Remote Access VPN - ASA as Server Reverse Route Added in ASA routing table ciscoasa(config)# show route Gateway of last resort is 1.1.1.2 to network 0.0.0.0 C 1.0.0.0 255.0.0.0 is directly connected, outside S 10.1.1.1 255.255.255.255 [1/0] via 1.1.1.2, outside C 11.0.0.0 255.0.0.0 is directly connected, inside S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, outside To view protocol specific results ciscoasa# show crypto protocol statistics ikev1 [IKEv1 statistics] Encrypt packet requests: 86 Encapsulate packet requests: 86 Decrypt packet requests: 140 Decapsulate packet requests: 140 HMAC calculation requests: 147 SA creation requests: 3 SA rekey requests: 0 SA deletion requests: 2 Next phase key allocation requests: 6 Random number generation requests: 95 Failed requests: 0 ciscoasa# show crypto protocol statistics ipsec [IPsec statistics] Encrypt packet requests: 4 Encapsulate packet requests: 4 Decrypt packet requests: 4 Decapsulate packet requests: 4 HMAC calculation requests: 4 SA creation requests: 6 SA rekey requests: 0 SA deletion requests: 4 Next phase key allocation requests: 0 Random number generation requests: 3 Failed requests: 0
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI LAB - 11 Client Less SSL VPN- Router as Server (CLI)  SSL Works on TCP port number 443  Initially Introduced by Netscape later introduced as standard VPN Protocol by Name TLS(Transport Layer Security)  It provides security from Transport Layer (i.e. layer 4 ) to Application Layer (i.e. layer 7)  Authentication happens only based on digital certificates. pre-share authentication is not supported.  When SSL VPN is configured to establish using only a web Browser and no other application is required its called as Client-Less SSL VPN  Only web enabled services like HTTP,FTP and Email are supported Over an Client Less SSL VPN Its mandatory for a vpn server to be always on a static IP address to be reachable from anywhere on internet. VPN Initiation can be done only by clients using a web browser
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI LAB Topology In Above topology Router R1 is acting as SSL VPN Server , RouterR2 is Internet to make the connectivity between networks and PC is our client with a browser. Loopback1 on router R1 here demonstrates Local LAN. Interface Configuration on Devices Device Interface Ip Address Subnet R1 F0/0 1.1.1.1 255.0.0.0 R1 Loopback 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.1 255.0.0.0 PC NIC 2.2.2.3 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on all routers Verification for routing C:>ping 1.1.1.1 Pinging 1.1.1.1 with 32 bytes of data: Reply from 1.1.1.1: bytes=32 time=232ms TTL=45 Reply from 1.1.1.1: bytes=32 time=231ms TTL=45 Reply from 1.1.1.1: bytes=32 time=230ms TTL=45 Reply from 1.1.1.1: bytes=32 time=229ms TTL=45 Ping statistics for 1.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 229ms, Maximum = 232ms, Average = 230msR3
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Task 1 : Configure Router R1 as a SSL VPN server and enable the SSL service on IP Address 1.1.1.1 with port number 443 SSL VPN configuration is mainly divided into two parts 1. Configuring Gateway 2. Configuring Context Gateway define the interface and the ports where the SSL services are supposed to be enabled and by default all the newly created gateways will be in disabled mode which can has to be enabled manuallu using "insiervice" Creating and Enabling SSL Gateway R1(config )#webvpn gateway ssl_gw R1(config-webvpn-gateway)# ip address 1.1.1.1 port 443 R1(config-webvpn-gateway)# inservice Context define the user policy and the environment of SSL VPN. Creating a Context and defining the web page properties of that context. R1(config )#webvpn context ssl_ctx R1(config-webvpn-context)# title "Netmetric-Infosolutions" R1(config-webvpn-context)# title-color green R1(config-webvpn-context)# gateway ssl_gw R1(config-webvpn-context)# inservice Creating a user account for SSL access as authentication is mandatory and by default its set to local authentication R1(config )#username user1 password cisco123
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Verification: Open Browser and enter the url as http://1.1.1.1 As we do not have any digital certificate issued by Certificate authorities a warning is posted don't worry and select proceed anyways
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Enter the user credentials when prompted then Login Once authenticated successfully we get default SSL Page where we are allowed enter the desired URL to communicate the local LAN
