Netmetric CCNP Security Workbook 2.0 ASA Initialization

Netmetric CCNP Security Workbook 2.
ASA Initialization
LAB 1 Basic ASA Configuration

Initialization Setup of ASA is similar as Router where you use a rollover cable to connect console
of ASA to com port of PC. Command Line Interface (CLI) here is little different from IOS Router but the
modes are similar as on Router, We have an Unprivileged Mode > This is the most basic level of access
to the Cisco Device, the first mode in which you can issue very few commands. To configure your ASA you
need to get in to Privileged Mode #.
Task-1 Getting Started With ASA

When we boot up the device we get into unprivileged mode from where we can view the details
of ASA, its supporting features, available interfaces and its Licensing etc...
ciscoasa>show version
Cisco ASA Security Appliance Software Version 8.4(2)
IOS Version of ASA
ciscoasa up 33 mins 30 secs
Uptime of device
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz

Internal ATA Compact Flash, 256MB
Licensed features for this platform:
Maximum Physical Interfaces
: Unlimited
Maximum VLANs
: 100
Inside Hosts
: Unlimited
Failover
: Disabled
VPN-DES
: Disabled
VPN-3DES-AES
: Disabled
Security Contexts
:0
GTP/GPRS
: Disabled
AnyConnect Premium Peers
: 5000
AnyConnect Essentials
: Disabled
Other VPN Peers
: 5000
Total VPN Peers
:0
Shared License
: Disabled
AnyConnect for Mobile
: Disabled
AnyConnect for Cisco VPN Phone
: Disabled
Advanced Endpoint Assessment
: Disabled
UC Phone Proxy Sessions
:2
Total UC Proxy Sessions
:2
This platform has an Restricted (R) license.
Configuration has not been modified since last system restart.
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
Netmetric CCNP Security Workbook 2.0
ASA Initialization
From unprivileged mode we can issue few more commands like ping, traceroute and login etc.
but to make any changes on the device or to configure device we need to get into privileged mode of
that device. From Unprivileged mode issue enable command to get into privileged mode
ciscoasa> enable
Password:
ciscoasa#
The default password on ASA is Blank <null> hit Enter when prompted
When you are in privileged mode now you can start configuring your device, When you are in
privileged mode of ASA you can issue all the commands to device, to make some configuration on
device you need to get into configure mode, you can get into configure mode by issuing configure
terminal command in privileged mode
ciscoasa# configure terminal
ciscoasa(config)# enable password cisco123
ciscoasa(config)# hostname ASA
ASA(config)#
Configuring Enable Password

Modifying Hostname
In the description of show version command you can view the licensing details of the device
which exhibits the capabilities of device functioning. ASA comes with two different licenses
Base License
Security plus License
By default ASA comes with Base License where few functions of ASA will be restricted or locked. To use
those functions we need to get an Activation Key from Cisco and Install it on Device.
ASA(config)# activation-key 0x000000000x000000000x000000000x00000000
The following features available in flash activation key are NOT
available in new activation key:
Failover is different.
flash activation key: Restricted(R)
new activation key: Unrestricted(UR)
Proceed with update flash activation key? [confirm]
Press Enter
WARNING: The running activation key was not updated with the requested key.
The flash activation key was updated with the requested key, and will become active after the next
reload.
ASA Initialization
Task-2 Configuring Interfaces as per following Credentials

Interface
GigabitEthernet 0
GigabitEthernet 1
GigabitEthernet 2
Ip Address
192.168.1.10
10.1.1.10
172.16.1.10
Name
Outside
Inside
DMZ
Security Level
0
100
50
Simply like a router, Interface configuration in ASA is done from interface mode only.
ASA(config)# interface GigabitEthernet 0
ASA(config-if)# ip address 192.168.1.10 255.0.0.0
ASA(config-if)# no shutdown
ASA(config-if)# interface GigabitEthernet 1
ASA(config-if)# ip address 172.16.1.10
But apart from configuring ip address in ASA we even have to configure Two more credentials
i.e. Name of interface and Trustiness of interface (Security Level). Where Name of the interface is the
any logical name (Like Inside, Outside, Private any name) given to the interface and throughout
configuration the interface will be called with that name not by their Physical names (Ethernet 0 or 1),
Assigning name to interface is mandatory. Even if you assign ip address until and unless you configure
name to it our interface will not function.
And security level is the value which defines the trustiness of an interface. The interface with
high security level value can communicate with low security value interfaces but low valued interface
cant initiate communication for high valued interfaces by default.
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# security-level 0

ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
Verification
ASA(config-if)# show running-config ip
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.1.10 255.255.255.0
!
nameif inside
security-level 100
ip address 10.1.1.10 255.0.0.0
!
nameif dmz
security-level 50
ip address 172.16.1.10 255.255.0.0
ASA Initialization
ASA identify only the word inside perfectly

when this name is assigned to any interface
automatically security level will be set to 100
Apart from inside any other name gets
security level 0 by default
Basic ASA Initialization - II
LAB 2 Default security policy modifications and ACL in ASA

ASA is a very advanced firewall which inspects all the TCP and UDP connections by
default from higher security level to lower security level. Apart from basic TCP and UDP
protocols we have other protocols which are given for inspection and the policy which inspects
those protocols is known as Default Inspection Policy.
Only the protocols and the services which are available in that default inspection policy
will be inspected by default from high security level to low security level. If we want the
inspection of some more services then in that case we have to add those services in default
inspection list or create our own separate policy of inspection
ASA always consider ICMP as an attack so by default there wont be any inspection for
ICMP services.
Configure the Ip addressing as per following credentials

Device
ASA
ASA
R1
R2
Interface
Ethernet 1
Ethernet 0
Fast Ethernet 0/0
Fast Ethernet 0/0
Name
Outside/0
Inside/100
---
Ip Address
10.1.1.10
192.168.1.10
192.168.1.1
10.1.1.1
Subnet Mask
255.0.0.0
255.255.255.0
255.255.255.0
255.0.0.0
Configure a default route on both the sides pointing towards ASA
Task 1 : Verify the Connectivity for telnet and ICMP
Lets make a connection of telnet from PC to Router R1

R1#telnet 192.168.1.10
Trying 192.168.1.10 ... Open
User Access Verification
Password:
R2>
As we have discussed above that ASA by default inspect all TCP and UDP traffic thats
why it allows only TCP and UCP communication whereas ICMP is not allowed by default
Because Telnet works with TCP protocol thats the reason your telnet connections are
allowed but default and not ICMP connections
Now check the connectivity from high security level to low security level i.e. from inside
to outside using ping
R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
If we see the output of the ping test then our ping packets are not being allowed even
from high security level to low security level where as per the basic rule of ASA its supposed to
allow that connection
Task 2 : Configure ASA to inspect ICMP traffic by modifying default inspection policy and
verify the Connectivity for ICMP
We can see the default inspection policy in running configuration of device

ASA# show running-config
: Saved
.
.
!
class-mapinspection_default
match default-inspection-traffic
!
!
policy-mapglobal_policy
classinspection_default
inspectdnspreset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspectsunrpc
inspectxdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policyglobal_policy global
:
: end
Services available by default
To modify this default inspection policy we have to get into that class
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)#
We can modify the policy after getting into that policy
To add ICMP inspection into the policy
ASA(config-pmap-c)# inspect icmp
As soon as we start ICMP inspection our ASA starts inspection of ICMP traffic and now
icmp traffic will flow from High security level to low security level
R1#ping 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/80 ms
To remove any service from default inspection
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect icmp
As soon as we remove the inspection of ICMP again ICMP Traffic is not allowed to
transact
PC#ping 192.168.1.10
.....
Task 3 : Configure ASA to allow ICMP traffic using Access-list. Dont modify default inspection
policy.
As we know ASA allow all the traffic from high security level to low security level by default
that means even ICMP echo packets which are initiated from inside subnet is allowed to go to outside
subnet. But the echo-reply packets which are sent in response to echo are will be blocked because they
are being initiated from low security level to high as there is no inspection for ICMP.
As we are interested in using access list let's not make any changes with inspection policy
than we can allow the ICMP packets from outside using Access-list
Here we are creating an access-list to allow icmp traffic
ASA(config)# access-list out_in permit icmp any any
Now we have to apply that access-list on outside interface in inbound direction so that all the
icmp traffic which is generated from that interface is allowed in to device
By this the echo-reply which is generated in respond to echoes from inside is allowed to go to
outside
ASA(config)# access-group out_in interface outside
Verification
R1#ping 192.168.1.10
!!!!!
ALC and Object Groups
LAB 3 Object Groups in ACL

We may come across various situations where we configure access-lists with
multiple numbers entries defining hosts and services and each time we want to add a
particular host or service then we will add one more entry to that access-list. The entries
made here are known as Access-Control Entries. As the number of entries increases in the
access-list it will increase difficulty in managing and modifying access-lists. To ease the
management of access-list here Cisco came up with a new tool called as object-group.
Object Group here allows you to group similar entities under a single object and you
are allowed to use those object groups in access-list
We have 4 types of object-groups
i. Network type Object Group
ii. Services type Object Group
iii. Protocols type Object Group
iv. Icmp type Object Group

Device
ASA
ASA
R1
R2
R2
R2
R2
Interface
GigabitEthernet0
GigabitEthernet1
Fast Ethernet 0/0
FastEthernet 0/0
Loopback 0
Loopback 1
Loopback 2
Name
Outside/0
Inside/100
------
Ip Address
10.1.1.10
192.168.1.10
10.1.1.1
192.168.1.1
21.1.1.1
22.1.1.1
23.1.1.1
Subnet Mask
255.0.0.0
255.255.255.0
255.0.0.0
255.255.255.0
255.0.0.0
255.0.0.0
255.0.0.0
R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.10

R2(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.10
Configure a default route on ASA pointing towards Router R2 to make the connectivity
for loopbacks
ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1
Verify Routing and connectivity

R1#ping 192.168.1.1
!!!!!
R1#ping 21.1.1.1
!!!!!
R1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R2>
R1#telnet 23.1.1.1
Trying 23.1.1.1 ... Open
R2>
Task 1 : Configure an Access-list on ASA to restrict the traffic from inside subnet to hosts
21.1.1.1 , 22.1.1.1 and 23.1.1.1 using http, ftp & telnet services.
We are very familiar with access-list and its services
But in ASA the access-list is little different from your router. In ASA we dont configure
access-list with numbers but we do it with Names
We have to configure multiple access-entries to achieve our required task
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq http
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet
ASA(config)# access-list in-out permit ip any any
Apply the access-list using access-group option in global configuration mode

ASA(config)# access-group in-out in interface inside
As the access-list is applied over interface it denies the traffic matching ACL
R1#telnet 23.1.1.1
Trying 23.1.1.1 ...
% Connection refused by remote host
and the traffic not matching to access-list is allowed.
R1#ping 23.1.1.1
!!!!!
Task 2 : Rewrite the above created access-list using objects groups

Steps to configure
1. Create an object group of network type and add the hosts
2. Create another object group of type services and add desired services
3. Use those object groups in Access-list
Creating network type object group to catch hosts and network
ASA(config)# object-group network nw-host
ASA(config-network)# network-object host 21.1.1.1
Creating a services type object group with tcp protocol as all our required services
(http, ftp & telnet) belongs to tcp.
ASA(config)# object-group service serv-obj tcp
ASA(config-service)# port-object eq http
ASA(config-service)# port-object eq ftp
ASA(config-service)# port-object eq telnet
Using those object groups in access list
Service object
Group
ASA(config)# access-list obj-acl permit tcp any object-group nw-host object-group serv-obj
Name of ACL
Application of access-list on interface inside in inbound direction

ASA(config)# access-group obj-acl in interface inside
Network object group
Verification
ASA(config)# show run object-group
object-group network nw-host
network-object host 21.1.1.1
object-group service serv-obj tcp
port-object eq www
port-object eq ftp
port-object eq telnet
ASA(config)# show access-list
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 object-group nw-host object-group serv-obj
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq www
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet
R1#telnet 21.1.1.1
Trying 21.1.1.1 ...
R1#telnet 22.1.1.1
Trying 22.1.1.1 ...
R1#telnet 23.1.1.1
Trying 23.1.1.1 ...
Time Based Access control using ACL
LAB 4 Time Based ACL

We may come across a situation where well be willing to control the users on the basis
of time
Access-list can be configured to be active on the basis of time. When we configure our
Access-list based on time then in a particular interested time slot the access-list will be active.
To configure a Time based Access-list we have to create a time-range first.
Time range is a tool where we are allowed to define the time. We can define time with two
different options
=> Absolute
=> Periodic
Using option Absolute we define the starting and ending date whereas using periodic we
define the time

Device
ASA
ASA
R1
R2
Interface
GigabitEthernet0
GigabitEthernet1
Fast Ethernet 0/0
FastEthernet 0/0
Name
Outside/0
Inside/100
---
Ip Address
10.1.1.10
192.168.1.10
10.1.1.1
192.168.1.1
Subnet Mask
255.0.0.0
255.255.255.0
255.0.0.0
255.255.255.0
Task 1 : Configure an access-list by the name Time-Acl to permit the entire host from inside
subnet to outside only from 10:00 am to 05:00 pm in between 1 Oct 2011 to 31 Oct 2011
Steps to configure:
Create a Time range by above given credentials

Configure an access-list and associate the time range with that access-list
Apply the access over an interface
Creating time-range .
ASA(config)# time-range t-range

ASA(config-time-range)#
By the above command we have created a time-range with the name t-range. After
creating the time range we have to configure the time range as per given credentials.
To define the date of time-range we use absolute option
ASA(config-time-range)# absolute start 00:00 1 Oct 2012 end 00:00 31 Oct 2012
When we are using absolute option to define the time in time range as soon as the end
time meets the access-list will be invalid forever. To define a periodic time we use option
periodic
ASA(config-time-range)# periodic daily 10:00 to 17:00
Using Periodic option in time range we define our clock time in 24 hours format.
ASA(config-time-range)# periodic daily 10:00 to 17:00
ASA(config-time-range)#exit
Verify the configured Time-range

ASA(config)# sh run time-range
!
time-range t-range
absolute start 00:00 01 October 2012 end 00:00 31 October 2012
periodic daily 10:00 to 17:00
!
Configuring an access-list using Time-range

ASA(config)# access-list Time-Acl permit ip any any time-range t-range
ASA(config)# access-list Time-Acl deny ip any any
ASA(config)# show clock

15:52:57.756 UTC Fri Oct 21 2012
access-list time-acl; 2 elements
access-list time-acl line 1 extended permit ip any any time-range t-range (hitcnt=0) 0xcaf6f246
access-list time-acl line 2 extended deny ip any any (hitcnt=0) 0xb2c8c2d9

Because the clock is as per the time range we can see that both the entries in access-list
is active
To verify lets change the clock of our device
ASA(config)# clock set 12:00:00 1 nov 2012
ASA(config)# show clock
As soon as the absolute option is met
12:00:11.410 UTC Wed Nov 1 2012
access-list will be inactive
access-list time-acl; 2 elements
access-list time-acl line 1 extended permit ip any any time-range t-range (hitcnt=0) (inactive)
access-list time-acl line 2 extended deny ip any any (hitcnt=0) 0xb2c8c2d9
Remote Access of ASA
LAB 5 Remote Access of ASA

local access of ASA can be done using console port but when there is need of accessing
ASA from remote location we need to use virtual Terminal lines (VTY) of ASA which are blocked
by default to make use of remote access of ASA we need to configure those Virtual Terminal
lines
Remote Access of ASA can be fetched using Telnet, SSH and HTTP

Device
ASA
ASA
R1
R2
PC
Interface
Name
Ip Address
Subnet Mask
GigabitEthernet0
Outside/0
10.1.1.10
255.0.0.0
GigabitEthernet1
Inside/100
192.168.1.10
255.255.255.0
Fast Ethernet 0/0 - 10.1.1.1
255.0.0.0
FastEthernet 0/0
-192.168.1.1
255.255.255.0
NIC
-10.1.1.5
255.0.0.0
R1#ping 10.1.1.10
!!!!!
R1#telnet 10.1.1.10
Trying 10.1.1.10 ...
% Connection timed out; remote host not responding
Task 1 : Configure ASA to display a banner whenever a user logins to device.

