Академический Документы
Профессиональный Документы
Культура Документы
ASA Initialization
Uptime of device
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
ASA Initialization
From unprivileged mode we can issue few more commands like ping, traceroute and login etc.
but to make any changes on the device or to configure device we need to get into privileged mode of
that device. From Unprivileged mode issue enable command to get into privileged mode
ciscoasa> enable
Password:
ciscoasa#
The default password on ASA is Blank <null> hit Enter when prompted
When you are in privileged mode now you can start configuring your device, When you are in
privileged mode of ASA you can issue all the commands to device, to make some configuration on
device you need to get into configure mode, you can get into configure mode by issuing configure
terminal command in privileged mode
ciscoasa# configure terminal
ciscoasa(config)# enable password cisco123
ciscoasa(config)# hostname ASA
ASA(config)#
In the description of show version command you can view the licensing details of the device
which exhibits the capabilities of device functioning. ASA comes with two different licenses
Base License
Security plus License
By default ASA comes with Base License where few functions of ASA will be restricted or locked. To use
those functions we need to get an Activation Key from Cisco and Install it on Device.
ASA(config)# activation-key 0x000000000x000000000x000000000x00000000
The following features available in flash activation key are NOT
available in new activation key:
Failover is different.
flash activation key: Restricted(R)
new activation key: Unrestricted(UR)
Proceed with update flash activation key? [confirm]
Press Enter
WARNING: The running activation key was not updated with the requested key.
The flash activation key was updated with the requested key, and will become active after the next
reload.
ASA Initialization
Ip Address
192.168.1.10
10.1.1.10
172.16.1.10
Name
Outside
Inside
DMZ
Security Level
0
100
50
Simply like a router, Interface configuration in ASA is done from interface mode only.
ASA(config)# interface GigabitEthernet 0
ASA(config-if)# ip address 192.168.1.10 255.0.0.0
ASA(config-if)# no shutdown
ASA(config-if)# interface GigabitEthernet 1
ASA(config-if)# ip address 10.1.1.10 255.0.0.0
ASA(config-if)# no shutdown
ASA(config-if)# interface GigabitEthernet 2
ASA(config-if)# ip address 172.16.1.10
ASA(config-if)# no shutdown
But apart from configuring ip address in ASA we even have to configure Two more credentials
i.e. Name of interface and Trustiness of interface (Security Level). Where Name of the interface is the
any logical name (Like Inside, Outside, Private any name) given to the interface and throughout
configuration the interface will be called with that name not by their Physical names (Ethernet 0 or 1),
Assigning name to interface is mandatory. Even if you assign ip address until and unless you configure
name to it our interface will not function.
And security level is the value which defines the trustiness of an interface. The interface with
high security level value can communicate with low security value interfaces but low valued interface
cant initiate communication for high valued interfaces by default.
ASA(config-if)# interface GigabitEthernet 0
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# security-level 0
Verification
ASA(config-if)# show running-config ip
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.1.10 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.1.10 255.0.0.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 172.16.1.10 255.255.0.0
ASA Initialization
Interface
Ethernet 1
Ethernet 0
Fast Ethernet 0/0
Fast Ethernet 0/0
Name
Outside/0
Inside/100
---
Ip Address
10.1.1.10
192.168.1.10
192.168.1.1
10.1.1.1
Subnet Mask
255.0.0.0
255.255.255.0
255.255.255.0
255.0.0.0
As we have discussed above that ASA by default inspect all TCP and UDP traffic thats
why it allows only TCP and UCP communication whereas ICMP is not allowed by default
Because Telnet works with TCP protocol thats the reason your telnet connections are
allowed but default and not ICMP connections
Now check the connectivity from high security level to low security level i.e. from inside
to outside using ping
R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
If we see the output of the ping test then our ping packets are not being allowed even
from high security level to low security level where as per the basic rule of ASA its supposed to
allow that connection
Task 2 : Configure ASA to inspect ICMP traffic by modifying default inspection policy and
verify the Connectivity for ICMP
To modify this default inspection policy we have to get into that class
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)#
We can modify the policy after getting into that policy
To add ICMP inspection into the policy
ASA(config-pmap-c)# inspect icmp
As soon as we start ICMP inspection our ASA starts inspection of ICMP traffic and now
icmp traffic will flow from High security level to low security level
R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/80 ms
To remove any service from default inspection
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect icmp
As soon as we remove the inspection of ICMP again ICMP Traffic is not allowed to
transact
PC#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Task 3 : Configure ASA to allow ICMP traffic using Access-list. Dont modify default inspection
policy.
As we know ASA allow all the traffic from high security level to low security level by default
that means even ICMP echo packets which are initiated from inside subnet is allowed to go to outside
subnet. But the echo-reply packets which are sent in response to echo are will be blocked because they
are being initiated from low security level to high as there is no inspection for ICMP.
As we are interested in using access list let's not make any changes with inspection policy
than we can allow the ICMP packets from outside using Access-list
Here we are creating an access-list to allow icmp traffic
ASA(config)# access-list out_in permit icmp any any
Now we have to apply that access-list on outside interface in inbound direction so that all the
icmp traffic which is generated from that interface is allowed in to device
By this the echo-reply which is generated in respond to echoes from inside is allowed to go to
outside
ASA(config)# access-group out_in interface outside
Verification
R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/32/84 ms
Interface
GigabitEthernet0
GigabitEthernet1
Fast Ethernet 0/0
FastEthernet 0/0
Loopback 0
Loopback 1
Loopback 2
Name
Outside/0
Inside/100
------
Ip Address
10.1.1.10
192.168.1.10
10.1.1.1
192.168.1.1
21.1.1.1
22.1.1.1
23.1.1.1
Subnet Mask
255.0.0.0
255.255.255.0
255.0.0.0
255.255.255.0
255.0.0.0
255.0.0.0
255.0.0.0
Task 1 : Configure an Access-list on ASA to restrict the traffic from inside subnet to hosts
21.1.1.1 , 22.1.1.1 and 23.1.1.1 using http, ftp & telnet services.
We are very familiar with access-list and its services
But in ASA the access-list is little different from your router. In ASA we dont configure
access-list with numbers but we do it with Names
We have to configure multiple access-entries to achieve our required task
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq http
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq http
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq ftp
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq telnet
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq http
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq ftp
ASA(config)# access-list in-out deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq telnet
ASA(config)# access-list in-out permit ip any any
Creating a services type object group with tcp protocol as all our required services
(http, ftp & telnet) belongs to tcp.
ASA(config)# object-group service serv-obj tcp
ASA(config-service)# port-object eq http
ASA(config-service)# port-object eq ftp
ASA(config-service)# port-object eq telnet
Service object
Group
ASA(config)# access-list obj-acl permit tcp any object-group nw-host object-group serv-obj
Name of ACL
Verification
ASA(config)# show run object-group
object-group network nw-host
network-object host 21.1.1.1
network-object host 22.1.1.1
network-object host 23.1.1.1
object-group service serv-obj tcp
port-object eq www
port-object eq ftp
port-object eq telnet
ASA(config)# show access-list
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 object-group nw-host object-group serv-obj
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq www
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq ftp
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 21.1.1.1 eq telnet
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq www
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq ftp
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 22.1.1.1 eq telnet
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq www
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq ftp
access-list obj-acl line 1 extended deny tcp 10.0.0.0 255.0.0.0 host 23.1.1.1 eq telnet
R1#telnet 21.1.1.1
Trying 21.1.1.1 ...
% Connection refused by remote host
R1#telnet 22.1.1.1
Trying 22.1.1.1 ...
% Connection refused by remote host
R1#telnet 23.1.1.1
Trying 23.1.1.1 ...
% Connection refused by remote host
Interface
GigabitEthernet0
GigabitEthernet1
Fast Ethernet 0/0
FastEthernet 0/0
Name
Outside/0
Inside/100
---
Ip Address
10.1.1.10
192.168.1.10
10.1.1.1
192.168.1.1
Subnet Mask
255.0.0.0
255.255.255.0
255.0.0.0
255.255.255.0
Task 1 : Configure an access-list by the name Time-Acl to permit the entire host from inside
subnet to outside only from 10:00 am to 05:00 pm in between 1 Oct 2011 to 31 Oct 2011
Steps to configure:
By the above command we have created a time-range with the name t-range. After
creating the time range we have to configure the time range as per given credentials.
To define the date of time-range we use absolute option
ASA(config-time-range)# absolute start 00:00 1 Oct 2012 end 00:00 31 Oct 2012
ASA(config-time-range)#
When we are using absolute option to define the time in time range as soon as the end
time meets the access-list will be invalid forever. To define a periodic time we use option
periodic
ASA(config-time-range)# periodic daily 10:00 to 17:00
ASA(config-time-range)#
Using Periodic option in time range we define our clock time in 24 hours format.
ASA(config-time-range)# periodic daily 10:00 to 17:00
ASA(config-time-range)#exit
Interface
Name
Ip Address
Subnet Mask
GigabitEthernet0
Outside/0
10.1.1.10
255.0.0.0
GigabitEthernet1
Inside/100
192.168.1.10
255.255.255.0
Fast Ethernet 0/0 - 10.1.1.1
255.0.0.0
FastEthernet 0/0
-192.168.1.1
255.255.255.0
NIC
-10.1.1.5
255.0.0.0
Configure a default route on both the sides pointing towards ASA
R1#ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/25/60 ms
R1#telnet 10.1.1.10
Trying 10.1.1.10 ...
% Connection timed out; remote host not responding
Verification:
R1#telnet 10.1.1.10
Trying 10.1.1.10 ... Open
Welcome to CCNP Security Lab of ASA Firewall
User Access Verification
Password: cisco
Type help or '?' for a list of available commands.
ASA>
Default password for telnet access to ASA is set as cisco
R2#telnet 192.168.1.10
Trying 192.168.1.10 ...
% Connection timed out; remote host not responding
Telnet access from outside interface is still not allowed
R1#telnet 10.1.1.10
Trying 10.1.1.10 ... Open
Welcome to CCNP Security Lab of ASA Firewall
User Access Verification
Password:netadmin
Type help or '?' for a list of available commands.
ASA>
Task 4 : Create a user Account on ASA and configure ASA to accept telnet connection on basis
of user accounts
Creating User Account on ASA
ASA(config)# username user1 password cisco123
Verification:
R1#telnet 10.1.1.10
Trying 10.1.1.10 ... Open
User Access Verification
Username: user1
Password: cisco123
Type help or '?' for a list of available commands.