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Task 2 : Modify Existing SSL VPN connection and provide users a login banner and Bookmark list on SSL VPN Web Page to ease the access of local services. URL list can be defined under context configuration R1(config-webvpn-gateway)#webvpn context ssl_ctx R1(config-webvpn-context)#url-list "Servers" R1(config-webvpn-url)#Heading "Business Servers" R1(config-webvpn-url)#url-text Server1 url-value http://11.11.11.11 R1(config-webvpn-url)#url-text Server2 url-value http://17.14.12.34 R1(config-webvpn-url)#exit Newly created URL List can be applied to users by associating it to default group policy not only URL List but also the banner can be defined in Policy it self R1(config-webvpn-context)#policy group demo_ssl R1(config-webvpn-group)#url-list "Servers" R1(config-webvpn-group)#banner "Welcome to Netmetric Solutions" R1(config-webvpn-group)#exit Making the policy created as default policy so that it should be applied to all users R1(config-webvpn-context)#default-group-policy demo_ssl
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Verification:
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Banner message will be displayed as login succeeds URL List which is defined under policy is on web page after Login
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Task 3 : Imagine a Tacacs+ server on address 11.11.11.49, Configure SSL Server to authenticate users using that Tacacs+ server. Enable AAA services and define address of Tacacs server R1(config)#aaa new-model R1(config)#tacacs-server host 11.11.11.49 key ciscot Define a new authentication method with Tacacs option R1(config)#aaa authentication login ssl-auth group tacacs+ Call the authentication method in web VPN Context R1(config)#webvpn context ssl_ctx R1(config-webvpn-context)#aaa authentication list ssl-auth
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI LAB - 12 Client Less SSL VPN- Router as Server (GUI) LAB Topology In Above topology Router R1 is acting as SSL VPN Server , RouterR2 is Internet to make the connectivity between networks and PC is our client with a browser. Loopback1 on router R1 here demonstrates Local LAN. Interface Configuration on Devices Device Interface Ip Address Subnet R1 F0/0 1.1.1.1 255.0.0.0 R1 Loopback 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.1 255.0.0.0 PC NIC 2.2.2.3 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on all routers Verification for routing C:>ping 1.1.1.1 Pinging 1.1.1.1 with 32 bytes of data: Reply from 1.1.1.1: bytes=32 time=232ms TTL=45 Reply from 1.1.1.1: bytes=32 time=231ms TTL=45 Reply from 1.1.1.1: bytes=32 time=230ms TTL=45 Reply from 1.1.1.1: bytes=32 time=229ms TTL=45 Ping statistics for 1.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 229ms, Maximum = 232ms, Average = 230msR3
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Task 1 : Configure Router R1 as a SSL VPN server and enable the SSL service on IP Address 1.1.1.1 with port number 443 using Cisco Configuration Professional Configure Prerequisite before getting started with SSL VPN Select Configure Select SSL VPN Manager Select 1 Select 2
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Enable AAA and generate Self signed certificate
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI After completing Prerequisite starting WebVPN Wizard
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Its Optional to enable Secure SDM access requires only if in future you plan to use SDM through same interface.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Select Authentication method for users in following options Select ADD if some more users are desired
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Following step allows to configure Bookmark List (URL-LIST) for users
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI As we are working with client-less SSL VPN no need to enable full tunnel support thus deselect option
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Select Webpage design from drop down themes As you select finish you are done by making a SSL VPN
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI Verification:
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Client Less SSL VPN - IOS CLI