ASA(config)# banner login Welcome to CCNP Security Lab of ASA Firewall
ASA(config)# show run banner

banner login Welcome to CCNP Security Lab of ASA Firewall
Task 2 : Configure ASA to accept telnet connections from host 10.1.1.1 from inside interface.
As telnet is disable by default over ASA we need to enable it as follows
ASA(config)# telnet 10.1.1.1 255.255.255.255 inside
herein we define which subnet is allowed to access and from which interface the access
should be granted.
Verification:
R1#telnet 10.1.1.10
Welcome to CCNP Security Lab of ASA Firewall
Password: cisco
Type help or '?' for a list of available commands.
ASA>
Default password for telnet access to ASA is set as cisco
R2#telnet 192.168.1.10
Trying 192.168.1.10 ...
% Connection timed out; remote host not responding
Telnet access from outside interface is still not allowed
Task 3 : Set the telnet access password of ASA to "netadmin"

Command to modify telnet password is "passwd"
ASA(config)# passwd netadmin
R1#telnet 10.1.1.10
Welcome to CCNP Security Lab of ASA Firewall
Password:netadmin
ASA>
Task 4 : Create a user Account on ASA and configure ASA to accept telnet connection on basis
of user accounts
Creating User Account on ASA
ASA(config)# username user1 password cisco123
Applying Authentication of local database over telnet

ASA(config)# aaa authentication telnet console LOCAL
Verification:
R1#telnet 10.1.1.10
Username: user1
Password: cisco123
ASA>
Task 5 : Configure ASA to allow the SSH access from outside interface for any one with user
account
As SSH make use of encryption its must that we generate RSA keys to activate SSH over
any device
Generating RSA Keys
ASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
SSH can be accessed only using user account only thus create a user account for
accessing of SSH and configure SSH authentication for Local database.
Verify existence of a user account if account is not available create a new account
Set the SSH authentication system to LOCAL dataase
ASA(config)# aaa authentication ssh console LOCAL
Allow SSH access for everyone from outside interface
ASA(config)# ssh 0.0.0.0 0.0.0.0 outside
SSH can be initiated from any address over outside interface as the default network is
permitted.
Verification:
R2#ssh -l user1 192.168.1.10
Password:cisco123
ASA>
Task 6 : Enable HTTP Access of ASA and access firewall using Cisco ASDM.
Enable the access of HTTP over ASA
ASA(config)# http server enable
Even after enabling HTTP services over ASA, ASA does not allow anyone to access its
ASDM Administrator need to authorize the users for access of ASDM (GUI)
Authorizing user 10.1.1.5 to access HTTP
ASA(config)# http 10.1.1.5 255.255.255.255 inside
If user account is not available create an user account
* Check the availability of ASDM image file in ASA flash

ASA(config)# show flash:
--#-- --length-- -----date/time------ path
:
12 15841428 Jan 16 2012 19:35:19 asdm-641.bin
:
Open a Browser from computer and go to Url=https://10.1.1.10
Select Proceed anyways and then Install ASDM Launcher
After Downloading and installing ASDM Launcher to computer Run Cisco ASDM Launcher
Provide the mandatory details such as Device address, username and password
And ASDM loads successfully
Routing over ASA
LAB 6 Dynamic Routing over ASA

Adaptive Security Appliance is designed in such a way that it is capable of performing
task of multiple network devices as Router, Firewall as well as VPN Concentrator.
So we can even make use of dynamic routing protocols to form our network using ASA.
Support of Dynamic Routing was not available in PIX Series its introduced in ASA in IOS version 7.0
ASA Supports 3 majorly used Dynamic routing Protocols
RIP
EIGRP
OSPF
Note: ASA is not capable of running multiple instances of EIGRP
Device
ASA
ASA
ASA
R1
R1
R1
R2
R2
R2
R3
R3
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Loopback 1
Fast Ethernet 0/0
Loopback 0
Loopback 1
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
---------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
12.12.12.12
192.168.1.1
22.22.22.22
23.23.23.23
172.16.1.1
33.33.33.33
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.0.0.0
255.255.0.0
255.255.255
Configure Default Route over all Routers pointing towards ASA
Routing over ASA
Task 1 : Configure Static Routes over ASA to make the subnets over outside interface reachable.

Verification:
ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
S
C
S
C
C
23.0.0.0 255.0.0.0 [1/0] via 192.168.1.1, outside

172.16.0.0 255.255.0.0 is directly connected, DMZ
22.0.0.0 255.0.0.0 [1/0] via 192.168.1.1, outside
10.0.0.0 255.0.0.0 is directly connected, inside
192.168.1.0 255.255.255.0 is directly connected, outside
ASA# ping 22.22.22.22

!!!!!
ASA# ping 23.23.23.23
!!!!!
Task 2 : Clear all the Static Routes on ASA
ASA(config)# clear configure Route
ASA# show route

C 172.16.0.0 255.255.0.0 is directly connected, DMZ
C 10.0.0.0 255.0.0.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, outside
Routing over ASA
Task 3 : Configure a Default Route on ASA to make all the Destinations reachable via Router R2

or
ASA(config)# route outside
192.168.1.1
ASA(config)# show route

* - candidate default,.
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
C
C
C
S*

0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
Routing over ASA
Task 4 : Configure RIP between Router R1 and ASA and make loopback addresses on Router R1
Reachable from ASA
Configuring RIP over ASA
ASA(config)# router rip
ASA(config-router)# network 10.0.0.0
ASA(config-router)# version 2
Configuring RIP over Router R1
R1(config)#router rip
R1(config-router)#network 11.0.0.0
R1(config-router)#version 2
Verification:
ASA(config-router)# show route
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
C
C
R
R
C
S*

11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:10, inside
12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:02, inside
0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
Routing over ASA
Task 5: Configure EIGRP AS 100 Between ASA and Router R3 and make loopback addresses on R3
reachable by ASA
Configuring EIGRP over ASA

ASA(config-router)# router eigrp 100
ASA(config-router)# network 172.16.1.10
Configuring EIGRP over Router R3
R3(config)#router Eigrp 100
*Mar 1 17:05:33.507: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.16.1.10 (FastEthernet0/0) is up: new adjacency
ASA(config)# show eigrp neighbors

EIGRP-IPv4 neighbors for process 100
H Address
Interface
(sec)
0 172.16.1.1
Et2
Hold
(ms)
14
Uptime
Cnt
00:00:51
SRTT
Num
20

D
C
C
R
R
C
S*
33.0.0.0 255.0.0.0 [90/158720] via 172.16.1.1, 0:01:33, DMZ

11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:05, inside
12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:05, inside
0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
RTO Q Seq
200 0 3
Routing over ASA
Task 6: Configure OSPF process 1 on outside interface of ASA and Router R2.
Configuring OSPF over ASA
ASA(config)# router ospf 1
ASA(config-router)# network 192.168.1.0 255.255.255.0 a 0
Advertise networks in OSPF Using subnet mask as ASA never use Wildcard Bits in configurations
R2(config)#router ospf 1
R2(config-router)#network 192.168.1.0 0.0.0.255 a 0
R2(config-router)#network 22.0.0.0 0.255.255.255 area 0
R2(config-router)# network 23.0.0.0 0.255.255.255 area 0
D
O
C
O
C
R
R
C
S*
33.0.0.0 255.0.0.0 [90/156160] via 172.16.1.1, 3:00:50, DMZ

23.23.23.23 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside
22.22.22.22 255.255.255.255 [110/11] via 192.168.1.1, 2:57:35, outside
11.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside
12.0.0.0 255.0.0.0 [120/1] via 10.1.1.1, 0:00:16, inside
0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
ASA# show ospf neighbor
Neighbor ID
23.23.23.23
Pri State
1 FULL/DR
Dead Time Address

0:00:38
192.168.1.1
Interface
inside
Routing over ASA
Task 7 : Redistribute the Routing information between RIP and EIGRP and verify the routing updates
Redistributing EIGRP into RIP
ASA(config)# router rip
ASA(config-router)# redistribute eigrp 100
ASA(config-router)# redistribute eigrp 100 metric 2
Redistributing RIP into EIGRP
ASA(config)# Router eigrp 100
ASA(config-router)# redistribute rip metric 128000 100 150 150 2000
Verification:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
* - candidate default, U - per-user static route
R
R
C
C
C
S*
33.0.0.0/8 [120/2] via 10.1.1.10, 00:00:21, FastEthernet0/0

172.16.0.0/16 [120/2] via 10.1.1.10, 00:00:21, FastEthernet0/0
10.0.0.0/8 is directly connected, FastEthernet0/0
11.0.0.0/8 is directly connected, Loopback0
0.0.0.0/0 [1/0] via 10.1.1.10
R3#show ip route
Codes: C - connected, S - static, D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
* - candidate default.
C 33.0.0.0/8 is directly connected, Loopback0
C 172.16.0.0/16 is directly connected, FastEthernet0/0
D EX 10.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 172.16.1.10
Basic NAT over ASA 8.0
LAB 7 Basic NAT with ASA 8.0

Network Address Translation is process of changing Source and destination addresses in ip
Packet in order to provide connectivity to between Private IP Address Space and Public IP and also to
facilitate multiple host to make use of single IP Address to access Internet Services.
Configure
addressing as per
the Ip
following credentials
Device
ASA
ASA
ASA
R1
R1
R2
R2
R3
R3
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
-------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
192.168.1.1
22.22.22.22
172.16.1.1
33.33.33.33
Configure Routing and allow ICMP Inspection

R1#ping 22.22.22.22
!!!!!
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
255.255.255
Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside
interface towards outside .
When Ever a single IP is translated to another IP and translation of which is defined by
administrator manually it's called as Static Translation
Over ASA 8.0 all static translations are defined using STATIC keyword,
Configuring Static Translations over ASA
ASA80(config)# static (inside,outside) 55.56.57.58 10.1.1.1
Verification:
To view the current translations on ASA
ASA80(config)# show xlate
1 in use, 1 most used
Global 55.56.57.58 Local 10.1.1.1
interface towards DMZ.
ASA80(config)# static (inside,DMZ) 71.72.73.74 10.1.1.1
Verification:
Global 71.72.73.74 Local 10.1.1.1
Global 55.56.57.58 Local 10.1.1.1
Task 3 : Clear All the Static Translations Over ASA
To clear all the static translations over ASA at once
ASA80(config)# clear configure static
Verification:
Task 4 : Translate all the Host in 10.0.0.0/8 subnet to an ip address pool 172.16.1.50 - 172.16.1.60
when the traffic of inside interface destinies to any ip of DMZ subnets.
when ever we want to translate a group of address to another group we make use of dynamic
translation.
Process of Dynamic Address Translation is divided into two Steps
Define the original Address pool need to be translated

Define the translated address also known as Mapped Address Pool
Definition of Original IP addresses which are supposed to be translated are always defined using
NAT option
ASA80(config)# nat (inside) 2 10.0.0.0 255.0.0.0

Note : Number 2 in the command notates NAT ID which can be any number ranging (0-2147483647) the
same number should be used to map the translated Address pool.
Definition of Translated Address pool is done using Global option with same NAT ID used in NAT
option
ASA80(config)# global (DMZ) 2 172.16.1.50-172.16.1.60
As we use the same NAT ID the both NAT and GLOBAL pools binds together
verification:
R1#ping 33.33.33.33
.!!!!

Global 172.16.1.60 Local 10.1.1.1
Task 5: Translate all the Host connected to inside interface to an single ip address 192.168.1.99 when
the traffic of inside interface destinies to any ip of Outside subnet
PAT : Whenever we translate multiple IP Address with single IP Along with IP addresses even port
numbers get translated such translations are defined as Port Address Translations
To Translate All the traffic we can use the default subnet
ASA80(config)# nat (inside)
0.0.0.0 0.0.0.0
In ASA we have privilege to replace default subnet 0.0.0.0 with a single "0" thus above statement
can be even defined as follows
ASA80(config)# nat (inside) 5 0
Defining Translated Address

ASA80(config)# global (outside) 5 192.168.1.99
INFO: Global 192.168.1.99 will be Port Address Translated
whenever a single ip address is defined as a translated IP ASA automatically consider it as PAT no
extra options are required
Verification:
R1#ping 22.22.22.22
!!!!!
R1#ping 23.23.23.23 source loopback 0
Packet sent with a source address of 11.11.11.11
.!!!!
PAT Global 192.168.1.99(38897) Local 11.11.11.11 ICMP id 23
Advanced NAT over ASA 8.0
LAB 8 Advanced NAT with ASA 8.0

Network Address Translation is process of changing Source and destination addresses in ip
Packet in order to provide connectivity to between Private IP Address Space and Public IP and also to
facilitate multiple host to make use of single IP Address to access Internet Services.

Device
ASA
ASA
ASA
R1
R1
R2
R2
R3
R3
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
-------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
192.168.1.1
22.22.22.22
172.16.1.1
33.33.33.33
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
255.255.255

R1#ping 22.22.22.22
!!!!!
Clear all the configurations of previous LAB Before proceeding with this LAB
Task 1 : Configure ASA to enforce translation over all the traffic such that only traffic which is
translated should bypass ASA rest should be denied.
A Special feature of PIX device was to enforce the translation on all the traffic, which has been
even inherited into ASA 8.0 by name NAT-CONTROL
Before Enabling NAT-CONTROL
R1#ping 22.22.22.22
!!!!!
R1#ping 33.33.33.33
!!!!!
To enable NAT control over ASA
ASA80(config)# nat-control
Verification:
R1#ping 22.22.22.22
.....
R1#ping 33.33.33.33 source 11.11.11.11
.....
Task 2 : Bypass the host 10.1.1.1 from Nat-Control and make sure that the host can communicate to
any other subnet without translation even when NAT Control is enabled.
NAT with ID 0 is dedicated to define no address translation, when ever NAT is to be bypassed for
some host or subnets we need to define them in Nat option only with id "0"
ASA80(config)# nat (inside) 0 10.1.1.1 255.255.255.255

nat 0 10.1.1.1 will be identity translated for outbound
0 indicates no address translation or also known as NAT Exemption

R1#ping 22.22.22.22
!!!!!
R1#ping 33.33.33.33
!!!!!
Global 10.1.1.1 Local 10.1.1.1
Global 10.1.1.1 Local 10.1.1.1
Traffic generated from other host still gets blocked due to NAT-CONTROL
R1#ping 33.33.33.33 source 11.11.11.11
.....
Task 3 : Translate traffic of 11.11.11.11 from inside subnet to 202.11.59.19 when it destinies only to
host 23.23.23.23 on outside interface
Whenever a condition is added into translations such translations are known as Policy based
translations where we define the desired condition of translation using an access-list
Creating Access-list to define the condition of translation
ASA80(config)# access-list nat1 permit ip host 11.11.11.11 host 23.23.23.23
we have created an access by name nat1 which map the traffic between host 11.11.11.11 to
23.23.23.23
Binding that access-list to NAT statement and enforcing translations only on access-list
ASA80(config)# nat (inside) 9 access-list nat1
ASA80(config)# global (outside) 9 202.11.59.19
INFO: Global 202.11.59.19 will be Port Address Translated
Verification:
R1#ping 23.23.23.23 source 11.11.11.11
!!!!!
The Same Host can't reach other destinations as they are not matching ACL in nat option.
R1#ping 22.22.22.22 source 11.11.11.11
.....
LAB 9 Basic NAT with ASA 8.4

From ASA Ver. 8.4 Cisco introduced new methods of making Network Address Translations over
ASA using Objects. All the translations are made based on network objects. legacy commands like static
and global have been eliminated and all translations happens using single command NAT.

