Upload: elvin-dionicio

Post on 20-Oct-2015

Piotr Matusiak CCIE #19860 R&S, Security C|EH, CCSI #33705

Narbik Kocharians CCIE #12410 R&S, Security, SP CCSI #30832

Micronics Training Inc. © 2013

CCIE Security V4 Lab Workbook SAMPLE

CCIE SECURITY v4 Lab Workbook

Page 2 of 100

Table of Contents

ASA Firewall

LAB 1.1. BASIC ASA CONFIGURATION 8

    LAB 1.2. BASIC SECURITY POLICY 17

    LAB 1.3. DYNAMIC ROUTING PROTOCOLS 29

    LAB 1.4. ASA MANAGEMENT 46

    LAB 1.5. STATIC NAT (8.2) 59

    LAB 1.6. DYNAMIC NAT (8.2) 67

    LAB 1.7. NAT EXEMPTION (8.2) 77

    LAB 1.8. STATIC POLICY NAT (8.2) 81

    LAB 1.9. DYNAMIC POLICY NAT (8.2) 91

    LAB 1.10. STATIC NAT (8.3+) 99

    LAB 1.11. DYNAMIC NAT (8.3+) 115

    LAB 1.12. BIDIRECTIONAL NAT (8.3+) 126

    LAB 1.13. MODULAR POLICY FRAMEWORK (MPF) 131

    LAB 1.14. FTP ADVANCED INSPECTION 138

    LAB 1.15. HTTP ADVANCED INSPECTION 146

    LAB 1.16. INSTANT MESSAGING ADVANCED INSPECTION 156

    LAB 1.17. ESMTP ADVANCED INSPECTION 159

    LAB 1.18. DNS ADVANCED INSPECTION 164

    LAB 1.19. ICMP ADVANCED INSPECTION 169

    LAB 1.20. CONFIGURING VIRTUAL FIREWALLS 175

    LAB 1.21. ACTIVE/STANDBY FAILOVER 198

    LAB 1.22. ACTIVE/ACTIVE FAILOVER 212

    LAB 1.23. REDUNDANT INTERFACES 239

    LAB 1.24. TRANSPARENT FIREWALL 246

    LAB 1.25. THREAT DETECTION 260

    LAB 1.26. CONTROLLING ICMP AND FRAGMENTED TRAFFIC 264

    LAB 1.27. TIME BASED ACCESS CONTROL 270

    LAB 1.28. QOS - PRIORITY QUEUING 276

    LAB 1.29. QOS TRAFFIC POLICING 280

    LAB 1.30. QOS TRAFFIC SHAPING 285

    LAB 1.31. QOS TRAFFIC SHAPING WITH PRIORITIZATION 290

    LAB 1.32. SLA ROUTE TRACKING 296

    LAB 1.33. ASA IP SERVICES (DHCP) 303

    LAB 1.34. URL FILTERING AND APPLETS BLOCKING 310

    LAB 1.35. TROUBLESHOOTING USING PACKET TRACER AND CAPTURE TOOLS 314

Site-to-Site VPN

LAB 1.36. BASIC SITE TO SITE IPSEC VPN MAIN MODE (IOS-IOS) 326

    LAB 1.37. BASIC SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) 352

    LAB 1.38. BASIC SITE TO SITE VPN WITH NAT (IOS-IOS) 369

    LAB 1.39. IOS CERTIFICATE AUTHORITY 385

    LAB 1.40. SITE-TO-SITE IPSEC VPN USING PKI (ASA-ASA) 396

    LAB 1.41. SITE-TO-SITE IPSEC VPN USING PKI (IOS-IOS) 410

    LAB 1.42. SITE-TO-SITE IPSEC VPN USING PKI (STATIC IP IOS-ASA) 420

    LAB 1.43. SITE-TO-SITE IPSEC VPN USING PKI (DYNAMIC IP IOS-ASA) 440

    LAB 1.44. SITE-TO-SITE IPSEC VPN USING PSK (IOS-ASA HAIRPINNING) 461

    LAB 1.45. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-IOS) 475

    LAB 1.46. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-ASA) 484

    LAB 1.47. SITE-TO-SITE IPSEC VPN USING EASYVPN WITH ISAKMP PROFILES (IOS-IOS)

    LAB 1.48. GRE OVER IPSEC 550

    LAB 1.49. DMVPN PHASE 1 567

    LAB 1.50. DMVPN PHASE 2 (WITH EIGRP) 584

    LAB 1.51. DMVPN PHASE 2 (WITH OSPF) 603

    LAB 1.52. DMVPN PHASE 3 (WITH EIGRP) 623

    LAB 1.53. DMVPN PHASE 3 (WITH OSPF) 643

    LAB 1.54. DMVPN PHASE 2 DUAL HUB (SINGLE CLOUD) 667

    LAB 1.55. DMVPN PHASE 2 DUAL HUB (DUAL CLOUD) 697

    LAB 1.56. GET VPN (PSK) 738

    LAB 1.57. GET VPN (PKI) 760

    LAB 1.58. GET VPN COOP (PKI) 779

Remote Access VPN

LAB 1.59. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO IOS)

    LAB 1.60. CONFIGURING REMOTE ACCESS IPSEC VPN USING EASYVPN (IOS TO ASA)

    LAB 1.61. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PSK) 831

    LAB 1.62. CONFIGURING RA VPN USING CISCO VPN CLIENT AND ASA (PKI) 841

    LAB 1.63. CONFIGURING SSL VPN (IOS) 865

    LAB 1.64. CONFIGURING SSL VPN (ASA) 882

    LAB 1.65. ANYCONNECT 3.0 BASIC SETUP 895

    LAB 1.66. ANYCONNECT 3.0 ADVANCED FEATURES 912

    LAB 1.67. EASYVPN SERVER ON ASA WITH LDAP AUTHENTICATION 922

Advanced VPN Features

LAB 1.68. IPSEC STATEFUL FAILOVER 954

    LAB 1.69. IPSEC STATIC VTI 967

    LAB 1.70. IKE ENCRYPTED KEYS 976

    LAB 1.71. IPSEC DYNAMIC VTI 981

    LAB 1.72. REVERSE ROUTE INJECTION (RRI) 991

    LAB 1.73. CALL ADMISSION CONTROL FOR IKE 1008

    LAB 1.74. IPSEC LOAD BALANCING (ASA CLUSTER) 1016

Content Security - IPS

LAB 2.1. SENSOR INITIALIZATION 6

    LAB 2.2. PROMISCUOUS MODE 20

    LAB 2.3. INLINE MODE 36

    LAB 2.4. INLINE VLAN PAIR MODE (ON-A-STICK) 46

    LAB 2.5. SIGNATURE TUNING 53

    LAB 2.6. CUSTOM HTTP SIGNATURE 62

    LAB 2.7. CUSTOM STRING TCP SIGNATURE 69

    LAB 2.8. CUSTOM ATOMIC IP SIGNATURE 78

    LAB 2.9. META SIGNATURE 86

    LAB 2.10. BLOCKING AND RATE LIMITING 98

    LAB 2.11. RULES 133

    LAB 2.12. ANOMALY DETECTION 148

    LAB 2.13. VIRTUAL SENSORS 156

    LAB 2.14. EVENT SUMMARIZATION 166

    LAB 2.15. APPLICATION INSPECTION AND LOGGING 181

Content Security - WSA

LAB 2.16. WSA BOOTSTRAPPING (OPTIONAL) 196

LAB 2.17. DNS AND ROUTING CONFIGURATION 206

    LAB 2.18. WSA IDENTITIES AND ACCESS POLICIES 212

    LAB 2.19. ACTIVE DIRECTORY INTEGRATION 223

    LAB 2.20. USER AUTHENTICATION 228

    LAB 2.21. CUSTOM URL CATEGORIES 243

    LAB 2.22. DECRYPTION POLICIES 249

    LAB 2.23. BANDWIDTH AND FILE TYPE LIMITS 255

    LAB 2.24. APPLICATION VISIBILITY AND CONTROL 260

    LAB 2.25. WEB REPUTATION AND DVS 265

    LAB 2.26. TRANSPARENT PROXY WITH ASA 271

Identity Management - ACS

LAB 2.27. ACS BOOTSTRAPPING 281

    LAB 2.28. SETUP AAA CLIENTS 290

    LAB 2.29. USER AUTHENTICATION AND AUTHORIZATION (IOS) 300

    LAB 2.30. LOCAL USER AUTHENTICATION AND AUTHORIZATION USING AAA (IOS) 306

    LAB 2.31. TACACS+ USER AUTHENTICATION (IOS) 318

    LAB 2.32. TACACS+ AUTHENTICATION AND AUTHORIZATION (IOS) 336

    LAB 2.33. ACCOUNTING USING TACACS+ AND RADIUS (IOS) 357

    LAB 2.34. IOS AUTHENTICATION PROXY 367

    LAB 2.35. AUTHENTICATION PROXY ON ASA 386

    LAB 2.36. ACS EXTERNAL IDENTITY STORE 395

Identity Management - ISE

LAB 3.1. ISE INSTALLATION (OPTIONAL) 9

    LAB 3.2. GENERATE AND INSTALL A CERTIFICATE 19

    LAB 3.3. ADMINISTRATIVE ACCESS TO ISE 28

LAB 3.4. INTEGRATION WITH ACTIVE DIRECTORY 33

    LAB 3.5. CONFIGURE ISE FOR MAB 38

    LAB 3.6. CONFIGURE MAC WHITELIST 48

    LAB 3.7. MAB WITH VLAN AUTHORIZATION 53

    LAB 3.8. WINDOWS 7 AD INTEGRATION (OPTIONAL) 61

    LAB 3.9. CONFIGURE WIRED 802.1X 64

    LAB 3.10. WIRED 802.1X VLAN ASSIGNMENT 89

    LAB 3.11. CONFIGURE WIRELESS 802.1X 99

    LAB 3.12. LOCAL WEB AUTHENTICATION (LWA) FOR WIRED 121

    LAB 3.13. CENTRAL WEB AUTHENTICATION (CWA) FOR WIRED 136

    LAB 3.14. CENTRAL WEB AUTHENTICATION (CWA) FOR WIRELESS 151

    LAB 3.15. CONFIGURE ISE FOR GUEST ACCESS 165

    LAB 3.16. CONFIGURE ISE PROFILER 176

    LAB 3.17. ANYCONNECT NAM 186

    LAB 3.18. MACSEC SWITCH-TO-HOST 195

    LAB 3.19. MACSEC SWITCH-TO-SWITCH 203

IOS Advanced Security

LAB 3.20. BASIC ROUTER SECURITY 211

    LAB 3.21. STANDARD NAMED ACCESS LIST 220

    LAB 3.22. CONTROLLING TELNET ACCESS AND SSH 223

    LAB 3.23. EXTENDED ACCESS LIST IP AND ICMP 229

    LAB 3.24. EXTENDED ACCESS LIST OSPF & EIGRP 235


    LAB 3.25. EXTENDED ACCESS LIST WITH ESTABLISHED 239

    LAB 3.26. DYNAMIC ACCESS LIST 242

    LAB 3.27. REFLEXIVE ACCESS-LISTS 252

    LAB 3.28. ACCESS-LIST AND TIME-RANGE 258

    LAB 3.29. CONFIGURING BASIC CBAC 264

    LAB 3.30. CONFIGURING ADVANCED CBAC 266

    LAB 3.31. CONFIGURING CBAC & JAVA BLOCKING 273

    LAB 3.32. CONFIGURING PAM 275

    LAB 3.33. ZONE BASED POLICY FIREWALL (ZFW) 277

    LAB 3.34. IMPLEMENTING SECURITY RFCS 311

    LAB 3.35. USING MQC AS A FILTERING TOOL 315

    LAB 3.36. BLACKHOLE ROUTING USING PBR 322

    LAB 3.37. CONFIGURING NAT 326

    LAB 3.38. NAT WITH OVERLAPPING NETWORKS 336

    LAB 3.39. NAT TCP LOAD BALANCING 342

    LAB 3.40. STATEFUL HIGH AVAILABILITY NAT 345

    LAB 3.41. NAT VIRTUAL INTERFACE 355

    LAB 3.42. TCP INTERCEPT 361

    LAB 3.43. CONFIGURING NBAR 365

    LAB 3.44. CONFIGURING NETFLOW 371

    LAB 3.45. CONFIGURING IOS IPS 376

Control and Management Plane Security

LAB 3.46. CPU PROTECTION MECHANISMS 389

    LAB 3.47. DISABLING UNNECESSARY SERVICES 395

    LAB 3.48. CONFIGURING SNMP 401

    LAB 3.49. CONFIGURING SYSLOG 409

    LAB 3.50. CONFIGURING NTP 414

    LAB 3.51. PROTOCOL AUTHENTICATION AND ROUTE FILTERING 419

    LAB 3.52. CONTROL PLANE POLICY (COPP) 433

Network Attacks

LAB 3.53. PROTECTING AGAINST FRAGMENTATION ATTACKS 442

    LAB 3.54. PROTECTING AGAINST MALICIOUS IP OPTION USAGE 447

    LAB 3.55. PROTECTING AGAINST NETWORK MAPPING 454

    LAB 3.56. PROTECTING AGAINST DOS ATTACKS USING CAR 458

    LAB 3.57. PREVENTING PORT REDIRECTION ATTACKS 460

    LAB 3.58. PROTECTING AGAINST SMURF ATTACKS 462

    LAB 3.59. PORT SECURITY 465

LAB 3.60. PREVENTING VLAN HOPPING ATTACKS 472


    LAB 3.61. VLAN ACCESS LIST 476

    LAB 3.62. DHCP SNOOPING AND DYNAMIC ARP INSPECTION 480

    LAB 3.63. IP SOURCE GUARD 491

    LAB 3.64. PROTECTING AGAINST BROADCAST STORMS 495

    LAB 3.65. PROTECTING SPANNING-TREE PROTOCOL 497

    LAB 3.66. PREVENTING IP SPOOFING 501

Physical Topology

    Advanced

    CCIE SECURITY v4

    LAB WORKBOOK

    Site-to-Site VPNs

    Narbik Kocharians

    CCIE #12410 R&S, Security, SP

    Piotr Matusiak

    CCIE #19860

    R&S, Security

    www.MicronicsTraining.com


    LAB 2.1. DMVPN Phase 1

Lab Setup

R1's F0/0 and R2's G0/0 interfaces should be configured in VLAN 12

R2's S0/1/0 and R5's S0/1/0 interfaces should be configured in a frame-relay point-to-point manner

R2's S0/1/0 and R4's S0/0/0 interfaces should be configured in a frame-relay point-to-point manner

Configure Telnet on all routers using the password cisco

Configure default routing on R1, R4 and R5 pointing to R2

IP Addressing

Device   Interface    IP address
R1       Lo0          192.168.1.1/24
         F0/0         10.1.12.1/24
R2       F0/0         10.1.12.2/24
         S0/1/0.25    10.1.25.2/24
         S0/1/0.24    10.1.24.2/24
R4       Lo0          192.168.4.4/24
         S0/0/0.42    10.1.24.4/24
R5       Lo0          192.168.5.5/24
         S0/1/0.52    10.1.25.5/24

Task 1

Configure Hub-and-Spoke GRE tunnels between R1, R4 and R5, where R1 is acting as the Hub. Traffic originated from every Spoke's loopback interface should be transmitted securely via the Hub to the other Spokes. You must use the EIGRP dynamic routing protocol to let the other Spokes know about the protected networks. Use the following settings when configuring the tunnels:

Tunnel Parameters
  o IP address: 172.16.145.0/24
  o IP MTU: 1400
  o Tunnel Authentication Key: 12345

NHRP Parameters
  o NHRP ID: 12345
  o NHRP Authentication key: cisco123
  o NHRP Hub: R1

Routing Protocol Parameters
  o EIGRP 145

Encrypt the GRE traffic using the following parameters:

ISAKMP Parameters
  o Authentication: Pre-shared
  o Encryption: 3DES
  o Hashing: SHA
  o DH Group: 2
  o Pre-Shared Key: cisco123

IPSec Parameters
  o Encryption: ESP-3DES
  o Authentication: ESP-SHA-HMAC

Dynamic Multipoint Virtual Private Network (DMVPN) was introduced by Cisco in late 2000. The technology was developed to build VPN tunnels automatically when the Spokes use dynamic IP addresses.

In GRE over IPsec (described in the previous lab) both ends of the connection must have a static, unchanging IP address. It is still possible to build many GRE site-to-site tunnels from a company's branches to the headquarters; that is a pure Hub-and-Spoke topology in which all branches can communicate with each other securely through the Hub.

In DMVPN the Spokes may have dynamic IP addresses, but the Hub must have a static IP address. An additional protocol lets the Hub learn which dynamic addresses the Spokes are currently using: NHRP (Next Hop Resolution Protocol), which works like ARP one layer up, resolving a tunnel (overlay) IP address to the physical (NBMA) IP address behind it. All it does is build a dynamic database on the Hub with the Spokes' addresses; once the Hub knows its IPsec peers it can build the tunnels with them.

The Hub must be connected to many Spokes at the same time, so there was another problem to solve: how to avoid a separate Tunnel interface on the Hub for every Spoke. The answer is the multipoint GRE tunnel type, where the far end of the tunnel does not have to be specified statically.

With that in mind, there are three DMVPN variants, called phases:

Phase 1: simple Hub-and-Spoke topology where the Spokes may use dynamic IP addresses

Phase 2: Hub-and-Spoke with direct Spoke-to-Spoke communication allowed

Phase 3: Hub-and-Spoke with direct Spoke-to-Spoke communication allowed, with better scalability using NHRP Redirects

All of these phases are described in more detail in the next few labs.

    Configuration

    Complete these steps:


Step 1  R1 configuration.

First we need an ISAKMP policy with a pre-shared key. Note that in DMVPN we usually configure a so-called wildcard PSK (address 0.0.0.0 0.0.0.0), because there may be many peers whose addresses are not known in advance. This is also why the more common solution in DMVPN is certificates and PKI: a wildcard key lets any host that knows the key authenticate as a peer. In DMVPN Phase 1 there is strictly no need for a wildcard PSK, as there are only Hub-to-Spoke tunnels and the peers are known. No hash is set in the policy because SHA is the IOS default.

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# mode transport

Transport mode is used to reduce the IPsec packet size: the extra outer IP header that tunnel mode adds is not needed, because the GRE delivery header already carries the packet between the tunnel endpoints.

R1(cfg-crypto-trans)#crypto ipsec profile DMVPN
R1(ipsec-profile)#set transform-set TSET
R1(ipsec-profile)#exi

There is only one Tunnel interface on every DMVPN router; on the Hub this is possible because we use the multipoint GRE tunnel type.

R1(config)#interface Tunnel0
R1(config-if)#ip address 172.16.145.1 255.255.255.0
R1(config-if)#ip mtu 1400

The IP MTU is lowered so that an encapsulated DMVPN packet does not exceed the IP MTU of the physical interfaces, usually 1500 bytes. In transport mode the packet on the wire consists of the original IP packet, the GRE header, the ESP header and trailer, and the outer (GRE delivery) IP header. If the original packet is already close to the physical MTU, adding the GRE and IPsec overhead pushes it over that value and forces fragmentation. A setting commonly added next to it is ip tcp adjust-mss (1360 with an ip mtu of 1400, i.e. the tunnel MTU minus 40 bytes of IP and TCP headers) so that TCP endpoints never send segments that would need fragmenting.
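The arithmetic behind the ip mtu 1400 choice, as an added example that is not part of the workbook: it computes the on-the-wire size of a GRE over IPsec transport-mode packet from the standard IPv4, GRE (with key), ESP and HMAC-SHA1 field sizes, and finds the largest inner packet that still fits a 1500-byte link. The cipher and IV sizes, the 1500-byte link MTU and the function names are assumptions of this example; a real platform may add a few bytes (NAT-T, a GRE sequence number), which is why the lab keeps a generous margin.

```python
# Added example (not from the workbook): per-packet overhead of GRE over IPsec
# in transport mode, as used by the DMVPN tunnel above. Field sizes are the
# standard ones (IPv4 RFC 791, GRE RFC 2784/2890, ESP RFC 4303); the cipher
# parameters and the 1500-byte link MTU are assumptions for this calculation.

IPV4_HDR = 20        # GRE delivery IPv4 header without options; reused as the
                     # outer header in transport mode
GRE_HDR = 4          # GRE base header (flags/version + protocol type)
GRE_KEY = 4          # key field present when "tunnel key" is configured
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ESP_ICV_SHA1 = 12    # truncated HMAC-SHA1 ICV (esp-sha-hmac)

CIPHERS = {          # (IV length, block size) in bytes
    "3des": (8, 8),
    "aes": (16, 16),
}


def esp_payload_len(plaintext_len, cipher):
    """Bytes between the ESP SPI/sequence words and the ICV: the IV plus the
    plaintext, padded so that plaintext + padding + trailer is a whole number
    of cipher blocks."""
    iv_len, block = CIPHERS[cipher]
    padded = -(-(plaintext_len + ESP_TRAILER) // block) * block   # ceil to block
    return iv_len + padded


def encapsulated_size(inner_len, cipher="3des", tunnel_key=True, mode="transport"):
    """Size on the wire of an inner IP packet of inner_len bytes after GRE and
    ESP encapsulation. In transport mode the GRE delivery IP header doubles as
    the outer header; tunnel mode inserts a second IPv4 header inside ESP."""
    if mode not in ("transport", "tunnel"):
        raise ValueError(mode)
    gre = GRE_HDR + (GRE_KEY if tunnel_key else 0)
    plaintext = gre + inner_len + (IPV4_HDR if mode == "tunnel" else 0)
    return IPV4_HDR + ESP_HDR + esp_payload_len(plaintext, cipher) + ESP_ICV_SHA1


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner IP packet that still fits the physical link without
    fragmentation; the value to compare against "ip mtu" on the tunnel."""
    size = link_mtu
    while encapsulated_size(size, **kw) > link_mtu:
        size -= 1
    return size


def tcp_mss_for(ip_mtu):
    """MSS to clamp with "ip tcp adjust-mss": tunnel IP MTU minus 20 bytes of
    IPv4 header and 20 bytes of TCP header (no options)."""
    return ip_mtu - 40


if __name__ == "__main__":
    print("inner  3DES/SHA transport  3DES/SHA tunnel  AES/SHA transport")
    for inner in (64, 1400, 1438, 1439, 1500):
        print(f"{inner:5d}  {encapsulated_size(inner):18d}  "
              f"{encapsulated_size(inner, mode='tunnel'):15d}  "
              f"{encapsulated_size(inner, cipher='aes'):17d}")
    print("max inner MTU, 3DES/SHA transport:", max_inner_mtu())
    print("ip tcp adjust-mss for ip mtu 1400:", tcp_mss_for(1400))
```

With the lab's parameters a 1400-byte inner packet leaves the Hub as 1464 bytes, and the largest inner packet that still fits a 1500-byte link is 1438 bytes; 1400 therefore leaves room for extra encapsulation that the calculation does not model.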

R1(config-if)#ip nhrp authentication cisco123
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 12345

The Hub works as the NHS (Next Hop Server). The NHRP configuration on the Hub is straightforward. First, we need the NHRP network ID to identify the instance and the authentication key to protect NHRP registrations; note that this key is a cleartext string carried in the NHRP packets, a configuration-mismatch check rather than cryptographic authentication, so the peers are really authenticated by IKE. There is no need for static NHRP mappings on the Hub: it learns the Spokes' addresses when they register. The Hub must be able to send multicast traffic down to the Spokes so that dynamic routing protocols can distribute routes between them. The line ip nhrp map multicast dynamic tells the NHRP server to replicate all multicast traffic to all dynamic entries in the NHRP table (entries with the flag dynamic).

R1(config-if)#no ip split-horizon eigrp 145

Since we use EIGRP between the Hub and the Spokes, we need to disable split horizon for that protocol so that routes learned from one Spoke can be sent to the other Spokes out of the same interface. The split-horizon rule says: routing information is never sent back out of the interface it was received on. This is a basic loop-prevention rule, and on a multipoint tunnel it would hide every Spoke's networks from the other Spokes.

R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 12345
R1(config-if)#tunnel protection ipsec profile DMVPN

A regular GRE tunnel needs both a source and a destination. In a multipoint GRE tunnel there is no need for a destination, because there may be as many destinations as there are Spokes; the actual destination of each packet is derived from the NHRP database. The tunnel key identifies the tunnel, as there may be many tunnels on one router and the router must know which tunnel an incoming GRE packet belongs to. Finally we must encrypt the traffic, which is done by attaching the IPsec profile to the tunnel. I recommend leaving that command aside while first configuring DMVPN and adding it once the tunnels are known to work: DMVPN works without encryption, which makes troubleshooting simpler (just do not leave it that way).

R1(config-if)#exi
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Tunnel0 has changed its state to up, and ISAKMP is now enabled on the router.

R1(config)#router eigrp 145
R1(config-router)#network 172.16.145.0 0.0.0.255
R1(config-router)#network 192.168.1.0
R1(config-router)#no auto-summary
R1(config-router)#exi

Finally we need a routing protocol over the tunnel. Remember, this protocol carries the information about the networks behind the Spokes (and the Hub). Be careful when configuring it, because there is a chance of a recursive routing loop: the same routing protocol instance should not be used both for the prefixes reachable over the tunnel and for the underlying connectivity between Hub and Spokes. If the tunnel destination itself becomes reachable through the tunnel, IOS logs %TUN-5-RECURDOWN and shuts the tunnel down.

Step 2  R5 configuration.

R5 is our first Spoke. Again, we need the ISAKMP policy configuration and the PSK. Since a Spoke has only one peer, its key could be restricted to the Hub's address (address 10.1.12.1) instead of the wildcard; the wildcard is kept here so that every Spoke gets the same configuration.

R5(config)#crypto isakmp policy 1
R5(config-isakmp)# encr 3des
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# group 2
R5(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R5(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R5(cfg-crypto-trans)# mode transport
R5(cfg-crypto-trans)#crypto ipsec profile DMVPN
R5(ipsec-profile)# set transform-set TSET
R5(ipsec-profile)#exi

The tunnel interface configuration is slightly different on the Spoke than on the Hub, because the Spoke works as an NHRP client of the Hub (the NHS). Most of the commands below have been described already.

R5(config)#interface Tunnel0
R5(config-if)# ip address 172.16.145.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco123
R5(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R5(config-if)# ip nhrp network-id 12345
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.145.1

NHRP client configuration. We need the Spoke to register with the NHS, so we configure the following:

NHRP authentication key, to authenticate successfully to the NHS

NHRP network ID, to be authenticated to the correct NHS instance

NHRP holdtime, to tell the NHS for how long it should treat the registered Spoke's IP address as valid

NHS IP address of the NHRP server; note this is its private (tunnel) IP address. To resolve this address to the public (physical) IP address of the NHS we need the last command, which is:

NHRP static mapping, to resolve the NHS physical IP address

This mapping is very important as it causes the Spoke to initiate the GRE tunnel to the Hub. Without it the Spoke has no idea how to register to the NHS.

R5(config-if)# tunnel source Serial0/1/0.52
R5(config-if)# tunnel destination 10.1.12.1
R5(config-if)# tunnel key 12345
R5(config-if)# tunnel protection ipsec profile DMVPN

The tunnel configuration is also different. On the Spoke there is no reason to use the multipoint GRE tunnel mode, because in DMVPN Phase 1 there is only one tunnel (Spoke to Hub); hence we must provide both the source and the destination of the tunnel.

%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R5(config-if)#exi
R5(config)#router eigrp 145
R5(config-router)# network 172.16.145.0 0.0.0.255
R5(config-router)# network 192.168.5.0
R5(config-router)# no auto-summary
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency
R5(config-router)#exi

The router has established an EIGRP adjacency through the tunnel. Note that the adjacency is with the DMVPN Hub (172.16.145.1) only; in Phase 1 the Spokes never peer with each other.

Step 3  R4 configuration.

The beauty of this technology is that the configuration is the same on every Spoke, apart from the addresses and the tunnel source interface.

R4(config)#crypto isakmp policy 1
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)#crypto ipsec profile DMVPN
R4(ipsec-profile)# set transform-set TSET
R4(ipsec-profile)#exi
R4(config)#interface Tunnel0
R4(config-if)# ip address 172.16.145.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco123
R4(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R4(config-if)# ip nhrp network-id 12345
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.145.1
R4(config-if)# tunnel source Serial0/0/0.42
R4(config-if)# tunnel destination 10.1.12.1
R4(config-if)# tunnel key 12345
R4(config-if)# tunnel protection ipsec profile DMVPN
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)#exi
R4(config)#router eigrp 145
R4(config-router)# network 172.16.145.0 0.0.0.255
R4(config-router)# network 192.168.4.0
R4(config-router)# no auto-summary
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.1 (Tunnel0) is up: new adjacency
R4(config-router)#exi

Verification

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.12.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
D    192.168.4.0/24 [90/27008000] via 172.16.145.4, 00:00:17, Tunnel0
D    192.168.5.0/24 [90/27008000] via 172.16.145.5, 00:00:55, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 10.1.12.2

The Spokes have sent updates about their networks (loopback interfaces) to the Hub. Now the Hub must send that information down to the other Spokes, which it can only do because split horizon is disabled for EIGRP on the tunnel interface.

R1#sh ip nhrp
172.16.145.4/32 via 172.16.145.4
   Tunnel0 created 00:00:33, expire 00:05:26
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5
   Tunnel0 created 00:01:08, expire 00:04:51
   Type: dynamic, Flags: unique registered
   NBMA address: 10.1.25.5

The NHRP database on the DMVPN Hub. Note that sh ip nhrp shows the mapping between each Spoke's Tunnel0 address and the address of the Serial interface through which that tunnel endpoint is reached (the NBMA address). The entries on the Hub are dynamic (learned from the Spokes' registrations) and expire after the Spoke's holdtime (360 seconds) unless the Spoke re-registers.

R1#sh ip eigrp neighbor
IP-EIGRP neighbors for process 145
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.145.4            Tu0               11 00:00:38   10  1362  0  3
0   172.16.145.5            Tu0               11 00:01:16   29  1362  0  3

EIGRP adjacencies have been established with both Spokes.

R1#sh ip eigrp interface
IP-EIGRP interfaces for process 145
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Tu0                2        0/0        19       6/227         80           0
Lo0                0        0/0         0       0/1            0           0

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE
10.1.12.1       10.1.24.4       QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.1.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)

The local and remote identities used for the tunnel. Note that only GRE (IP protocol 47) between the two endpoints is protected. This is achieved automatically by assigning the IPsec profile to the tunnel interface; configuring crypto ACLs is no longer needed.

   current_peer 10.1.24.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19

Traffic is flowing through the tunnel established between the Hub (R1) and the Spoke (R4).

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.24.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x97564348(2539012936)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2A3D155F(708646239)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: NETGX:3, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4568792/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

The inbound SPI (Security Parameter Index) has been negotiated.

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x97564348(2539012936)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: NETGX:4, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4568792/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

The outbound SPI (Security Parameter Index) has been negotiated.

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)

The local and remote identities used for the tunnel established between the Hub (R1) and the other Spoke (R5).

   current_peer 10.1.25.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.25.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x423D37C6(1111308230)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE65FFF26(3865050918)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4492833/3501)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x423D37C6(1111308230)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4492832/3501)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.145.0 is directly connected, Tunnel0
C    192.168.4.0/24 is directly connected, Loopback0
D    192.168.5.0/24 [90/28288000] via 172.16.145.1, 00:03:22, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, Serial0/0/0.42
D    192.168.1.0/24 [90/27008000] via 172.16.145.1, 00:03:22, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.1.24.2

The loopback networks of R1 and R5 are present in R4's routing table. Both are reachable through the Hub (R1) over the DMVPN network; note that R5's loopback, although on another Spoke, has the Hub's tunnel address as next hop.

R4#sh ip route 192.168.5.0
Routing entry for 192.168.5.0/24
  Known via "eigrp 145", distance 90, metric 28288000, type internal
  Redistributing via eigrp 145

  • CCIE SECURTY v4 Lab Workbook

    Page 24 of 100

    Last update from 172.16.145.1 on Tunnel0, 00:03:34 ago Routing Descriptor Blocks: * 172.16.145.1, from 172.16.145.1, 00:03:34 ago, via Tunnel0

    Next hop IP address followed by the information source (R1 the hub) Route metric is 28288000, traffic share count is 1 Total delay is 105000 microseconds, minimum bandwidth is 100 Kbit Reliability 255/255, minimum MTU 1400 bytes Loading 1/255, Hops 2 R4#sh ip cef 192.168.5.0 192.168.5.0/24 nexthop 172.16.145.1 Tunnel0

    The CEF entries displayed for R5 loopback network. This indicates an IP address of next hop which have to be used for reaching 192.168.5.0/24.

    R4#sh ip nhrp 172.16.145.1/32 via 172.16.145.1 Tunnel0 created 00:04:04, never expire Type: static, Flags: NBMA address: 10.1.12.1

    The NHRP database entries displayed. This shows the mapping between hubs tunnel interface IP address and hubs real interface IP address through which the tunnel endpoint is reachable. Note that NHRP database entries related to the hub are static and never expires (the hub must be always reachable for the spoke and cannot be dynamic).

    R4#sh crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id status 10.1.12.1 10.1.24.4 QM_IDLE 1001 ACTIVE

    This indicates that ISAKMP tunnel is established and active (QM_IDLE means that ISAKMP SA is authenticated and Quick Mode IPSec Phase 2 is fininshed.

    IPv6 Crypto ISAKMP SA

    R4#sh crypto ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 10.1.24.4

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.1.24.4/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
       current_peer 10.1.12.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
        #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0

    The IPsec proxy IDs on the spoke indicate that traffic between the tunnel endpoints will be encrypted/decrypted. Also, the packet counters are incrementing, as routing updates are crossing the tunnel.

         local crypto endpt.: 10.1.24.4, remote crypto endpt.: 10.1.12.1
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.42
         current outbound spi: 0x2A3D155F(708646239)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0x97564348(2539012936)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4571034/3344)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x2A3D155F(708646239)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4571034/3344)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    R4#pi 192.168.5.5 so lo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
    Packet sent with a source address of 192.168.4.4
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms

    Now ping the other spoke's loopback using the local loopback IP address as the source. This simulates end-to-end connectivity through the DMVPN network.

    R4#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.1.12.1       10.1.24.4       QM_IDLE           1001 ACTIVE

    IPv6 Crypto ISAKMP SA

    Note: No new ISAKMP SA or NHRP mappings were created.

    R4#sh ip nhrp
    172.16.145.1/32 via 172.16.145.1
       Tunnel0 created 00:04:40, never expire
       Type: static, Flags:
       NBMA address: 10.1.12.1

    The same set of commands should be run on the other spoke.

    R5#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is 10.1.25.2 to network 0.0.0.0

         172.16.0.0/24 is subnetted, 1 subnets
    C       172.16.145.0 is directly connected, Tunnel0
    D    192.168.4.0/24 [90/28288000] via 172.16.145.1, 00:01:24, Tunnel0
    C    192.168.5.0/24 is directly connected, Loopback0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.25.0 is directly connected, Serial0/1/0.52
    D    192.168.1.0/24 [90/27008000] via 172.16.145.1, 00:02:02, Tunnel0
    S*   0.0.0.0/0 [1/0] via 10.1.25.2
    R5#sh ip cef 192.168.4.0
    192.168.4.0/24
      nexthop 172.16.145.1 Tunnel0
    R5#sh ip nhrp
    172.16.145.1/32 via 172.16.145.1
       Tunnel0 created 00:02:11, never expire
       Type: static, Flags:
       NBMA address: 10.1.12.1
    R5#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE

    IPv6 Crypto ISAKMP SA

    R5#sh crypto ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 10.1.25.5

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.1.25.5/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.1.12.1/255.255.255.255/47/0)
       current_peer 10.1.12.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
        #pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0

         local crypto endpt.: 10.1.25.5, remote crypto endpt.: 10.1.12.1
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1/0.52
         current outbound spi: 0xE65FFF26(3865050918)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0x423D37C6(1111308230)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2001, flow_id: NETGX:1, sibling_flags 80000006, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4430458/3455)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xE65FFF26(3865050918)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4430459/3455)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    R5#pi 192.168.4.4 so lo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
    Packet sent with a source address of 192.168.5.5
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/40 ms

    Note: No new ISAKMP SA or NHRP mappings were created.

    R5#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.1.12.1       10.1.25.5       QM_IDLE           1001 ACTIVE

    IPv6 Crypto ISAKMP SA

    R5#sh ip nhrp
    172.16.145.1/32 via 172.16.145.1
       Tunnel0 created 00:03:01, never expire
       Type: static, Flags:
       NBMA address: 10.1.12.1

    Content Security WSA

    Logical Topology for WSA labs

    WSA is connected to the network using two interfaces:

    P1 data interface, placed in VLAN 30 (ASA DMZ)

    M1 management interface, placed in VLAN 10 (ASA Inside)


    LAB 2.2. Transparent Proxy with ASA

    Objectives

    This lab shows how to integrate WSA with ASA to provide transparent proxy services for users.

    IP Addressing and devices

    Device   Interface       IP address
    WSA      M1              10.1.10.80/24
             P1              10.1.30.80/24
    R1       Lo0             1.1.1.1/32
             E0/0            10.1.10.1/24
             E0/1            172.31.1.1/24
    ASA      0/0 (outside)   100.2.2.10/24
             0/1 (inside)    10.1.10.10/24
             0/2 (dmz)       10.1.30.10/24
    R2       Lo0             2.2.2.2/32
             E0/0            100.2.2.2/24
    WinXP    NIC             10.1.10.50/24
    Win7     NIC             10.1.10.104/24
    AD       NIC             172.31.1.200/24

    Task

    Reconfigure WSA to provide Transparent Proxy services to all users. The WSA should use its M1 interface and talk to ASA using the WCCP v2 protocol. Messages exchanged between WSA and ASA should be authenticated using the cisco123 shared secret. Enable Transparent proxy for HTTP and HTTPS. Disable the CONNECT method for explicit proxy.


    Configuration

    Complete these steps:

    Step 1 Configure WCCP on ASA.

    !
    access-list WCCP permit tcp 10.1.10.0 255.255.255.0 any eq 80
    access-list WCCP permit tcp 10.1.10.0 255.255.255.0 any eq 443
    !
    wccp 90 redirect-list WCCP password cisco123
    wccp interface inside 90 redirect in
    !

    Step 2 Reconfigure interfaces on WSA. Go to Network > Interfaces and click Edit Settings. Uncheck the "Restrict M1 port to appliance management services only" option and erase the P1 interface configuration. Click Submit.

    Note the following message. Click Continue.

    Review the configuration and click Commit Changes.


    Step 2 Enable Transparent Proxy services. Go to Network > Transparent Redirection and click Edit Device. From the drop-down list select WCCP v2 Router and click Submit.

    Click Add Service. Provide a name for the WCCP service, e.g. asa-wccp, and select the Dynamic service ID option. Set the ID to 90 and associate Port Numbers of 80,443. Put 10.1.10.10 (the ASA's inside interface IP) as Router IP Address and tick the Enable Security for Service option, configuring cisco123 as the password. Click Submit.


    Review configuration and click Commit Changes.

    Step 3 Win7 client PC configuration. Open up a web browser and go to Tools > Internet Options > Connections > LAN Settings and uncheck the "Use a proxy server for your LAN" option.


    Verification

    On the Win7 client PC open up a web browser and go to http://www.google.com. Authenticate as a user from the Employees group.

    // a 401 is returned by the proxy; this is the authentication request
    1360089008.110 0 10.1.10.104 TCP_DENIED/401 0 GET http://proxy.micronics.local/B0000D0000N0001F0000S0000R0004/http://www.google.com/ - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE -

    // after authentication the request proceeds normally
    1360089020.203 413 10.1.10.104 TCP_MISS/200 31422 GET http://www.google.com/ "MICRONICS\employee1@AD" DIRECT/www.google.com text/html ALLOW_WBRS_12-Employees-DefaultGroup-NONE-NONE-NONE-DefaultGroup -

    Connect to http://www.facebook.com. Facebook redirects the user to HTTPS by default, so you should get a certificate error (the certificate is not trusted because it is signed by WSA). You should be connected after accepting the certificate.


    // HTTP request to facebook.com
    1360089089.513 271 10.1.10.104 TCP_MISS/302 405 GET http://www.facebook.com/ "MICRONICS\employee1@AD" DIRECT/www.facebook.com text/html DEFAULT_CASE_12-Employees-DefaultGroup-NONE-NONE-NONE-DefaultGroup -

    // TCP CONNECT to 443, redirected to WSA
    1360089089.703 183 10.1.10.104 TCP_MISS_SSL/200 0 TCP_CONNECT 31.13.64.23:443 "MICRONICS\employee1@AD" DIRECT/31.13.64.23 - DECRYPT_AVC_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup -

    // check the connection table on ASA: there should be NO connections from the Win7 PC
    ASA1(config)# sh conn
    11 in use, 77 most used
    TCP outside 2.16.216.40:443 inside 10.1.10.80:57688, idle 0:00:07, bytes 32361, flags UIO
    TCP outside 2.16.216.40:443 inside 10.1.10.80:57686, idle 0:00:07, bytes 27805, flags UIO
    TCP outside 2.16.216.40:443 inside 10.1.10.80:57685, idle 0:00:07, bytes 74840, flags UIO
    TCP outside 2.16.216.40:443 inside 10.1.10.80:57684, idle 0:00:07, bytes 75426, flags UIO
    TCP outside 2.16.216.40:443 inside 10.1.10.80:57683, idle 0:00:08, bytes 11142, flags UIO
    TCP outside 2.16.216.40:443 inside 10.1.10.80:57682, idle 0:00:08, bytes 83528, flags UIO
    TCP outside 2.16.216.40:443 inside 10.1.10.80:57680, idle 0:00:14, bytes 2593, flags UfFrIO
    TCP outside 2.16.216.40:443 inside 10.1.10.80:57679, idle 0:00:14, bytes 45467, flags UfFrIO
    TCP outside 195.12.233.137:443 inside 10.1.10.80:57666, idle 0:00:15, bytes 2548, flags UIO
    TCP outside 31.13.64.23:443 inside 10.1.10.80:53205, idle 0:00:17, bytes 30380, flags UIO
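    As an added check for this verification (my own code, not part of the workbook or of any Cisco tool), the following Python parses the WSA accesslog lines shown above and the ASA show conn table: it confirms the 401 challenge followed by an authenticated request, and that no inside host other than the WSA (10.1.10.80) holds a web connection through the firewall. The sample text is copied from the outputs above; the function and field names are my own.

```python
"""Checks for the transparent-proxy verification: parse WSA accesslog lines and an
ASA 'show conn' table. Added for this section; not workbook or Cisco code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sample lines copied from the verification output above (raw string: the
# identity field is quoted and contains a backslash).
SAMPLE_ACCESS_LOG = r'''
1360089008.110 0 10.1.10.104 TCP_DENIED/401 0 GET http://proxy.micronics.local/B0000D0000N0001F0000S0000R0004/http://www.google.com/ - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE -
1360089020.203 413 10.1.10.104 TCP_MISS/200 31422 GET http://www.google.com/ "MICRONICS\employee1@AD" DIRECT/www.google.com text/html ALLOW_WBRS_12-Employees-DefaultGroup-NONE-NONE-NONE-DefaultGroup -
1360089089.513 271 10.1.10.104 TCP_MISS/302 405 GET http://www.facebook.com/ "MICRONICS\employee1@AD" DIRECT/www.facebook.com text/html DEFAULT_CASE_12-Employees-DefaultGroup-NONE-NONE-NONE-DefaultGroup -
1360089089.703 183 10.1.10.104 TCP_MISS_SSL/200 0 TCP_CONNECT 31.13.64.23:443 "MICRONICS\employee1@AD" DIRECT/31.13.64.23 - DECRYPT_AVC_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup -
'''

SAMPLE_SHOW_CONN = '''
11 in use, 77 most used
TCP outside 2.16.216.40:443 inside 10.1.10.80:57688, idle 0:00:07, bytes 32361, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57680, idle 0:00:14, bytes 2593, flags UfFrIO
TCP outside 195.12.233.137:443 inside 10.1.10.80:57666, idle 0:00:15, bytes 2548, flags UIO
TCP outside 31.13.64.23:443 inside 10.1.10.80:53205, idle 0:00:17, bytes 30380, flags UIO
'''


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str            # TCP_DENIED, TCP_MISS, TCP_MISS_SSL ...
    status: int            # HTTP status the proxy returned
    size: int
    method: str
    url: str
    user: Optional[str]    # None until the client has authenticated
    hierarchy: str         # NONE/- for the challenge, DIRECT/<server> afterwards
    content_type: Optional[str]
    verdict: str           # first element of the ACL decision tag


_FIELD = re.compile(r'"[^"]*"|\S+')   # whitespace-separated, but quoted fields stay whole


def parse_access_line(line: str) -> AccessEntry:
    f = [t.strip('"') for t in _FIELD.findall(line)]
    if len(f) < 11:
        raise ValueError(f'not an accesslog line: {line!r}')
    result, status = f[3].split('/', 1)
    return AccessEntry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                       f[5], f[6], None if f[7] == '-' else f[7], f[8],
                       None if f[9] == '-' else f[9], f[10].split('-', 1)[0])


def parse_access_log(text: str) -> List[AccessEntry]:
    return [parse_access_line(l) for l in text.splitlines() if l.strip()]


def auth_challenge_ok(entries: List[AccessEntry], client: str) -> bool:
    """True when the client's first request was answered with the 401 challenge and no
    identity, and a later request from it carries an authenticated user."""
    mine = [e for e in entries if e.client == client]
    if not mine or mine[0].status != 401 or mine[0].user is not None:
        return False
    return any(e.user is not None and e.status < 400 for e in mine[1:])


def authenticated_users(entries: List[AccessEntry]) -> Dict[str, Set[str]]:
    """client IP -> identities the proxy attached to that client's requests."""
    users: Dict[str, Set[str]] = {}
    for e in entries:
        if e.user:
            users.setdefault(e.client, set()).add(e.user)
    return users


_CONN = re.compile(r'^TCP (\w+) ([\d.]+):(\d+) (\w+) ([\d.]+):(\d+), idle (\S+), '
                   r'bytes (\d+), flags (\S+)$')


def parse_show_conn(text: str) -> List[dict]:
    conns = []
    for line in text.splitlines():
        m = _CONN.match(line.strip())
        if m:
            conns.append({'out_if': m[1], 'dst': m[2], 'dport': int(m[3]), 'in_if': m[4],
                          'src': m[5], 'sport': int(m[6]), 'bytes': int(m[8]), 'flags': m[9]})
    return conns


def hosts_bypassing_proxy(text: str, proxy_ip: str, ports=(80, 443)) -> Set[str]:
    """Inside hosts other than the WSA that hold a web connection through the ASA.
    With WCCP redirection working this set is empty: only the WSA talks out."""
    return {c['src'] for c in parse_show_conn(text)
            if c['dport'] in ports and c['src'] != proxy_ip}
```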

    Check the ASA WCCP command output.

    ASA1(config)# deb wccp packet
    WCCP-PKT:D90: Received valid Here_I_Am packet from 10.1.10.80 w/rcv_id 00000112
    WCCP-PKT:D90: Sending I_See_You packet to 10.1.10.80 w/ rcv_id 00000113
    ASA1(config)# sh wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   100.2.2.10
            Protocol Version:                    2.0

        Service Identifier: 90
            Number of Cache Engines:             1
            Number of routers:                   1
            Total Packets Redirected:            11464
            Redirect access-list:                WCCP
            Total Connections Denied Redirect:   0
            Total Packets Unassigned:            6
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total Bypassed Packets Received:     0
    ASA1(config)# sh wccp 90 detail
    WCCP Cache-Engine information:
            Web Cache ID:          10.1.10.80
            Protocol Version:      2.0
            State:                 Usable
            Initial Hash Info:     00000000000000000000000000000000
                                   00000000000000000000000000000000
            Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                   FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
            Hash Allotment:        256 (100.00%)
            Packets Redirected:    11464
            Connect Time:          00:00:18
    ASA1(config)# sh wccp 90 service
    WCCP service information definition:
            Type:          Dynamic
            Id:            90
            Priority:      240
            Protocol:      6
            Options:       0x00000012
            --------
            Hash:          DstIP
            Alt Hash:      -none-
            Ports:         Destination:: 80 443 0 0 0 0 0 0

    Identity Management ACS

    Logical Topology for ACS labs

    ACS 5 is connected to the network behind Router1 and has the IP address 172.31.1.100. The default gateway should be set to R1. Management access to ACS should be allowed from the WinXP PC (10.1.10.50).


    LAB 2.3. ACS Bootstrapping

    Objectives

    This lab introduces Cisco Secure Access Control Server v5.3 and verifies basic connectivity with other network elements.

    IP Addressing and devices

    Device   Interface   IP address
    ACS      NIC         172.31.1.100
    R1       Lo0         1.1.1.1/32
             E0/0        10.1.10.1/24
             E0/1        172.31.1.1/24
    R2       Lo0         2.2.2.2/32
             E0/0        100.2.2.2/24
    WinXP    NIC         10.1.10.50/24


    Task 1 Verify ACS installation

    Connect to the ACS console using SSH and a username/password of admin/Micronics1. Check and note the following:

    ACS application version
    ACS daemon status
    Interface configuration
    Routing table (with default gateway)
    Clock configuration
    Timezone configuration

    Configure the following:

    NTP server set to 172.31.1.1

    Connect to the GUI and install the license located on the WinXP desktop (ACS5.lic).

    Configuration

    Complete these steps:

    Step 1 Run PuTTY and connect to the IP address 172.31.1.100.

    Step 2 Verify that ACS is installed properly.

    ACS5/admin# show application
    acs      Cisco Secure Access Control System 5.3

    Cisco ACS is an application installed on an underlying operating system called Cisco ADE. Once you're connected to ADE you must check which applications are installed. Then you can use the application name (in our case acs) in all other commands.

    Step 3 Check the ACS version.

    ACS5/admin# show application version acs
    Cisco ACS VERSION INFORMATION
    -----------------------------
    Version : 5.3.0.40
    Internal Build ID : B.839.EVAL

    The main version is 5.3 and the patch level is 40. The build ID depends on the development stage and also indicates that we are using an evaluation version of ACS. You can install a production license or an evaluation license (90 days). Remember that if the ACS was installed with a 60GB disk (the minimum) there will be no option to run it with a non-eval license. 60GB is the minimum value and can only be used in a lab environment.

    Step 4 Check the status of the ACS processes.

    ACS5/admin# show application status acs

    ACS role: PRIMARY

    Process 'database'             running
    Process 'management'           running
    Process 'runtime'              running
    Process 'view-database'        running
    Process 'view-jobmanager'      running
    Process 'view-alertmanager'    running
    Process 'view-collector'       running
    Process 'view-logprocessor'    running

    If a process shows any status other than running, something is wrong with that particular ACS subsystem/process. To fix it you can try to restart the ACS application using application stop acs and then application start acs. Be patient, as it may take a while to start all ACS processes.

    Step 5 Check the interface configuration and verify the IP address and netmask.

    ACS5/admin# show interface
    eth0      Link encap:Ethernet  HWaddr 00:50:56:AE:83:F6
              inet addr:172.31.1.100  Bcast:172.31.1.255  Mask:255.255.255.0
              inet6 addr: fe80::250:56ff:feae:83f6/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:12645 errors:0 dropped:0 overruns:0 frame:0
              TX packets:16627 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1105589 (1.0 MiB)  TX bytes:19717105 (18.8 MiB)
              Interrupt:177 Base address:0x2000

    Make sure that you see RX and TX packets and that no error counters are increasing; increasing error counters are a first indicator that something may be wrong with connectivity. If you do not see the eth0 interface at all, that usually means the interface is down.

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1939218 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1939218 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:300253955 (286.3 MiB)  TX bytes:300253955 (286.3 MiB)

    sit0      Link encap:IPv6-in-IPv4
              NOARP  MTU:1480  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    Step 6 Check the routing table and the default gateway.

    ACS5/admin# show ip route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    172.31.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         172.31.1.1      0.0.0.0         UG    0      0        0 eth0

    Step 7 Check basic connectivity to the gateway and to other network elements.

    ACS5/admin# ping 172.31.1.1
    PING 172.31.1.1 (172.31.1.1) 56(84) bytes of data.
    64 bytes from 172.31.1.1: icmp_seq=0 ttl=255 time=10.0 ms
    64 bytes from 172.31.1.1: icmp_seq=1 ttl=255 time=0.642 ms
    64 bytes from 172.31.1.1: icmp_seq=2 ttl=255 time=0.690 ms
    64 bytes from 172.31.1.1: icmp_seq=3 ttl=255 time=0.784 ms

    --- 172.31.1.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2999ms
    rtt min/avg/max/mdev = 0.642/3.049/10.083/4.061 ms, pipe 2
    ACS5/admin# ping 10.1.10.10
    PING 10.1.10.10 (10.1.10.10) 56(84) bytes of data.

    --- 10.1.10.10 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3027ms

    Note that you cannot reach ASA firewall at this stage. This is because the ASA has no route back to network 172.31.1.0/24. You will fix this later.

    ACS5/admin# ping 10.1.10.50
    PING 10.1.10.50 (10.1.10.50) 56(84) bytes of data.
    64 bytes from 10.1.10.50: icmp_seq=0 ttl=127 time=0.812 ms
    64 bytes from 10.1.10.50: icmp_seq=1 ttl=127 time=1.02 ms
    64 bytes from 10.1.10.50: icmp_seq=2 ttl=127 time=1.02 ms
    64 bytes from 10.1.10.50: icmp_seq=3 ttl=127 time=10.8 ms

    --- 10.1.10.50 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3009ms
    rtt min/avg/max/mdev = 0.812/3.429/10.860/4.291 ms, pipe 2

    Step 8 Check the name server and domain configuration. Verify that DNS works by asking it to resolve the FQDN acs5.micronics.local.

    ACS5/admin# show running-config | inc name
    hostname ACS5
    ip domain-name micronics.local
    ip name-server 172.31.1.200
    username admin password hash $1$Vlgou3Zx$hWKQ2lqIKFZF./OlFJ/Wi1 role admin
    ACS5/admin# ping 172.31.1.200
    PING 172.31.1.200 (172.31.1.200) 56(84) bytes of data.
    64 bytes from 172.31.1.200: icmp_seq=0 ttl=128 time=0.551 ms
    64 bytes from 172.31.1.200: icmp_seq=1 ttl=128 time=0.331 ms
    64 bytes from 172.31.1.200: icmp_seq=2 ttl=128 time=0.401 ms
    64 bytes from 172.31.1.200: icmp_seq=3 ttl=128 time=0.415 ms

    --- 172.31.1.200 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2999ms
    rtt min/avg/max/mdev = 0.331/0.424/0.551/0.082 ms, pipe 2
    ACS5/admin# nslookup acs5.micronics.local
    Trying "acs5.micronics.local"
    ;; ->>HEADER
    acs5.micronics.local.   3600    IN      A       172.31.1.100

    Received 54 bytes from 172.31.1.200#53 in 0 ms

    Step 9 Check the clock and timezone configuration.

    ACS5/admin# show clock
    Sun Jan 6 12:23:45 UTC 2013
    ACS5/admin# show timezone
    UTC

    If a different timezone is configured you can always change it to the correct value using the clock timezone UTC command in global configuration mode. To check which timezone names are available use the show timezones command.

    Step 10 Configure NTP.

    ACS5/admin(config)# ntp server 172.31.1.1
    The NTP server was modified.
    If this action resulted in a clock modification, you must restart ACS.
    ACS5/admin(config)# exit
    ACS5/admin# write mem
    Generating configuration...
    ACS5/admin# show ntp
    Primary NTP : 172.31.1.200
    unsynchronised
      time server re-starting
       polling server every 64 s
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     127.127.1.0     LOCAL(0)        10 l   42   64    7    0.000    0.000   0.002
     172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029
    Warning: Output results may conflict during periods of changing synchronization.
    ACS5/admin# show ntp
    Primary NTP : 172.31.1.1
    synchronised to NTP server (172.31.1.1) at stratum 9
       time correct to within 452 ms
       polling server every 64 s
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     127.127.1.0     LOCAL(0)        10 l   45   64   77    0.000    0.000   0.002
    *172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029
    Warning: Output results may conflict during periods of changing synchronization.

    NTP synchronization is very important, especially when ACS is part of an Active Directory domain. If you plan to join AD, the clocks of the Domain Controller and ACS must be synchronized; NTP-related issues cause most problems with AD integration. You can also check the application logs while syncing with NTP. Note that ACS may not synchronize with a source that is not reliable (one that gets its time from its local clock).

    ACS5/admin# show logging application | in ntp
    Nov  8 11:38:05 ACS5 ntpd[29716]: ntpd [email protected] Mon Jul 28 11:03:50 EDT 2008 (1)
    Nov  8 11:38:05 ACS5 ntpd: ntpd startup succeeded
    Nov  8 11:38:05 ACS5 ntpd[29716]: precision = 2.000 usec
    Nov  8 11:38:05 ACS5 ntpd[29716]: Listening on interface wildcard, 0.0.0.0#123
    Nov  8 11:38:05 ACS5 ntpd[29716]: Listening on interface wildcard, ::#123
    Nov  8 11:38:05 ACS5 ntpd[29716]: Listening on interface lo, 127.0.0.1#123
    Nov  8 11:38:05 ACS5 ntpd[29716]: Listening on interface eth0, 172.31.1.100#123
    Nov  8 11:38:05 ACS5 ntpd[29716]: kernel time sync status 0040
    Nov  8 11:38:05 ACS5 ntpd[29716]: frequency initialized 0.000 PPM from /var/lib/ntp/drift
    Nov  8 11:41:20 ACS5 ntpd[29716]: synchronized to LOCAL(0), stratum 10
    Nov  8 11:41:20 ACS5 ntpd[29716]: kernel time sync disabled 0041
    Nov  8 11:42:23 ACS5 ntpd[29716]: synchronized to 172.31.1.1, stratum 8
    Nov  8 11:42:24 ACS5 ntpd[29716]: kernel time sync enabled 0001
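    As an added example for Step 10 (my own code, not part of the workbook or of Cisco ADE-OS), this Python parses the two show ntp outputs above and reports the conditions the text warns about: no synchronisation yet, a configured primary that is missing from the peer table (as in the first output, which still shows 172.31.1.200), and a selected peer whose refid is LOCAL(n), i.e. a source running on its own clock. The sample text is copied from the outputs above; the names are my own.

```python
"""Parse ADE-OS 'show ntp' output and flag what the lab text warns about.
Added for this section; not workbook or Cisco ADE-OS code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample outputs copied from Step 10 above: before and after synchronisation.
SHOW_NTP_BEFORE = """Primary NTP : 172.31.1.200
unsynchronised
  time server re-starting
   polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        10 l   42   64    7    0.000    0.000   0.002
 172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029
Warning: Output results may conflict during periods of changing synchronization.
"""
SHOW_NTP_AFTER = """Primary NTP : 172.31.1.1
synchronised to NTP server (172.31.1.1) at stratum 9
   time correct to within 452 ms
   polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        10 l   45   64   77    0.000    0.000   0.002
*172.31.1.1      LOCAL(1)         8 u   44   64   77    0.733    4.846   3.029
"""

# ntpq peer line: tally char, remote, refid, st, t, when, poll, reach, delay, offset, jitter
_PEER = re.compile(r'^([ *+#x.o-])(\S+)\s+(\S+)\s+(\d+)\s+(\w)\s+(\S+)\s+(\d+)\s+(\d+)'
                   r'\s+(\S+)\s+(\S+)\s+(\S+)\s*$')
_SYNC = re.compile(r'^synchronised to NTP server \((\S+)\) at stratum (\d+)')


@dataclass
class NtpPeer:
    tally: str      # '*' marks the peer the daemon is actually following
    remote: str
    refid: str
    stratum: int
    reach: str      # octal shift register of the last eight polls
    offset_ms: float

    @property
    def selected(self) -> bool:
        return self.tally == '*'

    @property
    def on_local_clock(self) -> bool:
        # LOCAL(n) as refid means the peer is disciplined by its own clock, not an upstream source
        return self.refid.startswith('LOCAL(') or self.remote.startswith('127.127.')

    @property
    def reach_fraction(self) -> float:
        return bin(int(self.reach, 8)).count('1') / 8   # set bits = polls that got an answer


@dataclass
class NtpStatus:
    primary: Optional[str]
    synchronised: bool
    sync_server: Optional[str]
    stratum: Optional[int]
    peers: List[NtpPeer]

    def selected_peer(self) -> Optional[NtpPeer]:
        return next((p for p in self.peers if p.selected), None)


def parse_show_ntp(text: str) -> NtpStatus:
    st = NtpStatus(None, False, None, None, [])
    for line in text.splitlines():
        if line.startswith('Primary NTP'):
            st.primary = line.split(':', 1)[1].strip()
        elif (m := _SYNC.match(line.strip())):
            st.synchronised, st.sync_server, st.stratum = True, m[1], int(m[2])
        elif (m := _PEER.match(line)):          # not stripped: the tally column is char 0
            st.peers.append(NtpPeer(m[1], m[2], m[3], int(m[4]), m[8], float(m[10])))
    return st


def assess(text: str) -> List[str]:
    """Human-readable findings; an empty list means the clock source looks trustworthy."""
    st = parse_show_ntp(text)
    findings = []
    if not st.synchronised:
        findings.append('not synchronised yet: do not join AD until this clears')
    if st.primary and st.primary not in {p.remote for p in st.peers}:
        findings.append(f'configured primary {st.primary} is absent from the peer table')
    sel = st.selected_peer()
    if sel and sel.on_local_clock:
        findings.append(f'selected peer {sel.remote} has refid {sel.refid}: it takes time from '
                        'its own local clock, which ACS may treat as unreliable')
    if sel and sel.reach_fraction < 1.0:
        findings.append(f'selected peer {sel.remote} answered {int(sel.reach_fraction * 8)} '
                        'of the last 8 polls')
    return findings
```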

    Step 11 Connect through the GUI and install the license. Open up a web browser (IE or FF) and enter the following URL:

    https://172.31.1.100/acsadmin

    Authenticate as acsadmin/default and change the default password to Micronics1.

    Provide the license file ACS5.lic (it should be on the WinXP desktop).

    Once the license file is installed, the ACS is ready for further configuration.


    LAB 2.4. Setup AAA clients

    Objectives

    This lab shows how to configure AAA clients in ACS and perform basic authentication using the RADIUS and TACACS+ protocols.

    IP Addressing and devices

    Device   Interface   IP address
    ACS      NIC         172.31.1.100
    R1       Lo0         1.1.1.1/32
             E0/0        10.1.10.1/24
             E0/1        172.31.1.1/24
    SW1      Vlan10      10.1.10.7/24
    WinXP    NIC         10.1.10.50/24


    Task 1 Create a user in ACS internal database

    Create a new user with a username of student1 and a password of student123 in the ACS Internal Identity Store. The user should belong to the Students user group.

    Configuration

    Complete these steps:

    Step 1 Connect to ACS from the WinXP PC and authenticate using acsadmin. Add a new entry to the Device Type and Location NDGs (Network Device Groups).

    Go to Users and Identity Stores > Identity Groups and click Create. Add the name Students under All Groups and click Submit.

    Go to Users and Identity Stores > Users and click Create. Add a new user with a name of student1 and a password of student123, select Students under Identity Groups and click Submit.


    Verification

    There is no Verification for this task.


    Task 2 Adding the router as AAA client in ACS

    Configure the R1 router as an AAA client in ACS using TACACS+ with a secret key of cisco123. Make sure the device is sourcing TACACS+ traffic from its loopback0 interface and uses only one TCP connection for the whole AAA conversation.

    The new AAA client should be added as Device Type = Routers in Location = HQ. Configure AAA on the router and use the test aaa command to verify your solution.

    Configuration

    Complete these steps:

    Step 1 Connect to ACS from the WinXP PC and authenticate using acsadmin. Add a new entry to the Device Type and Location NDGs (Network Device Groups).

    Go to Network Resources > Network Device Groups > Location and click Create. Add the name HQ under All Locations and click Submit.


    Devices can be differentiated based on their type and/or location. There are two pre-defined containers in ACS: one for location and a second for type. This information can be further used in authorization policies, so it is recommended to add new devices to the correct categories.

    Go to Network Resources > Network Device Groups > Device Type and click Create. Add the name Routers under All Device Types and click Submit.

    Step 2 Add the new AAA client to the ACS. Go to Network Resources > Network Device and AAA Clients and click Create. Add a new client with the name R1, select Location = HQ and Device Type = Routers, configure an IP address of 1.1.1.1, select TACACS+ as the protocol and configure a Shared Secret of cisco123. Select the Single Connect Device option and click Submit.


    Step 3 Router configuration.

    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    aaa new-model
    !
    tacacs server ACS
     address ipv4 172.31.1.100
     key cisco123
     single-connection
    !
    ip tacacs source-interface Loopback0
    !

    The ip tacacs source-interface Loopback0 line is what satisfies the task requirement to source TACACS+ from loopback0; without it the requests leave from the E0/1 address and do not match the 1.1.1.1 client entry configured in ACS. Notice that we do not need to configure the aaa authentication command here. It is enough to specify the TACACS server in the configuration and then use it in the test aaa command. Also note that you can specify an AAA server in three ways:

    1. using the old command structure, tacacs-server host
    2. using the new command structure, as configured above
    3. using AAA groups, with commands like aaa group server

    The first option is deprecated and is not recommended in IOS 15.0 and above.


    Verification

    Use the test aaa command to check user authentication.

    R1#test aaa group tacacs+ student1 student123 legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    User was successfully authenticated.

    Check the logs on ACS. Go to Monitoring and Reports and launch the Authentications - TACACS - Today report.


    Task 3 Adding the switch as AAA client in ACS

    Configure the SW1 switch as an AAA client in ACS using RADIUS with a secret key of cisco123. Make sure the device is sourcing RADIUS traffic from the vlan10 interface with IP address 10.1.10.7/24.

    The new AAA client should be added as Device Type = Switches in Location = HQ. Configure AAA on the switch and use the test aaa command to verify your solution.

    Configuration

    Complete these steps:

    Step 1 Connect to ACS from the WinXP PC and authenticate using acsadmin. Go to Network Resources > Network Device Groups > Device Type and click Create. Add the name Switches under All Device Types and click Submit.

    Step 2 Add the new AAA client to the ACS. Go to Network Resources > Network Device and AAA Clients and click Create. Add a new client with the name SW1, select Location = HQ and Device Type = Switches, configure an IP address of 10.1.10.7, select RADIUS as the protocol, configure a Shared Secret of cisco123 and click Submit.

    Step 3 Switch configuration.

    !
    interface Vlan10
     ip address 10.1.10.7 255.255.255.0
    !
    aaa new-model
    !
    ip default-gateway 10.1.10.1
    ip radius source-interface Vlan10
    radius-server host 172.31.1.100 key cisco123
    !

    Note that when you enable aaa new-model the device will start asking for a username/password on the VTY lines. You must either configure the login authentication command on the VTYs or create a backup/fallback username in the local database. It is always recommended to have such a local user account.

    !
    username backup password backup
    !

    For a real deployment prefer username backup secret <password>, which stores a hash instead of a reversible (type 7) password, and pick a password that does not match the username.


    Verification

    Use the test aaa command to check user authentication.

    SW1#ping 172.31.1.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.31.1.100, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/205/1015 ms
    SW1#test aaa group radius student1 student123 legacy
    Attempting authentication test to server-group radius using radius
    User was successfully authenticated.

    Check the logs on ACS. Go to Monitoring and Reports and launch the Authentications - RADIUS - Today report.


    LAB 2.5. User authentication and authorization (IOS)

    Objectives

    This lab shows how to configure routers to perform basic authentication and authorization.

    IP Addressing and devices

    Device   Interface   IP address
    R1       Lo0         1.1.1.1/32
             E0/0        10.1.10.1/24
             E0/1        172.31.1.1/24
    R2       Lo0         2.2.2.2/32
             E0/0        100.2.2.2/24

    The router may authenticate remote users using its local user database. Every user connecting to the router must be authenticated and authorized to perform specific tasks. There are 16 privilege levels on the router, numbered 0 through 15. By default only three levels are configured:

    Level 0: the basic level, accessible to every user, with access only to basic commands like exit and logout.

    Level 1: a user without administrative permissions has this level assigned. Usually every user in non-privileged router mode (non-enable mode) is on this level.

    Level 15: a user with administrative privileges is on this level. All commands are available on this level by default. When a user enters the enable command and authenticates successfully, he/she is by default authorized on level 15.


    The rest of the levels (2-14) are user configurable, so that we can assign commands to a specific level. The term "assign" is unfortunate here, as we are only able to move a command between levels. For example, if a command is by default on level 15 (remember that most of the configuration commands are available only on level 15), we can move it down to level 10. However, this command will then be available on level 10 and on all levels above it, up to level 15.

    The router can have a different password for every privilege level, so that we can authenticate to a specific level by entering the enable command followed by the level number.

    Note that because most configuration commands are available on level 15, entering level 5, for example, will not give us access to any other commands. We first need to move specific commands to that level to be able to use them.


    Task 1 Local user authentication on router

    On R2 configure local user luser1 with a password of luser1 and allow him to issue only show commands when accessing the router using a TELNET session. Use strong encryption for the enable password if possible. You are not allowed to use any AAA commands or views to accomplish this task.

    Configuration

    Complete these steps:

    Step 1 Configure R2 as follows:

        !
        privilege exec all level 3 show
        !
        enable secret level 3 enable3
        !
        username luser1 password luser1
        !
        line vty 0 4
         login local
        !

    Verification

        R1#telnet 100.2.2.2
        Trying 100.2.2.2 ... Open

        User Access Verification

        Username: luser1
        Password:
        R2>show priv
           ^
        % Invalid input detected at '^' marker.

    The show command is not accessible to a level 1 user; it is now on level 3.

        R2>enable
        % No password set

    There is no enable password configured for level 15.

        R2>enable 3
        Password:
        R2#sh priv
        Current privilege level is 3

    The enable3 password works for privilege level 3 only.


        R2#show ?
          aaa                       Show AAA values
          aal2                      Show commands for AAL2
          access-expression         List access expression
          access-lists              List access lists
          accounting                Accounting data for active sessions
          adjacency                 Adjacent nodes
          alarm-interface           Display information about a specific Alarm Interface Card
          aliases                   Display alias commands
          alignment                 Show alignment information
          alps                      Alps information
          appfw                     Application Firewall information
          appletalk                 AppleTalk information
          arap                      Show Appletalk Remote Access statistics
          archive                   Archive of the running configuration information
          arp                       ARP table
          ase                       Display ASE specific information
          async                     Information on terminal lines used as router interfaces
          auto                      Show Automation Template
          autoupgrade               Show autoupgrade related information
          backhaul-session-manager  Backhaul Session Manager information
        R2#conf t
           ^
        % Invalid input detected at '^' marker.

    Higher level commands are not accessible to a level 3 user.

        R2#exit
        [Connection to 100.2.2.2 closed by foreign host]
        R1#
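Added example (not code from the workbook): a small Python model of the privilege-level rules explained above and exercised in Task 1. A command lives on one level and is usable on that level and every level above it, "privilege exec level N" moves it, and "enable secret level N" admits a user to exactly that level. The default command levels for exit, logout, show and configure are assumed, and the error strings merely mimic IOS wording.

```python
"""Model of the IOS privilege-level rules used in Lab 2.5 (added example).
A command lives on one level and is usable on that level and every level
above it; "privilege exec level N <cmd>" moves it; "enable secret level N"
admits a user to exactly that level. DEFAULT_LEVELS is an assumption."""
import re
from dataclasses import dataclass, field

DEFAULT_LEVELS = {"exit": 0, "logout": 0, "show": 1, "configure": 15}

@dataclass
class Router:
    cmd_levels: dict = field(default_factory=lambda: dict(DEFAULT_LEVELS))
    enable_secrets: dict = field(default_factory=dict)  # level -> secret
    users: dict = field(default_factory=dict)           # username -> password

    def configure(self, config: str) -> None:
        """Apply the subset of IOS configuration lines used in Task 1."""
        for line in (l.strip() for l in config.splitlines()):
            if m := re.fullmatch(r"privilege exec (?:all )?level (\d+) (\S+)", line):
                self.cmd_levels[m.group(2)] = int(m.group(1))
            elif m := re.fullmatch(r"enable secret level (\d+) (\S+)", line):
                self.enable_secrets[int(m.group(1))] = m.group(2)
            elif m := re.fullmatch(r"enable secret (\S+)", line):
                self.enable_secrets[15] = m.group(1)
            elif m := re.fullmatch(r"username (\S+) password (\S+)", line):
                self.users[m.group(1)] = m.group(2)

    def commands_at(self, level: int) -> set:
        """Commands usable on a level: everything on that level or below."""
        return {cmd for cmd, lvl in self.cmd_levels.items() if lvl <= level}

    def login(self, user: str, password: str) -> "Session":
        # 'login local' on the vty: a fresh session starts on level 1.
        if self.users.get(user) != password:
            raise PermissionError("% Login invalid")
        return Session(self, level=1)

@dataclass
class Session:
    router: Router
    level: int

    def enable(self, password: str, level: int = 15) -> str:
        """'enable [level]'. This model only honours a secret configured for
        the requested level itself (no fallback to a level 15 secret)."""
        secret = self.router.enable_secrets.get(level)
        if secret is None:
            return "% No password set"
        if secret != password:
            return "% Bad secrets"
        self.level = level
        return f"Current privilege level is {level}"

    def run(self, cmdline: str) -> str:
        """Accept the command only if its level is at or below the session's."""
        keyword = cmdline.split()[0]
        if keyword not in self.router.commands_at(self.level):
            return "% Invalid input detected at '^' marker."
        return "OK"

# R2's configuration from Step 1 of Task 1 (the vty 'login local' is implied by login()).
R2_CONFIG = "privilege exec all level 3 show\nenable secret level 3 enable3\nusername luser1 password luser1"
```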


    Advanced CCIE SECURITY v4 LAB WORKBOOK

    Identity Management ISE

    Narbik Kocharians CCIE #12410 R&S, Security, SP
    Piotr Matusiak CCIE #19860 R&S, Security

    www.MicronicsTraining.com


    Logical Topology for ISE labs

    ISE v1.1 is connected to the network behind Router1 and has the IP address 172.31.1.20. Its default gateway should be set to R1.

    Management access to ISE should be allowed from the WinXP PC (10.1.10.50).


    LAB 2.6. ISE Installation (optional)

    Objectives

    This lab introduces Identity Service Engine v1.1 and verifies basic connectivity with other network elements.

    IP Addressing and devices

    Device  Interface  IP address
    ISE     NIC        172.31.1.20
    R1      Lo0        1.1.1.1/32
            E0/0       10.1.10.1/24
            E0/1       172.31.1.1/24
    R2      Lo0        2.2.2.2/32
            E0/0       100.2.2.2/24
    WinXP   NIC        10.1.10.50/24

    This is an optional task. If the ISE is already pre-installed, you can go directly to the next task.

    Task

    Perform ISE installation and bootstrapping. Provide the following information during the installation process:

    Hostname: ISE
    IP Address and mask: 172.31.1.20/24
    Default gateway: 172.31.1.1
    Domain name and nameserver: micronics.local, 172.31.1.200
    NTP server and timezone: 172.31.1.200, UTC


    Configuration

    Complete these steps:

    Step 1 Log into the ISE Virtual Appliance console (if you have access to it). You should see the following prompt:

        **********************************************
        Please type setup to configure the appliance
        **********************************************
        localhost login:

    Enter setup as the username to start the configuration wizard.

    Step 2 Go through the configuration wizard.

        Press Ctrl-C to abort setup
        Enter hostname[]: ise
        Enter IP address []: 172.31.1.20
        Enter IP default netmask[]: 255.255.255.0
        Enter IP default gateway[]: 172.31.1.1
        Enter default DNS domain[]: micronics.local
        Enter Primary nameserver[]: 172.31.1.200
        Add secondary nameserver? Y/N [N]:
        Enter Primary NTP server[time.nist.gov]: 172.31.1.1
        Add another NTP server? Y/N [N]:
        Enter system timezone[UTC]:
        Enter username[admin]:
        Enter password: Micronics1
        Enter password again: Micronics1
        Bringing up network interface...
        Pinging the gateway...
        Pinging the primary nameserver ...
        Virtual machine detected, configuring VMware tools...
        Do not use Ctrl-C from this point on...
        Appliance is configured
        Installing applications...
        Installing ise ...
        The mode has been set to licensed.

    Step 3 ISE installation. Provide passwords for the ISE database during installation.

        Application bundle (ise) installed successfully
        === Initial Setup for Application: ise ===
        Welcome to the ISE initial setup. The purpose of this setup is to provision the internal ISE database.
        This setup requires you create a database administrator password and also create a database user password.
        Please follow the prompts below to create the database administrator password.
        Enter new database admin password: Micronics1234
        Confirm new database admin password: Micronics1234
        Successfully created database administrator password.
        Please follow the prompts below to create the data base user password:
        Enter new database user password: Micronics1234
        Confirm new Database user password: Micronics1234
        Successfully created database user password.
        Running database cloning script...
        Running database network config assistant tool...
        Extracting ISE database content...
        Starting ISE database processes...
        Creating ISE M&T session directory...
        Performing ISE database priming...
        Generating configuration...
        Rebooting...

    Verification

    Connect to ISE using SSH and provide the username/password of admin/Micronics1. Check and note the following:

    o ISE application version
    o ISE daemon status
    o Interface configuration
    o Routing table (with default gateway)
    o Clock configuration
    o Timezone configuration

    Connect to the GUI from the WinXP desktop and check the license and ISE deployment options.


    Run Putty and connect using SSH to the IP address 172.31.1.20.

    Verify that ISE is installed properly

    Cisco ISE is an application installed on an underlying operating system called Cisco ADE. Once you're connected to ADE you must check which applications are installed. Then you can use the application name (in our case ise) in all other commands.

        ISE/admin# show application
        ise    Cisco Identity Services Engine
        ISE/admin#

    Check the ISE version

        ISE/admin# show application version ise
        Cisco Identity Services Engine
        ---------------------------------------------
        Version      : 1.1.0.665
        Build Date   : Wed Mar  7 22:51:03 2012
        Install Date : Wed Jan  2 17:12:33 2013

    The main version is 1.1 and the patch level is 665. The build depends on the development stage. By default ISE is in EVAL mode for 90 days. You can install a production license or use the evaluation license; you do not need to provide any license file for ISE to work.

    Check the status of ISE processes

        ISE/admin# show application status ise
        ISE Database listener is running, PID: 4166
        ISE Database is running, number of processes: 26
        ISE Application Server is running, PID: 5694
        ISE M&T Session Database is running, PID: 3826
        ISE M&T Log Collector is running, PID: 5921
        ISE M&T Log Processor is running, PID: 6005
        ISE M&T Alert Process is running, PID: 5840
        % WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
        % RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 64 GB


    If a process reports any status other than "is running", something is wrong with that particular ISE subsystem/process. To fix it you can try to restart the ISE application using application stop ise and then application start ise. Be patient, as it may take a while to start all ISE processes.

    Check the interface configuration and verify the IP address and netmask

        ISE/admin# show interface
        GigabitEthernet 0
                  Link encap:Ethernet  HWaddr 00:50:56:AE:A1:34
                  inet addr:172.31.1.20  Bcast:172.31.1.255  Mask:255.255.255.0
                  inet6 addr: fe80::250:56ff:feae:a134/64 Scope:Link
                  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                  RX packets:70970 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:90676 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:1000
                  RX bytes:8304352 (7.9 MiB)  TX bytes:15921119 (15.1 MiB)
                  Interrupt:59 Base address:0x2024

        lo        Link encap:Local Loopback
                  inet addr:127.0.0.1  Mask:255.0.0.0
                  inet6 addr: ::1/128 Scope:Host
                  UP LOOPBACK RUNNING  MTU:16436  Metric:1
                  RX packets:29034318 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:29034318 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:0
                  RX bytes:501930492 (478.6 MiB)  TX bytes:501930492 (478.6 MiB)

        sit0      Link encap:IPv6-in-IPv4
                  NOARP  MTU:1480  Metric:1
                  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                  collisions:0 txqueuelen:0
                  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    Make sure that you see RX and TX packets and that no error counters are increasing. This is the first indicator that something may be wrong with connectivity. If you do not see the GigabitEthernet0 interface, that usually means the interface is down. You may see more interfaces depending on the ISE installation; some interfaces may be used for profiling services.

    Check routing table and default gateway


        ISE/admin# show ip route
        Kernel IP routing table
        Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
        172.31.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
        0.0.0.0         172.31.1.1      0.0.0.0         UG    0      0        0 eth0

    Note that the command output still shows the interface as eth0. This name refers to the same interface as GigabitEthernet0.

    Check basic connectivity to the gateway and to other network elements

        ISE/admin# ping 172.31.1.1
        PING 172.31.1.1 (172.31.1.1) 56(84) bytes of data.
        64 bytes from 172.31.1.1: icmp_seq=1 ttl=255 time=0.853 ms
        64 bytes from 172.31.1.1: icmp_seq=2 ttl=255 time=0.810 ms
        64 bytes from 172.31.1.1: icmp_seq=3 ttl=255 time=0.776 ms
        64 bytes from 172.31.1.1: icmp_seq=4 ttl=255 time=0.886 ms

        --- 172.31.1.1 ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 3003ms
        rtt min/avg/max/mdev = 0.776/0.831/0.886/0.046 ms

        ISE/admin# ping 10.1.10.10
        PING 10.1.10.10 (10.1.10.10) 56(84) bytes of data.
        64 bytes from 10.1.10.10: icmp_seq=1 ttl=254 time=67.9 ms
        64 bytes from 10.1.10.10: icmp_seq=2 ttl=254 time=1.17 ms
        64 bytes from 10.1.10.10: icmp_seq=3 ttl=254 time=16.3 ms
        64 bytes from 10.1.10.10: icmp_seq=4 ttl=254 time=57.0 ms

        --- 10.1.10.10 ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 3001ms
        rtt min/avg/max/mdev = 1.172/35.622/67.910/27.663 ms

    You may not be able to reach the ASA firewall at this stage. If not, check whether the ASA has a static route to the 172.31.1.0/24 network configured.

        ISE/admin# ping 10.1.10.50
        PING 10.1.10.50 (10.1.10.50) 56(84) bytes of data.
        64 bytes from 10.1.10.50: icmp_seq=1 ttl=127 time=0.862 ms
        64 bytes from 10.1.10.50: icmp_seq=2 ttl=127 time=0.909 ms
        64 bytes from 10.1.10.50: icmp_seq=3 ttl=127 time=1.00 ms
        64 bytes from 10.1.10.50: icmp_seq=4 ttl=127 time=0.896 ms

        --- 10.1.10.50 ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 3002ms
        rtt min/avg/max/mdev = 0.862/0.917/1.004/0.064 ms

    Check the name server and domain configuration. Verify that DNS works by asking it to resolve the FQDN ise.micronics.local.

        ISE/admin# show running-config | inc name
        hostname ISE
        ip domain-name micronics.local
        ip name-server 172.31.1.200
        username admin password hash $1$pAzQ9DDO$zWBNlRgM8m1mlZPZLRh0Y1 role admin
        no-username

        ISE/admin# ping 172.31.1.200
        PING 172.31.1.200 (172.31.1.200) 56(84) bytes of data.
        64 bytes from 172.31.1.200: icmp_seq=1 ttl=128 time=0.345 ms
        64 bytes from 172.31.1.200: icmp_seq=2 ttl=128 time=0.348 ms
        64 bytes from 172.31.1.200: icmp_seq=3 ttl=128 time=0.382 ms
        64 bytes from 172.31.1.200: icmp_seq=4 ttl=128 time=0.417 ms

        --- 172.31.1.200 ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 3003ms
        rtt min/avg/max/mdev = 0.345/0.373/0.417/0.029 ms

        ISE/admin# nslookup ise.micronics.local
        Trying "ise.micronics.local"
        ;; ->>HEADER


        ISE/admin# show ntp
        Configured NTP Servers:
            172.31.1.1
        Unable to talk to NTP daemon. Is it running?
        % To restart NTP do 'no ntp server' followed by 'ntp server '

    If you experience the above issue, try to reapply the NTP server configuration.

        ISE/admin# conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        ISE/admin(config)# ntp server 172.31.1.1
        ISE/admin(config)# end

    NTP synchronization is very important, especially when ISE is part of an Active Directory domain. If you plan to join AD, the clocks of the Domain Controller and ISE must be synchronized; NTP-related issues cause most problems with AD integration. You can also check the application logs when syncing with NTP. Note that ISE may not synchronize with a source that is not reliable (a source that gets its time from its own local clock).

        ISE/admin# show ntp
        Configured NTP Servers:
            172.31.1.1
        unsynchronised
          time server re-starting
          polling server every 64 s
             remote           refid      st t when poll reach   delay   offset  jitter
        ==============================================================================
         127.127.1.0     .LOCL.          10 l    3   64    1    0.000    0.000   0.001
         172.31.1.1      LOCAL(1)         8 u    2   64    1    0.930   -0.146   0.001
        * Current time source, + Candidate

        Warning: Output results may conflict during periods of changing synchronization.

        ISE/admin# show ntp
        Configured NTP Servers:
            172.31.1.1
        synchronised to NTP server (172.31.1.1) at stratum 9
          time correct to within 944 ms
          polling server every 64 s
             remote           refid      st t when poll reach   delay   offset  jitter
        ==============================================================================
         127.127.1.0     .LOCL.          10 l   29   64   77    0.000    0.000   0.001
        *172.31.1.1      LOCAL(1)         8 u   26   64   77    0.778    0.357   0.529
        * Current time source, + Candidate

        Warning: Output results may conflict during periods of changing synchronization.
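Added example (not code from the workbook): health checks over the two outputs this verification tells you to inspect, the process list from show application status ise and the synchronization state from show ntp. The sample outputs are constructed from the text above; the "is not running" wording of the failure case is an assumption.

```python
"""Health checks over ISE CLI output (added example for Lab 2.6). Every
"ISE ..." line of 'show application status ise' must say "is running", and
'show ntp' must report the appliance synchronised; a selected peer whose
refid is LOCAL(n) or .LOCL. is fed by a local clock, which the lab says ISE
may refuse to trust. Sample outputs below are constructed from the lab."""
import re

def failed_processes(status_output: str) -> list:
    """Names of ISE subsystems whose status line does not say 'is running'."""
    failed = []
    for line in status_output.splitlines():
        if not line.startswith("ISE "):
            continue  # '%' warnings and blank lines are not process lines
        name, _, state = line.partition(" is ")
        if not state.startswith("running"):
            failed.append(name)
    return failed

def ntp_check(ntp_output: str) -> dict:
    """Summarise 'show ntp': daemon reachable, synchronised, to what, and
    whether the selected ('*') peer is itself driven by a local clock."""
    result = {"daemon_running": "Unable to talk to NTP daemon" not in ntp_output,
              "synchronised": False, "source": None, "stratum": None,
              "local_clock_source": False}
    m = re.search(r"synchronised to NTP server \((\S+)\) at stratum (\d+)", ntp_output)
    if m:
        result.update(synchronised=True, source=m.group(1), stratum=int(m.group(2)))
    for line in ntp_output.splitlines():
        peer = re.match(r"\*(\S+)\s+(\S+)\s+(\d+)\s+[lu]\s", line)  # '*' = current source
        if peer and re.fullmatch(r"LOCAL\(\d+\)|\.LOCL\.", peer.group(2)):
            result["local_clock_source"] = True
    return result

STATUS_OK = """ISE Database listener is running, PID: 4166
ISE Database is running, number of processes: 26
ISE Application Server is running, PID: 5694
ISE M&T Session Database is running, PID: 3826
ISE M&T Log Collector is running, PID: 5921
ISE M&T Log Processor is running, PID: 6005
ISE M&T Alert Process is running, PID: 5840
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
"""
# Constructed failure case: the exact "is not running" wording is assumed.
STATUS_BROKEN = STATUS_OK.replace("Application Server is running, PID: 5694",
                                  "Application Server is not running")

NTP_DOWN = """Configured NTP Servers:
    172.31.1.1
Unable to talk to NTP daemon. Is it running?
"""
NTP_SYNCED = """Configured NTP Servers:
    172.31.1.1
synchronised to NTP server (172.31.1.1) at stratum 9
   time correct to within 944 ms
   polling server every 64 s
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   29   64   77    0.000    0.000   0.001
*172.31.1.1      LOCAL(1)         8 u   26   64   77    0.778    0.357   0.529
* Current time source, + Candidate
"""
```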

    Connect through the GUI and check the license. Open up a web browser (IE or FF) and enter the following URL: https://172.31.1.20. Authenticate as admin/Micronics1.

    You may see the following message while connecting to the ISE for the first time. Pick Do not show this message again and then click OK.


    Check the deployment mode by selecting ise on the top right of the current window.

    To check the license, go to Administration -> System -> Licensing.


    LAB 2.7. Configure Wired 802.1x

    Objectives

    This lab shows how to configure 802.1x for a wired environment.

    IP Addressing and devices

    Device  Interface  IP address
    ISE     NIC        172.31.1.20
    R1      Lo0        1.1.1.1/32
            E0/0       10.1.10.1/24
            E0/1       172.31.1.1/24
    AD      NIC        172.31.1.200
    WinXP   NIC        10.1.10.50/24
    SW1     VLAN10     10.1.10.7/24

    Task

    There is a Windows 7 host connected to SW1 port 0/7 through the IP Phone. The IP Phone is authenticated using MAB configured in previous tasks. Configure the Win7 PC to use its native supplicant with PEAP/MS-CHAPv2 only. Use the Active Directory user employee1 and the computer account (member of the Domain Computers AD group) for authentication. Upon successful authentication the user and machine should get full access to the network. Enable 802.1x low impact mode on the port and allow only DHCP, DNS, TFTP and ICMP traffic. Ensure the following authentication order:

    o 802.1x
    o MAB

    The switch should time out the 802.1x authentication method after 15 seconds and allow only one MAC address to be seen behind the IP Phone. If there are more MAC addresses the switch should NOT authenticate them and should silently drop their packets.


    You can disable the Whitelist authorization rule and put the IP Phone back into the default Cisco-IP-Phone group.


    Configuration

    Complete these steps:

    Step 1 Switch configuration.

        !
        ip access-list extended DEFAULT
         remark DHCP
         permit udp any eq bootpc any eq bootps
         remark DNS
         permit udp any any eq domain
         remark TFTP
         permit udp any any eq tftp
         remark Ping
         permit icmp any any
        !
        interface GigabitEthernet0/7
         ip access-group DEFAULT in
         authentication open
         authentication order dot1x mab
         dot1x timeout tx-period 5
        !
        ip device tracking
        radius vsa send
        !
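Added example (not code from the workbook): a Python model of what the low-impact-mode port in Step 1 does before a session is authorized. It evaluates the DEFAULT pre-authentication ACL (first match wins, implicit deny at the end, as on IOS) against constructed flows, and computes the 802.1x-to-MAB fallback time as tx-period times (max-reauth-req + 1), which with the IOS default max-reauth-req of 2 and the configured tx-period of 5 gives the 15 seconds the task asks for.

```python
"""Pre-authentication behaviour of the Gi0/7 port in Lab 2.7 (added example).
Models the DEFAULT ACL applied with 'authentication open' and the dot1x
fallback timer. Flows below are constructed sample traffic."""
from dataclasses import dataclass

# IOS well-known UDP port names used in the ACL.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}

@dataclass(frozen=True)
class Flow:
    proto: str          # "udp", "tcp" or "icmp"
    src_port: int = 0
    dst_port: int = 0

# The DEFAULT ACL from Step 1, one tuple per permit line:
# (protocol, source port or None for "any", destination port or None for "any")
DEFAULT_ACL = [
    ("udp", PORT_NAMES["bootpc"], PORT_NAMES["bootps"]),  # remark DHCP
    ("udp", None, PORT_NAMES["domain"]),                  # remark DNS
    ("udp", None, PORT_NAMES["tftp"]),                    # remark TFTP
    ("icmp", None, None),                                 # remark Ping
]

def acl_permits(flow: Flow, acl=DEFAULT_ACL) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    for proto, sport, dport in acl:
        if flow.proto != proto:
            continue
        if sport is not None and flow.src_port != sport:
            continue
        if dport is not None and flow.dst_port != dport:
            continue
        return True
    return False

def dot1x_fallback_seconds(tx_period: int, max_reauth_req: int = 2) -> int:
    """Seconds a silent supplicant is given before the switch moves to the
    next method in 'authentication order' (here MAB)."""
    return tx_period * (max_reauth_req + 1)

def preauth_report(flows: dict) -> dict:
    """Map each named sample flow to whether the pre-auth ACL admits it."""
    return {name: acl_permits(flow) for name, flow in flows.items()}

SAMPLE_FLOWS = {  # constructed
    "dhcp discover":  Flow("udp", 68, 67),
    "dns query":      Flow("udp", 51000, 53),
    "tftp read":      Flow("udp", 51001, 69),
    "ping":           Flow("icmp"),
    "http":           Flow("tcp", 51002, 80),
    "dhcp wrong src": Flow("udp", 51003, 67),
}
```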

    Step 2 Create allowed protocols object. Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols and click Add. Enter PEAP_Only as name, pick Allow PEAP with Allow EAP-MS-CHAPv2, uncheck all other methods and click Submit.


    Step 3 Create authorization profile for AD clients to get full network access upon successful authorization. Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles and click Add. Enter AD_Success_Profile as name, pick the DACL Name checkbox and choose the default PERMIT_ALL_TRAFFIC from the drop-down list. Click Submit.


    Step 4 Move IP Phone MAC address to the default Identity Group and disable Whitelist authorization rule. Go to Administration > Identity Management > Identities > Endpoints and click Cisco-IP-Phone (an entry with IP Phone MAC address). Change the Identity Group Assignment to Cisco-IP-Phone. Click Save.


    Go to Policy > Authorization and click the Edit link next to the Whitelist rule. Click on the green icon and choose Disabled. Click Done and Save.

    Step 5 Add new authentication rule or edit default one. Go to Policy > Authentication and click the orange arrow next to Allowed Protocols in the Dot1X rule. Pick PEAP_Only from configure