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA LAB - 13 Clientless SSL VPN ASA as Server (WebVPN) LAB Topology In Above topology ASA is acting as SSL VPN Server and RouterR2 is Internet to make the connectivity between networks. Router R1 here demonstrates Local LAN. Interface Configuration on Devices Device Interface Ip Address Subnet ASA G0 1.1.1.1 255.0.0.0 ASA G1 11.11.11.10 255.0.0.0 R1 F0/0 11.11.11.11 255.0.0.0 R2 F0/0 1.1.1.2 255.0.0.0 R2 F0/1 2.2.2.1 255.0.0.0 PC NIC 2.2.2.3 255.0.0.0 *Configure a default route pointing towards Internet (i.e. Router R2) on ASA as well as PC Verification for routing C:>ping 1.1.1.1 Pinging 1.1.1.1 with 32 bytes of data: Reply from 1.1.1.1: bytes=32 time=232ms TTL=45 Reply from 1.1.1.1: bytes=32 time=231ms TTL=45 Reply from 1.1.1.1: bytes=32 time=230ms TTL=45 Reply from 1.1.1.1: bytes=32 time=229ms TTL=45 Ping statistics for 1.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 229ms, Maximum = 232ms, Average = 230msR3
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA Task 1 : Configure ASA as a SSL VPN Server. Get Started with ASDM Goto tab: Wizards>VPN Wizards> select : Clientless SSL VPN Wizard A simple six step Wizard help to Configure a SSL VPN
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA Define Connecion Profile name selectthe interface on which SSL Services are to initiated Select the user authentication method and modify the user account database
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA Either go for a creation of new policy or modify the existing policy which comes by default The Bookmark List visible for users can be modified and whatever bookmark is created here will be available after successful login of user
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA Adding a Bookmark LIst by name Local_servers and adding some bookmarks by name Server1 and Server2
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA Conclude the VPN configuration by Hitting Finish
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA Verification: Login to the ASA with the defines URL in SSL Profile https://1.1.1.1/vpn A warning is issued by browser as its not a trusted digital certificate
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA Login using the user credentials Basic SSL VPN Page seen on ASA based VPN with a web Bookmark list Select Server1to go to that address
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA Monitoring of SSL VPN Select Monitoring > VPN >VPN Statistics > Sessions Filter can be set to view only Clientless SSL VPN Sessions
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Clientless SSL VPN - ASA Double Click Session to get a full view of session details
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Cisco IOS Classic Firewall LAB 1 Classic IOS Firewall (CBAC) Interface Configuration Configure RIP on All Devices and advertise all connected network to make reachability Device Interface IP Address Outside Fast Ethernet 0/0 2.2.2.2 DMZ Fast Ethernet 0/0 3.3.3.3 CBAC-FW Fast Ethernet 0/0 Fast Ethernet 0/1 Fast Ethernet 1/0 1.1.1.1 (Connected to PC) 2.2.2.1 (Connected to outside) 3.3.3.1 (Connected to DMZ) PC NIC 1.1.1.2 When you say you are working with ACL’s it means you are filtering the traffic on the basis of their names(i.e. IP Addresses) or services and more over you cannot configure ACL to be such intelligent that it should identify the originator of traffic and reply traffic. To make the packet filtering more enhanced we came up with Context-based access control (CBAC) it intelligently filters TCP and UDP packets based on application layer protocol session information.in CBAC we don’t work with IP Addresses now we allow or deny the services from inside to outside or vise-versa. And even CBAC maintains a state table in which it makes the record of traffic going out of interface and depending on that it will allow the incoming traffic
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Cisco IOS Classic Firewall Steps to configure:-  Use any routing protocol to make networks reachable we are using rip in this case  Block all the inbound traffic for private or local network  Allow traffic to only DMZ Network from outside  Create an inspection rule depending on the interesting traffic for each interface  Apply the inspection rule on the respective interfaces By using a simple block statement in access-list we are denying all the traffic for inside network from other networks CBAC-FW(config)#access-list 101 deny ip any any CBAC-FW(config)#int f 0/0 CBAC-FW(config-if)#ip access-group 101 OUT Now when all the traffic is blocked from other network to inside network then even the reply traffic for the queries done from inside network is blocked To allow that reply traffic we are making an inspection rule with desired protocols and services to be inspected and maintain a state table CBAC-FW(config)#ip inspect name my-cbac tcp CBAC-FW(config)#ip inspect name my-cbac icmp CBAC-FW(config)#ip