Device
ASA
ASA
ASA
R1
R1
R2
R2
R3
R3
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
-------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
192.168.1.1
22.22.22.22
172.16.1.1
33.33.33.33

R1#ping 22.22.22.22
!!!!!
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
255.255.255
interface towards outside .
For all the translations we need to create objects defining the traffic participating in translations
and the translation are applied over the objects not on traffic directly.
For purpose of Translations specially two types of objects have been introduced
Network
Service
Network type object is designed to define IP address, Subnet or Range of IP 's

Service type object is used to define services of TCP or UDP
For static translation we need two different objects defining individual host in each
Creating Network Objects
ASA84(config)# object network host-in
ASA84(config-network-object)# host 10.1.1.1
ASA84(config-network-object)# exit
Object named host-in have been created for host 10.1.1.1, another object for mapped ip is to be created
ASA84(config)# object network mapped-out
Making Static translations over objects
ASA84(config)# nat (inside,outside) source static host-in mapped-out
Verification:
ASA84(config)# show run object
object network host-in
host 10.1.1.1
object network mapped-out
host 55.56.57.58
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:55.56.57.58
flags s idle 0:00:56 timeout 0:00:00
interface towards DMZ.
Creating Object to define new mapped ip address
ASA84(config)# object network map-dmz
Defining Translation
ASA84(config)# nat (inside,DMZ) source static host-in map-dmz
Verification:
ASA84(config)# sh xlate
NAT from inside:10.1.1.1 to DMZ:71.72.73.74
ASA84(config)# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static host-in mapped-out
translate_hits = 0, untranslate_hits = 0
2 (inside) to (DMZ) source static host-in map-dmz
ASA84(config)# show run nat
nat (inside,outside) source static host-in mapped-out
nat (inside,DMZ) source static host-in map-dmz
Task 3 : Clear All the Static Translations Over ASA
ASA84(config)# clear configure nat
Task 4 : Translate all the Host in 10.0.0.0/8 subnet to an ip address pool 172.16.1.50 - 172.16.1.60
when the traffic of inside interface destinies to any ip of DMZ subnets.
ASA84(config)# object network subnet-in
ASA84(config-network-object)# subnet 10.0.0.0 255.0.0.0
ASA84(config)# object network isp-range
ASA84(config-network-object)# range 172.16.1.50 172.16.1.60
Defining Translations
ASA84(config)# nat (inside,DMZ) source dynamic subnet-in isp-range
NAT from inside:10.1.1.1 to DMZ:172.16.1.59 flags i idle 0:00:13 timeout 3:00:00
1 (inside) to (DMZ) source dynamic subnet-in isp-range
Task 5: Translate all the Host connected to inside interface to an single ip address 192.168.1.99 when
the traffic of inside interface destinies to any ip of Outside subnet
creating a new object to define the mapped address
ASA84(config)# object network pat-ip
Defining Translation
ASA84(config)# nat (inside,outside) source dynamic any pat-pool pat-ip
Verification:
ICMP PAT from inside:10.1.1.1/52 to outside:192.168.1.99/52 flags ri idle 0:00:06 timeout 0:00:30
LAB 10 Advanced NAT with ASA 8.4

Along with NAT based on object groups ASA 8.4 introduced advanced options called as AutoNAT
where Translations are defined inside the objects itself.

Device
ASA
ASA
ASA
R1
R1
R2
R2
R3
R3
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
-------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
192.168.1.1
22.22.22.22
172.16.1.1
33.33.33.33

R1#ping 22.22.22.22
!!!!!
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
255.255.255
interface towards outside using ASA auto NAT .
Auto NAT is the translation statements when defined inside of objects

ASA84(config)# object network host-in
ASA84(config-network-object)# nat (inside,outside) static 55.56.57.58
Verification
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static host-in 55.56.57.58
ASA84(config)# show run object
host 10.1.1.1
ASA84(config)# show run nat
!
nat (inside,outside) static 55.56.57.58
Task 2 : Configure ASA to translate any IP address sourced from any interface to the outside interface
ip of ASA.
ASA84(config)# nat (any,outside) source dynamic any interface
above option translate any IP sourcing any interface destinies to outside to IP address which is
assigned on interface outside.
1 (any) to (outside) source dynamic any interface
R3#ping 22.22.22.22
!!!!!
ICMP PAT from any:172.16.1.1/0 to outside:192.168.1.10/31798 flags ri idle 0:00:04 timeout 0:00:30
Content Filtering over ASA
LAB 11 Java, Active X & Web Filtering

Java and Active X are considered as beautiful programming languages but if we look at the other
side of these languages they are used heavily to write scripts to hack the system.
Usually these scripts are allowed into your network as they are a kind of text document but Cisco made
ASA so intelligent that it can identify as well as filter the traffic of following specific types
Active x
ftp,
https
java & url
Task 1 : Configure ASA such that it filters all the web traffic for inside subnet and drops the packets
which contain the java program
ASA make use of option filter to filter a specific data type in a service.
ASA(config)# filter java http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
Service to be filtered
Inside Subnet
Outside Subnet
Any host from 10.0.0.0/8 subnet can't download or upload any java program
Content Filtering over ASA
Task 2: Configure ASA such that it filters all the web and FTP traffic on all subnets and drops the
packets which contain the Active-x program.
ASA(config)# filter activex http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

ASA(config)# filter activex ftp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
Task 3 :Configure a web sense URL Filter server in Inside subnet on ip address of 10.0.1.11. Make
configurations on ASA such that it filters all the web traffic from inside subnets for URL using that URL
Filter server
ASA is not so flexible in filtering URLs on it more granularly, so ASA make help from other
supporting URL Filters to filter the web traffic for their URL.
ASA support only two URL Filters namely web sense & smart filter.
ASA(config)# url-server (inside) vendor websense host 10.0.1.11
ASA(config)# filter url http 1.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
LAB 12 Modular Policy Framework

When we call the interconnection of people as a network then we have different type
of people available in network and all the people who utilize the network are not same. Basically I
just want to say we have multiple types of users available in a same network but we always want our
network to behave uniquely for each user example a normal user should be restricted with a certain
bandwidth but a superior user should get a high bandwidth .This is how we always desire that
behavior of the same network should change depending on the user and the usage.
To facilitate us by this desired functionality of network we have a full framework available
which is called as Modular Policy Framework (MPF).Majorly MPF is depended on its three
components
1. Class-Map where we catch interesting traffic
2. Policy-Map Where We define Desired Action On interesting traffic
3. Service-Policy where we apply the condition on select interface
Interface Configuration on ASA and Other devices

Interface
Ethernet 0
Ethernet 1
Ethernet 2
Ip Address
192.168.1.10
10.1.1.10
172.16.1.10
Name
Outside
Inside
DMZ
Security Level
0
100
50
Device
R1
R2
Interface
FastEthernet 0/0
Fast Ethernet 0/0
Ip Address
10.0.1.10
192.168.1.10
Subnet Mask
255.0.0.0
255.255.255.0
R3
Fast Ethernet 0/0
172.16.0.10
255.255.0.0
Configure a default Route on both the routers pointing towards ASA
TASK 1
Configure ASA to catch the traffic from inside subnet and restrict the bandwidth usage to 8000
bits per second when its destination is R2
Steps to configure:1. Create a class-map
2. Create a policy-map
3. Define Service-policy
A class-map is a tool used to catch interesting on more granular level where we are allowed not
only to catch interesting traffic on the basis of layer 3 addresses (ip address) but even we can catch the
traffic not only by access-list but even by Its Precedence, Tunnel group, RTP and DSCP values as well.
Create an access-list to define flow of traffic here we want to catch the traffic when its starting
from Inside subnet and visiting Site-A
ASA(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
Create a class-map with any name and call the access-list in class-map
ASA(config)# class-map c-map
ASA(config-cmap)# match access-list 101
ASA(config-cmap)# exit
Now we are done with catching of interesting traffic then our next step is to define the action
over that interesting traffic to do that we are creating a policy-map
Policy map is a place where we define our desired action on the cached interesting traffic where
you have more granular options available apart from permitting and denying traffic. You have actions
like police, priority and inspect etc...
ASA(config)# policy-map p-map
We created a policy map with the name p-map here then under that policy-map we are
calling the class-map which we created. By this well binding our class-map and our policy-map then we
define the action over that
ASA(config-pmap)# class c-map
ASA(config-pmap-c)# police input 8000
Final step our configuration is to apply the created policy here we can apply the policy over a
single interface or globally over all interfaces
ASA(config)# service-policy p-map interface outside
Verification
We can verify our applied policy by generating an extended Ping for the destination of Site-A
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.10
Repeat count [5]: 30
Datagram size [100]: 1000
Increase the size of datagram to generate huge traffic
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
!!.!!.!!.!.!!.!.!!.!!.!.!!.!!.
Here we can observe the packet drop when they are exceeding policy
If we further Increase the size of datagram then more packets gets droped
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.10
Repeat count [5]: 30
Datagram size [100]: 2000
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
!.!..!..!...!...!...!..!...!..
TASK 2
Configure ASA to catch the telnet traffic from inside subnet and prioritize that when its
destination is R3
Create a class map to catch telnet traffic here I am catching the traffic using an extended ACL
ASA(config)#access-list 102 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0eq telnet
ASA(config)# class-map telnet-traffic

ASA(config-cmap)# match access-list 102
Create a policy-map to define priority action over the class
ASA(config-cmap)# policy-map inspect-telnet
ASA(config-pmap)# class telnet-traffic
ASA(config-pmap-c)# priority
Apply that policy map created on interface

Before applying the priority type policy map over the interface we have to enable priority-queue
over that interface and set the queue-limit
ASA(config)# priority-queue dmz
ASA(config-priority-queue)# queue-limit 1024
ASA(config-priority-queue)# exit
Now we can apply that policy-map over interface dmz as we have configured the priority-queue
over that interface
ASA(config)# service-policy inspect-telnet interface dmz
Virtual Firewalls
LAB 13 Virtual Firewall

One of the major advancement which was made from PIX to ASA is the capability of
virtual Firewallingover ASA.
The virtual firewall methodology enables a physical firewall to be partitioned into multiple
standalone firewalls. Each standalone firewall acts and behaves as an independent entity with its own
configuration, interfaces, security policies, routing table, and administrators.
In Cisco ASA, these virtual firewalls are known as Security contexts.
But two major features of ASA doesnt supports on when you make it into virtual Firewalls are
=>VPN
=>Dynamic Routing Protocols
Context 1
Context 2
Connect your firewall using console port and start configuring the virtual firewalls
Before making your ASA into virtual firewall make sure that you take backup of your all running
configuration, because when you change the mode of your ASA into virtual firewalls or from virtual firwall to
single mode, you will lose all the running configuration of your device.
Even if you wont take the backup by default your ASA saves the current running configuration to the flash of
ASA with file name as old_running.cfg
Virtual Firewalls
To check the current mode of your ASA

ciscoasa(config)# show mode
Security context mode: single
To checkout weather your ASA is capable of virtual firewalling you can see the details in show
version output or you can filter that output by issuing following options
ciscoasa# show version | grep Security Contexts
Security Contexts
:2
The output here gives the capability of the device to make into virtual firewalls;the above output
here gives the value as 2 that mean I am allowed to create two security contexts.
To change the mode of ASA from single to virtual
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
As soon as you issue this command your ASA will be reloaded itself and your entire current
configuration will be erased.
ciscoasa# show mode
Security context mode: multiple
As we know that ASA will make backup of running configuration in flash its visible when we see the
files on flash.
ciscoasa# show flash:
Directory of flash:/
9
-rw- 2076
07:45:11 Oct 17 2011 old_running.cfg
10
-rw- 1446
07:45:12 Oct 17 2011 admin.cfg
16128000 bytes total (16119296 bytes free)
Virtual Firewalls
To see the current context on ASA we can issue the command

ciscoasa# show context
Context Name Class Interfaces
URL
*admin default Ethernet0
flash:/admin.cfg
Total active Security Contexts: 1
From the above output we can observe that we have one Context by the name admin which we
havent created. When we change our mode from single to multiple we will be having one context created by
default and the name of that context will admin context which will have certain more preferences then
other context.
A very special property of this admin context is that the whole configurations of your physical device
will be copied to this admin context. And this context will replace the actual device. Excluding this admin
context we can make two more contexts (as on this device) then totally well be having 3 contexts (as admin
context is not counted in created context list)
If we want to configure any context then we have enter into that particular context and configure
that context
To enter the context
ciscoasa(config)# changeto context admin
ciscoasa/admin(config)#
Now we are in the context admin which we can observe by change in Hostname
And to get back to system
ciscoasa/admin(config)# changeto system
ciscoasa(config)#
Virtual Firewalls
Task 1
Create two context by the names CTX1 and CTX2 and allocate two interfaces to each context and
assign IP Addresses to the interfaces as per below credentials. And save the configuration of those contexts
in flash with respective names of context.
CTX 1
CTX 2
Interface
Ethernet 0
Ethernet 1
Ethernet 2
Ethernet 3
IP Address
1.1.1.1
192.168.1.1
2.2.2.2
172.16.1.1
Subnet Mask
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
Security level
100
0
100
0
Name of interface
Inside
Outside
Inside
Outside
Steps to Configure: Create context

Allocate interfaces
Assign configuration location
Creating Context
Remember that the names which we assign to context will be case-sensitive
ciscoasa(config)# context CTX1
Creating context 'CTX1'... Done. (2)
ciscoasa(config-ctx)# exit
Creating context 'CTX2'... Done. (3)
Allocating Interfaces to Context
To allocate interface to a context get into that context and assign the desired interface and even we
can assign one interface two different context that is called as shared interface.
ciscoasa(config-ctx)# allocate-interface ethernet0

Assigning Configuration location to context
ciscoasa(config-ctx)# config-url flash:CTX1
INFO: Converting flash:CTX1 to flash:/CTX1
WARNING: Could not fetch the URL flash:/CTX1
INFO: Creating context with default config
ciscoasa(config-ctx)# config-url flash:CTX2
INFO: Converting flash:CTX2 to flash:/CTX2
WARNING: Could not fetch the URL flash:/CTX2
Assigning Ip addresses to contexts.
ciscoasa(config)# changeto context CTX1
ciscoasa/CTX1(config)# interface ethernet0
ciscoasa/CTX1(config-if)# ip address 1.1.1.1 255.0.0.0
ciscoasa/CTX1(config-if)# nameif inside
ciscoasa/CTX1(config-if)# no shutdown
ciscoasa/CTX1(config-if)# interface ethernet1
ciscoasa/CTX1(config-if)# ip add 192.168.1.1 255.255.255.0
ciscoasa/CTX1(config-if)# nameif outside
ciscoasa/CTX1(config-if)# changeto system
ciscoasa/CTX2(config)# interface ethernet2
ciscoasa/CTX2(config-if)# nameif inside
ciscoasa/CTX2(config-if)# interface ethernet3
ciscoasa/CTX2(config-if)# nameif outside
Virtual Firewalls
Virtual Firewalls
Verifying the configurations

ciscoasa(config)# show context
Context Name Class Interfaces
*admin
default
CTX1
default Ethernet0,Ethernet1
CTX2
default Ethernet2,Ethernet3

ciscoasa/CTX1(config)# show run interface
!
interface Ethernet0
nameif inside
security-level 100
ip address 1.1.1.1 255.0.0.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
ciscoasa/CTX1# changeto system
ciscoasa(config)#
URL
flash:/admin.cfg
flash:/CTX1
flash:/CTX2

ciscoasa/CTX2(config)# show run interface
!
interface Ethernet2
nameif inside
security-level 100
ip address 2.2.2.2 255.0.0.0
!
interface Ethernet3
nameif outside
security-level 0
ip address 172.16.1.1 255.255.0.0
ciscoasa/CTX2(config)# changeto system
ciscoasa(config)#
Virtual Firewalls
Task 2
Configure context CTX1 to inspect icmp and configure an access-list to deny any traffic from inside to
outside subnets
Steps to configure: Get into specific context
Then apply the desired rules
ciscoasa/CTX1(config)# policy-map global_policy
ciscoasa/CTX1(config-pmap)# class inspection_default
ciscoasa/CTX1(config-pmap-c)# inspect icmp
PC-A#ping192.168.1.10
.!!!!
As soon as the inspection of icmp is on we can see that icmp traffic is allowed to transact
ciscoasa/CTX1(config)# changeto context CTX2
ciscoasa/CTX2(config)# access-list 101 deny ip any 172.16.0.0 255.255.0.0
ciscoasa/CTX2(config)# access-group 101 in interface inside
R2#ping 172.16.1.10
.....
We can see here no traffic is being allowed from inside to outside subnets but still the traffic from PC
is allowed to R1
PC-A#ping 1.1.1.1
!!!!!
As we did this configuration on context CTX2 it will not effect on other context CTX1by this we can
conclude that each context maintains its own configurations
Transparent Firewall
Lab 14 Transparent Firewall