ASA>
Task 5 : Configure ASA to allow the SSH access from outside interface for any one with user
account
As SSH make use of encryption its must that we generate RSA keys to activate SSH over
any device
Generating RSA Keys
ASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
SSH can be accessed only using user account only thus create a user account for
accessing of SSH and configure SSH authentication for Local database.
Verify existence of a user account if account is not available create a new account
ASA(config)# username user1 password cisco123
Set the SSH authentication system to LOCAL dataase
ASA(config)# aaa authentication ssh console LOCAL
Allow SSH access for everyone from outside interface
ASA(config)# ssh 0.0.0.0 0.0.0.0 outside
SSH can be initiated from any address over outside interface as the default network is
permitted.
Verification:
R2#ssh -l user1 192.168.1.10
Password:cisco123
Type help or '?' for a list of available commands.
ASA>
Task 6 : Enable HTTP Access of ASA and access firewall using Cisco ASDM.
Enable the access of HTTP over ASA
ASA(config)# http server enable
Even after enabling HTTP services over ASA, ASA does not allow anyone to access its
ASDM Administrator need to authorize the users for access of ASDM (GUI)
Authorizing user 10.1.1.5 to access HTTP
ASA(config)# http 10.1.1.5 255.255.255.255 inside
If user account is not available create an user account
ASA(config)# username user1 password cisco123
After Downloading and installing ASDM Launcher to computer Run Cisco ASDM Launcher
Provide the mandatory details such as Device address, username and password
Device
ASA
ASA
ASA
R1
R1
R1
R2
R2
R2
R3
R3
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Loopback 1
Fast Ethernet 0/0
Loopback 0
Loopback 1
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
---------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
12.12.12.12
192.168.1.1
22.22.22.22
23.23.23.23
172.16.1.1
33.33.33.33
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.0.0.0
255.255.0.0
255.255.255
Task 1 : Configure Static Routes over ASA to make the subnets over outside interface reachable.
Verification:
ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
S
C
S
C
C
Task 3 : Configure a Default Route on ASA to make all the Destinations reachable via Router R2
192.168.1.1
Task 4 : Configure RIP between Router R1 and ASA and make loopback addresses on Router R1
Reachable from ASA
Configuring RIP over ASA
ASA(config)# router rip
ASA(config-router)# network 10.0.0.0
ASA(config-router)# version 2
Configuring RIP over Router R1
R1(config)#router rip
R1(config-router)#network 11.0.0.0
R1(config-router)#network 12.0.0.0
R1(config-router)#network 10.0.0.0
R1(config-router)#version 2
Verification:
ASA(config-router)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
C
C
R
R
C
S*
Task 5: Configure EIGRP AS 100 Between ASA and Router R3 and make loopback addresses on R3
reachable by ASA
Hold
(ms)
14
Uptime
Cnt
00:00:51
SRTT
Num
20
RTO Q Seq
200 0 3
Task 6: Configure OSPF process 1 on outside interface of ASA and Router R2.
Configuring OSPF over ASA
ASA(config)# router ospf 1
ASA(config-router)# network 192.168.1.0 255.255.255.0 a 0
Advertise networks in OSPF Using subnet mask as ASA never use Wildcard Bits in configurations
R2(config)#router ospf 1
R2(config-router)#network 192.168.1.0 0.0.0.255 a 0
R2(config-router)#network 22.0.0.0 0.255.255.255 area 0
R2(config-router)# network 23.0.0.0 0.255.255.255 area 0
ASA(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
* - candidate default, U - per-user static route, o - ODR
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
D
O
C
O
C
R
R
C
S*
Neighbor ID
23.23.23.23
Pri State
1 FULL/DR
192.168.1.1
Interface
inside
Task 7 : Redistribute the Routing information between RIP and EIGRP and verify the routing updates
Redistributing EIGRP into RIP
ASA(config)# router rip
ASA(config-router)# redistribute eigrp 100
ASA(config-router)# redistribute eigrp 100 metric 2
Redistributing RIP into EIGRP
ASA(config)# Router eigrp 100
ASA(config-router)# redistribute rip metric 128000 100 150 150 2000
Verification:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
* - candidate default, U - per-user static route
Gateway of last resort is 10.1.1.10 to network 0.0.0.0
R
R
C
C
C
S*
R3#show ip route
Codes: C - connected, S - static, D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
* - candidate default.
Gateway of last resort is 172.16.1.10 to network 0.0.0.0
C 33.0.0.0/8 is directly connected, Loopback0
C 172.16.0.0/16 is directly connected, FastEthernet0/0
D EX 10.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0
D EX 11.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0
D EX 12.0.0.0/8 [170/307200] via 172.16.1.10, 00:02:34, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 172.16.1.10
Configure
addressing as per
the Ip
following credentials
Device
ASA
ASA
ASA
R1
R1
R2
R2
R3
R3
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
-------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
192.168.1.1
22.22.22.22
172.16.1.1
33.33.33.33
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
255.255.255
Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside
interface towards outside .
When Ever a single IP is translated to another IP and translation of which is defined by
administrator manually it's called as Static Translation
Over ASA 8.0 all static translations are defined using STATIC keyword,
Configuring Static Translations over ASA
ASA80(config)# static (inside,outside) 55.56.57.58 10.1.1.1
Verification:
To view the current translations on ASA
ASA80(config)# show xlate
1 in use, 1 most used
Global 55.56.57.58 Local 10.1.1.1
Task 2 : Configure ASA such that it statically translate address 10.1.1.1 to 71.72.73.74 from inside
interface towards DMZ.
ASA80(config)# static (inside,DMZ) 71.72.73.74 10.1.1.1
Verification:
ASA80(config)# show xlate
2 in use, 2 most used
Global 71.72.73.74 Local 10.1.1.1
Global 55.56.57.58 Local 10.1.1.1
Task 3 : Clear All the Static Translations Over ASA
To clear all the static translations over ASA at once
ASA80(config)# clear configure static
Verification:
ASA80(config)# show xlate
0 in use, 2 most used
Task 4 : Translate all the Host in 10.0.0.0/8 subnet to an ip address pool 172.16.1.50 - 172.16.1.60
when the traffic of inside interface destinies to any ip of DMZ subnets.
when ever we want to translate a group of address to another group we make use of dynamic
translation.
Process of Dynamic Address Translation is divided into two Steps
Task 5: Translate all the Host connected to inside interface to an single ip address 192.168.1.99 when
the traffic of inside interface destinies to any ip of Outside subnet
PAT : Whenever we translate multiple IP Address with single IP Along with IP addresses even port
numbers get translated such translations are defined as Port Address Translations
To Translate All the traffic we can use the default subnet
ASA80(config)# nat (inside)
0.0.0.0 0.0.0.0
In ASA we have privilege to replace default subnet 0.0.0.0 with a single "0" thus above statement
can be even defined as follows
ASA80(config)# nat (inside) 5 0
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
-------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
192.168.1.1
22.22.22.22
172.16.1.1
33.33.33.33
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
255.255.255
Task 1 : Configure ASA to enforce translation over all the traffic such that only traffic which is
translated should bypass ASA rest should be denied.
A Special feature of PIX device was to enforce the translation on all the traffic, which has been
even inherited into ASA 8.0 by name NAT-CONTROL
Before Enabling NAT-CONTROL
R1#ping 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/51/104 ms
R1#ping 33.33.33.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/140 ms
To enable NAT control over ASA
ASA80(config)# nat-control
Verification:
R1#ping 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 33.33.33.33 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)
Task 2 : Bypass the host 10.1.1.1 from Nat-Control and make sure that the host can communicate to
any other subnet without translation even when NAT Control is enabled.
NAT with ID 0 is dedicated to define no address translation, when ever NAT is to be bypassed for
some host or subnets we need to define them in Nat option only with id "0"
Task 3 : Translate traffic of 11.11.11.11 from inside subnet to 202.11.59.19 when it destinies only to
host 23.23.23.23 on outside interface
Whenever a condition is added into translations such translations are known as Policy based
translations where we define the desired condition of translation using an access-list
Creating Access-list to define the condition of translation
ASA80(config)# access-list nat1 permit ip host 11.11.11.11 host 23.23.23.23
we have created an access by name nat1 which map the traffic between host 11.11.11.11 to
23.23.23.23
Binding that access-list to NAT statement and enforcing translations only on access-list
ASA80(config)# nat (inside) 9 access-list nat1
ASA80(config)# global (outside) 9 202.11.59.19
INFO: Global 202.11.59.19 will be Port Address Translated
Verification:
R1#ping 23.23.23.23 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/71/132 ms
ASA80(config)# show xlate
3 in use, 3 most used
PAT Global 202.11.59.19(58154) Local 11.11.11.11 ICMP id 41
The Same Host can't reach other destinations as they are not matching ACL in nat option.
R1#ping 22.22.22.22 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
-------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
192.168.1.1
22.22.22.22
172.16.1.1
33.33.33.33
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
255.255.255
Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside
interface towards outside .
For all the translations we need to create objects defining the traffic participating in translations
and the translation are applied over the objects not on traffic directly.
For purpose of Translations specially two types of objects have been introduced
Network
Service
Task 2 : Configure ASA such that it statically translate address 10.1.1.1 to 71.72.73.74 from inside
interface towards DMZ.
Creating Object to define new mapped ip address
ASA84(config)# object network map-dmz
ASA84(config-network-object)# host 71.72.73.74
ASA84(config-network-object)# exit
Defining Translation
ASA84(config)# nat (inside,DMZ) source static host-in map-dmz
Verification:
ASA84(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:55.56.57.58
flags s idle 0:13:44 timeout 0:00:00
NAT from inside:10.1.1.1 to DMZ:71.72.73.74
flags s idle 0:01:14 timeout 0:00:00
ASA84(config)# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static host-in mapped-out
translate_hits = 0, untranslate_hits = 0
2 (inside) to (DMZ) source static host-in map-dmz
translate_hits = 0, untranslate_hits = 0
ASA84(config)# show run nat
nat (inside,outside) source static host-in mapped-out
nat (inside,DMZ) source static host-in map-dmz
Task 3 : Clear All the Static Translations Over ASA
ASA84(config)# clear configure nat
Task 4 : Translate all the Host in 10.0.0.0/8 subnet to an ip address pool 172.16.1.50 - 172.16.1.60
when the traffic of inside interface destinies to any ip of DMZ subnets.