inspect name my-cbac udp With the above commands we are starting to maintain the state table for tcp, udp and icmp now we will apply this inspection rule on the interface which is connected to outside CBAC-FW(config)#int f 0/1 CBAC-FW(config-if)#ip inspect my-cbac out Now we don’t want DMZ to interact with any network CBAC-FW(config)#access-list 102 deny ip any any CBAC-FW(config)#interface FastEthernet1/0 CBAC-FW(config-if)#ip access-group 102 in But we want outside network should be able to communicate with dmz so create a separate inspection for that traffic Task 1:  We want to make sure that an INSIDER can Access Outside network as well as DMZ  An Outsider Can’t access inside network but can access DMZ network  And DMZ Can’t access any network both Inside and Outside
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Cisco IOS Classic Firewall CBAC-FW(config)#ip inspect name cbac-dmz http CBAC-FW(config)#ip inspect name cbac-dmz telnet CBAC-FW(config)#ip inspect name cbac-dmz icmp Apply that inspection rule on the interface in outbound direction on which DMZ is connected CBAC-FW(config)#interface FastEthernet1/0 CBAC-FW(config-if)# ip inspect cbac-dmz out
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Cisco IOS Classic Firewall From outside allow only the specific traffic which is meant for the DMZ network and block all the rest traffic CBAC-FW(config)#access-list 103 permit ip any host 3.3.3.3 CBAC-FW(config)#access-list 103 deny ip any any CBAC-FW(config)#interface FastEthernet0/1 CBAC-FW(config-if)#ip access-group 103 in The traffic which is generated from inside is allowed to go to outside network and reply is allowed to come back From outside the connection is not successful to inside but its successful to DMZ Outside>ping 1.1.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) Outside>ping 3.3.3.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/112 ms
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Zone Based Firewall Lab 2 Zone Based Policy IOS Firewall Somehow using CBAC we succeeded to maintain the state table in our router and even configured our router to work as firewall. But very soon after working with CBAC Network Admins realized that there are few short comings in working with CBAC majorly, CBAC failed to filter the applications for specific users (i.e. you cannot configure inspection rule for set of users rules are applicable on all users) and when you are working with multiple interfaces as the number of interfaces increases the complications in implementing CBAC increases.to meet these short comings a new method of implementing Firewall has been introduced Zone Based Firewall herein we are configuring ACL’s to catch interesting traffic and we are configuring a group of interfaces as a single zone and then the rules will be applied on them. Steps to configure:-  Use any routing protocol to make networks reachable we are using rip in this case  Create Security Zones and associate interfaces with zones  Create a class map of type inspect to define the interesting traffic  Create a policy map of type inspect to define the action on interesting traffic  Create Zone pairs to define the source and destination of traffic Interface Configuration Device Interface IP Address Outside Fast Ethernet 0/0 2.2.2.2 DMZ Fast Ethernet 0/0 3.3.3.3 ZBF Fast Ethernet 0/0 Fast Ethernet 0/1 Fast Ethernet 1/0 1.1.1.1 (Connected to PC) 2.2.2.1 (Connected to outside) 3.3.3.1 (Connected to DMZ) PC NIC 1.1.1.2 We are implementing the same typical DMZ network Setup here what we did in previous lab
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Zone Based Firewall First of all we are configuring RIP on all devices to advertise all networks and making all the three networks reachable from every one Check the Reachability from each device to each device then proceed with configuration Unlike CBAC where I implement the rules depending on the interfaces here I want to implement the rules on the group of interfaces which I call as a zone, as per our requirement I am creating three zones named DMZ, OUTSIDE and INSIDE ZBF(config)#zone security INSIDE ZBF(config-sec-zone)#exit ZBF(config)#zone security OUTSIDE ZBF(config-sec-zone)#exit ZBF(config)#zone security DMZ ZBF(config-sec-zone)#exit After Creating of Security zones there will be no change in the behavior of device then you associate those zones with interfaces ZBF(config)#int f 0/0 ZBF(config-if)#zone-member security INSIDE ZBF(config)#int f 0/1 ZBF(config-if)#zone-member security OUTSIDE ZBF(config-if)#int f 1/0 ZBF(config-if)#zone-member security DMZ Remember that