If you look at a layer 2 switch it doesnt require any ip addresses as they are layer 2
device they work with MAC Address and even they behave as a hidden device into the network they
never exhibits there existence in the network
From the basics of our firewall we know that our firewall is basically a layer 3 device which
works with IP addresses and exhibits there existence into network.
Transparent Firewall is a device where you configure your layer 3 firewall to work as a layer 2
Firewall which doesnt work with IP addresses but works with MAC addresses. As it works with MAC
Addresses it doesnt exhibits his existence in the network and still capable of filtering and managing
traffic from layer 2
We have to remember here that when we are making our ASA as a transparent firewall then
few services doesnt work on ASA Firewall
Dynamic routing protocols
IPv6
Quality of Service
Multicast
To view the current mode of working of ASA issue the following command
ASA# show firewall
Firewall mode: Router
To change the mode of ASA from router mode to transparent mode issue the following
command
ASA(config)# firewall transparent
!!As soon as we issue the above command to ASA well lose our entire running configuration
ASA(config)# show firewall
Firewall mode: Transparent
As now we are working with transparent mode of firewall we dont have any ip addresses
configured so we need an IP address for our firewall to manage our device remotely.
To Assign IP address to a firewall in Transparent mode new virtual interfaces have to be
configured named Bridge Virtual Interface and IP address to the firewall is assigned to that particular
interface
Transparent Firewall
LAB Topology
Device
R1
R2
Interface
Fast Ethernet 0/0
FastEthernet 0/0
Ip Address
10.1.1.1
10.1.1.2
Subnet Mask
255.0.0.0
255.0.0.0
Task 1 : Configure ASA as Transparent Firewall and Assign the interface credentials as follows
Create a Transparent Firewall Interface (Bridge Virtual Interface) for management and
activation of device and assign IP Address 10.1.1.10
Interface
Giga Ethernet 0
Giga Ethernet 1
Name
Outside
Inside
Security level
0
100
ASA(config)# firewall transparent

Creating a Bridge Virtual Interface and assigning IP address to it
ASA(config)# interface BVI1
Configuring Interfaces and associating then to Bridge Virtual Interface 1
ASA(config)# interface GigabitEthernet0
ASA(config-if)# nameif outside
ASA(config-if)# bridge-group 1
ASA(config)# interface GigabitEthernet1
ASA(config-if)# nameif inside
ASA(config-if)# bridge-group 1
Failover- Active /Standby
LAB 15 Failover Active/Standby

ASA is very important device of every network which is mostly perimeter device failure of
which may let whole network to go down. considering this criticalness Failover of ASA has been
introduced which is an Automated process of swapping the Active Device when It goes down.
failover configuration
LAB TOPOLOGY
Device
R1
R2
Interface
Fast Ethernet 0/0
FastEthernet 0/0
Ip Address
10.1.1.1
192.168.1.1
Subnet Mask
255.0.0.0
255.0.0.0
Task 1 : Configure Failover for ASA such that when ASA1 crashes ASA2 should automatically
replace itself with ASA1
Before proceeding with failover configuration make sure Devices are licensed for it.
ASA1(config)# show version | grep Failover
Failover
: Active/Active
ASA2(config)# show version | grep Failover
Failover
: Active/Active
While making failover configuration make sure you define a standby IP Address over
every interface.
ASA1(config)# interface GigaEthernet0
ASA1(config-if)# no shutdown
ASA1(config-if)# nameif outside
ASA1(config-if)# ip add 192.168.1.10 255.255.255.0 standby 192.168.1.7
ASA1(config-if)# interface GigaEthernet 1

ASA1(config-if)# nameif inside
ASA1(config-if)# ip add 10.1.1.10 255.0.0.0 standby 10.1.1.7
After making Basic ASA interface configuration start making Failover Interface
the interface which is being dedicated for failover should enabled
Here Interface GigaEthernet 2 is being dedicated for failover
Enable Failover and define ASA1 as primary unit.
ASA1(config)# failover lan enable
ASA1(config)# failover lan unit primary
Define the interface name which is being used as failover interface and allocate a logical
name to that interface and assign an unused IP address to the interface
ASA1(config)# failover lan interface failint GigaEthernet 2
INFO: Non-failover interface config is cleared on GigaEthernet 2 and its sub-interfaces
ASA1(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7
ASA1(config)# failover
Configuring ASA2 to be the secondary mate to ASA1

Enable all the interfaces participating in failover before making any configurations on ASA2
Configure the secondary failover configurations here as well

ASA2(config)# failover lan enable
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface failint GigaEthernet2
INFO: Non-failover interface config is cleared on Ethernet2 and its sub-interfaces
ASA2(config)#failover
As soon we issue command failover it activates the failover and look for the mate
ASA2(config)# .
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate
ASA1# sh failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failint GigaEthernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 08:37:46 UTC Nov 25 2012
This host: Primary - Active
Active time: 585 (sec)
Interface outside (192.168.1.10): Normal
Interface inside (10.1.1.10): Normal
Other host: Secondary - Standby Ready
Stateful Failover Logical Update Statistics
Link : Unconfigured.
ASA1(config)# show failover state

State
Last Failure Reason
Date/Time
This host Primary
Active
None
Other host - Secondary
Standby Ready Comm Failure
18:04:15 UTC Dec 29 2012
====Configuration State===
Sync Done
====Communication State===
Mac set

Task 2 : Change the Active/Standby Failover into Stateful Failover
ASA1(config)# failover link failint GigaEthernet2
ASA1# show failover

Failover On
Cable status: N/A - LAN-based failover enabled
Failover LAN Interface: failint GigaEthernet2 (up)
Interface Policy 1
Last Failover at: 08:37:46 UTC Nov 25 2012
This host: Primary - Active
Other host: Secondary - Standby Ready
Stateful Failover Logical Update Statistics
Link : failint GigaEthernet2 (up)
Stateful Obj
xmit
xerr
General
9
0
sys cmd
8
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
1
0
Xlate_Timeout
0
0
VPN IKE upd
0
0
VPN IPSEC upd
0
0
VPN CTCP upd
0
0
VPN SDI upd
0
0
VPN DHCP upd
0
0
SIP Session
0
0
Logical Update Queue Information
Cur Max Total
Recv Q:
0
1
8
Xmit Q:
0
2
59
rcv
8
8
0
0
0
0
0
0
0
0
0
0
0
0
rerr
0
0
0
0
0
0
0
0
0
0
0
0
0
0
LAB 15 Failover Active/Active

Active / Active failover Configuring is failover facility for Context and making sure that when
one context goes down another one should replicate and deployment of failover happens on virtual
firewalls rather than physical.
failover configuration
LAB TOPOLOGY
Device
R1
R2
R3
R4
Interface
Fast Ethernet 0/0
FastEthernet 0/0
FastEthernet 0/0
FastEthernet 0/0
Ip Address
10.1.1.1
192.168.1.1
11.1.1.1
172.16.1.1
Subnet Mask
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
Task 1 : Configure Change the mode of ASA from Single to multiple

ASA1(config)# mode multiple
ASA2(config)# mode multiple
ASA1# show mode

ASA2# show mode
Task 2 :Create two Context on ASA1 as following Credentials

Name
Ctx1
Ctx2
Interface
GigaEthernet 0
GigaEthernet 1
GigaEthernet 2
GigaEthernet 3
ASA1(config)# context Ctx1

Creating context 'ctx1'... Done. (2)
ASA1(config-ctx)# config-url ctx1
INFO: Converting ctx1 to disk0:/ctx1
WARNING: Could not fetch the URL disk0:/ctx1
ASA1(config-ctx)# allocate-interface g0
ASA1(config)# context ctx2

Creating context 'ctx2'... Done. (3)
ASA1(config-ctx)# config-url ctx2
INFO: Converting ctx2 to disk0:/ctx2
WARNING: Could not fetch the URL disk0:/ctx2
Config-Url
Flash:/ctx1
Flash:/ctx2
Task 3 : Configure Context CTX1 and CTX2 as follows

Name
Ctx1
Ctx2
Interface
GigaEthernet 0
GigaEthernet 1
GigaEthernet 2
GigaEthernet 3
Nameif
Outside
Inside
Inside
Outside
IP Address
192.168.1.10
10.1.1.10
11.1.1.10
172.16.1.10
Standby IP
192.168.1.11
10.1.1.11
11.1.1.11
172.16.1.11
ASA1(config)# changeto context ctx1

ASA1/ctx1(config)# interface gigabitEthernet 0
ASA1/ctx1(config-if)# ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
ASA1/ctx1(config-if)# no shutdown
ASA1/ctx1(config-if)# nameif outside

ASA1/ctx1(config-if)# nameif inside
ASA1/ctx1(config)# changeto context ctx2
ASA1/ctx2(config-if)# nameif inside
ASA1/ctx2(config-if)# nameif outside
Task 4 : Configure Failover on Such that Context ctx1 should be active on ASA1 and CTX2
should be active on ASA2
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface failint g4
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA1(config)# failover link failint g4
Create Failover Groups and associate context to each group
ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# exit
ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# exit
Associating Groups to context created so that ctx1 can be primary and ctx2 should be
secondary on ASA1
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# exit
ASA1(config-ctx)# join-failover-group 2
ASA1(config-ctx)# exit
Configuring Failover Link ASA2

ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface failint g4
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA2(config)# failover link failint g4
Failover LAN became OK
Switchover enabled
Configuration has changed, replicate to mate.

Verification:
ASA1(config)# show failover
Failover On
Failover LAN Interface: failint GigabitEthernet4 (up)
Interface Policy 1
Group 1 last failover at: 05:36:55 UTC Dec 30 2012
Group 2 last failover at: 05:36:55 UTC Dec 30 2012
This host: Primary
Group 1
State:
Active
Group 2
State:
Active
ctx1 Interface outside (192.168.1.10): Normal (Waiting)
ctx1 Interface inside (10.1.1.10): Normal (Waiting)
Other host: Secondary
Group 1
State:
Standby Ready
Group 2
State:
Standby Ready
Site-to-Site IPSec VPN
LAB - 1 Making Site to Site IPSec Virtual Private Network
Points to Remember:
Majorly we used VPN technology is IPsec (Internet Protocol Security)

IPsec is a protocol suite which is designed to provide the solution for remote connectivity over an insecure
network
IPsec Provides Confidentiality and Integrity to the ip packets traversing over internet
An another supporting protocols which is always associated with IPsec is ISAKMP (Internet security
Association Key Management Protocol)
ISAKMP is purely dedicated to transfer the security keys from one device to another
ISAKMP works on UDP port no.500
For making of site to site VPN using IPSec technology, it requires
Devices which support VPN services and are licensed for it

A Static IP Address on both ends which is routable
LAB Topology
In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B
Respectively and R2 is acting as Internet
Loopbacks here demonstrates Local LAN
Interface Configuration on Router
Device
R1
R1
R2
R2
R3
R3
Interface
F0/0
loopback
F0/0
F0/1
F0/0
loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3
Verification for routing
R1#ping 2.2.2.2
!!!!!
R3#ping 1.1.1.1
!!!!!
Task 1 : Configure a IPSec site-to-site vpn between R1 and R3 to make the secure connection between
LAN of R1 (11.11.11.11) and R3(33.33.33.33)
Process of making an IPSec VPN can be simplified by following the sequence of configuration.
o
o
o
o
o
Define ISAKMP Credentials, the credentials which are to be used for Key Exchange
Define IPSec Credentials, which are used in data Exchange
Define interesting traffic using an access-list
Map all the credentials of VPN in a crypto map
Apply the Map on Interface
Defining ISAKMP Policy which is also called as phase 1 parameters of VPN
R1(config)#crypto isakmp enable

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
As part of device authentication we need to define a shared secret key on both side in this lab
scenario netmetric is the shared key
R1(config)#crypto isakmp key netmetric address 2.2.2.2
This Concludes Phase 1 Configuration
Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN
R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
As per task our interesting traffic is sourced from 11.11.11.11 and destinies at 33.33.33.33
definition of it can be done by an simple extended access-list
R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
Binding credentials using crypto map

R1(config)#crypto map vpn-map 10 ipsec-isakmp
R1(config-crypto-map)#set peer 2.2.2.2
R1(config-crypto-map)#set transform-set t-set-1
R1(config-crypto-map)#match address 101
A crypto map binds the interesting traffic and peer with a specific transform set
Application of this crypto map over as interface
R1(config)#int f 0/0
R1(config-if)#crypto map vpn-map
Over other side we need to define exactly the same credentials of phase 1 & 2 without any
change but difference in names of policies and transform-set is negligible.

R3(config)#crypto map vpn-map-2 10 ipsec-isakmp
R1(config-if)#crypto map vpn-map-2
Verification
Generating Interesting Traffic
R1#ping 33.33.33.33 source 11.11.11.11
.!!!!
As soon as VPN starts the traffic between two local LAN starts Transactions.
R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn-net, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pktscompr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0
current outbound spi: 0x0(0)
R1#sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 2.2.2.2 port 500
IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active
IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255
Task 2 : Modify Existing VPN connection to secure the telnet access between two peers
An IPSec VPN Always catch interesting traffic based on crypto ACL (Access-list matched in crypto map is
termed as crypto ACL) , Whatever traffic is supposed to pass through VPN it need to added into ACL
Modifying Access-list of Router R1
R1(config)#access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
Modifying Access-list of Router R3

R3(config)#access-list 101 permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet
Task 3 : Imagine there is one more Peer by name Site C (R4) at ip address 3.3.3.3 with loopback ip
address 55.55.55.55, Secure the Access between Loopbacks of R1 and R4.
Create a new Access-list for catching traffic between Loopbacks
Create a Crypto map with same name but different ID ( No Need to Add a Different named VPN
Map as you can not apply more than one Map on an interface)
R3(config-crypto-map)#set transform-set
t-set-1
Site-to-Site IPSec VPN over ASA
LAB - 2 Making Site to Site IPSec Virtual Private Network Over ASA
LAB Topology
In Above topology two ASA are acting as border devices of two sites Site A & Site B
Respectively and R2 is acting as Internet where as Router R1 and Router R3 are Local LAN of their
respective sites
Device
ASA Site A
ASA Site A
ASA Site B
ASA Site B
R1
R3
Interface
E0/0
E0/1
E0/0
E0/1
F0/0
F0/0
Name-if
Outside
Inside
Outside
Inside
-- --- --
Ip Address
1.1.1.1
11.11.11.10
2.2.2.2
33.33.33.10
11.11.11.11
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices Site ASA
ciscoasa-site-A# ping 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 msR3#ping 1.1.1.1
ciscoasa-Site-B# ping 1.1.1.1
!!!!!
Task 1 : Configure a IPSec site-to-site vpn between Site A and Site B to make the secure connection
between LAN of R1 (11.11.11.11) and R3(33.33.33.33)
By default ISAKMP services are disabled in ASA we need to enable the ISAKMP Services,
In ASA > 8.3 ISAKMP is termed as IKEv1 and IKEv2
IKEv1 is dedicated for Site to Site and IPSec VPN and IKEv2 for SSL VPN, As we are working with
Site to Site VPN we need to enable IKEv1 here
ciscoasa-site-A(config)# crypto ikev1 enable Outside
Configure all the Credentials of ISAKMP in a policy
ciscoasa-site-A(config)# crypto ikev1 policy 10
ciscoasa-site-A(config-ikev1-policy)# encryption aes
ciscoasa-site-A(config-ikev1-policy)# hash sha
ciscoasa-site-A(config-ikev1-policy)# group 2
ciscoasa-site-A(config-ikev1-policy)# authentication pre-share
ciscoasa-site-A(config-ikev1-policy)# lifetime 6000
Defining Pre-share key using Tunnel Group options
A tunnel group specially designed to define the attributes related to VPN and its Functionality, The name
of tunnel group of type L2L should be always the Peer Address
ciscoasa-site-A(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ciscoasa-site-A(config)# tunnel-group 2.2.2.2 ipsec-attributes
ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
Configure IPSec Credentials for both devices
ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac
Definition of Interesting Traffic using Access-list
ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
Create a Crypto map and bind all the credentials with that MAP
ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2
ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set
ciscoasa-site-A(config)# crypto map mymap 10 match address 101
Apply The MAP on interface facing to Internet
ciscoasa-site-A(config)# crypto map mymap interface Outside
Make the VPN Configuration on Other Side As well

ciscoasa-Site-B(config)# crypto ikev1 enable Outside
ciscoasa-Site-B(config)# crypto ikev1 policy 10
ciscoasa-Site-B(config-ikev1-policy)# authentication pre-share
ciscoasa-Site-B(config-ikev1-policy)# encryption aes
ciscoasa-Site-B(config-ikev1-policy)# hash sha
ciscoasa-Site-B(config-ikev1-policy)# group 2
ciscoasa-Site-B(config-ikev1-policy)# lifetime 5600
ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ciscoasa-Site-B(config)# tunnel-group 1.1.1.1 ipsec-attributes
ciscoasa-Site-B(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
ciscoasa-Site-B(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac
Define interesting traffic by means of an access-list again which is mirrored to other side
ciscoasa-Site-B(config)# access-list 109 permit ip host 33.33.33.33 host 11.11.11.11
Crypto MAP Creation and Application
ciscoasa-Site-B(config)# crypto map mymap 10 match address 109
ciscoasa-Site-B(config)# crypto map mymap 10 set peer 1.1.1.1
ciscoasa-Site-B(config)# crypto map mymap 10 set ikev1 transform-set t-set
ciscoasa-Site-B(config)# crypto map mymap interface outside
Verification
Initiating a Connection from Router R1 destinies to Router R3 which is as per interesting traffic of VPN
R1#ping 33.33.33.33
.!!!!
Verification of ISAKMP functionality
ciscoasa-site-A# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
Verification if IPSec Functionality
ciscoasa-site-A# show crypto ipsec sa
interface: Outside
Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1
access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33
current_peer: 2.2.2.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 80
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 58, media mtu 1500
ciscoasa-Site-B# show crypto isakmp sa

IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
ciscoasa-Site-B# show crypto ipsec sa

interface: outside
Site-to-Site IPSec VPN using CA Server
LAB - 3 Making Site to Site IPSec Virtual Private Network with
Points to Remember:
Digital Certificate is issued by an external Authority after Verification

Any Other Device who have the certificate from same authority can form VPN with each other
A Certificate Authority can be any server flavor Operating system or a Cisco router
The process of requesting and enrolling a certificate is done over SCEP protocol
Simple Certificate Enrollment Protocol(SCEP) is devoloped over HTTP so it also work on TCP/80
This Authentication which is done by an External Authentication Server is also called as PKI (Public Key
Infrastucture)
Whenever the authentication of VPN is set to Digital Certificates Peers Exchange there
certificates As Soon as they confirm that the issuer is same for both the certificates they form vpn with
each other
LAB Topology
Respectively and R2 is acting as Internet as well as Certificate Authority.
Device
R1
R1
R2
R2
R3
R3
Interface
F0/0
loopback
F0/0
F0/1
F0/0
loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
R1#ping 2.2.2.2
!!!!!
R3#ping 1.1.1.1
!!!!!
Task 1 : Configure Router R1 to Act as Certificate Authority, and request Certificates From Router R1
and R3
Prerequisite
Make sure that you have enabled HTTP services on the router which is acting as CA Server
And Ensure proper clock is synchronized between peers and Server before making CA
Thus Configure NTP on all the Routers Participating in VPN and make sure they are sync.
Verification
R1#show clock
11:41:56.595 UTC Sat Jan 5 2013
R2#show clock
11:42:02.871 UTC Sat Jan 5 2013
R3#show clock
11:42:04.805 UTC Sat Jan 5 2013
R2(config)#ip http server
R2#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
once verify the services and pre-requisite start making router R2 as Certificate Authority (CA)
R2(config)#crypto pki server ios_ca
R2(cs-server)#grant auto
R2(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:********
Re-enter password:********
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
Jan 5 15:00:57.435: %SSH-5-ENABLED: SSH 1.99 has been enabled
% Certificate Server enabled.
Jan 5 15:01:00.063: %PKI-6-CS_ENABLED: Certificate server now enabled.
To enroll a certificate on Router R1 create a Trust point where all the properties of local Router and
address of CA is to be defined
R1(config)#crypto pki trustpoint ca_r1
R1(ca-trustpoint)#enrollment url http://1.1.1.2
R1(ca-trustpoint)#revocation-check none
After we define the CA Server Address we need get certificate from CA
To Enroll yourself and Get CA Certificate into your Router
R1(config)#crypto pki authenticate ca_r1
Certificate has the following attributes:
Fingerprint MD5: B853F5E4 1DEFC727 3C2FFF84 994AA49A
Fingerprint SHA1: 38F6ED36 A70ACE41 B20EE59E 81ABBCCC B8038ADD
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
To enroll the certificate from the CA Server
R1(config)#crypto pki enroll ca_r1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:*******
Re-enter password:*******
% The subject name in the certificate will include: R1.lab.local
% Include the router serial number in the subject name? [yes/no]: no
% The IP address in the certificate is 1.1.1.1
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate ca_r1 verbose' command will show the fingerprint.
Jan 5 15:51:37.984: %PKI-6-CERTRET: Certificate received from Certificate Authority
Repeat the process with Router R3 as well

R3(config)#crypto pki trustpoint ca_r3
R3(ca-trustpoint)#enrollment url http://1.1.1.2
R3(ca-trustpoint)#serial-number none
R3(ca-trustpoint)#ip-address 2.2.2.2
R3(ca-trustpoint)#revocation-check none
Authenticate Router R3 to CA
R3(config)#crypto pki authenticate ca_r3
Certificate has the following attributes:
Fingerprint MD5: B853F5E4 1DEFC727 3C2FFF84 994AA49A
Fingerprint SHA1: 38F6ED36 A70ACE41 B20EE59E 81ABBCCC B8038ADD
% Do you accept this certificate? [yes/no]: yes
Enroll Router R3 to CA
R3(config)#crypto pki enroll ca_r3
%
Password:********
Re-enter password:*********
% The subject name in the certificate will include: R3.lab.local
% The IP address in the certificate is 2.2.2.2
% The 'show crypto ca certificate ca_r3 verbose' command will show the fingerprint.
Jan 5 16:03:58.279: %PKI-6-CERTRET: Certificate received from Certificate Authority

Verify certificates
R1#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=ios_ca
Subject:
Name: R1.lab.local
IP Address: 1.1.1.1
ipaddress=1.1.1.1+hostname=R1.lab.local
Validity Date:
start date: 15:51:36 UTC Jan 5 2013
end date: 15:51:36 UTC Jan 5 2014
Associated Trustpoints: ca_r1
R3#show crypto pki certificates

Certificate
Status: Available
Issuer:
cn=ios_ca
Subject:
Name: R3.lab.local
IP Address: 2.2.2.2
ipaddress=2.2.2.2+hostname=R3.lab.local
Validity Date:
end date: 16:03:56 UTC Jan 5 2014
Associated Trustpoints: ca_r3
R1#sh crypto pki trustpoints

Trustpoint ca_r1:
Subject Name:
cn=ios_ca
Serial Number: 01
Certificate configured.
SCEP URL: http://1.1.1.2:80/cgi-bin
Verification on CA Server i.e Router R2

R2#show crypto pki server
Certificate Server ios_ca:
Status: enabled
State: enabled
Task 2 : Configure a IPSec site-to-site vpn between R1 and R3 using PKI authentication to make the
secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33)
Process of making an IPSec VPN can be simplified by following the sequence of configuration.
o
o
o
o
o
Define ISAKMP Credentials, the credentials which are to be used for Key Exchange
Define IPSec Credentials, which are used in data Exchange
Define interesting traffic using an access-list
Map all the credentials of VPN in a crypto map
Apply the Map on Interface

R1(config-isakmp)#authentication rsa-sig
As part of device authentication we are using rsa-signatures here so no need to define any preshare key.
As per task our interesting traffic is sourced from 11.11.11.11 and destinies at 33.33.33.33

A crypto map binds the interesting traffic and peer with a specific transform set
Application of this crypto map over as interface
R3(config-isakmp)#authentication rsa-sig
No Need to define any pre-share key as we are using Authentication as rsa-sig(i.e Digital
Certificates)
Verification
R1#ping 33.33.33.33 source 11.11.11.11
.!!!!
As soon as VPN starts the traffic between two local LAN starts Transactions.
Peer: 2.2.2.2 port 500
IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255
LAB - 4 Making Site to Site IPSec VPN Over ASA with PKI
LAB Topology
In Above topology two ASA are acting as border devices of two sites Site A & Site B
Respectively and R2 is acting as Internet as well as a CA server where as Router R1 and Router R3 are
Local LAN of their respective sites
Device
ASA Site A
ASA Site A
ASA Site B
ASA Site B
R1
R3
Interface
E0/0
E0/1
E0/0
E0/1
F0/0
F0/0
Name-if
Outside
Inside
Outside
Inside
-- --- --
Ip Address
1.1.1.1
11.11.11.10
2.2.2.2
33.33.33.10
11.11.11.11
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices Site ASA
ciscoasa-site-A# ping 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 msR3#ping 1.1.1.1
ciscoasa-Site-B# ping 1.1.1.1
!!!!!
Task 1 : Configure Router R2 as CA server and Enroll ASA Site A and Site B to that CA Server
R2(config)#ip http server

R2#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
once verify the services and pre-requisite start making router R2 as Certificate Authority (CA)
R2(config)#crypto pki server ios_ca
R2(cs-server)#grant auto
R2(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:********
Re-enter password:********
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
Jan 5 15:00:57.435: %SSH-5-ENABLED: SSH 1.99 has been enabled
% Certificate Server enabled.
Jan 5 15:01:00.063: %PKI-6-CS_ENABLED: Certificate server now enabled.
To verify the certificate server
R2#sh crypto pki server
Certificate Server ios_ca:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=ios_ca
CA cert fingerprint: B853F5E4 1DEFC727 3C2FFF84 994AA49A
Granting mode is: auto
Last certificate issued serial number: 0x3
CA certificate expiration timer: 15:00:58 UTC Jan 5 2016
CRL NextUpdate timer: 21:00:59 UTC Jan 5 2013
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
To enroll a certificate on ASA1 create a Trust point where all the properties of ASA1 is configured and
ciscoasa-site-A (config)# crypto ca trustpoint ios_ca

ciscoasa-site-A (config-ca-trustpoint)# enrollment url http://1.1.1.2
ciscoasa-site-A (config-ca-trustpoint)# revocation-check none
Authenticate to CA Server
ciscoasa-site-A (config)# crypto ca authenticate ios_ca
INFO: Certificate has the following attributes:
Fingerprint: b853f5e4 1defc727 3c2fff84 994aa49a
Do you accept this certificate? [yes/no]: yes
Generate RSA Keys and then Enroll to CA Server
ciscoasa-site-A (config)# crypto key generate rsa
ciscoasa-site-A (config)# crypto ca enroll ios_ca

%
Password: ********
Re-enter password: ********
% The fully-qualified domain name in the certificate will be: ciscoasa-site-A

% Include the device serial number in the subject name? [yes/no]: no
The certificate has been granted by CA!
To enroll a certificate on ASA2 create a Trust point where all the properties of ASA2 is configured and
ciscoasa-site-B (config)# crypto ca trustpoint ios_ca

ciscoasa-site-B (config-ca-trustpoint)# enrollment url http://2.2.2.1
ciscoasa-site-B (config-ca-trustpoint)# revocation-check none
Authenticate to CA Server
ciscoasa-site-B (config)# crypto ca authenticate ios_ca
INFO: Certificate has the following attributes:
Fingerprint: b853f5e4 1defc727 3c2fff84 994aa49a
Do you accept this certificate? [yes/no]: yes
Generate RSA Keys and then Enroll to CA Server
ciscoasa-site-B (config)# crypto key generate rsa
ciscoasa-site-B (config)# crypto ca enroll ios_ca

%
Password: ********
Re-enter password: ********
% The fully-qualified domain name in the certificate will be: ciscoasa-site-B

% Include the device serial number in the subject name? [yes/no]: no
The certificate has been granted by CA!

Verification
ciscoasa-site-A(config)# show crypto ca certificates
Certificate
Status: Available
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=ios_ca
Subject Name:
hostname=ciscoasa
Validity Date:
end date: 18:18:26 UTC Jan 5 2014
Associated Trustpoints: ios_ca
ciscoasa-site-B(config)# show crypto ca certificates

Certificate
Status: Available
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=ios_ca
Subject Name:
hostname=ciscoasa
Validity Date:
end date: 18:18:26 UTC Jan 5 2014
Associated Trustpoints: ios_ca
Task 2 : Configure a IPSec site-to-site vpn between Site A and Site B using PKI to make the secure
connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33)
By default ISAKMP services are disabled in ASA we need to enable the ISAKMP Services,
In ASA > 8.3 ISAKMP is termed as IKEv1 and IKEv2
IKEv1 is dedicated for Site to Site and IPSec VPN and IKEv2 for SSL VPN, As we are working with
Site to Site VPN we need to enable IKEv1 here
ciscoasa-site-A(config)# crypto ikev1 enable Outside
Configure all the Credentials of ISAKMP in a policy
ciscoasa-site-A(config)# crypto ikev1 policy 10
ciscoasa-site-A(config-ikev1-policy)# encryption aes
ciscoasa-site-A(config-ikev1-policy)# hash sha
ciscoasa-site-A(config-ikev1-policy)# group 2
ciscoasa-site-A(config-ikev1-policy)# authentication rsa-sig
ciscoasa-site-A(config-ikev1-policy)# lifetime 6000
As we have certificates as authentication no need to define pre-share key
Configure IPSec Credentials for both devices
ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac
Definition of Interesting Traffic using Access-list
ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
Create a Crypto map and bind all the credentials with that MAP
ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2
ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set
ciscoasa-site-A(config)# crypto map mymap 10 match address 101
Apply The MAP on interface facing to Internet
ciscoasa-site-A(config)# crypto map mymap interface Outside
Make the VPN Configuration on Other Side As well
ciscoasa-Site-B(config)# crypto ikev1 enable Outside

ciscoasa-Site-B(config)# crypto ikev1 policy 10
ciscoasa-Site-B(config-ikev1-policy)# authentication rsa-sig
ciscoasa-Site-B(config-ikev1-policy)# encryption aes
ciscoasa-Site-B(config-ikev1-policy)# hash sha
ciscoasa-Site-B(config-ikev1-policy)# group 2
ciscoasa-Site-B(config-ikev1-policy)# lifetime 5600
ciscoasa-Site-B(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac
Define interesting traffic by means of an access-list again which is mirrored to other side
ciscoasa-Site-B(config)# access-list 109 permit ip host 33.33.33.33 host 11.11.11.11
Crypto MAP Creation and Application
ciscoasa-Site-B(config)# crypto map mymap 10 match address 109
ciscoasa-Site-B(config)# crypto map mymap 10 set peer 1.1.1.1
ciscoasa-Site-B(config)# crypto map mymap 10 set ikev1 transform-set t-set
ciscoasa-Site-B(config)# crypto map mymap interface outside
Verification
Initiating a Connection from Router R1 destinies to Router R3 which is as per interesting traffic of VPN
R1#ping 33.33.33.33
.!!!!
Verification of ISAKMP functionality
ciscoasa-site-A# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
Verification if IPSec Functionality
ciscoasa-site-A# show crypto ipsec sa
interface: Outside
ciscoasa-Site-B# show crypto isakmp sa

IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
ciscoasa-Site-B# show crypto ipsec sa

interface: outside
Site-to-Site GRE VPN
LAB - 5 Making Site to Site GRE Virtual Private Network
Points to Remember:
GRE is an only tunneling protocol which is used to form a tunnel between two sites
GRE provides only Encapsulation service by Preparatory GRE protocol which is at no.47 in TCP/IP Suite
It adds an extra interface for each peer which allows us to configure Routing and QoS
GRE do not support and Encryption or Hashing Service so we not have any secure transaction over a GRE
GRE creates a virtual Point-to-Point link between two remotely connected devices to act as if they are directly
connected
we need a static IP on both peers who are participation in a GRE tunnel
LAB Topology
Device
R1
R1
R2
R2
R3
R3
Interface
F0/0
loopback
F0/0
F0/1
F0/0
loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
R1#ping 2.2.2.2
!!!!!
R3#ping 1.1.1.1
!!!!!
Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their
public IP address as peer address to each other.
o
o
o
o
GRE VPN's is always configured using virtual interfaces called as tunnels which do have an ip address
which is to be assigned by administrator,
Apart from ip address a Tunnel interface needs its association with physical interfaces which is done
by defining tunnel source and tunnel destination
Tunnel source is association of your tunnel with a physical interface you have, it can be associated by
defining an ip address or the name of interface it defines the starting point of tunnel.
Tunnel destination is defining the end point of the tunnel which physical ip address of remote device
generally termed as peer address
R1(config)#interface tunnel 0
R1(config-if)#ip add 6.6.6.1 255.0.00.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.2
If authentication is desired over tunnel, then we can configure a pre-share key over tunnel.
In GRE Authentication is Optional unlike IPSec where its mandatory.
R1(config-if)#tunnel key 123456
Configure the following configuration over other side device as well
R2(config-if)#ip add 6.6.6.32255.0.00.0
R2(config-if)#tunnel source FastEthernet 0/0
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
C
C
C
S*