ASA84(config)# object network subnet-in
ASA84(config-network-object)# subnet 10.0.0.0 255.0.0.0
ASA84(config)# object network isp-range
ASA84(config-network-object)# range 172.16.1.50 172.16.1.60
Defining Translations
ASA84(config)# nat (inside,DMZ) source dynamic subnet-in isp-range
ASA84(config)# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to DMZ:172.16.1.59 flags i idle 0:00:13 timeout 3:00:00
ASA84(config)# show nat
Manual NAT Policies (Section 1)
1 (inside) to (DMZ) source dynamic subnet-in isp-range
translate_hits = 5, untranslate_hits = 0
Task 5: Translate all the Host connected to inside interface to an single ip address 192.168.1.99 when
the traffic of inside interface destinies to any ip of Outside subnet
creating a new object to define the mapped address
ASA84(config)# object network pat-ip
ASA84(config-network-object)# host 192.168.1.99
ASA84(config-network-object)# exit
Defining Translation
ASA84(config)# nat (inside,outside) source dynamic any pat-pool pat-ip
Verification:
ASA84(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:10.1.1.1/52 to outside:192.168.1.99/52 flags ri idle 0:00:06 timeout 0:00:30
Interface
GigabitEthernet0
GigabitEthernet1
GigabitEthernet2
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback 0
Fast Ethernet 0/0
Loopback
Name
Outside/0
Inside/100
DMZ/50
-------
Ip Address
10.1.1.10
192.168.1.10
172.16.1.10
10.1.1.1
11.11.11.11
192.168.1.1
22.22.22.22
172.16.1.1
33.33.33.33
Subnet Mask
255.0.0.0
255.255.255.0
255.255.0.0
255.0.0.0
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
255.255.255
Task 1 : Configure ASA such that it statically translate address 10.1.1.1 to 55.56.57.58 from inside
interface towards outside using ASA auto NAT .
Task 2 : Configure ASA to translate any IP address sourced from any interface to the outside interface
ip of ASA.
ASA84(config)# nat (any,outside) source dynamic any interface
above option translate any IP sourcing any interface destinies to outside to IP address which is
assigned on interface outside.
ASA84(config)# show nat
Manual NAT Policies (Section 1)
1 (any) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
R3#ping 22.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/48 ms
ASA84(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:55.56.57.58
flags s idle 0:19:55 timeout 0:00:00
ICMP PAT from any:172.16.1.1/0 to outside:192.168.1.10/31798 flags ri idle 0:00:04 timeout 0:00:30
Task 1 : Configure ASA such that it filters all the web traffic for inside subnet and drops the packets
which contain the java program
ASA make use of option filter to filter a specific data type in a service.
ASA(config)# filter java http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
Service to be filtered
Inside Subnet
Outside Subnet
Any host from 10.0.0.0/8 subnet can't download or upload any java program
Task 2: Configure ASA such that it filters all the web and FTP traffic on all subnets and drops the
packets which contain the Active-x program.
Task 3 :Configure a web sense URL Filter server in Inside subnet on ip address of 10.0.1.11. Make
configurations on ASA such that it filters all the web traffic from inside subnets for URL using that URL
Filter server
ASA is not so flexible in filtering URLs on it more granularly, so ASA make help from other
supporting URL Filters to filter the web traffic for their URL.
ASA support only two URL Filters namely web sense & smart filter.
ASA(config)# url-server (inside) vendor websense host 10.0.1.11
ASA(config)# filter url http 1.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0
Ip Address
192.168.1.10
10.1.1.10
172.16.1.10
Name
Outside
Inside
DMZ
Security Level
0
100
50
Device
R1
R2
Interface
FastEthernet 0/0
Fast Ethernet 0/0
Ip Address
10.0.1.10
192.168.1.10
Subnet Mask
255.0.0.0
255.255.255.0
R3
172.16.0.10
255.255.0.0
TASK 1
Configure ASA to catch the traffic from inside subnet and restrict the bandwidth usage to 8000
bits per second when its destination is R2
Steps to configure:1. Create a class-map
2. Create a policy-map
3. Define Service-policy
A class-map is a tool used to catch interesting on more granular level where we are allowed not
only to catch interesting traffic on the basis of layer 3 addresses (ip address) but even we can catch the
traffic not only by access-list but even by Its Precedence, Tunnel group, RTP and DSCP values as well.
Create an access-list to define flow of traffic here we want to catch the traffic when its starting
from Inside subnet and visiting Site-A
ASA(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
Create a class-map with any name and call the access-list in class-map
ASA(config)# class-map c-map
ASA(config-cmap)# match access-list 101
ASA(config-cmap)# exit
Now we are done with catching of interesting traffic then our next step is to define the action
over that interesting traffic to do that we are creating a policy-map
Policy map is a place where we define our desired action on the cached interesting traffic where
you have more granular options available apart from permitting and denying traffic. You have actions
like police, priority and inspect etc...
ASA(config)# policy-map p-map
We created a policy map with the name p-map here then under that policy-map we are
calling the class-map which we created. By this well binding our class-map and our policy-map then we
define the action over that
ASA(config-pmap)# class c-map
ASA(config-pmap-c)# police input 8000
Final step our configuration is to apply the created policy here we can apply the policy over a
single interface or globally over all interfaces
ASA(config)# service-policy p-map interface outside
Verification
We can verify our applied policy by generating an extended Ping for the destination of Site-A
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.10
Repeat count [5]: 30
Datagram size [100]: 1000
Increase the size of datagram to generate huge traffic
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 30, 1000-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!.!!.!!.!.!!.!.!!.!!.!.!!.!!.
Here we can observe the packet drop when they are exceeding policy
Success rate is 63 percent (19/30), round-trip min/avg/max = 20/59/92 ms
If we further Increase the size of datagram then more packets gets droped
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.10
Repeat count [5]: 30
Datagram size [100]: 2000
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 30, 2000-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!.!..!..!...!...!...!..!...!..
Success rate is 30 percent (9/30), round-trip min/avg/max = 56/72/92 ms
TASK 2
Configure ASA to catch the telnet traffic from inside subnet and prioritize that when its
destination is R3
Create a class map to catch telnet traffic here I am catching the traffic using an extended ACL
ASA(config)#access-list 102 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0eq telnet
Now we can apply that policy-map over interface dmz as we have configured the priority-queue
over that interface
ASA(config)# service-policy inspect-telnet interface dmz
Virtual Firewalls
Context 1
Context 2
Connect your firewall using console port and start configuring the virtual firewalls
Before making your ASA into virtual firewall make sure that you take backup of your all running
configuration, because when you change the mode of your ASA into virtual firewalls or from virtual firwall to
single mode, you will lose all the running configuration of your device.
Even if you wont take the backup by default your ASA saves the current running configuration to the flash of
ASA with file name as old_running.cfg
Virtual Firewalls
Virtual Firewalls
Virtual Firewalls
Task 1
Create two context by the names CTX1 and CTX2 and allocate two interfaces to each context and
assign IP Addresses to the interfaces as per below credentials. And save the configuration of those contexts
in flash with respective names of context.
CTX 1
CTX 2
Interface
Ethernet 0
Ethernet 1
Ethernet 2
Ethernet 3
IP Address
1.1.1.1
192.168.1.1
2.2.2.2
172.16.1.1
Subnet Mask
255.0.0.0
255.255.255.0
255.0.0.0
255.255.0.0
Security level
100
0
100
0
Name of interface
Inside
Outside
Inside
Outside
Virtual Firewalls
Virtual Firewalls
URL
flash:/admin.cfg
flash:/CTX1
flash:/CTX2
Virtual Firewalls
Task 2
Configure context CTX1 to inspect icmp and configure an access-list to deny any traffic from inside to
outside subnets
Steps to configure: Get into specific context
Then apply the desired rules
ciscoasa(config)# changeto context CTX1
ciscoasa/CTX1(config)# policy-map global_policy
ciscoasa/CTX1(config-pmap)# class inspection_default
ciscoasa/CTX1(config-pmap-c)# inspect icmp
PC-A#ping192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/22/40 ms
As soon as the inspection of icmp is on we can see that icmp traffic is allowed to transact
ciscoasa/CTX1(config)# changeto context CTX2
ciscoasa/CTX2(config)# access-list 101 deny ip any 172.16.0.0 255.255.0.0
ciscoasa/CTX2(config)# access-group 101 in interface inside
R2#ping 172.16.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
We can see here no traffic is being allowed from inside to outside subnets but still the traffic from PC
is allowed to R1
PC-A#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/27/64 ms
As we did this configuration on context CTX2 it will not effect on other context CTX1by this we can
conclude that each context maintains its own configurations
Transparent Firewall
Transparent Firewall
LAB Topology
Device
R1
R2
Interface
Fast Ethernet 0/0
FastEthernet 0/0
Ip Address
10.1.1.1
10.1.1.2
Subnet Mask
255.0.0.0
255.0.0.0
Task 1 : Configure ASA as Transparent Firewall and Assign the interface credentials as follows
Create a Transparent Firewall Interface (Bridge Virtual Interface) for management and
activation of device and assign IP Address 10.1.1.10
Interface
Giga Ethernet 0
Giga Ethernet 1
Name
Outside
Inside
Security level
0
100
failover configuration
LAB TOPOLOGY
Device
R1
R2
Interface
Fast Ethernet 0/0
FastEthernet 0/0
Ip Address
10.1.1.1
192.168.1.1
Subnet Mask
255.0.0.0
255.0.0.0
Task 1 : Configure Failover for ASA such that when ASA1 crashes ASA2 should automatically
replace itself with ASA1
Before proceeding with failover configuration make sure Devices are licensed for it.
ASA1(config)# show version | grep Failover
Failover
: Active/Active
ASA2(config)# show version | grep Failover
Failover
: Active/Active
While making failover configuration make sure you define a standby IP Address over
every interface.
ASA1(config)# interface GigaEthernet0
ASA1(config-if)# no shutdown
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.1.10 255.255.255.0 standby 192.168.1.7
After making Basic ASA interface configuration start making Failover Interface
the interface which is being dedicated for failover should enabled
ASA1(config-if)# interface GigaEthernet 2
ASA1(config-if)# no shutdown
Here Interface GigaEthernet 2 is being dedicated for failover
Enable Failover and define ASA1 as primary unit.