as soon as we associate those zones with interfaces the communication within all the zones will be blocked and no two interfaces belongs to different zones can communicate neither an unzone interface (interface which is not associated with any zone) can communicate to a zoned interface but two interfaces which belongs to same zone and even the two interfaces which are unzone can communicate with each other. Now we need to create a class map of type inspect to identify the interesting traffic. Before defining interesting traffic in class-map we need to create an access list to define source and destination of desired inspection traffic and even we need to define the protocol which we want to inspect ZBF(config)#access-list 101 permit ip any any ZBF(config)#class-map type inspect c-map-1 ZBF(config-cmap)#match access-group 101 ZBF(config-cmap)#match protocol icmp
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Zone Based Firewall After defining the traffic in class map now it’s time to define the action on the interesting traffic for that we need to create a policy map of type inspect then call the class of interesting traffic. In that class define the desired action. As per our requirement we need inspection to be done on our traffic so we are defining inspect as our action. ZBF(config)#policy-map type inspect p-map-1 ZBF(config-pmap)#class c-map-1 ZBF(config-pmap-c)#inspect Now the only left out task is to apply that policy map and to define the source and the destination of our traffic this is done by configuring zone-pairs ZBF(config)#zone-pair security allow-in-out source INSIDE destination OUTSIDE ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1 ZBF(config-sec-zone-pair)#exit With this task our insiders can access outside network now but outsiders can’t access inside as we defined source to be INSIDE and destination to be OUTSIDE. Remember that this zone pair works unidirectional only As we want insiders to access DMZ as well and even we want outsiders to access DMZ so we need to create two more zone pairs with respective source and destinations ZBF(config)#zone-pair security allow-in-dmz source INSIDE destination DMZ ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1 ZBF(config-sec-zone-pair)#exit ZBF(config)#zone-pair security allow-out-dmz source OUTSIDE destination DMZ ZBF(config-sec-zone-pair)##service-policy type inspect p-map-1 ZBF(config-sec-zone-pair)#exit
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Zone Based Firewall Verification Beginning from outside I am pinging to inside and DMZ OUTSIDE>ping 1.1.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) OUTSIDE>ping 3.3.3.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/80 ms We can observe from above that as per our requirement outsider can visit DMZ but cannot Visit INSIDE network. Now let’s make a connection from DMZ DMZ#ping 1.1.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) DMZ#ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) DMZ is not allowed to visit either INSIDE or OUTSIDE network
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Zone Based Firewall But An Insider can visit both the other networks DMZ and OUTSIDE By this we Achieved our desired Network Security
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic Sensor Initialization LAB 1 Basic Sensor Initialization An Intrusion Prevention System has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources An Intrusion Prevention / Detection system is an advanced filtering device dedicated to filter the content of network up to layer 7 which is not only capable to filter on basis of content but also the structure of the packet. The most common method of filtering traffic over a sensor is using signatures . where signature can be defined as pre defined pattern or structure of malicious traffic. A Sensor is a layer 2 device placed mostly behind firewall and configured to filter the malicious traffic in inbound and outbound directions of network Basic Configuration of sensor can be done by Command Line Interface through console port to initiate the sensor and its services.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic Sensor Initialization Task 1 : Initiate the sensor and configure the basic services and interface configurations as following options. Host Name NMSIPS Ip Address 10.1.1.10 Subnet Mask 255.0.0.0 Default Gateway 10.1.1.1 Https port 443 Telnet Enabled Permitted Host 10.0.0.0 255.0.0.0 Step 1 Connect IPS Console port to Com port of computer using a Console Cable to access the CLI of Device Step 2 Open a terminal Emulator application like Hyper terminal or putty.