6.0.0.0/8 is directly connected, Tunnel0
0.0.0.0/0 [1/0] via 1.1.1.2
Tunnel Is Acting as a Directly connected network to other side
R1#ping 6.6.6.2
!!!!!
R3#ping 6.6.6.1
!!!!!
Tunnel Communication is working well, But when local lan communication is desired its not working.
R1#ping 33.33.33.33
U.U.U
R3#ping 11.11.11.11
U.U.U
Task 2 : Route the traffic of both side local LAN using static routing via tunnel to make the local LAN
reachable.
R1(config)#ip route 33.33.33.0 255.255.255.0 6.6.6.2
Adding a static route reachable via tunnel will make the local LAN communication work well either next
hop can be tunnel or the ip of Next hop Tunnel Address
R3(config)#ip route 11.11.11.0 255.255.255.0 tunnel 0
As soon routes are added in routing table local LAN will be Reachable
R1#show ip route
33.0.0.0/24 is subnetted, 1 subnets
S
33.33.33.0 [1/0] via 6.6.6.2
C 6.0.0.0/8 is directly connected, Tunnel0
S* 0.0.0.0/0 [1/0] via 1.1.1.2
R1#ping 33.33.33.33
!!!!!
R3#ping 11.11.11.11
!!!!!
Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
GRE/IPSec with Crypto - Map
LAB - 6 GRE Over IPSec VPN with Crypto-Map
Points to Remember:
GRE is an only tunneling protocol which is used to form a tunnel between two sites
GRE provides only Encapsulation service by Preparatory GRE protocol which is at no.47 in TCP/IP Suite
It adds an extra interface for each peer which allows us to configure Routing and QoS
GRE do not support and Encryption or Hashing Service so we not have any secure transaction over a GRE
GRE creates a virtual Point-to-Point link between two remotely connected devices to act as if they are directly
connected
we need a static IP on both peers who are participation in a GRE tunnel
LAB Topology
Device
R1
R1
R2
R2
R3
R3
Interface
F0/0
loopback
F0/0
F0/1
F0/0
loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
R1#ping 2.2.2.2
!!!!!
R3#ping 1.1.1.1
!!!!!
R1(config-if)#ip add 6.6.6.1 255.0.00.0
R2(config-if)#ip add 6.6.6.32255.0.00.0
R1#ping 6.6.6.2
!!!!!
R3#ping 6.6.6.1
!!!!!
Task 2 : Route the traffic of both side local LAN using Dynamic routing Protocol EIGRP via tunnel to
make the local LAN reachable.
we need to advertise the tunnel address as common address between peers
R1(config)#router eigrp 100
R1(config-router)#net 11.0.0.0
!! Do not Advertise Physical networks in Dynamic Routing
R1#show ip route
C
D
C
C
S*

33.0.0.0/8 [90/297372416] via 6.6.6.2, 00:03:02, Tunnel0
0.0.0.0/0 [1/0] via 1.1.1.2
R3#show ip route
C
C
C
D
S*

11.0.0.0/8 [90/297372416] via 6.6.6.1, 00:01:19, Tunnel0
0.0.0.0/0 [1/0] via 2.2.2.1
R1#ping 33.33.33.33
!!!!!
Task 3 : Protect The GRE tunnel which is created between Host 1.1.1.1 and 2.2.2.2 using IPsec VPN
solution with crypto-maps.
As per task our interesting traffic as all GRE Traffic sourced from 1.1.1.1 and destinies at 2.2.2.2
Make sure that your access list catches GRE Traffic.
R1(config)#access-list 101 permit gre host 1.1.1.1 host 2.2.2.2
Appling the crypto map to interface

R1(config)#access-list 101 permit gre host 2.2.2.2 host 1.1.1.1

Verification
R1#ping 33.33.33.33
.!!!!
Peer: 2.2.2.2 port 500
IPSEC FLOW: permit gre 1.1.1.1/255.255.255.255,2.2.2.2/255.255.255.255
LAB - 7 GRE Over IPSec VPN with IPSec Profiles
R1(config-if)#ip add 6.6.6.1 255.0.00.0
R2(config-if)#ip add 6.6.6.32255.0.00.0
R1#ping 6.6.6.2
!!!!!
R3#ping 6.6.6.1
!!!!!
Task 2 : Route the traffic of both side local LAN using Dynamic routing Protocol EIGRP via tunnel to
make the local LAN reachable.
we need to advertise the tunnel address as common address between peers
!! Do not Advertise Physical networks in Dynamic Routing
R1#show ip route
C
D
C
C
S*

33.0.0.0/8 [90/297372416] via 6.6.6.2, 00:03:02, Tunnel0
0.0.0.0/0 [1/0] via 1.1.1.2
R3#show ip route
C
C
C
D
S*

11.0.0.0/8 [90/297372416] via 6.6.6.1, 00:01:19, Tunnel0
0.0.0.0/0 [1/0] via 2.2.2.1
R1#ping 33.33.33.33
!!!!!
Task 3 : Protect The GRE tunnel which is created between Host 1.1.1.1 and 2.2.2.2 using IPSec Profile.
As per task we are supposed to use IPSEC PROFILE to protect the traffic of tunnel thus creating
an IPSec Profile.
An IPSec Profile is a replacement of crypto-map which is used to apply a security policy only for
tunnel interfaces, An IPSec Profile doesn't need any access-list or peer address
R1(config)#crypto ipsec profile demo-profile
R1(ipsec-profile)#set transform-set t-set-1
IPSec Profiles are applied on directly Tunnel Interface and they secure every traffic passing
through that tunnel
R1(config-if)#tunnel protection ipsec profile demo-profile


IPSec Profiles are applied on directly Tunnel Interface and they secure every traffic passing
through that tunnel

Verification
R1#ping 33.33.33.33
.!!!!
Peer: 2.2.2.2 port 500
IPSEC FLOW: permit gre 1.1.1.1/255.255.255.255,2.2.2.2/255.255.255.255
Dynamic Multipoint VPN
LAB - 8 Site-to-Site Dynamic Multipoint VPN (DMVPN)
DMVPN is a Cisco proprietary VPN service.

DMVPN make use of NHRP and MGRE as two special services to make a Dynamic VPN service successful.
Next Hop Resolution Protocol (NHRP) is a special query process designed to inquire unknown address of peers
MGRE is a multi-point GRE tunnel which is capable to work without a fixed tunnel destination
Its mandatory for a hub to be always on a static IP address to be reachable to spokes. A spoke either can
be on static IP or on Dynamic IP Address.
whenever VPN process starts from a spoke to another spoke the Query of unknown address reaches to
HUB. HUB resolves the query as per it NHRP Database and back to spoke with current address using
which the Peering will be formed.
LAB Topology
In Above topology Router R4 is acting as HUB, Router R1 & R3 are acting as spokes and R2 is
acting as Internet
Loopbacks on routers here demonstrates Local LAN of each site.
Interface Configuration on Devices
Device
R1
R1
R2
R2
R2
R3
R3
R4
R4
Interface
F0/0
Loopback
F0/0
F0/1
F1/0
F0/0
Loopback
F0/0
Loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.2
3.3.3.2
2.2.2.3
33.33.33.33
3.3.3.3
44.44.44.44
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on all routers
R1#ping 3.3.3.3
!!!!!
R3#ping 3.3.3.3
!!!!!
Task 1 : Configure Dynamic Multipoint tunnels between Router R1, R2,R3 R4 where R4 Acting as HUB
and R1 and R3 are spokes do not use a static peer address or fixed tunnel destination.
configure GRE Tunnels on all the routers (HUB and Spokes both in same subnet) as the fixed
tunnel destination is not allowed
Make the mode of tunnel as Multipoint GRE, When a tunnel is configured in Multipoint mode its capable
to be terminated on different destinations
R1(config-if)#ip address 6.6.6.1 255.0.00.0
R1(config-if)#tunnel source fastEthernet 0/0
R1(config-if)#tunnel mode gre multipoint
Configure the following configuration over other side device as well with different IP address of same
subnet
R3(config-if)#ip address 6.6.6.3 2255.0.00.0
R4(config)#interface Tunnel 0
R4(config-if)#ip add 6.6.6.4 255.0.0.0
Make NHRP configurations on HUB and Spokes

Configuring NHRP for HUB router
R4(config-if)#ip nhrp network-id 123
R4(config-if)#ip nhrp map multicast dynamic
Configuring NHRP for spoke routers
while configuring NHRP over spoke we need to define the Next Hop Server (NHS) which is HUB
and bind the tunnel and physical IP address of HUB
R1(config-if)#ip nhrp nhs 6.6.6.4
R1(config-if)#ip nhrp map 6.6.6.4 3.3.3.3
R1(config-if)#ip nhrp map multicast 3.3.3.3
R3(config)#interface Tunnel0
R3(config-if)#ip nhrp nhs 6.6.6.4
R3(config-if)#ip nhrp map 6.6.6.4 3.3.3.3
R3(config-if)#ip nhrp map multicast 3.3.3.3
As we complete NHRP configuration the HUB device records all the addresses in its database
R4#show ip nhrp detail
6.6.6.1/32 via 6.6.6.1, Tunnel0 created 00:14:30, expire 01:45:29
Type: dynamic, Flags: unique nat registered
NBMA address: 1.1.1.1
6.6.6.3/32 via 6.6.6.3, Tunnel0 created 00:10:10, expire 01:49:49
Type: dynamic, Flags: unique nat registered
NBMA address: 2.2.2.3
And when all ip addresses are registered in database all the tunnels will be reachable to each
other's even without a strict tunnel destination

Verification:
Connectivity between Spoke to others
R1#ping 6.6.6.4
!!!!!
R1#ping 6.6.6.3
!!!!!
Connectivity between HUB and others
R4#ping 6.6.6.1
!!!!!
R4#ping 6.6.6.3
!!!!!
Task 2 : Configure Dynamic Routing between peers using EIGRP as routing protocols and make all the
loopbacks reachable to each others
To make the routes reachable to other spoke we need to break the split horizon on tunnel
interface and disable the next hop changes on tunnel so that the routes from one spoke should reach to
other spokes without any change
R4(config-if)#no ip split-horizon eigrp 100
R4(config-if)#no ip next-hop-self eigrp 100
Verification
R3#show ip route
D 11.0.0.0/8 [90/310172416] via 6.6.6.1, 00:25:46, Tunnel0
D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:25:53, Tunnel0
S* 0.0.0.0/0 [1/0] via 2.2.2.2
R1#sh ip route
D 33.0.0.0/8 [90/310172416] via 6.6.6.3, 00:26:57, Tunnel0
D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:27:05, Tunnel0
S* 0.0.0.0/0 [1/0] via 1.1.1.2
Task 3 : Protect The tunnels which is created between HUB and Spokes using IPSec Profile.

As part of device authentication we need to define a shared secret key , on all devices key word
netmetric is the shared key with the address 0.0.0.0 as address is not fixed .
R1(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0

Repeat the steps with other devices as well


=====================================================================================


Verification:
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst
src
state
conn-id slot status
2.2.2.3
3.3.3.3
QM_IDLE
1002 0 ACTIVE
1.1.1.1
3.3.3.3
QM_IDLE
1001 0 ACTIVE
R3#show crypto isakmp sa
dst
src
state
conn-id slot status
2.2.2.3
3.3.3.3
QM_IDLE
1002 0 ACTIVE
1.1.1.1
2.2.2.3
QM_IDLE
1001 0 ACTIVE
dst
src
state
conn-id slot status
1.1.1.1
2.2.2.3
QM_IDLE
1001 0 ACTIVE
1.1.1.1
3.3.3.3
QM_IDLE
1002 0 ACTIVE
R1#ping 33.33.33.33 source loopback 0
!!!!!
R3#ping 11.11.11.11 source 33.33.33.33
!!!!!
R3#traceroute 11.11.11.11
Tracing the route to 11.11.11.11
1
6.6.6.1
360
msec * 140 msec
Remote Access VPN Router as Server
LAB - 9 Remote Access VPN Router as Server (Easy VPN)
When a user gets connected an IP Address needs to be assigned to the user to make him part of LAN
Distinguished rules can be configured for each group of users using ISAKMP Client Groups
AAA must be used to make the VPN User authentication.
Only VPN server is to be configured with all the VPN configurations client doesnt need any specific VPN configs
Its mandatory for a vpn server to be always on a static IP address to be reachable from anywhere on
internet. VPN Initiation can be done only by clients using an Application called Cisco VPN Client
LAB Topology
In Above topology Router R1 is acting as VPN Server and RouterR2 is Internet to make the
connectivity between networks.
Loopback1 on router R1 here demonstrates Local LAN.
Device
R1
R1
R2
R2
R3
R3
PC
Interface
F0/0
Loopback
F0/0
F0/1
F0/0
Loopback
NIC
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
C:\>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=232ms TTL=45
Ping statistics for 1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 229ms, Maximum = 232ms, Average = 230msR3
R3#ping 1.1.1.1
!!!!!
Task 1 : Configure Router R1 as a Easy VPN server. Create a Group of Users "Sales" and secure the
access of 11.0.0.0/8 subnet for them.
Configure Basic ISAKMP Credentials for key Exchange process
R1(config-isakmp)#encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# group 2
No need to define a specific pre-share key as the authentication is desired by using username and
password
Define IPSec Transform Set
R1(config)#crypto ipsec transform-set t-set esp-3des esp-sha-hmac
As VPN Authentication is desired by using user accounts AAA Services need to configured with ISAKMP
Enabling AAA services on router and creating a new authentication and authorization methods
R1(config)#aaa new-model
R1(config)#aaa authentication login vpn-users local
R1(config)#aaa authorization network vpn-groups local
As the Authentication is set to Local creating a new user account on local Database
R1(config)#username user1 password 0 cisco123
Interesting traffic to secured can be define in an Access-list which is termed as Split Access-list
R1(config)#access-list 109 permit ip 11.0.0.0 0.255.255.255 any
A pool of IP needs to defined from where the Address is allocated to remote devices
R1(config)#ip local pool vpn 10.1.1.1 10.1.1.50
Creating Group for VPN clients where all the credentials defined for client are configured
R1(config)#crypto isakmp client configuration group Sales
R1(config-isakmp-group)# key ciscoabc
R1(config-isakmp-group)# pool vpn
R1(config-isakmp-group)# acl 109
A normal crypto map makes peer address definition as a mandatory credential as we do not mention any
specific peer address we make a dynamic crypto map which is capable of working without Peer as well.
R1(config)#crypto dynamic-map d-map 10
R1(config-crypto-map)#set transform-set t-set
R1(config-crypto-map)#reverse-route
As the dynamic crypto map cannot be applied over interface directly bind the dynamic map with a
Normal Crypto map
R1(config)#crypto map mymap 1 ipsec-isakmp dynamic d-map
Bind the AAA and VPN configuration in Crypto map
R1(config)#crypto map mymap client authentication list vpn-users
R1(config)#crypto map mymap isakmp authorization list vpn-groups
R1(config)#crypto map mymap client configuration address respond
Apply the map to interface connected to internet i.e FastEthernet 0/0
R1(config)#interface FastEthernet0/0
R1(config-if)# crypto map mymap
Task 2 : Configure PC as a VPN client of Router R1 and Verify the IP Address Assigned and connectivity
Download and Install Cisco VPN Client Software Select New option
and define all your credentials required to be authenticate
Select the connection Entry Created and Connect to it
as soon as Connection Initiate the User Authentication Prompt Pops-up
After Successful Authentication VPN Gets Connected and Status of VPN Can be verified in status tab in
Statistics options
IP Address Assigned to Client is