ASA1(config)# failover lan enable
ASA1(config)# failover lan unit primary
Define the interface name which is being used as failover interface and allocate a logical
name to that interface and assign an unused IP address to the interface
ASA1(config)# failover lan interface failint GigaEthernet 2
INFO: Non-failover interface config is cleared on GigaEthernet 2 and its sub-interfaces
ASA1(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7
ASA1(config)# failover
As soon we issue command failover it activates the failover and look for the mate
ASA2(config)# .
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate
ASA1# sh failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failint GigaEthernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 08:37:46 UTC Nov 25 2012
This host: Primary - Active
Active time: 585 (sec)
Interface outside (192.168.1.10): Normal
Interface inside (10.1.1.10): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (192.168.1.7): Normal
Interface inside (10.1.1.7): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.
rcv
8
8
0
0
0
0
0
0
0
0
0
0
0
0
rerr
0
0
0
0
0
0
0
0
0
0
0
0
0
0
failover configuration
LAB TOPOLOGY
Device
R1
R2
R3
R4
Interface
Fast Ethernet 0/0
FastEthernet 0/0
FastEthernet 0/0
FastEthernet 0/0
Ip Address
10.1.1.1
192.168.1.1
11.1.1.1
172.16.1.1
Subnet Mask
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
Interface
GigaEthernet 0
GigaEthernet 1
GigaEthernet 2
GigaEthernet 3
Config-Url
Flash:/ctx1
Flash:/ctx2
Interface
GigaEthernet 0
GigaEthernet 1
GigaEthernet 2
GigaEthernet 3
Nameif
Outside
Inside
Inside
Outside
IP Address
192.168.1.10
10.1.1.10
11.1.1.10
172.16.1.10
Standby IP
192.168.1.11
10.1.1.11
11.1.1.11
172.16.1.11
Task 4 : Configure Failover on Such that Context ctx1 should be active on ASA1 and CTX2
should be active on ASA2
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface failint g4
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA1(config)# failover link failint g4
ASA1(config)# failover interface ip failint 7.7.7.1 255.0.0.0 standby 7.7.7.7
ASA1(config)# failover
Create Failover Groups and associate context to each group
ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# exit
ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# exit
Associating Groups to context created so that ctx1 can be primary and ctx2 should be
secondary on ASA1
ASA1(config)# context ctx1
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# exit
ASA1(config)# context ctx2
ASA1(config-ctx)# join-failover-group 2
ASA1(config-ctx)# exit
Points to Remember:
LAB Topology
In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B
Respectively and R2 is acting as Internet
Loopbacks here demonstrates Local LAN
Interface Configuration on Router
Device
R1
R1
R2
R2
R3
R3
Interface
F0/0
loopback
F0/0
F0/1
F0/0
loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3
Verification for routing
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
Task 1 : Configure a IPSec site-to-site vpn between R1 and R3 to make the secure connection between
LAN of R1 (11.11.11.11) and R3(33.33.33.33)
Process of making an IPSec VPN can be simplified by following the sequence of configuration.
o
o
o
o
o
Define ISAKMP Credentials, the credentials which are to be used for Key Exchange
Define IPSec Credentials, which are used in data Exchange
Define interesting traffic using an access-list
Map all the credentials of VPN in a crypto map
Apply the Map on Interface
Defining ISAKMP Policy which is also called as phase 1 parameters of VPN
As per task our interesting traffic is sourced from 11.11.11.11 and destinies at 33.33.33.33
definition of it can be done by an simple extended access-list
Over other side we need to define exactly the same credentials of phase 1 & 2 without any
change but difference in names of policies and transform-set is negligible.
R3(config)#crypto isakmp enable
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#hash md5
R3(config)#crypto isakmp key netmetric address 1.1.1.1
Verification
Generating Interesting Traffic
R1#ping 33.33.33.33 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms
As soon as VPN starts the traffic between two local LAN starts Transactions.
R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn-net, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pktscompr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0
current outbound spi: 0x0(0)
R1#sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 2.2.2.2 port 500
IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active
IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255
Task 2 : Modify Existing VPN connection to secure the telnet access between two peers
An IPSec VPN Always catch interesting traffic based on crypto ACL (Access-list matched in crypto map is
termed as crypto ACL) , Whatever traffic is supposed to pass through VPN it need to added into ACL
Modifying Access-list of Router R1
R1(config)#access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
Task 3 : Imagine there is one more Peer by name Site C (R4) at ip address 3.3.3.3 with loopback ip
address 55.55.55.55, Secure the Access between Loopbacks of R1 and R4.
Create a new Access-list for catching traffic between Loopbacks
R1(config)#access-list 102 permit ip host 11.11.11.11 host 55.55.55.55
Create a Crypto map with same name but different ID ( No Need to Add a Different named VPN
Map as you can not apply more than one Map on an interface)
R3(config)#crypto map vpn-map 11 ipsec-isakmp
R3(config-crypto-map)#set peer 3.3.3.3
R3(config-crypto-map)#set transform-set
t-set-1
R3(config-crypto-map)#match address 102
LAB - 2 Making Site to Site IPSec Virtual Private Network Over ASA
LAB Topology
In Above topology two ASA are acting as border devices of two sites Site A & Site B
Respectively and R2 is acting as Internet where as Router R1 and Router R3 are Local LAN of their
respective sites
Interface Configuration on Router
Device
ASA Site A
ASA Site A
ASA Site B
ASA Site B
R1
R3
Interface
E0/0
E0/1
E0/0
E0/1
F0/0
F0/0
Name-if
Outside
Inside
Outside
Inside
-- --- --
Ip Address
1.1.1.1
11.11.11.10
2.2.2.2
33.33.33.10
11.11.11.11
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices Site ASA
Verification for routing
ciscoasa-site-A# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 msR3#ping 1.1.1.1
ciscoasa-Site-B# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/74/90 ms
Task 1 : Configure a IPSec site-to-site vpn between Site A and Site B to make the secure connection
between LAN of R1 (11.11.11.11) and R3(33.33.33.33)
By default ISAKMP services are disabled in ASA we need to enable the ISAKMP Services,
In ASA > 8.3 ISAKMP is termed as IKEv1 and IKEv2
IKEv1 is dedicated for Site to Site and IPSec VPN and IKEv2 for SSL VPN, As we are working with
Site to Site VPN we need to enable IKEv1 here
ciscoasa-site-A(config)# crypto ikev1 enable Outside
Configure all the Credentials of ISAKMP in a policy
ciscoasa-site-A(config)# crypto ikev1 policy 10
ciscoasa-site-A(config-ikev1-policy)# encryption aes
ciscoasa-site-A(config-ikev1-policy)# hash sha
ciscoasa-site-A(config-ikev1-policy)# group 2
ciscoasa-site-A(config-ikev1-policy)# authentication pre-share
ciscoasa-site-A(config-ikev1-policy)# lifetime 6000
Defining Pre-share key using Tunnel Group options
A tunnel group specially designed to define the attributes related to VPN and its Functionality, The name
of tunnel group of type L2L should be always the Peer Address
ciscoasa-site-A(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ciscoasa-site-A(config)# tunnel-group 2.2.2.2 ipsec-attributes
ciscoasa-site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
Configure IPSec Credentials for both devices
ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac
Definition of Interesting Traffic using Access-list
ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
Create a Crypto map and bind all the credentials with that MAP
ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2
ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set
ciscoasa-site-A(config)# crypto map mymap 10 match address 101
Apply The MAP on interface facing to Internet
ciscoasa-site-A(config)# crypto map mymap interface Outside
Verification
Initiating a Connection from Router R1 destinies to Router R3 which is as per interesting traffic of VPN
R1#ping 33.33.33.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/102/144 ms
Verification of ISAKMP functionality
ciscoasa-site-A# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
Verification if IPSec Functionality
ciscoasa-site-A# show crypto ipsec sa
interface: Outside
Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1
access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 80
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 58, media mtu 1500
Points to Remember:
Whenever the authentication of VPN is set to Digital Certificates Peers Exchange there
certificates As Soon as they confirm that the issuer is same for both the certificates they form vpn with
each other
LAB Topology
In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B
Respectively and R2 is acting as Internet as well as Certificate Authority.
Loopbacks here demonstrates Local LAN
Interface Configuration on Router
Device
R1
R1
R2
R2
R3
R3
Interface
F0/0
loopback
F0/0
F0/1
F0/0
loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3
Verification for routing
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
Task 1 : Configure Router R1 to Act as Certificate Authority, and request Certificates From Router R1
and R3
Prerequisite
Make sure that you have enabled HTTP services on the router which is acting as CA Server
And Ensure proper clock is synchronized between peers and Server before making CA
Thus Configure NTP on all the Routers Participating in VPN and make sure they are sync.
Verification
R1#show clock
11:41:56.595 UTC Sat Jan 5 2013
R2#show clock
11:42:02.871 UTC Sat Jan 5 2013
R3#show clock
11:42:04.805 UTC Sat Jan 5 2013
R2(config)#ip http server
R2#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
once verify the services and pre-requisite start making router R2 as Certificate Authority (CA)
R2(config)#crypto pki server ios_ca
R2(cs-server)#grant auto
R2(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:********
Re-enter password:********
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
Jan 5 15:00:57.435: %SSH-5-ENABLED: SSH 1.99 has been enabled
% Certificate Server enabled.
Jan 5 15:01:00.063: %PKI-6-CS_ENABLED: Certificate server now enabled.
To enroll a certificate on Router R1 create a Trust point where all the properties of local Router and
address of CA is to be defined
R1(config)#crypto pki trustpoint ca_r1
R1(ca-trustpoint)#enrollment url http://1.1.1.2
R1(ca-trustpoint)#revocation-check none
After we define the CA Server Address we need get certificate from CA
To Enroll yourself and Get CA Certificate into your Router
R1(config)#crypto pki authenticate ca_r1
Certificate has the following attributes:
Fingerprint MD5: B853F5E4 1DEFC727 3C2FFF84 994AA49A
Fingerprint SHA1: 38F6ED36 A70ACE41 B20EE59E 81ABBCCC B8038ADD
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
To enroll the certificate from the CA Server
R1(config)#crypto pki enroll ca_r1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:*******
Re-enter password:*******
% The subject name in the certificate will include: R1.lab.local
% Include the router serial number in the subject name? [yes/no]: no
% The IP address in the certificate is 1.1.1.1
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate ca_r1 verbose' command will show the fingerprint.