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic Sensor Initialization Step 3 : Login Sensor using user credentials. Sensor login: Cisco Password: *********** sensor# Step 4: As sensor initializes issue the SETUP option to make basic configuration and follow the interactive mode of Sensor sensor# setup — — — System Configuration Dialog — — — At any point you may enter a question mark '?' for help . User ctrl—c to abort configuration dialog at any prompt . Default settings are in square brackets ' [] ' . Current Configuration: service host network—settings host—ip 192.168.1.10/24,192.168.1.1 host-name sensor telnet —option disabled ftp-timeout 300 no login-banner-text exit time—zone-settings offset 0 standard- time-zone —name UTC exit summertime-option disabled ntp—option disabled exit service web—server port 443 exit Setup Configuration last modified: Sat Nov 24 09:37:20 2012 Continue with configuration dialog?[yes]: Yes As the Setup command executes current configuration of device is displayed and prompt for modification of current configuration appears type YES to make changes as desired.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic Sensor Initialization Continue with configuration dialog?[yes]: Yes Enter host name [sensor] : NMSIPS Enter IP interface []; 10.1.1.10/24,10.1.1.1 Enter telnet—server status [disabled] : enabled Enter web-server port [443]; <Enter> Modify current access list? [no] yes Current access list entries : No entries Permit: 10.0.0.0/8 Permit: Modify system clock setting?[no]: no Modify interface/virtual sensor configuration? [No]: no Modify default threat prevention settings? [No]: no the following configuration was entered. service host network—settings host—ip 10.1.1.10/24,10.1.1.1 host-name nms telnet —option enabled access-list 10.0.0.0/32 ftp-timeout 300 no login-banner-text exit time—zone-settings offset 0 standard- time-zone —name UTC exit summertime-option disabled ntp—option disabled exit Enter Hostname IP Address of Sensor port number on which GUI is supposed to work Access-list here defines the list of users permitted to access the sensor remotely
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic Sensor Initialization [0] Go to the command prompt without saving this config [1] Return to setup without saving this config [2] save this configuration and exit setup Enter you selection [2]: 2 Select second option to save basic config and end setup utility -----Configuration saved--------------- select desired options as per requrement
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic Sensor Initialization Task 2 : Initiate web access of sensor through web browser. Step 1 : Connect the computer to Sensor via Ethernet and assign the IP Address on computer in same subnet to sensor. C:>ipconfig Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::79b9:ae4b:fc78:88fd%16 IPv4 Address. . . . . . . . . . . . : 10.1.1.2 Subnet Mask . . . . . . . . . . . : 255.0.0.0 Default Gateway . . . . . . . . : 10.1.1.1 Step 2: Start a browser (Internet Explorer/Firefox) go to url (https://<ip address of sensor>) https://10.1.1.10 accept security warning message then type Username & password of your sensor when prompted.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 Basic Sensor Initialization After successful logging you should see Sensor Dashboard
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IDS-Promiscuous mode of Sensor LAB 2 Promiscuous Mode - IDS An Intrusion Detection System has the capability to only detect misuse and abuse of, and unauthorized access to, network resources An Intrusion Detection system is always placed in offline mode or promiscuous mode where device does not have capability to drop any traffic but it informs about the misuse to administrator and Admin takes the action immediately. As IDS is not inline device it will not add any latency in network. In Promiscuous mode, Sensor is not Placed in between the transit path of network rather its connected to switch and a copy of the traffic is sent to Sensor. LAB Topology Interface Configuration R1 => FastEthernet 10.1.1.1 R2 =>FastEthernet 10.1.1.2
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IDS-Promiscuous mode of Sensor Task 1 : Configure Sensor in Promiscuous mode to work as Intrusion Detection System . A Promiscuous mode device need a copy of traffic thus always the switch in network is used to monitor the traffic and send the copy of packet from a port another. Step: 1 Enable SPAN on the switch interfaces SW1(config)#monitor session 1 source interface fa0/1 SW1(config)#monitor session 1 destination interface fa0/23 Step: 2 On IDS Sensor  Go to configure → Interfaces; Select interface on which switch is connected (e.v.Ethernet 2/0) and click enable button then Apply. Click here Click here