10.1.1.5
To check the secured LAN details

select Tab: Route Details

dst
src
1.1.1.1
2.2.2.3
state
QM_IDLE
conn-id
1001
slot status
0 ACTIVE
Task 3 : Configure Router R3 as a VPN client of Router R1 to secure the communication of lacal LAN of
R3 and R1 (Loopbacks)and Verify the IP Address Assigned and connectivity
Define the VPN client configuration on Router R3 with all the same user credentials
R3(config)#crypto ipsec client ezvpn ez-remote
R3(config-crypto-ezvpn)# connect auto
R3(config-crypto-ezvpn)# group Sales key ciscoabc
R3(config-crypto-ezvpn)# mode client
R3(config-crypto-ezvpn)# peer 1.1.1.1
R3(config-crypto-ezvpn)# username user1 password cisco123
Apply crypto map on both the interfaces
Interface on which Local LAN traffic is inbound to router Apply it on as inside
R3(config)#interface Loopback0
R3(config-if)#crypto ipsec client ezvpn ez-remote inside
Interface through which router is connected to internet Apply as outside
R3(config)#interface FastEthernet0/0
R3(config-if)#crypto ipsec client ezvpn ez-remote outside
Verification:
To Verify Assigned Address on Router
R3#show ip interface brief
Interface
IP-Address
FastEthernet0/0
2.2.2.2
FastEthernet0/1
unassigned
NVI0
unassigned
Loopback0
33.33.33.33
Loopback1
10.1.1.3
OK?
YES
YES
NO
YES
YES
Method
manual
unset
unset
manual
manual
Status
up
administratively down
up
up
up
To Verify the Connectivity between Loopbacks

R3#ping 11.11.11.11 source 33.33.33.33
!!!!!
Verification of VPN Establishment at Client Router
dst
src
1.1.1.1
2.2.2.2
state
QM_IDLE
conn-id
1002
slot status
0 ACTIVE
Verification of VPN Establishment at Server Router

dst
src
1.1.1.1
2.2.2.3
1.1.1.1
2.2.2.2
state
QM_IDLE
QM_IDLE
conn-id
1001
1002
slot status
0 ACTIVE
0 ACTIVE
Protocol
up
down
up
up
up
R3#show crypto ipsec sa

Crypto map tag: FastEthernet0/0-head-0, local addr 2.2.2.2
#pkts not compressed: 0, #pkts compr. failed: 0
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x47AC3BBD(1202469821)
Remote Access VPN - ASA as Server
LAB - 10 Remote Access VPN ASA as Server (Easy VPN)

LAB Topology
In Above topology ASA is acting as VPN Server and RouterR2 is Internet to make the
Router R1 here demonstrates Local LAN.
Device
ASA
ASA
R1
R2
R2
PC
Interface
G0
G1
F0/0
F0/0
F0/1
NIC
Ip Address
1.1.1.1
11.11.11.10
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on ASA as well as PC
C:\>ping 1.1.1.1
Task 1 : Configure ASA as a Easy VPN server.

Enable Isakmp IKEv1 and configure its credentials
ciscoasa(config)#crypto ikev1 enable outside
ciscoasa(config)#crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption 3des
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 36000
Define an IPSec Transform Set

ciscoasa(config)#crypto ipsec ikev1 transform-set t-set esp-3des esp-sha-hmac
Defining Pool of IP Address to be allocated to clients
ciscoasa(config)#ip local pool demo-pool 10.1.1.1-10.1.1.50
Creating User Account for VPN Access
ciscoasa(config)#username user1 password cisco123
Creating a VPN Group by name Ra-ASA and defining there attributes

ciscoasa(config)#tunnel-group Ra-ASA type remote-access
ciscoasa(config)#tunnel-group Ra-ASA general-attributes
ciscoasa-site-A(config-tunnel-ipsec)# address-pool demo-pool
ciscoasa(config)#tunnel-group Ra-ASA ipsec-attributes
ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
Binding all the credentials with a crypto map
ciscoasa(config)#crypto dynamic-map d-map1 1 set ikev1 transform-set t-set

ciscoasa(config)#crypto dynamic-map d-map1 1 set reverse-route
ciscoasa(config)#crypto map mymap 1 ipsec-isakmp dynamic d-map1
Applying the Crypto Map over Interface
ciscoasa(config)#crypto map mymap interface outside

Task 2: Configure PC to be VPN client for ASA.
Verification:
ciscoasa(config)# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 2.2.2.3
Type : user
Role : responder
Rekey : no
State : AM_ACTIVE
ciscoasa(config)# show crypto ipsec sa

interface: outside
Crypto map tag: d-map1, seq num: 1, local addr: 1.1.1.1
current_peer: 2.2.2.3, username: user1
dynamic allocated peer ip: 10.1.1.1
current outbound spi: 27287AB7
current inbound spi : FBD9BDEF

Reverse Route Added in ASA routing table
ciscoasa(config)# show route
C
S
C
S*

10.1.1.1 255.255.255.255 [1/0] via 1.1.1.2, outside
0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, outside
To view protocol specific results

ciscoasa# show crypto protocol statistics ikev1
[IKEv1 statistics]
Encrypt packet requests: 86
Encapsulate packet requests: 86
Decrypt packet requests: 140
Decapsulate packet requests: 140
HMAC calculation requests: 147
SA creation requests: 3
SA rekey requests: 0
SA deletion requests: 2
Next phase key allocation requests: 6
Random number generation requests: 95
Failed requests: 0
ciscoasa# show crypto protocol statistics ipsec
[IPsec statistics]
Encrypt packet requests: 4
Encapsulate packet requests: 4
Decrypt packet requests: 4
Decapsulate packet requests: 4
HMAC calculation requests: 4
SA creation requests: 6
SA rekey requests: 0
SA deletion requests: 4
Next phase key allocation requests: 0
Random number generation requests: 3
Failed requests: 0
Client Less SSL VPN - IOS CLI
LAB - 11 Client Less SSL VPN- Router as Server (CLI)
SSL Works on TCP port number 443

Initially Introduced by Netscape later introduced as standard VPN Protocol by Name TLS(Transport Layer
Security)
It provides security from Transport Layer (i.e. layer 4 ) to Application Layer (i.e. layer 7)
Authentication happens only based on digital certificates. pre-share authentication is not supported.
When SSL VPN is configured to establish using only a web Browser and no other application is required its called
as Client-Less SSL VPN
Only web enabled services like HTTP,FTP and Email are supported Over an Client Less SSL VPN
Its mandatory for a vpn server to be always on a static IP address to be reachable from anywhere on
internet. VPN Initiation can be done only by clients using a web browser
LAB Topology
In Above topology Router R1 is acting as SSL VPN Server , RouterR2 is Internet to make the
connectivity between networks and PC is our client with a browser.

Device
R1
R1
R2
R2
PC
Interface
F0/0
Loopback
F0/0
F0/1
NIC
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0

C:\>ping 1.1.1.1
Task 1 : Configure Router R1 as a SSL VPN server and enable the SSL service on IP Address 1.1.1.1 with
port number 443
SSL VPN configuration is mainly divided into two parts
1. Configuring Gateway
2. Configuring Context
Gateway define the interface and the ports where the SSL services are supposed to be enabled
and by default all the newly created gateways will be in disabled mode which can has to be enabled
manuallu using "insiervice"
Creating and Enabling SSL Gateway
R1(config )#webvpn gateway ssl_gw
R1(config-webvpn-gateway)# ip address 1.1.1.1 port 443
R1(config-webvpn-gateway)# inservice
Context define the user policy and the environment of SSL VPN.
Creating a Context and defining the web page properties of that context.
R1(config )#webvpn context ssl_ctx
R1(config-webvpn-context)# title "Netmetric-Infosolutions"
R1(config-webvpn-context)# title-color green
R1(config-webvpn-context)# gateway ssl_gw
R1(config-webvpn-context)# inservice
Creating a user account for SSL access as authentication is mandatory and by default its set to
local authentication
R1(config )#username user1 password cisco123
Verification:
Open Browser and enter the url as http://1.1.1.1
As we do not have any digital certificate issued by Certificate authorities a warning is posted
don't worry and select proceed anyways
Enter the user credentials when prompted then Login
Once authenticated successfully we get default SSL Page where we are allowed enter the desired
URL to communicate the local LAN
Task 2 : Modify Existing SSL VPN connection and provide users a login banner and Bookmark list on
SSL VPN Web Page to ease the access of local services.
URL list can be defined under context configuration
R1(config-webvpn-gateway)#webvpn context ssl_ctx
R1(config-webvpn-context)#url-list "Servers"
R1(config-webvpn-url)#Heading "Business Servers"
R1(config-webvpn-url)#url-text Server1 url-value http://11.11.11.11
R1(config-webvpn-url)#url-text Server2 url-value http://17.14.12.34
R1(config-webvpn-url)#exit
Newly created URL List can be applied to users by associating it to default group policy not only
URL List but also the banner can be defined in Policy it self
R1(config-webvpn-context)#policy group demo_ssl
R1(config-webvpn-group)#url-list "Servers"
R1(config-webvpn-group)#banner "Welcome to Netmetric Solutions"
R1(config-webvpn-group)#exit
Making the policy created as default policy so that it should be applied to all users
R1(config-webvpn-context)#default-group-policy demo_ssl

Verification:

Banner message will be displayed as login succeeds
URL List which is defined under policy is on web page after Login
Task 3 : Imagine a Tacacs+ server on address 11.11.11.49, Configure SSL Server to authenticate users
using that Tacacs+ server.
Enable AAA services and define address of Tacacs server
R1(config)#aaa new-model
R1(config)#tacacs-server host 11.11.11.49 key ciscot
Define a new authentication method with Tacacs option
R1(config)#aaa authentication login ssl-auth group tacacs+
Call the authentication method in web VPN Context

R1(config)#webvpn context ssl_ctx
R1(config-webvpn-context)#aaa authentication list ssl-auth
LAB - 12 Client Less SSL VPN- Router as Server (GUI)

LAB Topology
In Above topology Router R1 is acting as SSL VPN Server , RouterR2 is Internet to make the
connectivity between networks and PC is our client with a browser.

Device
R1
R1
R2
R2
PC
Interface
F0/0
Loopback
F0/0
F0/1
NIC
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
C:\>ping 1.1.1.1
Task 1 : Configure Router R1 as a SSL VPN server and enable the SSL service on IP Address 1.1.1.1 with
port number 443 using Cisco Configuration Professional
Select Configure
Select SSL VPN Manager
Select 1
Select 2
Configure Prerequisite before getting started with SSL VPN

Enable AAA and generate Self signed certificate

After completing Prerequisite starting WebVPN Wizard
Its Optional to enable Secure SDM access requires only if in future you plan to use SDM through
same interface.
Select Authentication method for users in following options
Select ADD if some

more users are desired
Following step allows to configure Bookmark List (URL-LIST) for users
As we are working with client-less SSL VPN no need to enable full tunnel support thus deselect
option
Select Webpage design from drop down themes
As you select finish you are done by making a SSL VPN

Verification:
Clientless SSL VPN - ASA
LAB - 13 Clientless SSL VPN ASA as Server (WebVPN)

LAB Topology
In Above topology ASA is acting as SSL VPN Server and RouterR2 is Internet to make the
Router R1 here demonstrates Local LAN.
Device
ASA
ASA
R1
R2
R2
PC
Interface
G0
G1
F0/0
F0/0
F0/1
NIC
Ip Address
1.1.1.1
11.11.11.10
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on ASA as well as PC
C:\>ping 1.1.1.1

Task 1 : Configure ASA as a SSL VPN Server.
Get Started with ASDM
Goto tab: Wizards>VPN Wizards> select : Clientless SSL VPN Wizard
A simple six step Wizard help to Configure a SSL VPN
Define Connecion Profile name selectthe interface on which SSL Services are to initiated
Select the user authentication method and modify the user account database
Either go for a creation of new policy or modify the existing policy which comes by default
The Bookmark List visible for users can be modified and whatever bookmark is created here will
be available after successful login of user
Adding a Bookmark LIst by name Local_servers and adding some bookmarks by name Server1
and Server2
Conclude the VPN configuration by Hitting Finish

Verification:
Login to the ASA with the defines URL in SSL Profile https://1.1.1.1/vpn
A warning is issued by browser as its not a trusted digital certificate

Login using the user credentials
Basic SSL VPN Page seen on ASA based VPN with a web Bookmark list
Select Server1to go to that address
Monitoring of SSL VPN

Select Monitoring > VPN >VPN Statistics > Sessions
Filter can be set to view only Clientless SSL

VPN Sessions

Double Click Session to get a full view of session details
Cisco IOS Classic Firewall
LAB 1 Classic IOS Firewall (CBAC)

When you say you are working with ACLs it means you are filtering the traffic on the basis of their names(i.e.
IP Addresses) or services and more over you cannot configure ACL to be such intelligent that it should identify the
originator of traffic and reply traffic. To make the packet filtering more enhanced we came up with Context-based access
control (CBAC) it intelligently filters TCP and UDP packets based on application layer protocol session information.in CBAC
we dont work with IP Addresses now we allow or deny the services from inside to outside or vise-versa. And even CBAC
maintains a state table in which it makes the record of traffic going out of interface and depending on that it will allow
the incoming traffic
Interface Configuration
Device
Outside
DMZ
CBAC-FW
PC
Interface
Fast Ethernet 0/0
Fast Ethernet 0/0
Fast Ethernet 0/0
Fast Ethernet 0/1
Fast Ethernet 1/0
NIC
IP Address
2.2.2.2
3.3.3.3
1.1.1.1 (Connected to PC)
2.2.2.1 (Connected to outside)
3.3.3.1 (Connected to DMZ)
1.1.1.2
Configure RIP on All Devices and advertise all connected network to make reachability
Task 1:
We want to make sure that an INSIDER can Access Outside network as well as DMZ
An Outsider Cant access inside network but can access DMZ network
And DMZ Cant access any network both Inside and Outside
Steps to configure:
Use any routing protocol to make networks reachable we are using rip in this case
Block all the inbound traffic for private or local network
Allow traffic to only DMZ Network from outside
Create an inspection rule depending on the interesting traffic for each interface
Apply the inspection rule on the respective interfaces
By using a simple block statement in access-list we are denying all the traffic for inside network
from other networks
CBAC-FW(config)#access-list 101 deny ip any any
CBAC-FW(config)#int f 0/0
CBAC-FW(config-if)#ip access-group 101 OUT
Now when all the traffic is blocked from other network to inside network then even the reply
traffic for the queries done from inside network is blocked
To allow that reply traffic we are making an inspection rule with desired protocols and services
to be inspected and maintain a state table
CBAC-FW(config)#ip inspect name my-cbac tcp
CBAC-FW(config)#ip inspect name my-cbac icmp
CBAC-FW(config)#ip inspect name my-cbac udp
With the above commands we are starting to maintain the state table for tcp, udp and icmp now
we will apply this inspection rule on the interface which is connected to outside
CBAC-FW(config)#int f 0/1
CBAC-FW(config-if)#ip inspect my-cbac out
Now we dont want DMZ to interact with any network
CBAC-FW(config)#interface FastEthernet1/0
CBAC-FW(config-if)#ip access-group 102 in
But we want outside network should be able to communicate with dmz so create a separate
inspection for that traffic
CBAC-FW(config)#ip inspect name cbac-dmz http

CBAC-FW(config)#ip inspect name cbac-dmz telnet
CBAC-FW(config)#ip inspect name cbac-dmz icmp
Apply that inspection rule on the interface in outbound direction on which DMZ is connected
CBAC-FW(config-if)# ip inspect cbac-dmz out
From outside allow only the specific traffic which is meant for the DMZ network and block all the
rest traffic
CBAC-FW(config)#access-list 103 permit ip any host 3.3.3.3
CBAC-FW(config-if)#ip access-group 103 in
The traffic which is generated from inside is allowed to go to outside network and reply is
allowed to come back
From outside the connection is not successful to inside but its successful to DMZ
Outside>ping 1.1.1.2
U.U.U
Outside>ping 3.3.3.3
!!!!!
Zone Based Firewall
Lab 2 Zone Based Policy IOS Firewall