Jan 5 15:51:37.984: %PKI-6-CERTRET: Certificate received from Certificate Authority
Task 2 : Configure a IPSec site-to-site vpn between R1 and R3 using PKI authentication to make the
secure connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33)
Process of making an IPSec VPN can be simplified by following the sequence of configuration.
o
o
o
o
o
Define ISAKMP Credentials, the credentials which are to be used for Key Exchange
Define IPSec Credentials, which are used in data Exchange
Define interesting traffic using an access-list
Map all the credentials of VPN in a crypto map
Apply the Map on Interface
Defining ISAKMP Policy which is also called as phase 1 parameters of VPN
As per task our interesting traffic is sourced from 11.11.11.11 and destinies at 33.33.33.33
definition of it can be done by an simple extended access-list
Over other side we need to define exactly the same credentials of phase 1 & 2 without any
change but difference in names of policies and transform-set is negligible.
R3(config)#crypto isakmp enable
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#authentication rsa-sig
R3(config-isakmp)#group 2
R3(config-isakmp)#hash md5
R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac
No Need to define any pre-share key as we are using Authentication as rsa-sig(i.e Digital
Certificates)
R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
R3(config)#crypto map vpn-map-2 10 ipsec-isakmp
R3(config-crypto-map)#set peer 1.1.1.1
R3(config-crypto-map)#set transform-set t-set-2
R3(config-crypto-map)#match address 101
R1(config)#int f 0/0
R1(config-if)#crypto map vpn-map-2
Verification
Generating Interesting Traffic
R1#ping 33.33.33.33 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms
As soon as VPN starts the traffic between two local LAN starts Transactions.
R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn-net, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pktsencaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pktsdecaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pktscompr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtuidb FastEthernet0/0
current outbound spi: 0x0(0)
R1#sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 2.2.2.2 port 500
IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active
IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255
LAB - 4 Making Site to Site IPSec VPN Over ASA with PKI
LAB Topology
In Above topology two ASA are acting as border devices of two sites Site A & Site B
Respectively and R2 is acting as Internet as well as a CA server where as Router R1 and Router R3 are
Local LAN of their respective sites
Interface Configuration on Router
Device
ASA Site A
ASA Site A
ASA Site B
ASA Site B
R1
R3
Interface
E0/0
E0/1
E0/0
E0/1
F0/0
F0/0
Name-if
Outside
Inside
Outside
Inside
-- --- --
Ip Address
1.1.1.1
11.11.11.10
2.2.2.2
33.33.33.10
11.11.11.11
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices Site ASA
Verification for routing
ciscoasa-site-A# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/72/150 msR3#ping 1.1.1.1
ciscoasa-Site-B# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/74/90 ms
Task 1 : Configure Router R2 as CA server and Enroll ASA Site A and Site B to that CA Server
To enroll a certificate on ASA2 create a Trust point where all the properties of ASA2 is configured and
address of CA is to be defined
Task 2 : Configure a IPSec site-to-site vpn between Site A and Site B using PKI to make the secure
connection between LAN of R1 (11.11.11.11) and R3(33.33.33.33)
By default ISAKMP services are disabled in ASA we need to enable the ISAKMP Services,
In ASA > 8.3 ISAKMP is termed as IKEv1 and IKEv2
IKEv1 is dedicated for Site to Site and IPSec VPN and IKEv2 for SSL VPN, As we are working with
Site to Site VPN we need to enable IKEv1 here
ciscoasa-site-A(config)# crypto ikev1 enable Outside
Configure all the Credentials of ISAKMP in a policy
ciscoasa-site-A(config)# crypto ikev1 policy 10
ciscoasa-site-A(config-ikev1-policy)# encryption aes
ciscoasa-site-A(config-ikev1-policy)# hash sha
ciscoasa-site-A(config-ikev1-policy)# group 2
ciscoasa-site-A(config-ikev1-policy)# authentication rsa-sig
ciscoasa-site-A(config-ikev1-policy)# lifetime 6000
As we have certificates as authentication no need to define pre-share key
Configure IPSec Credentials for both devices
ciscoasa-site-A(config)# crypto ipsec ikev1 transform-set t-set esp-3des esp-md5-hmac
Definition of Interesting Traffic using Access-list
ciscoasa-site-A(config)# access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
Create a Crypto map and bind all the credentials with that MAP
ciscoasa-site-A(config)# crypto map mymap 10 set peer 2.2.2.2
ciscoasa-site-A(config)# crypto map mymap 10 set ikev1 transform-set t-set
ciscoasa-site-A(config)# crypto map mymap 10 match address 101
Apply The MAP on interface facing to Internet
ciscoasa-site-A(config)# crypto map mymap interface Outside
Verification
Initiating a Connection from Router R1 destinies to Router R3 which is as per interesting traffic of VPN
R1#ping 33.33.33.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/102/144 ms
Verification of ISAKMP functionality
ciscoasa-site-A# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
Verification if IPSec Functionality
ciscoasa-site-A# show crypto ipsec sa
interface: Outside
Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1
access-list 101 extended permit ip host 11.11.11.11 host 33.33.33.33
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 442, #pkts decrypt: 362, #pkts verify: 442
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 80
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 58, media mtu 1500
Points to Remember:
GRE is an only tunneling protocol which is used to form a tunnel between two sites
GRE provides only Encapsulation service by Preparatory GRE protocol which is at no.47 in TCP/IP Suite
It adds an extra interface for each peer which allows us to configure Routing and QoS
GRE do not support and Encryption or Hashing Service so we not have any secure transaction over a GRE
GRE creates a virtual Point-to-Point link between two remotely connected devices to act as if they are directly
connected
LAB Topology
In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B
Respectively and R2 is acting as Internet
Loopbacks here demonstrates Local LAN
Interface Configuration on Router
Device
R1
R1
R2
R2
R3
R3
Interface
F0/0
loopback
F0/0
F0/1
F0/0
loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3
Verification for routing
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their
public IP address as peer address to each other.
o
o
o
o
GRE VPN's is always configured using virtual interfaces called as tunnels which do have an ip address
which is to be assigned by administrator,
Apart from ip address a Tunnel interface needs its association with physical interfaces which is done
by defining tunnel source and tunnel destination
Tunnel source is association of your tunnel with a physical interface you have, it can be associated by
defining an ip address or the name of interface it defines the starting point of tunnel.
Tunnel destination is defining the end point of the tunnel which physical ip address of remote device
generally termed as peer address
R1(config)#interface tunnel 0
R1(config-if)#ip add 6.6.6.1 255.0.00.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.2
If authentication is desired over tunnel, then we can configure a pre-share key over tunnel.
In GRE Authentication is Optional unlike IPSec where its mandatory.
R1(config-if)#tunnel key 123456
Configure the following configuration over other side device as well
R2(config)#interface tunnel 123
R2(config-if)#ip add 6.6.6.32255.0.00.0
R2(config-if)#tunnel source FastEthernet 0/0
R2(config-if)#tunnel destination 1.1.1.1
R2(config-if)#tunnel key 123456
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
C
C
C
S*
R1#ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms
R3#ping 6.6.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms
Tunnel Communication is working well, But when local lan communication is desired its not working.
R1#ping 33.33.33.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Task 2 : Route the traffic of both side local LAN using static routing via tunnel to make the local LAN
reachable.
R1(config)#ip route 33.33.33.0 255.255.255.0 6.6.6.2
Adding a static route reachable via tunnel will make the local LAN communication work well either next
hop can be tunnel or the ip of Next hop Tunnel Address
R3(config)#ip route 11.11.11.0 255.255.255.0 tunnel 0
As soon routes are added in routing table local LAN will be Reachable
R1#show ip route
C 1.0.0.0/8 is directly connected, FastEthernet0/0
33.0.0.0/24 is subnetted, 1 subnets
S
33.33.33.0 [1/0] via 6.6.6.2
C 6.0.0.0/8 is directly connected, Tunnel0
C 11.0.0.0/8 is directly connected, Loopback0
S* 0.0.0.0/0 [1/0] via 1.1.1.2
R1#ping 33.33.33.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms
R3#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/59/96 ms
Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
Points to Remember:
GRE is an only tunneling protocol which is used to form a tunnel between two sites
GRE provides only Encapsulation service by Preparatory GRE protocol which is at no.47 in TCP/IP Suite
It adds an extra interface for each peer which allows us to configure Routing and QoS
GRE do not support and Encryption or Hashing Service so we not have any secure transaction over a GRE
GRE creates a virtual Point-to-Point link between two remotely connected devices to act as if they are directly
connected
LAB Topology
In Above topology Router R1 & R3 are acting as border routers of two sites Site A & Site B
Respectively and R2 is acting as Internet
Loopbacks here demonstrates Local LAN
Interface Configuration on Router
Device
R1
R1
R2
R2
R3
R3
Interface
F0/0
loopback
F0/0
F0/1
F0/0
loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on Both Devices R1 & R3
Verification for routing
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their
public IP address as peer address to each other.
R1(config)#interface tunnel 0
R1(config-if)#ip add 6.6.6.1 255.0.00.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.2
R1(config-if)#tunnel key 123456
Configure the following configuration over other side device as well
R2(config)#interface tunnel 123
R2(config-if)#ip add 6.6.6.32255.0.00.0
R2(config-if)#tunnel source FastEthernet 0/0
R2(config-if)#tunnel destination 1.1.1.1
R2(config-if)#tunnel key 123456
R1#ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms
R3#ping 6.6.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms
Task 2 : Route the traffic of both side local LAN using Dynamic routing Protocol EIGRP via tunnel to
make the local LAN reachable.
we need to advertise the tunnel address as common address between peers
R1(config)#router eigrp 100
R1(config-router)#net 11.0.0.0
R1(config-router)#net 6.0.0.0
!! Do not Advertise Physical networks in Dynamic Routing
R3(config)#router eigrp 100
R3(config-router)#network 33.0.0.0
R3(config-router)#network 6.0.0.0
As soon routes are added in routing table local LAN will be Reachable
R1#show ip route
C
D
C
C
S*
R3#show ip route
C
C
C
D
S*
R1#ping 33.33.33.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms
Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
Task 3 : Protect The GRE tunnel which is created between Host 1.1.1.1 and 2.2.2.2 using IPsec VPN
solution with crypto-maps.