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IDS-Promiscuous mode of Sensor  Go to configure → Analysis Engine → Virtual Sensor → then Click “vs0” and edit  Highlight Fastethernet 2/0 interface on the list and click Assign button. Then click OK and Apply the changes to the sensor Click here
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IDS-Promiscuous mode of Sensor Verification: Switch#sh monitor session 1 Session 1 --------- Source Ports: RX Only: None TX Only: None Both: Fa0/1 Source VLANs: RX Only: None TX Only: None Both: None Destination Ports: Fa0/23 Filter VLANs: None Click here Click here
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IDS-Promiscuous mode of Sensor  To Test it, let's simulate an attack. Ping from your PC to Router R1 C:>ping 10.1.1.1 Pinging 10.1.1.1with 32 bytes of data: Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Ping statistics for 10.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms  Go to monitoring →Events, check show past events radio button and select 1 minute. then click on view button
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IDS-Promiscuous mode of Sensor  See the signatures Logs on the Event viewer to get logs click Refresh tab  Highlight the Event log and click Details to see more log details. Here the picture output for Event details. Click here Click here
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IDS-Promiscuous mode of Sensor Attacker student Pc IP aaaa Target Router IP aaaa
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS-Inline mode of Sensor LAB 3 Inline Mode - IPS An Intrusion Prevention System has the capability to only detect misuse and abuse of, and unauthorized access to, network resources An Intrusion Prevention system is always placed in inline mode in transit path of network such that all data traffic is supposed to pass through the sensor, then it do have capability to drop any traffic and also it informs about the misuse to administrator. An IPS is inline device it will add some latency in network for traffic filtering. In Promiscuous mode, Sensor is not Placed in between the transit path of network rather its connected to switch and a copy of the traffic is sent to Sensor. LAB Topology Interface Configuration R1 => FastEthernet 10.1.1.1 R2 =>FastEthernet 10.1.1.2 Connect Fast Ethernet 2/0 and Fast Ethernet 2/1 of sensor to Router R1 and R2 Respectively
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS-Inline mode of Sensor Task 1 : Configure Sensor in Inline mode to work as Intrusion Prevention System . Step 1 : Enable Interfaces of Sensor. Go to configuration → Interface, select Fastethernet 2/0 & Fastethernet 2/1 and Enable then Apply to Sensor
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS-Inline mode of Sensor Step 2 : Define a Interface Pair Go to configuration → Interface configuration → Select Interface Pairs → Add. Then enter a name for interface pair, Select fa2/0 and 2/1 interface on the list, make some description and click on OK Apply to the sensor. 1 2 3 4 5
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS-Inline mode of Sensor Step 3 : Associate Interface Pair with Analysis Engine Go to configuration → analysis Engine → Virtual Sensors → Select vs0 and click Edit select newly created interface pair {pair-1} on the list and click Assign. Then click OK and apply changes to the sensor. 2 1 4 5 6
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS-Inline mode of Sensor Verification:
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS-Inline VLAN mode of Sensor LAB 4 Inline VLAN Mode - IPS Inline interface mode of Sensor requires two dedicated interfaces for monitoring traffic but in a case we have only single interface and we are in need of inline filtering we can devide our network in VLANs and filter the traffic based on VLAN where. an Inline VLAN mode of filtering traffic divides network into two different VLANS and enforce the traffic to pass through IPS using a VLAN pairing over it. and an IPS here act as Inter VLAN Router. Interface Configuration R1 => FastEthernet 10.1.1.1 R2 =>FastEthernet 10.1.1.2 Switch=> FastEthernet 0/1 VLAN10 Switch => FastEthernet 0/2 VLAN20 Connect R1- F0/1 ==> SW F0/1 R2 F0/1 to SW F0/2