Somehow using CBAC we succeeded to maintain the state table in our router and even configured our router to work
as firewall. But very soon after working with CBAC Network Admins realized that there are few short comings in working with
CBAC majorly, CBAC failed to filter the applications for specific users (i.e. you cannot configure inspection rule for set of users
rules are applicable on all users) and when you are working with multiple interfaces as the number of interfaces increases the
complications in implementing CBAC increases.to meet these short comings a new method of implementing Firewall has been
introduced Zone Based Firewall herein we are configuring ACLs to catch interesting traffic and we are configuring a group of
interfaces as a single zone and then the rules will be applied on them.
Steps to configure:
Use any routing protocol to make networks reachable we are using rip in this case
Create Security Zones and associate interfaces with zones
Create a class map of type inspect to define the interesting traffic
Create a policy map of type inspect to define the action on interesting traffic
Create Zone pairs to define the source and destination of traffic
Device
Outside
DMZ
ZBF
PC
Interface
Fast Ethernet 0/0
Fast Ethernet 0/0
Fast Ethernet 0/0
Fast Ethernet 0/1
Fast Ethernet 1/0
NIC
IP Address
2.2.2.2
3.3.3.3
1.1.1.1 (Connected to PC)
2.2.2.1 (Connected to outside)
3.3.3.1 (Connected to DMZ)
1.1.1.2
We are implementing the same typical DMZ network Setup here what we did in previous lab
Zone Based Firewall
First of all we are configuring RIP on all devices to advertise all networks and making all the
three networks reachable from every one
Check the Reachability from each device to each device then proceed with configuration
Unlike CBAC where I implement the rules depending on the interfaces here I want to implement
the rules on the group of interfaces which I call as a zone, as per our requirement I am creating three
zones named DMZ, OUTSIDE and INSIDE
ZBF(config)#zone security INSIDE
ZBF(config-sec-zone)#exit
ZBF(config)#zone security OUTSIDE
ZBF(config)#zone security DMZ
After Creating of Security zones there will be no change in the behavior of device then you
associate those zones with interfaces
ZBF(config)#int f 0/0
ZBF(config-if)#zone-member security INSIDE
ZBF(config)#int f 0/1
ZBF(config-if)#zone-member security OUTSIDE
ZBF(config-if)#int f 1/0
ZBF(config-if)#zone-member security DMZ
Remember that as soon as we associate those zones with interfaces the communication within
all the zones will be blocked and no two interfaces belongs to different zones can communicate neither
an unzone interface (interface which is not associated with any zone) can communicate to a zoned
interface but two interfaces which belongs to same zone and even the two interfaces which are unzone
can communicate with each other.
Now we need to create a class map of type inspect to identify the interesting traffic. Before
defining interesting traffic in class-map we need to create an access list to define source and destination
of desired inspection traffic and even we need to define the protocol which we want to inspect
ZBF(config)#access-list 101 permit ip any any
ZBF(config)#class-map type inspect c-map-1
ZBF(config-cmap)#match access-group 101
ZBF(config-cmap)#match protocol icmp
Zone Based Firewall
After defining the traffic in class map now its time to define the action on the interesting traffic
for that we need to create a policy map of type inspect then call the class of interesting traffic. In that
class define the desired action. As per our requirement we need inspection to be done on our traffic so
we are defining inspect as our action.
ZBF(config)#policy-map type inspect p-map-1
ZBF(config-pmap)#class c-map-1
ZBF(config-pmap-c)#inspect
Now the only left out task is to apply that policy map and to define the source and the
destination of our traffic this is done by configuring zone-pairs
ZBF(config)#zone-pair security allow-in-out source INSIDE destination OUTSIDE
ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1
ZBF(config-sec-zone-pair)#exit
With this task our insiders can access outside network now but outsiders cant access inside as
we defined source to be INSIDE and destination to be OUTSIDE. Remember that this zone pair works
unidirectional only
As we want insiders to access DMZ as well and even we want outsiders to access DMZ so we
need to create two more zone pairs with respective source and destinations
ZBF(config)#zone-pair security allow-in-dmz source INSIDE destination DMZ
ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1
ZBF(config)#zone-pair security allow-out-dmz source OUTSIDE destination DMZ
ZBF(config-sec-zone-pair)##service-policy type inspect p-map-1
Zone Based Firewall
Verification
Beginning from outside I am pinging to inside and DMZ
OUTSIDE>ping 1.1.1.2
.....
OUTSIDE>ping 3.3.3.3
!!!!!
We can observe from above that as per our requirement outsider can visit DMZ but cannot Visit
INSIDE network. Now lets make a connection from DMZ
DMZ#ping 1.1.1.2
.....
DMZ#ping 2.2.2.2
.....
DMZ is not allowed to visit either INSIDE or OUTSIDE network

But An Insider can visit both the other networks DMZ and OUTSIDE
By this we Achieved our desired Network Security
Zone Based Firewall
Basic Sensor Initialization
LAB 1 Basic Sensor Initialization

An Intrusion Prevention System has the capability to detect and prevent misuse and
abuse of, and unauthorized access to, network resources
An Intrusion Prevention / Detection system is an advanced filtering device dedicated to
filter the content of network up to layer 7 which is not only capable to filter on basis of content
but also the structure of the packet.
The most common method of filtering traffic over a sensor is using signatures . where
signature can be defined as pre defined pattern or structure of malicious traffic.
A Sensor is a layer 2 device placed mostly behind firewall and configured to filter the
malicious traffic in inbound and outbound directions of network
Basic Configuration of sensor can be done by Command Line Interface through console
port to initiate the sensor and its services.
Task 1 : Initiate the sensor and configure the basic services and interface configurations as
following options.
Host Name
Ip Address
Subnet Mask
Default Gateway
Https port
Telnet
Permitted Host
NMSIPS
10.1.1.10
255.0.0.0
10.1.1.1
443
Enabled
10.0.0.0 255.0.0.0
Step 1
Connect IPS Console port to Com port of computer using a Console Cable to access the CLI of
Device
Step 2
Open a terminal Emulator application like Hyper terminal or putty.
Step 3 : Login Sensor using user credentials.
Sensor login: Cisco

Password: ***********
sensor#
Step 4: As sensor initializes issue the SETUP option to make basic configuration and follow the
interactive mode of Sensor
sensor# setup
System Configuration Dialog
At any point you may enter a question mark '?' for help .
User ctrlc to abort configuration dialog at any prompt .
Default settings are in square brackets ' [] ' .
Current Configuration:
service host
networksettings
hostip 192.168.1.10/24,192.168.1.1
host-name sensor
telnet option disabled
ftp-timeout 300
no login-banner-text
exit
timezone-settings
offset 0
standard- time-zone name UTC
exit
summertime-option disabled
ntpoption disabled
exit
service webserver
port 443
exit
Setup Configuration last modified: Sat Nov 24 09:37:20 2012
Continue with configuration dialog?[yes]: Yes

As the Setup command executes current configuration of device is displayed and prompt
for modification of current configuration appears type YES to make changes as desired.
Enter Hostname
Continue with configuration dialog?[yes]: Yes

IP Address of
Enter host name [sensor] : NMSIPS
Sensor
Enter IP interface []; 10.1.1.10/24,10.1.1.1
Enter telnetserver status [disabled] : enabled
Enter web-server port [443]; <Enter>
port number on
which GUI is
Modify current access list? [no] yes
supposed to work
Current access list entries :
No entries
Permit: 10.0.0.0/8
Permit:
Modify system clock setting?[no]: no
Modify interface/virtual sensor configuration? [No]: no
Modify default threat prevention settings? [No]: no
the following configuration was entered.
service host
networksettings
hostip 10.1.1.10/24,10.1.1.1
host-name nms
telnet option enabled
access-list 10.0.0.0/32
ftp-timeout 300
no login-banner-text
exit
timezone-settings
offset 0
standard- time-zone name UTC
exit
summertime-option disabled
ntpoption disabled
exit
Access-list here defines the

list of users permitted to
access the sensor remotely
[0] Go to the command prompt without saving this config

[1] Return to setup without saving this config
[2] save this configuration and exit setup
select desired options
as per requrement
Enter you selection [2]: 2

Select second option to save basic config and end setup utility
-----Configuration saved---------------
Task 2 : Initiate web access of sensor through web browser.

Step 1 : Connect the computer to Sensor via Ethernet and assign the IP Address on computer in
same subnet to sensor.
C:\>ipconfig
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::79b9:ae4b:fc78:88fd%16
IPv4 Address. . . . . . . . . . . . : 10.1.1.2
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . : 10.1.1.1
Step 2: Start a browser (Internet Explorer/Firefox)
go to url (https://<ip address of sensor>) https://10.1.1.10 accept security

warning message then type Username & password of your sensor when prompted.
After successful logging you should see Sensor Dashboard
IDS-Promiscuous mode of Sensor
LAB 2 Promiscuous Mode - IDS

An Intrusion Detection System has the capability to only detect misuse and abuse of,
and unauthorized access to, network resources
An Intrusion Detection system is always placed in offline mode or promiscuous mode
where device does not have capability to drop any traffic but it informs about the misuse to
administrator and Admin takes the action immediately. As IDS is not inline device it will not add
any latency in network.
In Promiscuous mode, Sensor is not Placed in between the transit path of network
rather its connected to switch and a copy of the traffic is sent to Sensor.
LAB Topology
R1 => FastEthernet
10.1.1.1
R2 =>FastEthernet
10.1.1.2
Task 1 : Configure Sensor in Promiscuous mode to work as Intrusion Detection System .

A Promiscuous mode device need a copy of traffic thus always the switch in network is
used to monitor the traffic and send the copy of packet from a port another.
Step: 1 Enable SPAN on the switch interfaces
SW1(config)#monitor session 1 source interface fa0/1

SW1(config)#monitor session 1 destination interface fa0/23
Step: 2 On IDS Sensor
Go to configure Interfaces; Select interface on which switch is connected

(e.v.Ethernet 2/0) and click enable button then Apply.
Click
here
Click
here
Go to configure Analysis Engine Virtual Sensor then Click vs0 and edit
Click
here
Highlight Fastethernet 2/0 interface on the list and click Assign button. Then
click OK and Apply the changes to the sensor
Click
here
Click
here
Verification:
Switch#sh monitor session 1
Session 1
--------Source Ports:
RX Only:
None
TX Only:
None
Both:
Fa0/1
Source VLANs:
RX Only:
None
TX Only:
None
Both:
None
Destination Ports: Fa0/23
Filter VLANs:
None
To Test it, let's simulate an attack. Ping from your PC to Router R1

C:\>ping 10.1.1.1
Pinging 10.1.1.1with 32 bytes of data:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
Go to monitoring Events, check show past events radio button and select 1
minute. then click on view button
See the signatures Logs on the Event viewer to get logs click Refresh tab
Click
here
Click
here
Highlight the Event log and click Details to see more log details. Here the
picture output for Event details.
Attacker student Pc
IP
Target Router IP
aaaa
aaaa
IPS-Inline mode of Sensor
LAB 3 Inline Mode - IPS

An Intrusion Prevention System has the capability to only detect misuse and abuse of,
and unauthorized access to, network resources
An Intrusion Prevention system is always placed in inline mode in transit path of network
such that all data traffic is supposed to pass through the sensor, then it do have capability to
drop any traffic and also it informs about the misuse to administrator.
An IPS is inline device it will add some latency in network for traffic filtering.
In Promiscuous mode, Sensor is not Placed in between the transit path of network
rather its connected to switch and a copy of the traffic is sent to Sensor.
LAB Topology
R1 => FastEthernet
10.1.1.1
R2 =>FastEthernet
10.1.1.2
Connect Fast Ethernet 2/0 and Fast Ethernet 2/1 of sensor to Router R1 and R2 Respectively
Task 1 : Configure Sensor in Inline mode to work as Intrusion Prevention System .

Step 1 : Enable Interfaces of Sensor.
Go to configuration Interface, select Fastethernet 2/0 & Fastethernet 2/1 and Enable then
Apply to Sensor
Step 2 : Define a Interface Pair

Go to configuration Interface configuration Select Interface Pairs Add.
Then enter a name for interface pair, Select fa2/0 and 2/1 interface on the list, make
some description and click on OK Apply to the sensor.
Step 3 : Associate Interface Pair with Analysis Engine
Go to configuration analysis Engine Virtual Sensors Select vs0 and click

Edit select newly created interface pair {pair-1} on the list and click Assign. Then
click OK and apply changes to the sensor.
2
4
Verification:
IPS-Inline VLAN mode of Sensor
LAB 4 Inline VLAN Mode - IPS

Inline interface mode of Sensor requires two dedicated interfaces for monitoring traffic
but in a case we have only single interface and we are in need of inline filtering we can devide
our network in VLANs and filter the traffic based on VLAN where.
an Inline VLAN mode of filtering traffic divides network into two different VLANS and
enforce the traffic to pass through IPS using a VLAN pairing over it. and an IPS here act as Inter
VLAN Router.
R1 => FastEthernet
10.1.1.1
R2 =>FastEthernet
Switch=> FastEthernet 0/1
Switch => FastEthernet 0/2
10.1.1.2
VLAN10
VLAN20
Connect
R1- F0/1 ==> SW F0/1
R2 F0/1 to SW F0/2
Task 1 : Configure Sensor in Inline VLAN mode to work as Intrusion Prevention System .
Step 1 : Configure VLANs on Switch
Switch(config)#vlan 10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#exit
Step 2 : Associate VLANs with Interfaces respectively
Switch(config)#interface range fa0/1

Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config)#interface range fa0/2
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Step 3 : Enable Interface on Sensor
Go to configuration interface configuration Interfaces select

Fastethernet 2/0 and click enable button and apply changes to the sensor
Step 4 : Create a VLAN pair
Go to configuration interface configuration Vlan pair then Click Add

button.
Step 5 : Associate VLAN Pair with Analysis Engine
Go to configuration Analysis Engine Virtual sensor select vs0 virtual

sensor 0 on the list and click edit. Highlight Fastethernet 2/0.1 interface on the list
and click assign button. Then Click ok and apply the changes to the sensor.
1

Netmetric CCNP Security Workbook 2.0 ASA Initialization

Загружено:

Сведения о документе

Исходное описание:

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Netmetric CCNP Security Workbook 2.0 ASA Initialization

Загружено:

Авторское право:

Доступные форматы

Netmetric CCNP Security Workbook 2.

LAB 1 Basic ASA Configuration

Task-1 Getting Started With ASA

IOS Version of ASA

ciscoasa up 33 mins 30 secs

Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz

Netmetric CCNP Security Workbook 2.0

Configuring Enable Password

Netmetric CCNP Security Workbook 2.0

Task-2 Configuring Interfaces as per following Credentials

Netmetric CCNP Security Workbook 2.0

ASA(config-if)# interface GigabitEthernet 1

ASA identify only the word inside perfectly

Netmetric CCNP Security Workbook 2.0

Basic ASA Initialization - II

LAB 2 Default security policy modifications and ACL in ASA

Configure the Ip addressing as per following credentials

Configure a default route on both the sides pointing towards ASA

Netmetric CCNP Security Workbook 2.0

Basic ASA Initialization - II

Task 1 : Verify the Connectivity for telnet and ICMP

Lets make a connection of telnet from PC to Router R1

Netmetric CCNP Security Workbook 2.0

Basic ASA Initialization - II

We can see the default inspection policy in running configuration of device

Services available by default

Netmetric CCNP Security Workbook 2.0

Basic ASA Initialization - II

Netmetric CCNP Security Workbook 2.0

Basic ASA Initialization - II

Netmetric CCNP Security Workbook 2.0

ALC and Object Groups

LAB 3 Object Groups in ACL

Configure the Ip addressing as per following credentials

Configure a default route on both the sides pointing towards ASA

Netmetric CCNP Security Workbook 2.0

ALC and Object Groups

R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.10

Verify Routing and connectivity

Netmetric CCNP Security Workbook 2.0

ALC and Object Groups

Apply the access-list using access-group option in global configuration mode

Netmetric CCNP Security Workbook 2.0

ALC and Object Groups

Task 2 : Rewrite the above created access-list using objects groups

Using those object groups in access list

Application of access-list on interface inside in inbound direction

Network object group

Netmetric CCNP Security Workbook 2.0

ALC and Object Groups

Netmetric CCNP Security Workbook 2.0

Time Based Access control using ACL

LAB 4 Time Based ACL

Configure the Ip addressing as per following credentials

Configure a default route on both the sides pointing towards ASA

Netmetric CCNP Security Workbook 2.0

Time Based Access control using ACL

Create a Time range by above given credentials

ASA(config)# time-range t-range

Netmetric CCNP Security Workbook 2.0

Time Based Access control using ACL

Verify the configured Time-range