Defining ISAKMP Policy which is also called as phase 1 parameters of VPN
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
As part of device authentication we need to define a shared secret key on both side in this lab
scenario netmetric is the shared key
R1(config)#crypto isakmp key netmetric address 2.2.2.2
This Concludes Phase 1 Configuration
Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN
R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
As per task our interesting traffic as all GRE Traffic sourced from 1.1.1.1 and destinies at 2.2.2.2
definition of it can be done by an simple extended access-list
Make sure that your access list catches GRE Traffic.
R1(config)#access-list 101 permit gre host 1.1.1.1 host 2.2.2.2
Binding credentials using crypto map
R1(config)#crypto map vpn-map 10 ipsec-isakmp
R1(config-crypto-map)#set peer 2.2.2.2
R1(config-crypto-map)#set transform-set t-set-1
R1(config-crypto-map)#match address 101
Appling the crypto map to interface
R1(config)#int f 0/0
R1(config-if)#crypto map vpn-map
Over other side we need to define exactly the same credentials of phase 1 & 2 without any
change but difference in names of policies and transform-set is negligible.
R3(config)#crypto isakmp enable
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#hash md5
R3(config)#crypto isakmp key netmetric address 1.1.1.1
Task 1 : Configure Site to Site VPN using GRE tunnels between Router R1 and Router R2 using their
public IP address as peer address to each other.
R1(config)#interface tunnel 0
R1(config-if)#ip add 6.6.6.1 255.0.00.0
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.2
R1(config-if)#tunnel key 123456
Configure the following configuration over other side device as well
R2(config)#interface tunnel 123
R2(config-if)#ip add 6.6.6.32255.0.00.0
R2(config-if)#tunnel source FastEthernet 0/0
R2(config-if)#tunnel destination 1.1.1.1
R2(config-if)#tunnel key 123456
R1#ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/76 ms
R3#ping 6.6.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/84 ms
Task 2 : Route the traffic of both side local LAN using Dynamic routing Protocol EIGRP via tunnel to
make the local LAN reachable.
we need to advertise the tunnel address as common address between peers
R1(config)#router eigrp 100
R1(config-router)#net 11.0.0.0
R1(config-router)#net 6.0.0.0
!! Do not Advertise Physical networks in Dynamic Routing
R3(config)#router eigrp 100
R3(config-router)#network 33.0.0.0
R3(config-router)#network 6.0.0.0
As soon routes are added in routing table local LAN will be Reachable
R1#show ip route
C
D
C
C
S*
R3#show ip route
C
C
C
D
S*
R1#ping 33.33.33.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms
Local LAN Communication of both sides is working well and traffic is reachable via Tunnels as routed.
Task 3 : Protect The GRE tunnel which is created between Host 1.1.1.1 and 2.2.2.2 using IPSec Profile.
Defining ISAKMP Policy which is also called as phase 1 parameters of VPN
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
As part of device authentication we need to define a shared secret key on both side in this lab
scenario netmetric is the shared key
R1(config)#crypto isakmp key netmetric address 2.2.2.2
This Concludes Phase 1 Configuration
Defining IPSec Credentials which are commonly known as Phase 2 Parameters Of VPN
R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
As per task we are supposed to use IPSEC PROFILE to protect the traffic of tunnel thus creating
an IPSec Profile.
An IPSec Profile is a replacement of crypto-map which is used to apply a security policy only for
tunnel interfaces, An IPSec Profile doesn't need any access-list or peer address
R1(config)#crypto ipsec profile demo-profile
R1(ipsec-profile)#set transform-set t-set-1
IPSec Profiles are applied on directly Tunnel Interface and they secure every traffic passing
through that tunnel
R1(config)#interface tunnel 0
R1(config-if)#tunnel protection ipsec profile demo-profile
IPSec Profiles are applied on directly Tunnel Interface and they secure every traffic passing
through that tunnel
R3(config)#interface tunnel 0
R3(config-if)#tunnel protection ipsec profile demo-profile
Its mandatory for a hub to be always on a static IP address to be reachable to spokes. A spoke either can
be on static IP or on Dynamic IP Address.
whenever VPN process starts from a spoke to another spoke the Query of unknown address reaches to
HUB. HUB resolves the query as per it NHRP Database and back to spoke with current address using
which the Peering will be formed.
LAB Topology
In Above topology Router R4 is acting as HUB, Router R1 & R3 are acting as spokes and R2 is
acting as Internet
Loopbacks on routers here demonstrates Local LAN of each site.
Interface Configuration on Devices
Device
R1
R1
R2
R2
R2
R3
R3
R4
R4
Interface
F0/0
Loopback
F0/0
F0/1
F1/0
F0/0
Loopback
F0/0
Loopback
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.2
3.3.3.2
2.2.2.3
33.33.33.33
3.3.3.3
44.44.44.44
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on all routers
Verification for routing
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms
R3#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
Task 1 : Configure Dynamic Multipoint tunnels between Router R1, R2,R3 R4 where R4 Acting as HUB
and R1 and R3 are spokes do not use a static peer address or fixed tunnel destination.
configure GRE Tunnels on all the routers (HUB and Spokes both in same subnet) as the fixed
tunnel destination is not allowed
Make the mode of tunnel as Multipoint GRE, When a tunnel is configured in Multipoint mode its capable
to be terminated on different destinations
R1(config)#interface tunnel 0
R1(config-if)#ip address 6.6.6.1 255.0.00.0
R1(config-if)#tunnel source fastEthernet 0/0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 123456
Configure the following configuration over other side device as well with different IP address of same
subnet
R3(config)#interface tunnel 0
R3(config-if)#ip address 6.6.6.3 2255.0.00.0
R3(config-if)#tunnel source FastEthernet 0/0
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel key 123456
R4(config)#interface Tunnel 0
R4(config-if)#ip add 6.6.6.4 255.0.0.0
R4(config-if)#tunnel source FastEthernet 0/0
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#tunnel key 123456
Task 2 : Configure Dynamic Routing between peers using EIGRP as routing protocols and make all the
loopbacks reachable to each others
R1(config)#router eigrp 100
R1(config-router)#network 11.11.11.11
R1(config-router)#network 6.0.0.0
R3(config)#router eigrp 100
R3(config-router)#network 33.33.33.33
R3(config-router)#network 6.0.0.0
R4(config)#router eigrp 100
R4(config-router)#network 44.44.44.44
R4(config-router)#network 6.0.0.0
To make the routes reachable to other spoke we need to break the split horizon on tunnel
interface and disable the next hop changes on tunnel so that the routes from one spoke should reach to
other spokes without any change
R4(config)#interface tunnel 0
R4(config-if)#no ip split-horizon eigrp 100
R4(config-if)#no ip next-hop-self eigrp 100
Verification
R3#show ip route
C 2.0.0.0/8 is directly connected, FastEthernet0/0
C 33.0.0.0/8 is directly connected, Loopback0
C 6.0.0.0/8 is directly connected, Tunnel0
D 11.0.0.0/8 [90/310172416] via 6.6.6.1, 00:25:46, Tunnel0
D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:25:53, Tunnel0
S* 0.0.0.0/0 [1/0] via 2.2.2.2
R1#sh ip route
C 1.0.0.0/8 is directly connected, FastEthernet0/0
D 33.0.0.0/8 [90/310172416] via 6.6.6.3, 00:26:57, Tunnel0
C 6.0.0.0/8 is directly connected, Tunnel0
C 11.0.0.0/8 is directly connected, Loopback0
D 44.0.0.0/8 [90/297372416] via 6.6.6.4, 00:27:05, Tunnel0
S* 0.0.0.0/0 [1/0] via 1.1.1.2
Task 3 : Protect The tunnels which is created between HUB and Spokes using IPSec Profile.
R1(config)#interface tunnel 0
R1(config-if)#tunnel protection ipsec profile demo-profile
R3(config)#interface tunnel 0
R3(config-if)#tunnel protection ipsec profile demo-profile
=====================================================================================
R4(config)#crypto isakmp enable
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encryption 3des
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#hash md5
R4(config)#crypto isakmp key netmetric address 0.0.0.0 0.0.0.0
R4(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
R4(config)#interface tunnel 0
R4(config-if)#tunnel protection ipsec profile demo-profile
When a user gets connected an IP Address needs to be assigned to the user to make him part of LAN
Distinguished rules can be configured for each group of users using ISAKMP Client Groups
AAA must be used to make the VPN User authentication.
Only VPN server is to be configured with all the VPN configurations client doesnt need any specific VPN configs
Its mandatory for a vpn server to be always on a static IP address to be reachable from anywhere on
internet. VPN Initiation can be done only by clients using an Application called Cisco VPN Client
LAB Topology
In Above topology Router R1 is acting as VPN Server and RouterR2 is Internet to make the
connectivity between networks.
Loopback1 on router R1 here demonstrates Local LAN.
Interface Configuration on Devices
Device
R1
R1
R2
R2
R3
R3
PC
Interface
F0/0
Loopback
F0/0
F0/1
F0/0
Loopback
NIC
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.2
33.33.33.33
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on all routers
Verification for routing
C:\>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=232ms TTL=45
Reply from 1.1.1.1: bytes=32 time=231ms TTL=45
Reply from 1.1.1.1: bytes=32 time=230ms TTL=45
Reply from 1.1.1.1: bytes=32 time=229ms TTL=45
Ping statistics for 1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 229ms, Maximum = 232ms, Average = 230msR3
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms
Task 1 : Configure Router R1 as a Easy VPN server. Create a Group of Users "Sales" and secure the
access of 11.0.0.0/8 subnet for them.