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS-Inline VLAN mode of Sensor Task 1 : Configure Sensor in Inline VLAN mode to work as Intrusion Prevention System . Step 1 : Configure VLANs on Switch Switch(config)#vlan 10 Switch(config-vlan)#exit Switch(config)#vlan 20 Switch(config-vlan)#exit Step 2 : Associate VLANs with Interfaces respectively Switch(config)#interface range fa0/1 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 10 Switch(config)#interface range fa0/2 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 20 Step 3 : Enable Interface on Sensor Go to configuration → interface configuration → Interfaces → select Fastethernet 2/0 and click enable button and apply changes to the sensor 1 2 3 4
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS-Inline VLAN mode of Sensor Step 4 : Create a VLAN pair Go to configuration → interface configuration → Vlan pair → then Click Add button. 1 2 3
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS-Inline VLAN mode of Sensor Step 5 : Associate VLAN Pair with Analysis Engine Go to configuration → Analysis Engine → Virtual sensor → select “vs0” virtual sensor 0 on the list and click edit. Highlight Fastethernet 2/0.1 interface on the list and click assign button. Then Click ok and apply the changes to the sensor. 1 2 3 4 5
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Modification of Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com LAB 5 Signature Tuning Task 1: Change the status of signatures by enabling or disabling the signature and define the action to be taken as desired A signature which comes from Cisco and utilized as it is are known as Default Signatures but if the parameters of default signatures are tuned as per requirement then such signatures as termed as Tuned Signatures A signature which comes from Cisco and utilized as it is are known as Default Signatures but if the parameters of default signatures are tuned as per requirement then such signatures as termed as Tuned Signatures
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Modification of Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Modification of Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Modification of Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Modification of Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Modification of Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com Task:2 The network security administrator discovers signature 6250, the FTP Authorization Failure signature. After examining the parameters for signature 6250, the administrator decides to tune the signature as follows  Change the severity level from informational to high  Add the Deny Connection Inline action to the default action of Produce Alert
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Modification of Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com LAB 6 Custom Signature Task 1:Create a custom signature that is triggered by SYN packets destined for port 23. The administrator decides to use the ATOMIC IP engine for the following reasons:  Atomic signatures can trigger on the contents of a single packet.  The ATOMIC IP engine allows you to select a Layer 4 protocol.  You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.  You can use the Destination Port Range parameter to specify the destination port of interest A Signature which is created by Administrator to match user defined traffic and apply action over it is termed as Custom Signature. The Signature id 1 to 59999 is reserved for default signatures and ID 60000 to 65535 is Open for a custom Signatures.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com Task 2: Create a signature that can detect and drop traffic containing the word “confidential.” The administrator wants the signature to fire if the traffic is directed to the following ports: FTP: 20 and 21, Telnet: 23, SMTP: 25, HTTP: 80, POP3: 110 The administrator wants to configure the signature to send alerts to the Event Store as follows:  Send an alert to the Event Store every time the signature fires.  This alert should fire when a single victim triggers 3 events in a 60-second period.  If the alert rate exceeds 20 alerts in 30 seconds, dynamically change its response as follows:  Send a summary alert for firings of the signature on the same victim address during the interval.  If the alert rate exceeds 25 in the 30-second interval, send a global summary alert, which counts the number of times the signature fires for all attacker and victim IP addresses and ports.
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com
  • Abbad Ur Rahman Talha N etmetric Solutions Netmetric CCNP Security Workbook 2.0 IPS- Custom Signatures Copyright 2013 Netmetric Infosolutions (P) Ltd | www.netmetric-solutions.com