Configure Basic ISAKMP Credentials for key Exchange process
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)# group 2
No need to define a specific pre-share key as the authentication is desired by using username and
password
Define IPSec Transform Set
R1(config)#crypto ipsec transform-set t-set esp-3des esp-sha-hmac
As VPN Authentication is desired by using user accounts AAA Services need to configured with ISAKMP
Enabling AAA services on router and creating a new authentication and authorization methods
R1(config)#aaa new-model
R1(config)#aaa authentication login vpn-users local
R1(config)#aaa authorization network vpn-groups local
As the Authentication is set to Local creating a new user account on local Database
R1(config)#username user1 password 0 cisco123
Interesting traffic to secured can be define in an Access-list which is termed as Split Access-list
R1(config)#access-list 109 permit ip 11.0.0.0 0.255.255.255 any
A pool of IP needs to defined from where the Address is allocated to remote devices
R1(config)#ip local pool vpn 10.1.1.1 10.1.1.50
Creating Group for VPN clients where all the credentials defined for client are configured
R1(config)#crypto isakmp client configuration group Sales
R1(config-isakmp-group)# key ciscoabc
R1(config-isakmp-group)# pool vpn
R1(config-isakmp-group)# acl 109
A normal crypto map makes peer address definition as a mandatory credential as we do not mention any
specific peer address we make a dynamic crypto map which is capable of working without Peer as well.
R1(config)#crypto dynamic-map d-map 10
R1(config-crypto-map)#set transform-set t-set
R1(config-crypto-map)#reverse-route
As the dynamic crypto map cannot be applied over interface directly bind the dynamic map with a
Normal Crypto map
R1(config)#crypto map mymap 1 ipsec-isakmp dynamic d-map
Bind the AAA and VPN configuration in Crypto map
R1(config)#crypto map mymap client authentication list vpn-users
R1(config)#crypto map mymap isakmp authorization list vpn-groups
R1(config)#crypto map mymap client configuration address respond
Apply the map to interface connected to internet i.e FastEthernet 0/0
R1(config)#interface FastEthernet0/0
R1(config-if)# crypto map mymap
Task 2 : Configure PC as a VPN client of Router R1 and Verify the IP Address Assigned and connectivity
Download and Install Cisco VPN Client Software Select New option
and define all your credentials required to be authenticate
After Successful Authentication VPN Gets Connected and Status of VPN Can be verified in status tab in
Statistics options
state
QM_IDLE
conn-id
1001
slot status
0 ACTIVE
Task 3 : Configure Router R3 as a VPN client of Router R1 to secure the communication of lacal LAN of
R3 and R1 (Loopbacks)and Verify the IP Address Assigned and connectivity
Define the VPN client configuration on Router R3 with all the same user credentials
R3(config)#crypto ipsec client ezvpn ez-remote
R3(config-crypto-ezvpn)# connect auto
R3(config-crypto-ezvpn)# group Sales key ciscoabc
R3(config-crypto-ezvpn)# mode client
R3(config-crypto-ezvpn)# peer 1.1.1.1
R3(config-crypto-ezvpn)# username user1 password cisco123
Apply crypto map on both the interfaces
Interface on which Local LAN traffic is inbound to router Apply it on as inside
R3(config)#interface Loopback0
R3(config-if)#crypto ipsec client ezvpn ez-remote inside
Interface through which router is connected to internet Apply as outside
R3(config)#interface FastEthernet0/0
R3(config-if)#crypto ipsec client ezvpn ez-remote outside
Verification:
To Verify Assigned Address on Router
R3#show ip interface brief
Interface
IP-Address
FastEthernet0/0
2.2.2.2
FastEthernet0/1
unassigned
NVI0
unassigned
Loopback0
33.33.33.33
Loopback1
10.1.1.3
OK?
YES
YES
NO
YES
YES
Method
manual
unset
unset
manual
manual
Status
up
administratively down
up
up
up
state
QM_IDLE
conn-id
1002
slot status
0 ACTIVE
state
QM_IDLE
QM_IDLE
conn-id
1001
1002
slot status
0 ACTIVE
0 ACTIVE
Protocol
up
down
up
up
up
In Above topology ASA is acting as VPN Server and RouterR2 is Internet to make the
connectivity between networks.
Router R1 here demonstrates Local LAN.
Interface Configuration on Devices
Device
ASA
ASA
R1
R2
R2
PC
Interface
G0
G1
F0/0
F0/0
F0/1
NIC
Ip Address
1.1.1.1
11.11.11.10
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on ASA as well as PC
Verification for routing
C:\>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=232ms TTL=45
Reply from 1.1.1.1: bytes=32 time=231ms TTL=45
Reply from 1.1.1.1: bytes=32 time=230ms TTL=45
Reply from 1.1.1.1: bytes=32 time=229ms TTL=45
Ping statistics for 1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 229ms, Maximum = 232ms, Average = 230msR3
Verification:
ciscoasa(config)# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.3
Type : user
Role : responder
Rekey : no
State : AM_ACTIVE
Its mandatory for a vpn server to be always on a static IP address to be reachable from anywhere on
internet. VPN Initiation can be done only by clients using a web browser
LAB Topology
In Above topology Router R1 is acting as SSL VPN Server , RouterR2 is Internet to make the
connectivity between networks and PC is our client with a browser.
Loopback1 on router R1 here demonstrates Local LAN.
Interface
F0/0
Loopback
F0/0
F0/1
NIC
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on all routers
Task 1 : Configure Router R1 as a SSL VPN server and enable the SSL service on IP Address 1.1.1.1 with
port number 443
SSL VPN configuration is mainly divided into two parts
1. Configuring Gateway
2. Configuring Context
Gateway define the interface and the ports where the SSL services are supposed to be enabled
and by default all the newly created gateways will be in disabled mode which can has to be enabled
manuallu using "insiervice"
Creating and Enabling SSL Gateway
R1(config )#webvpn gateway ssl_gw
R1(config-webvpn-gateway)# ip address 1.1.1.1 port 443
R1(config-webvpn-gateway)# inservice
Context define the user policy and the environment of SSL VPN.
Creating a Context and defining the web page properties of that context.
R1(config )#webvpn context ssl_ctx
R1(config-webvpn-context)# title "Netmetric-Infosolutions"
R1(config-webvpn-context)# title-color green
R1(config-webvpn-context)# gateway ssl_gw
R1(config-webvpn-context)# inservice
Creating a user account for SSL access as authentication is mandatory and by default its set to
local authentication
R1(config )#username user1 password cisco123
Verification:
Open Browser and enter the url as http://1.1.1.1
As we do not have any digital certificate issued by Certificate authorities a warning is posted
don't worry and select proceed anyways
Once authenticated successfully we get default SSL Page where we are allowed enter the desired
URL to communicate the local LAN
Task 2 : Modify Existing SSL VPN connection and provide users a login banner and Bookmark list on
SSL VPN Web Page to ease the access of local services.
URL list can be defined under context configuration
R1(config-webvpn-gateway)#webvpn context ssl_ctx
R1(config-webvpn-context)#url-list "Servers"
R1(config-webvpn-url)#Heading "Business Servers"
R1(config-webvpn-url)#url-text Server1 url-value http://11.11.11.11
R1(config-webvpn-url)#url-text Server2 url-value http://17.14.12.34
R1(config-webvpn-url)#exit
Newly created URL List can be applied to users by associating it to default group policy not only
URL List but also the banner can be defined in Policy it self
R1(config-webvpn-context)#policy group demo_ssl
R1(config-webvpn-group)#url-list "Servers"
R1(config-webvpn-group)#banner "Welcome to Netmetric Solutions"
R1(config-webvpn-group)#exit
Making the policy created as default policy so that it should be applied to all users
R1(config-webvpn-context)#default-group-policy demo_ssl
URL List which is defined under policy is on web page after Login
Task 3 : Imagine a Tacacs+ server on address 11.11.11.49, Configure SSL Server to authenticate users
using that Tacacs+ server.
Enable AAA services and define address of Tacacs server
R1(config)#aaa new-model
R1(config)#tacacs-server host 11.11.11.49 key ciscot
Define a new authentication method with Tacacs option
R1(config)#aaa authentication login ssl-auth group tacacs+
In Above topology Router R1 is acting as SSL VPN Server , RouterR2 is Internet to make the
connectivity between networks and PC is our client with a browser.
Loopback1 on router R1 here demonstrates Local LAN.
Interface
F0/0
Loopback
F0/0
F0/1
NIC
Ip Address
1.1.1.1
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on all routers
Verification for routing
C:\>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=232ms TTL=45
Reply from 1.1.1.1: bytes=32 time=231ms TTL=45
Reply from 1.1.1.1: bytes=32 time=230ms TTL=45
Reply from 1.1.1.1: bytes=32 time=229ms TTL=45
Ping statistics for 1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 229ms, Maximum = 232ms, Average = 230msR3
Task 1 : Configure Router R1 as a SSL VPN server and enable the SSL service on IP Address 1.1.1.1 with
port number 443 using Cisco Configuration Professional
Select Configure
Select 1
Select 2
Its Optional to enable Secure SDM access requires only if in future you plan to use SDM through
same interface.
As we are working with client-less SSL VPN no need to enable full tunnel support thus deselect
option
In Above topology ASA is acting as SSL VPN Server and RouterR2 is Internet to make the
connectivity between networks.
Router R1 here demonstrates Local LAN.
Interface Configuration on Devices
Device
ASA
ASA
R1
R2
R2
PC
Interface
G0
G1
F0/0
F0/0
F0/1
NIC
Ip Address
1.1.1.1
11.11.11.10
11.11.11.11
1.1.1.2
2.2.2.1
2.2.2.3
Subnet
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
255.0.0.0
*Configure a default route pointing towards Internet (i.e. Router R2) on ASA as well as PC
Verification for routing
C:\>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=232ms TTL=45
Reply from 1.1.1.1: bytes=32 time=231ms TTL=45
Reply from 1.1.1.1: bytes=32 time=230ms TTL=45
Reply from 1.1.1.1: bytes=32 time=229ms TTL=45
Ping statistics for 1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 229ms, Maximum = 232ms, Average = 230msR3
Define Connecion Profile name selectthe interface on which SSL Services are to initiated
Select the user authentication method and modify the user account database
Either go for a creation of new policy or modify the existing policy which comes by default
The Bookmark List visible for users can be modified and whatever bookmark is created here will
be available after successful login of user
Adding a Bookmark LIst by name Local_servers and adding some bookmarks by name Server1
and Server2
Basic SSL VPN Page seen on ASA based VPN with a web Bookmark list
Interface Configuration
Device
Outside
DMZ
CBAC-FW
PC
Interface
Fast Ethernet 0/0
Fast Ethernet 0/0
Fast Ethernet 0/0
Fast Ethernet 0/1
Fast Ethernet 1/0
NIC
IP Address
2.2.2.2
3.3.3.3
1.1.1.1 (Connected to PC)
2.2.2.1 (Connected to outside)
3.3.3.1 (Connected to DMZ)
1.1.1.2
Configure RIP on All Devices and advertise all connected network to make reachability
Task 1:
We want to make sure that an INSIDER can Access Outside network as well as DMZ
An Outsider Cant access inside network but can access DMZ network
And DMZ Cant access any network both Inside and Outside
Steps to configure:
Use any routing protocol to make networks reachable we are using rip in this case
Block all the inbound traffic for private or local network
Allow traffic to only DMZ Network from outside
Create an inspection rule depending on the interesting traffic for each interface
Apply the inspection rule on the respective interfaces
By using a simple block statement in access-list we are denying all the traffic for inside network
from other networks
CBAC-FW(config)#access-list 101 deny ip any any
CBAC-FW(config)#int f 0/0
CBAC-FW(config-if)#ip access-group 101 OUT
Now when all the traffic is blocked from other network to inside network then even the reply
traffic for the queries done from inside network is blocked
To allow that reply traffic we are making an inspection rule with desired protocols and services
to be inspected and maintain a state table
CBAC-FW(config)#ip inspect name my-cbac tcp
CBAC-FW(config)#ip inspect name my-cbac icmp
CBAC-FW(config)#ip inspect name my-cbac udp
With the above commands we are starting to maintain the state table for tcp, udp and icmp now
we will apply this inspection rule on the interface which is connected to outside
CBAC-FW(config)#int f 0/1
CBAC-FW(config-if)#ip inspect my-cbac out
Now we dont want DMZ to interact with any network
CBAC-FW(config)#access-list 102 deny ip any any
CBAC-FW(config)#interface FastEthernet1/0
CBAC-FW(config-if)#ip access-group 102 in
But we want outside network should be able to communicate with dmz so create a separate
inspection for that traffic
From outside allow only the specific traffic which is meant for the DMZ network and block all the
rest traffic
CBAC-FW(config)#access-list 103 permit ip any host 3.3.3.3
CBAC-FW(config)#access-list 103 deny ip any any
CBAC-FW(config)#interface FastEthernet0/1
CBAC-FW(config-if)#ip access-group 103 in
The traffic which is generated from inside is allowed to go to outside network and reply is
allowed to come back
From outside the connection is not successful to inside but its successful to DMZ
Outside>ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Outside>ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/112 ms
Steps to configure:
Use any routing protocol to make networks reachable we are using rip in this case
Create Security Zones and associate interfaces with zones
Create a class map of type inspect to define the interesting traffic
Create a policy map of type inspect to define the action on interesting traffic
Create Zone pairs to define the source and destination of traffic
Interface Configuration
Device
Outside
DMZ
ZBF
PC
Interface
Fast Ethernet 0/0
Fast Ethernet 0/0
Fast Ethernet 0/0
Fast Ethernet 0/1
Fast Ethernet 1/0
NIC
IP Address
2.2.2.2
3.3.3.3
1.1.1.1 (Connected to PC)
2.2.2.1 (Connected to outside)
3.3.3.1 (Connected to DMZ)
1.1.1.2
We are implementing the same typical DMZ network Setup here what we did in previous lab
First of all we are configuring RIP on all devices to advertise all networks and making all the
three networks reachable from every one
Check the Reachability from each device to each device then proceed with configuration
Unlike CBAC where I implement the rules depending on the interfaces here I want to implement
the rules on the group of interfaces which I call as a zone, as per our requirement I am creating three
zones named DMZ, OUTSIDE and INSIDE
ZBF(config)#zone security INSIDE
ZBF(config-sec-zone)#exit
ZBF(config)#zone security OUTSIDE
ZBF(config-sec-zone)#exit
ZBF(config)#zone security DMZ
ZBF(config-sec-zone)#exit
After Creating of Security zones there will be no change in the behavior of device then you
associate those zones with interfaces
ZBF(config)#int f 0/0
ZBF(config-if)#zone-member security INSIDE
ZBF(config)#int f 0/1
ZBF(config-if)#zone-member security OUTSIDE
ZBF(config-if)#int f 1/0
ZBF(config-if)#zone-member security DMZ
Remember that as soon as we associate those zones with interfaces the communication within
all the zones will be blocked and no two interfaces belongs to different zones can communicate neither
an unzone interface (interface which is not associated with any zone) can communicate to a zoned
interface but two interfaces which belongs to same zone and even the two interfaces which are unzone
can communicate with each other.
Now we need to create a class map of type inspect to identify the interesting traffic. Before
defining interesting traffic in class-map we need to create an access list to define source and destination
of desired inspection traffic and even we need to define the protocol which we want to inspect
ZBF(config)#access-list 101 permit ip any any
ZBF(config)#class-map type inspect c-map-1
ZBF(config-cmap)#match access-group 101
ZBF(config-cmap)#match protocol icmp
After defining the traffic in class map now its time to define the action on the interesting traffic
for that we need to create a policy map of type inspect then call the class of interesting traffic. In that
class define the desired action. As per our requirement we need inspection to be done on our traffic so
we are defining inspect as our action.
ZBF(config)#policy-map type inspect p-map-1
ZBF(config-pmap)#class c-map-1
ZBF(config-pmap-c)#inspect
Now the only left out task is to apply that policy map and to define the source and the
destination of our traffic this is done by configuring zone-pairs
ZBF(config)#zone-pair security allow-in-out source INSIDE destination OUTSIDE
ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1
ZBF(config-sec-zone-pair)#exit
With this task our insiders can access outside network now but outsiders cant access inside as
we defined source to be INSIDE and destination to be OUTSIDE. Remember that this zone pair works
unidirectional only
As we want insiders to access DMZ as well and even we want outsiders to access DMZ so we
need to create two more zone pairs with respective source and destinations
ZBF(config)#zone-pair security allow-in-dmz source INSIDE destination DMZ
ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1
ZBF(config-sec-zone-pair)#exit
ZBF(config)#zone-pair security allow-out-dmz source OUTSIDE destination DMZ
ZBF(config-sec-zone-pair)##service-policy type inspect p-map-1
ZBF(config-sec-zone-pair)#exit
Verification
Beginning from outside I am pinging to inside and DMZ
OUTSIDE>ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
OUTSIDE>ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/80 ms
We can observe from above that as per our requirement outsider can visit DMZ but cannot Visit
INSIDE network. Now lets make a connection from DMZ
DMZ#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
DMZ#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
A Sensor is a layer 2 device placed mostly behind firewall and configured to filter the
malicious traffic in inbound and outbound directions of network
Basic Configuration of sensor can be done by Command Line Interface through console
port to initiate the sensor and its services.
Task 1 : Initiate the sensor and configure the basic services and interface configurations as
following options.
Host Name
Ip Address
Subnet Mask
Default Gateway
Https port
Telnet
Permitted Host
NMSIPS
10.1.1.10
255.0.0.0
10.1.1.1
443
Enabled
10.0.0.0 255.0.0.0
Step 1
Connect IPS Console port to Com port of computer using a Console Cable to access the CLI of
Device
Step 2
Open a terminal Emulator application like Hyper terminal or putty.
sensor# setup
System Configuration Dialog
At any point you may enter a question mark '?' for help .
User ctrlc to abort configuration dialog at any prompt .
Default settings are in square brackets ' [] ' .
Current Configuration:
service host
networksettings
hostip 192.168.1.10/24,192.168.1.1
host-name sensor
telnet option disabled
ftp-timeout 300
no login-banner-text
exit
timezone-settings
offset 0
standard- time-zone name UTC
exit
summertime-option disabled
ntpoption disabled
exit
service webserver
port 443
exit
Setup Configuration last modified: Sat Nov 24 09:37:20 2012
Enter Hostname
Permit: 10.0.0.0/8
Permit:
Modify system clock setting?[no]: no
Modify interface/virtual sensor configuration? [No]: no
Modify default threat prevention settings? [No]: no
the following configuration was entered.
service host
networksettings
hostip 10.1.1.10/24,10.1.1.1
host-name nms
telnet option enabled
access-list 10.0.0.0/32
ftp-timeout 300
no login-banner-text
exit
timezone-settings
offset 0
standard- time-zone name UTC
exit
summertime-option disabled
ntpoption disabled
exit
C:\>ipconfig
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::79b9:ae4b:fc78:88fd%16
IPv4 Address. . . . . . . . . . . . : 10.1.1.2
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . : 10.1.1.1
In Promiscuous mode, Sensor is not Placed in between the transit path of network
rather its connected to switch and a copy of the traffic is sent to Sensor.
LAB Topology
Interface Configuration
R1 => FastEthernet
10.1.1.1
R2 =>FastEthernet
10.1.1.2
Click
here
Click
here
Go to configure Analysis Engine Virtual Sensor then Click vs0 and edit
Click
here
Highlight Fastethernet 2/0 interface on the list and click Assign button. Then
click OK and Apply the changes to the sensor
Click
here
Click
here
Verification:
Switch#sh monitor session 1
Session 1
--------Source Ports:
RX Only:
None
TX Only:
None
Both:
Fa0/1
Source VLANs:
RX Only:
None
TX Only:
None
Both:
None
Destination Ports: Fa0/23
Filter VLANs:
None
Go to monitoring Events, check show past events radio button and select 1
minute. then click on view button
See the signatures Logs on the Event viewer to get logs click Refresh tab
Click
here
Click
here
Highlight the Event log and click Details to see more log details. Here the
picture output for Event details.
Attacker student Pc
IP
Target Router IP
aaaa
aaaa
In Promiscuous mode, Sensor is not Placed in between the transit path of network
rather its connected to switch and a copy of the traffic is sent to Sensor.
LAB Topology
Interface Configuration
R1 => FastEthernet
10.1.1.1
R2 =>FastEthernet
10.1.1.2
Connect Fast Ethernet 2/0 and Fast Ethernet 2/1 of sensor to Router R1 and R2 Respectively
2
4
Verification:
Interface Configuration
R1 => FastEthernet
10.1.1.1
R2 =>FastEthernet
Switch=> FastEthernet 0/1
Switch => FastEthernet 0/2
10.1.1.2
VLAN10
VLAN20
Connect
R1- F0/1 ==> SW F0/1
R2 F0/1 to SW F0/2
Task 1 : Configure Sensor in Inline VLAN mode to work as Intrusion Prevention System .
Step 1 : Configure VLANs on Switch
Switch(config)#vlan 10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#exit