Iewb-Sc-Vol2 ALLSOLUTIONS v5 02


CCIE Security Lab Workbook Volume II for CCIE v3.0

Copyright Information
Copyright © 2003 - 2011 Internetwork Expert, Inc. All rights reserved.

The following publication, Internetwork Expert’s CCIE Security Lab Workbook Volume II,
was developed by Internetwork Expert, Inc. All rights reserved. No part of this publication may
be reproduced or distributed in any form or by any means without the prior written permission
of Internetwork Expert, Inc.

Cisco®, Cisco® Systems, CCIE, and Cisco Certified Internetwork Expert, are registered
trademarks of Cisco® Systems, Inc. and/or its affiliates in the U.S. and certain countries.
All other products and company names are the trademarks, registered trademarks, and
service marks of the respective owners. Throughout this manual, Internetwork Expert,
Inc. has used its best efforts to distinguish proprietary trademarks from descriptive
names by following the capitalization styles used by the manufacturer.

Copyright © 2011 Internetwork Expert www.INE.com


Disclaimer
The following publication, Internetwork Expert’s CCIE Security Lab Workbook Volume II,
is designed to assist candidates in the preparation for Cisco Systems’ CCIE Security Lab
exam. While every effort has been made to ensure that all material is as complete and
accurate as possible, the enclosed material is presented on an “as is” basis. Neither the
authors nor Internetwork Expert, Inc. assume any liability or responsibility to any person or
entity with respect to loss or damages incurred from the information contained in this
workbook.

This workbook was developed by Internetwork Expert, Inc. and is an original work of the
aforementioned authors. Any similarities between material presented in this workbook
and actual CCIE™ lab material are completely coincidental.


Table of Contents
IEWB-SC-VOL2 Lab 1 Solutions...................................................... 7
IEWB-SC-VOL2 Lab 2 Solutions.................................................. 131
IEWB-SC-VOL2 Lab 3 Solutions.................................................. 215
IEWB-SC-VOL2 Lab 4 Solutions.................................................. 297
IEWB-SC-VOL2 Lab 5 Solutions.................................................. 403
IEWB-SC-VOL2 Lab 6 Solutions.................................................. 515
IEWB-SC-VOL2 Lab 7 Solutions.................................................. 667
IEWB-SC-VOL2 Lab 8 Solutions.................................................. 755
IEWB-SC-VOL2 Lab 9 Solutions.................................................. 861
IEWB-SC-VOL2 Lab 10 Solutions................................................ 951


IEWB-SC-VOL2 Lab 1 Solutions


Task 1.1 Solution
ASA1:
hostname Rack4ASA
!
interface Ethernet0/0
nameif outside
ip address 183.4.125.12 255.255.255.0
no shutdown
!
interface Ethernet0/1
nameif inside
ip address 192.10.4.12 255.255.255.0
no shutdown

Task 1.2 Solution


ASA1:
!
! Default information is only originated if there is
! a default route in the routing table of the firewall
!
router ospf 1
router-id 150.4.12.12
network 183.4.125.0 255.255.255.0 area 51
network 192.10.4.0 255.255.255.0 area 51
default-information originate

!
! Create an SLA monitor object to ping R5
!
sla monitor 1
type echo protocol ipIcmpEcho 183.4.125.5 interface outside
timeout 1000
frequency 1

!
! Start monitoring
!
sla monitor schedule 1 start-time now life forever


!
! Track the SLA object
!
track 1 rtr 1 reachability

!
! Create a default route tracking the SLA object
!
route outside 0 0 183.4.125.5 track 1

Task 1.2 Breakdown

The OSPF process only generates and propagates a default route if that route is
already present in the local routing table. This requirement prevents routing
loops. Therefore, the ASA needs a default route in its own routing table
pointing to R5.

To make sure the default gateway is actually reachable, a monitoring process
needs to track R5's liveness. We configure an SLA object that sends an ICMP
echo every second and times the operation out after one second. Since no
specific values are given in the scenario, we simply use values we find
reasonable for this test.

The next step is creating a tracking object that reflects the SLA monitor
status. The final step is binding the static default route to the tracking
object and configuring the routing process to advertise a default route. When
the probe fails, the tracked route is withdrawn from the routing table and OSPF
stops originating the default, so the inside routers do not keep forwarding
traffic towards a dead gateway.

Tasks 1.1-1.2 Verification

Verify OSPF adjacencies in the ASA firewall. You should see both BB2 and
SW2.

Rack4ASA(config)# show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.4.8.8         1   FULL/DROTHER    0:00:30     192.10.4.8      inside
192.10.4.254      1   FULL/DR         0:00:34     192.10.4.254    inside


Verify the SLA object operational state and track object status. After this, ensure
that the default route is in the routing tables of the ASA and SW2.

Rack4ASA(config)# show sla monitor operational-state 1


Entry number: 1
Modification time: 02:28:48.943 UTC Fri Apr 10 2009
Number of Octets Used by this Entry: 1480
Number of operations attempted: 134
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 02:31:01.945 UTC Fri Apr 10 2009
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1

Rack4ASA(config)# show track


Track 1
Response Time Reporter 1 reachability
Reachability is Up
2 changes, last change 00:02:13
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0

Rack4ASA(config)# show route | include 0.0.0.0


Gateway of last resort is 183.4.125.5 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 183.4.125.5, outside

Rack4SW2#show ip route ospf | inc 0.0.0.0


O*E2 0.0.0.0/0 [110/1] via 192.10.4.12, 00:05:46, Vlan255


Now shut down R5's VLAN125 interface and check that the ASA detects this
event. Since the default route is no longer in the routing table, it is no
longer advertised via OSPF either.

Rack4R5(config)#interface fastEthernet 0/1
Rack4R5(config-if)#shutdown

Rack4ASA(config)# show track


Track 1
Response Time Reporter 1 reachability
Reachability is Down
3 changes, last change 00:00:47
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0

Rack4ASA(config)# show route | inc 0.0.0.0

Rack4SW2#sh ip route ospf


51.0.0.0/32 is subnetted, 1 subnets
O E2 51.51.51.51 [110/20] via 192.10.4.254, 00:04:10, Vlan255


Task 1.3 Solution


SW2:
vlan 199
!
! Connect E0/2 ports of the ASAs using a new VLAN
!
interface range FastEthernet 0/13 , FastEthernet 0/15
switchport host
switchport access vlan 199

ASA1:
!
! Enable physical failover link
!
interface ethernet 0/2
no shutdown

!
! Configure standby IP addresses
!
interface Ethernet 0/0
ip address 183.4.125.12 255.255.255.0 standby 183.4.125.13
!
interface Ethernet 0/1
ip address 192.10.4.12 255.255.255.0 standby 192.10.4.13

!
! Designate unit as primary and name failover interface
!
failover lan unit primary
failover lan interface failover Ethernet0/2

!
! Enable stateful failover on the same link
!
failover link failover Ethernet0/2

!
! Configure failover addressing
!
failover interface ip failover 10.10.10.12 255.255.255.0 standby 10.10.10.13

!
! Set interface polling timers to minimum
!
failover polltime interface msec 500 holdtime 5

!
! Disable the inside interface monitoring
!
no monitor-interface inside


!
! Enable failover
!
failover

ASA2:
interface ethernet 0/2
no shutdown
!
failover lan interface failover Ethernet0/2
!
failover link failover Ethernet0/2
!
failover interface ip failover 10.10.10.12 255.255.255.0 standby 10.10.10.13
!
failover

Task 1.3 Breakdown

The task requires configuring a failover pair. At the very least we need to
enable a failover interface, but the task asks for stateful failover. This means
we need to set up an additional stateful failover link. In our case the simplest
solution is reusing the same interface already used for basic failover.

By default all interfaces on the unit are monitored. This means we need to
explicitly disable inside interface monitoring to satisfy the scenario
requirements. Additionally, the requirement to respond to an interface failure
in the shortest amount of time translates into using the shortest polling
timers for the interfaces. Notice that this does not affect the failover link
polling: detecting failover link issues is separate from detecting physical
interface failures, and the unit poll timers stay at their defaults (1 second
poll, 15 seconds holdtime, as the verification output shows).

One caveat for real deployments: configuration replication and state updates
cross the failover link in the clear unless a failover key is configured, so
that link should be dedicated and physically protected, as it is here with its
own VLAN.

Task 1.4 Solution


ASA1: (The active failover unit)
nat (inside) 1 0 0
global (outside) 1 interface

Tasks 1.3 – 1.4 Verification

Verify the failover status on ASA1 first. Check the interface polling timers
(500 ms poll, 5 s holdtime) and notice that only one interface is being
monitored. Ensure the other unit is in the "Standby Ready" state.

After this, confirm with show monitor-interface that only the outside interface
is monitored by the firewall.


Rack4ASA(config)# show failover


Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 03:16:46 UTC Apr 10 2009
This host: Primary - Active
        Active time: 160 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface outside (183.4.125.12): Normal (Waiting)
          Interface inside (192.10.4.12): Normal (Not-Monitored)
        slot 1: empty
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface outside (183.4.125.13): Normal (Waiting)
          Interface inside (192.10.4.13): Normal (Not-Monitored)
        slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         4          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         4          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       0
        Xmit Q:         0       26      37


Rack4ASA(config)# show monitor-interface


This host: Primary - Active
Interface outside (183.4.125.12): Normal
Other host: Secondary - Standby Ready
Interface outside (183.4.125.13): Normal

Now simulate an interface failure by shutting down the switch port connected to
the primary unit’s outside interface. Check the failover status again.

Rack4SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack4SW2(config)#interface fastEthernet 0/12
Rack4SW2(config-if)#shutdown
Rack4SW2(config-if)#

Rack4ASA(config)# show failover


Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 03:24:05 UTC Apr 10 2009
This host: Primary - Failed
        Active time: 439 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface outside (183.4.125.13): No Link (Waiting)
          Interface inside (192.10.4.13): Normal (Not-Monitored)
        slot 1: empty
Other host: Secondary - Active
        Active time: 7 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface outside (183.4.125.12): Normal (Waiting)
          Interface inside (192.10.4.12): Normal (Not-Monitored)
        slot 1: empty
<snip>


Rack4ASA(config)# show monitor-interface


This host: Primary - Failed
Interface outside (183.4.125.13): No Link (Waiting)
Other host: Secondary - Active
Interface outside (183.4.125.12): Normal (Waiting)

Confirm that you may still reach R5 from SW2, even with the primary firewall
failed.

Rack4SW2#telnet 183.4.125.5
Trying 183.4.125.5 ... Open

User Access Verification

Password: cisco
Rack4R5>


Task 1.5 Solution


ASA1: (The active failover unit)
!
! Access-list to classify traffic
!
access-list TCP extended permit tcp any any
access-list UDP extended permit udp any any

!
! L3/L4 class-map for UDP traffic
!
class-map UDP_TRAFFIC
match access-list UDP
!
! L3/L4 class-map for TCP traffic
!
class-map TCP_TRAFFIC
match access-list TCP

!
! TCP map to allow TCP option 19 (TCP MD5 signature, used for BGP authentication)
!
tcp-map OPTION19
tcp-options range 19 19 allow

!
! Apply connection limit & inspection policy
!
policy-map global_policy
!
class TCP_TRAFFIC
set connection conn-max 5000 per-client-max 1000
set connection advanced-options OPTION19
class UDP_TRAFFIC
set connection conn-max 1000 per-client-max 500

!
! By inspecting ICMP we permit the returning packets
!
class inspection_default
inspect icmp


Task 1.5 Breakdown

There are two main approaches to permitting returning ICMP packets: either an
access-list on the outside interface or ICMP protocol inspection. Since we are
not allowed to use access-lists, ICMP inspection is our only option. Notice
that ICMP is already matched by the "inspection_default" class, so we do not
have to create a separate access-list/class-map for it; we just add "inspect
icmp" under that class.

To adjust the TCP/UDP session parameters we first need MPF classes matching the
respective protocols. We use access-lists to match TCP and UDP packets and then
create the corresponding class-maps. The last step is configuring the classes
under a policy-map. Since we do not have any specific policy-maps applied
anywhere, we use the default "global_policy" and add our custom classes there.

The tcp-map matters more than it looks: the ASA TCP normalizer clears TCP
options it does not recognize (anything other than MSS, selective ACK,
timestamp and window scale) unless a tcp-map explicitly allows them. Option 19
is the TCP MD5 signature option, so without "tcp-options range 19 19 allow"
an MD5-authenticated BGP session crossing the firewall would fail, and the
"Other options cleared" counter in the verification output is where that would
show up.
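As an added example (not from the workbook, and not Cisco code), the following Python models the normalizer behaviour that makes the tcp-map necessary: it parses the options of a constructed BGP SYN carrying a TCP MD5 signature (option 19) and applies first the default policy and then the OPTION19 tcp-map to it. The allowed-by-default set and the NOP overwrite are assumptions about the ASA's behaviour taken from its documentation rather than from this page, and the option bytes are constructed sample data, not a capture.

```python
import struct

# TCP option kinds (RFC 793, RFC 7323, RFC 2018, RFC 2385)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_SACK, OPT_TS, OPT_MD5 = 0, 1, 2, 3, 4, 5, 8, 19

# Options the ASA passes untouched with no tcp-map at all (assumption based on the
# ASA TCP normalizer defaults: MSS, SACK, timestamp and window scale are allowed,
# everything else is cleared unless a tcp-map says otherwise).
DEFAULT_ALLOWED = {OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_SACK, OPT_TS}


def parse_tcp_options(opts):
    """Return [(kind, offset, length, data)] for a TCP options block.

    EOL (0) ends the list and NOP (1) has no length byte; every other option is
    TLV-encoded. Malformed lengths raise instead of being silently skipped, which
    is what a normalizer should do with a segment it cannot parse.
    """
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length %d at offset %d" % (length, i))
        found.append((kind, i, length, bytes(opts[i + 2:i + length])))
        i += length
    return found


def option_kinds(opts):
    """Just the option kinds present, in wire order."""
    return [kind for kind, _, _, _ in parse_tcp_options(opts)]


def apply_tcp_map(opts, tcp_map=None):
    """Model of what the ASA TCP normalizer does to the options of one segment.

    tcp_map maps an option kind to "allow" or "clear", mirroring
    'tcp-options range <n> <n> {allow | clear}'. Kinds not in the map fall back
    to DEFAULT_ALLOWED. A cleared option is overwritten with NOPs in place, so
    the data offset and segment length stay valid; this is the effect counted
    as "Other options cleared" in show service-policy.
    Returns (normalized_options, list_of_cleared_kinds).
    """
    tcp_map = tcp_map or {}
    buf = bytearray(opts)
    cleared = []
    for kind, offset, length, _ in parse_tcp_options(opts):
        action = tcp_map.get(kind, "allow" if kind in DEFAULT_ALLOWED else "clear")
        if action == "clear":
            buf[offset:offset + length] = bytes([OPT_NOP]) * length
            cleared.append(kind)
    return bytes(buf), cleared


def bgp_syn_options(md5_digest=bytes(range(16))):
    """Constructed 40-byte option block of a BGP SYN carrying a TCP MD5 signature
    option (kind 19, 16-byte digest) next to the usual MSS, SACK-permitted,
    timestamp and window-scale options. Sample data, not a capture."""
    return (struct.pack("!BBH", OPT_MSS, 4, 1460)
            + struct.pack("!BB", OPT_SACK_PERM, 2)
            + struct.pack("!BBII", OPT_TS, 10, 123456, 0)
            + bytes([OPT_NOP]) + struct.pack("!BBB", OPT_WSCALE, 3, 7)
            + struct.pack("!BB", OPT_MD5, 18) + md5_digest
            + bytes([OPT_NOP, OPT_NOP]))


if __name__ == "__main__":
    syn = bgp_syn_options()
    print("original kinds      :", option_kinds(syn))
    normalized, cleared = apply_tcp_map(syn)                      # no tcp-map
    print("default policy kinds:", option_kinds(normalized), "cleared:", cleared)
    normalized, cleared = apply_tcp_map(syn, {OPT_MD5: "allow"})  # tcp-map OPTION19
    print("with OPTION19 kinds :", option_kinds(normalized), "cleared:", cleared)
```

With no tcp-map the MD5 option is NOP-filled and the BGP peer on the far side of the firewall sees an unsigned SYN, which it must reject; with the OPTION19 map the option block passes through byte for byte. The same model applies to any other option a tcp-map names, for example when an application depends on an option the normalizer would otherwise strip.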


Task 1.5 Verification


Issue the command that lists the global inspection policy parameters. Notice the
connection limits set for every class.

Rack4ASA(config)# show service-policy global

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns migrated_dns_map_1, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0

Class-map: TCP_TRAFFIC
Set connection policy: conn-max 5000 per-client-max 1000
current conns 0, drop 0
Set connection advanced-options: OPTION19
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 0 SYN with data drops: 0
Out-of-order packets: 0 No buffer drops : 0
Reserved bit cleared: 0 Reserved bit drops : 0
IP TTL modified : 0 Urgent flag cleared: 0
Window varied resets: 0

TCP-options:
Selective ACK cleared: 0 Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0
Class-map: UDP_TRAFFIC
Set connection policy: conn-max 1000 per-client-max 500
current conns 0, drop 0


Task 1.6 Solution


ASA1: (The active failover unit)
static (inside,outside) 183.4.125.8 192.10.4.8
!
! By inspecting ICMP error messages the firewall also translates the
! addresses quoted inside them (the embedded header of a time-exceeded or
! port-unreachable), so the host answering the traceroute probes is seen
! only under its mapped address.
!
! Therefore, no inside addresses will be visible to the outside
!
policy-map global_policy
class inspection_default
inspect icmp error

!
! Access-list to permit inbound UDP traffic (traceroute ports)
! and ICMP echo messages (pings)
!
access-list OUTSIDE_IN extended permit udp any any range 33434 33524
access-list OUTSIDE_IN extended permit icmp any any echo

!
! Apply the access-list
!
access-group OUTSIDE_IN in interface outside

!
! Access-list to classify ICMP traffic
!
access-list ICMP extended permit icmp any any

!
! L3/L4 class-map for ICMP traffic
!
class-map ICMP_TRAFFIC
match access-list ICMP

!
! Policy-map to rate-limit ICMP traffic
!
policy-map OUTSIDE
class ICMP_TRAFFIC
police input 56000
police output 56000

!
! Apply the service policy
!
service-policy OUTSIDE interface outside


Task 1.6 Breakdown

Traceroute and ping are the most common network testing tools, and you need to
understand how they work. We are mostly concerned with traceroute, as ping is
relatively simple. The UNIX variant of traceroute operates by sending UDP
packets to presumably "unused" UDP ports, starting with port 33434, with an
incrementing TTL starting at TTL=1. For every hop, three probes are sent with
incrementing port numbers. For example, for hop 1 (TTL=1) three probes are
sent to ports 33434, 33435 and 33436, all with TTL=1. The destination address
of every probe is the IP address of the traceroute target, so every transit
hop will attempt to forward the packet. However, when the TTL expires, the
transit router has to send back an ICMP "time-exceeded" error message with the
header of the original UDP packet embedded in it. From this ICMP response the
probing host learns the transit gateway's IP address, and from the embedded UDP
port it can tell which probe, and therefore which TTL, triggered it. As soon as
a probe reaches the destination, the final hop responds with an ICMP "port
unreachable" message, telling the probing host that its probes have reached
the final destination.

From the above description we may conclude the following. In order to permit
inbound traceroute we need to allow the UDP port range starting at 33434 and up
to the maximum port number that a traceroute can use. The default maximum hop
count of UNIX traceroute is 30, and with three probes per hop that is 90 ports,
33434 through 33523; the solution opens the range up to 33524, one port more
than strictly needed. Next, since the task requires hiding the identity of the
hosts inside the firewall, we configure the firewall to inspect ICMP error
messages such as ICMP unreachables. By default the addresses embedded in those
messages are not translated, which eases troubleshooting across the firewall
but also leaks the real inside address; enabling ICMP inspection for error
messages with the command "inspect icmp error" makes the firewall translate
them.

The next requirement is permitting ping inbound on the outside interface: this
is accomplished by permitting inbound ICMP echo messages. The echo-replies from
the inside are permitted automatically, since traffic from a higher to a lower
security level is allowed by default (and the ICMP inspection enabled in Task
1.5 tracks them statefully as well). The final requirement is limiting the ICMP
traffic rate on the outside interface: this requires an interface-level policy
map, since applying policing in the global policy would affect all interfaces.
We create a class-map matching ICMP traffic and apply a policy-map with
policing statements in both directions. Since no burst values are specified,
we let the firewall pick the default for us (the verification output shows a
burst of 1750 bytes for a 56000 bps rate).


Task 1.6 Verification


Traceroute to the outside IP address of SW2. Notice that the real inside IP
address of the switch never shows up in the traceroute output. Also notice that
the ASA firewall does not appear as a hop in the traceroute output – the firewall
does not decrement TTL and remains “invisible” in the traceroute path. Verify that
pings work as well.

Rack4R1#traceroute 183.4.125.8

Type escape sequence to abort.
Tracing the route to 183.4.125.8

  1 183.4.123.2 32 msec 28 msec 32 msec
  2 183.4.123.3 56 msec 57 msec 56 msec
  3 183.4.0.5 84 msec 84 msec 84 msec
  4 183.4.125.8 84 msec * 84 msec

Rack4R1#ping 183.4.125.8

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 183.4.125.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/171/173
ms


Verify traffic rate-limiting for ICMP packets. Notice that the policing function
drops outbound (echo request) packets once the rate exceeds 56 Kbps; the default
burst of 1750 bytes is barely more than a single 1500-byte ping.

Rack4SW2#ping 183.4.125.5 repeat 1000 size 1500

Type escape sequence to abort.


Sending 1000, 1500-byte ICMP Echos to 183.4.125.5, timeout is 2
seconds:
!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.
Success rate is 83 percent (25/30), round-trip min/avg/max = 4/5/8 ms

Rack4ASA(config)# show service-policy interface outside

Interface outside:
Service-policy: OUTSIDE
Class-map: ICMP_TRAFFIC
Input police Interface outside:
cir 56000 bps, bc 1750 bytes
conformed 992 packets, 120260 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface outside:
cir 56000 bps, bc 1750 bytes
conformed 1003 packets, 121250 bytes; actions: transmit
exceeded 7 packets, 7798 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Rack4ASA(config)#


Task 1.7 Solution


ASA1: (the active failover unit)
!
! UNIX traceroute relies on two ICMP message types sent in response to
! UDP probes: ICMP time-exceeded and port-unreachable.
!
! An object group is used so that a single ACL entry covers both.
!
object-group icmp-type TRACERT
icmp-object time-exceeded
icmp-object unreachable

!
! A single line ACL entry
!
access-list OUTSIDE_IN permit icmp any any object-group TRACERT

Task 1.7 Breakdown

Permitting outbound traceroute requires allowing the returning traffic to come
back through the firewall. In our case the UNIX traceroute variant is in use,
and thus the returning traffic consists of ICMP messages. Specifically, the two
message types being used are "time-exceeded" and "port-unreachable". However,
the ASA ACL syntax on this release does not distinguish between the various
unreachable codes (port-unreachable, host-unreachable and so on), so we need to
permit all "unreachable" messages. The next question is how to do this using an
ACL.

A common requirement, "use the minimum number of ACL lines", typically
translates into using object groups for, say, multiple ports or ICMP types.
This is the case in our scenario, where combining the ICMP message types into
an object group lets us use a single ACL line instead of the two lines we would
need otherwise. Keep in mind that the firewall still expands the group into two
entries internally (the verification shows hit counters per expanded entry), so
this saves configuration lines, not ACL elements. Also, because these entries
are not tied to the outgoing UDP probes, any outside host can send these ICMP
errors inbound at any time.
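The following Python script is an added example, not part of the workbook and not Cisco code. It ties together the Task 1.6 and Task 1.7 breakdowns: it computes the UDP port range a UNIX traceroute needs, builds the ICMP time-exceeded and port-unreachable replies with the quoted probe header, recovers the hop number from the quoted UDP port, and contrasts plain static NAT with what "inspect icmp error" does to the inside address quoted in the reply. The addresses are the lab's (150.4.1.1, 183.4.123.2, 192.10.4.8 mapped to 183.4.125.8); the packet bytes are constructed, not captured, and the NAT routine is a simplified model of the firewall's behaviour, not its implementation.

```python
import socket
import struct

TRACEROUTE_BASE_PORT = 33434                 # first port UNIX traceroute probes
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
ICMP_PORT_UNREACH = 3                        # destination-unreachable code
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def traceroute_port_range(max_hops=30, probes_per_hop=3):
    """Inclusive UDP port range an ACL must open for a UNIX traceroute:
    one port per probe, three probes per hop, 30 hops by default."""
    return TRACEROUTE_BASE_PORT, TRACEROUTE_BASE_PORT + max_hops * probes_per_hop - 1


def hop_from_port(dport, probes_per_hop=3):
    """Which hop (original TTL) sent the probe that a quoted UDP port belongs to."""
    return (dport - TRACEROUTE_BASE_PORT) // probes_per_hop + 1


def checksum(data):
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src, dst, sport, dport, ttl):
    """A traceroute probe: IP + UDP header, empty payload, UDP checksum 0 (unset)."""
    return ipv4_header(src, dst, IPPROTO_UDP, ttl, 8) + struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_error(router, probe, icmp_type, code):
    """ICMP error a router sends back to the prober: type/code, then the offending
    probe's IP header plus its first 8 bytes (the UDP ports), per RFC 792."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + probe[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(router, socket.inet_ntoa(probe[12:16]), IPPROTO_ICMP, 64, len(body)) + body


def parse_icmp_error(pkt):
    """Outer source, type/code, and the addresses/ports of the quoted probe."""
    inner = pkt[28:]
    sport, dport = struct.unpack("!HH", inner[20:24])
    return {"router": socket.inet_ntoa(pkt[12:16]), "type": pkt[20], "code": pkt[21],
            "inner_src": socket.inet_ntoa(inner[12:16]),
            "inner_dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport}


def nat_icmp_error(pkt, real_to_mapped, inspect_error=True):
    """Static NAT of an ICMP error leaving the inside. Plain NAT rewrites only the
    outer source; 'inspect icmp error' additionally rewrites the inside address
    quoted in the embedded header, so the real address never reaches the outside.
    Every touched checksum (outer IP, ICMP, quoted IP header) is recomputed."""
    outer, icmp = bytearray(pkt[:20]), bytearray(pkt[20:])
    src = socket.inet_ntoa(bytes(outer[12:16]))
    outer[12:16] = socket.inet_aton(real_to_mapped.get(src, src))
    if inspect_error:
        inner = icmp[8:28]                        # quoted IP header of the probe
        dst = socket.inet_ntoa(bytes(inner[16:20]))
        inner[16:20] = socket.inet_aton(real_to_mapped.get(dst, dst))
        inner[10:12] = b"\x00\x00"
        inner[10:12] = struct.pack("!H", checksum(inner))
        icmp[8:28] = inner
        icmp[2:4] = b"\x00\x00"
        icmp[2:4] = struct.pack("!H", checksum(icmp))
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(outer))
    return bytes(outer + icmp)


def checksums_ok(pkt):
    """True when the outer IP, ICMP and quoted IP header checksums all verify."""
    return checksum(pkt[:20]) == 0 and checksum(pkt[20:]) == 0 and checksum(pkt[28:48]) == 0


if __name__ == "__main__":
    print("ACL needs udp range %d %d" % traceroute_port_range())
    # R1 probes the mapped address; SW2 (real 192.10.4.8) answers port-unreachable.
    probe = udp_probe("150.4.1.1", "192.10.4.8", 40000, 33443, 1)
    reply = icmp_error("192.10.4.8", probe, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)
    nat = {"192.10.4.8": "183.4.125.8"}
    print("plain NAT         :", parse_icmp_error(nat_icmp_error(reply, nat, inspect_error=False)))
    print("inspect icmp error:", parse_icmp_error(nat_icmp_error(reply, nat)))
```

Running it prints two parsed replies: with plain NAT the outer source is the mapped 183.4.125.8 but inner_dst still reads 192.10.4.8, which is exactly the leak the task asks to close; with the error inspection model both read 183.4.125.8 and hop_from_port on the quoted port still yields hop 4, so the tracerouting host loses nothing it needs.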


Task 1.7 Verification

Traceroute from SW2 to R1, then check the access-list hit counters. Note that
the output below was captured with a narrower UDP range (33434-33464) on line
1 than the one configured in the Task 1.6 solution; what matters here are the
hit counts on the time-exceeded and unreachable entries expanded from the
object group.

Rack4SW2#traceroute 150.4.1.1

Type escape sequence to abort.
Tracing the route to 150.4.1.1

  1 183.4.125.5 4 msec 4 msec 4 msec
  2 183.4.0.3 32 msec 32 msec 28 msec
  3 183.4.123.2 60 msec 60 msec 56 msec
  4 183.4.123.1 84 msec * 84 msec
Rack4SW2#

Rack4ASA(config)# show access-list OUTSIDE_IN

access-list OUTSIDE_IN; 5 elements
access-list OUTSIDE_IN line 1 extended permit udp any any range 33434 33464 (hitcnt=39) 0x061e01ad
access-list OUTSIDE_IN line 2 extended permit icmp any any echo (hitcnt=5) 0x869bdf05
access-list OUTSIDE_IN line 3 extended permit icmp any any object-group TRACERT 0xd559d01e
  access-list OUTSIDE_IN line 3 extended permit icmp any any time-exceeded (hitcnt=12) 0x00c3b80d
  access-list OUTSIDE_IN line 3 extended permit icmp any any unreachable (hitcnt=4) 0xec6c9a23


Task 1.8 Solution


ASA1:
!
! Port redirection from outside interface to BB2
!
static (inside,outside) tcp interface telnet 192.10.4.254 telnet

!
! Permission for port redirection
!
access-list OUTSIDE_IN extended permit tcp any host 183.4.125.12 eq
telnet

Task 1.8 Breakdown

Port redirection is normally configured using static NAT entries. The subtlety
here is that we need to use the ASA's own IP address for the redirection. This
can only be done by creating a static PAT entry with the "interface" keyword,
which maps the outside interface's address and port to BB2. The static entry
must be accompanied by an access-list entry permitting packets to the ASA's
outside interface on the given port. Because the failover pair shares the
active address 183.4.125.12 (Task 1.3), the redirection keeps working after a
failover. Keep in mind that this exposes a Telnet login on BB2 to any outside
host; if the task allowed it, the source in the access-list entry should be
restricted.

Task 1.8 Verification


Telnet to the outside interface of the ASA and ensure the session actually
terminates on BB2.

Rack4R5#telnet 183.4.125.12
Trying 183.4.125.12 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB2. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.ine.com/downloads/bb2.txt |
| |
+-----------------------------------------------------------------------+

BB2>


Task 1.9 Solution


ASA1: (the active firewall unit)
!
! Destination NAT setup
!
alias (inside) 183.4.125.20 183.4.125.200

Task 1.9 Breakdown

The alias command has two functions: first, it performs destination NAT by
rewriting the destination IP address, and second, it may be used to rewrite
DNS responses. In our case the only requirement is redirecting the traffic, so
we bind an alias to the inside interface, redirecting packets destined to .20
to the host with IP address .200. Inside hosts reach .20 through their default
route pointing at the firewall (here the OSPF default from Task 1.2), and the
firewall rewrites the destination address before forwarding the packet. Note
that alias is a legacy command that Cisco recommends replacing with outside
static NAT (with the dns keyword where DNS rewriting is needed); it is used
here because that is what the scenario calls for.

Task 1.9 Verification


Start pinging the incorrect IP address from SW2 while having ICMP trace
debugging enabled in the ASA. Notice that you will also see ICMP packets
generated by the SLA probe in the debugging output. Pay attention to the fact
that packets destined to the IP address 183.4.125.20 are redirected to
183.4.125.200.

Rack4SW2#ping 183.4.125.20 repeat 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 183.4.125.20, timeout is 2 seconds:
...

Rack4ASA(config)# debug icmp trace

ICMP echo request untranslating inside:183.4.125.20 to outside:183.4.125.200
ICMP echo request from inside:192.10.4.8 to outside:183.4.125.20 ID=14 seq=4 len=72
ICMP echo request translating inside:192.10.4.8 to outside:183.4.125.8
ICMP echo request untranslating inside:183.4.125.20 to outside:183.4.125.200


Task 2.1 Solution


R1:
!
! Security zones
!
zone security OUTSIDE
zone security INSIDE

!
! Traceroute responses ACL and class-map
!
ip access-list extended TRACEROUTE_RESPONSES_ACL
permit icmp any any time-exceeded
permit icmp any any port-unreachable
!
class-map type inspect match-all TRACEROUTE_RESPONSES_CMAP
match access-group name TRACEROUTE_RESPONSES_ACL

!
! Traffic to the inside HTTP server
!
ip access-list extended INSIDE_HTTP_SERVER_ACL
permit tcp any host 183.4.46.100 eq 80
permit tcp any host 183.4.46.100 eq 443
!
class-map type inspect match-all INSIDE_HTTP_SERVER_CMAP
match access-group name INSIDE_HTTP_SERVER_ACL
match protocol tcp
!
class-map type inspect match-any ALLOWED_TRAFFIC_CMAP
match protocol tcp
match protocol icmp
match protocol udp

!
! Policy for the inside->outside traffic
!
policy-map type inspect INSIDE_TO_OUTSIDE_PMAP
class type inspect ALLOWED_TRAFFIC_CMAP
inspect
class class-default
drop

!
! Policy for the outside->inside traffic
!
policy-map type inspect OUTSIDE_TO_INSIDE_PMAP
class type inspect INSIDE_HTTP_SERVER_CMAP
inspect
class type inspect TRACEROUTE_RESPONSES_CMAP
pass
class class-default
drop


!
! Define a zone pair and apply the policy
!
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE_PMAP

!
! Define a zone pair and apply the policy
!
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE_TO_INSIDE_PMAP

!
! Assign the zones to the interfaces
!
interface Serial 0/0.123
zone-member security INSIDE
!
interface FastEthernet 0/0
zone-member security OUTSIDE

Task 2.1 Breakdown

This is a relatively simple ZBFW example, with only a couple of security zones
defined. Start your ZBFW configurations by making a simple diagram of the
security zones and outlining the traffic flows between them. In our case there
are two zones: INSIDE and OUTSIDE (the names are your choice).

The traffic going from INSIDE to OUTSIDE includes the TCP, UDP and ICMP
protocols; no other specifics have been defined. The traffic in the opposite
direction includes HTTP and HTTPS sessions to a pre-defined IP address as well
as "traceroute return traffic", which consists of ICMP port-unreachable and
ICMP time-exceeded messages.

Traffic going from INSIDE to OUTSIDE can be matched using "match protocol"
statements:

class-map type inspect match-any ALLOWED_TRAFFIC_CMAP
match protocol tcp
match protocol icmp
match protocol udp

Matching the HTTP and HTTPS traffic to the internal server, however, can be
accomplished in multiple ways. The solution matches an access-list permitting
just HTTP and HTTPS traffic to the server and combines this, in a match-all
class, with "match protocol tcp", which is sufficient to inspect HTTP and HTTPS
sessions at layer 4. This does not, however, allow for deep (application-layer)
inspection of HTTP. Since we are not required to do so, we can stay with this
configuration:


ip access-list extended INSIDE_HTTP_SERVER_ACL
permit tcp any host 183.4.46.100 eq 80
permit tcp any host 183.4.46.100 eq 443
!
class-map type inspect match-all INSIDE_HTTP_SERVER_CMAP
match access-group name INSIDE_HTTP_SERVER_ACL
match protocol tcp

An alternative configuration would look something like the following:

class-map type inspect match-any PROTOCOLS_FOR_HTTP_SERVER_CMAP
match protocol http
match protocol https
!
ip access-list extended INSIDE_HTTP_SERVER_ACL
permit tcp any host 183.4.46.100
!
class-map type inspect match-all INSIDE_HTTP_SERVER_CMAP
match class PROTOCOLS_FOR_HTTP_SERVER_CMAP
match access-group name INSIDE_HTTP_SERVER_ACL

In this situation, both solutions work, but you should prefer the second one if deep
packet inspection has been requested. Finally, the traceroute “returning” traffic
includes two ICMP message types, and these cannot be allowed by inspecting
traffic going from inside to outside. So we create an access-list matching these
messages, wrap it into a class-map and finally attach this to a policy-map with
a pass statement, since ICMP error messages cannot be inspected. Notice that
this implies there is no correlation between the returning ICMP error messages
and the outgoing UDP probes sent by the traceroute utility.


Task 2.1 Verification


Generate some test traffic from a host on the inside zone.

Rack4R2#traceroute 204.12.4.254

Type escape sequence to abort.
Tracing the route to 204.12.4.254

1 183.4.123.1 28 msec 32 msec 28 msec
2 204.12.4.254 32 msec * 32 msec

Rack4R2#ping 204.12.4.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 204.12.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/61/64 ms

Rack4R2#telnet 204.12.4.254
Trying 204.12.4.254 ... Open

BB3>exit

[Connection to 204.12.4.254 closed by foreign host]


Check the inspection policy maps statistics.

Rack4R1#show policy-map type inspect zone-pair

Zone-pair: INSIDE_TO_OUTSIDE

Service-policy inspect : INSIDE_TO_OUTSIDE_PMAP

Class-map: ALLOWED_TRAFFIC_CMAP (match-any)
Match: protocol tcp
1 packets, 24 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps
Match: protocol udp
3 packets, 24 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:34]
udp packets: [0:3]
icmp packets: [0:10]

Session creations since subsystem startup or last reset 5
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:4:1]
Last session created 00:00:45
Last statistic reset never
Last session creation rate 3
Maxever session creation rate 5
Last half-open session total 0


Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes

Zone-pair: OUTSIDE_TO_INSIDE

Service-policy inspect : OUTSIDE_TO_INSIDE_PMAP

Class-map: INSIDE_HTTP_SERVER_CMAP (match-all)
Match: access-group name INSIDE_HTTP_SERVER_ACL
Match: protocol tcp
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0

Class-map: TRACEROUTE_RESPONSES_CMAP (match-all)
Match: access-group name TRACEROUTE_RESPONSES_ACL
Pass
2 packets, 72 bytes

Class-map: class-default (match-any)
Match: any
Drop
21 packets, 1020 bytes

Routing traffic (BGP) is not affected by the zone-based firewall configuration, as
by default traffic to the “self” zone is permitted. Next, telnet to BB3 and try pinging
any inside host (notice that in the real exam you don’t have access to the
backbone routers):

BB3>ping 150.4.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.4.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

BB3>ping 150.4.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.4.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms


Note

You can ping R1 since the traffic is classified as destined to the firewall itself
(zone self), not as transit.

Task 2.2 Solution


SW1:
access-list 160 deny tcp any any eq 139
access-list 160 permit ip any any

interface FastEthernet0/24
ip access-group 160 in

Task 2.2 Breakdown


Lateral thinking is part of the CCIE exam challenge. It is common to see a series
of requirements accompanied by restrictions that exclude the most obvious
configuration option. Think in terms of the whole system and keep in mind the
entire path that the traffic in question may take. This often includes various
layer-2-only paths, such as VLANs that may cross multiple switches. Every such
“transparent” node can be used for traffic filtering as well, leveraging port or
VLAN ACLs.

Task 2.3 Solution


R6:
!
! Reflexive ACL
!
ip access-list extended TO_BB1
permit tcp any any reflect MIRROR
permit udp any any reflect MIRROR
permit icmp any any

!
! Permit BGP & ICMP responses to R6, then evaluate the reflexive list
!
ip access-list extended FROM_BB1
permit tcp host 54.4.7.254 eq bgp host 54.4.7.6
permit tcp host 54.4.7.254 host 54.4.7.6 eq bgp
permit icmp any any echo-reply
evaluate MIRROR
!
interface Virtual-Template 1
ip access-group FROM_BB1 in
ip access-group TO_BB1 out

!
! Reflexive ACL expiration timeout
!
ip reflexive-list timeout 120


Task 2.3 Breakdown


Reflexive ACLs were the first “pseudo-stateful” firewall technique introduced into
IOS, if you don’t count the “established” option as stateful inspection. While it is
not very popular due to its very limited scalability, it is still a candidate for testing in
the exam. Keep in mind that there is no way to really “inspect” local traffic with
reflexive ACLs. You either need to open explicit pin-holes in the inbound ACL for
returning local packets, or use a local policy route-map redirecting all local traffic to a
loopback interface: this makes the locally originated traffic re-appear as transit. Be
careful with the PBR trick though, as any local traffic with a TTL of 1 (e.g.
PIM/OSPF hello packets) will be dropped once it re-enters the router via the
Loopback. Always use an access-list combined with the local-policy route-map.
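As an added example (not code from the workbook), the following Python model replays Task 2.3's reflexive ACLs on R6 and the Task 2.1 observation that ICMP error messages are not correlated with the probes that caused them; the addresses are the task's (BB1 54.4.7.254, R6 54.4.7.6, R3 183.4.0.3), while the packets, ports and timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

REFLEXIVE_TIMEOUT = 120  # ip reflexive-list timeout 120

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 = not applicable (ICMP)
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-reply", "time-exceeded"

@dataclass(frozen=True)
class Entry:
    """One line of an extended ACL; a None field means 'any'."""
    proto: str
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    reflect: Optional[str] = None  # reflexive list to populate, if any

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src in (None, p.src)
                and self.sport in (None, p.sport) and self.dst in (None, p.dst)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))

@dataclass
class ReflexiveList:
    """Temporary mirrored entries; the value is the idle-timer expiry."""
    entries: Dict[Entry, int] = field(default_factory=dict)

    def add_mirror(self, p: Packet, now: int) -> None:
        # Addresses and ports swapped, like the verification output line
        # "permit tcp host 54.4.7.254 eq telnet host 183.4.0.3 eq 11024".
        mirror = Entry(p.proto, src=p.dst, sport=p.dport, dst=p.src, dport=p.sport)
        self.entries[mirror] = now + REFLEXIVE_TIMEOUT

    def evaluate(self, p: Packet, now: int) -> bool:
        for e, expiry in list(self.entries.items()):
            if now >= expiry:
                del self.entries[e]                        # "time left" hit 0
            elif e.matches(p):
                self.entries[e] = now + REFLEXIVE_TIMEOUT  # idle timer refreshed
                return True
        return False

class R6Filter:
    """TO_BB1 outbound and FROM_BB1 inbound, as applied on R6's Virtual-Template 1."""
    def __init__(self) -> None:
        self.mirror = ReflexiveList()
        self.to_bb1 = [Entry("tcp", reflect="MIRROR"), Entry("udp", reflect="MIRROR"),
                       Entry("icmp")]  # plain permit: no mirror entry for ICMP
        self.from_bb1 = [Entry("tcp", src="54.4.7.254", sport=179, dst="54.4.7.6"),
                         Entry("tcp", src="54.4.7.254", dst="54.4.7.6", dport=179),
                         Entry("icmp", icmp_type="echo-reply")]

    def outbound(self, p: Packet, now: int, local: bool = False) -> bool:
        if local:          # R6's own packets skip the outbound ACL: no mirror entry,
            return True    # which is why FROM_BB1 needs static BGP pin-holes
        for e in self.to_bb1:
            if e.matches(p):
                if e.reflect:
                    self.mirror.add_mirror(p, now)
                return True
        return False

    def inbound(self, p: Packet, now: int) -> bool:
        if any(e.matches(p) for e in self.from_bb1):   # static pin-holes first
            return True
        return self.mirror.evaluate(p, now)            # then "evaluate MIRROR"

def demo() -> Dict[str, bool]:
    """Replays the page's verification traffic through the model (constructed packets)."""
    fw, r = R6Filter(), {}
    # R3 telnets to BB1 (transit): the mirror entry admits the reply for 120 s of idle time.
    fw.outbound(Packet("tcp", "183.4.0.3", "54.4.7.254", 11024, 23), now=0)
    reply = Packet("tcp", "54.4.7.254", "183.4.0.3", 23, 11024)
    r["telnet_reply_t7"] = fw.inbound(reply, now=7)
    r["telnet_reply_t200"] = fw.inbound(reply, now=200)     # idle too long: dropped
    # BB1-initiated telnet: no mirror entry and no pin-hole.
    r["bb1_telnet"] = fw.inbound(Packet("tcp", "54.4.7.254", "183.4.0.5", 40000, 23), 0)
    # R6's own BGP: the outbound ACL never sees it, the static pin-hole carries the reply.
    fw.outbound(Packet("tcp", "54.4.7.6", "54.4.7.254", 30000, 179), 0, local=True)
    r["bgp_reply"] = fw.inbound(Packet("tcp", "54.4.7.254", "54.4.7.6", 179, 30000), 0)
    # Ping works via the echo-reply pin-hole, but a traceroute UDP probe gets an ICMP
    # time-exceeded back that matches neither a pin-hole nor the mirrored UDP entry:
    # the same lack of correlation the ZBFW solution in Task 2.1 handles with "pass".
    fw.outbound(Packet("icmp", "183.4.0.3", "54.4.7.254", icmp_type="echo"), 0)
    r["echo_reply"] = fw.inbound(Packet("icmp", "54.4.7.254", "183.4.0.3", icmp_type="echo-reply"), 0)
    fw.outbound(Packet("udp", "183.4.0.3", "54.4.7.254", 40000, 33434), 0)
    r["time_exceeded"] = fw.inbound(Packet("icmp", "54.4.7.254", "183.4.0.3", icmp_type="time-exceeded"), 0)
    return r

if __name__ == "__main__":
    print(demo())
```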

Task 2.3 Verification


Sessions from the “inside” of R6 are permitted across the filtering device:

Rack4R3#ping 54.4.7.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 54.4.7.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/28 ms

Rack4R3#telnet 54.4.7.254
Trying 54.4.7.254 ... Open
BB1>

Notice how the temporary access-list entries are created to allow the returning
traffic.

Rack4R6#show ip access-lists
...
Reflexive IP access list MIRROR
permit tcp host 54.4.7.254 eq telnet host 183.4.0.3 eq 11024 (230 matches) (time left 113)
Extended IP access list FROM_BB1
permit tcp host 54.4.7.254 eq bgp host 54.4.7.6 (3 matches)
permit tcp host 54.4.7.254 host 54.4.7.6 eq bgp
permit icmp any any echo-reply (5 matches)
evaluate MIRROR
Extended IP access list TO_BB1
permit tcp any any reflect MIRROR
permit udp any any reflect MIRROR
permit icmp any any (5 matches)


Now verify that connections initiated from BB1 are blocked by the inbound
access list on the Virtual-Access interface.

BB1>ping 183.4.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.4.0.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

BB1>telnet 183.4.0.5
Trying 183.4.0.5 ...
% Destination unreachable; gateway or host down


Task 3.1 Solution


R3:
!
! Enable NAT
!
interface FastEthernet0/1
ip nat inside
!
interface Serial1/1.345
ip nat outside

!
! Static route for the new network
!
ip route 10.7.7.0 255.255.255.0 Null0

!
! ‘Create’ a new network to translate the local subnet
! and advertise it into OSPF to provide connectivity
!
router ospf 1
redistribute static subnets
!
ip nat inside source static network 10.41.41.0 10.7.7.0 /24

R4:
interface Serial0/0.345
ip nat outside
!
interface Serial0/1
ip nat outside
!
interface FastEthernet0/1
ip nat inside

!
! Static route for the new network
!
ip route 10.4.4.0 255.255.255.0 Null0

!
! We ‘create’ a new network to translate the local subnet
! and advertise it into OSPF to provide connectivity
!
router ospf 1
redistribute static subnets
!
ip nat inside source static network 10.41.41.0 10.4.4.0 /24


Task 3.1 Breakdown


Overlapping address spaces are common when connecting two private networks
to form an extranet, for example. There are two solutions to this problem:
renumbering one of the sites, or using NAT to create non-overlapping address
ranges. We use static network-based NAT, which is the equivalent of static NAT
mappings but covers network ranges as a whole. The overlapping network is
10.41.41.0/24, and we create two different networks to mask the prefix at the different
sites: 10.4.4.0/24 and 10.7.7.0/24. It would be enough to create just one extra
network, but it looks more symmetric to have two, one per site. The static NAT
entries are accompanied by static routes on each router, used to advertise the newly
created subnets into OSPF, since the static network NAT statement does not create a
local static route by default. The overlapping subnets are never advertised in
OSPF; only the “masqueraded” networks are visible.
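An added Python model (not the workbook's own code) of the two static network NAT statements: it walks the SW1 ping from Task 3.1 through R3 and R4 and then checks the post-NAT packet against R3's crypto ACL from Task 3.2, which is the NAT-before-encryption order of operations that breakdown relies on; the addresses are the task's, the ping path is constructed.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Tuple

def translate(addr: str, from_net: IPv4Network, to_net: IPv4Network) -> str:
    """Keep the host part, swap the network part: what 'ip nat inside source
    static network' does for every host of the /24 without per-host entries."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static network NAT requires equal prefix lengths")
    offset = int(IPv4Address(addr)) - int(from_net.network_address)
    return str(IPv4Address(int(to_net.network_address) + offset))

class NatRouter:
    """One 'ip nat inside source static network <local> <global> /24' statement."""
    def __init__(self, inside_local: str, inside_global: str) -> None:
        self.local = IPv4Network(inside_local)   # the overlapping 10.41.41.0/24
        self.glob = IPv4Network(inside_global)   # the masquerade prefix

    def inside_to_outside(self, src: str, dst: str) -> Tuple[str, str]:
        # Packet leaving the site: rewrite the source if it is in the local net.
        if IPv4Address(src) in self.local:
            src = translate(src, self.local, self.glob)
        return src, dst

    def outside_to_inside(self, src: str, dst: str) -> Tuple[str, str]:
        # Packet entering the site: rewrite the destination back to the real host.
        if IPv4Address(dst) in self.glob:
            dst = translate(dst, self.glob, self.local)
        return src, dst

def ping_path(src: str, dst: str) -> Dict[str, Tuple[str, str]]:
    """SW1 (10.41.41.7 behind R3) pings 10.4.4.4, the masqueraded address of the
    R4-site host 10.41.41.4. Returns (src, dst) as seen at each point."""
    r3 = NatRouter("10.41.41.0/24", "10.7.7.0/24")
    r4 = NatRouter("10.41.41.0/24", "10.4.4.0/24")
    seen = {}
    s, d = r3.inside_to_outside(src, dst)   # on the WAN: 10.7.7.7 -> 10.4.4.4
    seen["wan_request"] = (s, d)
    s, d = r4.outside_to_inside(s, d)       # R4 LAN: 10.7.7.7 -> 10.41.41.4
    seen["r4_lan_request"] = (s, d)
    s, d = r4.inside_to_outside(d, s)       # reply: 10.4.4.4 -> 10.7.7.7
    seen["wan_reply"] = (s, d)
    s, d = r3.outside_to_inside(s, d)       # R3 LAN: 10.4.4.4 -> 10.41.41.7
    seen["r3_lan_reply"] = (s, d)
    return seen

def crypto_acl_matches(src: str, dst: str) -> bool:
    """R3's crypto ACL from Task 3.2 (permit ip 10.7.7.0/24 10.4.4.0/24). Because
    IOS translates before it encrypts, the ACL sees the post-NAT addresses."""
    return (IPv4Address(src) in IPv4Network("10.7.7.0/24")
            and IPv4Address(dst) in IPv4Network("10.4.4.0/24"))

if __name__ == "__main__":
    path = ping_path("10.41.41.7", "10.4.4.4")
    for point, (s, d) in path.items():
        print(f"{point:15s} {s} -> {d}")
    print("crypto ACL hit on WAN:", crypto_acl_matches(*path["wan_request"]))
```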

Task 3.1 Verification


Ping from SW1 to the translated network to verify connectivity:

Rack4SW1#ping 10.4.4.4 source 10.41.41.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.41.41.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/102/104 ms

Rack4R3#show ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 10.7.7.7:2 10.41.41.7:2 10.4.4.4:2 10.4.4.4:2
--- 10.7.7.7 10.41.41.7 --- ---
--- 10.7.7.0 10.41.41.0 --- ---

Rack4R4#show ip nat translations

Pro Inside global Inside local Outside local Outside global
icmp 10.4.4.4:2 10.41.41.4:2 10.7.7.7:2 10.7.7.7:2
--- 10.4.4.4 10.41.41.4 --- ---
--- 10.4.4.0 10.41.41.0 --- ---


Task 3.2 Solution


R5:
!
! The PKI CA should have its time synchronized with its PKI clients
!
ntp master
!
! Enable PKI server on R5
!
crypto pki server INE1
issuer-name cn=INE,ou=Security
grant auto
no shutdown
%Some server settings cannot be changed after CA certificate
generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: cisco1234

!
! The password above is arbitrary
!

R3 & R4: (shared configuration)
!
! Synchronize clocks on R3/R4 with the R5 server
! in order for certificates to be valid:
!
ntp server 150.4.5.5

!
! Create RSA keys: configure the domain-name first
!
ip domain-name ine.com
crypto key generate rsa general-keys modulus 512

!
! Configure & authenticate the trustpoint for the CA server
!
crypto ca trustpoint INE1
enrollment url http://150.4.5.5
enrollment mode ra
crl optional
!
crypto ca authenticate INE1
crypto ca enroll INE1

!
! Common ISAKMP & IPsec settings
!
crypto isakmp policy 10
encr 3des
hash md5
!
crypto ipsec transform-set AES256 ah-md5-hmac esp-aes 256


R3:
!
! Traffic to encrypt
!
ip access-list extended VLAN41_TO_VLAN4
permit ip 10.7.7.0 0.0.0.255 10.4.4.0 0.0.0.255

!
! By using the Loopback interface as the source for the ISAKMP exchange
! and IPsec packet tunneling
! we protect the communication against local physical
! interface failure
!
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
set peer 150.4.4.4
set transform-set AES256
match address VLAN41_TO_VLAN4
!
interface Serial1/1.345 point-to-point
crypto map VPN

R4:
!
! Traffic to encrypt
!
ip access-list extended VLAN4_TO_VLAN41
permit ip 10.4.4.0 0.0.0.255 10.7.7.0 0.0.0.255

!
! By using the Loopback interface for the ISAKMP exchange
! and IPsec packet tunneling
! we protect the communication against local physical
! interface failure
!
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
set peer 150.4.3.3
set transform-set AES256
match address VLAN4_TO_VLAN41
!
interface Serial0/0.345 point-to-point
crypto map VPN
!
interface Serial0/1
crypto map VPN


Task 3.2 Breakdown


There are two options for creating the VPN here: using crypto maps that filter
the traffic to encrypt, or using Virtual Tunnel Interfaces between R3 and R4. We use
the crypto maps, even though the VTIs would be simpler. The reason is that
VTIs would require an additional routing protocol to route the
protected networks over the VTI interface, or resorting to static routes. Using the
same protocol for the VPN and the underlying routing is also possible but not
recommended for healthy designs, as extra care needs to be taken to protect
against routing loops.

The use of crypto maps implies configuring access-lists to match the protected
traffic. In IOS, the NAT feature is applied prior to encryption, so we match the
post-NAT “unique” networks. Notice that the use of VTIs makes this order of
operations clearer: the traffic is first NATed if NAT is enabled on the VTI and then
encapsulated in the tunnel.

The configurations are very symmetric on R3 and R4, so you may
effectively use a notepad application to create one config, then copy it and
modify it to match the other router. In fact, this is the recommended approach for
configuring almost anything in the CCIE exam.

By default, ISAKMP messages are sourced from the interface that the crypto map
is applied to. The same IP address is used in the outer header of the
ESP-encapsulated traffic. Of course, this makes the whole configuration rely on the
interface status. Using the command crypto map <XXX> local-address
allows changing the source for ISAKMP/ESP packets and making the IPsec
configuration independent of the point of attachment. This achieves the
necessary level of IPsec redundancy.

Once again, we would like to point out the advantages of a VTI-based configuration:
it is easier to read and understand, it is bound to a logical interface,
and it offers a significantly more logical approach to configuring IPsec. However,
many deployments are still based on the “legacy” crypto-map syntax and therefore
you need to know it. Not to mention that the ASA firewall still does not support
the concept of a VTI tunnel.

Lastly, a few words on digital-certificate based authentication. This is the most
scalable authentication technique, provided that a PKI infrastructure is in place.
The lab exam only tests your knowledge of IOS PKI, which is straightforward to
set up. A common mistake though is forgetting to synchronize time between the
CA and its clients. In the exam you may have various clock discrepancies,
either intentional or unintentional, and they may affect proper authentication.
Always look out for possible firewall filtering that may break SCEP
communications. Even if you have already requested certificates, make sure you
have an opening for SCEP when applying any firewall rules later.


Task 3.2 Verification


Here is a sample dialog demonstrating the CA enrollment procedure.

Rack4R4(config)#crypto ca enroll INE1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the
configuration.
Please make a note of it.

Password: cisco
Re-enter password: cisco

% The fully-qualified domain name in the certificate will be: Rack4R4.ine.com
% The subject name in the certificate will be: Rack4R4.ine.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the
fingerprint.

Rack4R4(config)#
Fingerprint: AE11D86D 62E91A73 5C430955 739EC1A3
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority

Rack4R4#show crypto ca certificates

Certificate
Status: Available
Certificate Serial Number: 0x3
Certificate Usage: General Purpose
Issuer:
cn=INE
ou=Security
Subject:
Name: Rack4R4.ine.com
hostname=Rack4R4.ine.com
Validity Date:
start date: 12:28:14 UTC Jul 31 2010
end date: 12:28:14 UTC Jul 31 2011
Associated Trustpoints: INE1


CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=INE
ou=Security
Subject:
cn=INE
ou=Security
Validity Date:
start date: 12:20:45 UTC Jul 31 2010
end date: 12:20:45 UTC Jul 30 2013
Associated Trustpoints: INE1

Now check that the protected networks can ping each other and that the traffic is
actually encrypted:

Rack4SW1#ping 10.4.4.4 source vlan41

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.41.41.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 209/209/210 ms

Rack4R3#show ip nat translations

Pro Inside global Inside local Outside local Outside global
--- 10.7.7.7 10.41.41.7 --- ---

Subnet translation:
Inside global Inside local Outside local Outside global /prefix
10.7.7.0 10.41.41.0 --- --- /24


Rack4R3#show cry isakmp sa

dst src state conn-id slot
150.4.4.4 150.4.3.3 QM_IDLE 1 0

Rack4R3#show cry isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption

C-id Local Remote I-VRF Encr Hash Auth DH Lifetime Cap.
1 150.4.3.3 150.4.4.4 3des md5 rsig 1 23:58:09

Rack4R3#show cry ipsec sa

interface: Serial1/1.345
Crypto map tag: VPN, local addr. 150.4.3.3

protected vrf:
local ident (addr/mask/prot/port): (10.7.7.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
current_peer: 150.4.4.4:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0

local crypto endpt.: 150.4.3.3, remote crypto endpt.: 150.4.4.4
path mtu 1500, media mtu 1500
current outbound spi: 43910448
<snip>


Task 3.3 Solution


R2:
!
! Enable AAA and configure AAA list
! to prevent authentication on the console line.
!
aaa new-model
aaa authentication login CONSOLE none

!
! AAA list for local network authorization
! Required to apply ISAKMP authorization via
! local database
!
aaa authorization network EZVPN local

!
! Authentication list: ezVPN auth is local by default, but it does
! not hurt defining and using this list.
!
aaa authentication login EZVPN local

!
! Apply AAA list to the console
!
line console 0
login authentication CONSOLE

!
! ISAKMP policy to support Cisco VPN Clients
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

!
! DPD Keepalives, enabled periodically
!
crypto isakmp keepalive 10 periodic

!
! Pool to allocate addresses for remote clients
!
ip local pool EZVPN_POOL 192.168.0.1 192.168.0.50

!
! Assign this pool to ISAKMP process, so that mode config may work
! with address assignment
!
crypto isakmp client configuration address-pool local EZVPN_POOL


!
! Split-tunneling Access-List
!
ip access-list extended SPLIT_TUNNEL
permit ip 183.4.0.0 0.0.255.255 any

!
! Client configuration group
!
crypto isakmp client configuration group IELAB
key CISCO
dns 183.4.46.100
wins 183.4.46.100
domain ine.com
pool EZVPN_POOL
acl SPLIT_TUNNEL
!
! ISAKMP Profile for the EZVPN group
!
crypto isakmp profile IELAB
match identity group IELAB
isakmp authorization list EZVPN
client authentication list EZVPN
client configuration address respond
client configuration group IELAB
virtual-template 1

!
! Phase 2 encryption and authentication.
!
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
!
! IPsec profile defines the protection settings
!
crypto ipsec profile IELAB
set transform-set 3DES_SHA
set reverse-route tag 100
set isakmp-profile IELAB
!
! Virtual Template to clone access interfaces.
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IELAB
!
! Redistribute RRI routes
!
router ospf 1
redistribute static subnets route-map STATIC_TO_OSPF

!
! Only redistribute RRI routes
!
route-map STATIC_TO_OSPF
match tag 100


Task 3.3 Breakdown


ezVPN technology went through multiple evolution steps, which is reflected in its
configuration. The most recent and “logical” approach is the one based on VTI
interfaces and ISAKMP/IPsec profiles. The logical steps to configuring the ezVPN
server are as follows (repeat them a few times in your head for better
memorization):

o Enable AAA and define AAA lists for the ezVPN server. Make sure you
protect yourself from potential console lockouts. Notice that in the
exam you may be required to keep local authentication for the console
line.
o Define the ISAKMP authentication settings and various global ISAKMP
parameters, such as DPD keepalives or timeouts.
o Create an address pool if you are configuring ezVPN client mode and
allow ISAKMP to draw addresses from this pool.
o Configure the ezVPN client group and split-tunnel access-lists. Define the
group key, associate the address pool if needed and bind the split-tunnel
ACL. Define other settings as required in the scenario.
o Create an ISAKMP profile that binds together the following attributes:
  o “Calling” client identity, which is normally a group name.
  o Configuration group for the clients matching this profile.
  o Authentication and authorization AAA lists for ezVPN.
  o Virtual-Template interface number, which is defined next.
  o Responding to ISAKMP 1.5 transaction-mode address requests for this
  group. Notice that the pool is still defined under the ezVPN client group.
o Create an IPsec profile (Phase 2 settings) to be used with the future
tunnels. You will need to define an IPsec transform-set prior to this. The
profile may need to define RRI settings if RRI is used for ezVPN.
o Next, create a virtual-template interface of type “tunnel” and assign
the IPsec protection profile to this VTI. Notice that you need to define an
IP address on the VTI for ezVPN to work correctly; otherwise IP processing
will not be enabled on the interface.
o Lastly, configure the routing process for redistribution of RRI information,
e.g. using a route-map matching the tags you defined for RRI.

We recommend taking this sample configuration and typing it as a whole into a
notepad a few times, then repeating this exercise the day after. You should be
able to configure the whole ezVPN server without ever referencing a manual, as it
is an important security technology.


Task 3.3 Verification

Note

Configure SW2 port Fa 0/20 so that the Test PC appears in VLAN 2. Configure
the Test PC IP address respectively. Here is a sample configuration.

SW2:
interface FastEthernet0/20
switchport access vlan 2
switchport mode access
spanning-tree portfast

Test PC:


Note

Next, configure the Cisco EzVPN Client application for connection with R2. Set
the parameters per the task specification.


When connected, check ezVPN client statistics page. Notice the split-tunnel
network downloaded from the server, the cipher and the hash.


Now send some traffic from R3 to the VPN client’s IP address. Check that R3
learns the new route via OSPF. Check IPsec counters and ISAKMP parameters
using the show crypto commands.

Rack4R3#show ip route 192.168.0.1

Routing entry for 192.168.0.1/32
Known via "ospf 1", distance 110, metric 20
Tag 100, type extern 2, forward metric 781
Last update from 183.4.123.2 on Serial1/0.123, 00:02:47 ago
Routing Descriptor Blocks:
* 183.4.123.2, from 150.4.2.2, 00:02:47 ago, via Serial1/0.123
Route metric is 20, traffic share count is 1
Route tag 100

Rack4R3#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/64/72 ms
Rack4R3#

Rack4R2#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 10.0.0.2 10.0.0.200 ACTIVE 3des sha psk 2 23:56:31 CD
Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA


Rack4R2#show crypto ipsec sa

interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 10.0.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
current_peer 10.0.0.200 port 1461
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.0.0.2, remote crypto endpt.: 10.0.0.200
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD1F0965F(3522205279)

inbound esp sas:
spi: 0x1945AE51(423997009)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4407924/3388)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
<snip>


Task 3.4 Solution


ASA1: (The active failover unit)
crypto isakmp policy 10
auth pre-share
hash md5
encr 3des
!
crypto isakmp enable outside

!
! Configure transform-set
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!
! Access-list to select traffic to encrypt
!
access-list VLAN8_TO_VLAN5 permit ip 10.8.8.0 255.255.255.0 10.5.5.0 255.255.255.0

!
! Do not forget the NAT exemption rule
!
nat (inside) 0 access-list VLAN8_TO_VLAN5

!
! Crypto map configuration
!
crypto map VPN 10 match address VLAN8_TO_VLAN5
crypto map VPN 10 set peer 183.4.125.5
crypto map VPN 10 set transform-set 3DES_MD5

!
! Apply crypto map to the outside interface
!
crypto map VPN interface outside

!
! Tunnel-group filter (filters traffic inside the IPsec tunnel)
!
access-list VPN_FILTER extended deny icmp any any echo
access-list VPN_FILTER extended deny icmp any any echo-reply
access-list VPN_FILTER extended permit ip any any

!
! Configure group-policy that applies tunnel ACL
!
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
vpn-filter value VPN_FILTER


!
! Create LAN-to-LAN tunnel group to match the remote-peer
!
tunnel-group 183.4.125.5 type ipsec-l2l

!
! Apply group policy
!
tunnel-group 183.4.125.5 general-attributes
default-group-policy VPN_POLICY

!
! Configure pre-shared key for authentication
!
tunnel-group 183.4.125.5 ipsec-attributes
pre-shared-key CISCO

!
! Permit tunneled traffic to bypass the outside access-list.
! This is ON by default, but it never hurts to make sure it is enabled
!
sysopt connection permit-vpn


R5:
crypto isakmp policy 10
auth pre
hash md5
encr 3des
!
! ASA uses DH group2 by default, so mirror it
!
group 2

!
! Pre-shared key for the ASA
!
crypto isakmp key CISCO address 183.4.125.12

!
! Transform-set and access-list to classify traffic for IPSec
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
ip access-list ext VLAN5_TO_VLAN8
permit ip 10.5.5.0 0.0.0.255 10.8.8.0 0.0.0.255

!
! Static route to VLAN8
!
ip route 10.8.8.0 255.255.255.0 183.4.125.12

!
! Crypto map
!
crypto map VPN 10 ipsec-isakmp
match address VLAN5_TO_VLAN8
set transform 3DES_MD5
set peer 183.4.125.12
!
interface FastEthernet 0/1
crypto map VPN


Task 3.4 Breakdown


Configuring the ASA for an IPsec tunnel looks similar to configuring an IOS router
using crypto maps, but the tunnel-group concept replaces the IOS
“ISAKMP profile” and “ezVPN configuration group”. There is still a global
ISAKMP policy, but all tunnel-specific settings, such as the authentication key, are
now encapsulated under the various tunnel-group settings. You may want to read the
following INE blog post to better understand the logic that the ASA uses for
tunnel-group matching when establishing an IPsec session:

http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/

In our case, the tunnel-group name equals the peer’s IP address, as we are using
main mode with pre-shared keys. We are also required to filter the
tunnel-encapsulated traffic. There are two ways of doing this:

1. Disabling the sysopt connection permit-vpn command and creating ACL
entries on the outside interface to filter the VPN traffic. This is the legacy
and less flexible way of configuring things.
2. Creating a specific access-list and applying it under the tunnel group
policy settings with the vpn-filter attribute. This is the more flexible and
logical way of configuring the filtering features.

As usual, if using NAT in the firewall, do not forget to exclude the VPN traffic from
translation, since translation applies prior to encryption. Also, remember that
ISAKMP is off by default on the ASA firewall.

For the IOS configuration, you need to use crypto maps, as the ASA does not
properly interoperate with the “wildcard” IPsec SA proxy IDs used by the VTI-based
IPsec implementation.
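The ordering point above (NAT before the crypto map, plus the vpn-filter for traffic inside the tunnel) is easy to model. The following is an added example, not code from the workbook or Cisco: it walks a packet through a simplified ASA outbound path. The networks and the ASA outside address are the task's; the dynamic PAT rule and the contents of the vpn-filter ACL are assumptions made for illustration.

```python
"""Added example (not INE's or Cisco's code): a model of the ASA outbound
packet path the breakdown describes.  NAT runs before the crypto map, so
VPN traffic must be exempt from translation or the translated packet no
longer matches the crypto ACL.  Networks and the outside address come from
the task; the dynamic PAT rule and the vpn-filter contents are assumed."""
import ipaddress


def acl_match(acl, proto, src, dst):
    """First-match ACL evaluation.  Entries are (action, protocol, src, dst);
    protocol 'ip' matches any protocol.  Falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net in acl:
        if p != "ip" and p != proto:
            continue
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


# Crypto ACL VLAN8_TO_VLAN5 from the task (interesting traffic).
CRYPTO_ACL = [("permit", "ip", "10.8.8.0/24", "10.5.5.0/24")]
# NAT exemption ACL: assumed to mirror the crypto ACL, as the breakdown advises.
NAT_EXEMPT = [("permit", "ip", "10.8.8.0/24", "10.5.5.0/24")]
# Assumed vpn-filter: TCP in both directions; ICMP hits the implicit deny,
# which is the behaviour the verification section shows.
VPN_FILTER = [("permit", "tcp", "10.5.5.0/24", "10.8.8.0/24"),
              ("permit", "tcp", "10.8.8.0/24", "10.5.5.0/24")]
OUTSIDE_IP = "183.4.125.12"   # ASA outside address; assumed dynamic PAT address


def outbound(proto, src, dst, nat_exempt=NAT_EXEMPT):
    """Return (source address as it leaves the ASA, 'encrypted' or 'clear')."""
    # Stage 1: NAT.  Exempt traffic keeps its address; the rest is PAT'ed (assumed rule).
    post_nat_src = src if acl_match(nat_exempt, proto, src, dst) == "permit" else OUTSIDE_IP
    # Stage 2: the crypto map evaluates the *translated* packet.
    if acl_match(CRYPTO_ACL, proto, post_nat_src, dst) == "permit":
        return post_nat_src, "encrypted"
    return post_nat_src, "clear"


def vpn_filter(proto, src, dst):
    """Decision the vpn-filter makes for a packet travelling inside the tunnel."""
    return acl_match(VPN_FILTER, proto, src, dst)


if __name__ == "__main__":
    print(outbound("tcp", "10.8.8.8", "10.5.5.5"))                 # exempt -> encrypted
    print(outbound("tcp", "10.8.8.8", "10.5.5.5", nat_exempt=[]))   # PAT'ed -> leaves in clear
    print(vpn_filter("tcp", "10.8.8.8", "10.5.5.5"), vpn_filter("icmp", "10.8.8.8", "10.5.5.5"))
```

Without the exemption the packet reaches the crypto map with the outside address as its source, misses the crypto ACL and is routed out unprotected; that is the failure mode the "translation applies prior to encryption" remark warns about. The filter model applies one ACL to both directions for brevity; on a real ASA the vpn-filter ACL is written from the remote network's perspective.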


Task 3.4 Verification


Simulate traffic across the VPN tunnel and confirm that TCP connections
establish across it:

Rack4SW2#telnet 10.5.5.5 /source-interface vlan 8
Trying 10.5.5.5 ... Open

User Access Verification

Password: cisco
Rack4R5>exit

[Connection to 10.5.5.5 closed by foreign host]

Generate ICMP packets and confirm that those are being filtered:

Rack4SW2#ping 10.5.5.5 source vlan 8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.8.8.8
.....
Success rate is 0 percent (0/5)
Rack4SW2#

Now check the L2L VPN status.


Rack4ASA(config)# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 183.4.125.5
Index : 1 IP Addr : 183.4.125.5
Protocol : IPSecLAN2LAN Encryption : 3DES
Hashing : MD5
Bytes Tx : 1047 Bytes Rx : 855
Login Time : 04:49:17 UTC Fri Feb 9 2007
Duration : 0h:01m:13s
Filter Name : VPN_FILTER

Rack4ASA(config)# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

IKE Peer: 183.4.125.5
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

Rack4ASA(config)# show cry ipsec sa

interface: outside
Crypto map tag: VPN, seq num: 10, local addr: 183.4.125.12

access-list VLAN8_TO_VLAN5 permit ip 10.8.8.0 255.255.255.0 10.5.5.0 255.255.255.0
local ident (addr/mask/prot/port): (10.8.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
current_peer: 183.4.125.5

#pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 25, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 183.4.125.12, remote crypto endpt.: 183.4.125.5

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: AD088D10

inbound esp sas:
spi: 0x9166C1C0 (2439430592)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
<snip>


Task 3.5 Solution


ASA1: (The active failover unit)
!
! Enable PQ for the outside interface
!
priority-queue outside

!
! Class map to match voice traffic inside a tunnel group
!
class-map VPN_VOICE
match dscp ef
match tunnel-group 183.4.125.5

!
! Class map to match traffic inside the tunnel group.
! Notice that we match the VPN traffic flow, it’s the only
! way to match “tunnel-group”. Since we have just one L2L
! tunnel, we effectively limit it to 2Mbps
!
class-map VPN_DATA
match tunnel-group 183.4.125.5
match flow ip destination-address

!
! Add policy actions to the policy map
! The order of class maps is important! See Breakdown
!
policy-map OUTSIDE
class VPN_VOICE
priority
class VPN_DATA
police output 2000000


Task 3.5 Breakdown


The task calls for classifying VPN-encapsulated traffic. This could be
accomplished in two ways: aggregate or per-flow. The per-flow classification is
performed using TWO commands:

class-map XXX
match tunnel-group YYY
match flow ip destination-address

Firstly, you can only match flows when matching a tunnel-group in the same class
map. The reason is that this match command was introduced to allow per-flow
traffic policing for VPN connections. For example, if you have multiple ezVPN
clients and you use the above two commands, the associated policy action will
apply to every traffic flow separately. Secondly, policing is the only working
per-flow QoS command – everything else will apply to traffic in aggregate or not
work at all. Speaking of aggregate QoS, when using a construct like this:

class-map ZZZ
match XXX
match tunnel-group YYY

the class-map will match traffic for ALL flows landing on the tunnel-group YYY
and matching the additional criterion XXX. Notice that you cannot police such
traffic – the ASA only supports per-flow policing for tunnel-group traffic!

In our case, we have two classes: one aggregate, matching VoIP traffic for the
L2L VPN group, distinguished by the EF marking, and another per-flow, matching
every flow for the L2L VPN. Since there is just one flow, it is the same as
aggregate – the reason we match per-flow is that you cannot apply policing to
tunnel-groups on an aggregate basis “explicitly”.

Notice that with our configuration VoIP traffic will not be policed – only a
single QoS action is applied. The reason is that for QoS actions, the ASA matches
a flow against only a SINGLE class in a policy map, namely the first class in the
policy map whose criteria it meets. Thus, even though VoIP traffic marked with EF
theoretically matches both VPN_DATA and VPN_VOICE, the match lands on the first
class in sequence – VPN_VOICE. In fact, such order-dependent configurations are
not recommended. You may want to use some other definition for VPN_DATA, such as:

class-map VPN_DATA
match dscp 0
match tunnel-group 183.4.125.5

But this only works if all other traffic is marked with a DSCP value of 0. Our
configuration matches any traffic, but results in an order-dependent
configuration. Unfortunately, there is no “match not” command in the MPF syntax.
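The first-match behaviour and the policer action can be seen concretely in a small model. This is an added example, not code from the workbook or Cisco: it classifies a packet against the two policy-map orderings discussed above and runs a token-bucket policer with the cir/bc values that appear in the verification output (2000000 bps, 62500 bytes). The packet representation and the token-bucket details are assumptions; the ASA's internal policer implementation is not on the page.

```python
"""Added example (not INE's or Cisco's code): a toy model of ASA MPF
classification.  A flow is checked against the policy-map classes in
order and only the FIRST matching class's QoS action applies."""

EF = 46  # DSCP code point for Expedited Forwarding


def tos_byte(dscp):
    """DSCP sits in the upper six bits of the TOS byte, so EF (46) -> 184."""
    return dscp << 2


class ClassMap:
    """A class-map with optional 'match dscp' and 'match tunnel-group' criteria
    (match-all semantics: every configured criterion must hold)."""

    def __init__(self, name, dscp=None, tunnel_group=None):
        self.name, self.dscp, self.tunnel_group = name, dscp, tunnel_group

    def matches(self, pkt):
        if self.dscp is not None and pkt.get("dscp") != self.dscp:
            return False
        if self.tunnel_group is not None and pkt.get("tunnel_group") != self.tunnel_group:
            return False
        return True


def classify(policy_map, pkt):
    """Name of the first class in the policy-map the packet meets, else class-default."""
    for cmap, _action in policy_map:
        if cmap.matches(pkt):
            return cmap.name
    return "class-default"


class Policer:
    """Single-rate token bucket: cir in bits/s, bc (burst) in bytes.  Assumed model."""

    def __init__(self, cir_bps, bc_bytes):
        self.rate = cir_bps / 8.0          # bytes per second
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)      # bucket starts full
        self.last = 0.0

    def police(self, size, now):
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"              # conformed
        return "drop"                      # exceeded


VPN_VOICE = ClassMap("VPN_VOICE", dscp=EF, tunnel_group="183.4.125.5")
VPN_DATA = ClassMap("VPN_DATA", tunnel_group="183.4.125.5")   # per-flow class from the task
POLICY_OUTSIDE = [(VPN_VOICE, "priority"), (VPN_DATA, "police output 2000000")]
REVERSED = [(VPN_DATA, "police output 2000000"), (VPN_VOICE, "priority")]


def demo_order():
    """EF-marked tunnel traffic lands in whichever matching class is listed first."""
    voip = {"dscp": EF, "tos": tos_byte(EF), "tunnel_group": "183.4.125.5"}
    return classify(POLICY_OUTSIDE, voip), classify(REVERSED, voip)


def demo_police():
    """100 x 1000-byte packets arriving at once: the 62500-byte burst admits 62."""
    p = Policer(2000000, 62500)
    results = [p.police(1000, 0.0) for _ in range(100)]
    return results.count("transmit"), results.count("drop")


if __name__ == "__main__":
    print(demo_order())     # ('VPN_VOICE', 'VPN_DATA')
    print(demo_police())    # (62, 38)
```

Swapping the two classes moves the EF traffic into VPN_DATA and therefore under the policer, which is exactly the order dependence the breakdown cautions against; the `match dscp 0` alternative removes the overlap only when no other marking is in use.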


Task 3.5 Verification


Generate VPN traffic marked with the DSCP value of EF. We will use an IP SLA
operation on SW2 to accomplish this. Notice the use of the “control disable” option
to shut down the control channel and make SW2 a “dumb” packet sender.

Recall that DSCP EF has the code-point value of 46. Since DSCP occupies the upper
six bits of the TOS byte, the corresponding TOS byte value is 46*4=184. Set this as
the TOS value for the IP SLA operation.

SW2:
ip sla 1
udp-echo 10.5.5.5 32767 source-ip 10.8.8.8 source-port 32767 control disable
tos 184
timeout 1000
frequency 1
ip sla schedule 1 life forever start-time now

Rack4ASA(config)# show service-policy interface outside

Interface outside:
Service-policy: OUTSIDE
Class-map: ICMP_TRAFFIC
Input police Interface outside:
cir 56000 bps, bc 1750 bytes
conformed 948 packets, 73944 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 624 bps, exceed 0 bps
Output police Interface outside:
cir 56000 bps, bc 1750 bytes
conformed 948 packets, 73944 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 624 bps, exceed 0 bps
Class-map: VPN_VOICE
Priority:
Interface outside: aggregate drop 0, aggregate transmit 581
Class-map: VPN_DATA
Output police Interface outside:
cir 2000000 bps, bc 62500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Class-map: class-default
Default Queueing


Task 3.5 Solution


R5:
!
! The other option would be using QoS groups under ISAKMP profile
!
crypto map VPN 10
qos pre-classify

Task 3.5 Breakdown


QoS pre-classification matches the traffic against the physical interface policy
prior to encapsulating it. Even though the match is performed as if the traffic
were not encapsulated, the QoS schedulers still account for the additional
overhead added by, say, IPsec ESP encapsulation. Effectively, QoS pre-classify
makes the encapsulated traffic visible to the interface policy with the correct
traffic parameters.

Alternatively, you may create an ISAKMP profile on R5 matching the connection
with the ASA firewall and associate a QoS group with the profile. This will make
IOS associate the QoS group tag with all traffic generated and terminated on the
router for this VPN tunnel. You may then match the QoS group in a policy-map,
just like in the example below:

crypto isakmp profile TUNNEL_TO_ASA
match identity address 183.4.125.12 255.255.255.255
qos-group 100
!
class-map match-all TUNNEL_TO_ASA
match qos-group 100
!
policy-map TEST
class TUNNEL_TO_ASA
priority 256


Task 3.5 Verification


Verify that QoS pre-classification is enabled for the crypto-map:

Rack4R5#show crypto map tag VPN
Crypto Map: "VPN" idb: Loopback0 local address: 150.4.5.5

Crypto Map "VPN" 10 ipsec-isakmp
Peer = 183.4.125.12
Extended IP access list VLAN5_TO_VLAN8
access-list VLAN5_TO_VLAN8 permit ip 10.5.5.0 0.0.0.255 10.8.8.0 0.0.0.255
Current peer: 183.4.125.12
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3DES_MD5,
}
QOS pre-classification
<snip>


Task 4.1 Solution


ASA1: (the active failover unit)
!
! Configure AAA server
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 10.0.0.100 CISCO

!
! Traffic that requires authentication, notice that
! the virtual HTTP is also included
!
access-list AUTH permit tcp any any eq 135
access-list AUTH permit tcp any host 192.10.4.100 eq www
!
aaa authentication match AUTH inside TACACS+

!
! Virtual HTTP provides transparent redirection back
! to the URL entered by the end-user, and the HTTP server
! capability used for authentication
!
virtual http 192.10.4.100


AAA Server

Step 1:

Start by creating a new user on the AAA server. Launch the ACS application and
navigate to User Setup, then enter the name “USER1” and click the Add/Edit
button. After this, enter the Password value of “CISCO” and confirm it. Click the
Submit button when you’re done.


Step 2:

Add the AAA Client in the ACS. In the ACS application, click Network
Configuration then click the Add Entry button. Fill in the fields according to
the screenshot below and click Submit + Apply.


Task 4.1 Breakdown


This is a cut-through proxy authentication scenario where the proxy IP is on the
same security interface as the users. You need to configure an authentication
server first, then create an access-list matching the traffic to authenticate as
well as the traffic going to the virtual IP, and next configure a cut-through proxy
rule. The last step is enabling the virtual HTTP service on the virtual IP
specified in the scenario. After this, create a user in the ACS database – no
authorization settings are required, since we only need to allow session
authentication.

Task 4.1 Verification


Step 1:
Configure the Test PC interface in VLAN 255 using the IP address value of
192.10.X.200. Open the web browser, pointing to the IP address of
192.10.X.100. When the authentication dialog appears, enter the username of
“USER1” and the password of “CISCO”.

Step 2:

Review the authentication cache in the ASA:

Rack4ASA(config)# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'USER1' at 192.10.4.200, authenticated
absolute timeout: 0:05:00
inactivity timeout: 0:00:00


Task 4.2 Solution


R4:
!
! Initialize AAA
!
aaa new-model

!
! Safeguard the console
!
aaa authentication login CONSOLE none

!
! The default list will be applied to HTTP authentication
!
aaa authentication login default group tacacs+

!
! Auth-proxy is authorized via TACACS+
!
aaa authorization auth-proxy default group tacacs+

!
! Apply AAA list to the console
!
line console 0
login authentication CONSOLE

!
! TACACS+ server settings, use Loopback0 as source of requests
!
tacacs-server host 10.0.0.100 key CISCO
ip tacacs source-interface Loopback0

!
! Enable HTTP server and configure authentication via AAA
! HTTP server is used for auth-proxy authentication session
!
ip http server
ip http authentication aaa
ip http secure-server
ip http secure-port 4343


!
! Needed for Auth-Proxy Interception
!
ip port-map https port tcp 4343

!
! Auth-proxy rule intercepts HTTP traffic
!
ip auth-proxy name AUTH_PROXY http

!
! Access-list denies TCP 135 traffic by default
! Everything else is permitted
!
ip access-list extended VLAN46_IN
deny tcp any any eq 135
permit ip any any

!
! Apply the auth-proxy rule and access-list
!
interface FastEthernet0/0
ip auth-proxy AUTH_PROXY
ip access-group VLAN46_IN in

AAA Server

Step 1:

Launch the ACS Server administration and click the Network Configuration
button and then click the Add Entry button. Fill in the fields per the screenshot
below and click the Submit + Apply button.


Step 2:

Configure the ACS Interface to support Auth Proxy service. Click the Interface
Configuration button then click the TACACS+ (Cisco IOS) link. Under the
New Services section, check the checkboxes corresponding to both user and
group profiles (so that it appears on both the user and group configuration pages)
and add the service name as “auth-proxy”.


Step 3:

Now add a new user and configure auth-proxy settings for it. Click the User
Setup button, then enter the new user name as “TCP135” and click the
Add/Edit button. On the next page, set the Password to “CISCO” and scroll
down to the TACACS+ Settings auth-proxy section of the page. Fill the
section according to the screenshot below. Notice that it activates the new “auth-
proxy” service for this user and additionally specifies the proxy ACL to be
downloaded via TACACS+.


Task 4.2 Breakdown


Authentication Proxy in IOS is part of the firewall feature set implemented using
CBAC. In many respects it is similar to the ASA cut-through proxy, but it applies
only when a session on a certain port is triggered across the firewall. Unlike the
ASA feature, AuthProxy expects the AAA server to return some authorization
settings, in the form of an access-list to be installed for the particular session.

The CBAC component performs session interception, but authentication is performed
using the HTTP server component. Therefore, the HTTP server should be enabled
and listening on the port configured for AuthProxy. In our scenario, we are
required to protect the authentication session using HTTPS and enable AuthProxy
interception on the custom port 4343. This requires adding this port to the CBAC
port mapping using the command ip port-map, then activating the local HTTP
secure server on port 443. Of course, since authentication is remote, HTTP
should be configured for AAA authentication. We are using the default list for
“login” authentication, which references the TACACS+ server. Notice that this
requires special care with the console line, just to make sure we are not locked
out.


Task 4.2 Verification


Step 1:

Configure the port connected to the Test PC in VLAN 46 and configure the IP
address of 183.4.46.200 for the Test PC. Set R4 as the default gateway for the
Test PC.

Step 2:

Initiate HTTPS session on port 4343 to a server behind R4, for example to R5, by
opening the URL https://150.X.5.5:4343 You should see the browser prompt,
asking you for credentials. Enter the name “TCP135” along with the password of
“CISCO”. You should see the popup “Authentication Successful!” window.

Step 3:

Now check the authentication proxy cache in R4.

Rack4R4#show ip auth-proxy cache
Authentication Proxy Cache
Client Name TCP135, Client IP 183.4.46.200, Port 1564, timeout 60,
Time Remaining 60, state ESTAB

Rack4R4#show ip access-lists
Extended IP access list VLAN46_IN
permit tcp host 183.4.46.200 any eq 135
10 deny tcp any any eq 135
20 permit ip any any (218 matches)
Extended IP access list VLAN4_TO_VLAN41


Task 4.3 Solution


R5:
!
! Initialize AAA and safeguard the console
!
aaa new-model
aaa authentication login CONSOLE none
!
line console 0
login authentication CONSOLE

!
! Configure a list for local authentication
!
aaa authentication login LOCAL_AUTH local-case

!
! Authorize exec separately; this is possible with TACACS+
!
aaa authorization exec default group tacacs+

!
! Configure accounting for Level5 commands via TACACS+
!
aaa accounting commands 5 default start-stop group tacacs+

!
! Assign ‘clear’ command to privilege level 5
!
privilege exec level 5 clear line
privilege exec level 5 clear counters

!
! Add a user to local database, notice that password is stored
! as an md5 hash, not in the default reversible format
!
username NOC secret CISCO

!
! TACACS+ settings
!
tacacs-server host 10.0.0.100 key CISCO
ip tacacs source-interface loopback 0

!
! Apply AAA list to VTY lines
!
line vty 0 4
login authentication LOCAL_AUTH


AAA Server

Step 1:

Add R5 as AAA client to the ACS server. Click the Network Configuration
button, and then click the Add Entry button. Fill in the fields according to the
screenshot below. Click the Submit+Apply button when you’re done.


Step 2:

Make sure that Shell(exec) service is enabled within the ACS Interface. Click
the Interface Configuration button, then click the TACACS+ (Cisco
IOS) link, then make sure the Shell(exec) service is selected for both User
and Group profile configuration. When done, click the Submit button.


Step 3:

Add a new user for remote authorization in the ACS next. In the ACS Admin
utility, click the User Setup button then add new user named “NOC”. On the
next page that appears, specify the Password value of “CISCO” for this user.
Scroll down to the TACACS+ Settings and check the Shell(exec) checkbox.
Then, check the “Privilege level” field and assign the value of “5” to this field.


Task 4.3 Breakdown


In short, the task requires the following:

o Locally authenticate the remote user logging into the device. This means we
need a local username.
o Assign the user to privilege level 5 upon login: this could be done locally,
but we are not allowed to do this. Thus, we need a remote server to
authorize the exec process.
o The above “separation” of authentication and authorization is only possible
with TACACS+, so we know which AAA protocol to use.
o Finally, we need to let the new user use some privileged commands. This
could be achieved by changing the commands’ local privilege level to 5.
o Accounting is also required, but this is trivial, as we could use the same
TACACS+ session for this purpose.

Use of a Loopback interface for sourcing the TACACS+ session is a common best
practice, as it allows uniquely identifying the device irrespective of the
outgoing interface used to reach the AAA server.


Task 4.3 Verification


Rack4R5#telnet 150.4.5.5
Trying 150.4.5.5 ... Open

User Access Verification

Username: NOC
Password: CISCO

Rack4R5#show privilege
Current privilege level is 5

Rack4R5#clear ?
aaa Clear AAA values
backhaul-session-manager Backhaul Session Manager information
bsc Clear counters in <show bsc> command
bstun Clear counters displayed in show bstun
call Call
counters Clear counters on one or all interfaces
drip Clear drip
h323 Clear H.323 items
line Reset a terminal line
memory Memory counters
ncia Native Client Interface Architecture (NCIA)
rpms-proc Clear RPMS Process Information
scp Clear SCP commands
statistics Statistics
stun Clear counters displayed in show stun

Rack4R5#conf t
^
% Invalid input detected at '^' marker.

Rack4R5#clear counters
Clear "show interface" counters on all interfaces [confirm]


Verify TACACS+ Accounting. Click the Reports & Activity button in the
ACS Admin, then select TACACS+ Administration and click the TACACS+
Administration Active.csv file.


Task 4.4 Solution


SW1:
aaa new-model

!
! Safeguard the console line
! Disable authentication *and*
! exec authorization
!
aaa authentication login CONSOLE none
aaa authorization exec CONSOLE none

!
line console 0
login authentication CONSOLE
authorization exec CONSOLE

!
! Configure dot1x (EAP) authentication via RADIUS
!
aaa authentication dot1x default group radius
!
dot1x system-auth-control

!
! Create VLANs 200 and 201 (guest & auth-fail vlans)
!
vlan 200,201

!
! Guest VLAN is used for clientless hosts
! Auth-Fail VLAN is used for clients,
! that failed authentication
!
interface FastEthernet0/17
switchport mode access
dot1x port-control auto
dot1x guest-vlan 201
dot1x auth-fail vlan 200

!
! Configure RADIUS server
!
ip radius source-interface Loopback0
!
radius-server host 10.0.0.100 key CISCO


Step 1:

Add the switch as a new RADIUS client in the ACS. Run the ACS Admin utility
and click the Network Configuration button then click the Add Entry button.
Fill in the form per the screenshot below and click the Submit + Apply button.


Step 2:

Add a new user in the ACS. Click the User Setup button, then enter the name
“HOST” and click the Add/Edit button. Set the password of “CISCO” on the next
page and click the Submit button.


Task 4.4 Breakdown


Authentication and Authorization for Ethernet ports is based on the 802.1X
standard, which uses EAP to carry the authentication/authorization exchange
across the switch to the AAA server. The scenario presented references a
number of 802.1x-specific terms, such as:

o Guest VLAN – the VLAN to assign the port to if an 802.1x supplicant is not
detected
o AuthFAIL VLAN – the VLAN to assign to the port if an 802.1x supplicant has
attempted but failed authentication

Normally, a VLAN should be authorized using the RADIUS server, but if no
authorization attributes have been received, the switch will use the static VLAN
configured on the port. VLAN authorization is configured mainly in the RADIUS
server and is discussed in the next scenario.

Notice that we disabled both authentication and exec authorization for the
console line. In the older Catalyst IOS versions, exec authorization was ON by
default for the console line, so by turning off authentication you automatically
disabled console access. This issue has been fixed in recent releases, but you
should still be careful and disable exec authorization explicitly.


Task 4.4 Verification


Notice that prior to recent IOS versions there was no built-in 802.1x supplicant
in IOS, so verifying 802.1x was problematic.

Start validating your configuration using the following show commands.

Rack4SW1#show dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Critical Recovery Delay 100
Critical EAPOL Disabled

Dot1x Info for FastEthernet0/17
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Auth-Fail-Vlan = 200
Auth-Fail-Max-attempts = 3
Guest-Vlan = 201

Rack4SW1#test aaa group radius HOST CISCO legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.


Next, configure R3 as an 802.1x supplicant and use its connection to SW1 for the
simulation-based verification.

R3:
dot1x credentials TEST
username HOST
password 0 CISCO
!
interface FastEthernet0/0
no ip address
dot1x port-control auto
dot1x pae supplicant
dot1x credentials TEST

SW1:
interface FastEthernet0/3
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x guest-vlan 201
dot1x auth-fail vlan 200
spanning-tree portfast


Wait some time for R3 to authenticate to the switch, and check the show
commands again:

Rack4R3#dot1x supplicant start TEST interface fastEthernet 0/0

Rack4SW1#show dot1x interface fastEthernet 0/3
Dot1x Info for FastEthernet0/3
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Auth-Fail-Vlan = 200
Auth-Fail-Max-attempts = 3
Guest-Vlan = 201

Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 000f.8f14.ad20
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A


Task 4.5 Solution


SW1:
aaa authorization network default group radius

AAA Server:

Step 1:
Create a new group in the ACS server. Click the Group Setup button and select
any unused group. Rename it to “DOT1X” and then click the Edit Settings
button. At the top of the screen, select Jump to: RADIUS (IETF). Scroll down
and set values for the following attributes:

Tunnel-Type=”VLAN”,
Tunnel-Medium-Type=”802”,
Tunnel-Private-Group-ID=”255” (VLAN number).

When you’re done, click the Submit+Restart button.


Step 2:

Assign this profile to the user “HOST”. Click the User Setup button, find the
user named “HOST” and assign it to the group “DOT1X”.

Task 4.5 Breakdown


Configuring VLAN authorization for 802.1X involves setting a series of attributes
in the ACS server. It is more convenient to configure a group, instead of the
user, since most RADIUS attributes are by default only visible under group
configuration. Of course, you may configure the same settings in the user
profile, but you may have to enable them first in the ACS Interface
configuration.


Task 4.5 Verification


To verify, once again use R3 as the 802.1x supplicant, and shutdown/no-shutdown
the interface connected to R3. Use the command debug radius on SW1 to
observe the attributes passed down from the RADIUS server.

Rack4SW1#debug radius

AAA/AUTHEN/8021X (0000000A): Pick method list 'default'
RADIUS/ENCODE(0000000A):Orig. component type = DOT1X
RADIUS: AAA Unsupported Attr: audit-session-id [599] 24
RADIUS: 42 37 30 39 32 35 30 37 30 30 30 30 30 30 30 35 [B709250700000005]
RADIUS: 32 46 46 31 37 33 [ 2FF173]
RADIUS: AAA Unsupported Attr: interface [170] 15
RADIUS: 46 61 73 74 45 74 68 65 72 6E 65 74 30 [ FastEthernet0]
RADIUS(0000000A): Config NAS IP: 150.4.7.7
RADIUS/ENCODE(0000000A): acct_session_id: 6
RADIUS(0000000A): sending
RADIUS(0000000A): Send Access-Request to 10.0.0.100:1645 id 1645/11, len 179
RADIUS: authenticator C0 9C 43 B1 08 C1 07 C0 - E4 4A ED 39 8C 9A E9 07
RADIUS: User-Name [1] 6 "HOST"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Framed-MTU [12] 6 1500
RADIUS: Called-Station-Id [30] 19 "00-12-01-83-59-03"
RADIUS: Calling-Station-Id [31] 19 "00-0F-8F-14-AD-20"
RADIUS: EAP-Message [79] 24
RADIUS: 02 05 00 16 04 10 29 90 30 07 73 68 BF 45 EC 32 27 EF 1C C9 1A C5 [ )0shE2']
RADIUS: Message-Authenticato[80] 18
RADIUS: C2 CB 28 04 C3 ED CB 16 32 E1 61 9A BB CD 2F 93 [ (2a/]
RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
RADIUS: NAS-Port [5] 6 50003
RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/3"
RADIUS: State [24] 26
RADIUS: 45 41 50 3D 30 2E 32 30 34 2E 38 63 32 2E 32 3B [EAP=0.204.8c2.2;]
RADIUS: 53 56 43 3D 30 2E 34 3B [ SVC=0.4;]
RADIUS: NAS-IP-Address [4] 6 150.4.7.7
RADIUS: Received from id 1645/11 10.0.0.100:1645, Access-Accept, len 97
RADIUS: authenticator 8C 3B 14 E0 A0 9B 78 9F - DF A1 2B 8F 61 7A 3A CC
RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
RADIUS: Tunnel-Private-Group[81] 6 01:"255"
RADIUS: Framed-IP-Address [8] 6 255.255.255.255
RADIUS: EAP-Message [79] 6
RADIUS: 03 05 00 04
RADIUS: Class [25] 29


RADIUS: 43 41 43 53 3A 30 2F 31 37 37 34 61 2F 39 36 30 [CACS:0/1774a/960]
RADIUS: 39 30 37 30 37 2F 35 30 30 30 33 [ 90707/50003]
RADIUS: Message-Authenticato[80] 18
RADIUS: 3C 8F E5 66 5F D8 66 BC BC D3 D6 67 E2 3E 96 D7 [ <f_fg>]
RADIUS(0000000A): Received from id 1645/11
RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
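As an added example (not part of the workbook), the following Python builds the three RFC 2868 tunnel attributes carried in the Access-Accept above (Tunnel-Type VLAN, Tunnel-Medium-Type ALL_802, Tunnel-Private-Group-ID "255", all with tag 01) and shows the check a switch has to make before honouring them: all three must be present, they must share a tag, and the group ID must be a valid VLAN number. The attribute list is constructed from the debug output; no RADIUS packet header or shared secret is involved.

```python
# RADIUS attribute types and enumerations (RFC 2868) seen in the Access-Accept above
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
FRAMED_IP_ADDRESS = 8
TUNNEL_TYPE_VLAN = 13       # "VLAN [13]"
TUNNEL_MEDIUM_ALL_802 = 6   # "ALL_802 [6]"


def tagged_int(attr_type, tag, value):
    """Tagged-integer attribute: type, length 6, 1-byte tag, 3-byte value."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, text):
    """Tagged-string attribute: type, length, 1-byte tag, string."""
    data = bytes([tag]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(data)]) + data


def parse_attributes(blob):
    """Walk a RADIUS attribute list, returning (type, value) pairs; rejects bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad length %d for attribute %d at offset %d" % (alen, atype, i))
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def split_tag(value):
    """Return (tag, data). A first byte above 0x1F is data, not a tag (RFC 2868 section 3)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def dynamic_vlan(blob):
    """Return the VLAN ID carried by a complete, tag-consistent Tunnel-* triple, else None."""
    groups = {}
    for atype, value in parse_attributes(blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = split_tag(value)
            groups.setdefault(tag, {})[atype] = data
    for group in groups.values():
        if set(group) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
            continue  # incomplete triple: the switch must not assign a VLAN from it
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_ALL_802:
            continue
        try:
            vlan = int(group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except ValueError:
            continue  # a VLAN name rather than a number; not handled here
        if 1 <= vlan <= 4094:
            return vlan
    return None


# Constructed attribute list reproducing the Access-Accept in the debug above (tag 01, VLAN "255")
ACCESS_ACCEPT_ATTRS = (
    tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
    + tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_ALL_802)
    + tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "255")
    + bytes([FRAMED_IP_ADDRESS, 6, 255, 255, 255, 255])
)

# Constructed negative case: the same reply with Tunnel-Medium-Type missing
INCOMPLETE_ATTRS = (
    tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
    + tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "255")
)

if __name__ == "__main__":
    print("assigned VLAN:", dynamic_vlan(ACCESS_ACCEPT_ATTRS))   # 255
    print("incomplete triple:", dynamic_vlan(INCOMPLETE_ATTRS))  # None
```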

Finally, verify that port connected to R3 is assigned to VLAN255:

Rack4SW1#show interfaces status
Port Name Status Vlan Duplex Speed Type
Fa0/1 connected 110 a-full a-100 10/100BaseTX
Fa0/2 connected 2 a-full a-100 10/100BaseTX
Fa0/3 connected 255 a-full a-100 10/100BaseTX
Fa0/4 connected 46 a-full a-100 10/100BaseTX
Fa0/5 connected 5 a-full a-100 10/100BaseTX
Fa0/6 connected 46 a-full a-100 10/100BaseTX
Fa0/7 notconnect 1 auto auto 10/100BaseTX
Fa0/8 notconnect 1 auto auto 10/100BaseTX

Task 5.1 Solution


R3:
router ospf 1
area 0 authentication message-digest
!
interface Serial1/1.345
ip ospf message-digest-key 35 md5 CISCO35

R4:
interface FastEthernet0/0
ip ospf message-digest-key 1 md5 CISCO
!
interface Serial0/0.345
ip ospf message-digest-key 45 md5 CISCO45
!
interface Serial0/1
ip ospf message-digest-key 45 md5 CISCO45
!
router ospf 1
area 0 authentication message-digest

R5:
router ospf 1
area 0 authentication message-digest
!
interface Serial0/0.345
ip ospf message-digest-key 35 md5 CISCO35
ip ospf message-digest-key 45 md5 CISCO45
!
interface Serial0/1
ip ospf message-digest-key 45 md5 CISCO45

R6:
interface FastEthernet0/0
ip ospf message-digest-key 1 md5 CISCO
!
router ospf 1
area 0 authentication message-digest

Task 5.1 Verification


Check that authentication is properly configured on all interfaces.

Rack4R3#show ip ospf interface serial 1/1.345
Serial1/1.345 is up, line protocol is up
Internet Address 183.4.0.3/24, Area 0
Process ID 1, Router ID 150.4.3.3, Network Type POINT_TO_MULTIPOINT, Cost: 781
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:03
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 6
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.5.5
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 35

Rack4R5#show ip ospf interface serial 0/0.345
Serial0/0.345 is up, line protocol is up
Internet Address 183.4.0.5/24, Area 0
Process ID 1, Router ID 150.4.5.5, Network Type POINT_TO_MULTIPOINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:03
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 10
Last flood scan time is 4 msec, maximum is 4 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 150.4.4.4
Adjacent with neighbor 150.4.3.3
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 45
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 35

Rack4R4#show ip ospf interface serial 0/0.345
Serial0/0.345 is up, line protocol is up
Internet Address 183.4.0.4/24, Area 0
Process ID 1, Router ID 150.4.4.4, Network Type POINT_TO_MULTIPOINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:13
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 9
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.5.5
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 45

Rack4R4#show ip ospf interface serial 0/1
Serial0/1 is up, line protocol is up
Internet Address 183.4.45.4/24, Area 0
Process ID 1, Router ID 150.4.4.4, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:06
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.5.5
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 45

Rack4R4#show ip ospf interface FastEthernet 0/0
Ethernet0/0 is up, line protocol is up
Internet Address 183.4.46.4/24, Area 0
Process ID 1, Router ID 150.4.4.4, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.4.6.6, Interface address 183.4.46.6
Backup Designated router (ID) 150.4.4.4, Interface address 183.4.46.4
Flush timer for old DR LSA due in 00:00:51
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Index 4/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 9
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.6.6 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
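The "Rollover in progress" line in R5's output above is what the following added example (not from the workbook) reproduces in Python: it builds OSPFv2 Hello packets with the RFC 2328 Appendix D cryptographic-authentication trailer (MD5 over the packet plus the zero-padded key, selected by Key ID) and verifies them against the key rings configured in Task 5.1, so R5 with keys 35 and 45 accepts both R3 and R4, while R4, holding only key 45, rejects a Key ID 35 packet. Router IDs are the ones shown in the verification output; the Hello body is a constructed placeholder.

```python
import hashlib
import hmac

AU_TYPE_CRYPTO = 2   # AuType 2: cryptographic authentication ("message-digest" on IOS)
DIGEST_LEN = 16      # MD5 digest appended after the OSPF packet


def _pad_key(key):
    """Keys are at most 16 bytes; shorter keys are zero-padded before use (RFC 2328 D.3)."""
    raw = key.encode("ascii")
    if len(raw) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key longer than 16 bytes")
    return raw.ljust(DIGEST_LEN, b"\x00")


def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_hello(router_id, key_id, seq, key, body=b"\x00" * 20):
    """Build an OSPFv2 Hello (area 0) with a cryptographic authentication trailer.

    Authentication field: 2 reserved bytes, Key ID, auth data length (16), 32-bit sequence
    number. Digest = MD5(packet || padded key), appended after the packet. The header checksum
    is unused (zero) with AuType 2. The body is a constructed placeholder, not a real payload.
    """
    length = 24 + len(body)
    header = (bytes([2, 1]) + length.to_bytes(2, "big") + _ip(router_id) + _ip("0.0.0.0")
              + b"\x00\x00" + AU_TYPE_CRYPTO.to_bytes(2, "big"))
    auth = b"\x00\x00" + bytes([key_id, DIGEST_LEN]) + seq.to_bytes(4, "big")
    packet = header + auth + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def verify(packet, key_ring, last_seq=None):
    """Verify as a receiver holding key_ring ({key id: key}); returns (ok, reason)."""
    if len(packet) < 24 + DIGEST_LEN:
        return False, "too short"
    if int.from_bytes(packet[14:16], "big") != AU_TYPE_CRYPTO:
        return False, "AuType is not cryptographic"
    length = int.from_bytes(packet[2:4], "big")
    key_id, auth_len = packet[18], packet[19]
    seq = int.from_bytes(packet[20:24], "big")
    if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(packet):
        return False, "length mismatch"
    key = key_ring.get(key_id)
    if key is None:
        return False, "no key with id %d" % key_id   # what a missing rollover key looks like
    if last_seq is not None and seq < last_seq:
        return False, "sequence number went backwards (replay)"
    expected = hashlib.md5(packet[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False, "digest mismatch"
    return True, "authenticated with key id %d" % key_id


# Key rings from the Task 5.1 configuration on the 183.4.0.0/24 multipoint link
R4_KEYS = {45: "CISCO45"}
R5_KEYS = {35: "CISCO35", 45: "CISCO45"}   # both keys: rollover in progress


def rollover_demo():
    """Which Hellos each receiver accepts; returns {(sender, receiver): ok}."""
    r3_hello = build_hello("150.4.3.3", 35, 1, "CISCO35")
    r4_hello = build_hello("150.4.4.4", 45, 1, "CISCO45")
    wrong_key = build_hello("150.4.3.3", 35, 1, "GUESS")   # constructed: right key id, wrong key
    return {
        ("R3", "R5"): verify(r3_hello, R5_KEYS)[0],
        ("R4", "R5"): verify(r4_hello, R5_KEYS)[0],
        ("R3", "R4"): verify(r3_hello, R4_KEYS)[0],       # R4 has no key 35
        ("wrong key", "R5"): verify(wrong_key, R5_KEYS)[0],
    }


if __name__ == "__main__":
    for pair, ok in rollover_demo().items():
        print("%s -> %s: %s" % (pair[0], pair[1], "accepted" if ok else "rejected"))
```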

Task 5.2 Solution


ASA1:
snmp-server host outside 10.0.0.100 trap community CISCO
snmp-server community CISCO
snmp-server enable traps ipsec start stop

!
! Logging via SMTP
!
logging recipient-address [email protected]
logging from-address [email protected]
logging mail critical
logging on
!
smtp-server 183.4.119.100

Task 5.2 Verification


You cannot do much to verify the SNMP server configuration beyond issuing the
show run command. As for logging, you can check the configured levels and
destinations using the show logging command.

Rack4ASA(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: level critical, 0 messages logged
ASDM logging: disabled

Task 5.3 Solution


SW1 & SW2:
vtp domain CCIE_SECURITY
vtp password CISCO

Task 5.3 Verification


Check the VTP status on both switches, and notice the domain name and password
values.

Rack4SW1#show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
VTP Operating Mode : Server
VTP Domain Name : CCIE_SECURITY
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
<snip>

Rack4SW2#show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
VTP Operating Mode : Server
VTP Domain Name : CCIE_SECURITY
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
<snip>

Rack4SW1#show vtp password
VTP Password: CISCO

Rack4SW2#show vtp password
VTP Password: CISCO

Task 6.1 Solution
IPS:

IPS# setup

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

<snip>

Continue with configuration dialog?[yes]: yes

Enter host name[IPS]: Rack4IPS
Enter IP interface[10.0.0.10/24,10.0.0.254]: 204.12.4.10/24,204.12.4.1
Enter telnet-server status[enabled]: disable
Enter web-server port[443]:
Modify current access list?[no]:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 204.12.4.10/24,204.12.4.1
host-name Rack9IPS
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]: 2
Configuration Saved.

IPS# reset

Task 6.1 Verification


Verify connectivity between the sensor and the default gateway. Notice that R1
has zone-based firewall configured, and therefore you cannot ping beyond R1
yet.

Rack9IPS# ping 204.12.4.1
PING 204.12.4.1 (204.12.4.1): 56 data bytes
64 bytes from 204.12.4.1: icmp_seq=0 ttl=255 time=4.0 ms
64 bytes from 204.12.4.1: icmp_seq=1 ttl=255 time=1.5 ms
64 bytes from 204.12.4.1: icmp_seq=2 ttl=255 time=1.6 ms
64 bytes from 204.12.4.1: icmp_seq=3 ttl=255 time=1.6 ms

--- 204.12.4.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.5/2.1/4.0 ms

Rack9IPS# show statistics host
General Statistics
Last Change To Host Config (UTC) = 11-Apr-2009 04:49:52
Command Control Port Device = GigabitEthernet0/1
Network Statistics
= ge0_1 Link encap:Ethernet HWaddr 00:0F:1F:65:86:C2
= inet addr:204.12.4.10 Bcast:204.12.4.255 Mask:255.255.255.0
= UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
= RX packets:18 errors:0 dropped:0 overruns:0 frame:0
= TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
= collisions:0 txqueuelen:1000
= RX bytes:1304 (1.2 KiB) TX bytes:920 (920.0 B)
= Base address:0xdcc0 Memory:feb20000-feb40000
NTP Statistics
status = Not applicable
Memory Usage
usedBytes = 773951488
freeBytes = 149442560
totalBytes = 923394048
CPU Statistics
Usage over last 5 seconds = 0
Usage over last minute = 0
Usage over last 5 minutes = 19
Memory Statistics
Memory usage (bytes) = 773951488
Memory free (bytes) = 149442560

Auto Update Statistics
lastDirectoryReadAttempt = N/A
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = N/A
Auxilliary Processors Installed

Task 6.2 Solution


SW2:
monitor session 1 source vlan 125 rx
monitor session 1 destination interface Fa0/10 encapsulation dot1q

IPS:

Configure the IPS to be manageable both from the AAA server and from the host on the
same VLAN as the IPS (this is going to be the Test PC). This allows bypassing the
slow WAN links when configuring the sensor through the GUI.

Rack4IPS# conf t
Rack4IPS(config)# service host
Rack4IPS(config-hos)# network-settings
Rack4IPS(config-hos-net)# access-list 204.12.4.200/32
Rack4IPS(config-hos-net)# access-list 10.0.0.100/32
Rack4IPS(config-hos-net)# exit
Rack4IPS(config-hos)# exit
Apply Changes:?[yes]: yes

Configure the web-server settings.

Rack4IPS(config)# service web-server
Rack4IPS(config-web)# show settings
enable-tls: true <defaulted>
port: 443 <defaulted>
server-id: HTTP/1.1 compliant <defaulted>
Rack4IPS(config-web)# port 10443
Rack4IPS(config-web)# server-id IPS Web Server
Rack4IPS(config-web)# exit
Apply Changes:?[yes]: yes

Create a VLAN-group subinterface to intercept just VLAN125's traffic.

Rack4IPS# conf t
Rack4IPS(config)# service interface
Rack4IPS(config-int)# physical-interfaces GigabitEthernet0/0
Rack4IPS(config-int-phy)# admin-state enabled
Rack9IPS(config-int-phy)# subinterface-type vlan-group
Rack9IPS(config-int-phy-vla)# subinterface 1
Rack9IPS(config-int-phy-vla-sub)# vlans range 125
Rack9IPS(config-int-phy-vla-sub)# exit
Rack9IPS(config-int-phy-vla)# exit
Rack9IPS(config-int-phy)# exit
Rack9IPS(config-int)# exit
Apply Changes?[yes]: yes

Assign the sub-interface to the dedicated virtual sensor vs1.

Rack4IPS(config)# service analysis-engine
Rack4IPS(config-ana)# virtual-sensor vs1
Rack9IPS(config-ana-vir)# physical-interface gigabitEthernet0/0 subinterface-number 1
Rack9IPS(config-ana-vir)# exit
Rack9IPS(config-ana)# exit
Apply Changes?[yes]: yes

Now add the sensor into the IPS Manager Express for monitoring. Start the
application on the AAA server, select Devices and click the “Plus” button. Notice
that the HTTPS port is 10443, not the default 443.

Task 6.2 Verification


The best way to verify that the sensor inspects the traffic is to check for signatures
being triggered. As you remember, the ASA is constantly pinging R5 due to the SLA
configuration. Thus, we may configure a signature that responds to ICMP echo
requests.

Configure the Test PC in the same VLAN as the IPS (110) and assign it the IP
address of 204.12.X.200. This address is allowed to manage the IPS sensor.
Connect to the sensor via HTTPS and launch IDM. From the main IDM menu,
select Configuration and then Signature Definitions/sig0. On the
right pane, change the Select By mode to “Sig Name” and locate all signatures
with the word “ICMP”. Point on the signature with the ID 2004 and click the
Enable button, then click the Apply button.

Now launch the IPS Manager Express on the AAA server. Select Event
Monitoring from the toolbar, change the Time setting to "Real Time" and
click the Apply button. You should see the ICMP Echo Request signature firing
periodically, similar to the screenshot below.

Task 6.3 Solution

Note

Launch the IDM to complete this task. You may use the Test PC configured in
VLAN110 with the IP address 204.12.X.10 to accomplish this, as this is the
fastest way to access the sensor.

Select Monitoring > Active Host Blocks and then click the Add button.
Fill in the fields similar to the screenshot below, but using your rack number.
Notice that the No Timeout radio button is selected. When you’re done, click
the Apply button.

Note

In the IDM, select Configuration, then Blocking and next Device Login
Profiles. After this, click the Add button. Fill in the fields similar to the
screenshot below. Notice that we’re using the default username/password to
access the ASA remotely, which is “pix/cisco”. Click OK and then click Apply
Changes.

Note

Now select Blocking > Blocking Devices and click the Add button. Fill in
the form similar to the screenshot below and click the OK/Apply buttons in
sequence. Notice that SSH is selected as the communication protocol.

Now there are still a few things left to do. First, we need to configure the ASA for
remote SSH access. Next, we should configure the R1 zone-based firewall to permit
SSH sessions across R1 and to the ASA. Since there are no explicit restrictions,
we permit SSH access to the ASA from any address and permit any SSH
connections from the IPS across R1.

R1:
!
! Permit transit SSH in ZFW configuration
!
ip access-list extended SSH_FROM_IPS_ACL
permit tcp host 204.12.4.10 any eq 22
!
class-map type inspect SSH_FROM_IPS_CMAP
match access-group name SSH_FROM_IPS_ACL
match protocol tcp
!
policy-map type inspect OUTSIDE_TO_INSIDE_PMAP
class SSH_FROM_IPS_CMAP
inspect

ASA1: (the active firewall unit)
domain-name ine.com
!
! Crypto keys must be generated for SSH to work
!
crypto key generate rsa
!
ssh 0.0.0.0 0.0.0.0 outside

Lastly, we should retrieve the RSA host key of the ASA and add it to the known-host
keys database in the IPS. To do this, launch the IDM, navigate to
Configuration > SSH > Known Host Keys and press the Add button.
Enter the IP address of the ASA unit and press the Retrieve Host Key
button. After this, press the OK button and then the Apply button.

Task 6.3 Verification


Check that the “shun” actually appears in the ASA. You may also inspect the
event logs in the IPS looking for status events. Notice that the IPS keeps a
session open with the ASA permanently.

Rack4ASA(config)# show shun
shun (outside) 183.4.46.120 0.0.0.0 0 0 0

Rack4ASA(config)# show ssh sessions
SID Client IP Version Mode Encryption Hmac State Username
2 204.12.4.10 1.5 - 3DES - SessionStarted pix

Task 6.4 Solution


IPS:

Create a new custom signature in the IDM. Go to the Configuration
section, select Signature Definitions > sig0 and then the
Custom Signature Wizard tab. Press the Start the Wizard button.

Set Regex String to "[Pp]assword" and Service Ports to "23". The
direction should remain as "To Service".

Task 6.5 Solution


R6:
ip ips config location flash:/ips/
ip ips name IPS
ip ips notify log
!
logging host 10.0.0.100
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
interface Virtual-Template 1
ip ips IPS in

Next, we need to do the following:

1) Store the signing key from Cisco in the router's NVRAM. The key is located in R6's
flash memory. Simply run the command

Rack4R6#more flash:/realm-cisco.pub.key.txt
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
exit
exit

And copy-paste its contents to the router’s configuration prompt.

2) Load the signature definition file. The IPS signatures are stored in the flash
memory of the router as well. Issue the command similar to the one below:

Rack4R6#copy flash:/IOS-S347-CLI.pkg idconf

And wait until it loads all the engines. Notice that if you don't have many of the
signatures "Retired" in your configuration, this process might exhaust the router's
memory.

Now we need to enable the ICMP echo and echo reply signatures. The IDs for
these signatures remain the same during all versions of the IPS engine, and they
are 2004 and 2000.

Rack4R6#conf t
Rack4R6(config)#ip ips signature-definition
Rack4R6(config-sigdef)#signature 2000 0
Rack4R6(config-sigdef-sig)#status
Rack4R6(config-sigdef-sig-status)#retired false
Rack4R6(config-sigdef-sig-status)#exit
Rack4R6(config-sigdef-sig)#exit
Rack4R6(config-sigdef)#signature 2004 0
Rack4R6(config-sigdef-sig)#status
Rack4R6(config-sigdef-sig-status)#enabled true
Rack4R6(config-sigdef-sig-status)#retired false
Rack4R6(config-sigdef-sig-status)#exit
Rack4R6(config-sigdef-sig)#exit
Rack4R6(config-sigdef)#exit
Do you want to accept these changes? [confirm]

Finally, change the target value rating for the network 183.4.46.0/24.

Rack4R6(config)#ip ips event-action-rules
Rack4R6(config-rul)#target-value mission-critical target-address 183.4.46.0/24
Rack4R6(config-rul)#exit
Do you want to accept these changes? [confirm]

Task 6.5 Verification

Note

First, check the basic IPS configuration information. Notice the interfaces
enabled for IPS and the syslog event notification. Also note that the category
definition is part of the CLI configuration.

Rack4R6#show ip ips all
IPS Signature File Configuration Status
Configured Config Locations: flash:/ips/
Last signature default load time: 15:16:03 UTC Apr 12 2009
Last signature delta load time: 15:25:37 UTC Apr 12 2009
Last event action (SEAP) load time: 15:45:36 UTC Apr 12 2009

General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is disabled

IPS Signature Status
Total Active Signatures: 340
Total Inactive Signatures: 1980

IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name IPS
IPS fail closed is disabled
IPS deny-action ips-interface is false
Interface Configuration
Interface Virtual-Template1
Inbound IPS rule is IPS
Outgoing IPS rule is not set
Interface Virtual-Access1
Inbound IPS rule is IPS
Outgoing IPS rule is not set

IPS Category CLI Configuration:
Category all:
Retire: True
Category ios_ips basic:
Retire: False

Check that the ICMP signatures are actually enabled in the IPS configuration.

Rack4R6#show ip ips signatures sigid 2000 subid 0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release

SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- --- ------ ---- ----- -- -- --- -- -- -- --- ---
2000:0 Y Y A INFO 0 1 0 200 30 FA N 100 S1
sig-name: ICMP Echo Reply
sig-string-info: My Sig Info
sig-comment: Sig Comment
Engine atomic-ip params:
fragment-status :
icmp-type : 0
l4-protocol : icmp

Rack4R6#show ip ips signatures sigid 2004 subid 0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release

SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- --- ------ ---- ----- -- -- --- -- -- -- --- ---
2004:0 Y Y A INFO 0 1 0 200 30 FA N 100 S1
sig-name: ICMP Echo Request
sig-string-info: My Sig Info
sig-comment: Sig Comment
Engine atomic-ip params:
fragment-status :
icmp-type : 8
l4-protocol : icmp

Check the target value rating for the VLAN46 network.

Rack4R6#show ip ips event-action-rules target-value-rating
Target Value Ratings
Target Value Setting IP range
mission-critical 183.4.46.0-183.4.46.255

Ensure that logging to the AAA/CA server is enabled in R6.

Rack4R6#show logging
<snip>

ESM: 0 messages dropped

Trap logging: level informational, 126 message lines logged
Logging to 10.0.0.100 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
13 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled

Generate some test traffic and ensure that the IPS engine catches it.

Rack4R6#ping 119.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 119.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

Rack4R6#
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [119.0.0.1:0 -> 54.4.7.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [119.0.0.1:0 -> 54.4.7.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [119.0.0.1:0 -> 54.4.7.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [119.0.0.1:0 -> 54.4.7.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [119.0.0.1:0 -> 54.4.7.6:8] VRF:NONE RiskRating:25
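As an added example (not from the workbook), the following Python recomputes the risk rating reported in the %IPS-4-SIGNATURE alerts above from the victim's target value rating. The severity and target-value weights and the formula RR = ASR*TVR*SFR/10000 + ARR - PD + WLR are the ones Cisco documents for its IPS engines rather than anything stated on this page, so treat them as an assumption to check against your sensor version; the page's own alert (Sev 25, SFR 100, default TVR) reproduces the logged RiskRating of 25, and a victim in the mission-critical 183.4.46.0/24 range scores 50.

```python
import ipaddress
import re

# Attack Severity Rating per signature severity; "Sev:25" in the log is the informational value
# (assumed Cisco IPS weights)
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating; "medium" (100) applies when no target-value rule matches the victim
TVR = {"zero-value": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}

# Constructed rule table mirroring the single target-value entry configured on R6
TARGET_VALUE_RULES = [(ipaddress.ip_network("183.4.46.0/24"), "mission-critical")]

ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<sub>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)")


def target_value(victim):
    """Return the TVR name for a victim address, 'medium' when no rule matches."""
    addr = ipaddress.ip_address(victim)
    for net, rating in TARGET_VALUE_RULES:
        if addr in net:
            return rating
    return "medium"


def risk_rating(asr, tvr, sfr, arr=0, pd=0, wlr=0):
    """RR = ASR*TVR*SFR/10000 + ARR - PD + WLR, clamped to 0..100 (assumed Cisco IPS formula)."""
    return max(0, min(100, asr * tvr * sfr // 10000 + arr - pd + wlr))


def parse_alert(line):
    """Parse one %IPS-4-SIGNATURE line into a dict, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for field in ("sig", "sub", "sev", "sport", "dport", "rr"):
        alert[field] = int(alert[field])
    return alert


def check_alerts(lines, sfr=100):
    """Recompute each alert's RR from the victim's TVR.

    Returns (sig, victim, tvr, logged RR, expected RR) per alert; sfr defaults to the
    value shown for signatures 2000/2004 in the verification output.
    """
    out = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        tvr = target_value(alert["dst"])
        out.append((alert["sig"], alert["dst"], tvr, alert["rr"],
                    risk_rating(alert["sev"], TVR[tvr], sfr)))
    return out


# Constructed sample: the first line is the page's alert; the second is a hypothetical echo
# reply to a host in the mission-critical VLAN46 range; the third is not an IPS alert at all
SAMPLE_LOG = [
    "%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply "
    "[119.0.0.1:0 -> 54.4.7.6:8] VRF:NONE RiskRating:25",
    "%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply "
    "[119.0.0.1:0 -> 183.4.46.6:8] VRF:NONE RiskRating:50",
    "000071: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for sig, victim, tvr, logged, expected in check_alerts(SAMPLE_LOG):
        flag = "" if logged == expected else "  <-- mismatch"
        print("sig %d victim %s tvr %s logged RR %d expected %d%s"
              % (sig, victim, tvr, logged, expected, flag))
```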

Task 7.1 Solution


R4:
!
! Enable sequencing in log messages
!
service sequence-numbers

!
! Specify syslog host and logging level
!
logging 10.0.0.100
logging trap informational

Task 7.1 Verification


Generate some events for syslog:

Rack4R4(config)#interface Fastethernet 0/1
Rack4R4(config-if)#shutdown
000067: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
000068: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Rack4R4(config-if)#no shutdown
000069: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
000070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Rack4R4#show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 58 messages logged, xml disabled
Monitor logging: level debugging, 0 messages logged, xml disabled
Buffer logging: disabled, xml disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 65 message lines logged
Logging to 10.0.0.100, 0 message lines logged, xml disabled
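Because service sequence-numbers is enabled on R4, a collector can tell whether it received every message the router emitted. The following added example (not from the workbook) parses the sequenced format shown above and reports gaps, repeated or out-of-order counters, and lines without a counter; the sample log is constructed from the page's messages with 000069 deliberately missing and 000070 repeated.

```python
import re

# "service sequence-numbers" prefixes each message with a zero-padded counter, e.g.
# "000067: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down"
SEQ_RE = re.compile(r"^(?P<seq>\d{6,}): (?P<msg>%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+: .*)$")


def parse_line(line):
    """Return (sequence number, message) or None when the line carries no sequence number."""
    m = SEQ_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("seq")), m.group("msg")


def audit_sequence(lines):
    """Check a stream of sequenced messages from one device.

    Reports gaps (messages lost in transit or suppressed), repeated or out-of-order counters
    (UDP re-ordering or a replayed batch) and lines without a counter, which cannot have come
    from a device with sequencing enabled.
    """
    report = {"gaps": [], "out_of_order": [], "unsequenced": [], "count": 0}
    expected = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            report["unsequenced"].append(line)
            continue
        seq, _ = parsed
        report["count"] += 1
        if expected is not None:
            if seq > expected:
                report["gaps"].append((expected, seq - 1))   # inclusive range of missing numbers
            elif seq < expected:
                report["out_of_order"].append(seq)
                continue   # never move the expected counter backwards
        expected = seq + 1
    return report


# Constructed sample modelled on the page's output: 000069 never arrives, 000070 is seen twice
# and one line lacks a sequence number
SAMPLE_SYSLOG = [
    "000067: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down",
    "000068: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "000070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "000070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for key, value in audit_sequence(SAMPLE_SYSLOG).items():
        print("%s: %s" % (key, value))
```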

Task 7.2 Solution


R4 & R6:
!
! Username for local authentication
!
username SSH password 0 CISCO

!
! Generate the RSA key
!
ip domain name ine.com
!
crypto key generate rsa general modulus 512

!
! Restrict VTY access
!
access-list 60 permit 183.4.0.0 0.0.255.255

!
! Apply access-restrictions and configure input transport
!
line vty 0 4
login local
transport input ssh
access-class 60 in

Task 7.2 Verification


Check the SSH service status:

Rack4R4#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

Rack4R6#sho ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

Connect to R6 via SSH:

Rack4R4#ssh -l SSH 150.4.6.6

Password: CISCO

Rack4R6>

Rack4R4#telnet 150.4.6.6
Trying 150.4.6.6 ...
% Connection refused by remote host

Rack4R4(config)#ip ssh source-interface FastEthernet 0/1
Rack4R4(config)#^Z
Rack4R4#ssh -l SSH 150.4.6.6
Connection refused by remote host

Task 7.3 Solution


R5:
!
! Access-list to classify the VPN traffic
! It uses the tunneled VPN IP addressing,
! since QoS Pre-Classification has been enabled
!
ip access-list ext VPN_TRAFFIC
permit ip 10.5.5.0 0.0.0.255 10.8.8.0 0.0.0.255

!
! Class to match VPN traffic
!
class-map VPN_TRAFFIC
match access-group name VPN_TRAFFIC

!
! Class to distinguish voice traffic (using the DSCP value)
!
class-map VOICE_TRAFFIC
match dscp ef

!
! Tunnel policy to provide priority treatment for voice traffic
! inside the VPN tunnel
!
policy-map TUNNEL_POLICY
class VOICE_TRAFFIC
priority 128
!
! Interface policy to provide a minimum bandwidth guarantee
! and limit the maximum transmission speed
!
! Here "shape" limits the maximum speed, and "bandwidth" provides
! a minimum bandwidth reservation in case of congestion
!
policy-map INTERFACE_POLICY
class VPN_TRAFFIC
shape average 2000000
bandwidth 2000
service-policy TUNNEL_POLICY

!
! Apply the QoS policy to the interface
!
interface FastEthernet 0/1
service-policy out INTERFACE_POLICY

Task 7.3 Verification


To verify the QoS processing for traffic marked with DSCP value of EF, configure
the telnet server in R5 to mark traffic with the TOS byte of 0xB8, corresponding
to the DSCP value of EF.

R5:
ip telnet tos B8

Now connect to R5 across the VPN using the telnet session and then check the
policy-map statistics. Ensure that there are matches for packets marked with
DSCP value of EF.

Rack4SW2#telnet 10.5.5.5 /source-interface vlan 8
Trying 10.5.5.5 ... Open

User Access Verification

Username: NOC
Password: CISCO

Rack4R5#show policy-map interface fastEthernet 0/1
FastEthernet0/1

Service-policy output: INTERFACE_POLICY

Class-map: VPN_TRAFFIC (match-all)
44 packets, 5096 bytes
5 minute offered rate 2000 bps, drop rate 0 bps
Match: access-group name VPN_TRAFFIC
Traffic Shaping
Target/Average   Byte   Sustain   Excess    Interval  Increment
Rate             Limit  bits/int  bits/int  (ms)      (bytes)
2000000/2000000  12500  50000     50000     25        6250

Adapt   Queue   Packets   Bytes   Packets   Bytes     Shaping
Active  Depth                     Delayed   Delayed   Active
-       0       44        5096    0         0         no

Service-policy : TUNNEL_POLICY

Class-map: VOICE_TRAFFIC (match-all)
43 packets, 4986 bytes
5 minute offered rate 2000 bps, drop rate 0 bps
Match: dscp ef (46)
Queueing
Strict Priority
Output Queue: Conversation 72
Bandwidth 128 (kbps) Burst 3200 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0

Class-map: class-default (match-any)
1 packets, 110 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

Class-map: class-default (match-any)
4973 packets, 382211 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: any


Task 8.1 Solution


R2:
!
! Basic BGP configuration, using peer-group for smaller config
!
router bgp 100
neighbor IBGP peer-group
neighbor IBGP remote-as 100
neighbor IBGP send-community
neighbor IBGP update-source Loopback0
!
! Peer with R1,R6
!
neighbor 150.4.1.1 peer-group IBGP
neighbor 150.4.6.6 peer-group IBGP
!
redistribute static route-map STATIC_TO_BGP

!
! A /32 route used as next-hop to “drop” the packets
! It should be configured on every participating router.
!
ip route 192.0.2.1 255.255.255.255 null0

!
! Blackhole route, the one we want to “screen”
! (In this case – route to the server under attack)
!
ip route 183.4.37.200 255.255.255.255 null0 tag 100

!
! Route-map to signal RTBH information.
!
! Note that Origin and Local Pref are changed to ensure
! that the route is always preferred by BGP best-path selection.
!
! The No-Export community is used to contain the RTBH route inside our AS.
! Match Tag is used for scalable route lookup.
!
route-map STATIC_TO_BGP permit 10
match tag 100
set local-preference 200
set origin igp
set community no-export
set ip next-hop 192.0.2.1

R1 & R6:
router bgp 100
neighbor 150.4.2.2 remote-as 100
neighbor 150.4.2.2 update-source Loopback0
!
ip route 192.0.2.1 255.255.255.255 null0


Task 8.1 Verification


Check that all routers see the prefix with the next-hop of 192.0.2.1, which is
routed to Null0.

Rack4R2#show ip bgp 183.4.37.200


BGP routing table entry for 183.4.37.200/32, version 9
Paths: (1 available, best #1, table Default-IP-Routing-Table, not
advertised to EBGP peer)
Flag: 0x820
Advertised to update-groups:
1
Local
192.0.2.1 from 0.0.0.0 (150.4.2.2)
Origin IGP, metric 0, localpref 200, weight 32768, valid,
sourced, best
Community: no-export

Rack4R1#show ip bgp 183.4.37.200


BGP routing table entry for 183.4.37.200/32, version 40
Paths: (1 available, best #1, table Default-IP-Routing-Table, not
advertised to EBGP peer, Advertisements suppressed by an aggregate.)
Flag: 0x820
Not advertised to any peer
Local
192.0.2.1 from 150.4.2.2 (150.4.2.2)
Origin IGP, metric 0, localpref 200, valid, internal, best
Community: no-export
Rack4R1#

Rack4R6#show ip bgp 183.4.37.200


BGP routing table entry for 183.4.37.200/32, version 22
Paths: (1 available, best #1, table Default-IP-Routing-Table, not
advertised to EBGP peer, Advertisements suppressed by an aggregate.)
Not advertised to any peer
Local
192.0.2.1 from 150.4.2.2 (150.4.2.2)
Origin IGP, metric 0, localpref 200, valid, internal, best
Community: no-export

To make sure, issue the following command to check the CEF next-hop for the
prefix. You should repeat this command on all border BGP routers.

Rack4R6#sh ip cef 183.4.37.200


183.4.37.200/32
nexthop 192.0.2.1 Null0


You can’t get access to the backbone routers in the real lab, but in INE-compatible
racks you can. Do a traceroute and ensure the packets are dropped at R6.

BB1-FRS>traceroute 183.4.37.200

Type escape sequence to abort.
Tracing the route to 183.4.37.200

54.4.7.6 20 msec 20 msec 20 msec
54.4.7.6 !H * !H

Task 8.2 Solution


R2:
!
! Add a new route-map entry to propagate self-originated
! routes with a ‘higher priority’. This way, we attract
! traffic destined to a particular network to the ‘sinkhole’
! router.
!
! Traffic should only be diverted ‘locally’, i.e. inside our AS.
! Therefore the ‘no-export’ community is applied.
!
route-map STATIC_TO_BGP permit 20
match tag 200
set local-preference 200
set origin igp
set community no-export

!
! In this case, we want to attract the traffic for network 112.0.0.0/8
! which is suspected to be the source of the attack. We use special
! tag to distinguish such ‘sinkhole’ networks.
!
ip route 112.0.0.0 255.0.0.0 Null0 tag 200

!
! Next, we need a way to intercept and log ICMP unreachable messages
!
ip access-list ext LOG_UNREACHABLES
permit icmp any any unreachable log
permit ip any any
!
interface Serial 0/0.123
ip access-group LOG_UNREACHABLES in

!
! Tune access-list logging to log every ACL line hit
!
ip access-list log-update threshold 1


!
! Redistribute static routes into OSPF so non-BGP hosts may reach it
!
route-map STATIC_TO_OSPF
match tag 200
!
router ospf 1
redistribute static subnets route-map STATIC_TO_OSPF

Task 8.2 Verification


Rack4R6#show ip route 112.0.0.0
Routing entry for 112.0.0.0/8
Known via "bgp 100", distance 200, metric 0, type internal
Redistributing via ospf 1
Last update from 150.4.2.2 00:09:35 ago
Routing Descriptor Blocks:
* 150.4.2.2, from 150.4.2.2, 00:09:35 ago
Route metric is 0, traffic share count is 1
AS Hops 0

Rack4R6#show ip bgp 112.0.0.0


BGP routing table entry for 112.0.0.0/8, version 23
Paths: (2 available, best #1, table Default-IP-Routing-Table, not
advertised to EBGP peer)
Not advertised to any peer
Local
150.4.2.2 (metric 911) from 150.4.2.2 (150.4.2.2)
Origin IGP, metric 0, localpref 200, valid, internal, best
Community: no-export
54 50 60
54.4.7.254 from 54.4.7.254 (212.18.3.1)
Origin IGP, metric 0, localpref 100, valid, external

The following simulation cannot be reproduced in rental racks as it uses the
enable mode privilege. Ping the “blackholed” host off the subnet that is
redirected to the sinkhole. Notice that the log entries in R2 contain the IP address
of the edge router that dropped the packet. This allows tracking of the network
entrance point.

BB1-FRS#ping 183.4.37.200 source 112.0.0.1

Rack4R2#show ip access-lists
Extended IP access list LOG_UNREACHABLES
10 permit icmp any any unreachable log (5 matches)
20 permit ip any any (3734 matches)

Rack4R2#show logging
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering
disabled)
<snip>


Log Buffer (4096 bytes):

%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 112.0.0.1 (3/1), 1 packet
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 112.0.0.1 (3/1), 1 packet
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 112.0.0.1 (3/1), 1 packet
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 112.0.0.1 (3/1), 1 packet
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 112.0.0.1 (3/1), 1 packet
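As an added example (not part of the workbook), the following Python script parses %SEC-6-IPACCESSLOGDP lines like those above and attributes each sinkholed source to the edge router that emitted the ICMP unreachable, which is the network entrance point the text refers to. The sample log buffer is constructed: the edge router 192.0.2.77, the sources 112.0.0.9 and 203.0.113.5 and the OTHER_ACL entry are invented to exercise the filtering.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log buffer. The message format follows the R2 output above;
# the edge router 192.0.2.77, the sources 112.0.0.9 / 203.0.113.5 and the entry
# for access-list OTHER_ACL are invented to exercise the filtering logic.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 112.0.0.1 (3/1), 1 packet
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 112.0.0.1 (3/1), 1 packet
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 112.0.0.1 (3/1), 3 packets
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 192.0.2.77 -> 112.0.0.9 (3/1), 2 packets
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 112.0.0.1 (3/0), 1 packet
%SEC-6-IPACCESSLOGDP: list LOG_UNREACHABLES permitted icmp 54.4.7.6 -> 203.0.113.5 (3/1), 1 packet
%SEC-6-IPACCESSLOGDP: list OTHER_ACL permitted icmp 54.4.7.6 -> 112.0.0.1 (3/1), 1 packet
"""

# One ACL log line. re.search is used so that a syslog timestamp prefix,
# which a real logging buffer usually carries, does not break the match.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) permitted icmp "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

ICMP_DEST_UNREACHABLE = 3


def parse_unreachables(log_text, acl_name="LOG_UNREACHABLES"):
    """Return one record per ICMP destination-unreachable line logged by acl_name.

    For an RTBH drop the unreachable is emitted by the edge router (log source)
    towards the address that sent the blackholed packet (log destination).
    """
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None or m.group("acl") != acl_name:
            continue
        if int(m.group("type")) != ICMP_DEST_UNREACHABLE:
            continue
        records.append({
            "edge": m.group("src"),        # router that dropped the packet
            "attacker": m.group("dst"),    # source of the blackholed traffic
            "code": int(m.group("code")),  # 1 = host unreachable (Null0 route)
            "packets": int(m.group("count")),
        })
    return records


def attribute_ingress(records, sinkhole_prefix):
    """Map each source inside the sinkholed prefix to {edge router: packets}."""
    net = ipaddress.ip_network(sinkhole_prefix)
    report = defaultdict(Counter)
    for r in records:
        if ipaddress.ip_address(r["attacker"]) not in net:
            continue  # unreachable for some other destination; not our sinkhole
        report[r["attacker"]][r["edge"]] += r["packets"]
    return {attacker: dict(edges) for attacker, edges in report.items()}


def packets_per_edge(report):
    """Total dropped packets seen per edge router, i.e. per network entry point."""
    totals = Counter()
    for edges in report.values():
        totals.update(edges)
    return dict(totals)


if __name__ == "__main__":
    recs = parse_unreachables(SAMPLE_LOG)
    by_source = attribute_ingress(recs, "112.0.0.0/8")
    for attacker, edges in sorted(by_source.items()):
        print(attacker, "entered via", edges)
    print("per edge:", packets_per_edge(by_source))
```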

CCIE Security Lab Workbook Vol II Solutions Guide for CCIEv3.0 Lab 2

IEWB-SC-VOL2 Lab 2 Solutions


Task 1.1 Solution
ASA1:
hostname Rack4ASA1
!
interface Ethernet0/0
nameif outside
ip address 132.1.69.9 255.255.255.0
no shutdown
!
interface Ethernet0/1
nameif inside
ip address 132.1.29.9 255.255.255.0
no shutdown

Task 1.1 Verification


Rack4ASA1(config)# ping 132.1.29.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 132.1.29.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

Rack4ASA1(config)# ping 132.1.69.6


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 132.1.69.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms


Task 1.2 Solution


Enable multiple-context mode in ASA2, then reboot in the system context and
create two customer contexts. Notice the new names given to the physical
interfaces inside the customer contexts. Don’t forget the mac-address auto
statement for proper traffic classification.

ASA2:
ciscoasa# conf t
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]

ASA2:
hostname Rack4ASA2

!
! Automatically generate MAC addresses for the shared interface
!
mac-address auto
!
! Configure ContextA settings
!
context ContextA
allocate-interface Ethernet0/0 outside
allocate-interface Ethernet0/1 insideA
config-url disk0:/ContextA.cfg

!
! Configure ContextA as admin-context
! Erase the old admin context
!
admin-context ContextA
no context admin noconfirm

!
! Configure ContextB settings
!
context ContextB
allocate-interface Ethernet0/0 outside
allocate-interface Ethernet0/2 insideB
config-url disk0:/ContextB.cfg


!
! Enable physical interfaces allocated to contexts
!
interface Ethernet0/0
no shutdown
!
interface Ethernet0/1
no shutdown
!
interface Ethernet0/2
no shutdown

Task 1.2 Verification

Rack4ASA2(config)# changeto context ContextA


Rack4ASA2/ContextA(config)# show interface
Interface insideA "", is up, line protocol is up
Available but not configured via nameif
Interface outside "", is up, line protocol is up
Available but not configured via nameif

Task 1.3 Solution


Use the commands changeto context ContextA and changeto context
ContextB to change from the system context to the respective customer context.
Use the mapped interface names inside the contexts.

ASA2/ContextA:
interface insideA
nameif inside
ip address 204.12.4.13 255.255.255.0
no shutdown
!
interface outside
nameif outside
ip address 132.1.137.113 255.255.255.0
no shutdown


ASA2/ContextB:
interface insideB
nameif inside
ip address 132.1.138.13 255.255.255.0
no shutdown
!
interface outside
nameif outside
ip address 132.1.137.213 255.255.255.0
no shutdown

Task 1.3 Verification


Rack4ASA2/ContextA(config)# ping 132.1.137.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 132.1.137.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Rack4ASA2/ContextA(config)# ping 204.12.4.254


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

Rack4ASA2/ContextB(config)# ping 132.1.137.7


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 132.1.137.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA2/ContextB(config)# ping 132.1.138.8


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 132.1.138.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms


Task 1.4 Solution


SW1:
ip route 132.1.138.0 255.255.255.0 132.1.137.213
ip route 204.12.4.0 255.255.255.0 132.1.137.113

!
! Redistribute static subnets to provide full connectivity
!
router ospf 1
redistribute static subnets

ASA2/ContextA & ContextB:


route outside 0 0 132.1.137.7

Task 1.4 Verification

Note

Confirm that other routers can see the networks redistributed into IGP as OSPF
external prefixes. Keep in mind that you cannot reach SW2 or BB3 right now, as
the necessary firewall configurations have not been applied yet.

Rack4R2#show ip route ospf


O E2 204.12.4.0/24 [110/20] via 132.1.0.1, 00:02:37, Serial0/0.1234
10.0.0.0/24 is subnetted, 1 subnets
O IA 10.0.0.0 [110/138] via 132.1.0.4, 01:45:40, Serial0/0.1234
132.1.0.0/16 is variably subnetted, 10 subnets, 2 masks
O E2 132.1.138.0/24 [110/20] via 132.1.0.1, 00:02:37, Serial0/0.1234
O IA 132.1.170.0/24 [110/74] via 132.1.0.1, 01:44:21, Serial0/0.1234
O 132.1.0.4/32 [110/64] via 132.1.0.4, 01:45:40, Serial0/0.1234
O 132.1.0.1/32 [110/64] via 132.1.0.1, 01:45:40, Serial0/0.1234
O 132.1.0.3/32 [110/64] via 132.1.0.3, 01:45:40, Serial0/0.1234
O IA 132.1.35.0/24 [110/192] via 132.1.0.4, 01:45:40, Serial0/0.1234
O IA 132.1.45.0/24 [110/128] via 132.1.0.4, 01:45:40, Serial0/0.1234
O IA 132.1.115.0/24 [110/138] via 132.1.0.4, 01:45:40,
Serial0/0.1234
150.4.0.0/16 is variably subnetted, 6 subnets, 2 masks
O IA 150.4.7.7/32 [110/75] via 132.1.0.1, 01:44:16, Serial0/0.1234
O IA 150.4.5.5/32 [110/129] via 132.1.0.4, 01:45:40, Serial0/0.1234
O 150.4.4.4/32 [110/65] via 132.1.0.4, 01:45:42, Serial0/0.1234
O 150.4.3.3/32 [110/65] via 132.1.0.3, 01:45:42, Serial0/0.1234
O 150.4.1.1/32 [110/65] via 132.1.0.1, 01:45:42, Serial0/0.1234


Task 1.5 Solution


ASA1:
router rip
version 2
no auto-summary
network 132.1.0.0
default-information originate
!
interface Ethernet 0/1
rip authentication key CISCO key_id 1
!
! Access-list to permit only the default route
!
access-list DEFAULT_ONLY standard permit host 0.0.0.0

!
! Permit only the default route to R2.
!
router rip
distribute-list DEFAULT_ONLY out interface inside

R2:
key chain RIP
key 1
key-string CISCO
!
interface FastEthernet0/0
ip rip authentication key-chain RIP

Pitfall
Do not apply a key-chain to an interface before it has been created in
the global configuration. When making changes to a key-chain, remove
it from the interface and reapply it after the changes have been made.


Task 1.5 Verification


Check that R2 is configured for RIP authentication.

Rack4R2#show ip protocols | beg is "rip"


Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 2 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: ospf 1 (internal, external 1 & 2, nssa-external 1 &
2)

Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2 RIP
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
132.1.0.0
Passive Interface(s):
VoIP-Null0
Serial0/0
Serial0/0.1234
Serial0/1
Virtual-Access1
Loopback0
Routing Information Sources:
Gateway Distance Last Update
132.1.29.9 120 00:00:11
Distance: (default is 120)

Using RIP packet debugging, confirm that R2 receives authenticated RIP
updates with only the default route.

Rack4R2#debug ip rip
RIP protocol debugging is on

Rack4R2#
RIP: received packet with text authentication CISCO
RIP: received v2 update from 132.1.29.9 on Ethernet0/0
0.0.0.0/0 via 0.0.0.0 in 1 hops

Rack4R2#show ip route rip


R* 0.0.0.0/0 [120/1] via 132.1.29.9, 00:00:19, Ethernet0/0

Rack4ASA1(config)# show route


Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

R 204.12.4.0 255.255.255.0 [120/1] via 132.1.29.2, 0:00:07, inside
R 10.0.0.0 255.255.255.0 [120/1] via 132.1.29.2, 0:00:07, inside
R 132.1.138.0 255.255.255.0 [120/1] via 132.1.29.2, 0:00:07, inside
R 132.1.170.0 255.255.255.0 [120/1] via 132.1.29.2, 0:00:07, inside
R 132.1.0.4 255.255.255.255 [120/1] via 132.1.29.2, 0:00:07, inside
R 132.1.0.1 255.255.255.255 [120/1] via 132.1.29.2, 0:00:07, inside
R 132.1.0.0 255.255.255.0 [120/1] via 132.1.29.2, 0:00:07, inside
R 132.1.0.3 255.255.255.255 [120/1] via 132.1.29.2, 0:00:07, inside
C 132.1.29.0 255.255.255.0 is directly connected, inside
R 132.1.35.0 255.255.255.0 [120/1] via 132.1.29.2, 0:00:07, inside
R 132.1.45.0 255.255.255.0 [120/1] via 132.1.29.2, 0:00:07, inside
C 132.1.69.0 255.255.255.0 is directly connected, outside
R 132.1.115.0 255.255.255.0 [120/1] via 132.1.29.2, 0:00:07, inside
R 150.4.6.0 255.255.255.0 [120/1] via 132.1.69.6, 0:00:07, outside
R 150.4.2.0 255.255.255.0 [120/1] via 132.1.29.2, 0:00:11, inside
R 150.4.7.7 255.255.255.255 [120/1] via 132.1.29.2, 0:00:11, inside
R 150.4.5.5 255.255.255.255 [120/1] via 132.1.29.2, 0:00:11, inside
R 150.4.4.4 255.255.255.255 [120/1] via 132.1.29.2, 0:00:11, inside
R 150.4.3.3 255.255.255.255 [120/1] via 132.1.29.2, 0:00:11, inside
R 150.4.1.1 255.255.255.255 [120/1] via 132.1.29.2, 0:00:11, inside

Task 1.6 Solution


R6:
key chain RIP
key 1
key-string CISCO
!
! Apply key-chain to the interface
!
interface FastEthernet0/0
ip rip authentication mode md5
ip rip authentication key-chain RIP

ASA1:
interface Ethernet0/0
rip authentication mode md5
rip authentication key CISCO key_id 1


Task 1.6 Verification


Check the protocol settings for the authentication key. Enable RIP packets
debugging to confirm the reception of authenticated RIP updates.

Rack4R6#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 5 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Ethernet0/0 2 2 RIP
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
132.1.0.0
150.4.0.0
Routing Information Sources:
Gateway Distance Last Update
132.1.69.9 120 00:00:04
Distance: (default is 120)

Rack4R6#debug ip rip
RIP protocol debugging is on

Rack4R6#
RIP: received packet with MD5 authentication
RIP: received v2 update from 132.1.69.9 on Ethernet0/0
0.0.0.0/0 via 0.0.0.0 in 1 hops
<snip>


Task 1.7 Solution


ASA1:
!
! Access-List for policy NAT
!
access-list ICMP extended permit icmp any any

!
! Translate all inside addresses
!
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

!
! Policy NAT for ICMP packets
!
nat (inside) 2 access-list ICMP
global (outside) 2 132.1.69.222

!
! Static NAT to keep BGP session intact
!
static (inside,outside) 150.4.2.2 150.4.2.2


Task 1.7 Verification


Enable ICMP tracing in the firewall. Send some ICMP packets through the
firewall (the returning packets will be blocked though). Confirm that the firewall
translates the source IP addresses using the PAT pool.

Rack4ASA1(config)# debug icmp trace

Rack4R2#ping 150.4.6.6 timeout 0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 150.4.6.6, timeout is 0 seconds:
.....
Success rate is 0 percent (0/5)

Rack4ASA1(config)#
ICMP echo request from inside:132.1.29.2 to outside:150.4.6.6 ID=73
seq=115 len=72
ICMP echo request translating inside:132.1.29.2/73 to
outside:132.1.69.222/1
ICMP echo request from inside:132.1.29.2 to outside:150.4.6.6 ID=74
seq=115 len=72
<output omitted>

Rack4R2#telnet 150.4.6.6
Trying 150.4.6.6 ... Open

User Access Verification

Password:
Rack4R6>

Rack4ASA1(config)# show xlate


1 in use, 1006 most used
PAT Global 132.1.69.9(1024) Local 132.1.29.2(11019)


Task 1.8 Solution


R6:
!
! Configure BGP password
!
router bgp 100
neighbor 150.4.2.2 password CISCO

The static route to R6’s Loopback0 IP address in R2 is required, because the eBGP
session will not start when the destination is only reachable via the default route.

R2:
!
! Set BGP password
!
router bgp 100
neighbor 150.4.6.6 password CISCO
!
ip route 150.4.6.6 255.255.255.255 132.1.29.9

ASA1:
!
! A TCP inspection policy that permits TCP option 19.
! This option is used to authenticate the BGP peering;
! it carries the actual hash value.
!
tcp-map BGP
tcp-options range 19 19 allow

!
! Class-map to classify BGP traffic
!
class-map BGP
match port tcp eq bgp

!
! Actual policy that disables TCP random-sequencing for
! BGP sessions and applies TCP inspection policy
!
policy-map global_policy
class BGP
set connection advanced-options BGP
set connection random-sequence-number disable


Task 1.8 Verification


Rack4R2#show ip bgp neighbors 150.4.6.6 routes
BGP table version is 17, local router ID is 150.4.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path


*>i112.0.0.0 150.4.6.6 0 100 0 54 50 60 i
*>i113.0.0.0 150.4.6.6 0 100 0 54 50 60 i
*>i114.0.0.0 150.4.6.6 0 100 0 54 i
*>i115.0.0.0 150.4.6.6 0 100 0 54 i
*>i116.0.0.0 150.4.6.6 0 100 0 54 i
*>i117.0.0.0 150.4.6.6 0 100 0 54 i
*>i118.0.0.0 150.4.6.6 0 100 0 54 i
*>i119.0.0.0 150.4.6.6 0 100 0 54 i

Total number of prefixes 8

Task 1.9 Solution


We have to use static PAT (not just a single bi-directional NAT entry) because
there is another task that maps different ports on the same outside IP to the
different inside IP.

ASA1:
static (inside,outside) tcp 132.1.69.100 80 132.1.29.100 80
static (inside,outside) tcp 132.1.69.100 443 132.1.29.100 443

!
! Time-range to match weekdays
!
time-range WEEKDAYS
periodic weekdays 00:00 to 23:59

!
! Access-Control Policy
!
access-list OUTSIDE_IN permit tcp any host 132.1.69.100 eq 80 time-range WEEKDAYS
access-list OUTSIDE_IN permit tcp any host 132.1.69.100 eq 443 time-range WEEKDAYS


Task 1.9 Verification


Verify the time-range in ASA1 by switching the system clock to a weekday or
weekend date and seeing whether the time-range becomes active.

Rack4ASA1(config)# show time-range

time-range entry: WEEKDAYS (inactive)


periodic weekdays 0:00 to 23:59
used in: IP ACL entry
used in: IP ACL entry

Rack4ASA1(config)# show clock


16:09:51.722 UTC Sun Jan 17 1993

Rack4ASA1(config)# clock set 16:09:51 Feb 13 2007


Rack4ASA1(config)# show time-range

time-range entry: WEEKDAYS (active)


periodic weekdays 0:00 to 23:59
used in: IP ACL entry
used in: IP ACL entry


Task 1.10 Solution


Configure additional static PAT entries for the additional ports. Enable FTP
inspection on port 10021.

ASA1:
!
! Static PAT
!
static (inside,outside) tcp 132.1.69.100 ftp 132.1.29.101 ftp
static (inside,outside) tcp 132.1.69.100 10021 132.1.29.101 10021

!
! Configure ACL to permit TCP connections on ports 21/10021
!
access-list OUTSIDE_IN extended permit tcp any host 132.1.69.100 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 132.1.69.100 eq
10021

!
! Match port 10021
!
class-map FTP_10021
match port tcp eq 10021

!
! Inspect FTP on port 10021
!
policy-map global_policy
class FTP_10021
inspect ftp


Tasks 1.9 - 1.10 Verification


Using the ip alias command, configure R2 to respond to requests sent to the IP
addresses 132.X.29.100 and 132.X.29.101. Simulate connections to ports 21,
80, 443 and 10021 after that. Make sure R2 receives TCP SYN packets and
responds with RST segments.

R2:
ip alias 132.1.29.100 80
ip alias 132.1.29.101 21

Rack4R2#debug ip tcp transactions


TCP special event debugging is on

Rack4R6#telnet 132.1.69.100 80
Trying 132.1.69.100, 80 ...
% Connection refused by remote host

Rack4R6#telnet 132.1.69.100 21
Trying 132.1.69.100, 21 ...
% Connection refused by remote host

Rack4R6#telnet 132.1.69.100 10021


Trying 132.1.69.100, 10021 ...
% Connection refused by remote host

Rack4R6#telnet 132.1.69.100 443


Trying 132.1.69.100, 443 ...
% Connection refused by remote host

Rack4R2#
TCP: sending RST, seq 0, ack 2814639545
TCP: sent RST to 132.1.69.6:11034 from 132.1.29.100:80
Rack4R2#
TCP: connection attempt to port 0
TCP: sending RST, seq 0, ack 1296412693
TCP: sent RST to 132.1.69.6:11035 from 132.1.29.100:21
Rack4R2#
TCP: connection attempt to port 0
TCP: sending RST, seq 0, ack 753709533
TCP: sent RST to 132.1.69.6:11036 from 132.1.29.100:10021
Rack4R2#
TCP: connection attempt to port 0
TCP: sending RST, seq 0, ack 2841358415
TCP: sent RST to 132.1.69.6:11037 from 132.1.29.100:443


Task 1.11 Solution


ASA2/ContextB:
!
! Permit HTTP, SMTP, FTP protocols in the ACL
!
access-list OUTSIDE_IN permit tcp any any eq 80
access-list OUTSIDE_IN permit tcp any any eq 25
access-list OUTSIDE_IN permit tcp any any eq 21
!
access-group OUTSIDE_IN in interface outside

!
! Two regexps to match EXE/DLL files. Notice the use of []
! for lower/upper case matching.
!
regex EXE ".*\.[eE][xX][eE]"
regex DLL ".*\.[dD][lL][lL]"

!
! Class-map that matches any of DLL/EXE files
!
class-map type regex match-any BANNED_FILES
match regex EXE
match regex DLL

!
! FTP-specific inspection map
! Matches PUT command along with filenames *.EXE/*.DLL
!
class-map type inspect ftp match-all FTP_BANNED_FILES
match filename regex class BANNED_FILES
match request-command put

!
! FTP-specific inspection policy. Reset on upload attempts
! for files named *.exe/*.dll
!
policy-map type inspect ftp FTP_POLICY
parameters
class FTP_BANNED_FILES
reset

!
! Apply FTP policy to global FTP inspection rule
!
policy-map global_policy
class inspection_default
inspect ftp strict FTP_POLICY


!
! Regexp to match domain cyberspam.org
!
regex SPAM_DOMAIN "cyberspam.org"

!
! SMTP inspection policy
!
policy-map type inspect esmtp SMTP_POLICY

!
! Log local-domain violations
!
parameters
mail-relay INE.com action log

!
! Reset connection for offending transactions
!
match invalid-recipients count gt 10
reset

!
! Drop connection containing a message from “cyberspam.org”
!
match sender-address regex SPAM_DOMAIN
drop-connection

!
! Apply ESMTP inspection policy globally
!
policy-map global_policy
class inspection_default
no inspect esmtp
inspect esmtp SMTP_POLICY
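As an added example (not from the workbook or the ASA itself), this Python snippet emulates the FTP part of the policy above: the match-any regex class BANNED_FILES and the match-all inspect class FTP_BANNED_FILES with its reset action. It assumes ASA regex matching is an unanchored substring search (hence re.search as the stand-in) and that the PUT command matches regardless of case; the anchored variants and the sample filenames are constructed here to show what anchoring changes.

```python
import re

# The two regexes from the ContextB configuration above, copied verbatim.
ASA_REGEXES = {
    "EXE": r".*\.[eE][xX][eE]",
    "DLL": r".*\.[dD][lL][lL]",
}

# Hypothetical anchored variants: the same patterns with a trailing "$",
# added here only to show the effect of anchoring on names like notes.exe.bak.
ANCHORED_REGEXES = {name: pattern + "$" for name, pattern in ASA_REGEXES.items()}


def banned_files_matches(filename, regexes=ASA_REGEXES):
    """Emulate 'class-map type regex match-any BANNED_FILES'.

    match-any: the class matches as soon as one of its regexes matches.
    Assumption: ASA regex matching is a substring search, so re.search
    rather than re.fullmatch is used as the stand-in.
    """
    return any(re.search(pattern, filename) for pattern in regexes.values())


def ftp_policy_action(request_command, filename, regexes=ASA_REGEXES):
    """Emulate 'class-map type inspect ftp match-all FTP_BANNED_FILES'
    combined with the 'reset' action from FTP_POLICY.

    match-all: both conditions must hold, so a GET of setup.exe is not reset
    and a PUT of readme.txt is not reset. FTP commands are case-insensitive
    (RFC 959), so the command is upper-cased first (assumed ASA behaviour).
    """
    if request_command.upper() == "PUT" and banned_files_matches(filename, regexes):
        return "reset"
    return "allow"


# Constructed transfers that exercise the interesting cases.
SAMPLE_TRANSFERS = [
    ("PUT", "setup.exe"),            # reset: upload of an EXE
    ("put", "LIB.DLL"),              # reset: lower-case command, upper-case DLL
    ("PUT", "/incoming/tool.ExE"),   # reset: mixed-case extension, path prefix
    ("GET", "setup.exe"),            # allow: match-all needs PUT as well
    ("PUT", "readme.txt"),           # allow: no regex matches
    ("PUT", "notes.exe.bak"),        # reset with unanchored regex, allow if anchored
]

if __name__ == "__main__":
    for command, name in SAMPLE_TRANSFERS:
        print(f"{command:4} {name:22} unanchored={ftp_policy_action(command, name)}"
              f"  anchored={ftp_policy_action(command, name, ANCHORED_REGEXES)}")
```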


Task 1.11 Verification


Using the show commands, check that the inspection policies apply globally.

Rack4ASA2/ContextB# show service-policy global inspect esmtp

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: esmtp SMTP_POLICY, packet 0, drop 0, reset-drop 0
mask-banner, count 0
mail-relay domain INE.com, log 0
match invalid-recipients count gt 10
reset, packet 0
match sender-address regex SPAM_DOMAIN
drop-connection, packet 0

Rack4ASA2/ContextB# show service-policy global inspect ftp

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp strict FTP_POLICY, packet 0, drop 0, reset-drop 0

Rack4ASA2/ContextB# show service-policy global

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp strict FTP_POLICY, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: esmtp SMTP_POLICY, packet 0, drop 0, reset-drop 0


Task 1.12 Solution


ASA1:
ntp authentication-key 1 md5 CISCO
ntp authenticate
ntp trusted-key 1
ntp server 54.4.2.254 key 1

Task 1.12 Verification


Check the clocks are synchronized and the peer is authenticated.

Rack4ASA1(config)# show ntp status


Clock is synchronized, stratum 5, reference is 54.4.2.254
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is afc8e5d3.987208eb (00:20:35.595 UTC Wed Jun 16 1993)
clock offset is -2.2748 msec, root delay is 28.82 msec
root dispersion is 15892.94 msec, peer dispersion is 15890.63 msec

Rack4ASA1(config)# show ntp associations detail

54.4.2.254 configured, authenticated, our_master, sane, valid, stratum 4


ref ID 127.127.7.1, time afc8e5ad.8f19be1e (00:19:57.558 UTC Wed Jun 16 1993)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15905.060
<snip>

Task 2.1 Solution


One trick used in this task is inspection of ICMP traffic, which was introduced in
IOS 12.2(15)T. Since 12.3(14)T, IOS allows inspection of router-generated
traffic for some protocols, including ICMP. This makes it possible to overcome the
well-known issue of local traffic not generating CBAC states.


R5:
!
! Inspection rule for TCP/UDP traffic
!
ip inspect name INSPECT tcp
ip inspect name INSPECT udp
ip inspect name INSPECT icmp router-traffic
!
ip access-list extended FROM_BB2
!
! OSPF, IGP Routing Traffic
!
permit ospf any any
!
! HTTP access
!
permit tcp any any eq www
!
! SSH access
!
deny tcp 192.10.4.0 0.0.0.255 any eq 22
permit tcp any any eq 22
!
deny ip any any log

!
! Apply ACL and inspection rule
!
interface FastEthernet0/0
ip access-group FROM_BB2 in
ip inspect INSPECT out


Task 2.2 Solution


It is important to note that CBAC uses separate idle timers for UDP sessions and
for DNS sessions.

R5:
ip inspect tcp idle-time 1800
ip inspect udp idle-time 180
ip inspect dns-timeout 10

Task 2.1 & 2.2 Verification

Note

Check global CBAC timeouts using the show command. Next, initiate some
traffic from behind R5 and off R5 itself and make sure it creates CBAC sessions.

Rack4R5#show ip inspect config


Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 1800 sec -- udp idle-time is 180 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 10 sec
Inspection Rule Configuration
Inspection name INSPECT
tcp alert is on audit-trail is off timeout 1800
udp alert is on audit-trail is off timeout 180
icmp alert is on audit-trail is off timeout 10
inspection of router local traffic is enabled

Rack4R3#telnet 192.10.4.254
Trying 192.10.4.254 ... Open

+-----------------------------------------------------------------------+
|                                                                       |
| Welcome to BB2. These commands are available for use at privilege 0   |
|                                                                       |
|   ping              show ip bgp                                       |
|   telnet            show ip bgp neighbors                             |
|   traceroute        show ip bgp summary                               |
|   show ip route     show ip interface brief                           |
|                     show ip protocols                                 |
|                                                                       |
| The reference configuration for this device is available at:          |
| http://www.internetworkexpert.com/downloads/bb2.txt                   |
|                                                                       |
+-----------------------------------------------------------------------+

SC.9.9.BB2>


Rack4R5#ping 192.10.4.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

Rack4R5#show ip inspect sessions


Established Sessions
Session 8469ACC0 (132.1.35.3:57817)=>(192.10.4.254:23) tcp SIS_OPEN
Session 8469A9F8 (192.10.4.5:8)=>(192.10.4.254:0) icmp SIS_OPEN

Look at the ingress access-list and notice the matches for OSPF protocol traffic.

Rack4R5#show ip access-lists FROM_BB2


Extended IP access list FROM_BB2
10 permit ospf any any (16 matches)
20 permit tcp any any eq www
30 deny tcp 192.10.4.0 0.0.0.255 any eq 22
40 permit tcp any any eq 22
50 deny ip any any log (1 match)
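As an added illustration (not code from the workbook or from IOS), the following Python model reproduces the two behaviours the Task 2.1 and 2.2 text describes: R5's own ICMP traffic only gets a session when the inspect rule carries the router-traffic keyword, and UDP sessions involving port 53 age out with dns-timeout rather than the UDP idle time. Addresses, flows and timestamps are constructed; the timers are R5's configured values.

```python
"""Toy model of the CBAC state table R5 builds with the Task 2.1/2.2 config.

Added example, not from the workbook or IOS. Addresses, flows and timestamps
are constructed; the timers are the values configured on R5.
"""
from dataclasses import dataclass

TCP_IDLE, UDP_IDLE, DNS_TIMEOUT, ICMP_IDLE = 1800, 180, 10, 10  # seconds

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

def session_key(flow):
    """ICMP is tracked on addresses only, like the (192.10.4.5:8)=>(192.10.4.254:0)
    icmp session shown above; TCP/UDP use the full 5-tuple."""
    if flow.proto == "icmp":
        return ("icmp", flow.src, flow.dst)
    return (flow.proto, flow.src, flow.sport, flow.dst, flow.dport)

def return_key(flow):
    """Key an inbound packet must match to belong to an existing session."""
    if flow.proto == "icmp":
        return ("icmp", flow.dst, flow.src)
    return (flow.proto, flow.dst, flow.dport, flow.src, flow.sport)

def idle_limit(key):
    """dns-timeout applies to UDP sessions involving port 53, udp idle-time to the rest."""
    if key[0] == "tcp":
        return TCP_IDLE
    if key[0] == "udp":
        return DNS_TIMEOUT if 53 in (key[2], key[4]) else UDP_IDLE
    return ICMP_IDLE

class Cbac:
    def __init__(self, protocols, router_traffic=(), local_ips=()):
        self.protocols = set(protocols)            # ip inspect name INSPECT tcp|udp|icmp
        self.router_traffic = set(router_traffic)  # protocols with the router-traffic keyword
        self.local_ips = set(local_ips)            # R5's own interface addresses
        self.sessions = {}                         # session key -> time of last packet

    def outbound(self, flow, now):
        """Packet leaving through 'ip inspect INSPECT out'; True if a session exists after it."""
        if flow.proto not in self.protocols:
            return False
        if flow.src in self.local_ips and flow.proto not in self.router_traffic:
            return False  # router-generated traffic creates no state without the keyword
        self.sessions[session_key(flow)] = now
        return True

    def inbound(self, flow, now, acl_permits):
        """Packet arriving through 'ip access-group FROM_BB2 in': a live session
        opens the return path, otherwise the ACL decides."""
        self.expire(now)
        key = return_key(flow)
        if key in self.sessions:
            self.sessions[key] = now
            return True
        return acl_permits(flow)

    def expire(self, now):
        """Drop sessions idle longer than their protocol's timer."""
        self.sessions = {k: t for k, t in self.sessions.items() if now - t <= idle_limit(k)}

def deny_all(flow):
    """Stand-in for FROM_BB2's trailing 'deny ip any any log'."""
    return False
```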

Task 2.3 Solution


This task uses the NAT Virtual Interface feature. All traffic ingressing on interfaces
enabled for NAT with the command ip nat enable is routed across the virtual
NVI0 interface. This allows for symmetrical application of NAT rules (there are no
more inside or outside domains), and you may now have static routes toward the
NVI0 interface installed automatically when configuring NAT pools.

R4:
!
! Configure NAT inside/outside interfaces
!
interface Serial0/0.1234
ip nat enable
!
interface FastEthernet0/0
ip nat enable
!
interface Serial0/1
ip nat enable


!
! Redistribute static subnets describing NAT pools
!
router ospf 1
redistribute static subnets

!
! NAT pool with the “add-route” option
!
ip nat pool NAT_POOL 132.1.255.1 132.1.255.101 prefix-length 24 add-route

!
! Source list for dynamic NAT
!
ip access-list extended VLAN4
permit ip 132.1.4.0 0.0.0.255 any

!
! Dynamic NAT rule
!
ip nat source list VLAN4 pool NAT_POOL

!
! Static PAT for the HTTP/FTP servers
!
ip nat source static tcp 132.1.4.101 20 132.1.255.100 20
ip nat source static tcp 132.1.4.101 21 132.1.255.100 21
ip nat source static tcp 132.1.4.100 80 132.1.255.100 80
ip nat source static tcp 132.1.4.100 443 132.1.255.100 443


Task 2.3 Verification

Note

Turn SW1 into a host temporarily. Don’t forget to bring it back to the original
configuration after that.

SW1:
no ip routing
ip default-gateway 132.1.4.4
!
interface Vlan 4
ip address 132.1.4.7 255.255.255.0

Ping R3 from SW1 and check the NAT NVI translation table on R4 after that.
Notice the translated IP address for SW1’s IP.

Rack4SW1#clear arp-cache
Rack4SW1#ping 150.4.3.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 150.4.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/115/116 ms
Rack4SW1#

Rack4R4#show ip nat nvi translations


Pro   Source global     Source local    Destin local    Destin global
icmp  132.1.255.2:27    132.1.4.7:27    150.4.3.3:27    150.4.3.3:27
---   132.1.255.2       132.1.4.7       ---             ---
<snip>


Task 2.4 Solution


The frame-relay mapping on R6 is configured so that packets sent to 54.X.2.6
are routed to BB1 and back. In order to make R6 accept packets sourced from
itself, use the allow-self-ping option when configuring uRPF.

R6:
!
! Make sure CEF is enabled globally
!
ip cef

!
! Enable uRPF
!
interface Serial0/0/0
ip verify unicast reverse-path allow-self-ping

Task 2.4 Verification


Rack4R6#show ip interface serial 0/0/0
Serial0/0/0 is up, line protocol is up
Internet address is 54.4.2.6/24
Broadcast address is 255.255.255.255
<snip>
IP verify source reachable-via RX, allow default
2 verification drops
0 suppressed verification drops
0 verification drop-rate

Rack4R6#ping 54.4.2.6

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 54.4.2.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/68 ms


Task 3.1 Solution


The task configuration is straightforward, based on VTI interfaces. EIGRP 34
is enabled on the tunnel interface and both protected segments are advertised
into the new IGP. The tunnels are sourced off the Loopback0 interfaces, and thus
could survive any physical interface failure.

R3:
!
! ISAKMP policy, changing ISAKMP SA lifetime
!
crypto isakmp policy 100
authentication pre-share
lifetime 2400

!
! ISAKMP pre-shared key
!
crypto isakmp key CISCO address 150.4.4.4

!
! IPsec transform
!
crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac

crypto ipsec profile TUNNEL
set transform-set DES_MD5
!
interface Tunnel 0
tunnel source Loopback0
tunnel destination 150.4.4.4
ip address 132.1.34.3 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TUNNEL
!
router eigrp 34
no auto-summary
network 10.3.3.0 0.0.0.255
network 132.1.34.3 0.0.0.0


R4:
!
! ISAKMP policy, changing ISAKMP SA lifetime
!
crypto isakmp policy 100
authentication pre-share
lifetime 2400

!
! ISAKMP pre-shared key
!
crypto isakmp key CISCO address 150.4.3.3

!
! IPsec transform
!
crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac

crypto ipsec profile TUNNEL
set transform-set DES_MD5
!
interface Tunnel 0
tunnel source Loopback0
tunnel destination 150.4.3.3
ip address 132.1.34.4 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TUNNEL
!
router eigrp 34
no auto-summary
network 10.4.4.0 0.0.0.255
network 132.1.34.4 0.0.0.0


Task 3.1 Verification


Start by checking the ISAKMP and IPSec SAs for the VPN tunnel. Notice that both
SAs are sourced off the Loopback0 interfaces and thus could survive any physical
interface failure. The remaining ISAKMP SA lifetime is ticking down from 40
minutes, which is 2400 seconds. The IPSec SA appears to be healthy based on the
incrementing packet counters.

Rack4R3#show crypto isakmp sa detail


Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local      Remote     I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1001  150.4.3.3  150.4.4.4         ACTIVE  des   sha   psk   1   00:35:21
      Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

Rack4R3#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 150.4.3.3

protected vrf: (none)


local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 150.4.4.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 150.4.3.3, remote crypto endpt.: 150.4.4.4


path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x21514F9F(558976927)

<snip>


Check that the VPN routes are received over Tunnel0 interface. Ensure
connectivity exists between the two segments.

Rack4R3#show ip route eigrp


10.0.0.0/24 is subnetted, 3 subnets
D 10.4.4.0 [90/297246976] via 132.1.34.4, 00:05:07, Tunnel0

Rack4R3#ping 10.4.4.4 source fastEthernet 0/0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/177/180 ms

Task 3.2 Solution


ASA1:
!
! Local IP pool for address allocation
!
ip local pool CCIEPOOL 10.255.255.1-10.255.255.254

!
! Group policy for VPN users
!
group-policy CCIELAB internal
group-policy CCIELAB attributes
dns-server value 132.1.29.50
vpn-idle-timeout 1800
default-domain value INE.com
address-pools value CCIEPOOL

!
! Tunnel group for VPN users, group password is configured here
! By default local client authentication (xauth) is enabled
!
tunnel-group CCIELAB type remote-access
tunnel-group CCIELAB ipsec-attributes
pre-shared-key CISCO

!
! Assign the group policy to tunnel-group
!
tunnel-group CCIELAB general-attributes
default-group-policy CCIELAB


!
! Username for local authentication
!
username CCIEUSER password CISCO

!!!!!!!!!!!!!!!!!!!!!!!
!
! IPsec settings !
!
!!!!!!!!!!!!!!!!!!!!!!!

!
! Crypto transform
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!
! Dynamic crypto map for dynamic connections
!
crypto dynamic-map DYNAMIC 10 set transform-set 3DES_MD5

!
! Actual crypto map only uses dynamic crypto map
!
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside

!
! ISAKMP configuration follows
!
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2


Task 3.2 Verification

Note

To perform the testing, configure SW2 to relocate the Test PC into VLAN69. After
this, configure the Cisco VPN client in the Test PC with the information to
connect to ASA1:

SW2:
interface Fa0/20
switchport host
switchport access vlan 69

Test PC:


After you have launched the VPN client, select Connections > New and
create a new entry.


When you’re done, connect to the firewall and authenticate using the
username/password pair CCIEUSER/CISCO. After this, check the VPN sessions
in the firewall. Pay attention to the cipher/hash used for the IPSec session.

Rack4ASA1(config)# show vpn-sessiondb remote

Session Type: Remote

Username : CCIEUSER
Index : 1
Assigned IP : 10.255.255.1 Public IP : 132.1.69.200
Protocol : IPSec Encryption : 3DES
Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 5415
Client Type : WinNT Client Ver : 4.8.01.0300
Group Policy : CCIELAB
Tunnel Group : CCIELAB
Login Time : 15:07:25 UTC Thu Mar 18 1993
Duration : 0h:00m:51s
Filter Name :
NAC Result : N/A
Posture Token:

Now that you know the remote client IP address, you can ping it from ASA1.
Check the IPSec SA statistics to make sure your traffic is actually encrypted.


Rack4ASA1(config)# ping 10.255.255.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/30 ms

Rack4ASA1(config)# show crypto ipsec sa


interface: outside
Crypto map tag: DYNAMIC, seq num: 10, local addr: 132.1.69.9

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.255.255.1/255.255.255.255/0/0)
current_peer: 132.1.69.200, username: CCIEUSER
dynamic allocated peer ip: 10.255.255.1

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 132.1.69.9, remote crypto endpt.: 132.1.69.200

path mtu 1500, ipsec overhead 58, media mtu 1500


current outbound spi: 240250A9

<snip>

Task 3.3 Solution


This task uses IPSec in transport mode. Only ICMP traffic between the
respective Loopback0 interfaces of R1 and R6 is encrypted. Transport mode
assumes that there are just TWO endpoint IP addresses used to exchange the
encrypted traffic. Therefore, in order to make the configuration work, you
should source the ISAKMP SA off the same addresses used as the endpoints.
This is accomplished using the local-address parameter of the crypto map.
Additionally, the set peer statement under the crypto map should reference the
same IP addresses used as the endpoints.


R1:
!
! ISAKMP policy
!
crypto isakmp policy 100
encr 3des
authentication pre-share

!
! Pre-shared key for R6
!
crypto isakmp key CISCO address 150.4.6.6

!
! IPsec transform-set, uses transport mode for minimum overhead
!
crypto ipsec transform-set 3DES_SHA_TRANS esp-3des esp-sha-hmac
mode transport

!
! Traffic to encrypt
!
ip access-list extended PINGS
permit icmp host 150.4.1.1 host 150.4.6.6
!
crypto map ENCRYPT_PINGS local-address Loopback0
crypto map ENCRYPT_PINGS 10 ipsec-isakmp
set peer 150.4.6.6
set transform-set 3DES_SHA_TRANS
match address PINGS
!
! Apply the crypto map
!
interface Serial0/0.1234
crypto map ENCRYPT_PINGS


R6:
!
! ISAKMP settings
!
crypto isakmp policy 10
encr 3des
authentication pre-share

!
! Pre-shared key for R1
!
crypto isakmp key CISCO address 150.4.1.1

!
! IPsec transform-set, uses transport mode for minimum overhead
!
crypto ipsec transform-set 3DES_SHA_TRANS esp-3des esp-sha-hmac
mode transport

!
! Traffic to encrypt
!
ip access-list extended PINGS
permit icmp host 150.4.6.6 host 150.4.1.1

!
! Crypto map
!
crypto map ENCRYPT_PINGS local-address Loopback0
crypto map ENCRYPT_PINGS 10 ipsec-isakmp
set peer 150.4.1.1
set transform-set 3DES_SHA_TRANS
match address PINGS
!
interface FastEthernet0/0
crypto map ENCRYPT_PINGS

We are not allowed to modify the outside access-list on the ASA, so we use
IPSec pass-through inspection, which dynamically opens pinholes for the IPSec
sessions.

ASA1:
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
!
! Static mapping required since we enabled dynamic NAT earlier
! R1 should translate to itself
!
static (inside,outside) 150.4.1.1 150.4.1.1


Task 3.3 Verification


Rack4R1#ping 150.4.6.6 source loopback 0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 150.4.6.6, timeout is 2 seconds:
Packet sent with a source address of 150.4.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/88/89 ms

Rack4R1#show cry isa sa


dst src state conn-id slot
150.4.6.6 150.4.1.1 QM_IDLE 1 0

Rack4R1#show cry ipsec sa

interface: Serial0/0.1234
Crypto map tag: ENCRYPT_PINGS, local addr. 150.4.1.1

protected vrf:
local ident (addr/mask/prot/port): (150.4.1.1/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (150.4.6.6/255.255.255.255/1/0)
current_peer: 150.4.6.6:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0

local crypto endpt.: 150.4.1.1, remote crypto endpt.: 150.4.6.6


path mtu 1500, media mtu 1500
current outbound spi: E6EDEFFE

inbound esp sas:


spi: 0x95E36CF6(2514709750)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: ENCRYPT_PINGS
sa timing: remaining key lifetime (k/sec): (4379781/2759)
IV size: 8 bytes
replay detection support: Y
<snip>


Task 3.4 Solution


Configuring a basic GET VPN scenario is straightforward, as multicast routing has
been pre-configured for you. Most of the configuration is done on the key
server, which is R2 in our case. The access-list that specifies the protected traffic
should cover packets sourced off any Loopback0 subnet toward the group range
239.0.0.0/8. Group members are configured in a similar manner, using pre-shared
keys to authenticate with the key server.

R2:
!
! ISAKMP settings
!
crypto isakmp policy 50
encr 3des
hash md5
group 2
authentication pre-share
!
! Group pre-shared keys to authenticate any group member
!
crypto isakmp key CISCO address 150.4.0.0 255.255.0.0

!
! GET VPN transform set to be pushed down to the members
!
crypto ipsec transform-set GETVPN_TS esp-3des esp-md5-hmac

!
! GET VPN profile that specifies the transform set
!
crypto ipsec profile GETVPN_PROFILE
set transform-set GETVPN_TS

!
! The RSA key needs to be generated in the server for key signing
!
crypto key generate rsa general-keys label GETVPN_KEYS modulus 512 exportable

!
! Access-list that specifies the protected traffic
!
access-list 100 permit ip 150.4.0.0 0.0.255.255 239.0.0.0 0.255.255.255


!
! GDOI group settings
!
crypto gdoi group GETVPN_GROUP
identity number 1234
server local
rekey authentication mypubkey rsa GETVPN_KEYS
rekey transport unicast
sa ipsec 1
profile GETVPN_PROFILE
match address ipv4 100
replay time window-size 5

R3:
crypto isakmp policy 50
encr 3des
hash md5
authentication pre-share
group 2
!
! PSK to authenticate with the server
!
crypto isakmp key CISCO address 150.4.2.2
!
crypto gdoi group GETVPN_GROUP_GM
identity number 1234
server address ipv4 150.4.2.2
!
! Crypto map uses Loopback0 for ISAKMP session
! Set the GET VPN group that uses R2 as the server
!
crypto map GETVPN_MAP local-address Loopback0
crypto map GETVPN_MAP 10 gdoi
set group GETVPN_GROUP_GM
!
interface Serial1/0.1234
crypto map GETVPN_MAP

R4:
crypto isakmp policy 50
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key CISCO address 150.4.2.2
!
crypto gdoi group GETVPN_GROUP_GM
identity number 1234
server address ipv4 150.4.2.2

crypto map GETVPN_MAP local-address Loopback0
crypto map GETVPN_MAP 10 gdoi
set group GETVPN_GROUP_GM
!
interface Serial0/0.1234
crypto map GETVPN_MAP


Task 3.4 Verification


Start by verifying the control plane connections. R2 should have two ISAKMP
SAs with both group members. The group members should have registered with
the key server and downloaded the ACL and the traffic encryption key.

Rack4R2#show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.2.2 150.4.4.4 GDOI_IDLE 1004 0 ACTIVE
150.4.2.2 150.4.3.3 GDOI_IDLE 1005 0 ACTIVE

IPv6 Crypto ISAKMP SA

Rack4R3#show crypto gdoi


GROUP INFORMATION

Group Name : GETVPN_GROUP_GM


Group Identity : 1234
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 150.4.2.2
Group Server list : 150.4.2.2

GM Reregisters in : 2113 secs


Rekey Received : never

Rekeys received
Cumulative : 0
After registration : 0

ACL Downloaded From KS 150.4.2.2:


access-list permit ip 150.4.0.0 0.0.255.255 239.0.0.0 0.255.255.255

TEK POLICY:
Serial1/0.1234:
IPsec SA:
sa direction:inbound
spi: 0xD4632445(3563267141)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2230)
Anti-Replay(Time Based) : 5 sec interval

IPsec SA:
sa direction:outbound
spi: 0xD4632445(3563267141)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2230)
Anti-Replay(Time Based) : 5 sec interval


Rack4R4#show crypto gdoi


GROUP INFORMATION

Group Name : GETVPN_GROUP_GM


Group Identity : 1234
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 150.4.2.2
Group Server list : 150.4.2.2

GM Reregisters in : 1783 secs


Rekey Received : never

Rekeys received
Cumulative : 0
After registration : 0

ACL Downloaded From KS 150.4.2.2:


access-list permit ip 150.4.0.0 0.0.255.255 239.0.0.0 0.255.255.255

TEK POLICY:
Serial0/0.1234:
IPsec SA:
sa direction:inbound
spi: 0xD4632445(3563267141)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (1902)
Anti-Replay(Time Based) : 5 sec interval

IPsec SA:
sa direction:outbound
spi: 0xD4632445(3563267141)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (1902)
Anti-Replay(Time Based) : 5 sec interval

Now join R4 Loopback0 interface to the group address 239.1.1.1 and ping this
address off R3. Ensure you receive responses to the ping requests.


R4:
interface Loopback0
ip igmp join-group 239.1.1.1

Rack4R3#ping 239.1.1.1 source loopback 0 repeat 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.4.3.3

Reply to request 0 from 132.1.0.4, 256 ms
Reply to request 0 from 132.1.0.4, 269 ms

Check the IPSec SAs on R3 and R4. Confirm that R3 encrypts the multicast packets
and R4 decrypts them.

Rack4R3#show crypto ipsec sa interface serial 1/0.1234

interface: Serial1/0.1234
Crypto map tag: GETVPN_MAP, local addr 150.4.3.3

protected vrf: (none)


local ident (addr/mask/prot/port): (150.4.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (239.0.0.0/255.0.0.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

<snip>

Rack4R4#show crypto ipsec sa interface serial 0/0.1234

interface: Serial0/0.1234
Crypto map tag: GETVPN_MAP, local addr 150.4.4.4

protected vrf: (none)


local ident (addr/mask/prot/port): (150.4.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (239.0.0.0/255.0.0.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15

<snip>


Task 4.1 Solution


R5:
aaa new-model

!
! Create two authentication lists for the HTTP server
! and the console line.
!
aaa authentication login HTTP group tacacs+
aaa authentication login CONSOLE none

!
! Authorize exec via TACACS+. To manage the router via HTTP,
! the user needs an exec privilege level of 15
!
aaa authorization exec default group tacacs+

!
! TACACS+ server communication settings
!
ip tacacs source-interface Loopback0
tacacs-server host 10.0.0.100 key CISCO

!
! Enable HTTP server and configure authentication settings
!
ip http server
ip http port 8080
ip http authentication aaa login-authentication HTTP

line console 0
login authentication CONSOLE


ACS:

Step 1:

Start by adding R5 as a TACACS+ client to the ACS server. Run the ACS Admin
utility, select Network Configuration and click the Add Entry button. Fill in
the fields according to the screenshot below, then click the Submit + Restart
button.


Step 2:

Click the User Setup button, then enter the name “R5WEB” and click the
Add/Edit button. Set the Password field on the next page to “CISCO” and
confirm the password.


Step 3:

Enable the following TACACS+ settings in the user’s profile. (Make sure they are
enabled for the user profile in the ACS Interface Configuration.) In the TACACS+
Settings section of the page, check the Shell (exec) checkbox and set the
Privilege Level field to 15.


Task 4.1 Verification


Rack4R5#debug aaa authentication
AAA Authentication debugging is on

Rack4R5#debug tacacs
TACACS access control debugging is on

Rack4R5#debug tacacs packet


TACACS+ packets debugging is on

Note

Connect to R5 from the AAA server using the URL http://10.0.0.5:8080.


Authenticate using the username/password pair R5WEB/CISCO. Observe the
debugging output in R5. R5 starts by authenticating the new user using the HTTP
list.

AAA/BIND(0000000A): Bind i/f


AAA/AUTHEN/LOGIN (0000000A): Pick method list 'HTTP'
TPLUS: Queuing AAA Authentication request 10 for processing
TPLUS: processing authentication start request id 10
TPLUS: Authentication start packet created for 10(R5WEB)
TPLUS: Using server 10.0.0.100
TPLUS(0000000A)/0/NB_WAIT/83C52644: Started 5 sec timeout
TPLUS(0000000A)/0/NB_WAIT: socket event 2
T+: Version 192 (0xC0), type 1, seq 1, encryption 1
T+: session_id 432296654 (0x19C452CE), dlen 13 (0xD)
T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
T+: svc:LOGIN user_len:5 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
T+: user: R5WEB
T+: port:
T+: rem_addr:
T+: data:
T+: End Packet
TPLUS(0000000A)/0/NB_WAIT: wrote entire 25 bytes request

Note

The AAA server prompts for a password:

TPLUS(0000000A)/0/READ: socket event 1


TPLUS(0000000A)/0/READ: Would block while reading
TPLUS(0000000A)/0/READ: socket event 1
TPLUS(0000000A)/0/READ: read entire 12 header bytes (expect 16 bytes data)


TPLUS(0000000A)/0/READ: socket event 1


TPLUS(0000000A)/0/READ: read entire 28 bytes response
T+: Version 192 (0xC0), type 1, seq 2, encryption 1
T+: session_id 432296654 (0x19C452CE), dlen 16 (0x10)
T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
T+: msg: Password:
T+: data:
T+: End Packet
TPLUS(0000000A)/0/83C52644: Processing the reply packet
TPLUS: Received authen response status GET_PASSWORD (8)
TPLUS: Queuing AAA Authentication request 10 for processing
TPLUS: processing authentication continue request id 10
TPLUS: Authentication continue packet generated for 10
TPLUS(0000000A)/0/WRITE/83C52644: Started 5 sec timeout

The router sends the password entered by the user back to the server:

T+: Version 192 (0xC0), type 1, seq 3, encryption 1


T+: session_id 432296654 (0x19C452CE), dlen 10 (0xA)
T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
T+: User msg: <elided>
T+: User data:
T+: End Packet
TPLUS(0000000A)/0/WRITE: wrote entire 22 bytes request
TPLUS(0000000A)/0/READ: socket event 1
TPLUS(0000000A)/0/READ: read entire 12 header bytes (expect 6 bytes data)
TPLUS(0000000A)/0/READ: socket event 1
TPLUS(0000000A)/0/READ: read entire 18 bytes response

The server responds with a successful authentication status:

T+: Version 192 (0xC0), type 1, seq 4, encryption 1


T+: session_id 432296654 (0x19C452CE), dlen 6 (0x6)
T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
T+: msg:
T+: data:
T+: End Packet
TPLUS(0000000A)/0/83C52644: Processing the reply packet
TPLUS: Received authen response status PASS (2)


The local router prepares and sends an authorization request for the “shell” of the
new user.

TPLUS: Queuing AAA Authorization request 10 for processing


TPLUS: processing authorization request id 10
TPLUS: Inappropriate protocol: 24
TPLUS: Sending AV service=shell
TPLUS: Sending AV cmd*
TPLUS: Authorization request created for 10(R5WEB)
TPLUS: using previously set server 10.0.0.100 from group tacacs+
TPLUS(0000000A)/0/NB_WAIT/83C52644: Started 5 sec timeout
TPLUS(0000000A)/0/NB_WAIT: socket event 2
T+: Version 192 (0xC0), type 2, seq 1, encryption 1
T+: session_id 2840345914 (0xA94C3D3A), dlen 32 (0x20)
T+: AUTHOR, priv_lvl:15, authen:1 method:tacacs+
T+: svc:1 user_len:5 port_len:0 rem_addr_len:0 arg_cnt:2
T+: user: R5WEB
T+: port:
T+: rem_addr:
T+: arg[0]: size:13 service=shell
T+: arg[1]: size:4 cmd*
T+: End Packet

The server responds with the priv-lvl=15 AV pair, instructing the router to put the
user at the highest privilege level. This finishes the authentication/authorization process.

TPLUS(0000000A)/0/NB_WAIT: wrote entire 44 bytes request


TPLUS(0000000A)/0/READ: socket event 1
TPLUS(0000000A)/0/READ: Would block while reading
TPLUS(0000000A)/0/READ: socket event 1
TPLUS(0000000A)/0/READ: read entire 12 header bytes (expect 18 bytes data)
TPLUS(0000000A)/0/READ: socket event 1
TPLUS(0000000A)/0/READ: read entire 30 bytes response
T+: Version 192 (0xC0), type 2, seq 2, encryption 1
T+: session_id 2840345914 (0xA94C3D3A), dlen 18 (0x12)
T+: AUTHOR/REPLY status:1 msg_len:0, data_len:0 arg_cnt:1
T+: msg:
T+: data:
T+: arg[0] size:11
T+: priv-lvl=15
T+: End Packet
TPLUS(0000000A)/0/83C52644: Processing the reply packet
TPLUS: Processed AV priv-lvl=15
TPLUS: received authorization response for 10: PASS
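To make the debug fields concrete, here is an added Python builder/parser for the TACACS+ packets traced above (not code from the workbook or from Cisco IOS). It lays out the 12-byte header and the body formats whose dlen values the debug prints, and applies the MD5 pseudo-pad body obfuscation that the shared key CISCO drives, so a mismatched key on either side yields unreadable bodies. Session ids, the user R5WEB, priv_lvl 15 and the AV pairs come from the debug; the password "cisco" and the "Password: " prompt are constructed.

```python
"""TACACS+ (RFC 8907) packet builder/parser for the exchange debugged above.

Added example, not from the workbook or Cisco IOS. Session ids, user R5WEB,
priv_lvl 15, the AV pairs and the shared key CISCO come from the debug; the
password "cisco" and the "Password: " prompt are constructed.
"""
import hashlib
import struct

VERSION = 0xC0                      # major 0xC, minor 0: "Version 192 (0xC0)"
TYPE_AUTHEN, TYPE_AUTHOR = 1, 2     # "type 1" / "type 2" in the debug
FLAG_UNENCRYPTED = 0x01             # header flags 0 means the body is obfuscated
STATUS_PASS, STATUS_GETPASS = 1, 5  # AUTHEN/REPLY status values seen above
AUTHOR_PASS_ADD = 1                 # AUTHOR/REPLY status:1
METHOD_TACACSPLUS = 0x06
HDR = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of chained MD5(session_id | key | version | seq_no | previous digest)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it again restores the clear body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte header (flags 0) followed by the obfuscated body."""
    hdr = HDR.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, seq_no)

def parse_packet(raw, key):
    """Return (type, seq_no, session_id, clear body); a wrong key yields garbage."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(raw[:HDR.size])
    body = raw[HDR.size:]
    if version != VERSION or len(body) != length:
        raise ValueError("bad TACACS+ header")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body

def authen_start(user, priv_lvl=15, action=1, authen_type=1, service=1):
    """AUTHEN/START: action priv_lvl authen_type service + 4 length bytes + strings."""
    u = user.encode()
    return struct.pack("!8B", action, priv_lvl, authen_type, service, len(u), 0, 0, 0) + u

def authen_continue(user_msg):
    """AUTHEN/CONTINUE: user_msg_len(2) data_len(2) flags(1) user_msg."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m

def authen_reply(status, flags=0, server_msg=b""):
    """AUTHEN/REPLY: status flags server_msg_len(2) data_len(2) server_msg."""
    return struct.pack("!BBHH", status, flags, len(server_msg), 0) + server_msg

def author_request(user, args, priv_lvl=15, authen_type=1, service=1):
    """AUTHOR: method priv_lvl authen_type service + 4 length bytes + arg lengths + strings."""
    u, a = user.encode(), [x.encode() for x in args]
    fixed = struct.pack("!8B", METHOD_TACACSPLUS, priv_lvl, authen_type,
                        service, len(u), 0, 0, len(a))
    return fixed + bytes(len(x) for x in a) + u + b"".join(a)

def author_reply(status, args):
    """AUTHOR/REPLY: status arg_cnt server_msg_len(2) data_len(2) arg lengths + args."""
    a = [x.encode() for x in args]
    return struct.pack("!BBHH", status, len(a), 0, 0) + bytes(len(x) for x in a) + b"".join(a)

def parse_author_reply(body):
    """Return (status, [AV pairs]) from a clear AUTHOR/REPLY body."""
    status, arg_cnt, mlen, dlen = struct.unpack("!BBHH", body[:6])
    lens, pos, args = body[6:6 + arg_cnt], 6 + arg_cnt + mlen + dlen, []
    for n in lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return status, args

def replay_exchange(key=b"CISCO"):
    """Rebuild the six packets from the debug; returns (dlen, total bytes) per packet."""
    sid, sid2 = 0x19C452CE, 0xA94C3D3A
    pkts = [
        build_packet(TYPE_AUTHEN, 1, sid, authen_start("R5WEB"), key),
        build_packet(TYPE_AUTHEN, 2, sid, authen_reply(STATUS_GETPASS, 0x1, b"Password: "), key),
        build_packet(TYPE_AUTHEN, 3, sid, authen_continue("cisco"), key),
        build_packet(TYPE_AUTHEN, 4, sid, authen_reply(STATUS_PASS), key),
        build_packet(TYPE_AUTHOR, 1, sid2, author_request("R5WEB", ["service=shell", "cmd*"]), key),
        build_packet(TYPE_AUTHOR, 2, sid2, author_reply(AUTHOR_PASS_ADD, ["priv-lvl=15"]), key),
    ]
    return [(len(p) - HDR.size, len(p)) for p in pkts]
```

The (dlen, total) pairs returned by replay_exchange are exactly the "dlen 13 (0xD)" / "wrote entire 25 bytes" style figures in the debug, which is a quick way to confirm a packet dissector against a known-good trace.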

Task 4.2 Solution


R3:
aaa new-model

!
! Authenticate login and authorize exec via TACACS+
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+

!
! TACACS+ server
!
ip tacacs source-interface Loopback0
tacacs-server host 10.0.0.100 key CISCO

!
! Assign specified commands to level 2
!
privilege exec level 2 undebug all
privilege exec all level 2 debug

!
! Safeguard the console
!
aaa authentication login CONSOLE none

line console 0
login authentication CONSOLE

ACS:

Step 1:

Add a new AAA client to the ACS server. Start the ACS Admin utility, click the
Network Configuration button and then click the Add Entry button. Fill in the
fields according to the screenshot below and click the Submit + Apply button.

Step 2:

Add a new user named “USER1” and specify the exec auto-command. Click the
User Setup button, enter the name “USER1” and click the Add/Edit button.
Specify the password value of “CISCO” on the next screen. Under the TACACS+
Settings section of the profile, fill in the fields according to the screenshot
below. When done, click the Submit button.

Step 3:

Add another user named “USER2” with a shell exec privilege level of 2. Click
User Setup, enter the name “USER2” and click the Add/Edit button. On the
next screen, set the Password field to “CISCO” and set the values under the
TACACS+ Settings section of the profile per the screenshot below:

Task 4.2 Verification

 Note

The effect of the “no hangup” option is that your telnet session is not
disconnected after the auto-command has been executed. Try this by connecting
from R2 and logging in as USER1.

Rack4R2#telnet 150.4.3.3
Trying 150.4.3.3 ... Open

Username: USER1
Password: CISCO

    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:25:34
*130 vty 0     USER1      idle                 00:00:00   132.1.0.2

  Interface    User               Mode         Idle     Peer Address

After this, the system prompts you to log in once again. Log in as USER2 and
check your privilege level. Make sure you have access to the debug and undebug
commands.

User Access Verification

Username: USER2
Password: CISCO

Rack4R3#show privilege
Current privilege level is 2
Rack4R3#debug ?
IUA ISDN adaptation Layer options
aaa AAA Authentication, Authorization and
Accounting
aal2_xgcpspi AAL2_XGCP Service Provider Interface.
<output omitted>

Rack4R3#undebug ?
all Enable all debugging
call Call Information
<output omitted>

Task 4.3 Solution


R6:
aaa new-model

!
! Authenticate users and authorize exec locally
!
aaa authentication login default local
aaa authorization exec default local

!
! Users
!
username NOC privilege 0 password 0 CISCO
username ADMIN privilege 15 password 0 CISCO

!
! Level 1 enable secret
!
enable secret level 1 LEVEL1

!
! Safeguard the console line
!
aaa authentication login CONSOLE none
!
line console 0
login authentication CONSOLE

Task 4.3 Verification


Log in to R6 as ADMIN and then as NOC and check the privilege levels and the
commands available to each user.

Rack4R1#telnet 150.4.6.6 /source-interface loopback 0


Trying 150.4.6.6 ... Open

User Access Verification

Username: ADMIN
Password: CISCO

Rack4R6#show privilege
Current privilege level is 15

Rack4R1#telnet 150.4.6.6 /source-interface loopback 0


Trying 150.4.6.6 ... Open

User Access Verification

Username: NOC
Password: CISCO

Rack4R6>show privilege
^
% Invalid input detected at '^' marker.

Rack4R6>?
Exec commands:
<1-99> Session number to resume
call Voice call
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

Rack4R6>enable 1
Password: LEVEL1

Rack4R6>show privilege
Current privilege level is 1

Task 5.1 Solution


We configure a special port-filter policy map on the control-plane host
subinterface. Notice that the port-filter class-map matches all closed ports but
excludes the two explicitly specified port numbers, 2001 and 7001. The aggregate
control-plane policing applies to all traffic except BGP and OSPF packets.

R1:
class-map type port-filter match-all CLOSED_PORTS
match closed-ports
match not port tcp 2001
match not port tcp 7001
!
class-map match-all ROUTING_TRAFFIC
match access-group name ROUTING_TRAFFIC
!
!
policy-map COPP
class ROUTING_TRAFFIC
class class-default
police rate 10000 pps

!
policy-map type port-filter PORT_FILTER
class CLOSED_PORTS
drop
!
control-plane host
service-policy type port-filter input PORT_FILTER
!
control-plane
service-policy input COPP

Task 5.1 Verification

 Note

Check the active control-plane features and the packet counters for each
subinterface.

Rack4R1#show control-plane features


Total 2 features configured

Control plane aggregate path features :

--------------------------------------------------------
Control-plane Policing activated Apr XX 200X 01:0

--------------------------------------------------------

Control plane host path features :

--------------------------------------------------------
TCP/UDP Portfilter activated Apr XX 200X 01:0

--------------------------------------------------------

Rack4R1#show control-plane counters


Feature Path Packets processed/dropped/errors
Aggregate 37039/0/0
Host 5062/0/0
Transit 54/0/0
Cef-exception 31923/0/0

Check the open ports in R1 and confirm that 2001 and 7001 are not auto-
detected (even though the rotary feature is configured):

Rack4R1#show control-plane host open-ports


Active internet connections (servers and established)
Prot  Local Address   Foreign Address     Service         State
tcp   *:23            *:0                 Telnet          LISTEN
tcp   *:179           150.4.2.2:54555     BGP             ESTABLIS
tcp   *:80            *:0                 HTTP CORE       LISTEN
tcp   *:179           *:0                 BGP             LISTEN
udp   *:67            *:0                 DHCPD Receive   LISTEN

Check the aggregate control plane policy:

Rack4R1#show policy-map control-plane


Control Plane

Service-policy input: COPP

Class-map: ROUTING_TRAFFIC (match-all)


12 packets, 642 bytes
5 minute offered rate 0 bps
Match: access-group name ROUTING_TRAFFIC

Class-map: class-default (match-any)


88 packets, 9042 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
rate 10000 pps, burst 2 packets
conformed 88 packets; actions:
transmit
exceeded 0 packets; actions:
drop
conformed 0 pps, exceed 0 pps

Task 5.2 Solution


We configure R6 with SNMPv3 to leverage its encryption capabilities. We need
to configure an engine ID for the remote entity (the AAA server) to be able to
send informs. We create a special user whose credentials are used to
authenticate and encrypt the SNMP messages. We enable informs toward the AAA
server for reliable delivery. Don’t forget to configure the ASA1 firewall to
permit the SNMP messages through.

R6:
snmp-server engineID remote 10.0.0.100 ABCD12345678
snmp-server group TRAP v3 priv
snmp-server user TRAP TRAP remote 10.0.0.100 v3 auth sha CISCO priv 3des CISCO
snmp-server host 10.0.0.100 informs version 3 priv TRAP
!
snmp-server enable traps envmon temperature

ASA1:
access-list OUTSIDE_IN permit udp any any eq 162

Task 5.2 Verification


Configure R6 to send syslog messages via SNMP. Set the level of the syslog
messages to informational. Generate a syslog message, for example by entering
and leaving configuration mode. Check R6’s SNMP statistics after this.

R6:
logging history informational
snmp-server enable traps syslog

Rack4R6# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack4R6(config)#exit
%SYS-5-CONFIG_I: Configured from console by console

Rack4R6#show snmp
Chassis: FTX1128F0GA
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
4 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP Dispatcher:
queue 0/75 (current/max), 0 dropped
SNMP Engine:
queue 0/1000 (current/max), 0 dropped

SNMP logging: disabled

SNMP Manager-role output packets


0 Get-request PDUs
0 Get-next PDUs
0 Get-bulk PDUs
0 Set-request PDUs
4 Inform-request PDUs
3 Timeouts
0 Drops
SNMP Manager-role input packets
0 Inform request PDUs
0 Trap PDUs
0 Response PDUs
0 Responses with errors

SNMP informs: enabled


Informs in flight 1/25 (current/max)
Logging to 10.0.0.100.162
1 sent, 1 in-flight, 0 retries, 0 failed, 0 dropped

Task 6.1 Solution


IPS:

In this solution, we show you how to reset the sensor. First, erase the current
configuration and reboot the sensor. Then configure the network settings,
including the hostname and the IP address.

ips# erase current-config


Warning: Removing the current-config file will result in all
configuration being reset to default, including system information such
as IP address.
User accounts will not be erased. They must be removed manually using
the "no username" command.
Continue? []: yes
Warning: The edit operation has no effect on the running configuration

ips# reset
Warning: Executing this command will stop all applications and reboot
the node.
Continue with reset? []: yes

sensor# conf t
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 132.1.170.10/24,132.1.170.1
sensor(config-hos-net)# login-banner-text "Welcome to IPS"
sensor(config-hos-net)# host-name Rack4IPS
sensor(config-hos-net)# exi
sensor(config-hos)# exi
Apply Changes:?[yes]: yes

Task 6.1 Verification


sensor(config-hos-net)# show settings
network-settings
-----------------------------------------------
host-ip: 132.1.170.10/24,132.1.170.1 default: 10.1.9.201/24,10.1.9.1
host-name: Rack4IPS default: sensor
telnet-option: disabled default: disabled
access-list (min: 0, max: 512, current: 0)
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: "Welcome to IPS" default:
-----------------------------------------------

Task 6.2 Solution


Configure the management ACL entries for the two subnets specified and enable
the telnet option. The HTTP server listens on port 443 by default.

IPS:
Rack4IPS# conf t
Rack4IPS(config)# service host
Rack4IPS(config-hos)# network-settings
Rack4IPS(config-hos-net)# access-list 10.0.0.0/24
Rack4IPS(config-hos-net)# telnet-option enabled
Rack4IPS(config-hos-net)# exit
Rack4IPS(config-hos)# exit
Apply Changes:?[yes]: yes
Rack4IPS(config)#

Enable SPAN monitoring in SW2, capturing the traffic received on interface
FastEthernet 0/14, which connects to ASA2’s Ethernet 0/2.

SW2:
monitor session 1 source interface FastEthernet 0/14 both
monitor session 1 destination interface FastEthernet 0/10

IPS:

Enable the physical interface and assign it to the virtual sensor:

Rack4IPS# conf t
Rack4IPS(config)# service interface
Rack4IPS(config-int)# physical-interfaces GigabitEthernet0/0
Rack4IPS(config-int-phy)# admin-state enabled
Rack4IPS(config-int-phy)# exit
Rack4IPS(config-int)# exit
Apply Changes:?[yes]: yes
Rack4IPS(config)# service analysis-engine
Rack4IPS(config-ana)# virtual-sensor vs0
Rack4IPS(config-ana-vir)# physical-interface GigabitEthernet0/0
Rack4IPS(config-ana-vir)# exit
Rack4IPS(config-ana)# exit
Apply Changes:?[yes]: yes

Task 6.2 Verification


First, try connecting to the sensor using telnet. Source the connection off R5’s
VLAN5 interface, which is in the subnet 10.0.0.0/24.

Rack4R5#telnet 132.1.170.10 /source-interface FastEthernet 0/1


Trying 132.1.170.10 ... Open

"Welcome to IPS"
login: cisco
Password: ciscoids4210
<snip>
Rack4IPS#

Now check that the interface is actually being monitored. Using the CLI, enable
the ICMP echo signature in the IPS:

Rack4IPS# conf t
Rack4IPS(config)# service signature-definition sig0
Rack4IPS(config-sig)# signatures 2004 0
Rack4IPS(config-sig-sig)# status
Rack4IPS(config-sig-sig-sta)# enabled true
Rack4IPS(config-sig-sig-sta)# exit
Rack4IPS(config-sig-sig)# exit
Rack4IPS(config-sig)# exit
Apply Changes?[yes]: yes

Now ping ASA2’s outside interface from SW1 and make sure the alert is
produced and stored in the event store:

Rack4SW1#ping 132.1.137.113

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 132.1.137.113, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/60/76 ms
Rack4SW1#

Rack4IPS# show events alert past 00:05:00

evIdsAlert: eventId=1241061131028812060 severity=informational


vendor=Cisco
originator:
hostId: Rack4IPS
appName: sensorApp
appInstanceId: 398
time: 2009/04/30 02:53:31 2009/04/30 02:53:31 UTC
signature: description=ICMP Echo Request id=2004 version=S1
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 132.1.137.7
target:
addr: locality=OUT 132.1.137.113
os: idSource=unknown relevance=relevant type=unknown
riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 35
threatRatingValue: 35
interface: ge0_0
protocol: icmp

Task 6.3 Solution


ASA2/ContextA & ContextB:
!
! Add local username to authenticate the IPS
!
username IPSNAC password CISCO
!
ssh 132.1.170.10 255.255.255.255 outside
!
! Generate the key to start SSH
!
domain-name INE.com
crypto key generate rsa general-keys modulus 512
!
! Enable local authentication for SSH
!
aaa authentication ssh console LOCAL

IPS:

For this task, we’ll configure network access using the CLI. First, we set up
the “never-block” host under the general sub-section of the network-access
section:

Rack4IPS# conf t
Rack4IPS(config)# service network-access
Rack4IPS(config-net)# general
Rack4IPS(config-net-gen)# never-block-hosts 132.1.138.100
Rack4IPS(config-net-gen)# exit

Create a user-profile to access the ASA firewall. Include the username and the
password in the profile.

Rack4IPS(config-net)# user-profiles ASA2


Rack4IPS(config-net-use)# username IPSNAC
Rack4IPS(config-net-use)# password
Enter password[]: CISCO
Re-enter password: CISCO
Rack4IPS(config-net-use)# exit

Now add two firewall devices to the IPS configuration. The devices correspond to
the firewall contexts in ASA2. Attach the user profile created to every device and
configure SSH as the communication protocol.

Rack4IPS(config-net)# firewall-devices 132.1.137.113


Rack4IPS(config-net-fir)# communication ssh-3des
Rack4IPS(config-net-fir)# profile-name ASA2
Rack4IPS(config-net-fir)# exit
Rack4IPS(config-net)# firewall-devices 132.1.137.213
Rack4IPS(config-net-fir)# communication ssh-3des
Rack4IPS(config-net-fir)# profile-name ASA2
Rack4IPS(config-net-fir)# exit
Rack4IPS(config-net-use)# exit
Rack4IPS(config-net)# exit
Apply Changes:?[yes]: yes

The last thing to do is to import the public key of every context’s SSH server
into the public key ring of the IPS. This allows the IPS to connect to the
virtual firewalls using SSH.

Rack4IPS(config)# ssh host-key 132.1.137.113


MD5 fingerprint is C0:98:84:CE:70:07:17:2A:3C:F3:57:89:8E:1A:C2:5E
Bubble Babble is xemom-getad-duhab-suryd-nomen-bivit-lysuf-zofyl-gugob-fudom-huxox
Would you like to add this to the known hosts table for this host?[yes]: yes

Rack4IPS(config)# ssh host-key 132.1.137.213


MD5 fingerprint is 84:7D:68:4E:22:CD:C8:23:3C:EA:4E:D3:B8:E6:22:E8
Bubble Babble is ximih-zivip-gycot-tipeg-tohab-fehur-hucac-gilyk-pozet-kafoh-bixax
Would you like to add this to the known hosts table for this host?[yes]: yes
Rack4IPS(config)#

Task 6.3 Verification


Verify that the IPS started SSH sessions with both security contexts in the
firewall.

Rack4ASA2/ContextB(config)# show ssh sessions

SID  Client IP       Version  Mode  Encryption  Hmac  State           Username
2    132.1.170.10    1.5      -     3DES        -     SessionStarted  IPSNAC

Rack4ASA2/ContextB(config)# changeto context ContextA


Rack4ASA2/ContextA(config)# show ssh sessions

SID  Client IP       Version  Mode  Encryption  Hmac  State           Username
1    132.1.170.10    1.5      -     3DES        -     SessionStarted  IPSNAC

Task 6.4 Solution


IDM:

Start the IPS Device Manager GUI and navigate to the Configuration panel.
Select Policies > Event Action Rules > rules0 and then click the
Target Value Rating tab.

Click the Add button and fill the fields according to the screenshot below.

Now click the Event Action Override tab and click the Add button. Fill in
the fields according to the screenshot below and click OK when done.

Click the Apply button when you are done configuring the Event Processing Rules.

Task 6.4 Breakdown


Recall the formula for Risk Rating (RR), which defines the potential impact of a
particular attack against the particular server:

RR = (Fidelity*Severity*TVR)/(100*100).

Target Value Rating (TVR) values are as follows: low (75), medium (100), high
(150), mission-critical (200). You assign them to the company’s assets, identified
by IP address. The default TVR value is medium (100).

Signature severity values are: info (25), low (50), medium (75), high (100). They
describe how dangerous the attack is and are part of the signature definition.
Finally, fidelity values tell how well a signature “recognizes” the corresponding
attack. They are also part of the signature definition and range from 0 to 100.

The “ICMP Echo” signature has a severity value of 25 and a fidelity rating of
100 by default. We are not allowed to change those per the task requirements.

Therefore, to get into the 50-100 corridor for this “low severity”, “high
fidelity” signature we must assign a TVR of “mission-critical” to subnet
132.X.138.0/24: (100*25*200)/(100*100) = 50, whereas the next lower value,
high (150), only yields 37.5.
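As an added example, not from the workbook, the following Python carries the Breakdown’s arithmetic through for every TVR value. The +10 attack-relevance adjustment and the 20-point deduction for the request-block-host action are additions of mine (the sensor’s published adjustments, which the Breakdown does not mention); they reconcile the base formula with the 35, 60 and 40 values printed in the alerts in the verification sections.

```python
# Added example (not from the workbook): risk rating arithmetic for the TVR choice.
TVR = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}
SEVERITY = {"info": 25, "low": 50, "medium": 75, "high": 100}
# Attack Relevance Rating adjustment the sensor adds to the base formula
# (assumption noted in the lead-in; "relevant" is what the alerts on this page show).
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}
# Threat rating deduction for the one action that appears in the alerts (assumption).
ACTION_DEDUCTION = {"request-block-host": 20}


def base_risk_rating(fidelity, severity, tvr):
    """RR = (Fidelity * Severity * TVR) / (100 * 100), the formula in the Breakdown."""
    return fidelity * severity * tvr / (100 * 100)


def risk_rating(fidelity, severity, tvr, relevance="relevant"):
    """riskRatingValue as the alert reports it: base RR plus ARR, clamped to 0..100."""
    return max(0, min(100, base_risk_rating(fidelity, severity, tvr) + ARR[relevance]))


def threat_rating(rr, actions=()):
    """threatRatingValue: the risk rating reduced for actions already taken."""
    return max(0, rr - sum(ACTION_DEDUCTION[a] for a in actions))


def tvrs_in_range(fidelity, severity, low=50, high=100):
    """TVR names whose base RR lands inside the override corridor [low, high]."""
    return [name for name, value in TVR.items()
            if low <= base_risk_rating(fidelity, severity, value) <= high]


def rr_table(fidelity, severity):
    """Base RR for every TVR, the table a candidate would work out for the task."""
    return {name: base_risk_rating(fidelity, severity, value) for name, value in TVR.items()}


def icmp_echo_example():
    """Signature 2004 (ICMP Echo): severity info=25 and fidelity 100, both fixed by the task."""
    fid, sev = 100, SEVERITY["info"]
    critical = risk_rating(fid, sev, TVR["mission-critical"])
    return {
        "table": rr_table(fid, sev),
        "tvr_choice": tvrs_in_range(fid, sev),
        "medium_alert_rr": risk_rating(fid, sev, TVR["medium"]),   # Task 6.2 alert: 35
        "critical_alert_rr": critical,                              # Task 6.4 alert: 60
        "critical_alert_tr": threat_rating(critical, ["request-block-host"]),  # 40
    }
```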

Task 6.4 Verification


Generate some ping packets toward SW2. Even though you cannot ping it, the
IPS will process them and trigger signature 2004, enabled previously. Notice
that because VLAN138 carries the mission-critical target value, the event action
override rule triggers and causes the IPS to issue a block command for the
source of the attack (SW1).

Rack4SW1#ping 132.1.138.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 132.1.138.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Rack4IPS# show events alert past 00:05:00


evIdsAlert: eventId=1241061131028812689 severity=informational
vendor=Cisco
originator:
hostId: Rack4IPS
appName: sensorApp
appInstanceId: 398
time: 2009/04/30 03:44:24 2009/04/30 03:44:24 UTC
signature: description=ICMP Echo Request id=2004 version=S1
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 132.1.137.7
target:
addr: locality=OUT 132.1.138.8
os: idSource=unknown relevance=relevant type=unknown
actions:
blockRequested: true
riskRatingValue: attackRelevanceRating=relevant targetValueRating=mission-critical 60
threatRatingValue: 40
interface: ge0_0
protocol: icmp

The second alert is a summary generated for 5 ICMP echo packets across the
default summarization interval.

evIdsAlert: eventId=1241061131028812712 severity=informational


vendor=Cisco
originator:
hostId: Rack4IPS
appName: sensorApp
appInstanceId: 398
time: 2009/04/30 03:44:54 2009/04/30 03:44:54 UTC
signature: description=ICMP Echo Request id=2004 version=S1
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 132.1.137.7
target:
addr: locality=OUT 132.1.138.8
os: idSource=unknown relevance=relevant type=unknown
summary: final=true initialAlert=1241061131028812689 summaryType=Regular 5
alertDetails: Regular Summary: 5 events this interval ;

riskRatingValue: attackRelevanceRating=relevant targetValueRating=mission-critical 60
threatRatingValue: 60
interface: ge0_0
protocol: icmp

Now log in to the ASA2 firewall, into any context, and check the active shuns.
There should be one installed for SW1.

Rack4ASA2/ContextA(config)# changeto context ContextB


Rack4ASA2/ContextB(config)# show shun
shun (outside) 132.1.137.7 0.0.0.0 0 0 0

Task 7.1 Solution

R1:
!
! CEF is required to match protocols
! (it should already be enabled, though)
!
ip cef

!
! Class-map to match URL containing the patterns
!
class-map match-any VIRUS
match protocol http url "*root.exe"
match protocol http url "*cmd.exe"

!
! Drop virus HTTP traffic
!
policy-map MITIGATE
class VIRUS
drop

!
! Apply the service policy
!
interface FastEthernet0/0
service-policy input MITIGATE

Task 7.1 Verification


To verify your configuration, simulate an HTTP request for the file named
root.exe from SW1 across R1. Notice the increment in the packet counters for the
class matching the URLs in the show policy-map output on R1.

Rack4SW1#copy http://150.4.2.2/root.exe null:


%Error opening http://150.4.2.2/root.exe (I/O error)
Rack4SW1#

Rack4R1#show policy-map interface Fastethernet 0/0


FastEthernet0/0

Service-policy input: MITIGATE

Class-map: VIRUS (match-any)


9 packets, 1468 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*root.exe"
9 packets, 1468 bytes
5 minute rate 0 bps
Match: protocol http url "*cmd.exe"
0 packets, 0 bytes
5 minute rate 0 bps
drop

Class-map: class-default (match-any)


143 packets, 29311 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

Task 7.2 Solution


SW1:

Notice the reverse logic of matching the SNMP packets. We deny the legitimate
SNMP packets in the access-list and permit all other SNMP packets. Next, we
configure a VLAN ACL that drops the packets matching (that is, permitted by) the
access-list and forwards everything else (don’t forget the trailing forward
entry, or all non-matching IP traffic will be dropped).

ip access-list extended SNMP_TO_VLAN137
!
! Legitimate SNMP from the management subnet: "deny" here means
! "not matched", so the VLAN ACL below does not drop it
!
deny udp 132.1.0.0 0.0.0.255 132.1.137.0 0.0.0.255 eq snmp

!
! Take care to drop only SNMP traffic to VLAN137, not the transit SNMP
!
permit udp any 132.1.137.0 0.0.0.255 eq snmp
deny ip any any

!
! VLAN filter configuration
!
vlan access-map SNMP_SECURITY 10
action drop
match ip address SNMP_TO_VLAN137
!
vlan access-map SNMP_SECURITY 20
action forward

!
! Apply VLAN filter
!
vlan filter SNMP_SECURITY vlan-list 137
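As an added example that is not part of the workbook, the following Python evaluates the SNMP_TO_VLAN137 ACL and the SNMP_SECURITY access-map above against a few constructed packets (the sample hosts are made up for this example) and shows what happens when sequence 20 is left out.

```python
# Added example (not from the workbook): IOS extended ACL + VACL semantics.
import ipaddress

SNMP_PORT = 161
ANY = ("0.0.0.0", "255.255.255.255")          # IOS "any"


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard is 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


# Entries as (action, protocol, (src, src_wc), (dst, dst_wc), dst_port or None),
# transcribed from 'ip access-list extended SNMP_TO_VLAN137' above.
SNMP_TO_VLAN137 = [
    ("deny",   "udp", ("132.1.0.0", "0.0.0.255"), ("132.1.137.0", "0.0.0.255"), SNMP_PORT),
    ("permit", "udp", ANY,                        ("132.1.137.0", "0.0.0.255"), SNMP_PORT),
    ("deny",   "ip",  ANY,                        ANY,                          None),
]


def acl_lookup(acl, pkt):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, proto, (src, src_wc), (dst, dst_wc), port in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if port is not None and port != pkt["dport"]:
            continue
        if wildcard_match(pkt["src"], src, src_wc) and wildcard_match(pkt["dst"], dst, dst_wc):
            return action
    return "deny"


# (sequence, action, match ACL) from 'vlan access-map SNMP_SECURITY'.
SNMP_SECURITY = [
    (10, "drop", SNMP_TO_VLAN137),
    (20, "forward", None),            # no match clause: matches every packet
]


def vacl_action(access_map, pkt):
    """A sequence applies only when its ACL *permits* the packet; an ACL deny just
    falls through to the next sequence. No sequence matching means the VACL drops."""
    for _seq, action, acl in access_map:
        if acl is None or acl_lookup(acl, pkt) == "permit":
            return action
    return "drop"


def packet(src, dst, proto="udp", dport=SNMP_PORT):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# Constructed sample traffic seen on VLAN137 (hosts chosen for this example).
SAMPLES = {
    "legit NMS SNMP":    packet("132.1.0.100", "132.1.137.1"),
    "foreign SNMP":      packet("10.0.0.100", "132.1.137.1"),
    "transit SNMP":      packet("132.1.0.100", "132.1.138.8"),
    "telnet to VLAN137": packet("10.0.0.100", "132.1.137.1", "tcp", 23),
}


def evaluate(access_map=SNMP_SECURITY):
    """Map each sample packet to the VACL verdict under the given access-map."""
    return {name: vacl_action(access_map, p) for name, p in SAMPLES.items()}
```

Calling evaluate(SNMP_SECURITY[:1]) models the access-map without its trailing forward entry: every packet, including the legitimate SNMP and the telnet session, is dropped.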

Task 7.3 Solution

R1:
aaa new-model
!
! Authenticate login via TACACS+ and configure
! safeguard settings for the console
!
aaa authentication login default group tacacs+
aaa authentication login CONSOLE none

!
! TACACS+ server settings
!
ip tacacs source-interface Loopback0
tacacs-server host 10.0.0.100 key CISCO

!
! Generate RSA key-pair to activate SSH
!
ip domain name INE.com
!
crypto key generate rsa general modulus 512

!
! Enable SSH as input transport
!
line vty 0 4
transport input ssh
login authentication default

!
! Apply the AAA lists to the console
!
line console 0
login authentication CONSOLE

SW1:
aaa new-model
!
aaa authentication login default group tacacs+
aaa authentication login CONSOLE none
!
ip tacacs source-interface Loopback0
tacacs-server host 10.0.0.100 key CISCO

!
! Generate RSA keys
!
ip domain name INE.com
!
crypto key generate rsa general modulus 512
!
line vty 0 15
transport input ssh
login authentication default
!
line console 0
login authentication CONSOLE

ACS:

Step 1:

Add R1 and SW1 as the AAA Clients to the ACS. Run the ACS Admin utility,
click the Network Configuration button, and then click the Add Entry
button. Fill in the fields according to the screenshot below and click Submit +
Apply when done.

Repeat the same steps with SW1 using its Loopback0 IP address.

Step 2:

Add a new user to the ACS database. Click the User Setup button, enter the
name “SSH” and click the Add/Edit button. Specify the Password value of
“CISCO” for this user and click Submit when you’re done.

Task 7.3 Verification


Rack4R1#test aaa group tacacs+ SSH CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Rack4SW1#telnet 150.4.1.1
Trying 150.4.1.1 ...
% Connection refused by remote host

Rack4SW1#ssh -l SSH 150.4.1.1

Password: CISCO

Rack4R1>

Task 7.4 Solution
R6:
!
! Disable DHCP/BOOTP
!
no ip bootp server
no service dhcp

!
! Disable CDP/ProxyARP
!
interface FastEthernet0/0
no cdp enable
no ip proxy-arp

!
! Rate-Limit ICMP unreachables
!
ip icmp rate-limit unreachable 1000

!
banner login $
Access to this device or the attached networks is prohibited without
express written permission.
$

Task 7.4 Verification


You may use the command show control-plane host open-ports to check the
listening TCP/UDP ports. However, the DHCP port will not show up until you
configure at least one DHCP pool. You can check the IP services active on the
interface using the commands below:

Rack4R6#show ip interface FastEthernet 0/0


Ethernet0/0 is up, line protocol is up
Internet address is 132.1.69.6/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
<snip>

Rack4R6#show cdp int FastEthernet 0/0

Rack4R6#

Task 8.1 Solution


The legacy CAR command is somewhat more CPU-efficient than MQC policing.
However, the difference is barely noticeable, so on modern devices you can
simply use the MQC police command.

R6:
!
! Classify traffic
!
access-list 100 permit icmp any any echo

!
! Apply the input rate-limit
!
interface Serial0/0/0
rate-limit input access-group 100 128000 4000 4000 conform-action transmit exceed-action drop

Task 8.1 Verification


Rack4R6#show interfaces serial 0/0/0 rate-limit
Serial0/0
Input
matches: access-group 100
params: 128000 bps, 4000 limit, 4000 extended limit
conformed 558 packets, 281232 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 52ms ago, current burst: 0 bytes
last cleared 00:02:43 ago, conformed 13000 bps, exceeded 0 bps

Task 8.2 Solution


SW1:
interface FastEthernet0/16
switchport mode access
switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address 1234.5678.9abc

Task 8.2 Verification


Rack4SW1#show port-security interface fastEthernet 0/16
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

Rack4SW1#show port-security interface fastEthernet 0/16 address


Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type               Ports    Remaining Age (mins)
----    -----------       ----               -----    --------------------
   1    1234.5678.9abc    SecureConfigured   Fa0/16   -
------------------------------------------------------------------------

Task 8.3 Solution


In this task, we know the source of the attack. When you know the source of a
DoS attack, you can use RTBH to drop traffic sourced from the known subnet. This
relies on the uRPF feature, which drops packets sourced from subnets that
resolve to Null0 locally. We configure the edge routers with a special /32 route
to Null0 and advertise the source subnet within the borders of our AS, with the
next hop of the filtered prefix set to the /32 route that resolves to Null0.
Thus, the border routers drop all traffic sourced from this subnet that enters
on the interfaces configured for uRPF.

R2:
!
! Inject static routes into BGP
!
router bgp 100
redistribute static route-map STATIC_TO_BGP
!
! A /32 route used as next-hop to “drop” the packets
! It should be configured on every participating router.
!
ip route 192.0.2.1 255.255.255.255 null0

!
! Blackhole route, the one we want to screen
! In this case – source network, that will be
! filtered out by the virtue of CEF uRPF processing
!
ip route 115.0.0.0 255.0.0.0 null0 tag 100

!
! Route-map to signal the RTBH information.
! The origin and local preference are changed to ensure
! that the injected route is always preferred.
! The no-export community contains the RTBH prefix within
! our AS; matching on the tag keeps the route lookup scalable.
! Set ip next-hop propagates the "null" next-hop to peers.
!
route-map STATIC_TO_BGP permit 10
match tag 100
set local-preference 200
set origin igp
set community no-export
set ip next-hop 192.0.2.1

R6:
!
! A /32 route used as next-hop to “drop” the packets
! It should be configured on every participating router.
!
ip route 192.0.2.1 255.255.255.255 null0
!
! Ensure that CEF is enabled (it already is, from the previous tasks);
! uRPF requires CEF.
!
ip cef

!
! Enable uRPF on the edge interface to drop packets based on source IP
! (it was already enabled in a previous task).
!
interface Serial 0/0
ip verify unicast reverse-path

!
! Disable ICMP unreachables so the router does not spend CPU generating
! them for the blackholed traffic
!
interface Null0
no ip unreachables

Task 8.3 Verification


Check R6's BGP table. Notice that the prefix 115.0.0.0/8 is learned both via
eBGP from BB1 and via iBGP from R2. The latter is preferred due to its higher
local preference.

Rack4R6#show ip bgp
BGP table version is 17, local router ID is 150.4.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 112.0.0.0 54.4.2.254 0 0 54 50 60 i
*> 113.0.0.0 54.4.2.254 0 0 54 50 60 i
*> 114.0.0.0 54.4.2.254 0 0 54 i
*>i115.0.0.0 192.0.2.1 0 200 0 i
* 54.4.2.254 0 0 54 i
*> 116.0.0.0 54.4.2.254 0 0 54 i
*> 117.0.0.0 54.4.2.254 0 0 54 i
*> 118.0.0.0 54.4.2.254 0 0 54 i
*> 119.0.0.0 54.4.2.254 0 0 54 i
*> 132.1.0.0 0.0.0.0 0 32768 i
*> 150.4.0.0 0.0.0.0 0 32768 i

Check the prefix 115.0.0.0/8 in R6's RIB. Notice that it has the next-hop
192.0.2.1, which resolves to Null0. Thus the CEF entry for 115.0.0.0/8 points
to Null0 as well.

Rack4R6#show ip route 115.0.0.0


Routing entry for 115.0.0.0/8
Known via "bgp 100", distance 200, metric 0, type internal
Last update from 192.0.2.1 00:01:28 ago
Routing Descriptor Blocks:
* 192.0.2.1, from 150.4.2.2, 00:01:28 ago
Route metric is 0, traffic share count is 1
AS Hops 0

Rack4R6#show ip cef 115.0.0.0


115.0.0.0/8, version 68, epoch 0
0 packets, 0 bytes
via 192.0.2.1, 0 dependencies, recursive
next hop 192.0.2.1, Null0 via 192.0.2.1/32
valid null adjacency

The next part of the verification cannot be performed on a rental rack, since
you most likely do not have privileged exec access to BB1; it is provided for
clarity. Pings sourced from 115.0.0.1 are dropped by uRPF, while pings sourced
from 112.0.0.1, a subnet that is not blackholed, reach the inside devices.

BB1-FRS#ping 150.4.6.6 source loopback 115 timeout 1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 150.4.6.6, timeout is 1 seconds:
Packet sent with a source address of 115.0.0.1
.....
Success rate is 0 percent (0/5)

BB1-FRS#ping 150.4.6.6 source loopback 112 timeout 1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 150.4.6.6, timeout is 1 seconds:
Packet sent with a source address of 112.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms

IEWB-SC-VOL2 Lab 3 Solutions

Note

The non-configured IPS sensor in this scenario breaks the network into two
segments. You need to configure the IPS appliance for inline monitoring to obtain
connectivity through the network. See the respective section for the IPS solutions.

Task 1.1 Solution


ASA1:
hostname Rack4ASA1

!
! Create the Redundant interface and add members to it
!
interface redundant 8
member-interface Ethernet 0/1
member-interface Ethernet 0/0

!
! With redundant interfaces, nothing is configured on physical ones
!
interface Ethernet 0/0
no shutdown
!
interface Ethernet 0/1
no shutdown

!
! Configure the Redundant interface and sub-interface
!
interface redundant8
nameif IN
security-level 99
ip address 174.1.127.12 255.255.255.0
ospf authentication-key CISCO
ospf authentication
!

interface redundant8.124
vlan 124
nameif OUT
security-level 1
ip address 174.1.124.12 255.255.255.0

!
! Configure Unicast RPF for packets arriving on the IN interface
!
ip verify reverse-path interface IN

!
! Advertise the IN interface into OSPF area 51 and originate a default route
!
router ospf 1
network 174.1.127.12 255.255.255.255 area 51
default-information originate

!
! Since we did not use "default-information originate always",
! a default route must exist in the routing table for OSPF to advertise it.
!
route OUT 0 0 174.1.124.4

SW1:
!
! Configure dot1q trunking for the interface to ASA1. Make native VLAN
! 127 so that traffic passes untagged. Optionally we can set “portfast
! trunk” for direct transition of trunk to STP forwarding state.
!
interface FastEthernet 0/13
switchport trunk encap dot1q
switchport mode trunk
switchport trunk native vlan 127
spanning-tree portfast trunk

SW2:
interface FastEthernet 0/12
switchport trunk encap dot1q
switchport mode trunk
switchport trunk native vlan 127
spanning-tree portfast trunk

Task 1.1 Verification


Check basic connectivity and verify ASA interface redundancy. Be aware that this
feature is not preemptive, so after testing it may be necessary to manually
select the active interface with the command redundant-interface redundant 8
active-member Ethernet 0/1.

Rack4ASA1# ping 174.1.124.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.124.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Rack4ASA1# ping 174.1.127.7


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.127.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA1# show nameif


Interface Name Security
Redundant8 IN 99
Redundant8.124 OUT 1

For redundancy testing, shut down SW1's Fa0/13 interface, then check redundancy
and connectivity again. After the test, bring Fa0/13 back up and make sure that
Ethernet0/1 is the active interface on ASA1.

Rack4ASA1# show interface redundant 8 detail | grep Member


Member Ethernet0/1(Active), Ethernet0/0

Rack4SW1(config)#interface fastEthernet 0/13


Rack4SW1(config-if)#shutdown

Rack4ASA1# show interface redundant 8 detail | grep Member


Member Ethernet0/0(Active), Ethernet0/1

Rack4ASA1# ping 174.1.124.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.124.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA1# ping 174.1.127.7


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.127.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

The ASA's IN interface sends and receives untagged traffic but must still belong
to VLAN 127, so the native VLAN on the trunks of both switches is set to 127.
Verify the trunks and the OSPF neighbor on the IN interface.

Rack4SW1#show interfaces FastEthernet 0/13 trunk


Port Mode Encapsulation Status Native vlan
Fa0/13 on 802.1q trunking 127
!
Rack4SW2#show interfaces fastEthernet 0/12 trunk
Port Mode Encapsulation Status Native vlan
Fa0/12 on 802.1q trunking 127

Rack4ASA1# show ospf neighbor


Neighbor ID     Pri   State           Dead Time   Address         Interface
150.4.7.7         1   FULL/DR         0:00:32     174.1.127.7     IN

Rack4ASA1# show ospf interface IN | grep authentication


Simple password authentication enabled

For Unicast RPF testing, create a Loopback on SW1 (make sure not to advertise
the Loopback subnet into OSPF), ping the ASA inside interface sourced from it
and check the drop counter. Since the ASA has no route back to 1.1.1.1, the
packets fail the reverse-path check. Make sure to remove the Loopback after the
test.

Rack4ASA1# show ip verify statistics interface IN


interface IN: 0 unicast rpf drops
!
Rack4SW1#conf t
Rack4SW1(config)#interface loopback 2
Rack4SW1(config-if)#ip address 1.1.1.1 255.255.255.255
Rack4SW1#ping 174.1.127.12 source loopback 2 repeat 2

Type escape sequence to abort.


Sending 2, 100-byte ICMP Echos to 174.1.127.12, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
..
Success rate is 0 percent (0/2)
!
Rack4ASA1# show route IN | grep 1.1.1.1
Rack4ASA1# show ip verify statistics interface IN
interface IN: 2 unicast rpf drops

Task 1.2 Solution


ASA2:
hostname Rack4ASA2
!
! Configure interfaces as required
!
interface Ethernet 0/0
no shutdown
nameif VLAN135
security-level 10
ip address 174.1.135.13 255.255.255.0
!
interface Ethernet 0/1
no shutdown
nameif VLAN132
security-level 90
ip address 192.10.4.13 255.255.255.0

!
! Standard access-list matching only the default route
! (RIP distribute-lists on the ASA take a standard ACL)
!
access-list DEFAULT_ROUTE standard permit host 0.0.0.0

!
! Standard access-list matching everything but the default route
!
access-list NO_DEFAULT_ROUTE standard deny host 0.0.0.0
access-list NO_DEFAULT_ROUTE standard permit any

!
! Configure RIP filtering and originate default route
!
router rip
version 2
no auto-summary
network 174.1.0.0
network 192.10.4.0
default-information originate
distribute-list NO_DEFAULT_ROUTE out interface VLAN135
distribute-list DEFAULT_ROUTE out interface VLAN132

!
! Configure RIP MD5 authentication
!
interface Ethernet 0/0
rip authentication key CISCO key_id 1
rip authentication mode md5
!
interface Ethernet 0/1
rip authentication key CISCO key_id 1
rip authentication mode md5

Task 1.2 Verification


Verify basic connectivity and RIP configuration.

Rack4ASA2# ping 192.10.4.254


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

Rack4ASA2# ping 174.1.135.5


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.135.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA2# show nameif


Interface Name Security
Ethernet0/0 VLAN135 10
Ethernet0/1 VLAN132 90

Rack4ASA2# more system:running-config | grep rip au|et0/0|et0/1


interface Ethernet0/0
rip authentication mode md5
rip authentication key CISCO key_id 1
interface Ethernet0/1
rip authentication mode md5
rip authentication key CISCO key_id 1

Confirm that R5 receives RIP updates from the ASA but not the default route,
and make sure that BB2 receives the default route. Since access to the backbone
routers is not available, one way to test that BB2 gets the default route from
ASA2 is to create a Loopback on R5 (DO NOT advertise it into RIP) and ping the
BB2 subnet sourced from that Loopback; BB2 can only reply if it has the default
route. For ICMP to work we need to permit it through ASA2 and give ASA2 a route
back to the Loopback. Make sure to remove the testing configuration afterwards.

Rack4R5#show ip route rip


R 222.22.2.0/24 [120/8] via 174.1.135.13, 00:00:04, FastEthernet0/0
R 220.20.3.0/24 [120/8] via 174.1.135.13, 00:00:04, FastEthernet0/0
R 192.10.4.0/24 [120/1] via 174.1.135.13, 00:00:04, FastEthernet0/0
R 205.90.31.0/24 [120/8] via 174.1.135.13, 00:00:04, FastEthernet0/0

Rack4ASA2# show run access-list TEST


access-list TEST extended permit icmp host 1.1.1.1 host 192.10.4.254 echo

Rack4ASA2# show run access-group


access-group TEST in interface VLAN135

Rack4ASA2# show running-config route


route VLAN135 1.1.1.1 255.255.255.255 174.1.135.5 1

Rack4R5#show running-config interface loopback 1


interface Loopback1
ip address 1.1.1.1 255.255.255.255

Rack4R5#ping 192.10.4.254 source loopback 1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

Task 1.3 Solution


For the ACL to contain no IP addresses, we configure name-to-address mappings
for the hosts and networks it references. The names command must be enabled
before the name entries are accepted.

ASA1:
!
! Enable name mappings, then use the names instead of IPs in the access-lists
!
names
name 174.1.124.100 ACS_POST_NAT_IP
name 10.0.0.100 ACS_PRE_NAT_IP
name 174.1.124.6 R6_POST_NAT_IP
name 150.4.6.6 R6_PRE_NAT_IP
name 150.4.5.5 R5

!
! Configure static NAT for R6 Loopback and ACS
!
static (IN,OUT) ACS_POST_NAT_IP ACS_PRE_NAT_IP 250 200 udp 300
static (IN,OUT) R6_POST_NAT_IP R6_PRE_NAT_IP
!
access-list OUTSIDE_IN permit tcp any host ACS_POST_NAT_IP eq 49
access-list OUTSIDE_IN permit udp any host ACS_POST_NAT_IP eq 1645
access-list OUTSIDE_IN permit udp any host ACS_POST_NAT_IP eq 1646
access-list OUTSIDE_IN permit udp any host ACS_POST_NAT_IP eq 1812
access-list OUTSIDE_IN permit udp any host ACS_POST_NAT_IP eq 1813
access-list OUTSIDE_IN permit tcp host R5 host R6_POST_NAT_IP eq bgp
access-list OUTSIDE_IN permit icmp any any echo
access-list OUTSIDE_IN permit icmp any any echo-reply
!
access-group OUTSIDE_IN in interface OUT

Task 1.3 Verification


Verify that R5 and R6 have iBGP peering established using the translated
address. Verify translation on the ASA. Check ICMP connectivity through the
firewall.

Rack4R5#show ip bgp summary | b Neighbor


Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
174.1.124.6     4   100    1881    1893       15    0    0 1d07h           8
204.12.4.254    4    54    2978    2982       15    0    0 2d01h           2

Rack4ASA1# show conn long | i R6


TCP OUT:R5/179 (R5/179) IN:R6_PRE_NAT_IP/51342 (R6_POST_NAT_IP/51342),
flags UIO, idle 27s, uptime 1D7h, timeout 1h0m, bytes 72394

Rack4ASA1# show running-config names | i R6


name 174.1.124.6 R6_POST_NAT_IP
name 150.4.6.6 R6_PRE_NAT_IP

Rack4R5#ping 174.1.124.6 source loopback 0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 174.1.124.6, timeout is 2 seconds:
Packet sent with a source address of 150.4.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/113/117 ms

Rack4ASA1# show conn long | i ICMP


ICMP OUT:R5/6 (R5/6) IN:R6_PRE_NAT_IP/0 (R6_POST_NAT_IP/0), idle 0s,
uptime 4s, timeout 2s, bytes 2736
ICMP OUT:R5/6 (R5/6) IN:R6_PRE_NAT_IP/0 (R6_POST_NAT_IP/0), idle 0s,
uptime 4s, timeout 2s, bytes 2736

Task 1.4 Solution


To accomplish this task we use object-group nesting, where two object groups of
the same type are grouped into another object group.

ASA1:
! First create both object-groups
object-group network HOSTS1
network-object host 10.0.0.100
network-object host 10.0.0.101
!
object-group network HOSTS2
network-object host 10.0.0.200
network-object host 10.0.0.201
!
! Configure the nested object-group
object-group network HOSTS
group-object HOSTS1
group-object HOSTS2

!
! Call the nested object-group in the ACL
access-list INSIDE_IN deny icmp object-group HOSTS any echo
access-list INSIDE_IN permit ip any any
!
access-group INSIDE_IN in interface IN

Task 1.4 Verification


For testing purposes, we create a Loopback with the IP address 10.0.0.101 (a
member of HOSTS1) on SW1 and ping a subnet on the outside of the ASA.

Rack4SW1#show running-config interface loopback 1


Building configuration...

Current configuration : 66 bytes


!
interface Loopback1
ip address 10.0.0.101 255.255.255.255

Rack4SW1#show running-config | i ip route


ip route 174.1.124.0 255.255.255.0 174.1.127.12

Rack4SW1#ping 174.1.124.4 source loopback 1 re 2

Type escape sequence to abort.


Sending 2, 100-byte ICMP Echos to 174.1.124.4, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.101
..
Success rate is 0 percent (0/2)

Rack4ASA1# show access-list INSIDE_IN


access-list INSIDE_IN; 5 elements
access-list INSIDE_IN line 1 extended deny icmp object-group HOSTS any echo 0x46c042b5
access-list INSIDE_IN line 1 extended deny icmp host ACS_PRE_NAT_IP any echo (hitcnt=0) 0xac973a88
access-list INSIDE_IN line 1 extended deny icmp host 10.0.0.101 any echo (hitcnt=2) 0x592263e6
access-list INSIDE_IN line 1 extended deny icmp host 10.0.0.200 any echo (hitcnt=0) 0xf1d5e758
access-list INSIDE_IN line 1 extended deny icmp host 10.0.0.201 any echo (hitcnt=0) 0x896d495d

Task 1.5 Solution


Although the task talks about the Exchange server, ESMTP inspection is applied
in the global policy. Since ESMTP on port 25 is already inspected by default, we
only need to add inspection for port 2525.

ASA2:
static (VLAN132,VLAN135) 174.1.135.200 192.10.4.200

!
! Permit traffic on ports 25 and 2525 for SMTP server
!
access-list OUTSIDE_IN permit tcp any host 174.1.135.200 eq 25
access-list OUTSIDE_IN permit tcp any host 174.1.135.200 eq 2525
access-group OUTSIDE_IN in interface VLAN135

!
! Create the class-map for port TCP 2525 matching
!
class-map SMTP_PORT_2525
match port tcp eq 2525

!
! Apply inspection policy for ESMTP on port 2525
!
policy-map global_policy
class SMTP_PORT_2525
inspect esmtp

Task 1.5 Verification


Rack4ASA2# show service-policy global inspect esmtp

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
mask-banner, count 0
match cmd line length gt 512
drop-connection log, packet 0
match cmd RCPT count gt 100
drop-connection log, packet 0
match body line length gt 998

log, packet 0
match header line length gt 998
drop-connection log, packet 0
match sender-address length gt 320
drop-connection log, packet 0
match MIME filename length gt 255
drop-connection log, packet 0
match ehlo-reply-parameter others
mask, packet 0
Class-map: SMTP_PORT_2525
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
mask-banner, count 0
match cmd line length gt 512
drop-connection log, packet 0
match cmd RCPT count gt 100
drop-connection log, packet 0
match body line length gt 998
log, packet 0
match header line length gt 998
drop-connection log, packet 0
match sender-address length gt 320
drop-connection log, packet 0
match MIME filename length gt 255
drop-connection log, packet 0
match ehlo-reply-parameter others
mask, packet 0

Task 1.6 Solution


You can only configure a solution for this task after you have finished the VPN
section configurations.

ASA2:
!
! Permit HTTP and FTP control session
!
access-list OUTSIDE_IN permit tcp any host 192.10.4.75 eq 21
access-list OUTSIDE_IN permit tcp any host 192.10.4.75 eq 80
!
! Identify HTTP traffic and FTP data session
!
access-list DATA permit tcp host 192.10.4.75 eq 80 any
access-list DATA permit tcp host 192.10.4.75 eq 20 any
!
! Create class-maps to match traffic
!
class-map DATA
match access-list DATA

class-map VOICE
match rtp 16384 16383

class-map L2L_VPN_TRAFFIC
match tunnel-group Rack4ASA1.INE.com
match flow ip destination-address
!
class-map RA_VPN_TRAFFIC
match tunnel-group IPSECGROUP
match flow ip destination-address

!
! Create policy-map with required traffic restrictions
!
policy-map OUTSIDE
class DATA
police output 2000000
class VOICE
priority
class L2L_VPN_TRAFFIC
police output 512000
class RA_VPN_TRAFFIC
police output 64000

!
! Enable priority queuing on VLAN135 interface
!
priority-queue VLAN135
!
! Apply policy-map
service-policy OUTSIDE interface VLAN135

Task 1.6 Verification


Verify that priority-queuing is enabled on VLAN135 and verify traffic is policed as
asked.

Rack4ASA2# show priority-queue config vlAN135

Priority-Queue Config interface VLAN135


                current   default   range
queue-limit        2048      2048   0 - 2048
tx-ring-limit        80        80   3 - 256

Rack4ASA2# show service-policy interface vlAN135

Interface VLAN135:
Service-policy: OUTSIDE
Class-map: DATA
Output police Interface VLAN135:
cir 2000000 bps, bc 62500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Class-map: VOICE
Priority:
Interface VLAN135: aggregate drop 0, aggregate transmit 0
Class-map: L2L_VPN_TRAFFIC
Output police Interface VLAN135:
cir 512000 bps, bc 16000 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Class-map: RA_VPN_TRAFFIC
Output police Interface VLAN135:
cir 64000 bps, bc 2000 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Class-map: class-default

Default Queueing

Task 1.7 Solution


Configure syslog over TCP, since a reliable transport is requested. As with any
other task in the Security lab, look closely at the diagram to see whether
additional permissions are needed. Here we need to allow the syslog traffic on
the OUT interface of ASA1, coming from ASA2's VLAN135 interface and destined to
the translated IP of the AAA server.

ASA2:
!
! Enable logging on the ASA. Unlike on routers, it is not enabled
! by default.
!
logging enable
logging trap informational
!
! Facility 22 corresponds to LOCAL6; (16 corresponds to LOCAL0)
!
logging facility 22

!
! Set up the syslog server using TCP (IP protocol 6) on port 1470,
! the ASA's default syslog port for TCP. The host is the translated
! address of the AAA server.
!
logging host VLAN135 174.1.124.100 6/1470

ASA1:
! Configure permissions for syslog traffic to pass
access-list OUTSIDE_IN permit tcp host 174.1.135.13 host ACS_POST_NAT_IP eq 1470

Task 1.7 Verification


Since there is no syslog server listening on TCP on the AAA machine, we can only
check the configuration on the ASA; the retry counter in the output shows the
unanswered connection attempts. Be aware that with TCP syslog the ASA by default
stops permitting new connections through it while the syslog server is
unreachable; logging permit-hostdown changes that behavior if it is not
acceptable.

Rack4ASA2# show logging


Syslog logging: enabled
Facility: 22
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level informational, 31 messages logged
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 22, 29 messages logged
Logging to VLAN135 174.1.124.100 tcp/1470 retry: Attempt 2
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled

Task 2.1 Solution


Create inspection rules. We could then apply the rule on outbound direction for
interface Fa0/0, or inbound direction for all Fa0/1, S0/0, S0/1. Since we have no
specific requirement, we can use either, but the first option is simpler as it needs
less configuration.

R5:
!
! Configure CBAC for telnet and smtp with audit-trail
!
ip inspect name MYCBAC telnet audit-trail on
ip inspect name MYCBAC smtp audit-trail on

!
! Enable logging to the ACS. Use Loopback0 as the source, since R5's
! Loopback0 address is what ASA1 permits towards the AAA server.
!
logging host 174.1.124.100
logging trap info

logging on
logging source-interface loopback 0

!
! Create an access-list to drop TCP traffic from ports 23 & 25 of
! 192.10.4.50 unless CBAC has opened the session
ip access-list extended VLAN135_IN
deny tcp host 192.10.4.50 eq 23 any
deny tcp host 192.10.4.50 eq 25 any
permit ip any any

!
! Apply inspection in Outbound direction and ACL in inbound
!
interface fastEthernet 0/0
ip access-group VLAN135_IN in
ip inspect MYCBAC out

ASA2:
!
! Allow telnet and smtp traffic to pass through the ASA2, coming on
! VLAN135 interface
!
access-list OUTSIDE_IN permit tcp any host 192.10.4.50 eq 23
access-list OUTSIDE_IN permit tcp any host 192.10.4.50 eq 25

ASA1:
!
! Allow syslog traffic from R5 Loopback 0 to AAA server to pass through
! ASA1, coming on OUT interface
!
access-list OUTSIDE_IN permit udp host R5 host 174.1.124.100 eq 514

Task 2.1 Verification


There is no 192.10.4.50 host on that subnet. For verification, we will permit telnet
traffic destined to BB2 192.10.4.254 to pass through ASA2. Make sure to remove
any testing configuration afterwards. Verify CBAC configuration.

Rack4ASA2# show run access-list OUTSIDE_IN | i 192.10.4.254


access-list OUTSIDE_IN extended permit tcp any host 192.10.4.254 eq telnet

Rack4R4#telnet 192.10.4.254
Trying 192.10.4.254 ... Open

+---------------------------------------------------------------------+
|                                                                     |
| Welcome to BB2. These commands are available for use at privilege 0 |
|                                                                     |
|   ping                        show ip bgp                           |
|   telnet                      show ip bgp neighbors                 |
|   traceroute                  show ip bgp summary                   |
|   show ip route               show ip interface brief               |
|   show ip protocols                                                 |
|                                                                     |
| The reference configuration for this device is available at:        |
|   http://www.internetworkexpert.com/downloads/bb2.txt               |
|                                                                     |
+---------------------------------------------------------------------+

Rack4R5#show ip inspect sessions


Established Sessions
Session 84663CB8 (174.1.145.4:13135)=>(192.10.4.254:23) telnet SIS_OPEN
*Jun 8 15:33:05.985: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet

Rack4R5#clear ip inspect session 84663CB8


*Jun 8 15:41:47.372: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session:
initiator (174.1.145.4:13135) sent 157 bytes -- responder
(192.10.4.254:23) sent 1593 bytes


Rack4R5#show ip inspect config


Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name MYCBAC

telnet alert is on audit-trail is on timeout 3600


smtp max-data 20000000 alert is on audit-trail is on timeout 3600

Task 2.2 Solution


R5:
!
! Create access-list to identify host 192.10.4.60
!
access-list 99 permit host 192.10.4.60

!
! Add the required port mapping only for the host in ACL 99
!
ip port-map ftp port 80 list 99
ip port-map http port 21 list 99

!
! Add additional inspections to the inspect from task 2.1
!
ip inspect name MYCBAC http
ip inspect name MYCBAC ftp

!
! Edit the ACL and enter in new deny statements.
!
ip access-list extended VLAN135_IN
no permit ip any any
deny tcp host 192.10.4.60 eq 21 any
deny tcp host 192.10.4.60 eq 80 any
permit ip any any

ASA2:
!
! Allow ftp control connection traffic from any host to 192.10.4.60 to
! pass through ASA2, coming on VLAN135 interface
!
access-list OUTSIDE_IN permit tcp any host 192.10.4.60 eq 21
access-list OUTSIDE_IN permit tcp any host 192.10.4.60 eq 80

!
! Configuration required only for passive FTP
! First identify FTP traffic in ACL
!
access-list FTP permit tcp any host 192.10.4.60 eq 80

!
! Create the class-map for matching non-default FTP traffic
!
class-map FTP_PORT_80
match access-list FTP

!
! Configure & apply inspection policy for FTP on port 80 only on
! VLAN135 interface
!
policy-map VLAN135
class FTP_PORT_80
inspect ftp
!
service-policy VLAN135 interface VLAN135

Task 2.2 Verification


Verify HTTP and FTP port mapping and CBAC inspection for this traffic.

Rack4R5#show ip port-map http


Default mapping:  http      tcp port 80                    system defined
Host specific:    http      tcp port 21   in list 99       user defined

Rack4R5#show ip port-map ftp


Default mapping:  ftp       tcp port 21                    system defined
Host specific:    ftp       tcp port 80   in list 99       user defined

Rack4R5#show ip inspect config


Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name MYCBAC
telnet alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
http alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600

Task 2.3 Solution


R3:
!
! Create security zones
!
zone security A
zone security B
zone security C

!
! Class-maps to identify TCP/UDP/ICMP traffic
!
class-map type inspect TCP
match protocol tcp
class-map type inspect UDP
match protocol udp
class-map type inspect ICMP
match protocol icmp

!
! Policy for A to C zone traffic
!
policy-map type inspect A_TO_C
class TCP
inspect
class UDP
inspect
class ICMP
pass

!
! Policy for B to C zone traffic
!
policy-map type inspect B_TO_C
class TCP
inspect
class UDP
inspect
class ICMP
pass

!
! Policy for C to B zone traffic
!
policy-map type inspect C_TO_B
class ICMP
pass

!
! Policy for C to A zone traffic
!
policy-map type inspect C_TO_A
class ICMP
pass
!
! Policy for A to B zone traffic
!
policy-map type inspect A_TO_B
class ICMP
pass

!
! Policy for B to A zone traffic
!
policy-map type inspect B_TO_A
class ICMP
pass

!
! Define zone pairs and apply policy
!
zone-pair sec AB source A dest B
service-policy type inspect A_TO_B
!
zone-pair sec AC source A dest C
service-policy type inspect A_TO_C
!
zone-pair sec BA source B dest A
service-policy type inspect B_TO_A
!
zone-pair sec BC source B dest C
service-policy type inspect B_TO_C
!
zone-pair sec CA source C dest A
service-policy type inspect C_TO_A
!
zone-pair sec CB source C dest B
service-policy type inspect C_TO_B
!
! Assign zones to interfaces
interface fastEthernet 0/0
zone security A
!
interface FastEthernet 0/1
zone security B

interface Serial 1/0.23
zone security C

!
! Different approaches to traffic classification
! Combined ACL classification
!
ip access-list extended ACS_SERVER
permit ip any host 10.0.0.100
!
ip access-list extended TACACS
permit tcp any any eq 49

!
! ACL + Match protocol
!
class-map type inspect match-all TACACS
match access-group name ACS_SERVER
match access-group name TACACS
!
class-map type inspect match-all RADIUS
match protocol radius
match access-group name ACS_SERVER
!
policy-map type inspect C_TO_A
class TACACS
inspect
class RADIUS
inspect

ip access-list extended ASA2_LOGGING
permit tcp host 174.1.135.13 host 10.0.0.100 eq 1470
!
ip access-list extended R5_TO_ACS
permit udp host 150.4.5.5 host 10.0.0.100
!
class-map type inspect match-all ASA2_LOGGING
match access-group name ASA2_LOGGING
!
class-map type inspect match-all R5_LOGGING
match protocol syslog
match access-group name R5_TO_ACS
!
policy-map type inspect C_TO_A
class R5_LOGGING
inspect
class ASA2_LOGGING
inspect


Task 2.3 Verification


Generate some ICMP, TCP and UDP traffic from zone B to zone C. ICMP traffic to R3
itself is not affected by the zone-based firewall: traffic to and from the router
belongs to the self zone, and no zone-pair involving the self zone has been configured.

Rack4SW2#ping 174.1.38.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.38.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Rack4SW2#ping 174.1.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/64 ms


Rack4SW2#telnet 174.1.23.2
Trying 174.1.23.2 ... Open

User Access Verification

Password:
Rack4R2>

Rack4SW2#traceroute 174.1.23.2

Type escape sequence to abort.
Tracing the route to 174.1.23.2

  1 174.1.38.3 4 msec 0 msec 4 msec
  2 174.1.23.2 28 msec * 28 msec


Rack4R3#show policy-map type inspect zone-pair BC

 Zone-pair: BC
  Service-policy inspect : B_TO_C

   Class-map: TCP (match-all)
    Match: protocol tcp
    Inspect
     Packet inspection statistics [process switch:fast switch]
     tcp packets: [0:54]

     Session creations since subsystem startup or last reset 1
     Current session counts (estab/half-open/terminating) [0:0:0]
     Maxever session counts (estab/half-open/terminating) [1:1:1]
     Last session created 00:00:17
     Last statistic reset 00:03:06
     Last session creation rate 1
     Maxever session creation rate 1
     Last half-open session total 0

   Class-map: UDP (match-all)
    Match: protocol udp
    Inspect
     Packet inspection statistics [process switch:fast switch]
     udp packets: [0:7]

     Session creations since subsystem startup or last reset 5
     Current session counts (estab/half-open/terminating) [0:3:0]
     Maxever session counts (estab/half-open/terminating) [1:3:0]
     Last session created 00:00:21
     Last statistic reset 00:03:06
     Last session creation rate 3
     Maxever session creation rate 3
     Last half-open session total 3

   Class-map: ICMP (match-all)
    Match: protocol icmp
    Pass
     5 packets, 400 bytes

   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
     0 packets, 0 bytes

Rack4R3#show policy-map type inspect zone-pair CB

 Zone-pair: CB
  Service-policy inspect : C_TO_B

   Class-map: ICMP (match-all)
    Match: protocol icmp
    Pass
     2 packets, 72 bytes
<snip>


Notice above that we have matching TCP traffic (telnet), ICMP traffic (ping) and
UDP traffic (the probes generated by traceroute) for zone-pair BC, and ICMP traffic
for zone-pair CB (the replies to the traceroute). Remember that traceroute on IOS
sends UDP probes to high-numbered destination ports and relies on ICMP time-exceeded
and port-unreachable messages for the replies, which is why the C-to-B policy must
pass ICMP. The "*" on the last traceroute hop is the usual IOS ICMP unreachable rate
limit (one per 500 ms by default), not a firewall drop: class-default on BC counts
zero packets, and the two 36-byte ICMP messages counted on CB are the two
port-unreachables R2 did send.

Rack4R2#ping 174.1.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms

Task 2.4 Solution


R3:
ip access-list extended TELNET_PORT_3020
permit tcp any any eq 3020

!
! Add port 3020 for telnet application, but first remove the mapping
! used on port 3020 for CIFS
!
access-list 99 permit any
!
no ip port-map cifs port tcp 3020
ip port-map telnet port 3020 list 99
!
!
! With the port-map extended, "match protocol telnet" now covers telnet on
! both ports, 23 and 3020
!
class-map type inspect TELNET
match protocol telnet
!
! This class matches only telnet on port 3020 (protocol telnet AND the port
! ACL), so that traffic alone gets the audit trail
!
class-map type inspect TELNET_PORT_3020
match protocol telnet
match access-group name TELNET_PORT_3020
!
! Enable audit-trail
parameter-map type inspect AUDIT
audit-trail on
!
! Policy-map for telnet inspection and audit trail for port 3020


Make sure that the order of the classes in the policy-map is TELNET_PORT_3020,
then TELNET and then TCP. The first matching class wins, so if TCP (or TELNET)
came first, telnet traffic on port 3020 would be inspected by that class and never
reach TELNET_PORT_3020: it would still pass, but without the audit trail.

policy-map type inspect A_TO_C
class type inspect TELNET_PORT_3020
inspect AUDIT
class type inspect TELNET
inspect

!
! Remove and re-add the TCP class so it moves to the bottom of the policy
! (new classes are always appended after the existing ones)
!
no class type inspect TCP
class type inspect TCP
inspect

!
! Re-configure the policy-maps so that ICMP passing through the firewall is
! logged (pass log)
!
policy-map type inspect A_TO_C
class ICMP
pass log
!
policy-map type inspect A_TO_B
class ICMP
pass log
policy-map type inspect B_TO_C
class ICMP
pass log
policy-map type inspect B_TO_A
class ICMP
pass log
policy-map type inspect C_TO_A
class ICMP
pass log
policy-map type inspect C_TO_B
class ICMP
pass log

R2:
!
! Configure R2 to listen for telnet on port 3020: rotary N makes the vty
! line listen on TCP port 3000+N
!
line vty 15
rotary 20
password cisco


Task 2.4 Verification


Verify the telnet port-mapping. For testing, generate telnet traffic from the AAA
server to R2 on ports 23 and 3020, and ICMP to check the logging. Also make sure
that nothing is matching class-default.

Rack4R3#show ip port-map telnet
Default mapping:  telnet    tcp port 23      system defined
Default mapping:  telnet    tcp port 3020    user defined

Rack4R3#show policy-map type inspect zone-pair AC

 Zone-pair: AC
  Service-policy inspect : A_TO_C

   Class-map: UDP (match-all)
    Match: protocol udp
    Inspect
     Session creations since subsystem startup or last reset 0
     Current session counts (estab/half-open/terminating) [0:0:0]
     Maxever session counts (estab/half-open/terminating) [0:0:0]
     Last session created never
     Last statistic reset 00:00:41
     Last session creation rate 0
     Maxever session creation rate 0
     Last half-open session total 0

   Class-map: ICMP (match-all)
    Match: protocol icmp
    Pass
     4 packets, 160 bytes

   Class-map: TELNET_PORT_3020 (match-all)
    Match: protocol telnet
    Match: access-group name TELNET_PORT_3020
    Inspect
     Packet inspection statistics [process switch:fast switch]
     tcp packets: [0:50]


     Session creations since subsystem startup or last reset 1
     Current session counts (estab/half-open/terminating) [0:0:0]
     Maxever session counts (estab/half-open/terminating) [1:1:1]
     Last session created 00:00:16
     Last statistic reset 00:00:41
     Last session creation rate 1
     Maxever session creation rate 1
     Last half-open session total 0

   Class-map: TELNET (match-all)
    Match: protocol telnet
    Inspect
     Packet inspection statistics [process switch:fast switch]
     tcp packets: [0:31]

     Session creations since subsystem startup or last reset 1
     Current session counts (estab/half-open/terminating) [0:0:0]
     Maxever session counts (estab/half-open/terminating) [1:1:1]
     Last session created 00:00:24
     Last statistic reset 00:00:41
     Last session creation rate 1
     Maxever session creation rate 1
     Last half-open session total 0

   Class-map: TCP (match-all)
    Match: protocol tcp
    Inspect
     Session creations since subsystem startup or last reset 0
     Current session counts (estab/half-open/terminating) [0:0:0]
     Maxever session counts (estab/half-open/terminating) [0:0:0]
     Last session created never
     Last statistic reset 00:00:41
     Last session creation rate 0
     Maxever session creation rate 0
     Last half-open session total 0

   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
     0 packets, 0 bytes
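Checking this output by eye works in the lab, but the two things that matter (nothing falling into class-default, and no class shadowed by an earlier one in the first-match policy) are easy to check programmatically. The following is an added example, not workbook code: it parses a constructed sample modelled on the AC zone-pair output above (line-wraps joined, a few counter lines omitted) and flags any match-all class that an earlier match-all class already catches. The small table mapping application protocols to their transport (telnet, http, ftp, smtp over TCP; radius, syslog over UDP) is an assumption covering only the protocols this lab uses.

```python
"""Sanity-check IOS ZBF `show policy-map type inspect zone-pair` output:
per-class counters, class-default drops and classes shadowed by an earlier one."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the AC zone-pair output (wraps joined, counters as on the page).
SAMPLE = """\
Zone-pair: AC
 Service-policy inspect : A_TO_C
  Class-map: UDP (match-all)
   Match: protocol udp
   Inspect
  Class-map: ICMP (match-all)
   Match: protocol icmp
   Pass
    4 packets, 160 bytes
  Class-map: TELNET_PORT_3020 (match-all)
   Match: protocol telnet
   Match: access-group name TELNET_PORT_3020
   Inspect
    Session creations since subsystem startup or last reset 1
  Class-map: TELNET (match-all)
   Match: protocol telnet
   Inspect
    Session creations since subsystem startup or last reset 1
  Class-map: TCP (match-all)
   Match: protocol tcp
   Inspect
  Class-map: class-default (match-any)
   Match: any
   Drop (default action)
    0 packets, 0 bytes
"""

# Assumption: the application protocols this lab's class-maps use and the transport each implies.
PROTO_PARENT = {"telnet": "tcp", "http": "tcp", "ftp": "tcp", "smtp": "tcp",
                "radius": "udp", "syslog": "udp"}


@dataclass
class InspectClass:
    name: str
    mode: str                       # match-all / match-any
    matches: list = field(default_factory=list)
    action: str = ""                # inspect / pass / drop
    sessions: int = 0               # session creations (inspect classes)
    packets: int = 0                # packet counter (pass / drop classes)


def parse_zone_pair(text):
    """Return (zone_pair_name, [InspectClass, ...]) in policy order."""
    zone_pair, classes, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Zone-pair: (\S+)", line):
            zone_pair = m.group(1)
        elif m := re.match(r"Class-map: (\S+) \((match-\w+)\)", line):
            cur = InspectClass(m.group(1), m.group(2))
            classes.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"Match: (.+)", line):
            cur.matches.append(m.group(1))
        elif line in ("Inspect", "Pass") or line.startswith("Drop"):
            cur.action = line.split()[0].lower()
        elif m := re.match(r"Session creations since .* (\d+)$", line):
            cur.sessions = int(m.group(1))
        elif m := re.match(r"(\d+) packets, \d+ bytes", line):
            cur.packets = int(m.group(1))
    return zone_pair, classes


def default_drops(classes):
    """Packets hitting class-default: anything non-zero is traffic the policy forgot."""
    return sum(c.packets for c in classes if c.name == "class-default")


def _implies(specific, general):
    """True if a packet matching `specific` necessarily matches `general`."""
    if specific == general:
        return True
    s, g = specific.split(), general.split()
    return (len(s) == len(g) == 2 and s[0] == g[0] == "protocol"
            and PROTO_PARENT.get(s[1]) == g[1])


def shadowed_classes(classes):
    """(shadowed, by) pairs: a match-all class no packet can reach because an
    earlier match-all class already catches everything it would match."""
    result = []
    for i, later in enumerate(classes):
        if later.mode != "match-all":
            continue
        for earlier in classes[:i]:
            if earlier.mode == "match-all" and all(
                    any(_implies(b, a) for b in later.matches) for a in earlier.matches):
                result.append((later.name, earlier.name))
                break
    return result


def reorder(classes, order):
    """Copy of `classes` in the given name order, class-default kept last."""
    by_name = {c.name: c for c in classes}
    return [by_name[n] for n in order] + [by_name["class-default"]]
```

Run `shadowed_classes(parse_zone_pair(SAMPLE)[1])` on the order the solution produces and it returns nothing; run it on `reorder(..., ["UDP", "ICMP", "TCP", "TELNET_PORT_3020", "TELNET"])` (TCP left where it was before the remove-and-re-add step) and it reports both telnet classes shadowed by TCP, which is exactly the case the note about class order warns against.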


Since logging buffered is not configured on R3, the log messages appear only on the
console. In the real lab it may be a good idea to ask the proctor whether enabling
logging buffered is acceptable so that these messages can be tracked afterwards.

%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(AC:TELNET_PORT_3020):Start telnet session: initiator (10.0.0.100:3050) -- responder (174.1.23.2:3020)
%FW-6-SESS_AUDIT_TRAIL: (target:class)-(AC:TELNET_PORT_3020):Stop telnet session: initiator (10.0.0.100:3050) sent 47 bytes -- responder (174.1.23.2:3020) sent 76 bytes
%FW-6-LOG_SUMMARY: 4 packets were passed from 174.1.23.2:0 => 10.0.0.100:8 (target:class)-(CA:ICMP)
%FW-6-LOG_SUMMARY: 4 packets were passed from 10.0.0.100:8 => 174.1.23.2:0 (target:class)-(AC:ICMP)
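These audit-trail and summary messages are what a collector actually receives from a zone-based firewall, and they are worth parsing into session records rather than grepping. The example below is added here and is not workbook code: it parses a constructed sample built from the four messages above (line-wraps joined, with a made-up syslog prefix of the kind a collector prepends), pairs each Start with its Stop to get the bytes moved, totals the packets passed per zone-pair and class, and lists audited sessions that ran on a non-default port for their protocol, which is how the telnet-on-3020 session stands out. The default-port table is an assumption for this lab.

```python
"""Parse IOS zone-based firewall syslog (%FW-6-SESS_AUDIT_TRAIL* and
%FW-6-LOG_SUMMARY) into session records that can be reported or alerted on."""
import re
from collections import defaultdict

# Constructed sample: the four messages from the page with a made-up collector prefix.
SAMPLE_LOG = """\
Jun 10 13:40:01 R3 123: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(AC:TELNET_PORT_3020):Start telnet session: initiator (10.0.0.100:3050) -- responder (174.1.23.2:3020)
Jun 10 13:40:17 R3 124: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(AC:TELNET_PORT_3020):Stop telnet session: initiator (10.0.0.100:3050) sent 47 bytes -- responder (174.1.23.2:3020) sent 76 bytes
Jun 10 13:40:20 R3 125: %FW-6-LOG_SUMMARY: 4 packets were passed from 174.1.23.2:0 => 10.0.0.100:8 (target:class)-(CA:ICMP)
Jun 10 13:40:20 R3 126: %FW-6-LOG_SUMMARY: 4 packets were passed from 10.0.0.100:8 => 174.1.23.2:0 (target:class)-(AC:ICMP)
"""

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL(?:_START)?: \(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\):"
    r"(?P<event>Start|Stop) (?P<proto>\S+) session: initiator \((?P<ia>[\d.]+):(?P<ip>\d+)\)"
    r"(?: sent (?P<ib>\d+) bytes)? -- responder \((?P<ra>[\d.]+):(?P<rp>\d+)\)"
    r"(?: sent (?P<rb>\d+) bytes)?")
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<pkts>\d+) packets were (?P<verb>passed|dropped) from "
    r"(?P<sa>[\d.]+):(?P<sp>\d+) => (?P<da>[\d.]+):(?P<dp>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)")

# Assumption: default responder ports for the audited protocols in this lab.
DEFAULT_PORTS = {"telnet": 23, "http": 80, "ftp": 21, "smtp": 25}


def parse_fw_log(text):
    """One dict per recognised message; lines that match neither pattern are ignored."""
    events = []
    for line in text.splitlines():
        if m := AUDIT_RE.search(line):
            d = m.groupdict()
            events.append({
                "type": "audit", "event": d["event"].lower(), "zone_pair": d["zp"],
                "class": d["cls"], "proto": d["proto"],
                "initiator": (d["ia"], int(d["ip"])), "responder": (d["ra"], int(d["rp"])),
                "initiator_bytes": int(d["ib"] or 0), "responder_bytes": int(d["rb"] or 0)})
        elif m := SUMMARY_RE.search(line):
            d = m.groupdict()
            events.append({
                "type": "summary", "verb": d["verb"], "packets": int(d["pkts"]),
                "zone_pair": d["zp"], "class": d["cls"],
                "src": (d["sa"], int(d["sp"])), "dst": (d["da"], int(d["dp"]))})
    return events


def _key(e):
    return (e["zone_pair"], e["class"], e["initiator"], e["responder"])


def completed_sessions(events):
    """Pair Start/Stop audit records. Returns (completed, still_open); each completed
    record carries the bytes sent in both directions."""
    open_sessions, done = {}, []
    for e in events:
        if e["type"] != "audit":
            continue
        if e["event"] == "start":
            open_sessions[_key(e)] = e
        elif _key(e) in open_sessions:
            start = open_sessions.pop(_key(e))
            done.append({**start, "bytes": e["initiator_bytes"] + e["responder_bytes"]})
    return done, list(open_sessions.values())


def passed_packets(events):
    """Packets passed per (zone-pair, class), from LOG_SUMMARY records."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "summary" and e["verb"] == "passed":
            totals[(e["zone_pair"], e["class"])] += e["packets"]
    return dict(totals)


def nonstandard_port_sessions(events, default_ports=DEFAULT_PORTS):
    """Completed audited sessions whose responder port is not the protocol's default."""
    done, _ = completed_sessions(events)
    return [s for s in done
            if s["proto"] in default_ports and s["responder"][1] != default_ports[s["proto"]]]
```

The regexes use `search`, not `match`, so whatever timestamp or sequence prefix the collector adds in front of `%FW-6-` does not matter. Sessions that started but never produced a Stop message come back in the second element of `completed_sessions`, which is the list to watch for long-lived or abandoned connections.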


Task 2.5 Solution


R3:
!
! Match Websense traffic in an ACL
!
ip access-list extended WEBSENSE
permit tcp any host 10.0.0.100 eq 15868
!
! Call the ACL in a class-map
!
class-map type inspect WEBSENSE
match access-group name WEBSENSE

!
! Every class in the C_TO_A policy is specific (none is a catch-all such as
! "all TCP"), so this class can simply be appended; ordering is not an issue
!
!
policy-map type inspect C_TO_A
class WEBSENSE
inspect

R6:
ip inspect name HTTP_FILTER http

!
! Configure "fail open": if the Websense server is unreachable, HTTP traffic
! is still allowed. This is a deliberate fail-open choice; the default,
! allow-mode off, blocks HTTP while the filtering server is down
!
ip urlfilter allow-mode on

!
! Exclude the two domains
!
ip urlfilter exclusive-domain permit internetworkexpert.com
ip urlfilter exclusive-domain permit ine.com
ip urlfilter audit-trail
ip urlfilter server vendor websense 10.0.0.100

!
! Apply inspection
!
interface Serial 0/0/0
ip inspect HTTP_FILTER out


Task 2.5 Verification


Rack4SW1#copy flash: http://54.4.8.254
Source filename [config.text]?
Address or name of remote host [54.4.8.254]?
Destination filename [config.text]?
%Error writing http://54.4.8.254/config.text (I/O error)

Rack4R3#show policy-map type inspect zone-pair CA | section WEBSENSE

   Class-map: WEBSENSE (match-all)
    Match: access-group name WEBSENSE
    Inspect
     Packet inspection statistics [process switch:fast switch]
     tcp packets: [0:35]

     Session creations since subsystem startup or last reset 1
     Current session counts (estab/half-open/terminating) [1:0:0]
     Maxever session counts (estab/half-open/terminating) [1:1:0]
     Last session created 00:16:30
     Last statistic reset never
     Last session creation rate 0
     Maxever session creation rate 1
     Last half-open session total 0


Task 3.1 Solution


ASA1:
!
! Configure AAA server
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (IN) host 10.0.0.100
key CISCO
authentication-port 1812
accounting-port 1813

!
! Split-tunneling ACL
!
access-list SPLIT_TUNNEL permit ip 174.1.127.0 255.255.255.0 any

!
! Local address pool
!
ip local pool IPSECPOOL 10.105.105.1-10.105.105.50

!
! Group policy to specify split-tunneling & address pool
!
group-policy IPSECPOLICY internal
group-policy IPSECPOLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
address-pools value IPSECPOOL

!
! Tunnel group for RA users, configure authentication & apply policy
!
tunnel-group IPSECGROUP type ipsec-ra
tunnel-group IPSECGROUP general-attributes
authentication-server-group RADIUS
default-group-policy IPSECPOLICY

!
! Group pre-shared key
!
tunnel-group IPSECGROUP ipsec-attributes
pre-shared-key CISCO

!
! ISAKMP policy
!
crypto isakmp policy 10
authentication pre-share
hash sha
encryption 3des
group 2
!
crypto isakmp enable OUT


!
! Transform-set
!
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac

!
! Create dynamic crypto map and link it to static crypto map
!
crypto dynamic-map DYNAMIC 10 set transform-set 3DES_SHA
!
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
!
! Apply crypto map on OUT interface
crypto map VPN interface OUT

!
! Permit VPN traffic to bypass input ACL
!
sysopt connection permit-vpn

Copyright © 2011 Internetwork Expert www.INE.com


- 248 -
CCIE Security Lab Workbook Vol II Solutions Guide for CCIEv3.0 Lab 3

ACS:

Step 1:

Add ASA1 as a RADIUS client to the ACS. Click Network Configuration, then
Add Entry, and enter the IP address of the firewall's inside interface
(174.X.127.12) along with the client's name "Rack4ASA1-R". Select RADIUS
(VPN3000/PIX 7.x/ASA) as the authentication protocol. Click Submit + Apply
when you're done.

Step 2:

Add new user “IPSECUSER” to the ACS server. Click the User Setup button,
then enter the name “IPSECUSER” and click the Add/Edit button. On the next
page, specify the password value of “CISCO” and click the Submit button.


Task 3.1 Verification


The easiest way to verify this scenario is to make R5 an Easy VPN (ezVPN) client.

R5:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto ipsec client ezvpn ASA1
connect auto
group IPSECGROUP key CISCO
local-address FastEthernet0/1
mode client
peer 174.1.124.12
username IPSECUSER password CISCO
xauth userid mode local

Rack4R5#show running-config interface fastEthernet 0/1 | i crypto
 crypto ipsec client ezvpn ASA1 inside

Rack4R5#show running-config interface serial 0/0 | i crypto
 crypto ipsec client ezvpn ASA1

Rack4R5#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
174.1.124.12    204.12.4.5      QM_IDLE           1007    0 ACTIVE

IPv6 Crypto ISAKMP SA

Rack4R5#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : ASA1
Inside interface list: FastEthernet0/1
Outside interface: Serial0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 10.105.105.1 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 174.1.127.0
       Mask       : 255.255.255.0
<snip>


Rack4ASA1# show vpn-sessiondb remote

Session Type: IPsec

Username     : IPSECUSER              Index        : 7
Assigned IP  : 10.105.105.1           Public IP    : 204.12.4.5
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : IPSECPOLICY            Tunnel Group : IPSECGROUP
Login Time   : 13:44:40 UTC Wed Jun 10 2009
Duration     : 0h:11m:56s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Also check the AAA server's passed-authentications report for the IPSECUSER login.


Task 3.2 Solution


ASA1:
!
! Configure and enable additional ISAKMP policy
!
crypto isakmp policy 20
auth rsa-sig
hash sha
encryption 3des
group 2

!
! Send the hostname (FQDN) as the ISAKMP identity, so the peer can match the
! tunnel-group named after the remote hostname during the tunnel-group lookup.
! Otherwise the identity is derived from the certificate's DN
!
crypto isakmp identity hostname

!
! Create IPsec transform-set
!
crypto ipsec transform-set AES256_MD5 esp-aes-256 esp-md5-hmac

!
! Configure domain-name and generate the RSA key. A 512-bit modulus is used
! only to keep key generation fast in the lab; it is far too weak for
! production, where 2048 bits or more should be used
!
domain-name INE.com
crypto key generate rsa general modulus 512
yes

!
! Sync time with the AAA/CA server
!
ntp server 10.0.0.100

!
! Configure CA trustpoint. revocation-check none disables CRL/OCSP checking,
! so a revoked peer certificate would still be accepted; acceptable only
! because the lab CA publishes no CRL
!
crypto ca trustpoint IE1
enrollment url http://10.0.0.100/certsrv/mscep/mscep.dll
revocation-check none

!
! Tunnel-group for remote endpoint
!
tunnel-group Rack4ASA2.INE.com type ipsec-l2l
tunnel-group Rack4ASA2.INE.com ipsec-attributes
trust-point IE1

!
! Traffic to encrypt
!
access-list VLAN127_TO_VLAN132 permit ip 174.1.127.0 255.255.255.0 192.10.4.0 255.255.255.0


!
! Static crypto-map entry for the L2L peer (the dynamic entry from Task 3.1
! stays at sequence 100). The set trustpoint line further below is separate
! and only matters when this ASA initiates
!
crypto map VPN 10 match address VLAN127_TO_VLAN132
crypto map VPN 10 set peer 174.1.135.13
crypto map VPN 10 set transform-set AES256_MD5

!
! Needed to initiate the VPN connection
!
crypto map VPN 10 set trustpoint IE1
!
crypto map VPN interface OUT
!
sysopt connection permit-vpn

!
! Authenticate and enroll with CA
!
crypto ca authenticate IE1
crypto ca enroll IE1

!
! Permit SCEP traffic from ASA2 VLAN135 interface to AAA server through
! ASA1
!
name 174.1.135.13 ASA2_VLAN135
access-list OUTSIDE_IN extended permit tcp host ASA2_VLAN135 host ACS_POST_NAT_IP eq www

ASA2:
!
! Configure and enable ISAKMP
!
crypto isakmp policy 10
auth rsa-sig
hash sha
encryption 3des
group 2
!
crypto isakmp identity hostname
!
crypto isakmp enable VLAN135

!
! Create IPsec transform-set
!
crypto ipsec transform-set AES256_MD5 esp-aes-256 esp-md5-hmac

!
! Configure domain-name and generate the RSA key (512 bits for lab speed
! only; see the note on ASA1)
!
domain-name INE.com
crypto key generate rsa general modulus 512


!
! Sync time with the AAA/CA server
!
ntp server 174.1.124.100

!
! Configure CA trustpoint
!
crypto ca trustpoint IE1
enrollment url http://174.1.124.100/certsrv/mscep/mscep.dll
revocation-check none

!
! Tunnel-group for remote endpoint
!
tunnel-group Rack4ASA1.INE.com type ipsec-l2l
tunnel-group Rack4ASA1.INE.com ipsec-attributes
trust-point IE1

!
! Traffic to encrypt
!
access-list VLAN132_TO_VLAN127 permit ip 192.10.4.0 255.255.255.0 174.1.127.0 255.255.255.0
!
! The crypto-map
!
crypto map VPN 10 match address VLAN132_TO_VLAN127
crypto map VPN 10 set peer 174.1.124.12
crypto map VPN 10 set trustpoint IE1
crypto map VPN 10 set transform-set AES256_MD5
!
crypto map VPN interface VLAN135
!
sysopt connection permit-vpn

!
! Authenticate and enroll with CA
!
crypto ca authenticate IE1
crypto ca enroll IE1
!
! Add route for VLAN 127 to trigger the IPSec process
route VLAN135 174.1.127.0 255.255.255.0 174.1.135.5 1

R3:
!
! Configure HTTP inspection for the SCEP traffic to the CA
!
class-map type inspect match-all WEB
match protocol http
match access-group name ACS_SERVER
!
policy-map type inspect C_TO_A
class WEB
inspect


Task 3.2 Verification


You can't access the backbone routers in the real exam. Here we verify either by
means of user-mode access to the backbone router, or by sending traffic to
VLAN 132 from SW1.

Rack4SW1#ping 192.10.4.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 188/188/188 ms

Rack4ASA1# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: ASA2_VLAN135
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : rsa             Lifetime: 86400
    Lifetime Remaining: 85778

Rack4ASA1# show crypto ipsec sa peer 174.1.135.13
peer address: ASA2_VLAN135
    Crypto map tag: VPN, seq num: 10, local addr: 174.1.124.12

      access-list VLAN127_TO_VLAN132 permit ip 174.1.127.0 255.255.255.0 192.10.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (174.1.127.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.10.4.0/255.255.255.0/0/0)
      current_peer: ASA2_VLAN135

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0


      local crypto endpt.: 174.1.124.12, remote crypto endpt.: ASA2_VLAN135

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 998213CA

    inbound esp sas:
      spi: 0x596B0835 (1500186677)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: VPN
         sa timing: remaining key lifetime (kB/sec): (3914999/28101)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x998213CA (2575438794)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: VPN
         sa timing: remaining key lifetime (kB/sec): (3914999/28101)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Task 3.3 Solution


R1:
!
! Create Tunnel interface
interface Tunnel0
ip address 10.255.255.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 145
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 145

!
! Enable OSPF On loopback and Tunnel interface
!
router ospf 2
router-id 10.255.1.1
log-adjacency-changes
network 10.255.1.1 0.0.0.0 area 0
network 10.255.255.1 0.0.0.0 area 0


!
! Create Loopback and configure it so it’s advertised as /24 in OSPF.
! By default the OSPF network type on Loopback is LOOPBACK and it’s
! advertised as /32 no matter the mask.
!
interface Loopback1
ip address 10.255.1.1 255.255.255.0
ip ospf network point-to-point

!
! Configure OSPF broadcast type and increase OSPF priority such that R1
! will "always" be the DR. I say "always" because DR election is not a
! preemptive process: if a spoke is already DR when R1 comes up, R1 does
! not take over. In a production DMVPN you would also set ip ospf priority 0
! on the spokes so they can never become DR/BDR (the verification below shows
! R5 elected BDR); the task only asks that R1 be the DR
!
interface Tunnel0
ip ospf network broadcast
ip ospf priority 2

R5:
interface Tunnel0
ip address 10.255.255.5 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 10.255.255.1 150.4.1.1
ip nhrp map multicast 150.4.1.1
ip nhrp nhs 10.255.255.1
ip nhrp network-id 145
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 145
interface Loopback1
ip address 10.255.5.5 255.255.255.0
ip ospf network point-to-point
!
router ospf 2
router-id 10.255.5.5
log-adjacency-changes
network 10.255.5.5 0.0.0.0 area 0
network 10.255.255.5 0.0.0.0 area 0
!
interface Tunnel0
ip ospf network broadcast

R4:
interface Tunnel0
ip address 10.255.255.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 10.255.255.1 150.4.1.1
ip nhrp map multicast 150.4.1.1
ip nhrp nhs 10.255.255.1
ip nhrp network-id 145
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 145
!


router ospf 2
router-id 10.255.4.4
log-adjacency-changes
network 10.255.4.4 0.0.0.0 area 0
network 10.255.255.4 0.0.0.0 area 0
!
interface Loopback1
ip address 10.255.4.4 255.255.255.0
ip ospf network point-to-point
!
interface Tunnel0
ip ospf network broadcast

Task 3.3 Verification


Verify the OSPF adjacencies and confirm that Loopback 1 is advertised as a /24 on
R1, R4 and R5. Verify that R1 is the OSPF DR.

Rack4R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.4.4        1   FULL/DROTHER    00:00:38    10.255.255.4    Tunnel0
10.255.5.5        1   FULL/BDR        00:00:37    10.255.255.5    Tunnel0

Rack4R1#show ip ospf interface tunnel 0
Tunnel0 is up, line protocol is up
  Internet Address 10.255.255.1/24, Area 0
  Process ID 2, Router ID 10.255.1.1, Network Type BROADCAST, Cost: 11111
  Transmit Delay is 1 sec, State DR, Priority 2
  Designated Router (ID) 10.255.1.1, Interface address 10.255.255.1
  Backup Designated router (ID) 10.255.5.5, Interface address 10.255.255.5
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:08
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 2
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 10.255.4.4
    Adjacent with neighbor 10.255.5.5  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)


Rack4R1#show ip route ospf
     10.0.0.0/24 is subnetted, 4 subnets
O       10.255.5.0 [110/11112] via 10.255.255.5, 00:31:27, Tunnel0
O       10.255.4.0 [110/11112] via 10.255.255.4, 00:32:37, Tunnel0

Task 3.4 Solution


R1, R4, R5:
!
! Create isakmp policy to match requirements
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 1

!
! Wildcard pre-shared key covering every tunnel endpoint in 150.4.0.0/16.
! All routers share one secret, so a compromised spoke could impersonate
! any peer; certificates are the scalable alternative outside the lab
!
crypto isakmp key CISCO address 150.4.0.0 255.255.0.0

!
! Transport-mode can be used since packets are already encapsulated
! into GRE
!
crypto ipsec transform-set AES256_SHA_TRANS esp-aes 256 esp-sha-hmac
mode transport

!
! Ipsec Profile to be applied to tunnel interface
!
crypto ipsec profile DMVPN_PROFILE
set transform-set AES256_SHA_TRANS

!
! Apply the tunnel protection. ip nhrp shortcut/redirect enable DMVPN
! phase 3 spoke-to-spoke tunnels: redirect is only needed on the hub and
! shortcut on the spokes, but configuring both everywhere is harmless
!
interface Tunnel0
tunnel protection ipsec profile DMVPN_PROFILE
ip nhrp shortcut
ip nhrp redirect
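Two settings above deserve a worked check: the `ip mtu 1400` on the Tunnel0 interfaces in Task 3.3, and the comment in Task 3.4 that transport mode is sufficient because the packets are already GRE-encapsulated. The following is an added example, not part of the workbook, that computes the on-the-wire size of a packet sent over mGRE (with a tunnel key) protected by ESP with AES-CBC and a 96-bit HMAC ICV, in transport and in tunnel mode, and works out the largest tunnel MTU that never exceeds a 1500-byte link. Header sizes are the RFC values; the MSS helper assumes plain IPv4 and TCP headers without options.

```python
"""Worked MTU budget for the DMVPN tunnels: mGRE with a tunnel key, protected by
ESP (AES-CBC, 96-bit HMAC ICV) in transport or tunnel mode. Added example."""

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # base GRE header
GRE_KEY = 4          # present because the tunnels configure `tunnel key 145`
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
AES_BLOCK = 16       # CBC IV size and padding alignment for esp-aes / esp-aes 256
HMAC_ICV = 12        # esp-sha-hmac and esp-md5-hmac both truncate the ICV to 96 bits


def esp_overhead(payload_len, mode):
    """Bytes ESP adds around `payload_len` bytes (plus a new outer IP header in tunnel mode)."""
    pad = (-(payload_len + ESP_TRAILER)) % AES_BLOCK   # payload + pad + trailer is block aligned
    extra = ESP_HDR + AES_BLOCK + pad + ESP_TRAILER + HMAC_ICV
    return extra + (IP_HDR if mode == "tunnel" else 0)


def max_esp_overhead(mode):
    """Worst case over all payload sizes, i.e. with AES_BLOCK - 1 bytes of padding."""
    return max(esp_overhead(n, mode) for n in range(AES_BLOCK))


def wire_size(inner_len, mode):
    """On-the-wire length of an inner IP packet of `inner_len` bytes sent over mGRE+IPsec."""
    gre_payload = GRE_HDR + GRE_KEY + inner_len
    if mode == "transport":            # ESP sits between the outer IP header and GRE
        return IP_HDR + esp_overhead(gre_payload, mode) + gre_payload
    whole = IP_HDR + gre_payload       # tunnel mode wraps the complete GRE/IP packet
    return esp_overhead(whole, mode) + whole


def max_inner_mtu(link_mtu, mode):
    """Largest `ip mtu` on the tunnel whose packets never exceed the physical link MTU."""
    for inner in range(link_mtu, 0, -1):
        if wire_size(inner, mode) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any payload")


def tcp_mss_for(ip_mtu):
    """Matching `ip tcp adjust-mss` value: IP MTU minus IPv4 and TCP headers."""
    return ip_mtu - IP_HDR - 20


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s}: ip mtu 1400 -> {wire_size(1400, mode)} bytes on the wire, "
              f"worst-case ESP overhead {max_esp_overhead(mode)}, "
              f"largest safe ip mtu on a 1500-byte link {max_inner_mtu(1500, mode)}")
    print("tcp adjust-mss for ip mtu 1400:", tcp_mss_for(1400))
```

With `ip mtu 1400` a full-size packet leaves the physical interface at 1480 bytes in transport mode and 1496 bytes in tunnel mode, so 1400 is safe either way; the largest values that still fit are 1430 (transport) and 1410 (tunnel), which is why 1400 is the usual round figure and why transport mode is the better fit here. The worst-case ESP overhead of 73 bytes in tunnel mode is the same kind of budget the ASA reports as `ipsec overhead 74` in the Task 3.2 output. Pairing the tunnel MTU with `ip tcp adjust-mss 1360` avoids fragmenting TCP inside the tunnel.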

Task 3.4 Verification


Check ISAKMP and IPSec SA’s. Verify OSPF adjacencies and that packets get
encrypted/decrypted.


Rack4R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
150.4.1.1       150.4.5.5       QM_IDLE           1002    0 ACTIVE
150.4.1.1       150.4.4.4       QM_IDLE           1004    0 ACTIVE

IPv6 Crypto ISAKMP SA

Rack4R1#show crypto ipsec sa peer 150.4.5.5

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 150.4.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (150.4.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.4.5.5/255.255.255.255/47/0)
   current_peer 150.4.5.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
    #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 150.4.1.1, remote crypto endpt.: 150.4.5.5
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0x83427F34(2202173236)

     inbound esp sas:
      spi: 0xEBAECEBF(3954101951)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: 3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4450231/3291)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x83427F34(2202173236)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: 4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4450231/3291)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
<snip>


Task 4.1 Solution


ASA1:
!
! The deny entry exempts ASA2's SCEP enrollment (Task 3.2) from cut-through
! authentication: a deny in the match ACL means "do not authenticate", and
! an ASA cannot answer an HTTP authentication prompt
!
access-list CUT_THROUGH_HTTP deny tcp host 174.1.135.13 host ACS_POST_NAT_IP eq 80
access-list CUT_THROUGH_HTTP permit tcp any host ACS_POST_NAT_IP eq 80
!
aaa authentication match CUT_THROUGH_HTTP OUT LOCAL
!
username WEBUSER password CISCO
!
access-list OUTSIDE_IN permit tcp any host ACS_POST_NAT_IP eq 80
!
auth-prompt prompt "Access to this server is for authorized personnel only."

Task 4.1 Verification


Rack4ASA1# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'WEBUSER' at 174.1.124.160, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

Task 4.2 Solution


R6:
aaa new-model
!
! Configure console authentication method to none
!
aaa authentication login CONSOLE none

!
! Authenticate users and authorize exec via TACACS+
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+

!
! TACACS server config
!
ip tacacs source-interface Loopback0
tacacs-server host 10.0.0.100 key CISCO
!
line console 0
login authentication CONSOLE


ASA1:
!
! Allow telnet traffic to R6
!
access-list OUTSIDE_IN permit tcp any host 174.1.124.6 eq 23

ACS:

Step 1:

Add R6 as AAA client to the ACS. Run the ACS Admin utility and click the
Network Configuration button, then enter the AAA Client Hostname,
AAA Client IP address of 150.X.6.6 and the key of “CISCO”. Select TACACS+
(Cisco IOS) for the Authentication protocol.


Step 2:

Add a new user named "TROUBLEMAKER". Click the User Setup button, enter the name
"TROUBLEMAKER" and click the Add/Edit button. Specify the Password of "CISCO" on
the next page. Scroll down the page to "TACACS+ Settings" and check the Shell
(exec) field. Check the Privilege Level field and set the value to 15.


Task 4.2 Verification

Note: Initiate telnet traffic from the Test PC to R6's translated address. Verify
the Passed Authentications log on the AAA server afterwards.

Rack4R4#telnet 174.1.124.6
Trying 174.1.124.6 ... Open

Username: TROUBLEMAKER
Password:

Rack4R6#


Task 4.3 Solution


ASA1:
username TROUBLEMAKER password CISCO

!
! Authentication config
!
access-list AUTH_TELNET permit tcp host 174.1.124.50 host 174.1.124.6 eq telnet
aaa authentication match AUTH_TELNET OUT LOCAL

Task 4.3 Verification


Configure IP address on test PC to be 174.1.124.50 and telnet to R6 translated
address. Check authentication on ASA1.

Rack4ASA1# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'TROUBLEMAKER' at 174.1.124.50, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

Task 4.4 Solution


R6:
!
! Account for commands and exec start/stop
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

ASA1:
!
! Configure AAA server
!
aaa-server TACACS+ protocol tacacs
aaa-server TACACS+ (IN) host 10.0.0.100 CISCO

!
! Account with TACACS+ server for telnet connections
!
aaa accounting match AUTH_TELNET OUT TACACS+


ACS:

Step 1:

Add ASA1 as an AAA Client in the ACS. Click the Network Configuration
button then specify the AAA Client Name “Rack4ASA1-T” along with the IP
address of 174.X.127.12. Set the Key value to “CISCO” and set the
authentication protocol to “TACACS+”. Click the Add Entry button when you’re
done.


Task 4.4 Verification


Initiate a telnet connection from the Test PC and verify Accounting Logs in the
AAA server.

Task 5.1 Solution


Make sure you have entered the root view with the command enable view before
applying the parser view configuration. To enter the view you must be an
authenticated user. Per the task requirements you cannot use the console for
authenticated access, but you can work around this by logging in to the router via
SSH as "ADMIN" and entering the root view. After this, you may configure the
parser view.

R4:
aaa new-model
aaa authentication login default none
aaa authentication login VTY local
aaa authorization exec VTY local
!
enable secret cisco


!
! CLI View for the OPERATOR user
!
parser view HTTP
secret 0 CISCO
commands configure include all ip http
commands configure include ip
commands exec include configure terminal
commands exec include configure
!
username OPERATOR privilege 15 view HTTP password 0 CISCO
username ADMIN privilege 15 password 0 CISCO
!
!
line vty 0 4
transport input ssh
login authentication VTY
authorization exec VTY
!
ip domain-name INE.com
crypto key generate rsa general modulus 768

Task 5.1 Verification


Verify that SSH access is allowed and telnet is not. Verify the authorization rights of
both users.

Rack4R4#telnet 10.255.255.4

Trying 10.255.255.4 ...

% Connection refused by remote host

Rack4R4#ssh -l OPERATOR 10.255.255.4

Password:

Rack4R4#show parser view
Current view is 'HTTP'

Rack4R4(config)#?
Configure commands:
do To run exec commands in config mode
exit Exit from configure mode
ip Global IP configuration subcommands

Rack4R4(config)#ip ?
Global IP configuration subcommands:
accounting-threshold Sets the maximum number of accounting entries
accounting-transits Sets the maximum number of transit entries
http HTTP server configuration


Rack4R4(config)#interface Fa0/1
^
% Invalid input detected at '^' marker.

Rack4R4#ssh -l ADMIN 10.255.255.4

Password:

Rack4R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack4R4(config)#?
Configure commands:
  aaa                       Authentication, Authorization and Accounting.
  access-list               Add an access list entry
  alarm-interface           Configure a specific Alarm Interface Card
  alias                     Create command alias
  appfw                     Configure the Application Firewall policy
  archive                   Archive the configuration
  arp                       Set a static ARP entry
  async-bootp               Modify system bootp parameters
  backhaul-session-manager  Configure Backhaul Session Manager
  banner                    Define a login banner
  bba-group                 Configure BBA Group
  beep                      Configure BEEP (Blocks Extensible Exchange Protocol)
  boot                      Modify system boot parameters
  bridge                    Bridge Group.
  buffers                   Adjust system buffer pool parameters
  busy-message              Display message when connection to host fails
  call                      Configure Call parameters
  call-history-mib          Define call history mib parameters
  carrier-id                Name of the carrier associated with this trunk group

Rack4R4(config)#interface Fa0/1
Rack4R4(config-if)#


Task 5.2 Solution

Note

This task requires you to decrypt the type 7 password configured on SW1's
VLAN67 interface. This can be done using the following trick:

1) Configure a key chain and paste the type 7 password into it:

key chain TEST
key 1
key-string 7 00111D0D0A541C085C

2) Use the command show key chain to see the clear-text password:

Key-chain TEST:
key 1 -- text "unknown3"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]

R6:
interface FastEthernet 0/0
ip ospf authentication
ip ospf authentication-key unknown3
!
!
SW1:
interface Vlan67
ip ospf authentication


Task 5.2 Verification


Verify the OSPF adjacencies and check that plain-text authentication is being used.

Rack4SW1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
174.1.127.12      1   FULL/DR         00:00:37    174.1.127.12    Vlan127
150.4.6.6         1   FULL/DR         00:00:39    174.1.67.6      Vlan67

Rack4SW1#show ip ospf interface vlan 67
Vlan67 is up, line protocol is up
Internet Address 174.1.67.7/24, Area 51
Process ID 1, Router ID 150.4.7.7, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.4.6.6, Interface address 174.1.67.6
Backup Designated router (ID) 150.4.7.7, Interface address 174.1.67.7
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.6.6 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

Rack4SW1#debug ip ospf packet
Jun 10 03:09:43.962: OSPF: rcv. v:2 t:1 l:48 rid:150.4.6.6 aid:0.0.0.51 chk:D145 aut:1 auk: from Vlan67


Task 6.1 Solution


It is best practice to first erase the current configuration and reset the sensor. Be
aware that erasing the configuration will NOT erase user accounts. Next, we
configure the network settings and NTP.

IPS:
ips(config)# service host
ips(config-hos)# network-settings
ips(config-hos-net)# host-name Rack4IPS
ips(config-hos-net)# exit
ips(config-hos)# exit
Apply Changes?[yes]: yes
Rack4IPS# conf t
Rack4IPS(config)# service host
Rack4IPS(config-hos)# network-settings
ips(config-hos-net)# host-ip 174.1.38.10/24,174.1.38.3
Rack4IPS(config-hos-net)# access-list 10.0.0.100/32
Rack4IPS(config-hos-net)# telnet-option enabled
Rack4IPS(config-hos-net)# exit
Rack4IPS(config-hos)# exit
Apply Changes:?[yes]: yes

Rack4IPS(config)# service web-server
Rack4IPS(config-web)# port 443
Rack4IPS(config-web)# enable-tls true
Rack4IPS(config-web)# exit
Apply Changes:?[yes]: yes
Rack4IPS(config)# exit


Rack4IPS(config)# service host
Rack4IPS(config-hos)# ntp-option enabled
Rack4IPS(config-hos-ena)# ntp-servers 54.4.8.254 key-id 1
Rack4IPS(config-hos-ena)# ntp-keys 1 md5-key CISCO
Rack4IPS(config-hos-ena)# exit

R3:
class-map type inspect match-any IPS_MANAGEMENT
match protocol https
match protocol telnet
!
policy-map type inspect A_TO_B
class type inspect IPS_MANAGEMENT
inspect

Task 6.1 Verification


Verify connectivity with the default gateway. Make sure you can telnet and browse
via HTTPS from the AAA server. For the NTP section there is a catch: you
actually need to complete Task 6.2 first, since the traffic path from the IPS command
and control interface to the BB1 NTP server runs through the IPS inline VLAN pair.

Rack4IPS(config-hos)# show settings
network-settings
-----------------------------------------------
host-ip: 174.1.38.10/24,174.1.38.3 default: 192.168.1.2/24,192.168.1.1
host-name: Rack4IPS default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 10.0.0.100/32
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
time-zone-settings
-----------------------------------------------
offset: 0 minutes default: 0
standard-time-zone-name: UTC default: UTC
-----------------------------------------------
ntp-option
-----------------------------------------------
enabled
-----------------------------------------------
ntp-keys (min: 1, max: 1, current: 1)
-----------------------------------------------
key-id: 1
-----------------------------------------------
md5-key: CISCO
-----------------------------------------------


-----------------------------------------------
ntp-servers (min: 1, max: 1, current: 1)
-----------------------------------------------
ip-address: 54.4.8.254
key-id: 1

Rack4IPS# show statistics host | b NTP
NTP Statistics
   =    remote           refid      st t when poll reach   delay   offset  jitter
   = *54.4.8.254      CHU_AUDIO(1)     4 u   39   64  377   84.983 3310.91   0.119
   =  LOCAL(0)        73.78.73.84      5 l   49   64  377    0.000   0.000   0.001
   =  ind assID status  conf reach auth condition  last_event cnt
   =    1 64212  f614   yes   yes  ok    sys.peer   reachable  1
   =    2 64213  9014   yes   yes  none  reject     reachable  1
   status = Synchronized

Rack4IPS(config-web)# show settings
enable-tls: true default: true
port: 443 default: 443
server-id: HTTP/1.1 compliant <defaulted>

To verify that telnet/HTTPS access is permitted from the ACS server, we will
shut down Fa0/0 on R3 and create a Loopback interface with the IP address
10.0.0.100. Make sure to remove the Loopback and bring Fa0/0 back up after testing.

Rack4R3#show running-config interface loopback 1
Building configuration...

Current configuration : 66 bytes
!
interface Loopback1
 ip address 10.0.0.100 255.255.255.255
end

Rack4R3#telnet 174.1.38.10 /source-interface loopback 1
Trying 174.1.38.10 ... Open

login: cisco
Password:
Last login: Tue Mar 16 16:32:57 on pts/0
<snip>


Rack4R3#telnet 174.1.38.10 443 /source-interface loopback 1
Trying 174.1.38.10, 443 ... Open

[Connection to 174.1.38.10 closed by foreign host]

Task 6.2 Solution


This task must be configured so that the two network partitions can communicate
properly: as the diagram shows, the IPS splits the network into two parts.
Configure the switch port as a trunk and, as is generally best practice, allow only
the necessary VLANs.

Rack4IPS(config)# service interface
Rack4IPS(config-int)# physical-interfaces GigabitEthernet0/0
Rack4IPS(config-int-phy)# admin-state enabled
Rack4IPS(config-int-phy)# subinterface-type inline-vlan-pair
Rack4IPS(config-int-phy-inl)# subinterface 1
Rack4IPS(config-int-phy-inl-sub)# vlan1 106
Rack4IPS(config-int-phy-inl-sub)# vlan2 102
Rack4IPS(config-int-phy-inl-sub)# exit
Rack4IPS(config-int-phy-inl)# exit
Rack4IPS(config-int-phy)# exit
Rack4IPS(config-int)# exit
Apply Changes:?[yes]: yes

Assign the subinterface to the analysis engine:

Rack4IPS(config)# service analysis-engine
Rack4IPS(config-ana)# virtual-sensor vs0
Rack4IPS(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 1
Rack4IPS(config-ana-vir)# exit
Rack4IPS(config-ana)# exit
Apply Changes:?[yes]: yes

SW2:
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 102,106
switchport mode trunk


Task 6.2 Verification


To check that the inline VLAN pair works, we can ping from R2 to R6 on subnet
174.1.255.0. Since the IPS has already synchronized NTP with BB1, we know it works.

Rack4R2#ping 174.1.255.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.255.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Task 6.3 Solution


Define a new signature using the IPS CLI. This could also be configured using
the GUI.

IPS:
Rack4IPS# conf t
Rack4IPS(config)# service signature-definition sig0
Rack4IPS(config-sig)# signatures 60001 0
Rack4IPS(config-sig-sig)# engine atomic-ip
Rack4IPS(config-sig-sig-ato)# specify-l4-protocol yes
Rack4IPS(config-sig-sig-ato-yes)# l4-protocol other-protocol
Rack4IPS(config-sig-sig-ato-yes-oth)# other-ip-protocol-id 77
Rack4IPS(config-sig-sig-ato-yes-oth)# exit
Rack4IPS(config-sig-sig-ato)# event-action log-attacker-packets
Rack4IPS(config-sig-sig-ato)# exit
Rack4IPS(config-sig-sig)# alert-severity high
Rack4IPS(config-sig-sig)# status
Rack4IPS(config-sig-sig-sta)# enabled true
Rack4IPS(config-sig-sig-sta)# exit
Rack4IPS(config-sig-sig)# exit
Rack4IPS(config-sig)# exit
Apply Changes?[yes]: yes


Task 6.3 Verification


First we need to check that the signature was created as required. Since we can't
generate traffic for protocol number 77, we can't test the signature itself.

Rack4IPS(config-sig)# show settings | b 60001
sig-id: 60001
subsig-id: 0
-----------------------------------------------
alert-severity: high default: medium
sig-fidelity-rating: 75 <defaulted>
promisc-delta: 0 <defaulted>
sig-description
-----------------------------------------------
sig-name: My Sig <defaulted>
sig-string-info: My Sig Info <defaulted>
sig-comment: Sig Comment <defaulted>
alert-traits: 0 <defaulted>
release: custom <defaulted>
-----------------------------------------------
engine
-----------------------------------------------
atomic-ip
-----------------------------------------------
event-action: log-attacker-packets default: produce-alert
fragment-status: any <defaulted>
specify-l4-protocol
-----------------------------------------------
yes
-----------------------------------------------
l4-protocol
-----------------------------------------------
other-protocol
-----------------------------------------------
other-ip-protocol-id: 77
alert-frequency
-----------------------------------------------
summary-mode
-----------------------------------------------
summarize
-----------------------------------------------
summary-interval: 15 <defaulted>
summary-key: Axxx <defaulted>
specify-global-summary-threshold
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------


-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
status
-----------------------------------------------
enabled: true default: true

Task 6.4 Solution


Create the new signature using the CLI and not the IDM GUI wizard. The
summary mode “fire-all” ensures an event will be triggered for every matching
packet.

IPS:
Rack4IPS(config)# service signature-definition sig0
Rack4IPS(config-sig)# signatures 60002 0
Rack4IPS(config-sig-sig)# engine service-http
Rack4IPS(config-sig-sig-ser)# de-obfuscate true
Rack4IPS(config-sig-sig-ser)# event-action deny-attacker-inline
Rack4IPS(config-sig-sig-ser)# service-ports 80,8080
Rack4IPS(config-sig-sig-ser)# regex
Rack4IPS(config-sig-sig-ser-reg)# specify-uri-regex yes
Rack4IPS(config-sig-sig-ser-reg-yes)# uri-regex [cC][mM][dD]\.[eE][xX][eE]
Rack4IPS(config-sig-sig-ser-reg-yes)# exi
Rack4IPS(config-sig-sig-ser-reg)# exi
Rack4IPS(config-sig-sig-ser)# exi
Rack4IPS(config-sig-sig)# sig-description
Rack4IPS(config-sig-sig-sig)# sig-name "HTTP cmd.exe"
Rack4IPS(config-sig-sig-sig)# exit
Rack4IPS(config-sig-sig)# alert-severity high
Rack4IPS(config-sig-sig)# sig-fidelity-rating 50
Rack4IPS(config-sig-sig)# alert-frequency
Rack4IPS(config-sig-sig-ale)# summary-mode fire-all
Rack4IPS(config-sig-sig-ale-fir)# exit
Rack4IPS(config-sig-sig-ale)# exit
Rack4IPS(config-sig-sig)# exit
Rack4IPS(config-sig)# exit
Apply Changes:?[yes]: yes


Task 6.4 Verification


Our signature matches the string "cmd.exe" case-insensitively, which may or may
not be required; the question does not say.

Rack4IPS# show events

Rack4SW2#copy http://150.4.6.6/cmd.exe null:

Rack4IPS# show statistics denied-attackers
Denied Attackers and hit count for each.
   174.1.38.8 = 11
Statistics for Virtual Sensor vs0
   Denied Attackers with percent denied and hit count for each.
   Attacker Address  Victim Address  Port  Protocol  Requested Percentage  Actual Percentage  Hit Count
   174.1.38.8                                        100                   100                11

This will block SW2 and may break the topology. Make sure to remove the block
after testing. You may accomplish it through the GUI or CLI.

Rack4IPS# clear denied-attackers
Warning: Executing this command will delete all addresses from the list of attackers currently being denied by the sensor.
Continue with clear? [yes]: yes
Rack4IPS#

Task 7.1 Solution


Be aware that “service password-encryption” does not encrypt all passwords on
a Cisco router. In our case it will not encrypt ISAKMP keys.

R3, R4:
!
! Encrypt line passwords and enable
service password-encryption
!
! Encrypt OSPF keys and ISAKMP pre-shared keys
password encryption aes
key config-key password-encrypt CISCO123


Task 7.1 Verification


Rack4R3#show running-config | i password 7 |-key|enable p
enable password 7 13061E010803
ip ospf authentication-key 7 106D202A2638
ip ospf message-digest-key 1 md5 7 05282F3C0263
ip ospf message-digest-key 1 md5 7 0802657D2A36
password 7 14141B180F0B

Rack4R4#show running-config | i password 7|-key|enable p|isakmp key
enable password 7 121A0C041104
username OPERATOR privilege 15 view HTTP password 7 05282F3C0263
username ADMIN privilege 15 password 7 123A2C243124
crypto isakmp key 6 HAgfDicIg[WHUGd^BNDRUXfiKJAAAB address 150.4.0.0 255.255.0.0
password 7 094F471A1A0A
password 7 094F471A1A0A
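The key-chain trick in the Task 5.2 note and the type 7 strings listed above are two views of the same weakness: type 7 is reversible obfuscation, which is why Task 7.1 moves the keys that matter to AES. As an added example that is not part of the workbook, the Python script below performs that decoding offline and audits a saved configuration so the remaining type 7 strings can be scheduled for replacement; the function names and SAMPLE_CONFIG are my own, assembled from the values shown on this page.

```python
"""Audit a saved IOS configuration for reversible type 7 strings.

Constructed example for this guide (not Cisco code). It performs offline the
same decoding that the key-chain trick in Task 5.2 does on the router, so the
strings that 'service password-encryption' leaves behind in Task 7.1 can be
listed and replaced with type 5/8/9 secrets, or protected with
'password encryption aes' where the router must be able to read the key back.
"""
import re

# Fixed key stream of the IOS type 7 scheme. It is public, which is exactly why
# type 7 is obfuscation rather than encryption.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# "<keyword> 7 <hex>" as it appears in running-config lines
_TYPE7_RE = re.compile(
    r"\b(?:password|key-string|key|md5)\s+7\s+([0-9A-Fa-f]{4,})\b")
# "key 6 <blob>": AES-encrypted (Task 7.1), not recoverable without the master key
_TYPE6_RE = re.compile(r"\bkey\s+6\s+\S+")


def decode_type7(encoded: str) -> str:
    """Decode a type 7 string such as 00111D0D0A541C085C.

    The first two characters are a decimal offset into the key stream; every
    following pair of hex digits is one clear-text byte XORed with the next
    key-stream byte. Raises ValueError on malformed input.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    try:
        seed = int(encoded[:2], 10)
        body = bytes.fromhex(encoded[2:])
    except ValueError as exc:
        raise ValueError(f"malformed type 7 string: {encoded!r}") from exc
    clear = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("ascii", errors="replace")


def audit_config(config_text: str) -> list:
    """Return one finding per line that carries a type 7 or type 6 string."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m7 = _TYPE7_RE.search(line)
        if m7:
            findings.append({"line": lineno, "text": line.strip(),
                             "scheme": "type 7 (reversible)",
                             "cleartext": decode_type7(m7.group(1))})
        elif _TYPE6_RE.search(line):
            findings.append({"line": lineno, "text": line.strip(),
                             "scheme": "type 6 (AES, needs the router's master key)",
                             "cleartext": None})
    return findings


# Constructed sample: the strings shown in the Task 5.2 note and the Task 7.1
# verification, plus the AES-encrypted ISAKMP key from R4.
SAMPLE_CONFIG = """\
key-string 7 00111D0D0A541C085C
enable password 7 13061E010803
username OPERATOR privilege 15 view HTTP password 7 05282F3C0263
ip ospf authentication-key 7 106D202A2638
crypto isakmp key 6 HAgfDicIg[WHUGd^BNDRUXfiKJAAAB address 150.4.0.0 255.255.0.0
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        shown = f["cleartext"] if f["cleartext"] is not None else "(not reversible offline)"
        print(f"line {f['line']}: {f['scheme']}: {f['text']} -> {shown}")
```

Run against the sample, the script recovers "unknown3" for the Task 5.2 key string and the lab passwords for the type 7 lines, while the type 6 ISAKMP key is only reported, not decoded.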

Task 7.2 Solution


R6:
ip access-list extended RFC2827_IN
deny ip 10.0.0.0 0.0.0.255 any log
deny ip 174.1.0.0 0.0.255.255 any log
deny ip 150.4.0.0 0.0.15.255 any log
1000 permit ip any any
!
ip access-list extended RFC2827_OUT
permit ip 10.0.0.0 0.0.0.255 any
permit ip 174.1.0.0 0.0.255.255 any
permit ip 150.4.0.0 0.0.15.255 any
!
interface virtual-template 1
ip access-group RFC2827_IN in
ip access-group RFC2827_OUT out

Task 7.2 Verification


Since we can't configure BB1, we will test only the outbound filtering. Create a
Loopback on R2 with an IP address outside the allowed range and ping BB1. Make
sure to remove it after testing.

R2:
interface Loopback2
ip address 2.2.2.2 255.255.255.255
!


Rack4R2#ping 54.4.8.254 source loopback 2 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 54.4.8.254, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
..
Success rate is 0 percent (0/2)

R6:
!
Rack4R6# debug ip icmp
Rack4R6#
ICMP: dst (54.4.8.254) administratively prohibited unreachable sent to 2.2.2.2
Rack4R6#
ICMP: dst (54.4.8.254) administratively prohibited unreachable sent to 2.2.2.2

Task 7.3 Solution


R6:
ip access-list extended FILTER_IP_OPTION
deny ip any any option sdb
permit ip any any
!
interface FastEthernet 0/1
ip access-group FILTER_IP_OPTION in

Task 7.4 Solution


ICMP Unreachables are process switched. Thus we need a local policy route-map
to redirect unreachables to Null0.

SW2:
!
ip access-list extended UNREACHABLES_TO_RFC1918
permit icmp any 10.0.0.0 0.255.255.255 unreachable
permit icmp any 172.16.0.0 0.15.255.255 unreachable
permit icmp any 192.168.0.0 0.0.255.255 unreachable
!
route-map FILTER_UNREACHABLES permit 10
match ip address UNREACHABLES_TO_RFC1918
set interface Null0
!
ip local policy route-map FILTER_UNREACHABLES


Task 7.4 Verification


For testing purposes, disable OSPF between R3 and SW2, shut down the Loopback
on SW2 and create a static route on R3 for the SW2 Loopback. Next, ping the
new Loopback from R3 with a source address from the RFC1918 range (10.0.0.3).
Verify that no unreachables are being sent.

Rack4R3#ping 150.4.8.8 source 174.1.38.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.4.8.8, timeout is 2 seconds:
Packet sent with a source address of 174.1.38.3
U.U.U
Success rate is 0 percent (0/5)
Rack4R3#
ICMP: dst (174.1.38.3) host unreachable rcv from 174.1.38.8
ICMP: dst (174.1.38.3) host unreachable rcv from 174.1.38.8
ICMP: dst (174.1.38.3) host unreachable rcv from 174.1.38.8

Rack4R3#ping 150.4.8.8 source 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.4.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.3
.....
Success rate is 0 percent (0/5)

Task 7.5 Solution


R6:
!
! Identify interfaces involved in NAT process. We have PPP over FR, so
! nat statement is applied NOT on Serial interface
!
interface virtual-template 1
ip nat outside
!
interface FastEthernet 0/0
ip nat inside
!
interface FastEthernet 0/1
ip nat inside
!
interface loopback0
ip nat inside


!
! Identify Loopback range
!
ip access-list standard LOOPBACKS
permit 150.4.0.0 0.0.255.255

!
! Create NAT pool and configure PAT
!
ip nat pool NAT_POOL 192.168.1.50 192.168.1.51 prefix-length 24
ip nat inside source list LOOPBACKS pool NAT_POOL overload
!
ip route 192.168.1.50 255.255.255.254 Null0

!
! Announce NAT pool into BGP
!
router bgp 100
network 192.168.1.50 mask 255.255.255.254
!
! Comply with RFC2827 as Task 7.2 requires
!
ip access-list extended RFC2827_OUT
permit ip 192.168.1.50 0.0.0.1 any
!
ip access-list extended RFC2827_IN
40 deny ip 192.168.1.50 0.0.0.1 any log
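To see how RFC2827_IN and RFC2827_OUT from Task 7.2 behave once the Task 7.5 entries for the NAT pool are added, here is an added example that is not the workbook's own code: a small Python evaluator for IOS extended ACLs with wildcard masks and sequence numbers. The class and function names are my own; the ACL entries and the test addresses are the ones on this page.

```python
"""Offline evaluator for the RFC 2827 anti-spoofing ACLs of Tasks 7.2 and 7.5.

Constructed example for this guide (not Cisco code). It models the IOS
behaviour the two tasks rely on: wildcard masks (a 0 bit must match, a 1 bit
is ignored), first match wins in sequence order, an implicit deny at the end,
and sequence-numbered insertion, which is how Task 7.5 places
'40 deny ip 192.168.1.50 0.0.0.1 any log' ahead of the '1000 permit ip any any'
entry of RFC2827_IN. Only 'ip <src> <dst>' entries are supported, since that is
all the two ACLs contain, and only the source address is evaluated.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    src: int         # source network as an integer
    wild: int        # wildcard mask: 1 bits are "don't care"
    log: bool


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_match(tokens: list):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (net, wild, consumed)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, 2
    return _addr(tokens[0]), _addr(tokens[1]), 2


def wildcard_match(addr: int, net: int, wild: int) -> bool:
    """IOS wildcard test: bits where the wildcard is 0 must be equal."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


class ExtendedAcl:
    def __init__(self, name: str):
        self.name = name
        self.aces = {}       # seq -> Ace
        self._next_seq = 10  # IOS numbers unnumbered entries 10, 20, 30, ...

    def add(self, entry: str):
        """Add an entry as typed in 'ip access-list extended' mode."""
        tok = entry.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else self._next_seq
        action = tok.pop(0)
        if action not in ("permit", "deny") or tok.pop(0) != "ip":
            raise ValueError(f"unsupported entry: {entry!r}")
        net, wild, n = _parse_match(tok)
        tok = tok[n:]
        _, _, n = _parse_match(tok)   # destination: parsed, not evaluated
        tok = tok[n:]
        self.aces[seq] = Ace(seq, action, net, wild, "log" in tok)
        self._next_seq = max(self._next_seq, seq + 10)

    def evaluate(self, src: str):
        """Return (action, matching_seq); seq is None for the implicit deny."""
        a = _addr(src)
        for seq in sorted(self.aces):
            ace = self.aces[seq]
            if wildcard_match(a, ace.src, ace.wild):
                return ace.action, seq
        return "deny", None


def build_rfc2827_acls():
    """The ACLs of Task 7.2 plus the Task 7.5 additions for the NAT pool."""
    acl_in = ExtendedAcl("RFC2827_IN")
    for e in ("deny ip 10.0.0.0 0.0.0.255 any log",
              "deny ip 174.1.0.0 0.0.255.255 any log",
              "deny ip 150.4.0.0 0.0.15.255 any log",
              "1000 permit ip any any"):
        acl_in.add(e)
    acl_out = ExtendedAcl("RFC2827_OUT")
    for e in ("permit ip 10.0.0.0 0.0.0.255 any",
              "permit ip 174.1.0.0 0.0.255.255 any",
              "permit ip 150.4.0.0 0.0.15.255 any"):
        acl_out.add(e)
    # Task 7.5: the translated pool 192.168.1.50/31 must be allowed out and
    # must not be accepted coming back in from the outside
    acl_out.add("permit ip 192.168.1.50 0.0.0.1 any")
    acl_in.add("40 deny ip 192.168.1.50 0.0.0.1 any log")
    return acl_in, acl_out


if __name__ == "__main__":
    acl_in, acl_out = build_rfc2827_acls()
    # outbound: 2.2.2.2 from the Task 7.2 test falls through to the implicit deny;
    # 150.4.16.1 shows that 0.0.15.255 is a /20 wildcard, not /16
    for src in ("2.2.2.2", "150.4.2.2", "192.168.1.51", "150.4.16.1"):
        print("OUT", src, acl_out.evaluate(src))
    # inbound: spoofed internal sources and the NAT pool are denied at the edge
    for src in ("54.4.8.254", "10.0.0.100", "192.168.1.50"):
        print("IN", src, acl_in.evaluate(src))
```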

Task 7.5 Verification


Verify that only packets sourced from range 150.4.0.0/16 are being translated.

Rack4R2#ping 54.4.8.254 source 174.1.255.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 54.4.8.254, timeout is 2 seconds:
Packet sent with a source address of 174.1.255.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms

Rack4R6#show ip nat translations

Rack4R2#ping 54.4.8.254 source 150.4.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 54.4.8.254, timeout is 2 seconds:
Packet sent with a source address of 150.4.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms


Rack4R6#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.51:27   150.4.2.2:27       54.4.8.254:27      54.4.8.254:27
Rack4R6#

Task 7.6 Solution


We need to match a certain string in HTTP packets, so application inspection is
used. CEF is required.

R6:
!
! CEF is required to match protocol
!
ip cef

!
! Match the string in HTTP packets
!
class-map match-all WORM
match protocol http url "*root.exe*"
!
policy-map MITIGATE_WORM
class WORM
drop
!
interface Virtual-Template1
service-policy input MITIGATE_WORM

Task 7.7 Solution


R4:
!
! Load FPM IP and TCP protocol definitions on router
!
load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/tcp.phdf

!
! Match telnet traffic in both directions
!
class-map type access-control match-any TELNET
match field TCP dest-port eq 23
match field TCP source-port eq 23


!
! Match TCP over IP
!
class-map type stack match-all TCP_TRAFFIC
match field IP protocol eq 0x6 next TCP

!
! Drop matched traffic
!
policy-map type access-control BLOCK_TELNET
class TELNET
drop
!
policy-map type access-control INTERFACE_POLICY
class TCP_TRAFFIC
service-policy BLOCK_TELNET

!
! Apply policy-map
!
interface Serial 0/0
service-policy type access-control output INTERFACE_POLICY
!
interface Serial 0/1
service-policy type access-control output INTERFACE_POLICY

Task 7.7 Verification


Initiate telnet traffic from behind R4 and observe packets matching the policy.

Rack4SW1#telnet 174.1.145.1
Trying 174.1.145.1 ...
% Connection timed out; remote host not responding

Rack4R4#show policy-map type access-control interface serial 0/0

 Serial0/0

  Service-policy access-control output: INTERFACE_POLICY

    Class-map: TCP_TRAFFIC (match-all)
      20 packets, 1317 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x6 next TCP

      Service-policy access-control : BLOCK_TELNET

        Class-map: TELNET (match-any)
          2 packets, 120 bytes
          5 minute offered rate 0 bps
          Match: field TCP dest-port eq 23
          Match: field TCP source-port eq 23
          drop

        Class-map: class-default (match-any)
          18 packets, 1197 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Task 8.1 Solution


R6:
!
! Identify the VLANs subnet
!
access-list 100 permit tcp any 174.1.255.0 0.0.0.255
!
! Intercept connections to servers in list
!
ip tcp intercept list 100
ip tcp intercept watch-timeout 15
ip tcp intercept max-incomplete low 1200 high 1500
ip tcp intercept mode watch
ip tcp intercept drop-mode random

Task 8.1 Verification


Advertise the local network into BGP so that a backbone router can see it. This is
needed only for verification purposes; additionally, in the real exam you won't be
able to access the backbone routers. Next, simulate traffic to a non-existent host
in VLAN 255 and watch the debugging output on R6.


Rack4R6#debug ip tcp intercept
TCP intercept debugging is on

Rack4R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack4R6(config)#router bgp 100
Rack4R6(config-router)#network 174.1.255.0 mask 255.255.255.0
Rack4R6#
10:59:07.615: %SYS-5-CONFIG_I: Configured from console by console

BB1#telnet 174.1.255.200
Trying 174.1.255.200 ...
% Connection timed out; remote host not responding

Rack4R6#
*10:59:15.851: INTERCEPT: new connection (54.4.8.254:20209 SYN -> 174.1.255.200:23)
*10:59:17.851: INTERCEPT: client packet passed in SYNSENT (54.4.8.254:20209 -> 174.1.255.200:23)
*10:59:21.851: INTERCEPT: client packet passed in SYNSENT (54.4.8.254:20209 -> 174.1.255.200:23)
*10:59:29.931: INTERCEPT: client packet passed in SYNSENT (54.4.8.254:20209 -> 174.1.255.200:23)
*10:59:30.851: INTERCEPT: SYNSENT timing out (54.4.8.254:20209 <-> 174.1.255.200:23)
*10:59:30.851: INTERCEPT(*): (54.4.8.254:20209 RST -> 174.1.255.200:23)

Another way is to create a route to Null0 for SW1’s Vlan67 IP address on R2 and
then telnet from SW1 to R2. This will trigger the TCP intercept feature on R6.

Rack4SW1#telnet 174.1.255.2
Trying 174.1.255.2 ...
% Connection timed out; remote host not responding

Rack4SW1#telnet 174.1.255.2
Trying 174.1.255.2 ...
% Connection timed out; remote host not responding

Rack4R6#show tcp intercept statistics
Watching new connections using access-list 100
2 incomplete, 0 established connections (total 2)
5 connection requests per minute

Rack4R6#show tcp intercept connections
Incomplete:
Client                Server                State    Create   Timeout  Mode
174.1.67.7:58576      174.1.255.2:23        SYNSENT  00:00:14 00:00:00 W
<snip>
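As an added example that is not part of the workbook, the Python model below replays the watch-mode behaviour seen in the debug output above (SYN watched, retransmissions passed, RST when the server never completes) together with the max-incomplete thresholds and random drop mode from the Task 8.1 configuration. TcpInterceptWatch and its methods are my own names, the timing and host addresses are the constructed replay of the verification, and the model simplifies the IOS feature (the one-minute connection-rate trigger is left out).

```python
"""Model of the IOS TCP Intercept watch mode that R6 runs in Task 8.1.

Constructed example for this guide (not Cisco code). A new SYN is watched,
client retransmissions pass, and a connection the server has not completed
within watch-timeout is reset; above 'max-incomplete high' the model enters
aggressive mode (halved timeout, one eviction per new SYN, random per
'drop-mode random') and leaves it below 'low'. Times are in seconds and 'log'
mirrors the shape of the 'debug ip tcp intercept' lines.
"""
import random
from dataclasses import dataclass


@dataclass
class HalfOpen:
    client: tuple    # (ip, port)
    server: tuple    # (ip, port)
    created: float


class TcpInterceptWatch:
    def __init__(self, watch_timeout=15.0, low=1200, high=1500,
                 drop_mode="random", rng=None):
        self.watch_timeout = watch_timeout
        self.low, self.high = low, high
        self.drop_mode = drop_mode            # "random" or "oldest"
        self.rng = rng or random.Random(0)
        self.incomplete = {}                  # (client, server) -> HalfOpen
        self.established = 0
        self.aggressive = False
        self.log = []

    @staticmethod
    def _fmt(c, s, arrow):
        return f"({c[0]}:{c[1]} {arrow} {s[0]}:{s[1]})"

    def _reset(self, key, why):
        """Drop a half-open entry and reset the server side, as watch mode does."""
        h = self.incomplete.pop(key)
        self.log.append(f"INTERCEPT: {why} {self._fmt(h.client, h.server, '<->')}")
        self.log.append(f"INTERCEPT(*): {self._fmt(h.client, h.server, 'RST ->')}")

    def _update_mode(self):
        # enter aggressive mode above 'high', leave it again below 'low'
        n = len(self.incomplete)
        if n > self.high:
            self.aggressive = True
        elif n < self.low:
            self.aggressive = False

    def _timeout(self):
        # aggressive mode halves the watch timeout
        return self.watch_timeout / 2 if self.aggressive else self.watch_timeout

    def syn(self, now, client, server):
        """A client SYN towards a watched server (access-list 100 matched)."""
        key = (client, server)
        if key in self.incomplete:
            # retransmission of a SYN already being watched: passed through
            self.log.append("INTERCEPT: client packet passed in SYNSENT "
                            + self._fmt(client, server, "->"))
            return "passed"
        if self.aggressive and self.incomplete:
            # every new arrival evicts one half-open entry (random or oldest)
            if self.drop_mode == "random":
                victim = self.rng.choice(list(self.incomplete))
            else:
                victim = min(self.incomplete, key=lambda k: self.incomplete[k].created)
            self._reset(victim, "aggressive mode, dropping")
        self.incomplete[key] = HalfOpen(client, server, now)
        self.log.append("INTERCEPT: new connection " + self._fmt(client, server, "SYN ->"))
        self._update_mode()
        return "watching"

    def syn_ack(self, now, client, server):
        """The server answered at time 'now': the connection is no longer half-open."""
        key = (client, server)
        if key not in self.incomplete:
            return "ignored"
        del self.incomplete[key]
        self.established += 1
        self.log.append("INTERCEPT: established " + self._fmt(client, server, "<->"))
        self._update_mode()
        return "established"

    def tick(self, now):
        """Expire half-open entries the server has not answered in time."""
        limit = self._timeout()
        expired = [k for k, h in self.incomplete.items() if now - h.created >= limit]
        for k in expired:
            self._reset(k, "SYNSENT timing out")
        self._update_mode()
        return len(expired)

    def stats(self):
        return {"incomplete": len(self.incomplete),
                "established": self.established,
                "aggressive": self.aggressive}
```

Replaying the verification (one SYN from 54.4.8.254:20209 to 174.1.255.200:23, a few retransmissions, then tick(15.0)) produces the same "SYNSENT timing out" and RST lines as the router; feeding more than 1500 SYNs without answers flips the model into aggressive mode.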


Task 8.2 Solution


ASA2:
!
! Disallow fragmented packets
!
fragment chain 1 VLAN135

!
! Match TCP traffic to server
!
access-list TRAFFIC_TO_SERVER permit tcp any host 192.10.4.50
!
class-map TRAFFIC_TO_SERVER
match access-list TRAFFIC_TO_SERVER
!
! Create TCP map for TCP normalization
tcp-map NORMALIZE
checksum-verification
reserved-bits clear
syn-data drop
!
! Options of kind 6 and 7 are TCP Echo and Echo Reply
!
tcp-options range 6 7 allow

!
! Apply the policy
!
policy-map global_policy
class TRAFFIC_TO_SERVER
set connection conn-max 2000 embryonic-conn-max 500
set connection advanced-options NORMALIZE

Task 8.2 Verification


Rack4ASA2(config)# show service-policy global

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns migrated_dns_map_1, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0


Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Class-map: TRAFFIC_TO_SERVER
Set connection policy: conn-max 2000 embryonic-conn-max 500
current embryonic conns 0, current conns 0, drop 0
Set connection advanced-options: NORMALIZE
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 0 SYN with data drops: 0
Out-of-order packets: 0 No buffer drops : 0
Reserved bit cleared: 0 Reserved bit drops : 0
IP TTL modified : 0 Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0 Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0


Task 8.3 Solution


IDM:

Step 1:

Activate/Enable the ICMP Smurf signature and edit the signature settings as follows.
Navigate to Configuration | Policies | Signature Definitions | sig0. Change
"Select by" to "DoS" and select the "ICMP Smurf Attack" signature, then click the
Edit button.


Step 2:

Tune the signature’s Event Action to “Request Rate Limit” and set External
Rate-limit Percentage to 25%:


Step 3:

Add a new blocking device login profile. Navigate to Configuration |
Blocking | Device Login Profiles and click the Add button. Set the
Login Password and Enable Password to "cisco".


Step 4:

Add a new blocking device. Navigate to Configuration | Blocking |
Blocking Devices and click the Add button. Fill in the fields according to the
following screenshot.


Step 5:

Add a new blocking device interface. Navigate to Configuration | Blocking |
Router Blocking Device Interfaces and click the Add button.


Task 8.3 Verification


Simulate an ICMP smurf attack from SW1 towards R6 and confirm that the IPS
sensor logs in to R2 and installs a rate-limiting policy-map there. Note that
the ACL the sensor pushes matches echo-replies towards 174.1.123.12, the
(spoofed) source address that a smurf attack floods, rather than the echo
requests themselves.

SW1:
interface Loopback100
ip address 174.1.123.12 255.255.255.0

Rack4SW1#ping 150.4.6.6 source loopback 100 repeat 50 timeout 0

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 150.4.6.6, timeout is 0 seconds:
Packet sent with a source address of 174.1.123.12
..................................................
Success rate is 0 percent (0/50)

Rack4R2#show policy-map interface serial 0/0.23

Serial0/0.23

Service-policy output: IDS_RL_POLICY_MAP_1

Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-0_1 (match-any)
50 packets, 5200 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name IDS_RL_ACL_icmp-xxBx-0_1
50 packets, 5200 bytes
5 minute rate 0 bps
police:
cir 25 %
cir 386000 bps, bc 12062 bytes
conformed 50 packets, 5200 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
94 packets, 8503 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

Rack4R2#show ip access-lists IDS_RL_ACL_icmp-xxBx-0_1
Extended IP access list IDS_RL_ACL_icmp-xxBx-0_1
10 permit icmp any host 174.1.123.12 echo-reply (50 matches)
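The detection logic behind the signature and the numbers in the policer output, as an added example that is not part of the INE guide or of Cisco's IPS code: a smurf attack floods the spoofed source address with echo-replies from many amplifier hosts, so a sensor can flag a destination that receives a burst of echo-replies from many distinct sources without having sent echo requests, and the rate limit pushed to the blocking device is a percentage of that interface's bandwidth. The flow records are constructed; the 1544 kbps serial bandwidth used to reproduce the cir of 386000 bps and the cir/32 burst rule are assumptions about the lab link and the IOS policer default, not facts taken from the workbook.

```python
"""Smurf detection and IPS-style rate-limit derivation.
Added example, not from the INE workbook or Cisco; flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class IcmpRecord:
    ts: float          # seconds
    src: str
    dst: str
    icmp_type: int


def find_smurf_victims(records, window=1.0, min_replies=20, min_sources=5):
    """Return {victim: (replies_in_busiest_window, distinct_sources)} for hosts
    that receive a burst of echo-replies from many amplifiers they never pinged."""
    requests_sent = defaultdict(int)          # src -> echo requests seen from it
    replies_to = defaultdict(list)            # dst -> [(ts, src)]
    for r in records:
        if r.icmp_type == ECHO_REQUEST:
            requests_sent[r.src] += 1
        elif r.icmp_type == ECHO_REPLY:
            replies_to[r.dst].append((r.ts, r.src))

    victims = {}
    for dst, hits in replies_to.items():
        hits.sort()
        best_count, best_sources, lo = 0, 0, 0
        for hi in range(len(hits)):           # sliding window over time
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            count = hi - lo + 1
            if count > best_count:
                best_count = count
                best_sources = len({src for _, src in hits[lo:hi + 1]})
        unsolicited = best_count - requests_sent[dst]
        if unsolicited >= min_replies and best_sources >= min_sources:
            victims[dst] = (best_count, best_sources)
    return victims


def rate_limit_ace(victim: str) -> str:
    """The ACE the sensor installs on the blocking device (compare the
    IDS_RL_ACL_* access-list in the verification output)."""
    return f"permit icmp any host {victim} echo-reply"


def policer_cir_bps(interface_kbps: int, percent: int) -> int:
    """'cir <percent> %' is resolved against the interface bandwidth."""
    return interface_kbps * 1000 * percent // 100


def default_bc_bytes(cir_bps: int) -> int:
    """Assumed IOS default when no bc is given: 250 ms of CIR, i.e. cir/32 bytes."""
    return cir_bps // 32


# Constructed sample: ten amplifier hosts each return three echo-replies to the
# spoofed victim within 300 ms; a legitimate host pings once and gets answers.
AMPLIFIERS = [f"10.9.0.{i}" for i in range(1, 11)]
SAMPLE_RECORDS = (
    [IcmpRecord(0.01 * n, AMPLIFIERS[n % 10], "174.1.123.12", ECHO_REPLY) for n in range(30)]
    + [IcmpRecord(5.0 + i, "10.5.5.100", "150.4.6.6", ECHO_REQUEST) for i in range(5)]
    + [IcmpRecord(5.1 + i, "150.4.6.6", "10.5.5.100", ECHO_REPLY) for i in range(5)]
)


def demo():
    """Victims with the ACE to push, and the cir for 25% of an assumed T1."""
    victims = find_smurf_victims(SAMPLE_RECORDS)
    return {v: rate_limit_ace(v) for v in victims}, policer_cir_bps(1544, 25)


if __name__ == "__main__":
    print(demo())
```

With the assumed 1544 kbps bandwidth, 25% gives exactly the cir 386000 bps shown above, and cir/32 gives the bc 12062 bytes; on a link with a different bandwidth statement the same 25% produces a different absolute rate, which is worth checking before relying on the limit.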

CCIE Security Lab Workbook Vol II Solutions Guide for CCIEv3.0 Lab 4

IEWB-SC-VOL2 Lab 4 Solutions


Task 1.1 Solution
ASA1:
hostname ASA1

!
! Configure the OUT redundant interface
!
interface redundant1
member-interface eth0/1
nameif OUT
ip address 163.1.124.12 255.255.255.0

!
! Configure the IN redundant interface
!
interface redundant2
member-interface eth0/2
member-interface eth0/0
nameif IN
ip address 163.1.127.12 255.255.255.0
security-level 100

!
! With redundant interfaces, nothing is configured on physical ones
!
interface eth0/0
no shut
!
interface eth0/1
no shut
!
interface eth0/2
no shut

!
! Create an access-list for EIGRP route filtering, matching the SW1 Loopback
! and VLAN 72 prefixes
!
access-list EIGRP standard permit host 150.4.7.0
access-list EIGRP standard permit host 192.10.4.0

!
! Configure the EIGRP 100 process and filter updates towards R4. Both
! interfaces are matched with a single summarized network statement
!
router eigrp 100
no auto-summary
network 163.1.124.0 255.255.252.0
distribute-list EIGRP out interface OUT


!
! Create the access-list for NAT exemption. The task requires that the SW1
! Loopback and VLAN72 are NOT translated when passing through the ASA. This
! is NAT exemption (nat 0 with an access-list), not identity NAT (nat 0 on
! an address): exemption is evaluated before the dynamic PAT rule below,
! so these sources leave untranslated regardless of nat-id order
!
access-list NONAT permit ip host 150.4.7.7 any
access-list NONAT permit ip 192.10.4.0 255.255.255.0 any

!
! Configure NAT Exemption and PAT
!

nat (IN) 0 access-list NONAT
nat (IN) 1 0 0
global (OUT) 1 163.1.124.200

!
! Allow only the R3, R4 and R5 Loopback0 addresses to ping the ASA1 OUT
! interface. By default ICMP echo to an ASA interface is allowed from any
! source; once explicit icmp entries exist for an interface the list is
! evaluated first-match with an implicit deny at the end, so every other
! ICMP packet addressed to the OUT interface is dropped
!
icmp permit host 150.4.3.3 echo OUT
icmp permit host 150.4.4.4 echo OUT
icmp permit host 150.4.5.5 echo OUT
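The two behaviours the comments above describe, modelled as an added example that is not Cisco's or INE's code: on pre-8.3 ASA code NAT exemption is consulted before the dynamic nat/global pair, so the SW1 loopback leaves untranslated while VLAN 127 traffic is PATed, and the to-the-box icmp list switches from "allow everything" to "first match, implicit deny" as soon as one entry exists for an interface. The flows are constructed, the PAT port allocator is a simplification (a real ASA draws ports from ranges), and treating the implicit deny as per-interface is an assumption noted in the code.

```python
"""ASA 8.2-style NAT selection and to-the-box ICMP control for Task 1.1.
Added example, not Cisco's or INE's code; flows are constructed."""
from ipaddress import ip_address, ip_network
from itertools import count


class Asa82Nat:
    """Order of operations on pre-8.3 code: nat 0 access-list (exemption) is
    checked before dynamic nat/global, so exempt sources never get a PAT xlate."""

    def __init__(self, exempt_prefixes, pat_global: str, first_port: int = 1024):
        self.exempt = [ip_network(p) for p in exempt_prefixes]
        self.pat_global = pat_global
        self._next_port = count(first_port)   # simplified PAT port / ICMP id allocator
        self.xlates = {}                       # (local_ip, local_port) -> global port

    def translate(self, src_ip: str, src_port: int):
        """Return (global_ip, global_port) for a flow leaving IN towards OUT."""
        if any(ip_address(src_ip) in n for n in self.exempt):
            return src_ip, src_port                       # NAT exemption: untouched
        key = (src_ip, src_port)
        if key not in self.xlates:                        # otherwise reuse the xlate
            self.xlates[key] = next(self._next_port)
        return self.pat_global, self.xlates[key]


def icmp_to_box_allowed(rules, src_ip: str, icmp_type: int, ifname: str) -> bool:
    """'icmp permit|deny' semantics: with no entry for an interface all ICMP to
    that interface is accepted; once any entry exists it is first-match with an
    implicit deny. Applying that per interface is an assumption of this model."""
    applicable = [r for r in rules if r["iface"] == ifname]
    if not applicable:
        return True
    for r in applicable:
        if ip_address(src_ip) in ip_network(r["src"]) and r["type"] in (None, icmp_type):
            return r["action"] == "permit"
    return False


# The Task 1.1 configuration, expressed as data.
NONAT_PREFIXES = ["150.4.7.7/32", "192.10.4.0/24"]
PAT_GLOBAL = "163.1.124.200"
ICMP_RULES = [{"iface": "OUT", "src": f"150.4.{n}.{n}/32", "type": 8, "action": "permit"}
              for n in (3, 4, 5)]


def task_1_1_walkthrough() -> dict:
    """Replays the verification: telnet from the loopback keeps its address,
    telnet from VLAN 127 shows the PAT global, R4 can ping OUT only from Lo0."""
    asa = Asa82Nat(NONAT_PREFIXES, PAT_GLOBAL)
    return {
        "sw1_loopback_telnet": asa.translate("150.4.7.7", 11001),
        "sw1_vlan127_telnet": asa.translate("163.1.127.7", 11001),
        "sw1_vlan127_second_flow": asa.translate("163.1.127.7", 11002),
        "r4_lo0_ping_out": icmp_to_box_allowed(ICMP_RULES, "150.4.4.4", 8, "OUT"),
        "r4_vlan124_ping_out": icmp_to_box_allowed(ICMP_RULES, "163.1.124.4", 8, "OUT"),
        "sw1_ping_in": icmp_to_box_allowed(ICMP_RULES, "163.1.127.7", 8, "IN"),
    }


if __name__ == "__main__":
    for name, result in task_1_1_walkthrough().items():
        print(f"{name}: {result}")
```

The practical check this encodes: after adding the first icmp entry on OUT, re-test the sources you still expect to reach the interface, because everything not listed is now silently dropped, including the ICMP types you did not think about.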

Task 1.1 Verification


Check basic connectivity. Verify EIGRP neighbors and that R4 receives only
routes for VLAN72 and SW1 Loopback. Test interface redundancy for IN which
has 2 member interfaces.

ASA1# ping 163.1.127.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.127.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4R4#ping 163.1.124.12

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.124.12, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Rack4R4#ping 163.1.124.12 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.124.12, timeout is 2 seconds:
Packet sent with a source address of 150.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ASA1# show eigrp neighbors

EIGRP-IPv4 neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                (sec)           (ms)         Cnt  Num
1   163.1.127.7     Red2        12    04:45:03  816    4896  0    5
0   163.1.124.4     Red1        13    04:46:13  1      200   0    11

Rack4R4#show ip route eigrp

D EX 192.10.4.0/24 [170/284416] via 163.1.124.12, 00:00:24, FastEthernet0/1
     150.4.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX 150.4.7.0/24 [170/284416] via 163.1.124.12, 00:00:24, FastEthernet0/1

ASA1# show interface redundant 1 | i Member
Member Ethernet0/1(Active)

ASA1# show interface redundant 2 | i Member
Member Ethernet0/0(Active), Ethernet0/2

You can test the translations by establishing telnet connections from SW1. First
connect using the IP address of the VLAN 127 interface and verify that R4 sees the
PAT global address. Next, source the connection from the loopback and verify that
R4 sees the untranslated address.

Rack4SW1#telnet 150.4.4.4
Trying 150.4.4.4 ... Open

User Access Verification

Password:
Rack4R4>show users
Line User Host(s) Idle Location
0 con 0 idle 00:07:21
* 66 vty 0 idle 00:00:00 163.1.124.200

Interface User Mode Idle Peer Address

Rack4R4>


Rack4SW1#telnet 150.4.4.4 /source Loopback0
Trying 150.4.4.4 ... Open

User Access Verification

Password:
Rack4R4>show users
Line User Host(s) Idle Location
0 con 0 idle 00:07:48
* 66 vty 0 idle 00:00:00 150.4.7.7

Interface User Mode Idle Peer Address

Rack4R4>

Task 1.2 Solution


Things are not always as they seem. The show interface output expected for the
contexts lists Redundant9 through Redundant12 as interface names, yet the ASA only
lets you number real redundant interfaces 1 through 8. The names are therefore
mapped names assigned with allocate-interface, which also hides from the context
which physical interface it is actually using.

ASA2:
!
! Configure the ASA to function in multiple context mode
!
mode multiple

!
! After changing modes, reboot and configure contexts.
!
interface eth0/0
no shutdown
interface eth0/1
no shutdown
interface eth0/2
no shutdown
hostname ASA2

!
! Allocate interfaces to the contexts using the required mapped names
!
context A
allocate-interface Ethernet0/0 Redundant9
allocate-interface Ethernet0/1 Redundant10
config-url disk0:/a.cfg


!
context B
allocate-interface Ethernet0/0 Redundant11
allocate-interface Ethernet0/2 Redundant12
config-url disk0:/b.cfg

!
! Notice that the show output lists Context and then Hostname.
! Make sure to adjust the prompt to match.
!
prompt context hostname

ASA2/Context A:
!
! Enter Context configuration mode
!
changeto context A

!
! Configure interfaces with appropriate names, security-levels, MAC
!
interface Redundant9
mac-address 00aa.00aa.0000
nameif AOUT
security-level 0
ip address 163.1.132.113 255.255.255.0
!
interface Redundant10
mac-address 00aa.00aa.0001
nameif AIN
security-level 100
ip address 163.1.136.13 255.255.255.0

!
! Configure default route pointing towards R2
!
route AOUT 0 0 163.1.132.2

!
! Permit ICMP echo from BB3's translated address (the BOUT interface address
! of context B) to R6's Fa0/0 interface; be as specific as possible
!
access-list OUTS permit icmp host 163.1.132.213 host 163.1.136.6 echo
access-group OUTS in interface AOUT

ASA2/Context B:
!
! Enter Context configuration mode
!
changeto context B


!
! Configure interfaces with appropriate names, security-levels, MAC
!
interface Redundant11
mac-address 00bb.00bb.0000
nameif BOUT
security-level 0
ip address 163.1.132.213 255.255.255.0
!
interface Redundant12
mac-address 00bb.00bb.0002
nameif BIN
security-level 100
ip address 204.12.4.13 255.255.255.0

!
! Configure PAT for VLAN 133 traffic
!
nat (BIN) 1 204.12.4.0 255.255.255.0
global (BOUT) 1 interface

!
! Configure default route pointing towards R2
!
route BOUT 0 0 163.1.132.2

!
! Without ICMP inspection the ASA keeps no state for ICMP: the echo from
! BB3 reaches R6, but the echo-reply arriving on BOUT (security-level 0)
! is dropped. There are two ways to fix this: permit echo-reply from R6
! in an ACL applied to the BOUT interface, or enable ICMP inspection in
! the global policy. Since an ACL was already used in context A, use
! inspection here
!
policy-map global_policy
class inspection_default
inspect icmp

R2:
!
! Create route so that R2 knows how to reach VLAN136
!
ip route 163.1.136.0 255.255.255.0 163.1.132.113

R6:
!
! Although the ICMP permissions are in place, R6 has no route back to
! the VLAN132 network, so echo-replies from R6 to BB3 would be black-holed
! by R6's 163.1.0.0/16 summary route to Null0. A specific static route
! for the translated BB3 address is therefore needed on R6.
!
ip route 163.1.132.213 255.255.255.255 163.1.126.13


Task 1.2 Verification


Verify that the show interface output from both contexts matches the task
requirement. Verify that a ping from BB3 to R6 succeeds, with the traffic being
translated in context B but not in context A. For testing you can temporarily
add an SVI and a route on SW1, since you will not have access to the backbone
devices in the actual lab.

SW1:
interface vlan 133
ip address 204.12.4.250 255.255.255.0
ip route 163.1.136.0 255.255.255.0 204.12.4.13

A/ASA2# show interface

Interface Redundant9 "AOUT", is up, line protocol is up
MAC address 00aa.00aa.0000, MTU 1500
IP address 163.1.132.113, subnet mask 255.255.255.0
Traffic Statistics for "AOUT":
45 packets input, 3754 bytes
4 packets output, 112 bytes
17 packets dropped
Interface Redundant10 "AIN", is up, line protocol is up
MAC address 00aa.00aa.0001, MTU 1500
IP address 163.1.136.13, subnet mask 255.255.255.0
Traffic Statistics for "AIN":
3 packets input, 138 bytes
24 packets output, 2112 bytes
0 packets dropped

B/ASA2# show interface

Interface Redundant11 "BOUT", is up, line protocol is up
MAC address 00bb.00bb.0000, MTU 1500
IP address 163.1.132.213, subnet mask 255.255.255.0
Traffic Statistics for "BOUT":
71 packets input, 3807 bytes
70 packets output, 5155 bytes
38 packets dropped
Interface Redundant12 "BIN", is up, line protocol is up
MAC address 00bb.00bb.0002, MTU 1500
IP address 204.12.4.13, subnet mask 255.255.255.0
Traffic Statistics for "BIN":
13931 packets input, 644993 bytes
107 packets output, 5479 bytes
25 packets dropped


Rack4SW1#ping 163.1.136.6 re 100000

Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 163.1.136.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

B/ASA2# show xlate
2 in use, 2 most used
PAT Global 163.1.132.213(31422) Local 204.12.4.250 ICMP id 13
PAT Global 163.1.132.213(48540) Local 204.12.4.250 ICMP id 12

B/ASA2# changeto context A

A/ASA2# show xlate
0 in use, 0 most used
A/ASA2# show conn
2 in use, 2 most used
ICMP AOUT 163.1.132.213:31422 AIN 163.1.136.6:0, idle 0:00:00, bytes 676152
ICMP AOUT 163.1.132.213:31422 AIN 163.1.136.6:0, idle 0:00:00, bytes 676152

Task 2.1 Solution


R3:
!
! Configure inspection for icmp, tcp, udp, smtp for both traffic
! passing through the router and traffic initiated by the router
!
ip inspect name MYFW icmp router-traffic
ip inspect name MYFW tcp router-traffic
ip inspect name MYFW udp router-traffic
ip inspect name MYFW smtp max-data 10000000

!
! Log all packets dropped by CBAC
!
ip inspect log drop-pkt

!
! Change the hash table size to 4096; the default is 1024
!
ip inspect hashtable-size 4096


!
! Create custom tcp inspection for port 999 with idle timeout of 999
! seconds and maximum 20000 concurrent sessions
!
ip port-map user-1 port tcp 999 description CUSTOMAPP
ip inspect name MYFW user-1 timeout 999
ip inspect name MYFW parameter max-sessions 20000

!
! Configure the inbound ACL and allow only HSRP traffic. Entries are
! evaluated in sequence-number order, so the deny at 1000 is last even
! though it is typed first. Although there is an eBGP session between R1
! and R3, BGP need not be permitted: R3's own traffic is inspected
! (router-traffic), so R3's outgoing BGP SYN opens the return path. As a
! consequence the session will always be the one initiated by R3, since
! any SYN from R1 is dropped by the ACL
!
ip access-list extended VLAN13_IN
1000 deny ip any any
10 permit udp host 163.1.13.1 eq 1985 host 224.0.0.2 eq 1985

!
! Apply the access-list inbound and inspection outbound
!
interface FastEthernet 0/0
ip access-group VLAN13_IN in
ip inspect MYFW out

Task 2.1 Verification


To verify the custom port inspection, configure a static NAT on R1 that
redirects TCP port 999 on Fa0/0 to the telnet port of its Loopback0, so that R1
"listens" on port 999. Remove this configuration after testing.

R1:
interface loopback0
ip nat inside
!
interface fastEthernet 0/0
ip nat outside
!
ip nat inside source static tcp 150.4.1.1 23 interface fastEthernet0/0 999

Then, telnet from R4 and you can see the session on the firewall.

Rack4R4#telnet 163.1.13.1 999
Trying 163.1.13.1, 999 ... Open
User Access Verification


Password:
Rack4R1>

Rack4R3#show ip inspect sessions detail

Established Sessions
Session 8464DDA8 (163.1.54.4:49948)=>(163.1.13.1:999) user-1 SIS_OPEN
Created 00:00:36, Last heard 00:00:08
Bytes sent (initiator:responder) [30:77]
In SID 163.1.13.1[999:999]=>163.1.54.4[49948:49948] on ACL VLAN13_IN (10 matches)

ICMP inspection can be verified by pinging from R4 to R1. To verify UDP
inspection, make R1 a DNS server and issue a DNS query from R4.

R1:
ip host TEST 163.1.13.1
ip dns server

R4:
ip name-server 163.1.13.1

Rack4R4#ping TEST
Translating "TEST"...domain server (163.1.13.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/101/104 ms

Rack4R3#show ip inspect sessions detail

Established Sessions
Session 8464DDA8 (163.1.54.4:55879)=>(163.1.13.1:53) udp SIS_OPEN
Created 00:00:03, Last heard 00:00:03
Bytes sent (initiator:responder) [22:38]
In SID 163.1.13.1[53:53]=>163.1.54.4[55879:55879] on ACL VLAN13_IN (1 matches)
Session 8464D550 (163.1.54.4:8)=>(163.1.13.1:0) icmp SIS_OPEN
Created 00:00:02, Last heard 00:00:02
ECHO request
Bytes sent (initiator:responder) [360:360]
In SID 163.1.13.1[0:0]=>163.1.54.4[0:0] on ACL VLAN13_IN (5 matches)
In SID 0.0.0.0[0:0]=>163.1.54.4[3:3] on ACL VLAN13_IN
In SID 0.0.0.0[0:0]=>163.1.54.4[11:11] on ACL VLAN13_IN


Task 2.2 Solution


R5:
!
! Create the two security zones
!
zone security OUTSIDE
zone security INSIDE

!
! Configure class maps to match TCP, UDP and ICMP traffic.
!
class-map type inspect CMAP_TCP
match protocol tcp
!
class-map type inspect CMAP_UDP
match protocol udp
!
class-map type inspect CMAP_ICMP
match protocol icmp

!
! Configure policy map for traffic sourced from INSIDE and destined to
! OUTSIDE. Inspect TCP and UDP. Inspect ICMP and limit it to 32kbps
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
class CMAP_TCP
inspect
class CMAP_UDP
inspect
class CMAP_ICMP
inspect
police rate 32000 burst 6000

!
! Create the zone-pair for traffic sourced from INSIDE zone destined to
! OUTSIDE zone. Attach the firewall policy to the zone-pair
!
zone-pair security ZP_INISIDE_TO_OUTSIDE source INSIDE dest OUTSIDE
service-policy type inspect PMAP_INSIDE_TO_OUTSIDE

!
! Create ACL to match ICMP Echo and Echo-Reply
!
ip access-list extended ACL_ICMP
permit icmp any any echo
permit icmp any any echo-reply

!
! Create ACL to match other traffic needed in future sections
!
ip access-list extended ACL_OTHERSECT


!
! Configure class-map to match ICMP Echo and Echo-Reply
!
class-map type inspect CMAP_ICMP_ECHO_AND_ECHO_REPLY
match access-group name ACL_ICMP
match protocol icmp

!
! Configure class-map to match traffic that needs to be permitted for
! other sections to work
!
class-map type inspect match-any CMAP_OTHER
match access-group name ACL_OTHERSECT

!
! Configure the firewall policies for traffic sourced from OUTSIDE and
! INSIDE and destined to the router itself (self zone). The pass action
! creates no session state, which is why ACL_ICMP must match echo-reply
! as well as echo
!
policy-map type inspect PMAP_OUTSIDE_TO_SELF
class CMAP_ICMP_ECHO_AND_ECHO_REPLY
pass
class CMAP_OTHER
pass
!
policy-map type inspect PMAP_INSIDE_TO_SELF
class CMAP_ICMP_ECHO_AND_ECHO_REPLY
pass

!
! Create the zone-pairs for traffic sourced from INSIDE, OUTSIDE zones
! to SELF ZONE. Attach the firewall policy to the zone-pair
!
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE dest self
service-policy type inspect PMAP_OUTSIDE_TO_SELF

zone-pair security ZP_INSIDE_TO_SELF source INSIDE dest self
service-policy type inspect PMAP_INSIDE_TO_SELF

!
! Assign interfaces to security zones
!
interface FastEthernet0/0
zone security INSIDE

interface Serial0/0.54
zone security OUTSIDE

interface Serial0/0.35
zone security OUTSIDE

interface Serial0/1
zone security OUTSIDE
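How the two firewalls decide on a packet, as an added example that is not INE's or Cisco's code: a small model of an IOS inspection firewall covering both Task 2.1 (CBAC: ACL entries evaluated in sequence-number order, return traffic admitted through the session table before the ACL is consulted, and the ICMP return entries that show ip inspect sessions detail lists) and Task 2.2 (ZBF: inspect keeps state, pass does not, which is why the self-zone class has to match echo-reply explicitly). Addresses and ports are the lab's; the packets, the Packet/Ace types and the session-table representation are constructed for the example.

```python
"""Model of an IOS inspection firewall's decision: CBAC 'ip inspect' (Task 2.1)
and ZBF 'inspect' versus 'pass' (Task 2.2). Added example, not INE's or Cisco's
code; the packets and the session-table representation are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                     # "permit" | "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # CIDR or "any"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def _matches(ace: Ace, p: Packet) -> bool:
    return (ace.proto in ("ip", p.proto)
            and _in(ace.src, p.src) and _in(ace.dst, p.dst)
            and ace.sport in (None, p.sport)
            and ace.dport in (None, p.dport)
            and ace.icmp_type in (None, p.icmp_type))


class Acl:
    """IOS walks a named ACL in sequence-number order, not in the order the
    entries were typed, and ends with an implicit deny."""
    def __init__(self, aces):
        self.aces = sorted(aces, key=lambda a: a.seq)

    def permits(self, p: Packet) -> bool:
        for ace in self.aces:
            if _matches(ace, p):
                return ace.action == "permit"
        return False


class InspectFirewall:
    """Inbound packets are checked against the session table first and only
    then against the interface ACL (the 'In SID' entries of the show output)."""
    def __init__(self, inbound_acl: Acl, inspected: set):
        self.acl, self.inspected, self.sessions = inbound_acl, inspected, set()

    def outbound(self, p: Packet, action: str = "inspect") -> str:
        """'inspect' records the flow so its replies get back in; ZBF 'pass'
        forwards the packet but keeps no state at all."""
        if action == "inspect" and p.proto in self.inspected:
            if p.proto == "icmp":
                self.sessions.add(("icmp", p.src, p.dst))
            else:
                self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action

    def inbound(self, p: Packet) -> str:
        if p.proto == "icmp":
            # echo-reply must come from the pinged host; unreachable (3) and
            # time-exceeded (11) may come from any hop, as the 0.0.0.0 SIDs show
            hit = ((p.icmp_type == 0 and ("icmp", p.dst, p.src) in self.sessions)
                   or (p.icmp_type in (3, 11)
                       and any(s[0] == "icmp" and s[1] == p.dst for s in self.sessions)))
        else:
            hit = (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions
        if hit:
            return "session"
        return "acl-permit" if self.acl.permits(p) else "acl-deny"


def task_2_1_scenario() -> dict:
    """HSRP hits ACE 10 although ACE 1000 was typed first; the inspected telnet
    to port 999 and the ping return via the session table; an unsolicited
    inbound telnet is denied."""
    vlan13_in = Acl([Ace(1000, "deny", "ip", "any", "any"),
                     Ace(10, "permit", "udp", "163.1.13.1/32", "224.0.0.2/32", 1985, 1985)])
    fw = InspectFirewall(vlan13_in, {"tcp", "udp", "icmp"})
    fw.outbound(Packet("tcp", "163.1.54.4", "163.1.13.1", 49948, 999))
    fw.outbound(Packet("icmp", "163.1.54.4", "163.1.13.1", icmp_type=8))
    return {
        "hsrp": fw.inbound(Packet("udp", "163.1.13.1", "224.0.0.2", 1985, 1985)),
        "telnet_reply": fw.inbound(Packet("tcp", "163.1.13.1", "163.1.54.4", 999, 49948)),
        "echo_reply": fw.inbound(Packet("icmp", "163.1.13.1", "163.1.54.4", icmp_type=0)),
        "unsolicited_telnet": fw.inbound(Packet("tcp", "163.1.13.1", "163.1.54.4", 40000, 23)),
    }


def task_2_2_pass_scenario(acl_permits_echo_reply: bool) -> str:
    """ZBF 'pass' is stateless: a ping R5 originates gets its echo-reply back
    only if the OUTSIDE -> self class also matches ICMP type 0."""
    aces = [Ace(10, "permit", "icmp", "any", "any", icmp_type=8)]
    if acl_permits_echo_reply:
        aces.append(Ace(20, "permit", "icmp", "any", "any", icmp_type=0))
    fw = InspectFirewall(Acl(aces), inspected=set())
    fw.outbound(Packet("icmp", "163.1.54.5", "163.1.54.4", icmp_type=8), action="pass")
    return fw.inbound(Packet("icmp", "163.1.54.4", "163.1.54.5", icmp_type=0))
```

The pass scenario is the trap in Task 2.2: a class with pass that matches only echo looks fine when other hosts ping the router, because the router's own replies leave the self zone without a zone-pair, but the router's own pings silently fail until echo-reply is matched as well.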


Task 2.2 Verification


For testing purposes we will create a VLAN5 SVI on SW1 and simulate traffic
from the INSIDE security zone to the OUTSIDE security zone and vice versa.

SW1:
interface Vlan5
ip address 10.5.5.100 255.255.255.0
no shutdown
!
ip route 163.1.35.0 255.255.255.0 10.5.5.5
ip route 163.1.45.0 255.255.255.0 10.5.5.5
ip route 163.1.54.0 255.255.255.0 10.5.5.5

Rack4SW1#ping 163.1.35.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.35.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms

Rack4SW1#ping 163.1.54.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.54.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

Rack4SW1#ping 163.1.45.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.45.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms

Rack4R5#show policy-map type inspect zone-pair ZP_INISIDE_TO_OUTSIDE | section CMAP_ICMP
Class-map: CMAP_ICMP (match-all)
Match: protocol icmp
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:30]


Session creations since subsystem startup or last reset 3
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 00:00:07
Last statistic reset never
Last session creation rate 3
Maxever session creation rate 3
Last half-open session total 0

Rack4SW1#telnet 163.1.35.3
Trying 163.1.35.3 ... Open

User Access Verification

Password:
Rack4R3>exit

[Connection to 163.1.35.3 closed by foreign host]

Rack4SW1#telnet 163.1.54.4
Trying 163.1.54.4 ... Open

User Access Verification

Password:
Rack4R4>exit

[Connection to 163.1.54.4 closed by foreign host]

Rack4SW1#telnet 163.1.45.4
Trying 163.1.45.4 ... Open

User Access Verification

Password:
Rack4R4>exit

[Connection to 163.1.45.4 closed by foreign host]

Rack4R5# show policy-map type inspect zone-pair ZP_INISIDE_TO_OUTSIDE | section CMAP_TCP
Class-map: CMAP_TCP (match-all)
Match: protocol tcp
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:386]

Session creations since subsystem startup or last reset 4
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:2:1]
<snip>


R3:
ip host TEST 163.1.35.3
ip dns server

R4:
ip host TEST 163.1.54.4
ip dns server

SW1:
ip domain-lookup
ip name-server 163.1.35.3
ip name-server 163.1.54.4

Rack4SW1#ping TEST

Translating "TEST"...domain server (163.1.35.3) [OK]

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 163.1.35.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

Rack4SW1#ping TEST

Translating "TEST"...domain server (163.1.54.4) [OK]

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 163.1.54.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms

Rack4R5# show policy-map type inspect zone-pair ZP_INISIDE_TO_OUTSIDE | section CMAP_UDP
Class-map: CMAP_UDP (match-all)
Match: protocol udp
Inspect
Packet inspection statistics [process switch:fast switch]
udp packets: [0:4]

Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:01:45
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0


Let’s check if ICMP echo and echo-reply are permitted to the self-zone meaning
the router itself; other traffic should be dropped.

Rack4SW1#ping 10.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Rack4SW1#telnet 10.5.5.5
Trying 10.5.5.5 ...
% Connection timed out; remote host not responding

Rack4R4#ping 163.1.54.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.54.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/79/160 ms

Rack4R4#telnet 163.1.54.5
Trying 163.1.54.5 ...
% Connection timed out; remote host not responding

Rack4R3#ping 163.1.35.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.35.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms

Rack4R3#telnet 163.1.35.5
Trying 163.1.35.5 ...
% Connection timed out; remote host not responding


Rack4R5#show policy-map type inspect zone-pair ZP_INSIDE_TO_SELF

Zone-pair: ZP_INSIDE_TO_SELF
Service-policy inspect : PMAP_INSIDE_TO_SELF

Class-map: CMAP_ICMP_ECHO_AND_ECHO_REPLY (match-all)
Match: protocol icmp
Match: access-group name ACL_ICMP
Pass
5 packets, 400 bytes

Class-map: class-default (match-any)
Match: any
Drop (default action)
2 packets, 48 bytes

Rack4R5#show policy-map type inspect zone-pair ZP_OUTSIDE_TO_SELF

Zone-pair: ZP_OUTSIDE_TO_SELF
Service-policy inspect : PMAP_OUTSIDE_TO_SELF

Class-map: CMAP_ICMP_ECHO_AND_ECHO_REPLY (match-all)
Match: protocol icmp
Match: access-group name ACL_ICMP
Pass
10 packets, 800 bytes

Class-map: CMAP_OTHER (match-any)
Match: access-group name ACL_OTHERSECT
0 packets, 0 bytes
30 second rate 0 bps
Pass
0 packets, 0 bytes

Class-map: class-default (match-any)
Match: any
Drop (default action)
52 packets, 5472 bytes


Task 3.1 Solution


R3:
!
! Configure the new HSRP group which will serve as crypto endpoint.
!
interface FastEthernet0/0
ip address 99.99.99.3 255.255.255.0 secondary
standby 99 ip 99.99.99.99
standby 99 name HA
standby 99 timers msec 500 msec 1500
standby 13 timers msec 500 msec 1500
ip ospf hello-interval 2

!
! Configure an ISAKMP policy and a key
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 163.1.132.113
crypto isakmp keepalive 10 periodic

!
! Configure the transform-set and proxy ACL
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
access-list 101 permit ip 163.1.13.0 0.0.0.255 163.1.136.0 0.0.0.255

!
! Bind the proxy ACL and transform-set together in a crypto map
!
crypto map MYMAP 10 ipsec-isakmp
set peer 163.1.132.113
set transform-set MYSET
reverse-route static
match address 101

!
! Apply the crypto-map and enable IPSec HA
!
interface FastEthernet0/0
crypto map MYMAP redundancy HA

!
! Permit VPN traffic in the firewall
!
ip access-list extended VLAN13_IN
20 permit udp host 163.1.132.113 eq 500 host 99.99.99.99 eq 500
30 permit esp host 163.1.132.113 host 99.99.99.99
40 permit ip 163.1.13.0 0.0.0.255 163.1.136.0 0.0.0.255
50 permit gre host 163.1.13.100 host 163.1.12.2


R1:
!
! Configure the new HSRP group which will serve as the crypto endpoint.
! A secondary subnet is used because the primary prefix is itself the
! traffic that must be encrypted
!
interface FastEthernet0/0
ip address 99.99.99.1 255.255.255.0 secondary
standby 99 ip 99.99.99.99
standby 99 name HA
standby 99 timers msec 500 msec 1500
standby 13 timers msec 500 msec 1500
ip ospf hello-interval 2

!
! Configure an ISAKMP policy and a key
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 163.1.132.113
crypto isakmp keepalive 10 periodic

!
! Configure the transform-set and proxy ACL
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
access-list 101 permit ip 163.1.13.0 0.0.0.255 163.1.136.0 0.0.0.255

!
! Bind the proxy ACL and transform-set together in a crypto map
!
crypto map MYMAP 10 ipsec-isakmp
set peer 163.1.132.113
set transform-set MYSET
match address 101
reverse-route static

!
! Apply the crypto-map and enable IPSec HA
!
interface FastEthernet0/0
crypto map MYMAP redundancy HA

R2:

NAT is configured on both the Tunnel and the Serial interface because, if IPsec
is initiated from R3, traffic enters R2 on the Serial0/0 interface, whereas if it
is initiated from R1 (via the tracked route towards SW2) it enters on the Tunnel
interface.


!
! Configure the GRE Tunnel to SW2, needed so that R3 can route
! “around” R1.
!
interface Tunnel1
ip address 163.1.33.2 255.255.255.0
ip nat outside
tunnel source 163.1.12.2
tunnel destination 163.1.13.100
!
interface Serial0/0
ip nat outside

!
! Configure static routes for R6 Loopback and HSRP HA subnet
!
ip route 6.0.0.1 255.255.255.255 163.1.132.113
ip route 99.99.99.99 255.255.255.255 163.1.33.1

!
! Create static NAT for R6 Loopback
!
ip nat inside source static 6.0.0.1 163.1.132.113 no-alias
!
interface FastEthernet0/0
ip nat inside

R6:
!
! Configure an ISAKMP policy and key
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 99.99.99.99
crypto isakmp keepalive 10 periodic

!
! Create the Loopback that is the real crypto endpoint; R2 translates it
! statically to 163.1.132.113
!
interface Loopback6
ip address 6.0.0.1 255.255.255.255
!
! Disable NAT-T. R6's endpoint sits behind a static NAT, so NAT discovery
! would detect the translation and move ISAKMP and ESP to UDP/4500, which
! neither the OUTS ACL on ASA2 nor VLAN13_IN on R3 permits. Disabling it
! at one end is sufficient, since both peers must advertise NAT-T support
!
no crypto ipsec nat-transparency udp

!
! Configure the transform-set and proxy ACL
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
access-list 101 permit ip 163.1.136.0 0.0.0.255 163.1.13.0 0.0.0.255


!
! Bind the proxy ACL and transform-set together in a crypto map
!
crypto map MYMAP 10 ipsec-isakmp
set peer 99.99.99.99
match address 101
set transform-set MYSET

!
! Source ISAKMP and IPsec from Loopback6, the NATed crypto endpoint
!
crypto map MYMAP local-address loopback6

!
! Apply the crypto map
!
interface FastEthernet0/0
crypto map MYMAP

!
! R6 needs a route for crypto endpoint and for VLAN 13, destination of
! encrypted traffic
!
ip route 99.99.99.0 255.255.255.0 163.1.136.13
ip route 163.1.13.0 255.255.255.0 163.1.136.13

ASA2/Context A:
!
! Configure routes for R6 loopback and for VLAN13. Task requires that
! ASA2 has reachability to SW2 through the IPSec tunnel
!
route AIN 6.0.0.1 255.255.255.255 163.1.136.6
route AIN 163.1.13.0 255.255.255.0 163.1.136.6

!
! Permit ESP and UDP 500 traffic from R1/R3 HSRP address to R6 Loopback
!
access-list OUTS permit udp host 99.99.99.99 eq 500 host 6.0.0.1 eq 500
access-list OUTS permit esp host 99.99.99.99 host 6.0.0.1

SW2:
!
! Configure the GRE Tunnel terminating on R2
!
interface tunnel1
ip address 163.1.33.33 255.255.255.0
tunnel source 163.1.13.100
tunnel destination 163.1.12.2

!
! SW2 needs a route for crypto endpoint through the GRE Tunnel
!
ip route 163.1.132.113 255.255.255.255 163.1.33.2


R1:
!
! Create a track object for the route to R3's Loopback. Track 2 is a
! boolean list that is UP only while track 1 is DOWN
!
track 1 ip route 150.4.3.3 255.255.255.255 reachability
track 2 list boolean and
object 1 not

!
! When R1 becomes the active HSRP router and has to bring up IPsec, it
! needs a static route to the crypto endpoint via SW2. The route is tied
! to track 2, so it is installed only while R1 no longer receives R3's
! Loopback route, i.e. while R3 is down
!
ip route 163.1.132.113 255.255.255.255 163.1.13.100 track 2
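Why the NAT-T line on R6 matters, as an added example that is not INE's or Cisco's code: RFC 3947 NAT discovery hashes the ISAKMP cookies together with each address and port, and a peer that sees a different source address than the one hashed knows a NAT is in the path and moves the exchange, and the ESP traffic, to UDP/4500. With R6's Loopback6 statically translated by R2 that is exactly what would happen here, and UDP/4500 is permitted neither by the OUTS access-list on ASA2 context A nor by VLAN13_IN on R3. The cookies are constructed; SHA-1 is used because the ISAKMP policy above leaves the hash at the IOS default.

```python
"""IKEv1 NAT discovery (RFC 3947, section 3.2) applied to Task 3.1.
Added example, not INE's or Cisco's code; the ISAKMP cookies are constructed."""
import hashlib
import socket
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port) with the negotiated
    ISAKMP hash, a 4-byte IPv4 address and a 2-byte port in network order."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, claimed: tuple, observed: tuple,
                 algo: str = "sha1") -> bool:
    """The sender hashes the address it believes it has; the receiver hashes
    the source it saw in the IP header. Any difference means a NAT rewrote
    the packet, and RFC 3947 peers then float to UDP/4500."""
    sent = nat_d_hash(cky_i, cky_r, claimed[0], claimed[1], algo)
    recomputed = nat_d_hash(cky_i, cky_r, observed[0], observed[1], algo)
    return sent != recomputed


def task_3_1_nat_t_outcome() -> dict:
    """What NAT discovery would conclude for the two crypto endpoints of the lab."""
    cky_i = bytes.fromhex("0123456789abcdef")      # constructed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")      # constructed responder cookie
    # R6 hashes its Loopback6 address; R3/R1 see R2's static translation instead.
    r6_behind_nat = nat_detected(cky_i, cky_r, ("6.0.0.1", 500), ("163.1.132.113", 500))
    # The HSRP VIP is not translated on its way to R6.
    vip_behind_nat = nat_detected(cky_i, cky_r, ("99.99.99.99", 500), ("99.99.99.99", 500))
    floats = r6_behind_nat or vip_behind_nat
    return {
        "r6_behind_nat": r6_behind_nat,
        "hsrp_vip_behind_nat": vip_behind_nat,
        "port_with_nat_t": 4500 if floats else 500,
        # The lab ACLs open only UDP/500 and ESP, so a float to 4500 would
        # break the tunnel; 'no crypto ipsec nat-transparency udp' prevents it.
        "permitted_by_lab_acls": not floats,
    }


if __name__ == "__main__":
    for name, value in task_3_1_nat_t_outcome().items():
        print(f"{name}: {value}")
```

The alternative to disabling NAT-T would be to permit UDP/4500 in both ACLs and drop the esp entries; the workbook keeps plain ESP, which also keeps the R2 static translation simple because ESP carries no ports to rewrite.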

Task 3.1 Verification


For verification we will initiate traffic from SW2 to R6’s Fa0/0 and ASA2 AIN
interfaces. We will initiate traffic first when R3 is HSRP active. Then we will
shutdown R3 Fa0/0 so that R1 is HSRP active.

Rack4R3#show standby brief

P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 13 100 Active local 163.1.13.1 163.1.13.13
Fa0/0 99 100 Active local 163.1.13.1 99.99.99.99

Rack4SW2#ping 163.1.136.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.136.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 108/109/112 ms

Rack4SW2#ping 163.1.136.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.136.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/112/132 ms


Rack4R3#sho crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
163.1.132.113 99.99.99.99 QM_IDLE 1095 0 ACTIVE
150.4.3.3 150.4.4.4 GDOI_IDLE 1094 0 ACTIVE
150.4.3.3 150.4.5.5 GDOI_IDLE 1073 0 ACTIVE

IPv6 Crypto ISAKMP SA

Rack4R3#sho crypto ipsec sa peer 163.1.132.113

interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 99.99.99.99

protected vrf: (none)


local ident (addr/mask/prot/port): (163.1.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (163.1.136.0/255.255.255.0/0/0)
current_peer 163.1.132.113 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 99.99.99.99, remote crypto endpt.: 163.1.132.113
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xC47952D4(3296285396)

inbound esp sas:


spi: 0xF1A22B8(253371064)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4400155/3486)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
<snip>
outbound esp sas:
spi: 0xC47952D4(3296285396)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4400155/3486)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
<snip>


Now we’ll make R1 HSRP active for both groups by shutting down R3’s
connection to VLAN13:

R3:
interface FastEthernet0/0
shutdown

Rack4R1#show standby brief


P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 13 100 Active local unknown 163.1.13.13
Fa0/0 99 100 Active local unknown 99.99.99.99

Rack4SW2#ping 163.1.136.6

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 163.1.136.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 108/108/108 ms

Rack4SW2#ping 163.1.136.13

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 163.1.136.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/112/132 ms

Rack4R1#sho crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
163.1.132.113 99.99.99.99 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA


Rack4R1#sho crypto ipsec sa peer 163.1.132.113

interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 99.99.99.99

protected vrf: (none)


local ident (addr/mask/prot/port): (163.1.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (163.1.136.0/255.255.255.0/0/0)
current_peer 163.1.132.113 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 99.99.99.99, remote crypto endpt.: 163.1.132.113
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x3824B646(941930054)

inbound esp sas:


spi: 0x4F2285AA(1327662506)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4474285/3493)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x3824B646(941930054)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4474285/3493)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


Task 3.2 Solution


R2:
!
! Configure R2 as NTP master, stratum level 9
!
ntp master 9
ip domain-name INE.com

!
! Configure R2 as CA server
!
crypto pki server TEST
grant auto
no shut

!
! Enable HTTP server
!
ip http server

R1, R3:
!
! Configure R2 Loopback as NTP server
!
ntp server 150.4.2.2
ip domain-name INE.com

!
! Generate the RSA pair of keys
!
crypto key generate rsa mod 1024

!
! Configure the Trustpoint
!
crypto pki trustpoint IE1
enrollment url http://150.4.2.2
serial-number
revocation-check none

!
! Retrieve CA certificate and enroll
!
crypto ca authenticate IE1
crypto ca enroll IE1


R6:

R6 does not have a route to R2’s Loopback and static routes are not allowed.
Therefore, we need to create static translations on ASA2.

!
! Configure R2 Loopback as NTP server
!
ntp server 150.4.2.2
ip domain-name INE.com

!
! Generate the RSA pair of keys
!
crypto key generate rsa mod 1024

!
! Configure the Trustpoint
!
crypto pki trustpoint IE1
enrollment url http://163.1.136.20
serial-number
revocation-check none

!
! Retrieve CA certificate and enroll
!
crypto ca authenticate IE1
crypto ca enroll IE1

A/ASA2:
!
! Create the static for R2 Loopback, being as specific as possible
!
static (AOUT,AIN) tcp 163.1.136.20 www 150.4.2.2 www netmask 255.255.255.255
static (AOUT,AIN) udp 163.1.136.20 ntp 150.4.2.2 ntp netmask 255.255.255.255

The ISAKMP policy configured in Task 3.1 uses sequence number 10 with pre-shared
key authentication. Once the pre-shared keys for the peer are removed, that
policy can no longer be completed and the peers fall back to the default ISAKMP
policy, which already uses RSA signatures. Setting policy 10 to rsa-sig
explicitly, as below, makes the intent visible in the configuration.


R1, R3:
!
! Remove the ISAKMP pre-shared key and modify ISAKMP policy 10 to use
! RSA-SIG as authentication method
!
no crypto isakmp key cisco address 163.1.132.113
crypto isakmp policy 10
auth rsa-sig

R6:
!
! Remove the ISAKMP pre-shared key and modify ISAKMP policy 10 to use
! RSA-SIG as authentication method
!
no crypto isakmp key cisco address 99.99.99.99
crypto isakmp policy 10
auth rsa-sig

Task 3.2 Verification


Verify NTP synchronization and that the certificates are issued with the device
serial number included. Then confirm that IPsec is still established and that
RSA signatures (rsig) are now the ISAKMP authentication method.

Rack4R2#show crypto pki cert


CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=TEST
Subject:
cn=TEST
Validity Date:
start date: 10:12:35 UTC Jun 11 2009
end date: 10:12:35 UTC Jun 10 2012
Associated Trustpoints: TEST

Rack4R2#show crypto pki server


Certificate Server TEST:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=TEST
CA cert fingerprint: 6A302D86 D2AD7041 CD921B80 91F1116D
Granting mode is: auto
Last certificate issued serial number: 0x5
CA certificate expiration timer: 10:12:35 UTC Jun 10 2012
CRL NextUpdate timer: 16:09:15 UTC Jun 13 2009
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage


Rack4R1#show ntp status


Clock is synchronized, stratum 10, reference is 150.4.2.2
nominal freq is 249.5901 Hz, actual freq is 249.5903 Hz, precision is 2**18
reference time is CDE5EF63.6A79EFA0 (11:05:07.415 UTC Fri Jun 19 2009)
clock offset is -1.5186 msec, root delay is 48.69 msec
root dispersion is 1.65 msec, peer dispersion is 0.09 msec

Rack4R3#show ntp status


Clock is synchronized, stratum 10, reference is 150.4.2.2
nominal freq is 249.5901 Hz, actual freq is 249.5876 Hz, precision is 2**18
reference time is CDE5EFB5.8D0C4956 (11:06:29.550 UTC Fri Jun 19 2009)
clock offset is 13.4712 msec, root delay is 49.97 msec
root dispersion is 13.85 msec, peer dispersion is 0.37 msec

Rack4R6#show ntp status


Clock is synchronized, stratum 10, reference is 163.1.136.20
nominal freq is 250.0000 Hz, actual freq is 249.9886 Hz, precision is 2**24
reference time is CDE5F1C7.C4381701 (11:15:19.766 UTC Fri Jun 19 2009)
clock offset is -0.0133 msec, root delay is 0.00 msec
root dispersion is 0.95 msec, peer dispersion is 0.93 msec

Rack4R1#sho crypto pki certificate


Certificate
Status: Available
Certificate Serial Number: 0x2
Certificate Usage: General Purpose
Issuer:
cn=TEST
Subject:
Name: Rack4R1.INE.com
Serial Number: FCZ092774JK
serialNumber=FCZ092774JK+hostname=Rack4R1.INE.com
Validity Date:
start date: 10:21:54 UTC Jun 19 2009
end date: 10:21:54 UTC Jun 19 2010
Associated Trustpoints: IE1

CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=TEST
Subject:
cn=TEST
Validity Date:
start date: 10:20:14 UTC Jun 19 2009
end date: 10:20:14 UTC Jun 18 2012
Associated Trustpoints: IE1


Rack4SW2#ping 163.1.136.6

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 163.1.136.6, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 108/108/108
ms

Make sure to clear the existing crypto sessions first, then verify that the
output of show crypto isakmp sa detail shows rsig as the Auth method.

Rack4R6#sho crypto isakmp sa detail


Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash   Auth DH Lifetime Cap.

1003  6.0.0.1         99.99.99.99              ACTIVE des  sha    rsig 1  23:59:16 D
      Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA

Rack4R6#sho crypto ipsec sa peer 99.99.99.99

interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 6.0.0.1

protected vrf: (none)


local ident (addr/mask/prot/port): (163.1.136.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (163.1.13.0/255.255.255.0/0/0)
current_peer 99.99.99.99 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 6.0.0.1, remote crypto endpt.: 99.99.99.99


path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x89C7918F(2311557519)
PFS (Y/N): N, DH group: none


inbound esp sas:


spi: 0x7023A8F7(1881385207)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: NETGX:7, sibling_flags 80000046, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4523239/3571)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x89C7918F(2311557519)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: NETGX:8, sibling_flags 80000046, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4523239/3571)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

No ACL entries are needed on ASA2, because R6 initiates both the certificate
enrollment (HTTP) and the NTP query from the inside, so the stateful inspection
allows the replies. No ACL entries are needed on R3 either, because its CBAC
inspection uses the "router-traffic" keyword for UDP and TCP, so sessions that
R3 itself originates are inspected and their return traffic is permitted.

Rack4R3#show ip inspect sessions


Established Sessions
Session 886CC2F8 (163.1.13.3:123)=>(150.4.2.2:123) udp SIS_OPEN

Shut down R3's Fa0/0 interface, and verify that the tunnel initiates from R1, and
shows rsig as well.


Rack4SW2#ping 163.1.136.6

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 163.1.136.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 108/108/108
ms

Rack4R1#sho crypto isakmp sa detail


Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash   Auth DH Lifetime Cap.

1002  99.99.99.99     163.1.132.113            ACTIVE des  sha    rsig 1  23:59:30 D
      Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA
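The two checks above (R6 while R3 is active, then R1 after the failover) come down to reading the Auth column of show crypto isakmp sa detail by eye. The script below is an added example, not part of the workbook, that does the same check over captured output: it parses the SA rows and reports any SA that did not negotiate rsig (a stale pre-shared-key session that was never cleared would show up here) or that negotiated single DES, which the default ISAKMP policy does. The sample output is constructed to mirror the R1 verification, with one extra stale psk row.

```python
"""Check the IKE authentication method in 'show crypto isakmp sa detail' output.

Added example, not part of the workbook: after switching a peer from
pre-shared keys to RSA signatures, parse the SA table and flag any SA that
did not negotiate 'rsig' (for instance a stale session that was not cleared)
or that negotiated single DES.  The sample output below is constructed to
mirror the R1 verification; the column layout is the one IOS prints.
"""
import re
from dataclasses import dataclass
from typing import List

# Abbreviations from the Codes legend printed above the table.
AUTH_CODES = {"psk": "pre-shared key", "rsig": "RSA signature", "renc": "RSA encryption"}

# One SA row: C-id Local Remote [I-VRF] Status Encr Hash Auth DH Lifetime [Cap.]
# I-VRF is blank in the global table; Status is upper-case and Encr/Hash are
# lower-case, which keeps the optional VRF token from swallowing the Status column.
ROW_RE = re.compile(
    r"^\s*(?P<cid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?:(?P<vrf>\S+)\s+)?"
    r"(?P<status>[A-Z_]+)\s+(?P<encr>[a-z0-9-]+)\s+(?P<hash>[a-z0-9-]+)\s+"
    r"(?P<auth>psk|rsig|renc)\s+(?P<dh>\d+)\s+(?P<life>\d+:\d\d:\d\d)(?:\s+(?P<cap>\S+))?"
)


@dataclass
class IkeSa:
    conn_id: int
    local: str
    remote: str
    status: str
    encr: str
    hash: str
    auth: str
    dh_group: int


def parse_isakmp_sa_detail(text: str) -> List[IkeSa]:
    """Return one IkeSa per SA row; legend, header and Engine-id lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sas.append(IkeSa(int(m["cid"]), m["local"], m["remote"], m["status"],
                             m["encr"], m["hash"], m["auth"], int(m["dh"])))
    return sas


def audit_isakmp_sas(sas: List[IkeSa], expected_auth: str = "rsig") -> List[str]:
    """Findings for SAs whose auth method differs from the expected one, and for
    SAs that negotiated single DES (what the IOS default policy des/sha/group 1 gives)."""
    findings = []
    for sa in sas:
        peer = f"conn {sa.conn_id} {sa.local} -> {sa.remote}"
        if sa.auth != expected_auth:
            findings.append(f"{peer}: auth is {AUTH_CODES.get(sa.auth, sa.auth)}, "
                            f"expected {AUTH_CODES[expected_auth]}")
        if sa.encr == "des":
            findings.append(f"{peer}: single DES negotiated; tighten the ISAKMP policy")
    return findings


# Constructed sample: the rsig SA from the verification plus a stale psk SA.
SAMPLE_SHOW_OUTPUT = """\
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash   Auth DH Lifetime Cap.

1002  99.99.99.99     163.1.132.113            ACTIVE des  sha    rsig 1  23:59:30 D
      Engine-id:Conn-id = SW:2
1001  99.99.99.99     163.1.132.113            ACTIVE 3des md5    psk  2  23:41:07 D
      Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA
"""

if __name__ == "__main__":
    for finding in audit_isakmp_sas(parse_isakmp_sa_detail(SAMPLE_SHOW_OUTPUT)):
        print(finding)
```

Paste the real output of show crypto isakmp sa detail into SAMPLE_SHOW_OUTPUT (or read it from a file) to use the check on a lab device; an empty findings list means every SA negotiated RSA signatures and none is on single DES.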


Task 3.3 Solution


You may want to configure the NAT translations for Task 7.2 before completing
this section. Once those translations are in place, the Test PC and the AAA
server on VLAN 4 do not need any additional routing information, because the
ASA presents a locally translated address.

ASA1:
!
! Configure RADIUS server and set an authorization password,
! used when retrieving authorization settings
!
aaa-server RAD protocol radius
aaa-server RAD (OUT) host 10.0.0.100 CISCO
radius-common-pw CISCO

!
! Configure the ASA to request client certificate on outside interface
!
ssl certificate-authentication interface OUT port 443
!
! Configure default WebVPN group to authorize via RADIUS
!
tunnel-group DefaultWEBVPNGroup general-attributes
authorization-server-group RAD
authorization-required

!
! Use OU field from client’s certificate to authorize
! with RADIUS server
!
username-from-certificate OU

!
! Configure the default WebVPN group to authenticate with
! digital certificates
!
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication certificate

!
! A trustpoint to verify a client’s certificate
!
crypto ca trustpoint IE1
enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
crypto ca authenticate IE1

!
! Enable WebVPN on the outside interface
!
webvpn
enable OUT
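The authorization flow configured above has two moving parts: the ASA reads the OU from the client certificate's subject and uses it as the username, and RADIUS authorization then looks that user up with the common password. The following Python script is an added example, not workbook or Cisco code, that models both steps. The DN parser follows the RFC 4514 string form (comma-separated RDNs, + for multi-valued RDNs such as the serialNumber+hostname subject issued to R1 earlier, backslash escapes); the RADIUS exchange is replaced by a constructed user table holding the WEBVPN/CISCO entry from ACS Step 3, and "first matching attribute wins" is an assumption about the ASA behaviour.

```python
"""Derive the WebVPN username from a client certificate field, as the ASA does
with 'username-from-certificate OU', and run it through RADIUS authorization.

Added example, not from the workbook or from Cisco: the DN parser follows the
RFC 4514 string form (comma-separated RDNs, '+' for multi-valued RDNs,
backslash escapes).  The RADIUS exchange is replaced by a constructed user
table holding the WEBVPN/CISCO entry created in ACS Step 3.
"""
from typing import List, Optional, Tuple


def _split_attr(s: str) -> Tuple[str, str]:
    attr_type, _, value = s.strip().partition("=")
    return attr_type.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Split a string DN into RDNs; each RDN is a list of (type, value) pairs so
    that multi-valued RDNs such as serialNumber=...+hostname=... are preserved."""
    rdns, rdn, buf, i = [], [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped separator, keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch in ",+":
            rdn.append(_split_attr("".join(buf)))
            buf = []
            if ch == ",":                       # ',' closes the RDN, '+' only the attribute
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    rdn.append(_split_attr("".join(buf)))
    rdns.append(rdn)
    return rdns


def username_from_certificate(subject_dn: str, field: str = "OU") -> Optional[str]:
    """Model of the ASA behaviour (assumption: the first matching attribute wins):
    the value of <field> in the subject becomes the username sent to RADIUS.
    None means the certificate carries no such field, so authorization cannot
    even be attempted."""
    for rdn in parse_dn(subject_dn):
        for attr_type, value in rdn:
            if attr_type == field.upper():
                return value
    return None


# Constructed stand-in for the ACS user database: user WEBVPN with password
# CISCO, the common password the ASA sends with 'radius-common-pw CISCO'.
RADIUS_USERS = {"WEBVPN": "CISCO"}


def authorize(subject_dn: str, common_pw: str = "CISCO") -> Tuple[bool, str]:
    """Certificate authentication has already succeeded; authorization asks
    RADIUS for the user named by the certificate OU, using the common password."""
    user = username_from_certificate(subject_dn)
    if user is None:
        return False, "no OU in certificate subject; nothing to authorize"
    if RADIUS_USERS.get(user) != common_pw:
        return False, f"RADIUS authorization failed for {user!r}"
    return True, user


if __name__ == "__main__":
    for dn in ("CN=testpc,OU=WEBVPN,O=INE", "CN=testpc,OU=Sales,O=INE", "CN=testpc,O=INE"):
        print(dn, "->", authorize(dn))
```

The third case is the one to remember when a session fails with authorization-required set: a certificate that validates fine but carries no OU yields no username at all, and the ASA has nothing to send to the RADIUS server.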


ACS:

Step 1:

Add ASA1 as AAA client. Click Network Configuration then Add Entry
and configure per the screenshot below.

If you add the AAA client now, using ASA1's untranslated address, you may need
to add a route on the ACS server for the return traffic. If you add it after
configuring the translations in Task 7.1, use the translated client address
10.0.0.12 instead.


Step 2:

Configure the RADIUS interface so that the required attribute is available in
user profiles. Click Interface Configuration and select RADIUS (Cisco VPN
3000/ASA/PIX 7.x+). Check the WebVPN-Content-Filter-Parameters attribute for
the User.


Step 3:

Add a new user named WEBVPN (matching the OU field of the digital certificates
we will create later) with password CISCO (the common RADIUS authorization
password configured on the ASA). Click User Setup, enter the user name
“WEBVPN”, click Add/Edit and set the Password field to “CISCO”.


Step 4:

Set content filter parameters attribute in the user profile per the screenshot
below.


Task 3.3 Verification


We assign the Test PC to VLAN 4, obtain a certificate from the CA and test the
WebVPN.

Step1:

Configure Test PC in VLAN 4:


SW2:
interface Fa 0/20
switchport mode access
switchport access vlan 4
spanning-tree portfast

Test PC:


Step 2:

Request a digital certificate from CA server using the web-browser.



Notice that the OU field (Department) is set to match the user previously
configured in the AAA server.


Step 3:

Install certificate just requested:


Step 4:

Connect to https://10.0.0.12 and select identity certificate for authentication:

Step 5:

Check the WebVPN session status in the ASA firewall.


ASA1(config)# show vpn-sessiondb webvpn

Session Type: WebVPN

Username     : WEBVPN                 Index        : 1
Public IP    : 10.0.0.199
Protocol : Clientless
License : SSL VPN
Encryption : RC4 Hashing : SHA1
Bytes Tx : 165428 Bytes Rx : 22048
Group Policy : DfltGrpPolicy Tunnel Group : DefaultWEBVPNGroup
Login Time : 18:47:49 UTC Thu Jun 11 2009
Duration : 0h:00m:54s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

ASA1(config)#


Task 3.4 Solution


Although the configuration was almost complete in the initial configuration, make
sure that your configured policy isn't breaking traffic flows. With ZBF configured
on R5, some additions to the policy need to be made.

R5:
!
ip access-list extended ACL_OTHERSECT
permit udp host 150.4.3.3 eq 848 host 150.4.5.5 eq 848
permit ip host 192.168.4.4 host 192.168.5.5
!
interface Serial 0/0.54
crypto map MYMAP
!
interface Serial 0/1
crypto map MYMAP

In the initial configuration R5 has the crypto map on only one interface. That
is sufficient for GDOI registration with the key server, but traffic towards R4
that leaves through the other interface is not encrypted, so the crypto map has
to be applied on both egress interfaces. ISAKMP is enabled by default, but
check that the initial configuration has not disabled it with the command no
crypto isakmp enable.

R3:
crypto gdoi group group1
identity number 1
server local
rekey authentication mypubkey rsa Rack4R3.INE.com

Looking at the configuration on R3, rekey authentication is configured, but if
the referenced RSA key pair does not exist no rekey is ever sent. The key pair
generated in the earlier section, named after R3's FQDN, can be used for
rekeying.

In order to trigger a rekey, you can change the ACL on R3 by adding or removing
an entry.


Rack4R3(config)#ip access-list extended 134
Rack4R3(config-ext-nacl)#no 10
Rack4R3(config-ext-nacl)#10 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
Rack4R3(config-ext-nacl)#exit
Rack4R3(config)#exit
Rack4R3#

%SYS-5-CONFIG_I: Configured from console by console


%GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group group1 from address 150.4.3.3 with seq # 1

Task 3.4 Verification


Rack4R3#sho crypto gdoi ks
Total group members registered to this box: 2

Key Server Information For Group group1:


Group Name : group1
Group Identity : 1
Group Members : 2
IPSec SA Direction : Both
ACL Configured:
access-list 134

Rack4R3#show crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group group1 : 1

Group Member ID : 150.4.4.4


Group ID : 1
Group Name : group1
Key Server ID : 150.4.3.3
Rekeys sent : 1
Rekeys retries : 2
Rekey Acks Rcvd : 0
Rekey Acks missed : 0

Sent seq num :     1        2        3        0
Rcvd seq num :     0        0        0        0

Group Member ID : 150.4.5.5


Group ID : 1
Group Name : group1
Key Server ID : 150.4.3.3
Rekeys sent : 1
Rekeys retries : 2
Rekey Acks Rcvd : 0
Rekey Acks missed : 0

Sent seq num :     1        2        3        0
Rcvd seq num :     0        0        0        0
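The rekey discussion above turns on whether the group members actually receive and acknowledge the unicast rekeys the key server sends. The script below is an added example, not part of the workbook, that parses the per-member counters from show crypto gdoi ks members and reports members whose acknowledged rekeys trail the rekeys sent or that needed retries. A member in that state has to fall back to re-registering with the KS before its TEKs expire, so the rekey path (UDP 848 from the KS, signed with the key named under rekey authentication) is what to check, much as Task 3.4 adds that traffic to R5's ZBF ACL. The sample output is constructed: one member acknowledged, one did not.

```python
"""Spot GDOI group members that did not acknowledge a unicast rekey.

Added example, not from the workbook: parses the per-member counters printed
by 'show crypto gdoi ks members' on the key server and reports members whose
acknowledged rekeys trail the rekeys sent or that needed retries.  The sample
output is constructed: 150.4.4.4 acknowledged its rekey, 150.4.5.5 did not.
"""
import re
from typing import Dict

MEMBER_RE = re.compile(r"Group Member ID\s*:\s*(\S+)")
COUNTER_RE = re.compile(
    r"^\s*(Rekeys sent|Rekeys retries|Rekey Acks Rcvd|Rekey Acks missed)\s*:\s*(\d+)",
    re.MULTILINE,
)


def parse_gdoi_ks_members(text: str) -> Dict[str, Dict[str, int]]:
    """Map member ID -> {counter name: value} for each 'Group Member ID' block."""
    chunks = MEMBER_RE.split(text)          # [preamble, id1, body1, id2, body2, ...]
    members = {}
    for member_id, body in zip(chunks[1::2], chunks[2::2]):
        members[member_id] = {name: int(val) for name, val in COUNTER_RE.findall(body)}
    return members


def unacknowledged_members(members: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Members whose rekey acks are short of the rekeys sent, or that needed retries."""
    return {
        mid: c for mid, c in members.items()
        if c.get("Rekey Acks Rcvd", 0) < c.get("Rekeys sent", 0)
        or c.get("Rekeys retries", 0) > 0
    }


# Constructed sample in the layout the workbook shows for Rack4R3.
SAMPLE_KS_MEMBERS = """\
Group Member Information :

Number of rekeys sent for group group1 : 1

Group Member ID    : 150.4.4.4
 Group ID          : 1
 Group Name        : group1
 Key Server ID     : 150.4.3.3
 Rekeys sent       : 1
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 1
 Rekey Acks missed : 0

 Sent seq num :     1        0        0        0
 Rcvd seq num :     1        0        0        0

Group Member ID    : 150.4.5.5
 Group ID          : 1
 Group Name        : group1
 Key Server ID     : 150.4.3.3
 Rekeys sent       : 1
 Rekeys retries    : 2
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num :     1        2        3        0
 Rcvd seq num :     0        0        0        0
"""

if __name__ == "__main__":
    for mid, counters in unacknowledged_members(parse_gdoi_ks_members(SAMPLE_KS_MEMBERS)).items():
        print(f"{mid}: sent={counters['Rekeys sent']} acked={counters['Rekey Acks Rcvd']} "
              f"retries={counters['Rekeys retries']}")
```

Run against the real key-server output, every member listed is a candidate for the ZBF/ACL check on the rekey path before the next TEK expiry; a member that also fails to re-register will drop out of the group entirely.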


Rack4R3#sho crypto gdoi ks policy


Key Server Policy:
For group group1 (handle: 2147483650) server 150.4.3.3 (handle: 2147483650):

# of teks : 2 Seq num : 3


KEK POLICY (transport type : Unicast)
spi : 0x63B70A741CBCD7B0B41D4C66AAD586C5
management alg : disabled encrypt alg : 3DES
crypto iv length : 8 key size : 24
orig life(sec): 86400 remaining life(sec): 85946
sig hash algorithm : enabled sig key length : 162
sig size : 128
sig key name : Rack4R3.INE.com

TEK POLICY (encaps : ENCAPS_TUNNEL)


spi : 0x877F2A6B access-list : 134
# of transforms : 0 transform : ESP_3DES
hmac alg : HMAC_AUTH_SHA
alg key size : 24 sig key size : 20
orig life(sec) : 1800 remaining life(sec) : 220
override life (sec): 0 antireplay window size: 64

TEK POLICY (encaps : ENCAPS_TUNNEL)


spi : 0xA90C489F access-list : 134
# of transforms : 0 transform : ESP_3DES
hmac alg : HMAC_AUTH_SHA
alg key size : 24 sig key size : 20
orig life(sec) : 1800 remaining life(sec) : 1345
override life (sec): 0 antireplay window size: 64

Rack4R5#ping 192.168.4.4 source loopback 10

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/94/96 ms

Rack4R5#show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.5.5 150.4.3.3 GDOI_REKEY 1089 0 ACTIVE
150.4.3.3 150.4.5.5 GDOI_IDLE 1088 0 ACTIVE

Rack4R5#show ip route 192.168.4.0


Routing entry for 192.168.4.0/32, 1 known subnets

O        192.168.4.4 [110/65] via 163.1.54.4, 3d01h, Serial0/0.54
                     [110/65] via 163.1.45.4, 3d01h, Serial0/1


Rack4R5#show crypto ipsec sa interface serial 0/1

interface: Serial0/1
Crypto map tag: MYMAP, local addr 150.4.5.5

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0

local crypto endpt.: 150.4.5.5, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xA42267F9(2753718265)

inbound esp sas:


spi: 0xA42267F9(2753718265)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 349, flow_id: 349, crypto map: MYMAP
sa timing: remaining key lifetime (sec): (422)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0xA42267F9(2753718265)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 350, flow_id: 350, crypto map: MYMAP
sa timing: remaining key lifetime (sec): (422)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


Rack4R5#show crypto ipsec sa interface serial 0/0.54

interface: Serial0/0.54
Crypto map tag: MYMAP, local addr 150.4.5.5

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0

local crypto endpt.: 150.4.5.5, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xA42267F9(2753718265)

inbound esp sas:


spi: 0xA42267F9(2753718265)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 349, flow_id: 349, crypto map: MYMAP
sa timing: remaining key lifetime (sec): (407)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0xA42267F9(2753718265)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 350, flow_id: 350, crypto map: MYMAP
sa timing: remaining key lifetime (sec): (407)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


Task 4.1 Solution


R3:
!
! R3 has CBAC configured. Permit RADIUS from SW2
!
ip access-list extended VLAN13_IN
60 permit udp host 163.1.13.100 host 163.1.13.150 eq 1645
70 permit udp host 163.1.13.100 host 163.1.13.150 eq 1646

SW2:
!
! Authenticate EoU session via RADIUS
!
aaa new-model
aaa authentication eou default group radius

!
! Authorize network settings (e.g. ACLs) with RADIUS
!
aaa authorization network default group radius

!
! The default access-list
!
ip access-list extended DEFAULT
permit udp any any eq 21862
permit tcp any host 163.1.13.150 eq 80
permit udp any any eq bootps
permit udp any any eq domain
permit icmp any any echo
permit icmp any any echo-reply

!
! Admission Control Rule
!
ip admission name NAC_L2_IP eapoudp

!
! Apply the admission rule and ACL
!
interface Fa 0/20
switchport mode access
switchport access vlan 4
ip admission NAC_L2_IP
ip access-group DEFAULT in

!
! EoU timers: Revalidate every 30 minutes
!
eou timeout revalidation 1800


!
! Hold failed hosts for 60 seconds
!
eou timeout hold-period 60

!
! Track IP addresses of connected devices
!
ip device tracking

!
! Enable DHCP snooping so the switch inspects DHCP messages and builds the
! binding table used by IP device tracking
!
ip dhcp snooping
ip dhcp snooping vlan 101
!
radius-server host 163.1.13.150 key CISCO

!
! Send VSAs with authentication requests and include Framed-IP-Address
! (attribute 8) in the Access-Request: the basic host information the
! NAC server needs
!
radius-server vsa send authentication
radius-server attribute 8 include-in-access-req
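The SW2 configuration above hinges on the DEFAULT interface ACL: until the posture check completes it must let through only what validation itself needs (EoU on UDP 21862, HTTP to the ACS, DHCP, DNS and ping), and after a Healthy result the downloadable ACL from ACS takes over. The evaluator below is an added example, not workbook code, that parses the IOS extended ACL syntax used here (any/host/wildcard addresses, eq with the usual port keywords, ICMP type names) and runs constructed packets through both ACLs so the before/after difference is visible. Treating the dACL as a straight replacement of the interface ACL for the host is a simplification of how the switch applies it.

```python
"""Evaluate the NAC L2 IP access policy before and after posture validation.

Added example, not from the workbook: a small evaluator for the IOS extended
ACL syntax used above (any/host/wildcard addresses, 'eq' ports with the usual
keywords, ICMP type names).  Modelling the downloadable ACL as a straight
replacement of the interface ACL for that host is a simplification; the
sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "tftp": 69,
              "ssh": 22, "telnet": 23, "tacacs": 49, "ntp": 123}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str
    src: IPv4Network
    sport: Optional[int]
    dst: IPv4Network
    dport: Optional[int]
    icmp_type: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _addr(tok, i):
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    # 'network wildcard': ipaddress accepts a hostmask in place of a prefix length
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse one ACE per line; a leading sequence number is ignored."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0].isdigit():
            tok = tok[1:]
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = ICMP_TYPES[tok[i]] if proto == "icmp" and i < len(tok) else None
        aces.append(Ace(action == "permit", proto, src, sport, dst, dport, icmp_type))
    return aces


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    return True


def evaluate(aces: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; every ACL ends with an implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.permit
    return False


# The two ACLs from this task: the interface ACL on SW2 and the ACS dACL.
DEFAULT_ACL = """
permit udp any any eq 21862
permit tcp any host 163.1.13.150 eq 80
permit udp any any eq bootps
permit udp any any eq domain
permit icmp any any echo
permit icmp any any echo-reply
"""
HEALTHY_ACL = """
10 permit tcp any any
20 permit udp any any
30 permit icmp any any
"""


def effective_acl(posture_token: Optional[str]) -> List[Ace]:
    """Interface ACL until ACS returns Healthy with its downloadable ACL (simplified)."""
    return parse_acl(HEALTHY_ACL if posture_token == "Healthy" else DEFAULT_ACL)


if __name__ == "__main__":
    ssh = Packet("tcp", "163.1.13.2", "163.1.136.6", dport=22)
    print("ssh before posture:", evaluate(effective_acl(None), ssh))
    print("ssh after Healthy:", evaluate(effective_acl("Healthy"), ssh))
```

The useful property to confirm with this is that the pre-posture ACL contains nothing beyond the validation protocols: any extra permit there is reachable by a host that has not yet proved its posture.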


ACS:

Step 1:

Add SW2 as a RADIUS client. Click Network Configuration then click Add/Edit.


Step 2:

Generate and install a self-signed certificate on the ACS server. Navigate to
System Configuration, choose ACS Certificate Setup, then Generate Self Signed
Certificate, and click Submit when the settings match the screenshot below.
Make sure to restart the ACS services afterwards.


Step 3:

Configure ACS Global Authentication to enable PEAP and Posture Validation.
Navigate to System Configuration, select Global Authentication Setup, then
EAP Configuration. Set the values per the screenshot below and click Submit.


Step 4:

Create new Network Access Profile for NAC L2 IP from template. Click
Network Access Profiles then click Add Template Profile and
select [NAC L2 IP]; click Submit when you’re done with the settings per
the screenshot below. Make sure to restart ACS services afterwards.

Perform the following steps on the Test PC:

Import the ACS certificate into the client's certificate store so that Cisco
Trust Agent can authenticate the ACS server during the PEAP session. Obtain the
file containing the ACS certificate in PEM format (the default), e.g.
c:\ACS.cer; you should have created this file when you configured the ACS
server.

Copy this file to a directory on the Test PC, e.g. “c:\mycerts”, go to the
Cisco Trust Agent home directory (by default “C:\Program Files\Cisco
Systems\CiscoTrustAgent”) and run the following command from there:
ctacert.exe /add c:\mycerts\ACS.cer /store “Root”


Task 4.2 Solution

ACS:

Step 1:

Modify the condition for Healthy Posture for NAC Policy associated with the NAC
Profile. Run the ACS Administration and click Posture Validation then
select Internal Posture Validation Setup and choose the “NAC-
SAMPLE-CTA-POLICY” then click Add/Edit Condition. Add new conditions
according to the screenshot below.


Step 2:

Modify the downloadable ACL associated with Healthy Posture. Click the
Shared Profile Components then click Downloadable IP ACLs and
select the “NAC_SAMPLE_HEALTHY_ACL”


Choose the first ACL content entry of the access list, named “L3_EXAMPLE”.


Next add the required ACL rules to the sample ACL per the screenshot below.


Task 4.2 Verification


Step 1:

Configure the Test PC to obtain an IP address via DHCP.


Step 2:

Run the CTA statistics utility C:\Program Files\Cisco
Systems\CiscoTrustAgent\ctastat.exe:


Step 3:

Now check the admission status in SW2. Verify the DHCP address bindings and
check device tracking. Finally check the access-list downloaded to the client.

Rack4SW2#show ip admission configuration


Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Watch-list is disabled

Authentication Proxy Rule Configuration


Auth-proxy name NAC_L2_IP
eapoudp list not specified auth-cache-time 60 minutes

Rack4SW2#show ip dhcp binding


IP address Client-ID/ Lease expiration Type
Hardware address
163.1.13.2 0100.0c29.f86f.bf Mar 05 1993 12:17 AM
Automatic

Rack4SW2#show eou all


-------------------------------------------------------------------------
Address         Interface          AuthType   Posture-Token   Age(min)
-------------------------------------------------------------------------
163.1.13.2      FastEthernet0/20   EAP        Healthy         115

Rack4SW2#show ip device tracking all


IP Device Tracking = Enabled
--------------------------------------------------------------
IP Address MAC Address Interface STATE
--------------------------------------------------------------
163.1.13.2 000c.29f8.6fbf FastEthernet0/20 ACTIVE

Rack4SW2#show ip admission cache eapoudp


Posture Validation Proxy Cache
Total Sessions: 1 Init Sessions: 0
Client IP 163.1.13.2, timeout 60, posture state POSTURE ESTAB

Rack4SW2#show ip access-lists
Extended IP access list DEFAULT
10 permit udp any any eq 21862
20 permit tcp any host 10.0.0.100 eq www
30 permit udp any any eq domain
40 permit icmp any any echo
50 permit icmp any any echo-reply
60 permit udp any any eq bootps
Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-45da9baa
10 permit tcp any any
20 permit udp any any
30 permit icmp any any


Task 4.3 Solution


Both the devices and the ACS server need to be configured for this task.
Note: the devices are configured using the translated addresses set up in
Task 7.2.

ASA1:
!
! Tacacs server configuration
!
aaa-server TAC protocol tacacs+
aaa-server TAC (OUT) host 10.0.0.100
 key CISCO

!
! Configure ASA for SSH. The task does not say from where to allow
! administration traffic, so SSH is permitted from any source on IN.
!
domain-name INE.com
crypto key generate rsa modulus 1024
ssh 0 0 IN
aaa authentication ssh console TAC

!
! Create ACL on OUT interface and permit telnet and ssh to SW1 Loopback
! and VLAN 72 interface from anywhere.
!
access-list OUT_IN extended permit tcp any host 150.4.7.7 eq telnet
access-list OUT_IN extended permit tcp any host 150.4.7.7 eq ssh
access-list OUT_IN extended permit tcp any host 192.10.4.7 eq telnet
access-list OUT_IN extended permit tcp any host 192.10.4.7 eq ssh
access-group OUT_IN interface OUT

R1:
!
! Configure R1 for tacacs. Source tacacs packets from Loopback0 since
! it is translated on R4 as 10.0.0.1
!
aaa new-model
tacacs-server host 163.1.13.150 key CISCO
ip tacacs source-interface Loopback0


SW2:
!
! Configure SW2 for tacacs. Source tacacs packets from Vlan13 since it
! is translated on R4 as 10.0.0.8
!
aaa new-model
tacacs-server host 163.1.13.150 key CISCO
ip tacacs source-interface Vlan13

!
! Enable ssh
!
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024

SW1, R5:
!
! Enable ssh
!
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024

SW1, R3, R5:
!
! Configure SW1, R3, R5 for tacacs. Source tacacs packets off
! Loopback0 since it is translated on R4
!
aaa new-model
tacacs-server host 10.0.0.100 key CISCO
ip tacacs source-interface Loopback0

R5:
!
! Permit traffic from the tacacs server to the self zone. R5 has a zone-based
! firewall configured. Also allow telnet and ssh into the router.
!
ip access-list extended ACL_OTHERSECT
 permit tcp host 10.0.0.100 eq tacacs host 150.4.5.5
 permit tcp any any eq telnet
 permit tcp any any eq 22


R3:
!
! R3 has CBAC configured. Allow tacacs from R1, ASA2 and SW2.
!
ip access-list extended VLAN13_IN
 80 permit tcp host 150.4.1.1 host 163.1.13.150 eq 49
 90 permit tcp host 163.1.13.100 host 163.1.13.150 eq 49
 100 permit tcp host 163.1.136.13 host 163.1.13.150 eq 49
 110 permit tcp any host 163.1.13.3 eq telnet
 120 permit tcp any host 163.1.13.3 eq 22
 130 permit tcp any host 163.1.35.3 eq telnet
 140 permit tcp any host 163.1.35.3 eq 22
 150 permit tcp any host 150.4.3.3 eq telnet
 160 permit tcp any host 150.4.3.3 eq 22
 170 permit tcp any host 192.168.3.3 eq telnet
 180 permit tcp any host 192.168.3.3 eq 22

SW1, R1, R3, R5:

The task requires that ONLY telnet and ssh sessions be authorized with the
AAA server, so the default login list performs no authentication and the
named lists are applied to the VTY lines only.

aaa authentication login default none
aaa authentication login VTY group tacacs+
aaa authorization exec AUTH group tacacs+
aaa authorization commands 0 AUTH group tacacs+
aaa authorization commands 1 AUTH group tacacs+
aaa authorization commands 15 AUTH group tacacs+
!
line vty 0 4
 login authentication VTY
 authorization exec AUTH
 authorization commands 0 AUTH
 authorization commands 1 AUTH
 authorization commands 15 AUTH

R3:
line vty 101 102
 login authentication VTY
 authorization exec AUTH
 authorization commands 0 AUTH
 authorization commands 1 AUTH
 authorization commands 15 AUTH

R5:
line vty 37
 login authentication VTY
 authorization exec AUTH
 authorization commands 0 AUTH
 authorization commands 1 AUTH
 authorization commands 15 AUTH


ACS:

Step 1:

Create network device groups in the ACS. Run the ACS Admin utility and click
Interface Configuration then Advanced Options and finally check
Network Device Groups.


Next, under Network Configuration, create three network device groups
named ROUTERS, SWITCHES and FIREWALLS encompassing the devices
mentioned in the task. For example, the screenshot for the group ROUTERS
would look like:

If you have already configured any of the devices as clients, move the devices
from Unassigned Group to their respective groups after this.


Step 2:

Configure the command authorization sets after this. Click Shared Profile
Components and click Shell Command Authorization Sets. Click the
Add button to add a new set. The command authorization set below permits all
commands.


Step 3:

Create a new shell command authorization set named “SHOW”. This set should
deny show run and show start commands. Look at the screenshot below for
the configuration – there is just one command with two deny statements for the
arguments. All other arguments are permitted.


Step 4:

Add all the users mentioned in the task with the service “shell” enabled and
privilege-level set to 15.


Step 5:

Assign shell command authorization sets to the users per the task requirements.
Select the Assign a Shell Command Authorization Set on a per
Network Device Group Basis option for every user.

For the user RTRADMIN, add full access for routers, and show access for
switches: Group ROUTERS has command set ALL assigned and the group
SWITCHES has command set SHOW assigned.

For the user SWADMIN, add show access for routers, and full access for
switches: Group SWITCHES has command set ALL assigned and the group
ROUTERS has command set SHOW assigned.

Step 6:

Add R1, R3, R5, SW1, SW2, ASA1 and ASA2 to the respective groups in AAA.
Here is an example of adding R3. Go to Network Configuration; click on
the appropriate Network Device Group and under ROUTERS AAA Clients
click Add Entry. Note that there is no need to specify a Key, since it was
specified at the Network Device Group level when it was created. Remember
that SW2 was already added to AAA for task 4.2 but with RADIUS. So now we
add SW2 as a tacacs client, under a different name.
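As an added illustration (not part of the workbook), the Python below models the per-Network-Device-Group command authorization decision that the ACS steps above build and reproduces the outcomes seen in the verification that follows. The set names, NDG names and the RTRADMIN/SWADMIN assignments are the task's; the argument regexes of the SHOW set, its verdict for unmatched commands and FWADMIN's assignment are assumptions, since the workbook shows them only in screenshots.

```python
import re

# Hypothetical model of an ACS shell command authorization set. Each listed
# command carries regexes for denied arguments and a verdict for arguments that
# match nothing; "unmatched_commands" is the verdict for commands not listed.
# The SHOW set follows Step 3: one command, two deny lines, other args permitted.
COMMAND_SETS = {
    "ALL": {"unmatched_commands": "permit", "commands": {}},
    "SHOW": {
        "unmatched_commands": "deny",            # assumed: "conf t" fails under SHOW
        "commands": {
            "show": {
                "deny_args": [r"^running-config\b", r"^startup-config\b"],  # assumed regexes
                "permit_unmatched_args": True,
            },
        },
    },
}

# Per-user, per-NDG assignment (Step 5). FWADMIN's FIREWALLS entry is assumed;
# the task only states RTRADMIN's and SWADMIN's assignments explicitly.
USER_ASSIGNMENTS = {
    "RTRADMIN": {"ROUTERS": "ALL", "SWITCHES": "SHOW"},
    "SWADMIN": {"ROUTERS": "SHOW", "SWITCHES": "ALL"},
    "FWADMIN": {"FIREWALLS": "ALL"},
}

# Device-to-NDG membership from Step 1 and Step 6.
DEVICE_GROUPS = {
    "R1": "ROUTERS", "R3": "ROUTERS", "R5": "ROUTERS",
    "SW1": "SWITCHES", "SW2": "SWITCHES",
    "ASA1": "FIREWALLS", "ASA2": "FIREWALLS",
}


def authorize(user: str, device: str, command_line: str) -> bool:
    """Decide one TACACS+ command authorization request.

    IOS sends the fully expanded command (e.g. 'show running-config' even when
    the operator typed 'show run'), so expanded text is expected here. A user
    with no set assigned for the device's group is denied everything, which is
    what FWADMIN experiences on the routers and switches in the verification.
    """
    group = DEVICE_GROUPS.get(device)
    set_name = USER_ASSIGNMENTS.get(user, {}).get(group)
    if set_name is None:
        return False
    cmd_set = COMMAND_SETS[set_name]
    command, _, args = command_line.strip().partition(" ")
    rule = cmd_set["commands"].get(command)
    if rule is None:
        return cmd_set["unmatched_commands"] == "permit"
    if any(re.search(pattern, args) for pattern in rule["deny_args"]):
        return False
    return rule["permit_unmatched_args"]


if __name__ == "__main__":
    # Replays the sessions from the Task 4.3 verification.
    for user, device, cmd in [
        ("RTRADMIN", "R5", "configure terminal"),
        ("SWADMIN", "R5", "show running-config"),
        ("SWADMIN", "R5", "show ip interface brief"),
        ("FWADMIN", "R5", "show ip interface brief"),
        ("RTRADMIN", "SW1", "show spanning-tree interface fastEthernet 0/1"),
    ]:
        verdict = "permitted" if authorize(user, device, cmd) else "Command authorization failed."
        print(f"{user}@{device}: {cmd} -> {verdict}")
```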


Task 4.3 Verification


Rack4R4#telnet 163.1.45.5
Trying 163.1.45.5 ... Open

Username: RTADMIN
Password:

Rack4R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack4R5(config)#interface fastEthernet0/0
Rack4R5(config-if)#end
Rack4R5#exit

[Connection to 163.1.45.5 closed by foreign host]

Rack4R4#telnet 163.1.45.5
Trying 163.1.45.5 ... Open

User Access Verification

Username: SWADMIN
Password:

Rack4R5#show running-config
Command authorization failed.

Rack4R5#show startup-config
Command authorization failed.

Rack4R5#show ip interface brief | e unas
Interface           IP-Address      OK? Method Status                Protocol
FastEthernet0/0     10.5.5.5        YES manual up                    up
Serial0/0.35        163.1.35.5      YES manual up                    up
Serial0/0.54        163.1.54.5      YES manual up                    up
FastEthernet0/1     192.0.2.5       YES manual administratively down down
Serial0/1           163.1.45.5      YES manual up                    up
Loopback0           150.4.5.5       YES manual up                    up
Loopback10          192.168.5.5     YES manual up                    up


Rack4R5#conf t
Command authorization failed.

Rack4R4#telnet 163.1.45.5
Trying 163.1.45.5 ... Open

User Access Verification

Username: FWADMIN
Password:

Rack4R5#conf t
Command authorization failed.

Rack4R5#show running-config
Command authorization failed.

Rack4R5#show ip interface brief
Command authorization failed.

Rack4R4#telnet 150.4.7.7
Trying 150.4.7.7 ... Open

Username: SWADMIN
Password:

Rack4SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack4SW1(config)#interface VLan127
Rack4SW1(config-if)#end
Rack4SW1#exit

[Connection to 150.4.7.7 closed by foreign host]

Rack4R4#telnet 150.4.7.7
Trying 150.4.7.7 ... Open

Username: RTRADMIN
Password:

Rack4SW1#show running-config
Command authorization failed.

Rack4SW1#show startup-config
Command authorization failed.

Rack4SW1#show spanning-tree interface fastEthernet 0/1

Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0013            Desg FWD 19        128.1    P2p


Rack4R4#telnet 150.4.7.7
Trying 150.4.7.7 ... Open

Username: FWADMIN
Password:

Rack4SW1#conf t
Command authorization failed.

Rack4SW1#show running-config
Command authorization failed.

Rack4SW1#show spanning-tree interface fastEthernet 0/1
Command authorization failed.

Rack4R5#test aaa group tacacs+ RTRADMIN CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Rack4SW1#test aaa group tacacs+ SWADMIN CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.


Task 5.1 Solution


ASA2:
!
! Create resource classes
!
class A
 limit-resource rate conns 100
!
class B
 limit-resource xlates 1000
 limit-resource hosts 100
 limit-resource rate inspects 10

!
! Attach contexts to appropriate resource classes. The context-level
! command that assigns a resource class is "member".
!
context A
 member A
!
context B
 member B

ASA2/Context A:
username CISCO password CISCO
ssh 163.1.13.0 255.255.255.0 AIN
aaa authentication ssh console LOCAL
domain-name INE.com
crypto key generate rsa

ASA1:
snmp-server community CISCO
snmp-server listen-port 181
snmp-server host OUT 10.0.0.100 poll


Task 5.1 Verification


Rack4SW2#ssh -l CISCO 163.1.136.13

Password:
Type help or '?' for a list of available commands.
ASA2/A> enable
Password:
ASA2/A#

ASA2# show resource allocation detail
Resource Origin:
        A    Value was derived from the resource 'all'
        C    Value set in the definition of this class
        D    Value set in default class
Resource            Class         Mmbrs   Origin      Limit       Total   Total %
Conns [rate]        default       all     CA          unlimited
                    A             0       C           100
                    B             0       DA          unlimited
                    All Contexts: 3

Inspects [rate]     default       all     CA          unlimited
                    A             0       DA          unlimited
                    B             0       C           10
                    All Contexts: 3

Syslogs [rate]      default       all     CA          unlimited
                    A             0       DA          unlimited
                    B             0       DA          unlimited
                    All Contexts: 3

Conns               default       all     CA          unlimited
                    A             0       DA          unlimited
                    B             0       DA          unlimited
                    All Contexts: 3

Hosts               default       all     CA          unlimited
                    A             0       DA          unlimited
                    B             0       C           100
                    All Contexts: 3

IPSec               default       all     CA          unlimited
                    A             0       DA          unlimited
                    B             0       DA          unlimited
                    All Contexts: 3

Mac-addresses       default       all     CA          unlimited
                    A             0       DA          unlimited
                    B             0       DA          unlimited
                    All Contexts: 3

ASDM                default       all     C           5
                    A             0       D           5
                    B             0       D           5
                    All Contexts: 3                               15      46.87%

SSH                 default       all     C           5
                    A             0       D           5
                    B             0       D           5
                    All Contexts: 3                               15      15.00%

Telnet              default       all     C           5
                    A             0       D           5
                    B             0       D           5
                    All Contexts: 3                               15      15.00%

Xlates              default       all     CA          unlimited
                    A             0       DA          unlimited
                    B             0       C           1000
                    All Contexts: 3

Task 5.2 Solution


R5:
!
! Configure R5 to listen on ports 3010 and 7010 for telnet connections
!
line vty 37
 rotary 10
 password cisco

!
! R5 has a zone-based firewall configured. We need to allow telnet to the
! self zone from the OUTSIDE zone
!
ip access-list extended ACL_OTHERSECT
 permit tcp any any eq 3010
 permit tcp any any eq 7010


R3:
!
! Configure R3 to listen on ports 5500 and 5501 for ssh connections
!
ip ssh port 5500 rotary 1 2
!
line vty 101
 rotary 1
 transport input telnet ssh
!
line vty 102
 rotary 2
 transport input telnet ssh

!
! Create ACL to restrict outbound telnet on the default port and allow
! all other ports
!
access-list 199 deny tcp any any eq 23
access-list 199 permit tcp any any
!
line vty 101 102
 access-class 199 out

!
! Allow ssh traffic on both ports from anywhere to R3 interfaces.
!
ip access-list extended VLAN13_IN
 190 permit tcp any host 163.1.13.3 eq 5500
 200 permit tcp any host 163.1.13.3 eq 5501
 210 permit tcp any host 163.1.35.3 eq 5500
 220 permit tcp any host 163.1.35.3 eq 5501
 230 permit tcp any host 150.4.3.3 eq 5500
 240 permit tcp any host 150.4.3.3 eq 5501
 250 permit tcp any host 192.168.3.3 eq 5500
 260 permit tcp any host 192.168.3.3 eq 5501

Task 5.2 Verification


Rack4R4#telnet 163.1.45.5 3010
Trying 163.1.45.5, 3010 ... Open

Username: RTRADMIN
Password:


Rack4R5#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:12
*103 vty 37    RTRADMIN   idle                 00:00:00 163.1.45.4

  Interface    User               Mode         Idle     Peer Address
  Se0/1                           Sync PPP     00:00:00 163.1.45.4

Rack4R4#telnet 163.1.45.5 7010
Trying 163.1.45.5, 7010 ... Open

Username: RTRADMIN
Password:

Rack4R5#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:02:40
*103 vty 37    RTRADMIN   idle                 00:00:00 163.1.45.4

  Interface    User               Mode         Idle     Peer Address
  Se0/1                           Sync PPP     00:00:00 163.1.45.4

Rack4R1#ssh -l RTRADMIN -p 5500 150.4.3.3

Password:

Rack4R3#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:19
*167 vty 101   RTRADMIN   idle                 00:00:00 163.1.13.1

  Interface    User               Mode         Idle     Peer Address

Rack4R3#telnet 163.1.35.5
Trying 163.1.35.5 ...
% Connections to that host not permitted from this terminal

Rack4R3#show ip access-lists 199
Extended IP access list 199
    10 deny tcp any any eq telnet (1 match)
    20 permit tcp any any

Rack4R3#telnet 163.1.35.5 3010
Trying 163.1.35.5, 3010 ... Open

Username: RTRADMIN
Password:

Rack4R5#exit

[Connection to 163.1.35.5 closed by foreign host]

Rack4R3#exit

[Connection to 150.4.3.3 closed by foreign host]

Rack4R1#


Rack4R1#ssh -l RTRADMIN -p 5501 150.4.3.3

Password:

Rack4R3#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:26
*168 vty 102   RTRADMIN   idle                 00:00:00 163.1.13.1

  Interface    User               Mode         Idle     Peer Address

Task 5.3 Solution


R6:
!
! Configure class maps to match required protocols
!
class-map type queue-threshold match-all SNMP
 match protocol snmp
!
class-map type queue-threshold match-all BGP
 match protocol bgp
!
class-map type queue-threshold match-all TELNET
 match protocol telnet
!
class-map type queue-threshold match-all OTHER
 match host-protocols

!
! Configure policy-map for limiting queue threshold
!
policy-map type queue-threshold QT
 class BGP
  queue-limit 200
 class TELNET
  queue-limit 100
 class SNMP
  queue-limit 50
 class OTHER
  queue-limit 100

!
! Apply the policy-map
!
control-plane host
 service-policy type queue-threshold input QT


Task 5.3 Verification


Rack4R6#show policy-map type queue-threshold control-plane host
Control Plane Host

 Service-policy queue-threshold input: QT

   Class-map: BGP (match-all)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: protocol bgp
     queue-limit 200
     queue-count 0 packets allowed/dropped 0/0

   Class-map: TELNET (match-all)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: protocol telnet
     queue-limit 100
     queue-count 0 packets allowed/dropped 0/0

   Class-map: SNMP (match-any)
     0 packets, 0 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: protocol snmp
       0 packets, 0 bytes
       5 minute rate 0 bps
     queue-limit 50
     queue-count 0 packets allowed/dropped 0/0

   Class-map: OTHER (match-all)
     29 packets, 3798 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: host-protocols
     queue-limit 100
     queue-count 0 packets allowed/dropped 29/0

   Class-map: class-default (match-any)
     5 packets, 580 bytes
     5 minute offered rate 0 bps, drop rate 0 bps
     Match: any
Rack4R6#


Task 6.1 Solution


Use the setup command to configure basic settings for the IPS sensor. First
erase the current configuration to make sure you start with a clean configuration.

sensor# erase current-config
Warning: Removing the current-config file will result in all
configuration being reset to default, including system information such
as IP address.
User accounts will not be erased. They must be removed manually using
the "no username" command.
Continue? []: yes
sensor# reset
Warning: Executing this command will stop all applications and reboot
the node.
Continue with reset? []: yes

Broadcast Message from root@sensor (somewhere) at 21:18 ...

A system reboot has been requested. The reboot may not start for 90
seconds.

Request Succeeded.

IPS:
Continue with configuration dialog?[yes]: yes
Enter host name[ips]: Rack4IPS
Enter IP interface[1.1.1.1/24,1.1.1.254]: 10.0.0.15/24,10.0.0.4
Enter telnet-server status[disabled]:
Enter web-server port[443]:
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit: 10.0.0.100/32
Permit:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:


The following configuration was entered.

service host
network-settings
host-ip 10.0.0.15/24,10.0.0.4
host-name Rack4IPS
telnet-option disabled
access-list 10.0.0.100/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset -480
standard-time-zone-name GMT-08:00
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]:
Configuration Saved.

SW1:
!
! Create VLAN 99 as remote-span VLAN
!
vlan 99
remote-span

!
! Span R3 Fa0/0 interface. Make sure to configure the “reflector-port”
! as an unused port if the switch is a 3550; hardware limitation
!
monitor session 1 source interface FastEthernet 0/3
monitor session 1 destination remote vlan 99 reflector-port Gi0/1


SW2:
!
! Create VLAN 99 as remote-span VLAN
!
vlan 99
 remote-span

!
! Span from VLAN 99. Configure "ingress vlan" so that TCP resets can be
! sent. Task 6.2 requires it.
!
monitor session 1 source remote vlan 99
monitor session 1 destination interface FastEthernet0/10 ingress vlan 13

Configure the IPS in promiscuous mode.

IPS:
Rack4IPS# conf t
Rack4IPS(config)# service interface
Rack4IPS(config-int)# physical-interfaces GigabitEthernet0/0
Rack4IPS(config-int-phy)# admin-state enabled
Rack4IPS(config-int-phy)# exit
Rack4IPS(config-int)# exit
Apply Changes:?[yes]: yes

Rack4IPS(config)# service analysis-engine
Rack4IPS(config-ana)# virtual-sensor vs0
Rack4IPS(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 0


IDM:

Using the IPS GUI, enable and tune signatures 2000 and 2004, which correspond
to ICMP echo-reply and echo-request packets. Connect to the IPS and run the IPS
Device Manager. Navigate to Configuration > Signature Definitions
> sig0, locate the two signatures mentioned above and change the Event Count
field for each of them.


Task 6.1 Verification


We will ping from R1 to R3 to fire the ICMP Echo Request signature. Since R3 has
CBAC configured, the echo-reply will not be received back. If we ping from R3 to
R1 instead, the ping will succeed and will trigger both signatures.

Rack4R1#ping 163.1.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.13.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Rack4IPS# show events alert past 10:00

evIdsAlert: eventId=733536344016781278 severity=informational vendor=Cisco
  originator:
    hostId: Rack4IPS
    appName: sensorApp
    appInstanceId: 400
  time: 2009/06/21 06:17:21 2009/06/21 06:17:21 UTC
  signature: description=ICMP Echo Request id=2004 version=S1
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 163.1.13.1
    target:
      addr: locality=OUT 163.1.13.3
      os: idSource=unknown relevance=relevant type=unknown
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 35
  threatRatingValue: 35
  interface: ge0_0
  protocol: icmp

Rack4R3#ping 163.1.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms


Rack4IPS# show events alert past 0:02

evIdsAlert: eventId=733536344016781531 severity=informational vendor=Cisco
  originator:
    hostId: Rack4IPS
    appName: sensorApp
    appInstanceId: 400
  time: 2009/06/21 06:24:14 2009/06/21 06:24:14 UTC
  signature: description=ICMP Echo Request id=2004 version=S1
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 163.1.13.3
    target:
      addr: locality=OUT 163.1.13.1
      os: idSource=unknown relevance=relevant type=unknown
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 35
  threatRatingValue: 35
  interface: ge0_0
  protocol: icmp

evIdsAlert: eventId=733536344016781532 severity=informational vendor=Cisco
  originator:
    hostId: Rack4IPS
    appName: sensorApp
    appInstanceId: 400
  time: 2009/06/21 06:24:14 2009/06/21 06:24:14 UTC
  signature: description=ICMP Echo Reply id=2000 version=S1
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 163.1.13.1
    target:
      addr: locality=OUT 163.1.13.3
      os: idSource=unknown relevance=relevant type=unknown
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 35
  threatRatingValue: 35
  interface: ge0_0
  protocol: icmp


Task 6.2 Solution


IPS:
Rack4IPS(config)# service signature-definition sig0
Rack4IPS(config-sig)# signatures 60001 0
Rack4IPS(config-sig-sig)# engine string-tcp
Rack4IPS(config-sig-sig-str)# event-action produce-alert|reset-tcp-connection
Rack4IPS(config-sig-sig-str)# service-ports 23
Rack4IPS(config-sig-sig-str)# regex [sS][eE][cC][rR][eE][tT]|[pP][aA][sS][sS][wW][oO][rR][dD]
Rack4IPS(config-sig-sig-str)# exit
Rack4IPS(config-sig-sig)# sig-description
Rack4IPS(config-sig-sig-sig)# sig-name "Secret Password"
Rack4IPS(config-sig-sig-sig)# exit
Rack4IPS(config-sig-sig)# alert-severity high
Rack4IPS(config-sig-sig)# sig-fidelity-rating 50
Rack4IPS(config-sig-sig)# alert-frequency
Rack4IPS(config-sig-sig-ale)# summary-mode fire-all
Rack4IPS(config-sig-sig-ale-fir)# exit
Rack4IPS(config-sig-sig-ale)# exit
Rack4IPS(config-sig-sig)# exit
Rack4IPS(config-sig)# exit
Apply Changes?[yes]: yes

Task 6.2 Verification


Rack4R1#telnet 163.1.13.3
Trying 163.1.13.1 ... Open

Username: RTRADMIN
Password:

Rack4R1#sec
[Connection to 163.1.13.3 closed by foreign host]

Rack4IPS# show events alert past 00:10

evIdsAlert: eventId=733543164016782383 severity=high vendor=Cisco
  originator:
    hostId: Rack4IPS
    appName: sensorApp
    appInstanceId: 400
  time: 2009/06/21 07:28:48 2009/06/21 07:28:48 UTC
  signature: description=Secret Password id=60001 version=custom
    subsigId: 0
    sigDetails: My Sig Info
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 163.1.13.1
      port: 65277
    target:
      addr: locality=OUT 163.1.13.3
      port: 23
      os: idSource=unknown relevance=relevant type=unknown
  actions:
    resetTcpFlowSent: true
  context:
    fromTarget:
000000 FF FB 01 FF FB 03 FF FD 18 FF FD 1F 0D 0A 55 73  ..............Us
000010 65 72 6E 61 6D 65 3A 20 FF FE 20 FF FD 21 FF FA  ername: .. ..!..
000020 21 00 FF F0 FF FE 18 52 54 52 41 44 4D 49 4E 0D  !......RTRADMIN.
000030 0A 50 61 73 73 77 6F 72 64 3A 20 0D 0A 0D 0A 25  .Password: ....%
000040 20 41 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 20   Authentication
000050 66 61 69 6C 65 64 0D 0A 0D 0A 0D 0A 55 73 65 72  failed......User
000060 20 41 63 63 65 73 73 20 56 65 72 69 66 69 63 61   Access Verifica
000070 74 69 6F 6E 0D 0A 0D 0A 55 73 65 72 6E 61 6D 65  tion....Username
000080 3A 20 52 54 52 41 44 4D 49 4E 0D 0A 50 61 73 73  : RTRADMIN..Pass
000090 77 6F 72 64 3A 20 0D 0A 0D 0A 52 61 63 6B 31 52  word: ....Rack4R
0000A0 31 23 73 65 63                                   1#sec
    fromAttacker:
000000 FF FD 03 FF FB 20 FF FB 1F FF FB 21 FF FD 01 FF  ..... .....!....
000010 FC 18 FF FA 1F 00 50 00 18 FF F0 FF FC 20 52 54  ......P...... RT
000020 52 41 44 4D 49 4E 0D 0A 43 53 49 43 4F 0D 0A 52  RADMIN..CSICO..R
000030 54 52 41 44 4D 49 4E 0D 0A 43 49 53 43 4F 0D 0A  TRADMIN..CISCO..
000040 73 65 63 72 65 74                                secret
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 60
  threatRatingValue: 40
  interface: ge0_0
  protocol: tcp

Task 6.3 Solution

Note

Special characters need special handling when matching by regex. Backspace and
Delete can be matched by their respective ASCII codes; there is a list of ASCII
codes in the command reference for IOS Configuration Fundamentals. Backspace is
hex 08, and Delete is hex 7F.


IPS:
Rack4IPS(config)# service signature-definition sig0
Rack4IPS(config-sig)# signatures 60002 0
Rack4IPS(config-sig-sig)# engine string-tcp
Rack4IPS(config-sig-sig-str)# event-action reset-tcp-connection
Rack4IPS(config-sig-sig-str)# service-ports 23
Rack4IPS(config-sig-sig-str)# regex [\x08]|[\x7f]
Rack4IPS(config-sig-sig-str)# exit
Rack4IPS(config-sig-sig)# sig-description
Rack4IPS(config-sig-sig-sig)# sig-name "Backspace Delete"
Rack4IPS(config-sig-sig-sig)# exit
Rack4IPS(config-sig-sig)# alert-severity high
Rack4IPS(config-sig-sig)# sig-fidelity-rating 80
Rack4IPS(config-sig-sig)# alert-frequency
Rack4IPS(config-sig-sig-ale)# summary-mode fire-all
Rack4IPS(config-sig-sig-ale-fir)# exit
Rack4IPS(config-sig-sig-ale)# exit
Rack4IPS(config-sig-sig)# exit
Rack4IPS(config-sig)# exit
Apply Changes?[yes]:
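As an added example (not from the workbook), the Python below models the two string-tcp signatures of Tasks 6.2 and 6.3 and runs their regexes, exactly as entered on the sensor, over the fromAttacker context captured in the Task 6.2 alert and over a constructed stream that contains a Backspace. The signature model, the hex-dump parser and the assumption that the engine's direction parameter was left at its to-service default are mine.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StringTcpSig:
    """Hypothetical model of a string-tcp signature (not the sensor's own API)."""
    sig_id: int
    name: str
    regex: re.Pattern          # bytes pattern, applied to the raw TCP stream
    service_ports: tuple
    event_actions: tuple


# Regexes and actions as configured in Tasks 6.2 and 6.3. Direction is assumed
# left at the engine default (to-service), so only the client -> server stream
# (fromAttacker) is inspected; the server's "Password:" prompt in fromTarget
# would otherwise also satisfy signature 60001.
SIGNATURES = (
    StringTcpSig(60001, "Secret Password",
                 re.compile(rb"[sS][eE][cC][rR][eE][tT]|[pP][aA][sS][sS][wW][oO][rR][dD]"),
                 (23,), ("produce-alert", "reset-tcp-connection")),
    StringTcpSig(60002, "Backspace Delete",
                 re.compile(rb"[\x08]|[\x7f]"),
                 (23,), ("reset-tcp-connection",)),
)

# fromAttacker context copied from the Task 6.2 alert (offset, hex bytes, ASCII column).
FROM_ATTACKER_DUMP = """\
000000 FF FD 03 FF FB 20 FF FB 1F FF FB 21 FF FD 01 FF  ..... .....!....
000010 FC 18 FF FA 1F 00 50 00 18 FF F0 FF FC 20 52 54  ......P...... RT
000020 52 41 44 4D 49 4E 0D 0A 43 53 49 43 4F 0D 0A 52  RADMIN..CSICO..R
000030 54 52 41 44 4D 49 4E 0D 0A 43 49 53 43 4F 0D 0A  TRADMIN..CISCO..
000040 73 65 63 72 65 74                                secret
"""

# Constructed stream for Task 6.3: the user corrects a typo with Backspace (0x08).
BACKSPACE_STREAM = b"RTRADMIN\r\nCISC\x08O\r\n"

HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{6}((?:\s+[0-9A-Fa-f]{2}){1,16})")


def parse_context_dump(dump: str) -> bytes:
    """Rebuild the byte stream from an alert 'context' hex dump. At most 16 bytes
    are taken per line; the first token that is not two hex digits (the ASCII
    column) ends the line."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex("".join(m.group(1).split())))
    return bytes(out)


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation (IAC sequences) to show what the user typed.
    The engine matches on the raw stream, so evaluate() does not use this."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != 0xFF:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == 0xFA:          # IAC SB ... IAC SE
            end = data.find(b"\xff\xf0", i + 2)
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3                                               # WILL/WONT/DO/DONT <opt>
        else:
            i += 2                                               # other 2-byte IAC command
    return bytes(out)


def evaluate(stream: bytes, dst_port: int = 23):
    """Return (sig_id, match_offset, event_actions) for every signature whose regex
    matches the stream on a monitored service port. With summary-mode fire-all
    each signature reports independently."""
    hits = []
    for sig in SIGNATURES:
        if dst_port not in sig.service_ports:
            continue
        m = sig.regex.search(stream)
        if m:
            hits.append((sig.sig_id, m.start(), sig.event_actions))
    return hits


if __name__ == "__main__":
    raw = parse_context_dump(FROM_ATTACKER_DUMP)
    print("typed by client:", strip_telnet_iac(raw))
    for sig_id, offset, actions in evaluate(raw) + evaluate(BACKSPACE_STREAM):
        print(f"signature {sig_id} matched at offset {offset}: {', '.join(actions)}")
```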

Task 6.3 Verification


We will initiate a telnet connection from R1 and hit the Del key and the
Backspace key to trigger the signature. Since the signature is not configured
to produce an alert, the only evidence we have is what we see: the connection
was reset.

Rack4R1#telnet 163.1.13.3 23
Trying 163.1.13.3 ... Open

Username: RTRADMIN
Password:
[Connection to 163.1.13.3 closed by foreign host]

Task 6.4 Solution


Basic signature set support can be enabled on the ASA with the ip audit
syntax. You need to configure a different rule name for informational and attack
signatures. In order to limit which messages get logged, you can configure a
logging list. In the section Troubleshooting and Alerts, error and system
messages, there is a list of syslog messages. Messages for the built-in
signatures start at 400000.


ASA1:
!
! Enable IPS signatures
!
ip audit name MYINFO info action alarm
ip audit name MYATTACK attack action alarm reset
ip audit interface OUT MYINFO
ip audit interface OUT MYATTACK

!
! Enable logging to host 10.0.0.100
!
logging enable
logging host OUT 10.0.0.100
logging list SYSLOG message 400000-400050
logging trap SYSLOG
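As an added example (not part of the workbook), the Python below replays a syslog feed through the logging list configured above, parses the ASA's IDS messages, tallies hits per signature the way show ip audit count does, and reports which sources fell under the reset action of MYATTACK. The informational/attack split is taken from the signature table in the verification below; the sample lines, their message numbers and addresses are constructed.

```python
import re
from collections import Counter

# Signatures listed with type A by 'show ip audit count'; they fall under
# 'ip audit name MYATTACK attack action alarm reset'. All others are type I
# and fall under MYINFO (alarm only).
ATTACK_SIGS = frozenset({1100, 1102, 1103, 2150, 2151, 2154, 3040, 3041, 3042,
                         3153, 3154, 4050, 4051, 4052, 6103, 6190})

LOGGING_LIST = (400000, 400050)   # 'logging list SYSLOG message 400000-400050'

MSG_ID = re.compile(r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}):")
IDS_MSG = re.compile(r"IDS:(?P<sig>\d+) (?P<name>.+?) from (?P<src>\S+) to (?P<dst>\S+)"
                     r" on interface (?P<ifc>\S+)")

# Constructed sample lines in the ASA's "IDS:<sig> <name> from A to B on interface X"
# format; message numbers are illustrative, the addresses mirror the ping from
# R4 Loopback0 in the verification below plus one constructed TCP NULL-flags probe.
SAMPLE_LOG = [
    "Jun 21 2009 07:28:48: %ASA-4-400014: IDS:2004 ICMP echo request from 150.4.4.4 to 163.1.124.12 on interface OUT",
    "Jun 21 2009 07:28:48: %ASA-4-400011: IDS:2001 ICMP unreachable from 163.1.124.12 to 150.4.4.4 on interface OUT",
    "Jun 21 2009 07:28:49: %ASA-4-400014: IDS:2004 ICMP echo request from 150.4.4.4 to 163.1.124.12 on interface OUT",
    "Jun 21 2009 07:28:50: %ASA-4-400026: IDS:3040 TCP NULL flags from 192.0.2.10 to 163.1.124.12 on interface OUT",
    "Jun 21 2009 07:28:51: %ASA-6-302013: Built outbound TCP connection 12 for OUT:10.0.0.100/49 (10.0.0.100/49) to IN:150.4.7.7/1025 (150.4.7.7/1025)",
]


def passes_logging_list(line: str, rng=LOGGING_LIST) -> bool:
    """True if the line's message ID lies within the list the trap destination uses."""
    m = MSG_ID.search(line)
    return bool(m) and rng[0] <= int(m.group("msg_id")) <= rng[1]


def parse_ids_message(line: str):
    """Extract signature number, name, addresses and interface from an IDS message,
    or None for any other syslog line."""
    m = IDS_MSG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sig"] = int(rec["sig"])
    msg = MSG_ID.search(line)
    rec["msg_id"] = int(msg.group("msg_id")) if msg else None
    return rec


def audit_actions(sig: int) -> tuple:
    """Actions the ip audit policies above apply to a built-in signature."""
    return ("alarm", "reset") if sig in ATTACK_SIGS else ("alarm",)


def summarize(lines):
    """Apply the logging list, then tally IDS hits per signature and collect the
    sources whose packets fell under the reset action.
    Returns (counts, reset_sources, lines_dropped_by_list)."""
    counts, reset_sources, dropped = Counter(), set(), 0
    for line in lines:
        if not passes_logging_list(line):
            dropped += 1
            continue
        rec = parse_ids_message(line)
        if rec is None:
            continue
        counts[rec["sig"]] += 1
        if "reset" in audit_actions(rec["sig"]):
            reset_sources.add(rec["src"])
    return counts, reset_sources, dropped


if __name__ == "__main__":
    counts, resets, dropped = summarize(SAMPLE_LOG)
    for sig, n in sorted(counts.items()):
        print(f"{sig:5d} {'A' if sig in ATTACK_SIGS else 'I'} hits={n}")
    print("sources under reset action:", sorted(resets))
    print("lines filtered by logging list:", dropped)
```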

Task 6.4 Verification


Rack4R4#ping 163.1.124.12 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.1.124.12, timeout is 2 seconds:
Packet sent with a source address of 150.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ASA1# show ip audit count interface oUT
IP AUDIT INTERFACE COUNTERS: OUT

1000 I Bad IP Options List               0
1001 I Record Packet Route               0
1002 I Timestamp                         0
1003 I Provide s,c,h,tcc                 0
1004 I Loose Source Route                0
1005 I SATNET ID                         0
1006 I Strict Source Route               0
1100 A IP Fragment Attack                0
1102 A Impossible IP Packet              0
1103 A IP Teardrop                       0
2000 I ICMP Echo Reply                   0
2001 I ICMP Unreachable                  28
2002 I ICMP Source Quench                0
2003 I ICMP Redirect                     0
2004 I ICMP Echo Request                 48
2005 I ICMP Time Exceed                  0
2006 I ICMP Parameter Problem            0
2007 I ICMP Time Request                 0
2008 I ICMP Time Reply                   0
2009 I ICMP Info Request                 0
2010 I ICMP Info Reply                   0
2011 I ICMP Address Mask Request         0
2012 I ICMP Address Mask Reply           0
2150 A Fragmented ICMP                   0
2151 A Large ICMP                        0
2154 A Ping of Death                     0
3040 A TCP No Flags                      0
3041 A TCP SYN & FIN Flags Only          0
3042 A TCP FIN Flag Only                 0
3153 A FTP Improper Address              0
3154 A FTP Improper Port                 0
4050 A Bomb                              0
4051 A Snork                             0
4052 A Chargen                           0
6050 I DNS Host Info                     0
6051 I DNS Zone Xfer                     0
6052 I DNS Zone Xfer High Port           0
6053 I DNS All Records                   0
6100 I RPC Port Registration             0
6101 I RPC Port Unregistration           0
6102 I RPC Dump                          0
6103 A Proxied RPC                       0
6150 I ypserv Portmap Request            0
6151 I ypbind Portmap Request            0
6152 I yppasswdd Portmap Request         0
6153 I ypupdated Portmap Request         0
6154 I ypxfrd Portmap Request            0
6155 I mountd Portmap Request            0
6175 I rexd Portmap Request              0
6180 I rexd Attempt                      0
6190 A statd Buffer Overflow             0

ASA1# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: list SYSLOG, facility 20, 84 messages logged
        Logging to OUT 10.0.0.100 errors: 21 dropped: 60
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled

Task 7.1 Solution


ASA1:
!
! Create ACL to match traffic between the 2 VLANs
!
access-list SKEEBUB permit tcp 192.10.4.0 255.255.255.0 163.1.124.0 255.255.255.0

!
! Create class-map to match the ACL
!
class-map SKB
match access-list SKEEBUB

!
! Create tcp-map to allow TCP options 16 and 17
!
tcp-map BUB
tcp-options range 16 17 allow

!
! Configure advanced TCP features in global_policy
!
policy-map global_policy
class SKB
set connection conn-max 100
set connection random-sequence-number disable
set connection per-client-max 10
set connection advanced-options BUB

If you wonder about the purpose of these two options: TCP options 16
(Skeeter) and 17 (Bubba) were proposed to carry a Diffie-Hellman key
exchange inside the TCP session so that the session could be encrypted
quickly and simply. The exchange carried no authentication, so an active
attacker could substitute its own DH values and read or modify the
"encrypted" session, the classic man-in-the-middle weakness. The tcp-map
entry is needed because the ASA's TCP normalizer does not pass these option
kinds by default; without it the hosts would never see them.
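
As an added illustration (not part of the workbook), the Python below parses
a TCP options area and applies a tcp-map style policy to it, so you can see
exactly which option kinds a normalizer would let through with and without
the range 16 17 allow entry. The set of kinds allowed when no range matches
is constructed for the example and is not the ASA's actual default (check
show running-config all tcp-map for that); "clear" is modelled as
overwriting the option with NOPs so the header length is unchanged, which is
this model's choice rather than a statement about ASA internals; and the
sample SYN options are constructed as well.

```python
"""TCP option parsing and a tcp-map style allow/clear policy (added example).

Not code from the workbook. DEFAULT_ALLOWED and the "clear = overwrite with
NOPs" behaviour are this model's assumptions, not ASA defaults.
"""
from typing import List, Tuple

EOL, NOP = 0, 1

def parse_tcp_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Return [(kind, data), ...] for a TCP options area, stopping at EOL.

    Raises ValueError on a truncated or zero-length option: the kind of
    malformed header a normalizer drops rather than forwards.
    """
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:                      # single-byte option, no length
            out.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d is missing its length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def is_well_formed(opts: bytes) -> bool:
    """True when the options area parses cleanly."""
    try:
        parse_tcp_options(opts)
        return True
    except ValueError:
        return False

# Kinds this model passes when no tcp-map range matches: MSS, window scale,
# SACK permitted, SACK, timestamp. Constructed for the example.
DEFAULT_ALLOWED = {2, 3, 4, 5, 8}

def tcp_map_allowed(kind: int, ranges: List[Tuple[int, int, str]]) -> bool:
    """Evaluate `tcp-options range lo hi allow|clear` entries, first match
    wins; fall back to DEFAULT_ALLOWED when nothing matches."""
    for lo, hi, action in ranges:
        if lo <= kind <= hi:
            return action == "allow"
    return kind in DEFAULT_ALLOWED

def apply_tcp_map(opts: bytes, ranges) -> Tuple[bytes, List[int]]:
    """Copy allowed options through and replace every other option with NOPs
    of the same length, so the data offset stays valid.
    Returns (rewritten_options, cleared_kinds)."""
    parse_tcp_options(opts)                  # reject malformed input first
    out, cleared, i = bytearray(), [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            out += opts[i:]                  # EOL and padding copied verbatim
            break
        length = 1 if kind == NOP else opts[i + 1]
        if kind == NOP or tcp_map_allowed(kind, ranges):
            out += opts[i:i + length]
        else:
            out += bytes([NOP]) * length
            cleared.append(kind)
        i += length
    return bytes(out), cleared

# Constructed options area of a SYN: MSS 1460, NOP, window scale 7, SACK
# permitted, timestamp, Skeeter (16), Bubba (17), an MPTCP option (30),
# then EOL and padding to a 4-byte boundary.
SAMPLE_OPTIONS = bytes.fromhex(
    "020405b4" "01" "030307" "0402" "080a0000000100000000"
    "1002" "1102" "1e040000" "00000000")

# tcp-map BUB from the solution above, expressed as (lo, hi, action).
BUB = [(16, 17, "allow")]

if __name__ == "__main__":
    print("before:", [k for k, _ in parse_tcp_options(SAMPLE_OPTIONS)])
    rewritten, cleared = apply_tcp_map(SAMPLE_OPTIONS, BUB)
    print("cleared:", cleared, "after:", [k for k, _ in parse_tcp_options(rewritten)])
```

With BUB applied, kinds 16 and 17 survive and only the unknown kind 30 is
rewritten; with an empty tcp-map the model clears 16, 17 and 30, which is
the behaviour the task is working around.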

Task 7.2 Solution


R4:
!
! Configure interfaces with appropriate NAT statements
!
interface fastEthernet0/1
ip nat inside

interface fastEthernet0/0
ip nat outside

interface Serial0/1
ip nat inside

interface Serial0/0.54
ip nat inside

!
! Configure static NAT as asked
!
ip nat inside source static 163.1.124.12 10.0.0.12
ip nat inside source static 163.1.136.13 10.0.0.13
ip nat inside source static 150.4.1.1 10.0.0.1
ip nat inside source static 150.4.3.3 10.0.0.3
ip nat inside source static 150.4.5.5 10.0.0.5
ip nat inside source static 150.4.7.7 10.0.0.7
ip nat inside source static 163.1.13.100 10.0.0.8

R3:
!
! Configure interfaces with appropriate NAT statements
!
interface serial 1/0.35
ip nat inside

int fa0/0
ip nat outside

!
! Configure static NAT as required
!
ip nat inside source static 10.0.0.100 163.1.13.150

Task 7.2 Verification


Rack4R1#test aaa group tacacs+ RTRADMIN CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Rack4R3#show ip nat translations


Pro Inside global Inside local Outside local Outside global
tcp 163.1.13.150:49 10.0.0.100:49 150.4.1.1:32974 150.4.1.1:32974
--- 163.1.13.150 10.0.0.100 --- ---

Rack4R4#show ip nat translations | i 10.0.0.1
tcp 10.0.0.1:32974 150.4.1.1:32974 10.0.0.100:49 10.0.0.100:49

Task 7.3 Solution


R5:
!
! Create ACL to match ICMP echo
!
access-list 173 permit icmp any any echo

!
! Apply CAR as required with the Cisco recommended burst values:
! normal burst = rate / 8 x 1.5 s = 6000 bytes and extended burst =
! 2 x normal burst = 12000 bytes for 32 kbps
!
interface fastEthernet0/0
rate-limit input access-group 173 32000 6000 12000 conform-action transmit exceed-action drop
!

R2:
!
! Create ACL to match ICMP echo-reply
!
access-list 173 permit icmp any any echo-reply

!
! We are required to use MQC so create class-map to match ACL
!
class-map ECHO_REPLY
match access-group 173

!
! Police echo-reply traffic to 32 kbps
!
policy-map LIMIT_ECHO_REPLY
class ECHO_REPLY
police 32000

!
! Apply policy to interface
!
interface Serial 0/0
service-policy input LIMIT_ECHO_REPLY

Task 7.3 Verification


SW1:
interface Vlan5
ip address 10.5.5.100 255.255.255.0
no shutdown

Rack4SW1#ping 10.5.5.5 repeat 10000

Type escape sequence to abort.


Sending 10000, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!.

Rack4R5#show interfaces fastEthernet 0/0 rate-limit


FastEthernet0/0
Input
matches: access-group 173
params: 32000 bps, 6000 limit, 12000 extended limit
conformed 2057 packets, 234498 bytes; action: transmit
exceeded 28 packets, 3192 bytes; action: drop
last packet: 1663ms ago, current burst: 6992 bytes
last cleared 00:09:57 ago, conformed 3000 bps, exceeded 0 bps
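
To see where 6000 and 12000 come from and how the policer treats a burst,
here is an added Python model (not from the workbook) of the CAR
configuration on R5. It computes Cisco's recommended burst values from the
rate and runs a constructed stream of 114-byte frames, the on-the-wire size
of the 100-byte IOS pings counted in the output above, through a single
token bucket. Only the normal burst is modelled, so CAR's extended-burst
borrowing is not reproduced; the result corresponds to a rate-limit whose
extended burst equals its normal burst.

```python
"""Token-bucket model of the CAR rate-limit on R5 (added example, not
workbook code). Models the normal burst only; extended burst is ignored."""

def car_burst_values(rate_bps: int) -> tuple:
    """Cisco's rule of thumb for rate-limit: normal burst is 1.5 seconds of
    traffic in bytes (rate / 8 * 1.5) and extended burst is twice that.
    32000 bps gives (6000, 12000), the values configured on R5."""
    normal = int(rate_bps / 8 * 1.5)
    return normal, 2 * normal

class TokenBucket:
    """Single-rate token bucket. Tokens are bytes, refilled at the committed
    rate up to the burst size; a frame conforms only if enough tokens remain
    to pay for it in full, otherwise it exceeds and is dropped."""
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8.0          # bytes per second
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last = 0.0

    def offer(self, size_bytes: int, now: float) -> str:
        if now < self.last:
            raise ValueError("time must not go backwards")
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "transmit"               # conform-action transmit
        return "drop"                       # exceed-action drop

def simulate(rate_bps: int, burst_bytes: int, pkt_bytes: int,
             count: int, interval_s: float) -> tuple:
    """Offer `count` frames of `pkt_bytes`, one every `interval_s` seconds,
    to the policer. Returns (conformed, exceeded) like the show output."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    verdicts = [bucket.offer(pkt_bytes, i * interval_s) for i in range(count)]
    return verdicts.count("transmit"), verdicts.count("drop")

if __name__ == "__main__":
    normal, extended = car_burst_values(32000)
    print("rate-limit ... 32000 %d %d" % (normal, extended))
    # 60 pings back to back: the bucket pays for 52 frames (5928 bytes) and
    # the remaining 8 exceed. At one ping every 0.5 s (228 B/s against a
    # 4000 B/s refill) everything conforms.
    print("burst of 60:", simulate(32000, normal, 114, 60, 0.0))
    print("1 ping / 0.5 s:", simulate(32000, normal, 114, 60, 0.5))
```

The lesson for the verification above is that the 6000-byte bucket absorbs
roughly fifty 114-byte frames before a single echo is dropped, which is why
a short ping shows no loss and only the 10000-echo run produced exceed
counters.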

Task 7.4 Solution

Note

SNMPv3 extends the previous versions of SNMP by introducing a new security
model that replaces the old community-based authentication system. SNMPv3
also provides for communication privacy by means of encryption. The new
concepts for SNMPv3 are the user, group, and security level.

A group defines what access rights a set of users have. This access policy
controls which SNMP objects (MIBs) can be accessed for reading and writing, or
which SNMP objects can generate notifications to the members of a group. The
policy is defined by associating a read, write, or notify view with the group. By
using a notify view, a group determines the list of notifications its users can
receive. The group also defines the security model (SNMP version) and the
security level (authentication and/or encryption) for its users.

If a group is defined without a read view, all objects are available to be read
(implicit permit). Contrary to that, if a write or notify view is not defined, no write
access is granted, and no objects can send notifications to members of the group
(implicit deny). The notify view is usually not configured manually, and is auto-
generated by the snmp-server host command when users in a group are bound
to a notification target host.

The security models are SNMPv1, SNMPv2c and SNMPv3 (the v1, v2c and v3
keywords in IOS), while the security levels are defined as noAuthNoPriv,
authNoPriv and authPriv. noAuthNoPriv, the noauth keyword in IOS, means no
authentication and no encryption. authNoPriv, the auth keyword in IOS, means
authentication but no encryption. authPriv, the priv keyword in IOS, means
authentication and encryption.

SNMPv3 can implement any of the three security levels above; SNMPv1 and
SNMPv2c only support noAuthNoPriv. When SNMPv3 is used with noAuthNoPriv,
the username effectively replaces the community string. All users sharing a
group use the same security model and level, but the credentials
(authentication password and privacy password) are set per user. SNMPv3
never sends the password itself: the password is converted into a key, that
key is localized to the agent's engine ID, and the result is used for
HMAC-MD5-96 or HMAC-SHA-96 message authentication (the md5 and sha
keywords). For privacy this task uses des56, a single-DES cipher with a
56-bit key derived the same way from the privacy password; IOS also accepts
3des and aes 128, 192 or 256 here, and AES is what you should use whenever
the NMS supports it. In every case the NMS must be configured with the same
passwords for the user, because the keys on both sides are derived from them.
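
The following Python (an added example, not code from the workbook or from
Cisco) shows what IOS does with the password strings in the snmp-server user
commands of this task: the RFC 3414 password-to-key expansion, localization
with the agent's snmpEngineID, and the slicing of the localized key into DES
key material. Its checks use the test vectors published in RFC 3414 appendix
A; the engine ID used for the CISCO password comparison is a constructed
value. It also makes the point that using one password for both auth and
priv, as the lab does, leaves the DES key equal to the first eight bytes of
the authentication key.

```python
"""SNMPv3 USM key derivation, RFC 3414 section 2.6 and appendix A.

Added example, not workbook code. Shows why an SNMPv3 password never crosses
the wire and why the same password gives a different key on every agent.
"""
import hashlib

ONE_MIB = 1_048_576

def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku = H(password repeated to exactly 1 MiB), RFC 3414 A.2.
    algorithm is 'md5' (16-byte key) or 'sha1' (20-byte key)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(algorithm, expanded).digest()

def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent, so a
    key lifted from one device does not authenticate to another."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()

def usm_keys(password: str, engine_id_hex: str, algorithm: str = "sha1"):
    """Return (Ku, Kul) for a user password on the agent with this engine ID."""
    ku = password_to_key(password, algorithm)
    return ku, localize_key(ku, bytes.fromhex(engine_id_hex), algorithm)

def des56_key_material(priv_kul: bytes):
    """RFC 3414 8.1.1.1: the first 8 octets of the localized privacy key are
    the DES key (56 effective bits), the next 8 are the pre-IV. A SHA-1 Kul
    is 20 bytes, so its last 4 bytes are simply unused by DES."""
    if len(priv_kul) < 16:
        raise ValueError("localized key too short for DES")
    return priv_kul[:8], priv_kul[8:16]

def same_password_for_auth_and_priv(auth_pw: str, priv_pw: str,
                                    engine_id_hex: str,
                                    algorithm: str = "sha1") -> bool:
    """True when the DES key is just the first 8 bytes of the authentication
    key, which is what `auth sha CISCO priv des56 CISCO` produces."""
    _, auth_kul = usm_keys(auth_pw, engine_id_hex, algorithm)
    _, priv_kul = usm_keys(priv_pw, engine_id_hex, algorithm)
    return des56_key_material(priv_kul)[0] == auth_kul[:8]

if __name__ == "__main__":
    # RFC 3414 A.3.2 vector: password "maplesyrup", engine ID ...0002
    ku, kul = usm_keys("maplesyrup", "000000000000000000000002", "sha1")
    print("Ku :", ku.hex())
    print("Kul:", kul.hex())
    # Constructed engine ID for the lab's NORMUSER credentials
    print("auth == priv key material:",
          same_password_for_auth_and_priv("CISCO", "CISCO", "80000009030000000000ab01"))
```

Two practical consequences follow: reusing a password across devices means
every agent's Kul derives from one Ku, so a leaked password compromises all
of them, and reusing the auth password as the priv password, as in the lab,
ties the confidentiality key directly to the authentication key. Use
distinct passwords and AES where the NMS allows it.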

After setting up SNMP, you can confirm which interface the restricted view
exposes with show snmp mib ifmib ifindex: RESTVW below includes only the
ifEntry row for ifIndex 4, which maps to Serial0/1. Because ifIndex values
can be renumbered on reload, snmp-server ifindex persist is needed to keep
that view attached to the same interface.

Rack4R4(config)#do show snmp mib ifmib ifindex


FastEthernet0/0: Ifindex = 1
Loopback0: Ifindex = 6
NVI0: Ifindex = 8
Null0: Ifindex = 5
Serial0/0: Ifindex = 3
Loopback10: Ifindex = 7
FastEthernet0/1: Ifindex = 2
Serial0/1: Ifindex = 4
Serial0/0.54: Ifindex = 9
Rack4R4(config)#

R4:
!
! Identify VLAN 124 in ACL
!
access-list 99 permit 163.1.124.0 0.0.0.255

!
! Globally enable ifindex persistence required for second view
!
snmp-server ifindex persist

!
! Create the 2 SNMP views
!
snmp-server view NORMVW iso included
snmp-server view RESTVW ifEntry.*.4 included

!
! Create SNMP groups
!
snmp-server group NORMGRP v3 priv read NORMVW write NORMVW
snmp-server group RESTGRP v3 auth read RESTVW access 99
snmp-server group TRAPGRP v3 priv

!
! Create SNMP users
!
snmp-server user NORMUSER NORMGRP v3 auth sha CISCO priv des56 CISCO
snmp-server user RUSER RESTGRP v3 auth sha CISCO
snmp-server user TRAP TRAPGRP v3 auth sha CISCO priv des56 CISCO

!
! Enable SNMP traps
!
snmp-server enable traps snmp linkup linkdown
snmp-server host 10.0.0.100 traps version 3 priv TRAP

Task 8.1 Solution


SW1:
!
! Create the macro
!
macro name SECURE_ACCESS
switchport mode access
switchport nonegotiate
spanning-tree portfast
@

!
! Apply the macro
!
interface range fastEthernet 0/1 - 22 , fastEthernet 0/24
macro apply SECURE_ACCESS

Task 8.2 Solution


SW1:
!
! Configure EIGRP to speak Unicast
!
router eigrp 100
neighbor 163.1.127.12 vlan 127

!
! Create key-chain
!
key chain 1
key 1
key-string CISCO

!
! Configure EIGRP authentication
!
interface vlan 127
ip authentication key-chain eigrp 100 1
ip authentication mode eigrp 100 md5

ASA1:
!
! Configure a static (unicast) EIGRP neighbor; this also stops EIGRP from
! sending multicast hellos on the interface
!
router eigrp 100
neighbor 163.1.127.7 interface IN

!
! Configure EIGRP authentication
!
interface Redundant2
authentication key eigrp 100 CISCO key-id 1
authentication mode eigrp 100 MD5

Task 8.2 Verification


Check that ASA1 and SW1 are still EIGRP neighbors and that authentication is
functional:

Rack4SW1#show ip eigrp neighbors


EIGRP-IPv4:(100) neighbors for process 100
H   Address          Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                 (sec)           (ms)        Cnt  Num
0   163.1.127.12     Vl127       11    03:55:13  1     200   0    76

Rack4SW1#show ip eigrp interfaces detail


EIGRP-IPv4:(100) interfaces for process 100

                  Xmit Queue    Mean   Pacing Time   Multicast   Pending
Interface  Peers  Un/Reliable   SRTT   Un/Reliable   Flow Timer  Routes
Vl127        1        0/0         1        0/1           50         0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/11  Un/reliable ucasts: 34/19
  Mcast exceptions: 1  CR packets: 1  ACKs suppressed: 0
  Retransmissions sent: 16  Out-of-sequence rcvd: 0
  Topology-ids on interface - 0
  Authentication mode is md5, key-chain is "1"

Rack4SW1#debug eigrp packets hello


EIGRP Packets debugging is on
(HELLO)
Rack4SW1#
EIGRP: Sending HELLO on Vlan127 nbr 163.1.127.12
  AS 100, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
EIGRP: received packet with MD5 authentication, key id = 1
EIGRP: Received HELLO on Vlan127 nbr 163.1.127.12
  AS 100, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

Task 8.3 Solution


Beyond what is explicitly asked, there are a few other items to keep in mind
here. Start with the default route and the access-list that blocks anything
arriving inbound on Fa0/1. The default route points at 192.0.2.1, an address
no real host answers for, so a static ARP entry is needed before R5 can
encapsulate packets towards that next hop at all. SW2 then discards every
frame sent to that MAC address with a static drop entry in its address table.

Once the default route is advertised, traffic for unknown destinations is
drawn towards R5. Since R5 is running ZBF, Fa0/1 is placed in its own zone
and a policy that passes all traffic is attached to the zone-pairs leading
into it. The pass action is stateless, which is fine here because nothing is
expected to come back from the sink.

Finally, configure IP accounting and Flexible NetFlow on the interface so
the traffic being sunk can be examined.

R5:
!
! Create an ACL with explicit DENY and apply it inbound on Fa0/1
!
access-list 183 deny ip any any
interface FastEthernet 0/1
ip access-group 183 in

!
! Add the default route to 192.0.2.1
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1

!
! For router to be able to encapsulate packets towards gateway of last
! resort we need a L3 to L2 resolution
!
arp 192.0.2.1 0086.0086.0086 arpa

!
! Originate default route into OSPF
!
router ospf 1
default-information originate

!
! Create a new security zone for interface fastEthernet0/1
!
zone security SINK

!
! Configure the firewall policy to pass any traffic
!
policy-map type inspect PMAP_SINK
class class-default
pass

!
! Configure the zone-pairs to match both OUTSIDE to SINK and INSIDE to
! SINK traffic
!
zone-pair security ZP_OUTSIDE_TO_SINK source OUTSIDE dest SINK
service-policy type inspect PMAP_SINK

zone-pair security ZP_INSIDE_TO_SINK source INSIDE dest SINK
service-policy type inspect PMAP_SINK

!
! Configure flow monitoring for interface fastEthernet0/1
!
flow monitor MONITOR
statistics packet protocol
statistics packet size
record netflow ipv4 protocol-port-tos

!
! Apply configuration to interface Fa0/1
!
interface fastEthernet0/1
ip flow monitor MONITOR output
ip accounting output-packets
zone-member security SINK
no shutdown

SW2:
!
! Configure switch to drop traffic destined for this mac
!
mac address-table static 0086.0086.0086 vlan 86 drop

Task 8.3 Verification


Rack4R4#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 1, candidate default path
Tag 1, type extern 2, forward metric 64
Redistributing via eigrp 100
Advertised by eigrp 100 metric 64 1 255 1 1500
Last update from 163.1.54.5 on Serial0/0.54, 03:44:03 ago
Routing Descriptor Blocks:
163.1.54.5, from 150.4.5.5, 03:44:03 ago, via Serial0/0.54
Route metric is 1, traffic share count is 1
Route tag 1
* 163.1.45.5, from 150.4.5.5, 03:44:03 ago, via Serial0/1
Route metric is 1, traffic share count is 1
Route tag 1

R5:
ip access-list extended 105
10 permit ip any host 20.20.20.20
!
interface fastEthernet0/1
no ip route-cache
interface Serial0/0
no ip route-cache
interface serial0/0.54
no ip route-cache
debug ip packet detail 105

Rack4R4#ping 20.20.20.20 re 6

Type escape sequence to abort.


Sending 6, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:

Rack4R5#
IP: tableid=0, s=163.1.45.4 (Serial0/0.54), d=20.20.20.20 (FastEthernet0/1), routed via FIB
IP: s=163.1.45.4 (Serial0/0.54), d=20.20.20.20 (FastEthernet0/1), g=192.0.2.1, len 100, forward
    ICMP type=8, code=0
Rack4R5#
(the same three debug lines appear on R5 for each of the six echoes; the
remaining five repetitions are omitted here)

Check the Flexible NetFlow statistics on R5.

Rack4R5#show flow monitor name MONITOR statistics


Cache type: Normal
Cache size: 4096
Current entries: 0
High Watermark: 1

Flows added: 3
Flows aged: 3
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 3
- Event aged 0
- Watermark aged 0
- Emergency aged 0

Packet size distribution (45 total packets):


1-32 64 96 128 160 192 224 256 288 320 352 384 416
.000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000

448 480 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

Protocol   Total   Flows   Packets   Bytes   Packets   Active(Sec)   Idle(Sec)
           Flows   /Sec    /Flow     /Pkt    /Sec      /Flow         /Flow
ICMP           3   0.0     15        100     0.0       28.0          15.6
Total:         3   0.0     15        100     0.0       28.0          15.6

CCIE Security Lab Workbook Vol II Solutions Guide for CCIEv3.0 Lab 5

IEWB-SC-VOL2 Lab 5 Solutions


Task 1.1 Solution
ASA1:

!
! First convert the firewall from routed mode to transparent mode
!
firewall transparent

!
hostname Rack4ASA1

!
! Configure the interfaces with appropriate security levels and nameif
!
interface Ethernet0/0
nameif outside
no shut
interface Ethernet0/1
nameif inside
no shut

!
! Configure the management ip address needed so the firewall
! can actually forward traffic; configure default-route
!
ip address 162.1.38.12 255.255.255.0
route outside 0 0 162.1.38.3

!
! Enable ssh access to the firewall: SSH needs a domain name and an RSA
! key pair. 1024 bits is the lab value; use 2048 bits or more in production
!
domain-name INE.com
crypto key generate rsa general-keys modulus 1024

!
! Allow ssh access from anywhere since the task places no restriction on
! the sources; outside a lab, limit this to the management hosts
!
ssh 0 0 inside
ssh 0 0 outside

Task 1.1 Verification


Check basic connectivity and ssh into the firewall from both R3 and SW1 using
default username/password of pix/cisco.

Rack4ASA1# show firewall


Firewall mode: Transparent

Rack4ASA1# ping 162.1.38.3


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.38.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Rack4ASA1# ping 162.1.38.8


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.38.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4R3#ssh -l pix 162.1.38.12

Password:
Type help or '?' for a list of available commands.
Rack4ASA1> en
Password:
Rack4ASA1#

Rack4SW1#ssh -l pix 162.1.38.12

Password:
Type help or '?' for a list of available commands.
Rack4ASA1> en
Password:
Rack4ASA1#

Task 1.2 Solution


ASA2:

hostname Rack4ASA2

!
! Configure sub-interfaces as per the diagram
!
interface Ethernet0/0
no shutdown
!
interface Ethernet0/0.113
vlan 113
nameif outside
ip address 162.1.113.2 255.255.255.0
interface Ethernet0/1
no shut
interface Ethernet0/1.100
vlan 100
nameif inside
ip address 192.10.4.2 255.255.255.0

!
! Configure OSPF on the inside interface and EIGRP on the outside.
! Although the task does not ask for it, it is best practice to make the
! "network" statements as specific as possible; with a host mask the
! address must be exactly the interface address configured above, or the
! protocol will not be enabled on that interface.
!
router eigrp 100
no auto-summary
network 162.1.113.2 255.255.255.255
!
router ospf 1
network 192.10.4.2 255.255.255.255 area 51

!
router eigrp 100
redistribute ospf 1 metric 10000 100 255 1 1500
router ospf 1
redistribute eigrp 100 metric-type 1 subnets

Task 1.2 Verification


Rack4ASA2# ping 192.10.4.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.4.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Rack4ASA2# ping 162.1.113.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.113.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA2# show ospf neighbor

Neighbor ID     Pri   State     Dead Time   Address        Interface
150.4.6.6         1   FULL/DR   0:00:30     192.10.4.6     inside

Rack4ASA2# show eigrp neighbors


EIGRP-IPv4 neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 162.1.113.1 Et0/0.113 14 00:29:06 1 200 0 3

Rack4ASA2# show route inside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C 192.10.4.0 255.255.255.0 is directly connected, inside


O 150.4.6.6 255.255.255.255 [110/11] via 192.10.4.6, 0:29:13, inside

Rack4ASA2# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

D    162.1.13.0 255.255.255.0 [90/2170368] via 162.1.113.1, 0:30:42, outside
C    162.1.113.0 255.255.255.0 is directly connected, outside

Rack4R1#show ip route eigrp

D EX 192.10.4.0/24 [170/284160] via 162.1.113.2, 00:29:08, FastEthernet0/0
     150.4.0.0/16 is variably subnetted, 2 subnets, 2 masks
D EX 150.4.6.6/32 [170/284160] via 162.1.113.2, 00:29:08, FastEthernet0/0

Rack4R6#show ip route ospf


162.1.0.0/24 is subnetted, 2 subnets
O E1 162.1.13.0 [110/21] via 192.10.4.2, 00:32:09, FastEthernet0/0
O E1 162.1.113.0 [110/21] via 192.10.4.2, 00:32:09, FastEthernet0/0

Task 1.3 Solution

Caution

The PAT statement for 192.10.X.0/24 overlaps the dynamic NAT statement for
0.0.0.0/0. The ASA chooses between regular dynamic nat statements by best
match on the real address, not by NAT ID, so VLAN 100 hosts use the /24
(PAT) statement either way. Cisco nevertheless discourages overlapping
statements, so keep the more specific one at the lower NAT ID, as below,
so the intended precedence is obvious when reading the configuration.

ASA2:

!
! Configure PAT for inside 192.10.x.0/24 subnet
!
nat (inside) 1 192.10.4.0 255.255.255.0
global (outside) 1 interface

!
! Configure dynamic NAT for all other networks reachable via inside
!
nat (inside) 2 0.0.0.0 0.0.0.0
global (outside) 2 162.1.113.128-162.1.113.191 netmask 255.255.255.192

Task 1.3 Verification


Rack4R6#telnet 162.1.113.1
Trying 162.1.113.1 ... Open

User Access Verification

Password:
Rack4R1>en
Password:
Rack4R1#show users
Line User Host(s) Idle Location
0 con 0 idle 14:49:02
* 66 vty 0 idle 00:00:00 162.1.113.13

Interface User Mode Idle Peer Address

Rack4ASA2# show conn


5 in use, 9 most used
TCP outside 162.1.113.1:23 inside 192.10.4.6:64799, idle 0:01:10, bytes
461, flags UIO

Rack4ASA2# show xlate state portmap


1 in use, 1 most used
PAT Global 162.1.113.13(59258) Local 192.10.4.6(64799)

Rack4R6#telnet 162.1.113.1 /source-interface loopback 0


Trying 162.1.113.1 ... Open

User Access Verification

Password:
Rack4R1>en
Password:
Rack4R1#show users
Line User Host(s) Idle Location
0 con 0 idle 00:01:14
* 66 vty 0 idle 00:00:00 162.1.113.174

Interface User Mode Idle Peer Address

Rack4ASA2# show conn


5 in use, 9 most used
TCP outside 162.1.113.1:23 inside 150.4.6.6:56999, idle 0:02:53, bytes
456, flags UIO
Rack4ASA2# show xlate
1 in use, 1 most used
Global 162.1.113.174 Local 150.4.6.6

Task 1.4 Solution


ASA2:

!
! Create the object-groups
!
object-group service SRV_VLAN100
service-object tcp-udp
service-object icmp echo

object-group network NET_VLAN100


network-object host 192.10.4.120
network-object host 192.10.4.130
network-object host 192.10.4.140

!
! Create and apply the access-list inbound on the inside interface
!
access-list INSIDE_IN extended deny object-group SRV_VLAN100 object-group NET_VLAN100 any
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

Task 1.4 Verification

Note

For verification we need to make sure that only the specified traffic is prohibited
from going across the firewall. We can either configure the Test PC in VLAN 100
or temporarily modify the IP address of R6 to one of the restricted hosts in VLAN
100.

Rack4R6#show running-config interface fastEthernet 0/0 | i ip


ip address 192.10.4.6 255.255.255.0

Rack4R6#telnet 162.1.113.1
Trying 162.1.113.1 ... Open

User Access Verification

Password:
Rack4R1>

Rack4R6#show running-config interface FastEthernet 0/0 | i ip


ip address 192.10.4.120 255.255.255.0
Rack4R6#telnet 162.1.113.1
Trying 162.1.113.1 ...
% Connection refused by remote host

Rack4ASA2# show asp drop frame acl-drop


Flow is denied by configured rule (acl-drop) 1

Last clearing: Never

Rack4R6#traceroute 162.1.113.1

Type escape sequence to abort.


Tracing the route to 162.1.113.1

1 * * *
2 * * *
3 * *

Rack4ASA2# show asp drop frame acl-drop


Flow is denied by configured rule (acl-drop) 10

Last clearing: Never

Rack4R6#ping 162.1.113.1 re 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 162.1.113.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)

Task 1.5 Solution


ASA2:

!
! Configure the dhcp server parameters and enable the server
!
dhcpd address 192.10.4.64-192.10.4.127 inside
dhcpd dns 192.10.4.200 192.10.4.201 interface inside
dhcpd ping_timeout 100 interface inside
dhcpd domain INE.com interface inside
dhcpd enable inside

Task 1.5 Verification


For verification we assign the TestPC to VLAN100 and configure it for DHCP
auto-configuration

Rack4ASA2(config)# logging enable
Rack4ASA2(config)# logging buffered debugging
Rack4ASA2# debug dhcpd packet
debug dhcpd packet enabled at level 1


Rack4ASA2# DHCPD: Server msg received, fip=ANY, fport=0 on inside
interface
DHCPD: DHCPDISCOVER received from client 0100.0c29.6a1c.aa on interface
inside.
DHCPD: Sending DHCPOFFER to client 0100.0c29.6a1c.aa (192.10.4.64).
DHCPD: Including FQDN option name 'sc09-xp.INE.com' rcode1=0, rcode2=0
flags=0x0

DHCPD: Total # of raw options copied to outgoing DHCP message is 0.


DHCPD: creating ARP entry (192.10.4.64, 000c.296a.1caa).
DHCPD: unicasting BOOTREPLY to client 000c.296a.1caa (192.10.4.64).
DHCPD: Server msg received, fip=ANY, fport=0 on inside interface
DHCPD: DHCPREQUEST received from client 0100.0c29.6a1c.aa.
DHCPD: Sending DHCPACK to client 0100.0c29.6a1c.aa (192.10.4.64).
DHCPD: Including FQDN option name 'sc09-xp.INE.com' rcode1=0, rcode2=0
flags=0x0

DHCPD: Total # of raw options copied to outgoing DHCP message is 0.


DHCPD: creating ARP entry (192.10.4.64, 000c.296a.1caa).
DHCPD: unicasting BOOTREPLY to client 000c.296a.1caa (192.10.4.64).

Rack4ASA2#show dhcpd binding

IP address Hardware address Lease expiration Type

192.10.4.64 0100.0c29.6a1c.aa 3509 seconds Automatic

Rack4ASA2# show dhcpd state


Context Configured as DHCP Server
Interface inside, Configured for DHCP SERVER
Interface outside, Not Configured for DHCP

Task 1.6 Solution


This task is simple as well, but be aware that EtherType access-lists are
stateless. For our case this means that if MPLS packets must flow in both
directions (inside to outside and outside to inside), the EtherType
access-list has to be applied inbound on both interfaces.

ASA1:

!
! Disable mac-learning on both interfaces and add static mappings for
! R3 and SW2 MACs. These can be easily found by issuing “show interface
! Fa0/1 | i bia” on R3 and “show interface Vlan128 | i bia” on SW2
!
mac-learn outside disable
mac-learn inside disable
mac-address-table static outside 000f.8f14.ad21
mac-address-table static inside 000f.f703.3c00

!
! Create an object-group covering subnets behind ASA1’s inside and
! create access-list to allow telnet and icmp echo. Apply the access-
! list inbound on the outside interface.
!
object-group network NET_INSIDE
network-object 10.0.0.0 255.255.255.0
network-object 162.1.38.0 255.255.255.0
network-object host 150.4.8.8

access-list OUTSIDE_IN extended permit tcp any object-group NET_INSIDE eq telnet
access-list OUTSIDE_IN extended permit icmp any object-group NET_INSIDE echo
access-group OUTSIDE_IN in interface outside

!
! Create EtherType access-lists to allow MPLS packets. Apply it
! inbound on both inside and outside interfaces
!
access-list ETH_OUTSIDE_IN ethertype permit mpls-unicast
access-list ETH_INSIDE_IN ethertype permit mpls-unicast
!
access-group ETH_OUTSIDE_IN in interface outside
access-group ETH_INSIDE_IN in interface inside

!
policy-map global_policy
class inspection_default
inspect icmp

Task 1.6 Verification


Verify that telnet/ping works from R3 to SW1 and vice-versa.

Rack4R3#ping 162.1.38.8

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 162.1.38.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Rack4R3#telnet 162.1.38.8
Trying 162.1.38.8 ... Open

User Access Verification

Password:
Rack4SW1>

Rack4SW1#ping 162.1.38.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 162.1.38.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Rack4SW1#telnet 162.1.38.3
Trying 162.1.38.3 ... Open

User Access Verification

Password:
Rack4R3>

Task 1.7 Solution


ASA1:

!
! Configure ARP inspection on both interfaces with “no-flood”
! option
!
arp-inspection outside enable no-flood
arp-inspection inside enable no-flood

!
! Create static ARP mappings for SW1 and R3 since “no-flood” option
! has been configured previously
!
arp inside 162.1.38.8 0012.0183.5900
arp outside 162.1.38.3 000f.8f14.ad21

Task 1.7 Verification


To make sure we still have connectivity between R3, SW1 and ASA1 we can
clear the dynamic ARP entries on SW1 and R3 and ping again. To simulate the
effect of a MITM attempt (a host claiming an address that is not bound to
its MAC), we temporarily change the IP address on SW1 or R3 and verify that
connectivity is lost and that ASA1 drops the offending ARP packets.

Rack4ASA1# show arp-inspection


interface arp-inspection miss
----------------------------------------------------
outside enabled no-flood
inside enabled no-flood

Rack4R3#clear arp-cache interface fastEthernet 0/1


Rack4R3#ping 162.1.38.8

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 162.1.38.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/8 ms

Rack4SW1#clear arp-cache interface vlan 128


Rack4SW1#ping 162.1.38.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 162.1.38.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1000 ms

Rack4ASA1(config)# logging enable


Rack4ASA1(config)# logging buffered debugging
Rack4ASA1# debug arp-inspection

Rack4SW1(config)#
Rack4SW1(config)# interface Vlan128
Rack4SW1(config)# ip address 162.1.38.10 255.255.255.0

Rack4SW1#ping 162.1.38.3 re 2

Type escape sequence to abort.


Sending 2, 100-byte ICMP Echos to 162.1.38.3, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)

Rack4ASA1# show logging | b ARP


%ASA-3-322003: ARP inspection check failed for arp request received
from host 0012.0183.5900 on interface inside. This host is advertising
MAC Address 0012.0183.5900 for IP Address 162.1.38.10, which is not
bound to any MAC Address
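The %ASA-3-322003 message above is the event a defender should be alerting on. The following Python is an added example (not from the workbook) that parses such messages and classifies each failure against the static bindings from the Task 1.7 solution; the sibling message %ASA-3-322002, logged when the advertised IP is statically bound to a different MAC, is handled too. In the sample buffer only the first line is the message shown above; the other two lines are constructed.

```python
import re
from collections import Counter

# Static ARP bindings configured on ASA1 in Task 1.7 (interface -> {ip: mac}).
STATIC_ARP = {
    "inside": {"162.1.38.8": "0012.0183.5900"},
    "outside": {"162.1.38.3": "000f.8f14.ad21"},
}

# 322003: advertised IP is not bound to any MAC (the message in the verification).
# 322002: advertised IP is statically bound to a different MAC.
ARP_FAIL_RE = re.compile(
    r"%ASA-3-(?P<msgid>32200[23]): ARP inspection check failed for arp "
    r"(?P<kind>request|response) received from host (?P<src_mac>[0-9a-f.]+) "
    r"on interface (?P<iface>\S+)\. This host is advertising MAC Address "
    r"(?P<adv_mac>[0-9a-f.]+) for IP Address (?P<adv_ip>[0-9.]+), which is "
    r"(?P<reason>.+?)\.?$"
)


def parse_arp_failure(line: str):
    """Return the fields of an ARP inspection failure message, or None for other lines."""
    m = ARP_FAIL_RE.search(line.replace("\n", " "))
    return m.groupdict() if m else None


def classify(event: dict) -> str:
    """Label a parsed failure against the static bindings the ASA is expected to hold.

    bound-ip-other-mac : a host claims an IP that is statically bound to another MAC
                         (what an ARP poisoning attempt against SW1 or R3 looks like)
    known-host-new-ip  : a MAC we have a static entry for now claims a different IP
                         (what the SW1 re-addressing test above produces)
    unknown-host       : neither the MAC nor the IP is known on that interface
    """
    bindings = STATIC_ARP.get(event["iface"], {})
    bound_mac = bindings.get(event["adv_ip"])
    if bound_mac is not None and bound_mac != event["adv_mac"]:
        return "bound-ip-other-mac"
    if event["src_mac"] in bindings.values():
        return "known-host-new-ip"
    return "unknown-host"


def summarize(lines) -> Counter:
    """Count failures per (interface, source MAC, classification) over a log buffer."""
    counts = Counter()
    for line in lines:
        event = parse_arp_failure(line)
        if event is not None:
            counts[(event["iface"], event["src_mac"], classify(event))] += 1
    return counts


# Constructed sample buffer: line 1 is the verification message above re-joined
# onto one line; lines 2 and 3 are constructed (a spoof of R3's IP on the outside
# interface, and an unrelated connection-count message that must be ignored).
SAMPLE_LOG = [
    "%ASA-3-322003: ARP inspection check failed for arp request received from host "
    "0012.0183.5900 on interface inside. This host is advertising MAC Address "
    "0012.0183.5900 for IP Address 162.1.38.10, which is not bound to any MAC Address",
    "%ASA-3-322002: ARP inspection check failed for arp response received from host "
    "00aa.bbcc.ddee on interface outside. This host is advertising MAC Address "
    "00aa.bbcc.ddee for IP Address 162.1.38.3, which is statically bound to MAC Address "
    "000f.8f14.ad21",
    "%ASA-6-302010: 3 in use, 4 most used",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(key, count)
```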

Task 1.8 Solution


ASA1:

!
! Configure logging levels as required by the task and enable
! timestamps
!
logging timestamp
logging console emergencies
logging monitor errors
logging trap debugging

!
! Configure logging to the syslog server and make sure debug messages
! don’t show on monitor session.
!
logging host outside 162.1.38.175
logging debug-trace
logging enable

!
! Configure the ASA to authenticate NTP and the NTP key
!
ntp authentication-key 1 md5 *
ntp authenticate
ntp trusted-key 1

!
! Configure the NTP server
!
ntp server 162.1.38.254 key 1 source outside

!
! Configure static ARP entries for the NAT on R3, so we can reach
! syslog and ntp servers. Otherwise ARP replies from R3 will be dropped
! by ASA1, since we have ARP inspection configured
!
arp outside 162.1.38.254 000f.8f14.ad21
arp outside 162.1.38.175 000f.8f14.ad21


ASA2:

!
! Configure static PAT for ntp and syslog. Create an access-list to
! allow ntp and syslog traffic and apply it inbound on the outside
! interface
!
static (inside,outside) udp 162.1.113.254 ntp 192.10.4.254 ntp netmask 255.255.255.255
static (inside,outside) udp 162.1.113.175 syslog 192.10.4.175 syslog netmask 255.255.255.255
!
access-list OUTSIDE_IN extended permit udp host 162.1.38.12 host 162.1.113.254 eq ntp
access-list OUTSIDE_IN extended permit udp host 162.1.38.12 host 162.1.113.175 eq syslog
access-group OUTSIDE_IN in interface outside

R3:
!
! Configure static PAT for the already NAT’ed addresses of the
! syslog and ntp servers
!
interface FastEthernet0/1
ip nat outside
!
interface Serial1/1.13
ip nat inside
!
ip nat inside source static udp 162.1.113.175 514 162.1.38.175 514
ip nat inside source static udp 162.1.113.254 123 162.1.38.254 123


Task 1.8 Verification


Make sure logging is enabled and configured per the requirements. Check NTP
association and synchronization.

Rack4ASA1# show logging setting


Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: enabled
Console logging: level emergencies, 0 messages logged
Monitor logging: level errors, 0 messages logged
Buffer logging: disabled
Trap logging: level debugging, facility 20, 19 messages logged
Logging to outside 162.1.38.175
<snip>

Rack4ASA1# show ntp status


Clock is synchronized, stratum 5, reference is 162.1.38.254
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is af49e066.d4979bbc (15:59:34.830 UTC Thu Mar 11 1993)
clock offset is -1.6795 msec, root delay is 61.49 msec
root dispersion is 7892.64 msec, peer dispersion is 7890.91 msec

Rack4ASA1# show ntp associations detail

162.1.38.254 configured, authenticated, our_master, sane, valid, stratum 4
ref ID 127.127.7.1, time af49e02b.72126bfa (15:58:35.445 UTC Thu Mar 11 1993)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 3, sync dist 7921.692
delay 61.49 msec, offset -1.6795 msec, dispersion 7890.91
precision 2**18, version 3
org time af49e066.cc4a4a36 (15:59:34.798 UTC Thu Mar 11 1993)
rcv time af49e066.d4979bbc (15:59:34.830 UTC Thu Mar 11 1993)
xmt time af49e066.c4a3f580 (15:59:34.768 UTC Thu Mar 11 1993)
filtdelay =    61.49   60.23    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =   -1.68   -2.27    0.00    0.00    0.00    0.00    0.00    0.00
filterror =    15.63   16.60 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
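The “authenticated” flag in the association output is the result of the checks that `ntp authenticate` and `ntp trusted-key 1` turn on. The following Python is an added example (not part of the workbook) that builds an NTP client header, appends the symmetric-key MD5 MAC defined in RFC 5905 and verifies it the way an authenticating receiver does; both key strings are constructed because the real secret is masked on the page, and key 2 is a constructed key that exists but is deliberately not trusted. MD5 is used only because that is the digest the ASA configuration above specifies.

```python
import hashlib
import hmac
import struct

# NTP packet layout (RFC 5905): a 48-byte header, optionally followed by a
# symmetric-key MAC = 4-byte key identifier + MD5 digest of (key || header).
HEADER_LEN = 48
MAC_LEN = 4 + 16

# Key table as on ASA1 ("ntp authentication-key <id> md5 <secret>"). The real
# secret is masked on the page, so both values here are constructed.
KEYS = {1: b"constructed-secret-1", 2: b"constructed-secret-2"}
# Only key 1 is marked trusted ("ntp trusted-key 1"); key 2 is configured but not trusted.
TRUSTED_KEYS = {1}


def build_client_header(xmt_seconds: int = 0) -> bytes:
    """Build a minimal NTPv3 client request header (LI=0, VN=3, mode=3)."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    hdr = bytes([li_vn_mode, 0, 6, 0xEC])      # stratum 0, poll 6, precision -20
    hdr += b"\x00" * 8                          # root delay, root dispersion
    hdr += b"\x00" * 4                          # reference id
    hdr += b"\x00" * 24                         # reference, origin, receive timestamps
    hdr += struct.pack("!II", xmt_seconds, 0)   # transmit timestamp (seconds, fraction)
    return hdr


def sign(header: bytes, key_id: int) -> bytes:
    """Append the MAC a peer holding `key_id` adds before sending."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes) -> str:
    """Return 'ok', or the reason an 'ntp authenticate' receiver discards the packet."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"        # no MAC at all: rejected once authentication is on
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "bad-length"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    if key_id not in KEYS or key_id not in TRUSTED_KEYS:
        return "untrusted-key"          # 'ntp trusted-key' decides which ids are acceptable
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return "bad-digest"             # altered header or wrong secret on the sender
    return "ok"


if __name__ == "__main__":
    pkt = sign(build_client_header(0xAF49E066), 1)
    print(len(pkt), verify(pkt))
```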


Task 2.1 Solution


R4:

!
! Drop packets with ip options and disable cdp on the interface
! to BB3.
!
ip options drop
!
interface FastEthernet0/0
no cdp enable

!
! Configure CBAC for TCP and UDP traffic. Apply it outbound on the
! “outside” interface, since we are told to use a minimal configuration.
! The “router-traffic” option makes CBAC also inspect TCP sessions
! initiated by R4 itself, so their return traffic is allowed back in.
!
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC udp

!
! Configure static NAT for server 10.4.4.100
!
interface FastEthernet0/0
ip nat outside
!
interface FastEthernet0/1
ip nat inside
!
ip nat inside source static 10.4.4.100 204.12.4.100

!
! Inbound ACL for the “outside” interface: allow TCP to the NAT’ed server
! on any port except SMTP (25). Everything else is denied unless CBAC
! has opened a hole for it
!
ip access-list extended CBAC_IN
permit tcp any host 204.12.4.100 neq 25
deny ip any any

!
! Apply the inspection and ACL. Do not send “administratively
! prohibited” messages for acl dropped packets means not to send icmp
! unreachables
!
interface FastEthernet0/0
no ip unreachables
ip access-group CBAC_IN in
ip inspect CBAC out


Task 2.1 Verification


Verify that CDP is disabled on the interface towards BB3 and that traffic with IP
options set gets dropped. Verify that TCP and UDP traffic initiated from the
“inside” interfaces of R4 is allowed back in on the “outside” interface.

Rack4R4#show cdp interface fast0/1


FastEthernet0/1 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Rack4R4#show cdp interface fast0/0

Rack4R4#

Rack4R5#ping 162.1.45.4

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 162.1.45.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms


To test IP options filtering, we will generate extended ICMP packets with “record
route” option:

Rack4R5#ping
Protocol [ip]:
Target IP address: 162.1.45.4
Repeat count [5]: 2
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 162.1.45.4, timeout is 2 seconds:
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)

Request 0 timed out


Request 1 timed out
Success rate is 0 percent (0/2)


Rack4R4#show ip traffic
IP statistics:
Rcvd: 89 total, 87 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 0 bad options, 0 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 fragments, 0 couldn't fragment
Bcast: 0 received, 0 sent
Mcast: 60 received, 101 sent
Sent: 127 generated, 0 forwarded
Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency
0 no route, 0 unicast RPF, 0 forced drop
2 options denied
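The “Total option bytes= 39, padded length=40” line and the “2 options denied” counter above follow directly from the Record Route option encoding. The following Python is an added example (not from the workbook) that builds that option with the default 9 hop slots, parses options out of an IPv4 header, and applies the `ip options drop` decision; the addresses, the checksum (left at zero) and the policy strings are constructed for illustration.

```python
import struct
from socket import inet_aton

# IPv4 option types (RFC 791 encoding) that 'show ip traffic' counts separately.
IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
OPTION_NAMES = {IPOPT_RR: "record route", 0x44: "timestamp",
                0x83: "loose source route", 0x89: "strict source route"}


def record_route_option(hops: int = 9) -> bytes:
    """Record Route option as sent by 'ping ... record' with the default 9 hop slots."""
    length = 3 + 4 * hops                    # type + length + pointer + 4 bytes per hop
    return bytes([IPOPT_RR, length, 4]) + b"\x00" * (4 * hops)


def build_ipv4_header(src: str, dst: str, options: bytes = b"", payload_len: int = 0) -> bytes:
    """IPv4 header with options padded to a 32-bit boundary (checksum left at zero)."""
    options += bytes([IPOPT_EOL]) * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                        0, 0, 64, 1, 0, inet_aton(src), inet_aton(dst))
    return fixed + options


def parse_options(header: bytes):
    """Return [(type, length)] for the options carried in an IPv4 header."""
    ihl = header[0] & 0x0F
    opts = header[20:ihl * 4]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break                             # end of option list; rest is padding
        if kind == IPOPT_NOP:
            found.append((kind, 1))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option")
        found.append((kind, opts[i + 1]))
        i += opts[i + 1]
    return found


def options_denied(header: bytes, policy: str = "drop") -> bool:
    """'ip options drop' denies any packet whose IHL exceeds 5, i.e. that carries options."""
    return policy == "drop" and (header[0] & 0x0F) > 5


def count_denied(headers, policy: str = "drop") -> int:
    """Mirror the 'options denied' counter of 'show ip traffic' over a batch of headers."""
    return sum(1 for h in headers if options_denied(h, policy))


if __name__ == "__main__":
    opt = record_route_option()
    hdr = build_ipv4_header("162.1.0.5", "162.1.45.4", opt, payload_len=40)
    print(len(opt), len(hdr) - 20, parse_options(hdr), options_denied(hdr))
```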

Since BB3 has no route back to the pod, traffic initiated from behind R4 will not
generate any returning packets, but we can still see CBAC session openings:

Rack4R5#telnet 204.12.4.254
Trying 204.12.4.254 ...
% Connection timed out; remote host not responding

Rack4R5#
Rack4R4#show ip inspect sessions detail
Half-open Sessions
Session 844CAF00 (162.1.0.5:34592)=>(204.12.4.254:23) tcp SIS_OPENING
Created 00:00:15, Last heard 00:00:13
Bytes sent (initiator:responder) [0:0]
In SID 204.12.4.254[23:23]=>162.1.0.5[34592:34592] on ACL CBAC_IN

Rack4R5#traceroute 204.12.4.254

Type escape sequence to abort.


Tracing the route to 204.12.4.254

1 162.1.0.3 32 msec 28 msec 32 msec


2 162.1.0.4 56 msec 56 msec 56 msec
3 * * *
4 *
Rack4R5#


Rack4R4#show ip inspect sessions detail


Half-open Sessions
Session 844CA970 (162.1.0.5:49162)=>(204.12.4.254:33442) udp SIS_OPENING
Created 00:00:14, Last heard 00:00:14
Bytes sent (initiator:responder) [0:0]
In SID 204.12.4.254[33442:33442]=>162.1.0.5[49162:49162] on ACL CBAC_IN
Session 844CAC38 (162.1.0.5:49161)=>(204.12.4.254:33441) udp SIS_OPENING
Created 00:00:17, Last heard 00:00:17
Bytes sent (initiator:responder) [0:0]
In SID 204.12.4.254[33441:33441]=>162.1.0.5[49161:49161] on ACL CBAC_IN
Session 844CA3E0 (162.1.0.5:49164)=>(204.12.4.254:33444) udp SIS_OPENING
Created 00:00:08, Last heard 00:00:08
Bytes sent (initiator:responder) [0:0]
In SID 204.12.4.254[33444:33444]=>162.1.0.5[49164:49164] on ACL CBAC_IN
Session 844CAF00 (162.1.0.5:49160)=>(204.12.4.254:33440) udp SIS_OPENING
Created 00:00:20, Last heard 00:00:20
Bytes sent (initiator:responder) [0:0]
In SID 204.12.4.254[33440:33440]=>162.1.0.5[49160:49160] on ACL CBAC_IN

For testing, we put the TestPC in VLAN4 and configure it with the IP address
10.4.4.100. We then telnet into BB3 and from there telnet back to the 204.12.4.100
server on the Remote Desktop port 3389. Then we telnet to the prohibited port 25
and confirm that ICMP unreachables are not being sent.

Rack4R4#telnet 204.12.4.254
Trying 204.12.4.254 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB3. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.internetworkexpert.com/downloads/bb3.txt |
| |
+-----------------------------------------------------------------------+


SC.9.9.BB3>telnet 204.12.4.100 3389


Trying 204.12.4.100, 3389 ... Open

[Connection to 204.12.4.100 closed by foreign host]


SC.9.9.BB3>

SC.9.9.BB3>telnet 204.12.4.100 25
Trying 204.12.4.100, 25 ...
% Connection timed out; remote host not responding

SC.9.9.BB3>

Rack4R4#show ip interface fastEthernet 0/0 | i unreach


ICMP unreachables are never sent
Rack4R4#

Rack4R4#show ip traffic | section ICMP


ICMP statistics:
Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 0 unreachable
0 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp, 0 timestamp replies, 0 info request,
0 other
0 irdp solicitations, 0 irdp advertisements
Sent: 0 redirects, 0 unreachable, 0 echo, 0 echo reply
0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 0
timestamp replies
0 info reply, 0 time exceeded, 0 parameter problem
0 irdp solicitations, 0 irdp advertisements


Task 2.2 Solution


R4:

!
! Configure URL filtering, the Websense server and exclusive domains
!
ip inspect name CBAC http urlfilter
ip urlfilter server vendor websense 162.1.38.100
ip urlfilter source-interface Loopback0
ip urlfilter exclusive-domain permit INE.com
ip urlfilter exclusive-domain permit cisco.com

!
! Create the time-range and configure the ACL to deny web traffic
! during work hours. Then apply it outbound on R4, towards BB3
!
time-range HTTP_RESTRICT
periodic weekdays 7:59 to 16:59
ip access-list extended CBAC_OUT
deny tcp any any eq www time-range HTTP_RESTRICT
permit ip any any

interface FastEthernet0/0
ip access-group CBAC_OUT out

R6:

!
! Configure URL filtering, the Websense server and exclusive domains
!
ip inspect name CBAC http urlfilter
ip urlfilter server vendor websense 162.1.38.100
ip urlfilter source-interface Loopback0
ip urlfilter exclusive-domain permit INE.com
ip urlfilter exclusive-domain permit cisco.com

!
! Create the time-range and configure the ACL to deny web traffic
! during work hours. Then apply it outbound on R6’s Serial0/0/0
!
time-range HTTP_RESTRICT
periodic weekdays 7:59 to 16:59
!


ip access-list extended CBAC_OUT
deny tcp any any eq www time-range HTTP_RESTRICT
permit ip any any
!
interface Serial0/0/0
ip access-group CBAC_OUT out
ip inspect CBAC out

ASA1:
!
! Configure a static route for host 10.0.0.100
!
route inside 10.0.0.100 255.255.255.255 162.1.38.8 1

!
! Create statics for host 10.0.0.100 and for R4 Loopback0
!
static (inside,outside) 162.1.38.100 10.0.0.100 netmask 255.255.255.255
static (outside,inside) 162.1.38.4 150.4.4.4 netmask 255.255.255.255

!
! Configure outside NAT for R6-Loopback0 dynamic NAT range
!
nat (outside) 1 162.1.113.128 255.255.255.192 outside
global (inside) 1 162.1.38.128 netmask 255.255.255.255

!
! Allow Websense traffic inbound on the outside interface. If you
! can’t remember the Websense port number you can find it out by
! issuing “debug ip urlfilter events” on either R4 or R6:
!
! URLF:got cache idle timer event...
! URLF:Closing the socket for server (162.1.38.100:15868)
! URLF:server connecting (socket fd 0)
! URLF:received a wrong event
!
access-list OUTSIDE_IN extended permit tcp host 150.4.4.4 host 162.1.38.100 eq 15868
access-list OUTSIDE_IN extended permit tcp 162.1.113.128 255.255.255.192 host 162.1.38.100 eq 15868


Task 2.2 Verification


Verify that the TCP session with Websense server has been established. Verify
that port 80 is disallowed during work hours. Keep in mind that you may not have
the Websense server running in the real exam.

Rack4R4#show tcp brief


TCB       Local Address               Foreign Address             (state)
8416A438  150.4.4.4.179               150.4.1.1.43647             ESTAB
84DAD248  150.4.4.4.57637             162.1.38.100.15868          ESTAB

Rack4R6#show tcp brief


TCB       Local Address               Foreign Address             (state)
484AB040  54.4.2.6.62152              54.4.2.254.179              ESTAB
484A93F0  150.4.6.6.28978             162.1.38.100.15868          ESTAB

Rack4ASA1# show xlate


3 in use, 4 most used
Global 162.1.38.4 Local 150.4.4.4
Global 162.1.38.100 Local 10.0.0.100
PAT Global 162.1.38.128(6892) Local 162.1.113.152(28978)
Rack4ASA1# show conn
3 in use, 4 most used
TCP outside 162.1.38.4(150.4.4.4):57637 inside 10.0.0.100:15868, idle 0:00:37, bytes 0, flags UB
TCP outside 162.1.38.128(162.1.113.152):28978 inside 10.0.0.100:15868, idle 0:00:50, bytes 0, flags UB

Rack4R4#show ip access-lists CBAC_OUT


Extended IP access list CBAC_OUT
10 deny tcp any any eq www time-range HTTP_RESTRICT (inactive)
20 permit ip any any
Rack4R4#show clock
*23:08:43.410 UTC Sun Jul 19 2009

Rack4R4#clock set 10:00:00 20 Jul 2009


Rack4R4#show ip access-lists CBAC_OUT
Extended IP access list CBAC_OUT
10 deny tcp any any eq www time-range HTTP_RESTRICT (active)
20 permit ip any any

Rack4R5#telnet 204.12.4.254 80
Trying 204.12.4.254, 80 ...
% Destination unreachable; gateway or host down

Rack4R4#show ip access-lists interface fastEthernet 0/0 out


Extended IP access list CBAC_OUT out
10 deny tcp any any eq www time-range HTTP_RESTRICT (active) (1 match)
20 permit ip any any
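The clock-set test above works because each ACE that references a time-range is re-evaluated at lookup time. The following Python is an added example (not from the workbook) that parses the `periodic weekdays 7:59 to 16:59` entry, evaluates CBAC_OUT against the two timestamps shown above, and assumes both boundaries of the range are inclusive to the minute.

```python
import re
from datetime import datetime, time

# Day groups accepted by the IOS 'periodic' keyword (Monday = 0, as datetime.weekday()).
DAY_GROUPS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7))}
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

PERIODIC_RE = re.compile(
    r"periodic\s+(\S+)\s+(\d{1,2}):(\d{2})\s+to\s+(\d{1,2}):(\d{2})")


def parse_periodic(spec: str):
    """Parse 'periodic weekdays 7:59 to 16:59' into (days, start, end)."""
    m = PERIODIC_RE.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"unsupported time-range entry: {spec!r}")
    day_word = m.group(1).lower()
    days = DAY_GROUPS.get(day_word) or {DAY_NAMES.index(day_word)}
    start = time(int(m.group(2)), int(m.group(3)))
    end = time(int(m.group(4)), int(m.group(5)))
    return days, start, end


def is_active(rule, when: datetime) -> bool:
    """True when the time-range is active at `when`.

    Assumption: both boundaries are inclusive to the minute, so 16:59:30 is
    still inside '7:59 to 16:59' and 17:00:00 is outside.
    """
    days, start, end = rule
    minute = when.time().replace(second=0, microsecond=0)
    return when.weekday() in days and start <= minute <= end


# Extended ACL CBAC_OUT from Task 2.2: (sequence, action, protocol, dst_port, time-range).
CBAC_OUT = [
    (10, "deny", "tcp", 80, "HTTP_RESTRICT"),
    (20, "permit", "ip", None, None),
]
TIME_RANGES = {"HTTP_RESTRICT": parse_periodic("periodic weekdays 7:59 to 16:59")}


def evaluate(acl, proto: str, dst_port: int, when: datetime):
    """Return (action, sequence) of the first matching ACE, or the implicit deny."""
    for seq, action, ace_proto, ace_port, trange in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        if trange is not None and not is_active(TIME_RANGES[trange], when):
            continue        # ACE shows as '(inactive)' outside its time-range
        return action, seq
    return "deny", None


if __name__ == "__main__":
    for stamp in (datetime(2009, 7, 19, 23, 8, 43), datetime(2009, 7, 20, 10, 0, 0)):
        print(stamp, evaluate(CBAC_OUT, "tcp", 80, stamp))
```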


Task 3.1 Solution


This is a classic LAN-to-LAN IPsec tunnel; however, only one endpoint (ASA2)
should be able to initiate the connection. This means we need a dynamic crypto
map configured on the other endpoint (R3), which can then only respond to
ASA2’s negotiation and never start one itself.

R6:
!
! Configure R6 as NTP master
!
ntp master 5

!
! Configure HTTP server for CA and configure the CA sever as well.
!
ip http server
crypto pki server CA
issuer-name cn=CA, ou=CCIE, o=INE
grant auto
database url flash:
no shutdown

R3:

!
! Create ISAKMP policy. Modify the DH group to match the default one in
!
crypto isakmp policy 10
auth rsa-sig
encr 3des
hash md5
group 2

!
! Enable NTP synchronization with R6
!
ntp server 162.1.113.6 source Serial1/1.13

!
! Create the proxy ACL and transform-set
!
ip access-list extended VLAN3_TO_VLAN113
permit ip 10.35.35.0 0.0.0.255 162.1.113.0 0.0.0.255
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac


!
! Since only ASA should be capable of initiating the tunnel, we need to
! configure a dynamic crypto-map in R3
!
crypto dynamic-map MYDYNAMIC 10
set transform-set 3DES_MD5
match address VLAN3_TO_VLAN113
!
crypto map MYMAP 10 ipsec-isakmp dynamic MYDYNAMIC
!
interface Serial1/1.13
crypto map MYMAP

!
! Authenticate and enroll with the CA
!
ip domain-name INE.com
crypto pki trustpoint CA
enrollment url http://162.1.113.6:80
crypto ca authenticate CA
crypto key generate rsa general-keys modulus 512
crypto ca enroll CA

Do you want to continue with re-enrollment? [yes/no]: yes


%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: Rack4R3.INE.com


% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CA verbose' command will show the fingerprint.

CRYPTO_PKI: Certificate Request Fingerprint MD5: 70E0C773 C51C83CE B9DAD6E3 34931F39
CRYPTO_PKI: Certificate Request Fingerprint SHA1: E7F774C8 985DB4D3 C183AD55 4FCEAD5A FD95B19F
%PKI-6-CERTRET: Certificate received from Certificate Authority


ASA2:
!
! Enable ISAKMP on the outside interface and configure the ISAKMP
! policy
!
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash md5
group 2

!
! Configure NTP synchronization with R6
!
ntp server 192.10.4.6 source inside

!
! Configure the proxy ACL and the transform-set
!
access-list VLAN113_TO_VLAN3 extended permit ip 162.1.113.0 255.255.255.0 10.35.35.0 255.255.255.0
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!
! Tie the pieces into the crypto map
!
crypto map MYMAP 10 match address VLAN113_TO_VLAN3
crypto map MYMAP 10 set peer 162.1.13.3
crypto map MYMAP 10 set transform-set 3DES_MD5
crypto map MYMAP interface outside

!
! Allow the ASA to initiate the tunnel using certificate-based
! authentication
!
crypto map MYMAP 10 set trustpoint CA

!
! Authenticate the CA and enroll with it
!
crypto ca trustpoint CA
enrollment url http://192.10.4.6:80
crypto key generate rsa general-keys modulus 512
crypto ca authenticate CA
crypto ca enroll CA

!
! Configure the tunnel-group and specify the trust-point for
! certificate validation
!
tunnel-group 162.1.13.3 type ipsec-l2l
tunnel-group 162.1.13.3 ipsec-attributes
peer-id-validate cert
trust-point CA


!
! Create a route for VLAN3 to trigger the IPSec process
!
route outside 10.35.35.0 255.255.255.0 162.1.113.1 1

!
! Permit U-turn for VPN traffic on the outside interface
!
same-security-traffic permit intra-interface

!
! Configure static PAT for NTP and Certificate Enrollment from R3 to
! R6. Then permit traffic through the firewall in the outside access-
! list
!
static (inside,outside) udp 162.1.113.6 ntp 192.10.4.6 ntp netmask 255.255.255.255
static (inside,outside) tcp 162.1.113.6 www 192.10.4.6 www netmask 255.255.255.255
access-list OUTSIDE_IN extended permit udp host 162.1.13.3 host 162.1.113.6 eq ntp
access-list OUTSIDE_IN extended permit tcp host 162.1.13.3 host 162.1.113.6 eq www

R1:

!
! Configure the route to VLAN3 towards ASA2 so traffic from VLAN113 to
! VLAN 3 flows through the tunnel
!
ip route 10.35.35.0 255.255.255.0 162.1.113.13


Task 3.1 Verification


Verify that R3 can’t initiate the tunnel. Confirm that packets flow across the tunnel
once ASA2 initiates it.

Rack4R3#ping 162.1.113.1 source 10.35.35.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 162.1.113.1, timeout is 2 seconds:
Packet sent with a source address of 10.35.35.3
.....
Success rate is 0 percent (0/5)
Rack4R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

Rack4R1#ping 10.35.35.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 10.35.35.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 88/91/93 ms
Rack4R1#

Rack4ASA2# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 162.1.13.3
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
Rack4ASA2#


Rack4ASA2# show crypto ipsec sa


interface: outside
Crypto map tag: MYMAP, seq num: 10, local addr: 162.1.113.13

access-list VLAN113_TO_VLAN3 permit ip 162.1.113.0 255.255.255.0 10.35.35.0 255.255.255.0
local ident (addr/mask/prot/port): (162.1.113.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.35.35.0/255.255.255.0/0/0)
current_peer: 162.1.13.3

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 162.1.113.13, remote crypto endpt.: 162.1.13.3

path mtu 1500, ipsec overhead 58, media mtu 1500


current outbound spi: F60C0F9E

inbound esp sas:


spi: 0xA5FE61A0 (2784911776)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 53248, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4373999/3534)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xF60C0F9E (4127985566)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 53248, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4373999/3534)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


Rack4R5#show ntp status


Clock is synchronized, stratum 6, reference is 162.1.113.6
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**18
reference time is CE0F48DD.AD5DFDA8 (19:49:49.677 UTC Mon Jul 20 2009)
clock offset is 0.4681 msec, root delay is 92.85 msec
root dispersion is 0.85 msec, peer dispersion is 0.14 msec

Rack4ASA2# show ntp status


Clock is synchronized, stratum 6, reference is 192.10.4.6
nominal freq is 99.9984 Hz, actual freq is 99.9983 Hz, precision is 2**6
reference time is ce0f472a.55982fae (19:42:34.334 UTC Mon Jul 20 2009)
clock offset is 1.4515 msec, root delay is 1.33 msec
root dispersion is 18.01 msec, peer dispersion is 16.13 msec


Task 3.2 Solution


ASA2:
!
! Enable SSLVPN on the outside interface, specify the AnyConnect client
! location and enable it
!
webvpn
port 443
enable outside
tunnel-group-list enable
svc image flash:/anyconnect-win-2.3.0254-k9.pkg
svc enable
!
! Create the Split-Tunnel list
!
access-list SPLIT_TUNNEL standard permit 192.10.4.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 150.4.6.0 255.255.255.0

!
! Create a group-policy called SSLVPN and enable SVC as the tunneling
! protocol
!
group-policy SSLVPN internal
group-policy SSLVPN attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
!
! Create an address pool for remote clients
!
ip local pool SSLVPN 192.168.0.1-192.168.0.254 mask 255.255.255.0
!
! Configure RRI redistribution into OSPF
!
router ospf 1
redistribute static subnets
!
! Configure the tunnel-group
!
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
default-group-policy SSLVPN
address-pool SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
authentication aaa


!
! Create username/password for SSL access
!
username SSLUSER password CISCO
username SSLUSER attributes
group-lock value SSLVPN

!
! Configure the allowed ssl encryption algorithm
!
ssl encryption rc4-md5

!
! Configure NAT exemption for VPN traffic
!
access-list NAT-EXEMPTION permit ip 150.4.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NAT-EXEMPTION permit ip 192.10.4.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NAT-EXEMPTION

!
! Configure access-list bypass for VPN connections
!
sysopt connection permit-vpn


Task 3.3 Solution


ASA2:
!
! Allow NTP and Certificate Enrollment traffic through ASA2
!
access-list OUTSIDE_IN extended permit udp host 162.1.0.5 host 162.1.113.6 eq ntp
access-list OUTSIDE_IN extended permit udp host 162.1.0.4 host 162.1.113.6 eq ntp
access-list OUTSIDE_IN extended permit tcp host 162.1.0.5 host 162.1.113.6 eq www
access-list OUTSIDE_IN extended permit tcp host 162.1.0.4 host 162.1.113.6 eq www

R3:
!
! Configure the IPSEC profile
!
crypto ipsec profile DMVPN
set transform-set 3DES_MD5
set pfs group2

!
! Configure new Loopback interface
!
interface Loopback2
ip address 192.168.3.3 255.255.255.0


!
! Configure the Tunnel on the HUB
!
interface Tunnel0
ip address 100.100.100.3 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 1
tunnel source Serial1/0.2345
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN

!
! Enable EIGRP AS 1 on the DMVPN cloud and advertise Loopback2
!
router eigrp 1
network 100.100.100.3 0.0.0.0
network 192.168.3.3 0.0.0.0
no auto-summary

R4:

!
! Configure NTP synchronization with R6
!
ntp server 162.1.113.6 source serial 0/0.2345

!
! Configure CA trustpoint, authenticate and enroll with it
!
crypto pki trustpoint CA
enrollment url http://162.1.113.6:80
ip domain-name INE.com
crypto ca authenticate CA
crypto ca enroll CA

!
! Configure an ISAKMP policy matching the one on R3, but with the
! lifetime the task asks for. There is no need to configure another
! ISAKMP policy on R3, since the lifetime is negotiated and the lower
! value wins
!
crypto isakmp policy 10
encr 3des
hash md5
group 2
lifetime 43200


!
! Configure IPSec transform-set and the IPSec profile
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set 3DES_MD5
set pfs group2

!
! Create the new Loopback2 interface
!
interface Loopback2
ip address 192.168.4.4 255.255.255.0

!
! Configure the Tunnel interface
!
interface Tunnel0
ip address 100.100.100.4 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast 162.1.0.3
ip nhrp map 100.100.100.3 162.1.0.3
ip nhrp network-id 1
ip nhrp nhs 100.100.100.3
tunnel source Serial0/0.2345
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN

!
! Enable EIGRP AS 1 on the DMVPN cloud and advertise Loopback2
!
router eigrp 1
network 100.100.100.4 0.0.0.0
network 192.168.4.4 0.0.0.0
no auto-summary

R5:
!
! Configure NTP synchronization with R6
!
ntp server 162.1.113.6 source serial 0/0.2345

!
! Configure CA trustpoint, authenticate and enroll with it
!
crypto pki trustpoint CA
enrollment url http://162.1.113.6:80
ip domain-name INE.com
crypto ca authenticate CA
crypto ca enroll CA


!
! Configure an ISAKMP policy matching the one on R3, but with the
! lifetime the task asks for. There is no need to configure another
! ISAKMP policy on R3, since the lifetime is negotiated and the lower
! value wins
!
crypto isakmp policy 10
encr 3des
hash md5
group 2
lifetime 43200

!
! Configure IPSec transform-set and the IPSec profile
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec profile DMVPN
set transform-set 3DES_MD5
set pfs group2

!
! Create the new Loopback2 interface
!
interface Loopback2
ip address 192.168.5.5 255.255.255.0

!
! Configure the Tunnel interface
!
interface Tunnel0
ip address 100.100.100.5 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast 162.1.0.3
ip nhrp map 100.100.100.3 162.1.0.3
ip nhrp network-id 1
ip nhrp nhs 100.100.100.3
tunnel source Serial0/0.2345
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN

!
! Enable EIGRP AS 1 on the DMVPN cloud and advertise Loopback2
!
router eigrp 1
network 100.100.100.5 0.0.0.0
network 192.168.5.5 0.0.0.0
no auto-summary


Task 3.3 Verification


Rack4R3#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local        Remote       I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1097  162.1.0.3    162.1.0.4           ACTIVE  3des  md5   rsig  2   11:59:48
      Engine-id:Conn-id = SW:97
1096  162.1.0.3    162.1.0.5           ACTIVE  3des  md5   rsig  2   11:57:33
      Engine-id:Conn-id = SW:96

IPv6 Crypto ISAKMP SA

Rack4R3#show ip eigrp neighbors 1


IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
1   100.100.100.4    Tu0           13  00:02:02   114   5000  0    9
0   100.100.100.5    Tu0           11  00:03:57   112   5000  0    9

Rack4R3#show ip route eigrp 1


D 192.168.4.0/24 [90/297372416] via 100.100.100.4, 00:03:25, Tunnel0
D 192.168.5.0/24 [90/297372416] via 100.100.100.5, 00:05:02, Tunnel0

Rack4R3#show crypto ipsec sa peer 162.1.0.4

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 162.1.0.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (162.1.0.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (162.1.0.4/255.255.255.255/47/0)
   current_peer 162.1.0.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 59, #pkts encrypt: 59, #pkts digest: 59
    #pkts decaps: 61, #pkts decrypt: 61, #pkts verify: 61
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 162.1.0.3, remote crypto endpt.: 162.1.0.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0.2345
     current outbound spi: 0x6E90E3CF(1854989263)

     inbound esp sas:
      spi: 0x2CE5636A(753230698)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 39, flow_id: 39, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4530045/3351)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E90E3CF(1854989263)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 40, flow_id: 40, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4530045/3351)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Rack4R3#ping 192.168.5.5 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/113/116 ms

Rack4R3#ping 192.168.4.4 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/113/116 ms

Task 4.1 Solution


We need to configure R1 for both RADIUS and TACACS+ support; RADIUS for
authentication and TACACS+ for command authorization and accounting.

R1:
!
! Enable aaa. Configure a list with no authentication for the console to
! avoid lockouts, and a default list using RADIUS with local fallback
!
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login default group radius local

!
! Configure tacacs+ accounting. Configure local username/password
!
aaa accounting commands 15 default start-stop group tacacs+
username ADMIN password CISCO

!
! Configure console for no authentication
!
line console 0
login authentication CONSOLE

!
! Configure the tacacs and radius servers with different source interfaces
! so the AAA server can tell the two clients apart
!
tacacs-server host 162.1.38.100 key cisco
ip tacacs source-interface Loopback0
radius-server host 162.1.38.100 key cisco
ip radius source-interface Serial 0/0.13

ASA1:
!
! Since ASA1 splits the routing domain, we need static xlates for both
! R1's loopback and the Serial interface so that SW1 can reach them
!
static (outside,inside) 162.1.38.1 150.4.1.1 netmask 255.255.255.255
static (outside,inside) 162.1.38.113 162.1.13.1 netmask 255.255.255.255

!
! Allow tacacs and radius to flow across ASA1’s outside interface
!
access-list OUTSIDE_IN extended permit udp host 162.1.13.1 host 162.1.38.100 eq radius
access-list OUTSIDE_IN extended permit tcp host 150.4.1.1 host 162.1.38.100 eq tacacs

ACS:

Step 1:

Add R1 as a RADIUS AAA Client: Network Configuration | AAA Clients: Add/Edit | Submit + Apply

Step 2:

Add R1 as a TACACS+ AAA Client: Network Configuration | AAA Clients: Add/Edit | Submit + Apply

Step 3:

Add a New User to the ACS:

User Setup | Add/Edit [ADMIN] | [Password=CISCO]

Task 4.1 Verification


Rack4R1#test aaa group radius server 162.1.38.100 ADMIN CISCO legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

Rack4R1#test aaa group tacacs+ ADMIN CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Rack4R1#telnet 150.4.1.1
Trying 150.4.1.1 ... Open

User Access Verification

Username: ADMIN
Password:

Rack4R1>en
Password:
Rack4R1#conf t
Rack4R1(config)#interface fastEthernet 0/0
Rack4R1(config-if)#end
Rack4R1#exit

[Connection to 150.4.1.1 closed by foreign host]

ACS:

Check User Authentication Logs: Reports and Activity | Passed Authentications | Passed Authentications Active.csv

Verify Command Accounting:

Reports and Activity | TACACS+ Administration | TACACS+ Administration Active.csv

Rack4R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack4R1(config)#interface serial 0/0.13
Rack4R1(config-subif)#shutdown
Rack4R1(config-subif)#end
Rack4R1#telnet 150.4.1.1
Trying 150.4.1.1 ... Open

User Access Verification

Username: ADMIN
Password:

Rack4R1>en
Password:
Rack4R1#

Task 4.2 Solution


Configure R5 for dynamic lock-and-key access-lists. Enable listening on port
7005 for the proprietary application. Apply necessary changes to ASA1
configuration.

R5:
!
! Enable aaa. Configure a list with no authentication for console to
! avoid lockouts and the default with tacacs+
!
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login default group tacacs+

!
! Configure TACACS+ to authorize exec shell (e.g. autocommands)
!
aaa authorization exec default group tacacs+

!
! Dynamic ACL to control access to server
!
ip access-list extended PROTECT_SERVER
dynamic SERVER permit tcp any host 162.1.55.100 eq 4550
deny tcp any host 162.1.55.100 eq 4550
permit ip any any

!
! Set up TACACS+ server
!
tacacs-server host 162.1.38.100 key cisco
ip tacacs source-interface Loopback 0
!
interface Serial 0/1
ip access-group PROTECT_SERVER in
!
interface Serial 0/0.2345
ip access-group PROTECT_SERVER in
!
line console 0
login authentication CONSOLE

!
! Enable the router to listen on port 7005 for telnet connections
!
line vty 4
rotary 5

ASA1:
static (outside,inside) 162.1.38.5 150.4.5.5 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp host 150.4.5.5 host 162.1.38.100 eq tacacs

ACS:

Step 1:

Add R5 as a TACACS+ AAA Client: Network Configuration | AAA Clients: Add/Edit | Submit + Apply

Step 2:

Add the APP user, enable the shell service and specify the autocommand: User Setup | Add/Edit [APP] | [Password=CISCO]

Task 4.2 Verification


Verify connectivity to the AAA server. Telnet on port 7005 and authenticate; next,
verify that you may connect through on port 4550.

Rack4R5#test aaa group tacacs+ APP CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Rack4R3#telnet 162.1.55.100 4550
Trying 162.1.55.100, 4550 ...
% Destination unreachable; gateway or host down

Rack4R5#show ip access-lists
Extended IP access list PROTECT_SERVER
10 Dynamic SERVER permit tcp any host 162.1.55.100 eq 4550
20 deny tcp any host 162.1.55.100 eq 4550 (3 matches)
30 permit ip any any (356 matches)

Rack4R3#telnet 150.4.5.5 7005
Trying 150.4.5.5, 7005 ... Open

Username: APP
Password:

[Connection to 150.4.5.5 closed by foreign host]

Rack4R3#telnet 162.1.55.100 4550
Trying 162.1.55.100, 4550 ...
% Connection timed out; remote host not responding

Rack4R5#show ip access-lists
Extended IP access list PROTECT_SERVER
10 Dynamic SERVER permit tcp any host 162.1.55.100 eq 4550
permit tcp host 162.1.0.3 host 162.1.55.100 eq 4550 (6 matches)
20 deny tcp any host 162.1.55.100 eq 4550 (3 matches)
30 permit ip any any (505 matches)

ACS:

Step 1

Check User Authentication Logs: Reports and Activity | Passed Authentications | Passed Authentications Active.csv

Task 4.3 Solution


This task is for TACACS+ privilege level assignment. Configure R3 for TACACS+
and configure some commands to be accessible at privilege level 7. Make
necessary changes on ASA1.

R3:
!
! Prevent console lockouts
!
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login default group tacacs+

!
! Authorize exec privilege levels with TACACS+
!
aaa authorization exec default tacacs+

!
! Permit some privilege 15 commands at level 7
!
privilege exec level 7 configure terminal
privilege configure all level 7 snmp-server

!
! Configure the tacacs server
!
tacacs-server host 162.1.38.100 key cisco
ip tacacs source-interface Loopback 0

!
! Apply the list with no authentication on the console
!
line console 0
login authentication CONSOLE

ASA1:
!
static (outside,inside) 162.1.38.103 150.4.3.3 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp host 150.4.3.3 host 162.1.38.100 eq tacacs

ACS:

Step 1:

Add R3 as a TACACS+ Client to the ACS server: Network Configuration | AAA Clients: Add/Edit | Submit + Apply

Step 2:

Add a new user and assign the exec privilege level: User Setup | Add/Edit [USER1] | [Password=CISCO]

TACACS+ Settings: [Shell(exec)], [+ Privilege Level = 7]

Repeat the procedure for USER2, setting Privilege Level to 0 this time.

User Setup | Add/Edit [USER2] | User Setup [Password = CISCO]

TACACS+ Settings: [Shell(exec)], [Privilege Level = 0]

Task 4.3 Verification


Verify connectivity with the AAA server. Verify privilege level assignment via the
TACACS+ server and confirm that necessary commands are available at
privilege level 7.

Rack4R3#test aaa group tacacs+ USER1 CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Rack4R3#test aaa group tacacs+ USER2 CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Rack4R3#telnet 150.4.3.3
Trying 150.4.3.3 ... Open

Username: USER1
Password:

Rack4R3#show privilege
Current privilege level is 7
Rack4R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Rack4R3(config)#?
Configure commands:
beep Configure BEEP (Blocks Extensible Exchange Protocol)
call Configure Call parameters
default Set a command to its defaults
end Exit from configure mode
exit Exit from configure mode
help Description of the interactive help system
netconf Configure NETCONF
no Negate a command or set its defaults
sasl Configure SASL
snmp-server Modify SNMP engine parameters

Rack4R3(config)#snmp-server ?
chassis-id String to uniquely identify this chassis
community Enable SNMP; set community string and access privs
contact Text for mib object sysContact
context Create/Delete a context apart from default
drop Silently drop SNMP packets
enable Enable SNMP Traps
engineID Configure a local or remote SNMPv3 engineID
file-transfer File transfer related commands
group Define a User Security Model group
host Specify hosts to receive SNMP notifications
ifindex Enable ifindex persistence
location Text for mib object sysLocation
packetsize Largest SNMP packet size
queue-length Message queue length for each TRAP host
source-interface Assign an source interface
system-shutdown Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap SNMP trap options
trap-source Assign an interface for the source address of all
traps
trap-timeout Set timeout for TRAP message retransmissions
user Define a user who can access the SNMP engine
view Define an SNMP MIB view

Rack4R3#telnet 150.4.3.3
Trying 150.4.3.3 ... Open

Username: USER2
Password:

Rack4R3>?
Exec commands:
<1-99> Session number to resume
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

Task 4.4 Solution

Pitfall

Under the command authorization set we need to specify not only commands
specified in this task (debug ip rip & undebug all), but also the
commands required by the previous task (configure terminal & all
snmp-server commands).

R3:
!
! Authorize & Account level 7 commands with TACACS+
!
aaa authorization commands 7 default group tacacs+
aaa accounting commands 7 default start-stop group tacacs+

!
! This is required to authorize config-mode commands
!
aaa authorization config-commands

!
! Make the commands “visible” at level 7
! They will be sent to TACACS+ for detailed authorization
!
privilege exec all level 7 undebug
privilege exec all level 7 debug

ACS:

Step 1:

Create shell-command authorization set for USER1:

Shared Profile Components | Shell Command Authorization Sets | Add [USER1]

Unmatched commands = Deny

Add Commands:

cmd = “configure”, args = “permit terminal”
cmd = “debug”, args = “permit ip rip”
cmd = “undebug”, args = “permit all”
cmd = “snmp-server”, Permit Unmatched args

Step 2:

Assign the shell-command authorization set to USER1

User Setup | Add/Edit [USER1] | TACACS+ Settings: Shell Command Authorization Set = USER1

Task 4.4 Verification


Verify that USER1 has access to both debug ip rip and undebug all
commands and the snmp-server commands. Confirm that any other
commands are not allowed.

Rack4R3#telnet 150.4.3.3
Trying 150.4.3.3 ... Open

Username: USER1
Password:

Rack4R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack4R3(config)#exit
Rack4R3#debug ip rip
RIP protocol debugging is on

Rack4R3#undebug all
All possible debugging has been turned off

Rack4R3#debug ip ospf adj
Command authorization failed.

Rack4R3#conf t
Rack4R3(config)#?
Configure commands:
beep Configure BEEP (Blocks Extensible Exchange Protocol)
call Configure Call parameters
default Set a command to its defaults
end Exit from configure mode
exit Exit from configure mode
help Description of the interactive help system
netconf Configure NETCONF
no Negate a command or set its defaults
sasl Configure SASL
snmp-server Modify SNMP engine parameters

Rack4R3(config)#
Rack4R3(config)#snmp-server enable traps cpu

ACS:

Check for command logging: Reports and Activity | TACACS+ Administration | TACACS+ Administration Active.csv

Task 4.5 Solution

R4:
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login default group tacacs+

!
! Enable TACACS+ command authorization for privilege level 12
!
aaa authorization commands 12 default group tacacs+

!
! Make sure configuration mode commands and exec are authorized as well
!
aaa authorization config-commands
aaa authorization exec default group tacacs+

!
! Make some privileged commands visible at level 12
!
privilege exec level 12 configure terminal
privilege exec level 12 show running-config
privilege exec level 12 show running-config interface
privilege configure all level 12 interface

!
! We move the “hostname” command down to level 12, thus permitting
! it to be in the running-config for the user. However, TACACS+
! will deny any attempts to change the hostname
!
privilege configure level 12 hostname
privilege interface level 12 shutdown
privilege interface level 12 no shutdown
!
tacacs-server host 162.1.38.100 key cisco
ip tacacs source-interface Loopback0
!
line console 0
login authentication CONSOLE

ASA1:
access-list OUTSIDE_IN extended permit tcp host 150.4.4.4 host 162.1.38.100 eq tacacs

ACS:

Step 1:

Add R4 as a TACACS+ AAA Client: Network Configuration | AAA Clients: Add/Edit | Submit + Apply

Step 2:

Create a new shell command authorization set named “NOC”: Shared Profile Components | Shell Command Authorization Sets | Add

Deny Unmatched Commands and Add the following:

Cmd = “configure”, Args = “permit terminal”
Cmd = “interface”, Check “Permit Unmatched Args”
Cmd = “no”, Args = “permit shutdown”
Cmd = “show”, Args = “permit running-config”
Cmd = “shutdown”, Check “Permit Unmatched Args”

Step 3:

Create a user NOC and assign shell command authorization set to it:
User Setup | Add/Edit [NOC] | User Setup; [Password = CISCO]

Step 4:

Modify the Privilege Level for the new user. TACACS+ Settings:
[+Shell(exec)] , [+Privilege Level = 12]

Task 4.5 Verification


Rack4R4#test aaa group tacacs+ NOC CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Rack4R3#telnet 150.4.4.4
Trying 150.4.4.4 ... Open

User Access Verification

Username: NOC
Password:

Rack4R4#show privilege
Command authorization failed.

Rack4R4#show running-config
Building configuration...

Current configuration : 1410 bytes

!
!
hostname Rack4R4
!
boot-start-marker
boot-end-marker
!
!
!
!
!
interface Loopback0
ip address 150.4.4.4 255.255.255.0
!
interface Loopback2
ip address 192.168.4.4 255.255.255.0
!
interface Tunnel0
ip address 100.100.100.4 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast 162.1.0.3
ip nhrp map 100.100.100.3 162.1.0.3
ip nhrp network-id 1
ip nhrp nhs 100.100.100.3
tunnel source Serial0/0.2345
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN
!

interface FastEthernet0/0
ip address 204.12.4.4 255.255.255.0
ip access-group CBAC_IN in
ip access-group CBAC_OUT out
no ip unreachables
ip inspect CBAC out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable

Rack4R4#conf t
Rack4R4(config)#hostname test
Command authorization failed.

Rack4R4(config)#interface loopback2
Rack4R4(config-if)#shutdown
Rack4R4(config-if)#no shutdown

Rack4R4(config-if)#ip address 5.5.5.5 255.255.255.0
Command authorization failed.
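
The two shell command authorization sets built on the ACS in Task 4.4 (USER1) and Task 4.5 (NOC) can be modelled to see why each command in the verification transcripts above was permitted or failed. The following is an added example, not code from the workbook, IOS or ACS; it assumes a simplified matching rule (argument patterns matched as a prefix on whole tokens, then the "Permit Unmatched Args" flag, then "Unmatched Commands"), and it does not model which commands IOS actually submits under `aaa authorization commands <level>`.

```python
"""Model of a TACACS+ shell command authorization set as built on the ACS in
Tasks 4.4 and 4.5.  Added example; not code from the workbook, Cisco IOS or ACS.

Assumed (simplified) matching rule: IOS sends the command word plus its arguments;
the set entry for that word is consulted, each 'permit'/'deny' argument pattern is
compared against the leading argument tokens, and if no pattern matches the entry's
'Permit Unmatched Args' flag decides.  A command word with no entry falls through to
'Unmatched Commands' (Deny in both tasks).  Which commands IOS actually submits for
authorization depends on 'aaa authorization commands <level>' and the privilege
levels assigned with 'privilege ...'; that part is not modelled here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandEntry:
    """One 'cmd' row of the set: ordered (action, argument-pattern) pairs."""
    args: List[Tuple[str, str]] = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class CommandAuthSet:
    commands: Dict[str, CommandEntry] = field(default_factory=dict)
    permit_unmatched_commands: bool = False   # 'Unmatched commands = Deny' in both tasks

    def add(self, cmd: str, *args: str, permit_unmatched_args: bool = False) -> "CommandAuthSet":
        """Argument lines are given exactly as typed in ACS, e.g. 'permit ip rip'."""
        pairs = []
        for line in args:
            action, _, pattern = line.partition(" ")
            if action not in ("permit", "deny"):
                raise ValueError(f"bad argument line: {line!r}")
            pairs.append((action, pattern))
        self.commands[cmd] = CommandEntry(pairs, permit_unmatched_args)
        return self

    def authorize(self, line: str) -> bool:
        """Return True if the command line is permitted by the set."""
        tokens = line.split()
        if not tokens:
            return True
        cmd, args = tokens[0], tokens[1:]
        entry = self.commands.get(cmd)
        if entry is None:
            return self.permit_unmatched_commands
        for action, pattern in entry.args:
            pat = pattern.split()
            if args[:len(pat)] == pat:          # prefix match on whole tokens (assumption)
                return action == "permit"
        return entry.permit_unmatched_args


def user1_set() -> CommandAuthSet:
    """Task 4.4: set 'USER1', Unmatched commands = Deny."""
    return (CommandAuthSet()
            .add("configure", "permit terminal")
            .add("debug", "permit ip rip")
            .add("undebug", "permit all")
            .add("snmp-server", permit_unmatched_args=True))


def noc_set() -> CommandAuthSet:
    """Task 4.5: set 'NOC', Deny Unmatched Commands."""
    return (CommandAuthSet()
            .add("configure", "permit terminal")
            .add("interface", permit_unmatched_args=True)
            .add("no", "permit shutdown")
            .add("show", "permit running-config")
            .add("shutdown", permit_unmatched_args=True))


def replay(auth_set: CommandAuthSet, lines: List[str]) -> List[Tuple[str, str]]:
    """Evaluate typed commands; mirrors the router's 'Command authorization failed.'"""
    return [(l, "ok" if auth_set.authorize(l) else "Command authorization failed.")
            for l in lines]


if __name__ == "__main__":
    # Commands taken from the Task 4.4 and Task 4.5 verification transcripts
    scenarios = (
        ("USER1", user1_set(), ["configure terminal", "debug ip rip", "undebug all",
                                "debug ip ospf adj", "snmp-server enable traps cpu"]),
        ("NOC", noc_set(), ["show privilege", "show running-config", "configure terminal",
                            "hostname test", "interface loopback2", "shutdown",
                            "no shutdown", "ip address 5.5.5.5 255.255.255.0"]),
    )
    for name, auth, cmds in scenarios:
        for cmd, result in replay(auth, cmds):
            print(f"{name}: {cmd!r:40} -> {result}")
```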

Task 5.1 Solution


R2:
!
! Enable authentication globally under the OSPF process and the
! authentication key under the interface
!
router ospf 1
area 2345 authentication
interface Serial0/0.2345
ip ospf authentication-key cisco

R3:
!
! Enable authentication globally under the OSPF process and set the
! authentication key under the interface
!
router ospf 1
area 2345 authentication
interface Serial1/0.2345
ip ospf authentication-key cisco

R4:
!
! Enable authentication globally under the OSPF process and the
! authentication key under the interface. Although simple authentication
! is enabled globally, the interface-level MD5 authentication takes
! precedence because it is more specific
!
router ospf 1
area 2345 authentication
interface Serial0/0.2345
ip ospf authentication-key cisco
!
interface Serial0/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
R5:
!
! Enable authentication globally under the OSPF process and the
! authentication key under the interface. Although simple authentication
! is enabled globally, the interface-level MD5 authentication takes
! precedence because it is more specific
!
router ospf 1
area 2345 authentication
!
interface Serial0/0.2345
ip ospf authentication-key cisco
!
interface Serial0/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco

Task 5.1 Verification


Rack4R5#show ip os neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
150.4.3.3         0   FULL/  -     00:01:49    162.1.0.3       Serial0/0.2345
150.4.4.4         0   FULL/  -     00:00:38    162.1.45.4      Serial0/1

Rack4R5#show ip ospf interface serial 0/1
Serial0/1 is up, line protocol is up
Internet Address 162.1.45.5/24, Area 2345
Process ID 1, Router ID 150.4.5.5, Network Type POINT_TO_POINT, Cost: 9999
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 3
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.4.4
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

Rack4R5#show ip ospf interface serial 0/0.2345
Serial0/0.2345 is up, line protocol is up
Internet Address 162.1.0.5/24, Area 2345
Process ID 1, Router ID 150.4.5.5, Network Type POINT_TO_MULTIPOINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:18
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 5 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.3.3
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

Rack4R3#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
150.4.5.5         0   FULL/  -     00:01:54    162.1.0.5       Serial1/0.2345
150.4.2.2         0   FULL/  -     00:01:47    162.1.0.2       Serial1/0.2345
150.4.4.4         0   FULL/  -     00:01:54    162.1.0.4       Serial1/0.2345

Rack4R3#show ip ospf interface serial 1/0.2345
Serial1/0.2345 is up, line protocol is up
Internet Address 162.1.0.3/24, Area 2345
Process ID 1, Router ID 150.4.3.3, Network Type POINT_TO_MULTIPOINT, Cost: 781
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:25
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 3, maximum is 5
Last flood scan time is 0 msec, maximum is 5 msec
Neighbor Count is 3, Adjacent neighbor count is 3
Adjacent with neighbor 150.4.5.5
Adjacent with neighbor 150.4.2.2
Adjacent with neighbor 150.4.4.4
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

Task 5.2 Solution


R1:
router bgp 100
no neighbor 162.1.0.4 remote-as 200
no neighbor 162.1.0.4 ebgp-multihop 1
no neighbor 162.1.0.4 next-hop-self
neighbor 150.4.4.4 remote-as 200
neighbor 150.4.4.4 update-source Loopback0
neighbor 150.4.4.4 ttl-security hops 2
neighbor 150.4.4.4 next-hop-self

R4:
router bgp 200
no neighbor 162.1.13.1 remote-as 100
no neighbor 162.1.13.1 ebgp-multihop 1
no neighbor 162.1.13.1 next-hop-self
neighbor 150.4.1.1 remote-as 100
neighbor 150.4.1.1 update-source Loopback0
neighbor 150.4.1.1 ttl-security hops 2
neighbor 150.4.1.1 next-hop-self

Task 5.2 Verification


Rack4R1#show ip bgp neighbors 150.4.4.4 | section TTL
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255

Rack4R4#show ip bgp neighbors 150.4.1.1 | section TTL
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255

Task 5.3 Solution


R6:

!
! Configure thresholds as specified and enable the
! respective SNMP traps
!
process cpu threshold type total rising 75 interval 60 falling 30 interval 60
memory free low-watermark processor 5000
snmp-server enable traps cpu
snmp-server enable traps memory

!
! Configure logging to the AAA server but use TCP for transport
!
logging host 162.1.38.100 transport tcp

ASA1:
!
! Allow TCP syslog traffic from R6 to reach the AAA server
!
access-list OUTSIDE_IN extended permit tcp 162.1.113.128 255.255.255.192 host 162.1.38.100 eq 601

Task 5.4 Solution


The feature works only with local or AAA authentication and not with line
password authentication.

R6:
!
! Configure the access-list for exemption from blocking
!
access-list 1 permit 192.10.4.0 0.0.0.255

!
! Configure the feature as required
!
login block-for 600 attempts 3 within 60
login quiet-mode access-class 1
login on-failure log every 5
login delay 3
!
! Create a local username/password and enable local authentication on
! VTY lines
!
username cisco password cisco
line vty 0 988
login local

Task 5.4 Verification


Try failing login authentication 3 times within the 60-second window. Verify that, once
the router enters quiet mode, logins are blocked except from sources permitted by access-list 1.

Rack4R6#telnet 150.4.6.6 /source-interface Loopback0
Trying 150.4.6.6 ... Open

User Access Verification

Username: c
Password:
% Login invalid

Username: c
Password:
% Login invalid

Username: c
Password:

%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 21 secs, [user: c] [Source: 150.4.6.6] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: 1] at 20:23:01 UTC Tue Jul 21 2009
[Connection to 150.4.6.6 closed by foreign host]

Rack4R6#telnet 150.4.6.6
Trying 150.4.6.6 ...
% Connection refused by remote host

While the router is in quiet mode for 600 seconds, verify that sessions sourced
from subnet 192.10.4.0/24 are still permitted:

Rack4R6#show login
A login delay of 3 seconds is applied.
Quiet-Mode access list 1 is applied.
Every 5 failed login is logged.

Router enabled to watch for login Attacks.
If more than 3 login failures occur in 60 seconds or less,
logins will be disabled for 600 seconds.

Router presently in Quiet-Mode.
Will remain in Quiet-Mode for 483 seconds.
Restricted logins filtered by applied ACL 1.

Rack4R6#telnet 192.10.4.6
Trying 192.10.4.6 ... Open

User Access Verification

Username: cisco
Password:
Rack4R6>en
Password:
Rack4R6#

Rack4R6#show login failures
Total failed logins: 6
Detailed information about last 50 failures

Username        SourceIPAddr    lPort  Count  TimeStamp
c               150.4.6.6       23     6      20:23:01 UTC Tue Jul 21 2009

Simulate two more failed logins to verify that the fifth one is logged to the
console.

Rack4R6#telnet 192.10.4.6
Trying 192.10.4.6 ... Open

User Access Verification

Username: c
Password:
% Login invalid

%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: c] [Source: 192.10.4.6] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: 1] at 20:38:22 UTC Tue Jul 21 2009
[Connection to 192.10.4.6 closed by foreign host]

Rack4R6#telnet 192.10.4.6
Trying 192.10.4.6 ... Open

User Access Verification

Username: c
Password:
% Login invalid

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: c] [Source: 192.10.4.6] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 20:30:57 UTC Tue Jul 21 2009

%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: c] [Source: 192.10.4.6] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: 1] at 20:30:57 UTC Tue Jul 21 2009
[Connection to 192.10.4.6 closed by foreign host]
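
The quiet-mode behaviour verified above (three failures inside the 60-second watch window, 600 seconds of refused connections except from access-list 1, every fifth failure logged) can be modelled as a small state machine. The following is an added example, not Cisco code or code from the workbook; it assumes one counted failure per rejected login and does not re-announce quiet mode on failures from exempt sources.

```python
"""Model of the IOS login-attack watcher configured on R6 in Task 5.4:

    login block-for 600 attempts 3 within 60
    login quiet-mode access-class 1    (access-list 1 permit 192.10.4.0 0.0.0.255)
    login on-failure log every 5

Added example; it is not Cisco code and it simplifies the real feature: one failure
is counted per rejected login (IOS showed 6 for 3 attempts above), and quiet mode is
not re-announced on failures from exempt sources.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LoginWatcher:
    block_for: int = 600          # seconds spent in quiet mode
    attempts: int = 3             # failures that trigger quiet mode ...
    within: int = 60              # ... when they fall inside this window (seconds)
    exempt: List[ipaddress.IPv4Network] = field(default_factory=list)  # quiet-mode access-class
    log_every: int = 5            # 'login on-failure log every N'
    _window: List[float] = field(default_factory=list)  # timestamps of recent failures
    total_failures: int = 0
    quiet_until: Optional[float] = None
    syslog: List[str] = field(default_factory=list)

    def in_quiet_mode(self, now: float) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def quiet_seconds_left(self, now: float) -> int:
        """What 'show login' reports as 'Will remain in Quiet-Mode for N seconds'."""
        return int(self.quiet_until - now) if self.in_quiet_mode(now) else 0

    def _is_exempt(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.exempt)

    def accept_connection(self, src: str, now: float) -> bool:
        """True if a new VTY session from src gets a login prompt; False models
        '% Connection refused by remote host'."""
        return not self.in_quiet_mode(now) or self._is_exempt(src)

    def failed_login(self, src: str, user: str, now: float) -> List[str]:
        """Record one authentication failure and return the syslog lines it produced."""
        msgs: List[str] = []
        self.total_failures += 1
        if self.total_failures % self.log_every == 0:
            msgs.append(f"%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {user}] "
                        f"[Source: {src}] [localport: 23]")
        # keep only the failures that are still inside the watch window
        self._window = [t for t in self._window if now - t < self.within]
        self._window.append(now)
        if not self.in_quiet_mode(now) and len(self._window) >= self.attempts:
            self.quiet_until = now + self.block_for
            self._window.clear()
            msgs.append(f"%SEC_LOGIN-1-QUIET_MODE_ON: [user: {user}] [Source: {src}] "
                        f"[localport: 23] [ACL: 1]")
        self.syslog.extend(msgs)
        return msgs


def r6_watcher() -> LoginWatcher:
    """Watcher with the R6 parameters and access-list 1 as the exempt range."""
    return LoginWatcher(exempt=[ipaddress.ip_network("192.10.4.0/24")])


def run_page_scenario() -> dict:
    """Replay the Task 5.4 verification: three bad logins from 150.4.6.6 (constructed
    timestamps 0, 5, 10 s), then connections from the blocked and the exempt source."""
    w = r6_watcher()
    for t in (0, 5, 10):
        w.failed_login("150.4.6.6", "c", now=t)
    return {
        "quiet": w.in_quiet_mode(11),
        "refused_150": not w.accept_connection("150.4.6.6", now=11),
        "allowed_192": w.accept_connection("192.10.4.6", now=11),
        "seconds_left_at_127": w.quiet_seconds_left(127),   # 610 - 127 = 483, as in 'show login'
        "open_again": w.accept_connection("150.4.6.6", now=611),
    }


if __name__ == "__main__":
    for key, value in run_page_scenario().items():
        print(f"{key}: {value}")
```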

Task 5.5 Solution


Configure the IP source tracking feature to trace the attack back to its source.

R3:
!
! Configure and limit the number of tracked addresses to 100
!
ip source-track 162.1.55.100
ip source-track address-limit 100

R4:
!
! Configure and limit the number of tracked addresses to 100
!
ip source-track 162.1.55.100
ip source-track address-limit 100

R5:
!
! Configure and limit the number of tracked addresses to 100
!
ip source-track 162.1.55.100
ip source-track address-limit 100

Task 5.5 Verification

Note

Assign the TestPC to VLAN55 for verification purposes.

Rack4R5#ping 162.1.55.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.55.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Rack4R4#ping 162.1.55.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.55.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/115/116 ms


Rack4R3#ping 162.1.55.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.55.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

Rack4R5#show ip source-track 162.1.55.100
Address         SrcIF        Bytes   Pkts   Bytes/s   Pkts/s
162.1.55.100    Se0/0.2345   1500    15     14        0

Task 6.1 Solution


The task points toward the use of virtual sensors in order to split policy
configuration. Additionally, we need to set up static NAT entries in ASA1/ASA2 to
manage the IPS sensor.

!
! Perform basic sensor initialization
!
ips# setup

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
network-settings
host-ip 1.1.1.1/24,1.1.1.254
host-name ips
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit


service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

Setup Configuration last modified: Mon

Continue with configuration dialog?[yes]: yes


Enter host name[ips]: Rack4IPS
Enter IP interface[1.1.1.1/24,1.1.1.254]: 192.10.4.10/24,192.10.4.13
Enter telnet-server status[disabled]:
Enter web-server port[443]: 80
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 192.10.4.0/24
Permit: 162.1.38.100/32
Permit:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 192.10.4.10/24,192.10.4.13
host-name Rack4IPS
telnet-option disabled
access-list 162.1.38.100/32
access-list 192.10.4.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 80
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit


[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]: 2
Configuration Saved.
*03:12:34 UTC Tue Jul 21 2009
Modify system date and time?[no]: no

!
! Disable the HTTPS service
!
ips# conf t
ips(config)# service web-server
ips(config-web)# enable-tls false
ips(config-web)# exit
Apply Changes?[yes]: yes
ips(config)#

!
! Configure VLAN groups
!
ips# conf t
ips(config)# service interface
ips(config-int)# physical-interface gigabitethernet0/0
ips(config-int-phy)# admin-state enabled
ips(config-int-phy)# subinterface-type vlan-group
ips(config-int-phy-vla)# subinterface 1
ips(config-int-phy-vla-sub)# vlans range 666
ips(config-int-phy-vla-sub)# exit
ips(config-int-phy-vla)# subinterface 2
ips(config-int-phy-vla-sub)# vlans range 113
ips(config-int-phy-vla-sub)# exit
ips(config-int-phy-vla)# exit
ips(config-int-phy)# exit
ips(config-int)# exit
Apply Changes?[yes]: yes

!
! Configure virtual-sensors and map VLAN groups
!
ips(config)# service analysis-engine
ips(config-ana)# virtual-sensor vs0
ips(config-ana-vir)# physical-interface gigabitEthernet0/0
subinterface-number 1
ips(config-ana-vir)# exit
ips(config-ana)# virtual-sensor vs1
ips(config-ana-vir)# physical-interface gigabitEthernet0/0
subinterface-number 2
ips(config-ana-vir)# exit
ips(config-ana)# exit
Apply Changes?[yes]: yes


SW1:
!
! Since the sensing interface is on SW2, we need an RSPAN session
!
vlan 666
remote-span
monitor session 1 source vlan 100 rx
monitor session 1 destination remote vlan 666 reflector-port Gi0/1

SW2:
!
! Use the local VLAN SPAN session in SW2 to direct traffic for
! both VLANs to the sensor
!
monitor session 1 source vlan 113 , 666 rx
monitor session 1 destination interface fastEthernet 0/10 encapsulation
dot1q

ASA1:
static (outside,inside) tcp 162.1.38.10 80 162.1.113.10 80

ASA2:
!
!
static (inside,outside) tcp 162.1.113.10 80 192.10.4.10 80
access-list OUTSIDE_IN extended permit tcp host 162.1.38.100 host
162.1.113.10 eq 80

Task 6.1 Verification


ips(config)# service analysis-engine
ips(config-ana)# show settings
global-parameters
-----------------------------------------------
ip-logging
-----------------------------------------------
max-open-iplog-files: 20 <defaulted>
-----------------------------------------------
-----------------------------------------------
virtual-sensor (min: 1, max: 255, current: 2)
-----------------------------------------------
<protected entry>
name: vs0
-----------------------------------------------
description: default virtual sensor <defaulted>
signature-definition: sig0 <protected>
event-action-rules: rules0 <protected>
anomaly-detection
-----------------------------------------------
anomaly-detection-name: ad0 <protected>
operational-mode: detect <defaulted>
-----------------------------------------------
physical-interface (min: 0, max: 999999999, current: 1)
-----------------------------------------------
name: GigabitEthernet0/0
subinterface-number: 1 default: 0
-----------------------------------------------


-----------------------------------------------
logical-interface (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
inline-TCP-session-tracking-mode: virtual-sensor <defaulted>
-----------------------------------------------
name: vs1
-----------------------------------------------
description: <defaulted>
signature-definition: sig0 <defaulted>
event-action-rules: rules0 <defaulted>
anomaly-detection
-----------------------------------------------
anomaly-detection-name: ad0 <defaulted>
operational-mode: detect <defaulted>
-----------------------------------------------
physical-interface (min: 0, max: 999999999, current: 1)
-----------------------------------------------
name: GigabitEthernet0/0
subinterface-number: 2 default: 0
-----------------------------------------------
-----------------------------------------------
logical-interface (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
inline-TCP-session-tracking-mode: virtual-sensor <defaulted>
-----------------------------------------------
-----------------------------------------------

ips(config)# service interface
ips(config-int)# show settings
physical-interfaces (min: 0, max: 999999999, current: 2)
-----------------------------------------------
<protected entry>
name: GigabitEthernet0/0
-----------------------------------------------
media-type: tx <protected>
description: <defaulted>
admin-state: enabled default: disabled
duplex: auto <defaulted>
speed: auto <defaulted>
default-vlan: 0 <defaulted>
alt-tcp-reset-interface
-----------------------------------------------
none
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
subinterface-type
-----------------------------------------------
vlan-group
-----------------------------------------------
subinterface (min: 1, max: 255, current: 2)
-----------------------------------------------
subinterface-number: 1
-----------------------------------------------


description: <defaulted>
vlans
-----------------------------------------------
range: 666
-----------------------------------------------
-----------------------------------------------
subinterface-number: 2
-----------------------------------------------
description: <defaulted>
vlans
-----------------------------------------------
range: 113
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
<protected entry>
name: GigabitEthernet0/1 <defaulted>
-----------------------------------------------
media-type: tx <protected>
description: <defaulted>
admin-state: disabled <protected>
duplex: auto <defaulted>
speed: auto <defaulted>
default-vlan: 0 <protected>
alt-tcp-reset-interface
-----------------------------------------------
none
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
subinterface-type
-----------------------------------------------
none
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
command-control: GigabitEthernet0/1 <protected>
inline-interfaces (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
bypass-mode: auto <defaulted>
interface-notifications
-----------------------------------------------
missed-percentage-threshold: 0 percent <defaulted>
notification-interval: 30 seconds <defaulted>
idle-interface-delay: 30 seconds <defaulted>
-----------------------------------------------


Make sure you can access the IPS sensor via HTTP and start the IDM:


You may want to enable the IPS Signature 2004 in order to test if the IPS
actually receives the mirrored traffic.

Rack4ASA2# ping 162.1.113.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.113.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA2# ping 192.10.4.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.4.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Rack4ASA2#


Task 6.2 Solution


!
! Tune the existing signature in the new sig1 signature set.
!
Rack4IPS# conf t
Rack4IPS(config)# service signature-definition sig1
Rack4IPS(config-sig)# signatures 2150 0
Rack4IPS(config-sig-sig)# engine atomic-ip
Rack4IPS(config-sig-sig-ato)# event-action log-victim-packets
Rack4IPS(config-sig-sig-ato)# event-action request-block-host
Rack4IPS(config-sig-sig-ato)# exit
Rack4IPS(config-sig-sig)# status
Rack4IPS(config-sig-sig-sta)# enabled true
Rack4IPS(config-sig-sig-sta)# exit
Rack4IPS(config-sig-sig)# exit
Rack4IPS(config-sig)# exit
Apply Changes?[yes]: yes

!
! Assign the new set to vs1
!
Rack4IPS# conf t
Rack4IPS(config)# service analysis-engine
Rack4IPS(config-ana)# virtual-sensor vs1
Rack4IPS(config-ana-vir)# signature-definition sig1
Rack4IPS(config-ana-vir)# exit
Rack4IPS(config-ana)# exit
Apply Changes?[yes]: yes

!
! Configure the access-profile for the ASA and add it as a blocking
! device
!
Rack4IPS# conf t
Rack4IPS(config)# service network-access
Rack4IPS(config-net)# user-profiles ASA2
Rack4IPS(config-net-use)# password
Enter password[]: cisco
Re-enter password: cisco
Rack4IPS(config-net-use)# exit
Rack4IPS(config-net)# firewall-devices 192.10.4.13
Rack4IPS(config-net-fir)# communication ssh-3des
Rack4IPS(config-net-fir)# nat-address 162.1.113.10
Rack4IPS(config-net-fir)# profile-name ASA2
Rack4IPS(config-net-fir)# exit
Rack4IPS(config-net)#exit
Apply Changes?[yes]: yes


Configure ASA2 to allow ssh connections coming from the IPS management
interface. Add ASA2’s SSH public key to the IPS known hosts database.

ASA2:

!
! Allow ssh connections coming from IPS
!
ssh 192.10.4.10 255.255.255.255 inside


Task 6.2 Verification


For verification generate large ICMP packets off ASA2 across both inside and
outside interfaces and confirm that only the outside attackers are shunned.

Rack4ASA2# ping 162.1.113.1 size 2000

Type escape sequence to abort.
Sending 5, 2000-byte ICMP Echos to 162.1.113.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Rack4ASA2# show shun
shun (outside) 162.1.113.1 0.0.0.0 0 0 0
Rack4ASA2# ping 192.10.4.6 size 2000
Type escape sequence to abort.
Sending 5, 2000-byte ICMP Echos to 192.10.4.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Rack4ASA2# show shun
shun (outside) 162.1.113.1 0.0.0.0 0 0 0

Rack4ASA2# show ssh sess

SID  Client IP     Version  Mode  Encryption  Hmac  State           Username
0    192.10.4.10   1.5      -     3DES        -     SessionStarted  pix

Task 6.3 Solution


We need to create a “String TCP” signature and match on the message that IOS
routers return when a failed authentication takes place. The message is “% Login
invalid”. Make sure to create the signature in sig0, the signature definition for the
VS corresponding to the inside of ASA2. Change the default block duration to 15
minutes.

!
! Configure the signature to match packets coming “from the service”.
! Specify the event-count to be 4 in interval 60 for the signature to
! fire
!
Rack4IPS(config)# service signature-definition sig0
Rack4IPS(config-sig)# signatures 60001 0
Rack4IPS(config-sig-sig)# engine string-tcp
Rack4IPS(config-sig-sig-str)# event-action request-block-host
Rack4IPS(config-sig-sig-str)# service-ports 23
Rack4IPS(config-sig-sig-str)# direction from-service
Rack4IPS(config-sig-sig-str)# regex-string ..Login.invalid
Rack4IPS(config-sig-sig-str)# exit
Rack4IPS(config-sig-sig)# event-counter

Rack4IPS(config-sig-sig-eve)# event-count 4
Rack4IPS(config-sig-sig-eve)# specify-alert-interval yes
Rack4IPS(config-sig-sig-eve-yes)# alert-interval 60
Rack4IPS(config-sig-sig-eve-yes)# exit
Rack4IPS(config-sig-sig-eve)# exit
Rack4IPS(config-sig-sig)# exit
Rack4IPS(config-sig)# exit
Apply Changes?[yes]: yes

IDM: Set the block duration
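The detection logic of signature 60001, as an added Python model that is not part of the workbook: it applies the page's regex to constructed server-to-client telnet replies, counts failures per client with the 4-in-60-seconds event counter, and records a 15-minute block for the offending host. The sliding-window approximation of the sensor's event counter, the class and function names and the sample traffic are assumptions for illustration.

```python
"""Added model of IPS signature 60001 (string-tcp, from-service): not the
workbook's code. Counts '% Login invalid' replies per telnet client and
records a block request once 4 are seen within 60 seconds."""
import re
from collections import defaultdict, deque

# regex-string from the page's signature; '.' stands in for '%' and ' '.
LOGIN_INVALID = re.compile(rb"..Login.invalid")
SERVICE_PORT = 23          # service-ports 23
EVENT_COUNT = 4            # event-count 4
ALERT_INTERVAL = 60        # alert-interval 60 (seconds)
BLOCK_DURATION = 15 * 60   # block duration set to 15 minutes in IDM


class LoginFailureSensor:
    """Per-client failure counter with a sliding window (an approximation of
    the sensor's event counter, assumed here for illustration)."""

    def __init__(self):
        self._hits = defaultdict(deque)  # client ip -> failure timestamps
        self.blocks = {}                 # client ip -> block expiry time

    def inspect(self, ts, src, sport, dst, dport, payload):
        """Feed one TCP segment; return the host to block when the signature
        fires, otherwise None."""
        # direction from-service: only segments *sent by* the telnet service
        # (source port 23) are examined, so the string typed by a client in
        # its own keystrokes never counts.
        if sport != SERVICE_PORT or not LOGIN_INVALID.search(payload):
            return None
        # The offender is the client the server is answering (dst), not src.
        window = self._hits[dst]
        window.append(ts)
        while window and ts - window[0] > ALERT_INTERVAL:
            window.popleft()
        if len(window) >= EVENT_COUNT:
            window.clear()
            self.blocks[dst] = ts + BLOCK_DURATION  # request-block-host
            return dst
        return None

    def is_blocked(self, host, now):
        """True while a block for host is still within its 15-minute life."""
        expiry = self.blocks.get(host)
        return expiry is not None and now < expiry


def run_demo():
    """Constructed traffic: BB2 (192.10.4.254) fails to log in to R6
    (192.10.4.6) four times in 30 seconds; a second client fails only every
    30 seconds and never trips the counter."""
    reply = b"\r\n% Login invalid\r\n"
    sensor = LoginFailureSensor()
    fired = [sensor.inspect(t, "192.10.4.6", 23, "192.10.4.254", 40000 + t, reply)
             for t in (0, 10, 20, 30)]
    slow = [sensor.inspect(t, "192.10.4.6", 23, "192.10.4.1", 50000, reply)
            for t in (100, 130, 160, 190)]
    # Client -> server text containing the string is ignored (from-service).
    ignored = sensor.inspect(200, "192.10.4.1", 50001, "192.10.4.6", 23, reply)
    return {
        "fired": fired,                       # [None, None, None, '192.10.4.254']
        "slow": slow,                         # [None, None, None, None]
        "ignored": ignored,                   # None
        "blocked_at_600": sensor.is_blocked("192.10.4.254", 600),    # True
        "blocked_at_1000": sensor.is_blocked("192.10.4.254", 1000),  # False
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```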


Task 6.3 Verification


For verification we’ll telnet from R6 to BB1 and then telnet back to R6 using a
wrong username/password combination 4 times in 60 seconds. Then we’ll look
for the “shun” installed in ASA2 and check the blocked hosts in the IPS.

Rack4R6#telnet 192.10.4.254
Trying 192.10.4.254 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB2. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.internetworkexpert.com/downloads/bb2.txt |
| |
+-----------------------------------------------------------------------+

SC.9.9.BB2>telnet 192.10.4.6
Trying 192.10.4.6 ... Open

User Access Verification

Username: c
Password:
% Login invalid
SC.9.9.BB2>telnet 192.10.4.6
Trying 192.10.4.6 ... Open

User Access Verification

Username: c
Password:
% Login invalid
SC.9.9.BB2>telnet 192.10.4.6
Trying 192.10.4.6 ... Open

User Access Verification

Username: c
Password:
% Login invalid
SC.9.9.BB2>telnet 192.10.4.6
Trying 192.10.4.6 ... Open

User Access Verification

Username: c
Password:
% Login invalid

Rack4ASA2# show shun
shun (inside) 192.10.4.254 0.0.0.0 0 0 0

Rack4ASA2# show ssh sess

SID  Client IP     Version  Mode  Encryption  Hmac  State           Username
0    192.10.4.10   1.5      -     3DES        -     SessionStarted  pix

IDM:

List currently blocked hosts:


Task 6.4 Solution


The anomaly detection feature should be enabled only for the sensor monitoring
the inside interface of the ASA. We need to create an additional anomaly
detection policy called ad1 and assign it to vs1 virtual sensor. Then anomaly
detection tuning for this task will be done on ad0, which is by default assigned to
vs0.

IDM:

Step 1:

Navigate to Anomaly Detection, click the Add button and assign the
name ad1 to the new policy.


Step 2:

Navigate to Virtual Sensors, select Edit and then select vs1. Assign the
ad1 policy to vs1.


Configure the AD zones next. Select ad0 and configure the Internal Zone with
the 192.10.4.0/24 subnet; then go to the TCP protocol and modify the threshold for
port 3389. After that, modify the histogram thresholds for UDP port 135.


Add RFC 1918 addresses range to the “Illegal” zone.


We are told to configure the Ethernet segments on the outside of the firewall as
external subnets. By default, all subnets not assigned to the Internal or Illegal
zone are included in the External zone. Thus, in order to remove the AAA server’s
VLAN from the External zone, we add it to the Internal zone.


Task 6.5 Solution


R6:
!
! Specify the IPS signature location.
!
ip ips config location flash:ips

!
! Enable IOS basic set of signatures
!
ip ips signature-category
category ios_ips basic
retired false
category all
retired true

!
! Disable signature 3106
!
ip ips signature-definition
signature 3106 0
status
retired true

!
! Tune ICMP echo and ICMP echo-reply signatures to produce high
! security alerts
!
ip ips signature-definition
signature 2000 0
alert-severity high
signature 2004 0
alert-severity high

!
! Enable SDEE events reporting
!
ip ips notify SDEE

!
! Set TVR to maximum for subnet 192.10.4.0/24
!
ip ips event-action-rules
target-value high target-address 192.10.4.0/24

!
! Inspect packets only for subnet 162.1.0.0/16. Apply inspection
! inbound on connection to BB1
!
ip access-list standard IPS
permit 162.1.0.0 0.0.255.255
ip ips name IPS list IPS
interface Serial0/0/0
ip ips IPS in


Task 6.5 Verification


Rack4R6#show ip ips configuration

IPS Signature File Configuration Status
Configured Config Locations: flash:ips/
Last signature default load time: 23:09:33 UTC Jul 21 2009
Last signature delta load time: 02:05:27 UTC Jul 22 2009
Last event action (SEAP) load time: 02:08:32 UTC Jul 22 2009

General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled

IPS Signature Status
Total Active Signatures: 2
Total Inactive Signatures: 1

IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name IPS
acl list IPS
IPS fail closed is disabled
IPS deny-action ips-interface is false
Interface Configuration
Interface Serial0/0/0
Inbound IPS rule is IPS
acl list IPS
Outgoing IPS rule is not set

IPS Category CLI Configuration:
Category ios_ips basic:
Retire: False
Category all:
Retire: True


Task 7.1 Solution


Configuration change logging is useful for auditing purposes. Make sure to
permit syslog traffic through ASA1.

ASA1:

!
! Allow syslog traffic originated from R4 Loopback through ASA1
!
access-list OUTSIDE_IN extended permit udp host 150.4.4.4 host
162.1.38.100 eq syslog

R4:
!
! Enable configuration change logging.
!
archive
log config
logging enable
logging size 1000
notify syslog contenttype plaintext
hidekeys

!
! Configuration changes are forwarded to syslog as well. Configure the
! source to be Loopback0, as it already has a static NAT on ASA1
!
logging source-interface Loopback0
logging 162.1.38.100


Task 7.1 Verification


Rack4R4#show archive log config all
idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | hidekeys
3 1 console@console | hidekeys
4 1 console@console | exit
5 1 console@console | exit
6 1 console@console |archive
7 1 console@console | log config
8 1 console@console | exit
9 1 console@console | log config
10 1 console@console | notify syslog
11 1 console@console | logging enable
12 1 console@console | logging size 1000
13 1 console@console | exit
14 1 console@console | exit
15 2 console@console |logging source-interface Loopback0
16 3 console@console |logging host 162.1.38.100
17 4 console@console |archive
18 4 console@console | log config
19 4 console@console | notify syslog contenttype plaintext
20 5 console@console |interface loopback 10
21 5 console@console | exit
22 5 console@console |no interface Loopback10
idx sess user@line Logged command


Rack4R4#configure terminal
Rack4R4(config)#interface loopback 10
Rack4R4(config-if)#ip ospf authentication
Rack4R4(config-if)#ip ospf authentication-key cisco
Rack4R4(config)#no interface loopback 10

Rack4R4#show archive log config all

idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | hidekeys
3 1 console@console | hidekeys
4 1 console@console | exit
5 1 console@console | exit
6 1 console@console |archive
7 1 console@console | log config
8 1 console@console | exit
9 1 console@console | log config
10 1 console@console | notify syslog
11 1 console@console | logging enable
12 1 console@console | logging size 1000
13 1 console@console | exit
14 1 console@console | exit
15 2 console@console |logging source-interface Loopback0
16 3 console@console |logging host 162.1.38.100
17 4 console@console |archive
18 4 console@console | log config
19 4 console@console | notify syslog contenttype plaintext
20 5 console@console |interface loopback 10
21 5 console@console | exit
22 5 console@console |no interface Loopback10
idx sess user@line Logged command
23 6 console@console |interface Loopback10
24 6 console@console | ip ospf authentication
25 6 console@console | ip ospf authentication-key *****


Rack4ASA1# show conn port 514

4 in use, 5 most used
UDP outside 150.4.4.4:55462 inside 10.0.0.100:514, idle 0:00:28, bytes 1348, flags -

Task 7.2 Solution


The only way to disable ARP is to filter it on the switch using a VACL. This
configuration forces the use of static ARP mappings on R2 for SW1 and on SW1
for R3.

R2:
!
! Configure static ARP for SW1 VLAN27 IP address
!
arp 10.7.7.1 0012.0183.5900 ARPA

SW1:
!
! Configure static ARP for R2 FastEthernet0/0 IP address
!
arp 10.7.7.2 0013.c440.3980 ARPA

!
! Match ARP traffic in a MAC ACL
!
mac access-list extended ARP
permit any any 0x806 0x0

!
! Configure VLAN access-map to filter ARP packets and forward all other
! traffic
!
vlan access-map VLAN27_FILTER 10
action drop
match mac address ARP
vlan access-map VLAN27_FILTER 20
action forward

!
! Apply the filter on VLAN 27
!
vlan filter VLAN27_FILTER vlan-list 27


Task 7.2 Verification


For testing purposes, we may change the IP address on either SW1 or R2 and
confirm that L3-to-L2 resolution fails.

Rack4SW1#clear arp-cache
Rack4SW1#show arp | i 10.7.7.1
Internet 10.7.7.1 - 0012.0183.5900 ARPA Vlan27

Rack4SW1#ping 10.7.7.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.7.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Rack4SW1#ping 162.1.38.12

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.1.38.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Rack4SW1#conf t
Rack4SW1(config)#interface vlan 27
Rack4SW1(config-if)#ip address 10.7.7.3 255.255.255.0

Rack4SW1#ping 10.7.7.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.7.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Rack4R2#show arp | i 10.7.7.3
Internet 10.7.7.3 0 Incomplete ARPA


Task 7.3 Solution


Since outbound filtering on R1 is not an option, we stick with the VACL configuration
on SW2.

SW2:
!
! Match ICMP echo destined to ASA2 in an ACL
!
ip access-list extended ICMP_ECHO
permit icmp any host 162.1.113.13 echo

!
! Configure the access-map and drop required traffic while allowing the
! rest
!
vlan access-map ICMP_ECHO_VLAN113 10
action drop
match ip address ICMP_ECHO
vlan access-map ICMP_ECHO_VLAN113 20
action forward

!
! Apply the VACL on VLAN 113
!
vlan filter ICMP_ECHO_VLAN113 vlan-list 113

Task 7.3 Verification


For verification, we can remove the filter and verify that R1 can ping ASA1
afterwards.

Rack4R1#ping 162.1.113.13 re 3

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 162.1.113.13, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)

Rack4SW2#conf t
Rack4SW2(config)#no vlan filter ICMP_ECHO_VLAN113 vlan-list 113

Rack4R1#ping 162.1.113.13 re 3

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 162.1.113.13, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 1/3/4 ms


Task 7.4 Solution


Make sure you applied the access-class to all VTY lines in the router!

R1:
!
! Create the ACL to filter telnet and allow other management protocols
!
ip access-list extended DENY_TELNET
deny tcp any any eq telnet
permit ip any any

!
! Apply the filter on console and all VTY lines
!

line con 0
access-class DENY_TELNET out
!
line vty 0 181
access-class DENY_TELNET out

Task 7.4 Verification


Rack4R1#telnet 150.4.4.4
Trying 150.4.4.4 ...
% Connections to that host not permitted from this terminal
Rack4R1#show ip access-lists
Extended IP access list DENY_TELNET
10 deny tcp any any eq telnet (1 match)
20 permit ip any any

Rack4R1#ssh -l ADMIN 150.4.4.4

[Connection to 150.4.4.4 closed by foreign host]

Rack4R1#show ip access-lists
Extended IP access list DENY_TELNET
10 deny tcp any any eq telnet (1 match)
20 permit ip any any (1 match)

Rack4R4#telnet 150.4.1.1
Trying 150.4.1.1 ... Open

User Access Verification

Username: ADMIN
Password:

Rack4R1>en
Password:
Rack4R1#telnet 150.4.4.4

Trying 150.4.4.4 ...
% Connections to that host not permitted from this terminal

Rack4R1#show ip access-lists
Extended IP access list DENY_TELNET
10 deny tcp any any eq telnet (2 matches)
20 permit ip any any (1 match)

Rack4R1#ssh -l ADMIN 150.4.4.4

[Connection to 150.4.4.4 closed by foreign host]

Rack4R1#show ip access-lists
Extended IP access list DENY_TELNET
10 deny tcp any any eq telnet (2 matches)
20 permit ip any any (2 matches)

Task 8.1 Solution


R6:
!
! Load protocol headers
!
load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/icmp.phdf
load protocol system:fpm/phdf/tcp.phdf
load protocol system:fpm/phdf/udp.phdf
load protocol system:fpm/phdf/ether.phdf

!
! Configure the protocol stack for IP-in-IP
!
class-map type stack match-all IP_IN_IP
stack-start l2-start
match field ETHER type eq 0x800 next IP
match field layer 2 IP protocol eq 4 next IP
match field layer 3 IP protocol eq 6 next TCP

!
! Define the traffic filter. Match on FIN and SYN bits, port 80 and the
! specified string
!
class-map type access-control match-all FILTER
match field TCP dest-port eq 80
match start TCP payload-start offset 0 size 64 regex ".*[pP] [rR] [oO]
[bB] [eE].*"
match field tcp control-bits eq 2 mask 0x3D
match field tcp control-bits eq 1 mask 0x3D
!
policy-map type access-control FILTER_TCP
class FILTER
drop


policy-map type access-control FILTER_TCP_IPIP


class IP_IN_IP
service-policy FILTER_TCP

!
! Apply the policy on both R6 interfaces
!
interface FastEthernet0/0
service-policy type access-control input FILTER_TCP_IPIP
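As an added example that is not part of the workbook, the following Python code models what the FILTER_TCP_IPIP policy inspects: it walks a constructed Ethernet/IP/IP/TCP frame the way the IP_IN_IP stack class does and then applies the destination-port, 64-byte payload regex and flag checks of class FILTER to the inner TCP segment. It assumes the regex is meant to match the word "probe" in any letter case and that "match on FIN and SYN bits" means both flags must be set; all addresses, MAC values and payloads are constructed.

```python
"""Added model of the FILTER_TCP_IPIP policy on R6: not the workbook's code.
Walks Ethernet / outer IP / inner IP / TCP like the IP_IN_IP stack class and
then applies the FILTER class checks to the inner TCP segment."""
import re
import socket
import struct

ETHERTYPE_IP = 0x0800   # match field ETHER type eq 0x800
IPPROTO_IPIP = 4        # match field layer 2 IP protocol eq 4
IPPROTO_TCP = 6         # match field layer 3 IP protocol eq 6
TCP_FIN, TCP_SYN = 0x01, 0x02
HTTP_PORT = 80          # match field TCP dest-port eq 80
REGEX_WINDOW = 64       # payload-start offset 0 size 64
# Assumption: the page's regex is meant as the word "probe" in any case.
PROBE_RE = re.compile(rb"[pP][rR][oO][bB][eE]")


def parse_ipip_tcp(frame):
    """Return (tcp_flags, dport, payload) if the frame is Ethernet -> IPv4
    (protocol 4) -> IPv4 (protocol 6) -> TCP, else None (the stack class
    does not match and the frame falls into class-default)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return None
    off = 14
    for expected in (IPPROTO_IPIP, IPPROTO_TCP):   # outer, then inner header
        if len(frame) < off + 20 or frame[off + 9] != expected:
            return None
        off += (frame[off] & 0x0F) * 4              # IHL in 32-bit words
    if len(frame) < off + 20:
        return None
    _sport, dport = struct.unpack("!HH", frame[off:off + 4])
    data_off = (frame[off + 12] >> 4) * 4
    flags = frame[off + 13]
    return flags, dport, frame[off + data_off:]


def filter_decision(frame):
    """'drop' when every match-all condition of class FILTER holds."""
    parsed = parse_ipip_tcp(frame)
    if parsed is None:
        return "forward"
    flags, dport, payload = parsed
    if dport != HTTP_PORT:
        return "forward"
    if not PROBE_RE.search(payload[:REGEX_WINDOW]):   # only the first 64 bytes
        return "forward"
    # Assumption: "match on FIN and SYN bits" means both flags must be set.
    if flags & (TCP_SYN | TCP_FIN) != (TCP_SYN | TCP_FIN):
        return "forward"
    return "drop"


def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_frame(dport, flags, payload, tunneled=True):
    """Constructed test frame; all addresses are made up."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags,
                      8192, 0, 0) + payload
    pkt = ipv4_header(IPPROTO_TCP, "10.0.0.1", "162.1.6.6", len(tcp)) + tcp
    if tunneled:   # wrap in an outer IP-in-IP header (protocol 4)
        pkt = ipv4_header(IPPROTO_IPIP, "192.0.2.1", "192.0.2.2", len(pkt)) + pkt
    return bytes(12) + struct.pack("!H", ETHERTYPE_IP) + pkt   # zero MACs


def run_demo():
    """Show which constructed frames the policy drops and which pass."""
    probe = b"GET /PROBE HTTP/1.0\r\n"
    both = TCP_SYN | TCP_FIN
    return {
        "tunneled_probe": filter_decision(build_frame(80, both, probe)),          # drop
        "plain_tcp_probe": filter_decision(build_frame(80, both, probe, False)),  # forward
        "syn_only": filter_decision(build_frame(80, TCP_SYN, probe)),            # forward
        "port_443": filter_decision(build_frame(443, both, probe)),              # forward
        "probe_past_64": filter_decision(build_frame(80, both, b"X" * 70 + b"probe")),  # forward
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that plain (untunneled) TCP with the same payload passes untouched: the stack class only matches IP-in-IP, so this policy inspects nothing else.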


Task 8.1 Verification


Rack4R6#show policy-map type access-control interface fastEthernet 0/0
FastEthernet0/0

Service-policy access-control input: FILTER_TCP_IPIP

Class-map: IP_IN_IP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps
Match: field ETHER type eq 0x800 next IP
Match: field layer 2 IP protocol eq 4 next IP
Match: field layer 3 IP protocol eq 6 next TCP

Service-policy access-control : FILTER_TCP

Class-map: FILTER (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps
Match: field TCP dest-port eq 80
Match: start TCP payload-start offset 0 size 64 regex ".*[pP]
[rR] [oO] [bB] [eE].*"
Match: field TCP control-bits eq 2 mask 0x3D
Match: field TCP control-bits eq 1 mask 0x3D
drop

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

CCIE Security Lab Workbook Vol II Solutions Guide for CCIEv3.0 Lab 6

IEWB-SC-VOL2 Lab 6 Solutions


Task 1.1 Solution
ASA1:
!
hostname Rack4ASA
!
! Configure interfaces with appropriate IP addresses, nameifs and
! security-levels
!
interface Ethernet0/0
no shut
nameif outside
security-level 0
ip address 141.1.100.12 255.255.255.0 standby 141.1.100.13
!
interface Ethernet0/1
no shut
nameif inside
security-level 100
ip address 141.1.255.12 255.255.255.0 standby 141.1.255.13

Task 1.1 Verification


Verify basic connectivity between the firewall and R2, R5, SW2. Additionally,
verify that IP addresses, nameifs and security-levels are correct.

Rack4ASA(config)# ping 141.1.255.8


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.1.255.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA(config)# ping 141.1.100.2


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA# ping 141.1.100.5


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA# show nameif


Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 inside 100

Rack4ASA# show ip address

System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                141.1.100.12    255.255.255.0   manual
Ethernet0/1              inside                 141.1.255.12    255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                141.1.100.12    255.255.255.0   manual
Ethernet0/1              inside                 141.1.255.12    255.255.255.0   manual

Task 1.2 Solution

ASA1:
!
static (inside,outside) tcp 141.1.100.10 https 141.1.255.10 777 netmask 255.255.255.255
static (inside,outside) 141.1.100.8 141.1.255.8 netmask 255.255.255.255

Task 1.2 Verification


Rack4ASA# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from inside:141.1.255.10/777 to outside:141.1.100.10/443 flags sr
NAT from inside:141.1.255.8 to outside:141.1.100.8 flags s


Task 1.3 Solution


The last requirement means that stateful failover needs to replicate a state which
is not replicated by default. This points to HTTP session replication.

ASA1:
!
interface Ethernet0/2
no shut
!
! Configure ASA1 as the primary failover device
!
failover lan unit primary
failover lan interface failover Ethernet0/2
failover key CISCO
failover replication http
failover link failover Ethernet0/2
failover interface ip failover 10.10.10.12 255.255.255.0 standby 10.10.10.13
failover

ASA2:
!
interface ethernet 0/2
no shut
!
! Configure ASA2 as the secondary failover device
!
failover lan unit secondary
failover lan interface failover Ethernet0/2
failover key CISCO
failover replication http
failover link failover Ethernet0/2
failover interface ip failover 10.10.10.12 255.255.255.0 standby 10.10.10.13
failover


Task 1.3 Verification


Verify that ASA1 is the active device and ASA2 is standby. Also check that HTTP
session replication is on and that standby IP addresses are properly assigned.

ASA1:
Rack4ASA# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 19:16:06 UTC Sep 3 2009
This host: Primary - Active
Active time: 3060 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(4)) status (Up Sys)
Interface outside (141.1.100.12): Normal
Interface inside (141.1.255.12): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (141.1.100.13): Normal
Interface inside (141.1.255.13): Normal
slot 1: empty

Stateful Failover Logical Update Statistics


Link : failover Ethernet0/2 (up)
Stateful Obj xmit xerr rcv rerr
General 354 0 352 0
sys cmd 354 0 352 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information


Cur Max Total
Recv Q: 0 11 391
Xmit Q: 0 28 3093


Rack4ASA# show ip address

System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                141.1.100.12    255.255.255.0   manual
Ethernet0/1              inside                 141.1.255.12    255.255.255.0   manual
Ethernet0/2              failover               10.10.10.12     255.255.255.0   unset
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                141.1.100.12    255.255.255.0   manual
Ethernet0/1              inside                 141.1.255.12    255.255.255.0   manual
Ethernet0/2              failover               10.10.10.12     255.255.255.0   unset

ASA2:

Rack4ASA# show failover


Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 23:05:13 UTC Jan 22 2003
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (141.1.100.13): Normal
Interface inside (141.1.255.13): Normal
slot 1: empty
Other host: Primary - Active
Active time: 3467 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(4)) status (Up Sys)
Interface outside (141.1.100.12): Normal
Interface inside (141.1.255.12): Normal
slot 1: empty


Stateful Failover Logical Update Statistics


Link : failover Ethernet0/2 (up)
Stateful Obj xmit xerr rcv rerr
General 406 0 405 0
sys cmd 406 0 405 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0

Logical Update Queue Information


Cur Max Total
Recv Q: 0 8 3540
Xmit Q: 0 1 406

Rack4ASA# show ip address

System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                141.1.100.12    255.255.255.0   CONFIG
Ethernet0/1              inside                 141.1.255.12    255.255.255.0   CONFIG
Ethernet0/2              failover               10.10.10.12     255.255.255.0   unset
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                141.1.100.13    255.255.255.0   CONFIG
Ethernet0/1              inside                 141.1.255.13    255.255.255.0   CONFIG
Ethernet0/2              failover               10.10.10.13     255.255.255.0   unset

Task 1.4 Solution


ASA1:
url-server (outside) vendor websense host 10.0.0.100
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url 8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 proxy-block


Task 1.4 Verification


Rack4ASA# show url-server statistics

Global Statistics:
--------------------
URLs total/allowed/denied 0/0/0
URLs allowed by cache/server 0/0
URLs denied by cache/server 0/0
HTTPSs total/allowed/denied 0/0/0
HTTPSs allowed by cache/server 0/0
HTTPSs denied by cache/server 0/0
FTPs total/allowed/denied 0/0/0
FTPs allowed by cache/server 0/0
FTPs denied by cache/server 0/0
Requests dropped 0
Server timeouts/retries 0/0
Processed rate average 60s/300s 0/0 requests/second
Denied rate average 60s/300s 0/0 requests/second
Dropped rate average 60s/300s 0/0 requests/second

Server Statistics:
--------------------
10.0.0.100 DOWN
Vendor websense
Port 15868
Requests total/allowed/denied 0/0/0
Server timeouts/retries 0/0
Responses received 0
Response time average 60s/300s 0/0

URL Packets Sent and Received Stats:


------------------------------------
Message Sent Received
STATUS_REQUEST 697 0
LOOKUP_REQUEST 0 0
LOG_REQUEST 0 NA

Errors:
-------
RFC noncompliant GET method 0
URL buffer update failure 0

We assign the Test PC to VLAN 255 and test connectivity across the ASA with
HTTP sessions destined to ports 80 and 8080. A temporary static route is
needed for verification purposes.

R2:
ip route 141.1.255.0 255.255.255.0 141.1.100.12


We are going to perform verification using the Test PC and accessing the URL
http://141.X.100.2


Now we’ll change the port that R2’s HTTP server is listening on to 8080. This
time the ASA should block the request.

R2:
!
ip http port 8080


Rack4ASA# show url-server statistics

Global Statistics:
--------------------
URLs total/allowed/denied 0/0/0
URLs allowed by cache/server 0/0
URLs denied by cache/server 0/0
HTTPSs total/allowed/denied 0/0/0
HTTPSs allowed by cache/server 0/0
HTTPSs denied by cache/server 0/0
FTPs total/allowed/denied 0/0/0
FTPs allowed by cache/server 0/0
FTPs denied by cache/server 0/0
Requests dropped 1
Server timeouts/retries 0/0
Processed rate average 60s/300s 0/0 requests/second
Denied rate average 60s/300s 0/0 requests/second
Dropped rate average 60s/300s 0/0 requests/second

Server Statistics:
--------------------
10.0.0.100 DOWN
Vendor websense
Port 15868
Requests total/allowed/denied 0/0/0
Server timeouts/retries 0/0
Responses received 0
Response time average 60s/300s 0/0

URL Packets Sent and Received Stats:


------------------------------------
Message Sent Received
STATUS_REQUEST 4 0
LOOKUP_REQUEST 0 0
LOG_REQUEST 0 NA

Errors:
-------
RFC noncompliant GET method 0
URL buffer update failure 0

R2:
!
no ip route 141.1.255.0 255.255.255.0 141.1.100.12
ip http port 80


Task 1.5 Solution


ASA1:
!
! Enable the OSPF process and hard-code the router-id. Also enable OSPF only
! on the inside interface.
!
router ospf 1
router-id 150.4.12.12
network 141.1.255.12 255.255.255.255 area 0
!
! Enable OSPF clear-text authentication on the inside interface
!
interface Ethernet0/1
ospf authentication-key CISCO
ospf authentication

SW2:
!
! Enable OSPF clear-text authentication on the inside interface
!
interface Vlan 255
ip ospf authentication
ip ospf authentication-key CISCO


Task 1.5 Verification


Rack4ASA(config)# show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.4.8.8         1   FULL/DR         0:00:36     141.1.255.8     inside

Rack4ASA# show route inside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    141.1.255.0 255.255.255.0 is directly connected, inside
O    10.8.8.0 255.255.255.0 [110/11] via 141.1.255.8, 0:02:11, inside
O    150.4.8.8 255.255.255.255 [110/11] via 141.1.255.8, 0:02:11, inside

Rack4ASA(config)# show ospf interface inside

inside is up, line protocol is up
  Internet Address 141.1.255.12 mask 255.255.255.0, Area 0
  Process ID 1, Router ID 150.4.12.12, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 150.4.8.8, Interface address 141.1.255.8
  Backup Designated router (ID) 150.4.12.12, Interface address 141.1.255.12
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:08
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.8.8 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled


Task 1.6 Solution


ASA1:
!
! Configure a static default route pointing to the HSRP address in VLAN 100.
! Originate the default route in the OSPF domain; notice the “always” keyword
! is not necessary since the ASA has the default route.
!
route outside 0 0 141.1.100.25
router ospf 1
default-information originate
!
! Inspect ICMP so that ICMP replies are allowed back from outside to inside
!
policy-map global_policy
class inspection_default
inspect icmp


Task 1.6 Verification


Verify the default route is injected in the OSPF domain and that SW2 can ping
the HSRP address of VLAN 100.

SCRack4SW2#show ip route 0.0.0.0


Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 1, candidate default path
Tag 1, type extern 2, forward metric 1
Last update from 141.1.255.12 on Vlan255, 00:16:35 ago
Routing Descriptor Blocks:
* 141.1.255.12, from 150.4.12.12, 00:16:35 ago, via Vlan255
Route metric is 1, traffic share count is 1
Route tag 1

SCRack4SW2#ping 141.1.100.25

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 141.1.100.25, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms

Rack4ASA# show conn detail

15 in use, 16 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module
ICMP outside:141.1.100.25/0 inside:141.1.255.8/3,
    idle 0s, uptime 0s, timeout 2s, bytes 72


Task 2.1 Solution


R6:
!
! Configure the ACL to match traffic to be NAT’ed
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip 150.4.0.0 0.0.255.255 any
!
! Identify the inside (interface traffic is coming in) and outside (interface
! traffic is going out) NAT interfaces
!
interface Serial 0/0/0
ip nat outside
!
interface FastEthernet 0/0
ip nat inside
!
! Configure PAT
!
ip nat inside source list 100 interface Serial 0/0/0 overload

R1:
!
! Configure the ACL to match traffic to be NAT’ed
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip 150.4.0.0 0.0.255.255 any
!
! Identify the inside (interface traffic is coming in) and outside (interface
! traffic is going out) NAT interfaces
!
interface FastEthernet 0/0
ip nat outside
!
interface Serial 0/0.123
ip nat inside
!
! Configure PAT
!
ip nat inside source list 100 interface FastEthernet 0/0 overload


Task 2.1 Verification


First check the BGP routes learned at R1 and R6. After that, test connectivity to
the BGP-learned routes, sourcing packets from the 10.0.0.0/8 and 150.4.0.0/16
networks.

SCRack4R6#show ip route bgp


B 119.0.0.0/8 [20/0] via 54.4.1.254, 00:31:21
B 118.0.0.0/8 [20/0] via 54.4.1.254, 00:31:21
B 117.0.0.0/8 [20/0] via 54.4.1.254, 00:31:21
B 116.0.0.0/8 [20/0] via 54.4.1.254, 00:31:21
B 115.0.0.0/8 [20/0] via 54.4.1.254, 00:31:21
B 114.0.0.0/8 [20/0] via 54.4.1.254, 00:31:21
B 113.0.0.0/8 [20/0] via 54.4.1.254, 00:31:21
B 112.0.0.0/8 [20/0] via 54.4.1.254, 00:31:21
28.0.0.0/24 is subnetted, 2 subnets
B 28.119.17.0 [20/0] via 54.4.1.254, 00:31:21
B 28.119.16.0 [20/0] via 54.4.1.254, 00:31:21

SCRack4SW1#sho ip int brief | e unas

Interface              IP-Address      OK? Method Status                Protocol
Vlan7                  10.7.7.7        YES manual up                    up
Vlan37                 141.1.37.7      YES manual up                    up
Loopback0              150.4.7.7       YES manual up                    up

SCRack4SW1#ping 119.0.0.1 source vlan 7

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 119.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms

SCRack4SW1#ping 119.0.0.1 source loopback 0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 119.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 150.4.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms

SCRack4R6#show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
icmp 54.4.1.6:21       10.7.7.7:21        119.0.0.1:21       119.0.0.1:21
icmp 54.4.1.6:22       150.4.7.7:22       119.0.0.1:22       119.0.0.1:22


SCRack4R1#show ip route bgp


B 119.0.0.0/8 [20/0] via 150.4.3.3, 00:35:55
B 118.0.0.0/8 [20/0] via 150.4.3.3, 00:35:55
B 222.22.2.0/24 [20/0] via 192.10.4.254, 00:25:07
B 117.0.0.0/8 [20/0] via 150.4.3.3, 00:35:55
B 220.20.3.0/24 [20/0] via 192.10.4.254, 00:25:07
B 116.0.0.0/8 [20/0] via 150.4.3.3, 00:35:55
B 115.0.0.0/8 [20/0] via 150.4.3.3, 00:35:55
B 114.0.0.0/8 [20/0] via 150.4.3.3, 00:35:55
B 113.0.0.0/8 [20/0] via 150.4.3.3, 00:35:55
B 112.0.0.0/8 [20/0] via 150.4.3.3, 00:35:55
28.0.0.0/24 is subnetted, 2 subnets
B 28.119.17.0 [20/0] via 150.4.3.3, 00:35:55
B 28.119.16.0 [20/0] via 150.4.3.3, 00:35:55
B 205.90.31.0/24 [20/0] via 192.10.4.254, 00:25:07

SCRack4SW1#ping 222.22.2.1 source vlan 7

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 222.22.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/118/120 ms

SCRack4SW1#ping 222.22.2.1 source loopback 0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 222.22.2.1, timeout is 2 seconds:
Packet sent with a source address of 150.4.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/116/120 ms

SCRack4R1#show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
icmp 192.10.4.1:25     10.7.7.7:25        222.22.2.1:25      222.22.2.1:25
icmp 192.10.4.1:26     150.4.7.7:26       222.22.2.1:26      222.22.2.1:26


Task 2.2 Solution


We need to create a static NAT entry. Although subnet 10.7.7.0/24 is not directly
attached to R1, as long as R1 has a route to it, the translation will work.

R1:
!
ip nat inside source static 10.7.7.100 192.10.4.253

Task 2.2 Verification


SCRack4R1#show ip nat translations
--- 192.10.4.253 10.7.7.100 --- ---

SC.9.9.BB2>ping 192.10.4.253

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.10.4.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/116/120 ms

SCRack4R1#show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global
icmp 192.10.4.253:116  10.7.7.100:116     192.10.4.254:116   192.10.4.254:116
icmp 192.10.4.253:117  10.7.7.100:117     192.10.4.254:117   192.10.4.254:117
icmp 192.10.4.253:118  10.7.7.100:118     192.10.4.254:118   192.10.4.254:118
icmp 192.10.4.253:119  10.7.7.100:119     192.10.4.254:119   192.10.4.254:119
icmp 192.10.4.253:120  10.7.7.100:120     192.10.4.254:120   192.10.4.254:120
---  192.10.4.253      10.7.7.100         ---                ---


Task 2.3 Solution


R1:
!
! Enable AAA. Configure an authentication list with authentication “none” for
! the console and aux; an authentication list with the line password for VTY;
! and an authentication list with TACACS+ for our task.
!
aaa new-model
aaa authentication login FREE none
aaa authentication login VTY line
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
!
! Configure the TACACS+ server and source packets from Loopback0, the most
! reliable interface of the router.
!
tacacs-server host 10.0.0.100 key cisco
ip tacacs source-interface Loopback0
!
! Enable the HTTP server and configure AAA authentication for it. Allow a
! maximum of 3 login attempts.
!
ip http server
ip http authentication aaa
ip auth-proxy max-login-attempts 3
!
! Configure an ACL to deny ICMP packets to 192.10.4.253 and allow everything
! else.
!
ip access-list extended INGRESS-FASTETHERNET0/0
deny icmp any host 192.10.4.253
permit ip any any
!
! Configure and apply the ACL to trigger the auth-proxy feature.
!
ip access-list extended TO_SERVER
permit tcp any host 192.10.4.253 eq 80
ip auth-proxy name AUTH http list TO_SERVER
!
! Apply authentication lists to AUX, VTY and console
!
line con 0
login authentication FREE
line aux 0
login authentication FREE
line vty 0 4
login authentication VTY


!
! Apply the inbound ACL to deny ICMP packets
! Enable auth-proxy on the interface
!
interface FastEthernet 0/0
ip access-group INGRESS-FASTETHERNET0/0 in
ip auth-proxy AUTH


AAA Server:

Step 1:

Follow the screenshots below to accomplish the ACS configuration. First, add R1
as a TACACS+ client in the ACS server (use Loopback address for it). Go to
Network Configuration and click Add Entry:


Step 2:

Go to Interface Configuration, click TACACS+ (Cisco IOS) and add a
new service named “auth-proxy” to the list of the TACACS+ services:


Step 3:

Go to User Setup and add a new user named “AUTH” with a password of
“CISCO” to the ACS and configure the auth-proxy service for this user:


Step 4:

Under the auth-proxy settings, configure the proxy-access list permitting ICMP
traffic to the specified host only.


Task 2.3 Verification


Set up the Test PC in VLAN 12 and assign it an IP address from this VLAN.

SW2:
interface fastEthernet 0/20
switchport mode access
switchport access vlan 12

Initiate an HTTP session across the Auth-Proxy router:


SCRack4R1#show access-list INGRESS-FASTETHERNET0/0


Extended IP access list INGRESS-FASTETHERNET0/0
permit icmp host 192.10.4.200 host 192.10.4.253
10 deny icmp any host 192.10.4.253
20 permit ip any any (253 matches)

SCRack4R1#show ip auth-proxy cache


Authentication Proxy Cache
Client Name auth, Client IP 192.10.4.200, Port 1235, timeout 60, Time Remaining 59, state ESTAB


Task 2.4 Solution


R1:
!
! Configure logging time stamps; note that logs are required to use the
! router's local time; without the “localtime” option, logs will be stamped
! in GMT
!
service timestamps log datetime localtime

!
! Configure logging at informational level with a source of Loopback
!
logging 10.0.0.102
logging source-interface Loopback 0
logging trap informational

!
! Modify the existing ACL and identify RFC1918 and RFC2827 in it
!
! RFC 1918
!
ip access-list extended INGRESS-FASTETHERNET0/0
no 20
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log

!
! RFC 2827
!
deny ip 141.1.0.0 0.0.255.255 any log
deny ip 150.4.0.0 0.0.255.255 any log
permit ip any any
!
! Also account for packets denied by the ACL
!
interface FastEthernet 0/0
ip accounting access-violation


R6:
!
! Configure logging time stamps; note that logs are required to use the
! router's local time zone; without the “localtime” option, logs will be
! stamped in GMT
!
service timestamps log datetime localtime
!
! Configure logging at informational level with a source of Loopback
!
logging 10.0.0.102
logging source-interface Loopback 0
logging trap informational
!
! Create the ACL and identify RFC1918 and RFC2827 in it
!
! RFC 1918
!
access-list 99 deny 10.0.0.0 0.255.255.255 log
access-list 99 deny 192.168.0.0 0.0.255.255 log
access-list 99 deny 172.16.0.0 0.15.255.255 log
!
! RFC 2827
!
access-list 99 deny 141.1.0.0 0.0.255.255 log
access-list 99 deny 150.4.0.0 0.0.255.255 log
access-list 99 permit any
!
! Apply the ACL inbound on the interface to BB1. Also account for packets
! denied by the ACL
!
interface Serial 0/0/0
ip accounting access-violation
ip access-group 99 in


Task 2.4 Verification


For verification we will temporarily add a new deny entry to access-list 99.

SCRack4R6(config)#ip access-list standard 99
SCRack4R6(config-std-nacl)#5 deny 54.0.0.0 0.255.255.255 log
Sep 6 12:01:23: %SEC-6-IPACCESSLOGNP: list 99 denied 0 54.4.2.254 -> 224.0.0.10, 1 packet
Sep 6 12:01:23: %SEC-6-IPACCESSLOGNP: list 99 denied 0 54.4.1.254 -> 224.0.0.10, 1 packet
Sep 6 12:01:23: %SEC-6-IPACCESSLOGNP: list 99 denied 0 54.4.1.254 -> 224.0.0.9, 1 packet
SCRack4R6(config-std-nacl)#no 5
SCRack4R6(config-std-nacl)#exit
SCRack4R6(config)#exit

SCRack4R6#show ip accounting access-violations

   Source           Destination              Packets               Bytes  ACL
 54.4.1.254         224.0.0.9                      1                 112   99
 54.4.2.254         224.0.0.10                     1                 120   99
 54.4.1.254         224.0.0.10                     1                 200   99
Accounting data age is 5

SCRack4R6#show logging
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

    Console logging: level debugging, 54 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: disabled, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.


ESM: 0 messages dropped

Trap logging: level informational, 58 message lines logged


Logging to 10.0.0.102 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
11 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
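As an added example (not from the workbook), here is a small Python parser for the %SEC-6-IPACCESSLOGNP lines R6 emitted above, extended to the port-carrying %SEC-6-IPACCESSLOGP form IOS uses for tcp/udp entries, which tags each denied source as RFC 1918, RFC 2827 spoof (the lab's own 141.1.0.0/16 and 150.4.0.0/16 prefixes) or other and totals denied packets per source/destination pair; the sample log text is constructed, and the two IPACCESSLOGP lines in it are assumed, not device output.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three %SEC-6-IPACCESSLOGNP lines from the
# Task 2.4 verification, plus two constructed %SEC-6-IPACCESSLOGP lines (the
# port-carrying form for tcp/udp entries) so both layouts are exercised.
SAMPLE_LOG = """\
Sep 6 12:01:23: %SEC-6-IPACCESSLOGNP: list 99 denied 0 54.4.2.254 -> 224.0.0.10, 1 packet
Sep 6 12:01:23: %SEC-6-IPACCESSLOGNP: list 99 denied 0 54.4.1.254 -> 224.0.0.10, 1 packet
Sep 6 12:01:23: %SEC-6-IPACCESSLOGNP: list 99 denied 0 54.4.1.254 -> 224.0.0.9, 1 packet
Sep 6 12:05:40: %SEC-6-IPACCESSLOGP: list INGRESS-FASTETHERNET0/0 denied tcp 10.1.1.1(1024) -> 192.10.4.253(80), 1 packet
Sep 6 12:06:02: %SEC-6-IPACCESSLOGP: list INGRESS-FASTETHERNET0/0 denied tcp 150.4.7.7(1025) -> 192.10.4.253(23), 3 packets
"""

# Prefixes the Task 2.4 ACLs deny: RFC 1918 space and, per RFC 2827, the
# lab's own internal prefixes that must never arrive from the outside.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL = [ipaddress.ip_network(n) for n in ("141.1.0.0/16", "150.4.0.0/16")]

# NP form: "denied <proto-num> <src> -> <dst>"; P form adds "(port)" after each address.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>NP|P): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)


@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    count: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_line(line):
    """Return an AclLogEntry for an ACL log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return AclLogEntry(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], dst=m["dst"], count=int(m["count"]),
        sport=int(m["sport"]) if m["sport"] else None,
        dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_acl_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def classify_source(src):
    """Label a source address by which Task 2.4 deny rule family it falls under."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if any(addr in net for net in INTERNAL):
        return "rfc2827-spoof"
    return "other"


def summarize(text):
    """Total denied packets per (src, dst) pair and per source class."""
    entries = parse_acl_log(text)
    by_pair, by_class = Counter(), Counter()
    for e in entries:
        if e.action != "denied":
            continue
        by_pair[(e.src, e.dst)] += e.count
        by_class[classify_source(e.src)] += e.count
    return {"entries": len(entries), "by_pair": dict(by_pair), "by_class": dict(by_class)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (src, dst), n in sorted(report["by_pair"].items()):
        print(f"{src:>15} -> {dst:<15} {n:>4} denied  [{classify_source(src)}]")
    print("by class:", report["by_class"])
```

Because the ACL log keyword is rate-limited (the show logging output above reports 3 messages rate-limited), these totals can undercount; the ip accounting access-violations table on the router is the figure to reconcile them against.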

Task 2.5 Solution


R4:
!
! Create an inspect class-map for outbound and match the required protocols
!
class-map type inspect match-any cmap_outbound
match protocol http
match protocol https
match protocol telnet
match protocol ssh

!
! Create an inspect class-map for inbound and match the required protocols
!
class-map type inspect match-any cmap_inbound
match protocol icmp

!
! Configure the parameter-map for audit-trail and session limit
!
parameter-map type inspect my_param_max_sess
sessions maximum 5
audit-trail on


!
! Configure the inspect policy-map for outbound. Call the class-map and
! inspect accordingly to the parameter-map
!
policy-map type inspect pmap_outbound
class type inspect cmap_outbound
inspect my_param_max_sess

!
! Configure the inspect policy-map for inbound. Call the class-map, inspect
! and police traffic
!
policy-map type inspect pmap_inbound
class type inspect cmap_inbound
inspect
police rate 8000 burst 1000

!
! Define the security zones and add interfaces to them
!
zone security inside
zone security outside
!
interface serial 0/0.45
zone-member security inside
!
interface serial 0/1
zone-member security inside
!
int FastEthernet0/0
zone-member security inside
!
int FastEthernet0/1
zone-member security outside

!
! Configure the firewall policies for traffic initiated between security
! zones. Call the inspect policy-maps.
!
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect pmap_outbound
!
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect pmap_inbound


Task 2.5 Verification


Ping from inside to outside; traffic should be dropped. Check the policy: ICMP
should match class-default with the drop action.

SCRack4R5#ping 30.0.0.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 30.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

SCRack4R4#show policy-map type inspect zone-pair inside-to-outside sessions
 Zone-pair: inside-to-outside

  Service-policy inspect : pmap_outbound

    Class-map: cmap_outbound (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol telnet
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        5 packets, 400 bytes

Telnet from inside to outside; traffic should be inspected. Check the policy: telnet
traffic should match the defined class with the inspect option.


SCRack4R5#telnet 30.0.0.1
Trying 30.0.0.1 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB3. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.ine.com/downloads/bb3.txt |
| |
+-----------------------------------------------------------------------+

SC.9.9.BB3>

SCRack4R4#show policy-map type inspect zone-pair inside-to-outside sessions
 Zone-pair: inside-to-outside
  Service-policy inspect : pmap_outbound

   Class-map: cmap_outbound (match-any)
    Match: protocol http
     0 packets, 0 bytes
     30 second rate 0 bps
    Match: protocol https
     0 packets, 0 bytes
     30 second rate 0 bps
    Match: protocol telnet
     1 packets, 24 bytes
     30 second rate 0 bps
    Match: protocol ssh
     0 packets, 0 bytes
     30 second rate 0 bps
    Inspect
     Established Sessions
      Session 845B1080 (141.1.54.5:47168)=>(30.0.0.1:23) telnet SIS_OPEN
       Created 00:00:07, Last heard 00:00:06
       Bytes sent (initiator:responder) [33:1086]

   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
     5 packets, 400 bytes


Ping from outside to inside; traffic should be inspected; check the statistics: ICMP
traffic should match the defined class-map with the inspect option.

SC.9.9.BB3>ping 141.1.54.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.1.54.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/69/84 ms

SCRack4R4#show policy-map type inspect zone-pair outside-to-inside sessions
 Zone-pair: outside-to-inside
  Police
   rate 8000 bps,1000 limit
   conformed 10 packets, 1090 bytes; actions: transmit
   exceeded 0 packets, 0 bytes; actions: drop
   conformed 0 bps, exceed 0 bps

  Service-policy inspect : pmap_inbound

   Class-map: cmap_inbound (match-any)
    Match: protocol icmp
     1 packets, 80 bytes
     30 second rate 0 bps
    Inspect
     Established Sessions
      Session 845B0DB8 (204.12.4.254:8)=>(141.1.54.5:0) icmp SIS_OPEN
       Created 00:00:04, Last heard 00:00:04
       ECHO request
       Bytes sent (initiator:responder) [360:360]

   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
     0 packets, 0 bytes


Telnet from outside to inside; traffic should be dropped; check the policy: telnet
traffic should match class-default with the drop option.

SC.9.9.BB3>telnet 141.1.54.5
Trying 141.1.54.5 ...
% Connection timed out; remote host not responding

SCRack4R4#show policy-map type inspect zone-pair outside-to-inside sessions
 Zone-pair: outside-to-inside
  Police
   rate 8000 bps,1000 limit
   conformed 10 packets, 1090 bytes; actions: transmit
   exceeded 0 packets, 0 bytes; actions: drop
   conformed 0 bps, exceed 0 bps

  Service-policy inspect : pmap_inbound

   Class-map: cmap_inbound (match-any)
    Match: protocol icmp
     1 packets, 80 bytes
     30 second rate 0 bps
    Inspect

   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
     4 packets, 96 bytes

Check connectivity between interfaces in the inside zone; all traffic between
these interfaces should be allowed.

SCRack4R5#ping 10.0.0.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
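To make the zone-pair checks above repeatable, the following added example (not from the workbook) parses the output of show policy-map type inspect zone-pair ... sessions into per-class counters and session tuples, then evaluates what this task expects for inside-to-outside: telnet counted under the inspect class with an open session to port 23, and everything unlisted counted under class-default's drop action. The sample output is constructed from the page's own output; the class names cmap_outbound and class-default come from the configuration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "show policy-map type inspect zone-pair inside-to-outside
# sessions", modelled on the page's output after the ping (dropped) and telnet (inspected).
SAMPLE_OUTPUT = """\
 Zone-pair: inside-to-outside
  Service-policy inspect : pmap_outbound

   Class-map: cmap_outbound (match-any)
    Match: protocol http
     0 packets, 0 bytes
     30 second rate 0 bps
    Match: protocol https
     0 packets, 0 bytes
     30 second rate 0 bps
    Match: protocol telnet
     1 packets, 24 bytes
     30 second rate 0 bps
    Match: protocol ssh
     0 packets, 0 bytes
     30 second rate 0 bps
    Inspect
     Established Sessions
      Session 845B1080 (141.1.54.5:47168)=>(30.0.0.1:23) telnet SIS_OPEN
       Created 00:00:07, Last heard 00:00:06
       Bytes sent (initiator:responder) [33:1086]

   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
     5 packets, 400 bytes
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
MATCH_RE = re.compile(r"^\s*Match:\s+(?:protocol\s+)?(\S+)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
SESSION_RE = re.compile(r"Session \S+ \(([\d.]+:\d+)\)=>\(([\d.]+:\d+)\) (\S+)")


@dataclass
class ClassStats:
    name: str
    action: str = "unknown"                       # inspect / drop / pass
    matches: dict = field(default_factory=dict)   # match criterion -> packets
    action_packets: int = 0                       # packets counted under the action line
    sessions: list = field(default_factory=list)  # (initiator, responder, protocol)


def parse_zone_pair(output):
    """Parse per-class counters and established sessions of a zone-pair inspect policy."""
    classes, current, last_match = [], None, None
    for line in output.splitlines():
        if m := CLASS_RE.match(line):
            current = ClassStats(name=m.group(1))
            classes.append(current)
            last_match = None
            continue
        if current is None:
            continue          # Police / Service-policy header lines before the first class
        if m := MATCH_RE.match(line):
            last_match = m.group(1)
            current.matches.setdefault(last_match, 0)
            continue
        stripped = line.strip()
        if stripped == "Inspect" or stripped.startswith(("Drop", "Pass")):
            current.action = stripped.split()[0].lower()
            last_match = None  # packet counts from here on belong to the action, not a match
            continue
        if m := PKTS_RE.match(line):
            if last_match is not None:
                current.matches[last_match] = int(m.group(1))
            else:
                current.action_packets = int(m.group(1))
            continue
        if m := SESSION_RE.search(line):
            current.sessions.append((m.group(1), m.group(2), m.group(3)))
    return classes


def verify_outbound_policy(classes):
    """Checks this task's verification expects to hold for the inside-to-outside pair."""
    by_name = {c.name: c for c in classes}
    outbound, default = by_name["cmap_outbound"], by_name["class-default"]
    return {
        "telnet_inspected": outbound.action == "inspect"
        and outbound.matches.get("telnet", 0) > 0,
        "telnet_session_open": any(
            proto == "telnet" and responder.endswith(":23")
            for _, responder, proto in outbound.sessions
        ),
        "unlisted_traffic_dropped": default.action == "drop" and default.action_packets > 0,
    }


if __name__ == "__main__":
    for check, ok in verify_outbound_policy(parse_zone_pair(SAMPLE_OUTPUT)).items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```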


Task 2.6 Solution


R3:
!
! Configure the ACL to match tcp traffic sourced from port 23
!
access-list 100 deny tcp any eq 23 any
access-list 100 permit ip any any
!
! Apply the ACL inbound on FastEthernet0/0
!
int FastEthernet 0/0
ip access-group 100 in
!
! Configure the ACL to match Sw1 Loopback address
!
access-list 1 permit 150.4.7.7
!
! Configure a CBAC rule to inspect tcp, http packets and deny fragments
!
ip inspect name CBAC tcp
ip inspect name CBAC http java-list 1
ip inspect name CBAC fragment maximum 0
!
! Configure port-map so that HTTP inspection looks over port 8080 as well.
! Enable audit-trail
!
ip port-map http port 8080
ip inspect audit-trail
!
! Apply the inspection outbound on FastEthernet0/0
!
int FastEthernet 0/0
ip inspect CBAC out


Task 2.6 Verification


SCRack4R3#show ip port-map http
Default mapping:  http                 tcp port 80    system defined
Default mapping:  http                 tcp port 8080  user defined

SCRack4R3#show ip inspect config
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is on timeout 3600
    http java-list 1 alert is on audit-trail is on timeout 3600
    fragment Maximum 0 In Use 0 alert is on audit-trail is on timeout 1

SCRack4R3#show ip inspect interfaces
Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is CBAC
    tcp alert is on audit-trail is on timeout 3600
    http java-list 1 alert is on audit-trail is on timeout 3600
    fragment Maximum 0 In Use 0 alert is on audit-trail is on timeout 1
  Inbound access list is 100
  Outgoing access list is not set


SCRack4R6#telnet 10.7.7.7
Trying 10.7.7.7 ... Open

User Access Verification

Password:
SCRack4SW1>en
Password:
SCRack4SW1#

SCRack4R3#show ip inspect sessions detail
Established Sessions
 Session 8460F7E8 (141.1.36.6:40162)=>(10.7.7.7:23) tcp SIS_OPEN
  Created 00:01:50, Last heard 00:01:45
  Bytes sent (initiator:responder) [51:103]
  In SID 10.7.7.7[23:23]=>141.1.36.6[40162:40162] on ACL 100 (17 matches)

SCRack4R3#show logging | b Log Buffer
Log Buffer (4096 bytes):

Sep 6 14:12:31.351: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (141.1.36.6:38163) -- responder (10.7.7.7:23)
Sep 6 14:12:59.285: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (141.1.36.6:38163) sent 59 bytes -- responder (10.7.7.7:23) sent 122 bytes
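The audit-trail messages are what a syslog pipeline would consume from this router. This added example (not from the workbook) correlates %FW-6-SESS_AUDIT_TRAIL_START and %FW-6-SESS_AUDIT_TRAIL lines into session records with duration and byte counts, and reports sessions that have started but not stopped. The first two log lines are the ones shown above; the third, an HTTP session to the user-mapped port 8080, is constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed syslog sample: the two %FW-6 lines from this verification plus one
# constructed line for a session that has not yet closed.
SAMPLE_LOG = """\
Sep 6 14:12:31.351: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (141.1.36.6:38163) -- responder (10.7.7.7:23)
Sep 6 14:12:59.285: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (141.1.36.6:38163) sent 59 bytes -- responder (10.7.7.7:23) sent 122 bytes
Sep 6 14:13:05.100: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (141.1.36.6:40021) -- responder (10.7.7.7:8080)
"""

# The timestamp contains colons, so match non-greedily up to the ": %FW-6-" marker.
LINE_RE = re.compile(
    r"^(?P<ts>.+?): %FW-6-(?P<msg>SESS_AUDIT_TRAIL(?:_START)?): (?P<body>.*)$"
)
START_RE = re.compile(
    r"Start (?P<proto>\w+) session: initiator \((?P<init>[^)]+)\) -- responder \((?P<resp>[^)]+)\)"
)
STOP_RE = re.compile(
    r"Stop (?P<proto>\w+) session: initiator \((?P<init>[^)]+)\) sent (?P<ib>\d+) bytes"
    r" -- responder \((?P<resp>[^)]+)\) sent (?P<rb>\d+) bytes"
)


@dataclass
class Session:
    proto: str
    initiator: str
    responder: str
    started: datetime
    stopped: Optional[datetime] = None
    initiator_bytes: int = 0
    responder_bytes: int = 0

    @property
    def duration_seconds(self) -> Optional[float]:
        if self.stopped is None:
            return None
        return round((self.stopped - self.started).total_seconds(), 3)


def parse_timestamp(ts: str) -> datetime:
    # IOS timestamps carry no year; strptime defaults it to 1900, which is fine for durations.
    return datetime.strptime(ts.strip(), "%b %d %H:%M:%S.%f")


def parse_audit_trail(log: str):
    """Return (closed_sessions, open_sessions) correlated by (proto, initiator, responder)."""
    open_sessions = {}
    closed = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an audit-trail message
        ts, body = parse_timestamp(m["ts"]), m["body"]
        if m["msg"] == "SESS_AUDIT_TRAIL_START":
            s = START_RE.match(body)
            if s:
                key = (s["proto"], s["init"], s["resp"])
                open_sessions[key] = Session(s["proto"], s["init"], s["resp"], ts)
        else:
            s = STOP_RE.match(body)
            if not s:
                continue
            key = (s["proto"], s["init"], s["resp"])
            # A Stop without a Start happens when the log buffer wrapped; keep it anyway.
            sess = open_sessions.pop(key, None) or Session(s["proto"], s["init"], s["resp"], ts)
            sess.stopped = ts
            sess.initiator_bytes = int(s["ib"])
            sess.responder_bytes = int(s["rb"])
            closed.append(sess)
    return closed, list(open_sessions.values())


if __name__ == "__main__":
    closed, still_open = parse_audit_trail(SAMPLE_LOG)
    for s in closed:
        print(f"{s.proto} {s.initiator} -> {s.responder}: {s.duration_seconds}s, "
              f"{s.initiator_bytes}/{s.responder_bytes} bytes")
    for s in still_open:
        print(f"OPEN {s.proto} {s.initiator} -> {s.responder} since {s.started.time()}")
```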

Task 3.1 Solution


ASA1:
!
! Configure ISAKMP policy and enable ISAKMP on the outside
!
crypto isakmp policy 10
auth pre-share
encr 3des
hash sha
group 2
!
crypto isakmp enable outside

!
! Configure Phase 2 parameters
!
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac


!
! Configure dynamic crypto-map with PFS, SA lifetime and Phase 2 set
!
crypto dynamic-map DYNAMIC 10 set transform-set AES_SHA
crypto dynamic-map DYNAMIC 10 set pfs group2
crypto dynamic-map DYNAMIC 10 set security-association lifetime kilobytes 1000

!
! Create the crypto map referencing the dynamic map and apply it to the outside interface
!
crypto map VPN 1000 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside

!
! Configure split-tunnel ACL
!
access-list SPLIT_TUNNEL permit ip 141.1.255.0 255.255.255.0 any

!
! Configure group-policy accordingly with the tasks
!
group-policy IPSGROUP_POLICY internal
group-policy IPSGROUP_POLICY attributes
password-storage enable
wins-server value 141.1.255.200
dns-server value 141.1.255.200
vpn-simultaneous-logins 2
vpn-idle-timeout 10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL

!
! Configure the tunnel-group name for the EZVPN client and specify the key
!
tunnel-group IPSGROUP type ipsec-ra
tunnel-group IPSGROUP ipsec-attributes
pre-shared-key CISCO

!
! Configure the VPN pool and the local username
!
ip local pool POOL-VPN 141.1.255.51-141.1.255.55 mask 255.255.255.0
username IPSUSER password CISCOIPS

!
! Call the VPN pool inside the tunnel-group attributes; specify the
! group-policy settings to be inherited
!
tunnel-group IPSGROUP general-attributes
address-pool POOL-VPN
default-group-policy IPSGROUP_POLICY


R4:
!
! Create the Virtual-Tunnel interface and configure encapsulation to be
! IPSec, default being GRE
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4

!
! Configure the EZVPN profile in mode client. Specify the virtual-template
! interface to be used for this VPN connection
!
crypto ipsec client ezvpn EZ_CLIENT
connect auto
group IPSGROUP key CISCO
mode client
peer 141.1.100.12
virtual-interface 1
username IPSUSER password CISCOIPS

!
! Identify the inside and outside VPN interfaces
!
interface Loopback 44
ip address 150.4.44.44 255.255.255.0
crypto ipsec client ezvpn EZ_CLIENT inside
!
interface S0/0.45
crypto ipsec client ezvpn EZ_CLIENT outside

Task 3.1 Verification


Check IKE Phase 1 negotiations status:

SCRack4R4#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1003  141.1.54.4      141.1.100.12           ACTIVE 3des sha        2  23:56:29 CX
       Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA


Check EZVPN client status; verify configuration settings and tunnel status.

SCRack4R4#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : EZ_CLIENT
Inside interface list: Loopback44
Outside interface: Virtual-Access2 (bound to Serial0/0.45)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 141.1.255.51 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 141.1.255.200
NBMS/WINS Primary: 141.1.255.200
Save Password: Allowed
Split Tunnel List: 1
       Address    : 141.1.255.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 141.1.100.12

Send traffic across the tunnel toward VLAN 255.

SCRack4R4#ping 141.1.255.88 source loopback 44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.1.255.88, timeout is 2 seconds:
Packet sent with a source address of 150.4.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/99/101 ms


Confirm that packets are encrypted and decrypted.

SCRack4R4#show crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 141.1.54.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (141.1.255.51/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 141.1.100.12 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 141.1.54.4, remote crypto endpt.: 141.1.100.12
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0.45
     current outbound spi: 0xDD0E327A(3708695162)

     inbound esp sas:
      spi: 0x41638720(1097041696)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 9, flow_id: 9, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (967/28754)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDD0E327A(3708695162)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 10, flow_id: 10, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (967/28754)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


Check the IP address assigned to the client:

SCRack4R4#show ip route connected
     141.1.0.0/16 is variably subnetted, 12 subnets, 2 masks
C       141.1.255.51/32 is directly connected, Loopback10000
C       141.1.45.0/24 is directly connected, Serial0/1
C       141.1.45.5/32 is directly connected, Serial0/1
C       141.1.54.0/24 is directly connected, Serial0/0.45
C    204.12.4.0/24 is directly connected, FastEthernet0/1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
     150.4.0.0/16 is variably subnetted, 8 subnets, 2 masks
C       150.4.4.0/24 is directly connected, Loopback0
C       150.4.44.0/24 is directly connected, Loopback44

Check the split-tunnel route downloaded to R5:

SCRack4R4#show interfaces virtual-access 2
Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback10000 (141.1.255.51)
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x44, loopback not set
  Keepalive not set
  Tunnel source 141.1.54.4 (Serial0/0.45), destination 141.1.100.12
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     9 packets input, 900 bytes, 0 no buffer
<snip>


SCRack4R4#show ip route static
     141.1.0.0/16 is variably subnetted, 12 subnets, 2 masks
S       141.1.255.0/24 [1/0] via 0.0.0.0, Virtual-Access2

Verify the remote-access VPN session on the ASA1.

Rack4ASA# show vpn-sessiondb remote

Session Type: IPsec

Username     : IPSUSER                Index        : 6
Assigned IP  : 141.1.255.51           Public IP    : 141.1.54.4
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : IPSGROUP_POLICY        Tunnel Group : IPSGROUP
Login Time   : 22:39:51 UTC Sun Sep 6 2009
Duration     : 0h:04m:56s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Rack4ASA# show crypto ipsec sa
interface: outside
    Crypto map tag: DYNAMIC, seq num: 10, local addr: 141.1.100.12

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (141.1.255.51/255.255.255.255/0/0)
      current_peer: 141.1.54.4, username: IPSUSER
      dynamic allocated peer ip: 141.1.255.51

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: <snip>


Task 3.2 Solution


R1:
!
! Create and configure the point-to-point tunnel interface; leave
! encapsulation GRE as default; source the tunnel from Loopback0
!
interface Tunnel12
tunnel source Loopback 0
tunnel destination 150.4.2.2
ip address 10.12.12.1 255.255.255.0
!
! Configure the new Loopback
!
interface Loopback2
ip address 10.100.100.1 255.255.255.255
!
! Speak RIP version 2 ONLY on the tunnel interface
!
router rip
version 2
no auto-summary
passive-interface default
network 10.0.0.0
no passive-interface Tunnel12

R2:
!
! Create and configure the point-to-point tunnel interfaces; leave
! encapsulation GRE as default; source the tunnels from Loopback0
!
interface Tunnel21
tunnel source Loopback 0
tunnel destination 150.4.1.1
ip address 10.12.12.2 255.255.255.0
!
interface Tunnel23
tunnel source Loopback 0
tunnel destination 150.4.3.3
ip address 10.23.23.2 255.255.255.0
!


interface Tunnel25
tunnel source Loopback 0
tunnel destination 150.4.5.5
ip address 10.25.25.2 255.255.255.0

!
! Configure the new Loopback
!
interface Loopback2
ip address 10.100.100.2 255.255.255.255

!
! Speak RIP version 2 ONLY on the tunnel interfaces
!
router rip
version 2
no auto-summary
passive-interface default
network 10.0.0.0
no passive-interface Tunnel21
no passive-interface Tunnel23
no passive-interface Tunnel25

R3:
!
! Create and configure the point-to-point tunnel interface; leave
! encapsulation GRE as default; source the tunnel from Loopback0
!
interface Tunnel32
tunnel source Loopback 0
tunnel destination 150.4.2.2
ip address 10.23.23.3 255.255.255.0

!
! Configure the new Loopback
!
interface Loopback2
ip address 10.100.100.3 255.255.255.255

!
! Speak RIP version 2 ONLY on the tunnel interface
!
router rip
version 2
no auto-summary
passive-interface default
network 10.0.0.0
no passive-interface Tunnel32


R5:
!
! Create and configure the point-to-point tunnel interface; leave
! encapsulation GRE as default; source the tunnel from Loopback0
!
interface Tunnel52
tunnel source Loopback0
tunnel destination 150.4.2.2
ip address 10.25.25.5 255.255.255.0

!
! Configure the new Loopback
!
interface Loopback2
ip address 10.100.100.5 255.255.255.255

!
! Speak RIP version 2 ONLY on the tunnel interface
!
router rip
version 2
no auto-summary
passive-interface default
network 10.0.0.0
no passive-interface Tunnel52

Task 3.2 Verification


SCRack4R1#show ip route rip
     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R       10.100.100.2/32 [120/1] via 10.12.12.2, 00:00:08, Tunnel12
R       10.100.100.3/32 [120/2] via 10.12.12.2, 00:00:08, Tunnel12
R       10.25.25.0/24 [120/1] via 10.12.12.2, 00:00:08, Tunnel12
R       10.23.23.0/24 [120/1] via 10.12.12.2, 00:00:08, Tunnel12
R       10.5.5.0/24 [120/2] via 10.12.12.2, 00:00:08, Tunnel12
R       10.100.100.5/32 [120/2] via 10.12.12.2, 00:00:08, Tunnel12

SCRack4R1#ping 10.100.100.2 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms


SCRack4R1#ping 10.100.100.3 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.3, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms

SCRack4R1#ping 10.100.100.5 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.5, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/140/141 ms

SCRack4R1#ping 10.5.5.5 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms

SCRack4R2#show ip route rip
     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R       10.100.100.3/32 [120/1] via 10.23.23.3, 00:00:04, Tunnel23
R       10.5.5.0/24 [120/1] via 10.25.25.5, 00:00:15, Tunnel25
R       10.100.100.1/32 [120/1] via 10.12.12.1, 00:00:16, Tunnel21
R       10.100.100.5/32 [120/1] via 10.25.25.5, 00:00:15, Tunnel25

SCRack4R2#ping 10.100.100.1 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/77/96 ms

SCRack4R2#ping 10.100.100.3 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.3, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/73/76 ms


SCRack4R2#ping 10.100.100.5 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.5, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/72 ms

SCRack4R2#ping 10.5.5.5 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/73 ms

SCRack4R3#show ip route rip
     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R       10.100.100.2/32 [120/1] via 10.23.23.2, 00:00:27, Tunnel32
R       10.25.25.0/24 [120/1] via 10.23.23.2, 00:00:27, Tunnel32
R       10.12.12.0/24 [120/1] via 10.23.23.2, 00:00:27, Tunnel32
R       10.5.5.0/24 [120/2] via 10.23.23.2, 00:00:27, Tunnel32
R       10.100.100.1/32 [120/2] via 10.23.23.2, 00:00:27, Tunnel32
R       10.100.100.5/32 [120/2] via 10.23.23.2, 00:00:27, Tunnel32

SCRack4R3#ping 10.100.100.1 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms

SCRack4R3#ping 10.100.100.2 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms

SCRack4R3#ping 10.100.100.5 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.5, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/145 ms


SCRack4R3#ping 10.5.5.5 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms

SCRack4R5#show ip route rip
     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R       10.100.100.2/32 [120/1] via 10.25.25.2, 00:00:10, Tunnel52
R       10.100.100.3/32 [120/2] via 10.25.25.2, 00:00:10, Tunnel52
R       10.23.23.0/24 [120/1] via 10.25.25.2, 00:00:10, Tunnel52
R       10.12.12.0/24 [120/1] via 10.25.25.2, 00:00:10, Tunnel52
R       10.100.100.1/32 [120/2] via 10.25.25.2, 00:00:10, Tunnel52

SCRack4R5#ping 10.100.100.1 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms

SCRack4R5#ping 10.100.100.2 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/73/77 ms

SCRack4R5#ping 10.100.100.3 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.3, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms


SCRack4R4#show ip route 10.100.100.1
% Subnet not in table

SCRack4R4#show ip route 10.100.100.2
% Subnet not in table

SCRack4R4#show ip route 10.100.100.3
% Subnet not in table

SCRack4R4#show ip route 10.100.100.5
% Subnet not in table

Task 3.3 Solution


R1:
!
! Configure IKE Phase 1 policy and the pre-shared key
!
crypto isakmp policy 10
authentication pre-share
encr 3des
hash md5
!
crypto isakmp key CISCO address 150.4.2.2

!
! Configure IKE Phase 2 policy and use transport mode for less overhead
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
mode transport

!
! Configure a IPSec profile and apply it to the tunnel interface
!
crypto ipsec profile VPN_TUNNEL
set transform-set 3DES_MD5_TRANS
!
interface Tunnel12
tunnel protection ipsec profile VPN_TUNNEL


R2:
!
! Configure IKE Phase 1 policy and the pre-shared key
!
crypto isakmp policy 10
authentication pre-share
encr 3des
hash md5
!
crypto isakmp key CISCO address 150.4.1.1
crypto isakmp key CISCO address 150.4.5.5

!
! Configure IKE Phase 2 policy and use transport mode for less overhead
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
mode transport
!
! Configure a IPSec profile and apply it to the tunnel interfaces
!
crypto ipsec profile VPN_TUNNEL
set transform-set 3DES_MD5_TRANS
!
interface Tunnel21
tunnel protection ipsec profile VPN_TUNNEL
!
interface Tunnel25
tunnel protection ipsec profile VPN_TUNNEL

R5:
!
! Configure IKE Phase 1 policy and the pre-shared key
!
crypto isakmp policy 10
authentication pre-share
encr 3des
hash md5
!
crypto isakmp key CISCO address 150.4.2.2

!
! Configure IKE Phase 2 policy and use transport mode for less overhead
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
mode transport

!
! Configure a IPSec profile and apply it to the tunnel interfaces
!
crypto ipsec profile VPN_TUNNEL
set transform-set 3DES_MD5_TRANS
!
interface Tunnel52
tunnel protection ipsec profile VPN_TUNNEL


Task 3.3 Verification


SCRack4R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.2.2 150.4.1.1 QM_IDLE 1001 0 ACTIVE
150.4.2.2 150.4.5.5 QM_IDLE 1002 0 ACTIVE

IPv6 Crypto ISAKMP SA

SCRack4R2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  150.4.2.2       150.4.1.1              ACTIVE 3des md5  psk  1  23:38:54
       Engine-id:Conn-id = SW:1

1002  150.4.2.2       150.4.5.5              ACTIVE 3des md5  psk  1  23:58:09
       Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

SCRack4R2#show ip route rip
     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R       10.100.100.3/32 [120/1] via 10.23.23.3, 00:00:06, Tunnel23
R       10.5.5.0/24 [120/1] via 10.25.25.5, 00:00:21, Tunnel25
R       10.100.100.1/32 [120/1] via 10.12.12.1, 00:00:14, Tunnel21
R       10.100.100.5/32 [120/1] via 10.25.25.5, 00:00:21, Tunnel25


SCRack4R2#show crypto ipsec sa

interface: Tunnel25
    Crypto map tag: Tunnel25-head-0, local addr 150.4.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (150.4.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.4.5.5/255.255.255.255/47/0)
   current_peer 150.4.5.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 45, #recv errors 0

     local crypto endpt.: 150.4.2.2, remote crypto endpt.: 150.4.5.5
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0x8992FD05(2308111621)

     inbound esp sas:
      spi: 0x5C928215(1553105429)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: 3, crypto map: Tunnel25-head-0
        sa timing: remaining key lifetime (k/sec): (4568498/3306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8992FD05(2308111621)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: 4, crypto map: Tunnel25-head-0
        sa timing: remaining key lifetime (k/sec): (4568498/3306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


interface: Tunnel21
    Crypto map tag: Tunnel21-head-0, local addr 150.4.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (150.4.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.4.1.1/255.255.255.255/47/0)
   current_peer 150.4.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 150.4.2.2, remote crypto endpt.: 150.4.1.1
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0x83029897(2197985431)

     inbound esp sas:
      spi: 0x1035BAC5(271956677)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: 1, crypto map: Tunnel21-head-0
        sa timing: remaining key lifetime (k/sec): (4478260/3281)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x83029897(2197985431)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: 2, crypto map: Tunnel21-head-0
        sa timing: remaining key lifetime (k/sec): (4478259/3281)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


SCRack4R2#ping 10.100.100.1 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/100/101 ms

SCRack4R2#ping 10.100.100.5 source loopback 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.5, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/97/100 ms

SCRack4R2#show crypto ipsec sa | i pkts encaps|pkts decaps
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
    #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
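Both the EzVPN verification in Task 3.1 and the counter check just above compare the encaps/decaps counters of show crypto ipsec sa before and after test traffic. This added example (not from the workbook) parses two such snapshots per interface and flags an SA whose encrypt/digest or decrypt/verify counters diverge from encaps/decaps, whose counters did not advance by at least the number of test packets, or whose send errors grew during the test. The snapshots are constructed from this task's R2 output, trimmed to the relevant lines; the expected-packet count of 5 matches the pings.

```python
import re
from dataclasses import dataclass

# Constructed "before" snapshot: the counter lines of R2's two GRE/IPsec SAs as shown
# in this task, before the two five-packet pings.
BEFORE = """\
interface: Tunnel25
    Crypto map tag: Tunnel25-head-0, local addr 150.4.2.2
   current_peer 150.4.5.5 port 500
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
    #send errors 45, #recv errors 0

interface: Tunnel21
    Crypto map tag: Tunnel21-head-0, local addr 150.4.2.2
   current_peer 150.4.1.1 port 500
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #send errors 0, #recv errors 0
"""

# Constructed "after" snapshot: RIP updates also cross the tunnels, so the deltas exceed
# the five pings; the check is therefore "at least expected_pkts".
AFTER = """\
interface: Tunnel25
    Crypto map tag: Tunnel25-head-0, local addr 150.4.2.2
   current_peer 150.4.5.5 port 500
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
    #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
    #send errors 45, #recv errors 0

interface: Tunnel21
    Crypto map tag: Tunnel21-head-0, local addr 150.4.2.2
   current_peer 150.4.1.1 port 500
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #send errors 0, #recv errors 0
"""

IFACE_RE = re.compile(r"^interface:\s+(\S+)")
PEER_RE = re.compile(r"current_peer:?\s+([\d.]+)")   # IOS and ASA spellings
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+), #pkts encrypt: (\d+), #pkts digest: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+), #pkts decrypt: (\d+), #pkts verify: (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


@dataclass
class SaCounters:
    interface: str
    peer: str = ""
    encaps: int = 0
    encrypt: int = 0
    digest: int = 0
    decaps: int = 0
    decrypt: int = 0
    verify: int = 0
    send_errors: int = 0
    recv_errors: int = 0


def parse_ipsec_sa(output):
    """Return {interface: SaCounters} from 'show crypto ipsec sa' text."""
    sas, cur = {}, None
    for line in output.splitlines():
        if m := IFACE_RE.match(line):
            cur = SaCounters(interface=m.group(1))
            sas[cur.interface] = cur
        elif cur is None:
            continue
        elif m := PEER_RE.search(line):
            cur.peer = m.group(1)
        elif m := ENCAPS_RE.search(line):
            cur.encaps, cur.encrypt, cur.digest = map(int, m.groups())
        elif m := DECAPS_RE.search(line):
            cur.decaps, cur.decrypt, cur.verify = map(int, m.groups())
        elif m := ERRORS_RE.search(line):
            cur.send_errors, cur.recv_errors = map(int, m.groups())
    return sas


def check_tunnel(before, after, expected_pkts):
    """Health checks for one SA after expected_pkts test packets were sent through it."""
    return {
        "encaps_delta": after.encaps - before.encaps,
        "decaps_delta": after.decaps - before.decaps,
        "traffic_encrypted": after.encaps - before.encaps >= expected_pkts,
        "traffic_decrypted": after.decaps - before.decaps >= expected_pkts,
        # encrypt/digest lagging behind encaps means the crypto engine dropped packets
        "no_encrypt_failures": after.encaps == after.encrypt == after.digest,
        # decaps ahead of verify means packets whose HMAC check failed
        "no_verify_failures": after.decaps == after.decrypt == after.verify,
        # send errors rising during the test means packets hit the SA before it was ready
        "no_new_send_errors": after.send_errors == before.send_errors,
    }


def compare_snapshots(before_text, after_text, expected_pkts=5):
    before, after = parse_ipsec_sa(before_text), parse_ipsec_sa(after_text)
    results = {}
    for iface, after_sa in after.items():
        before_sa = before.get(iface, SaCounters(interface=iface))
        results[iface] = check_tunnel(before_sa, after_sa, expected_pkts)
        results[iface]["peer"] = after_sa.peer
    return results


if __name__ == "__main__":
    for iface, r in compare_snapshots(BEFORE, AFTER).items():
        failed = [k for k, v in r.items() if v is False]
        print(f"{iface} ({r['peer']}): {'OK' if not failed else 'FAILED ' + ', '.join(failed)}")
```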

Task 3.4 Solution

R2:
!
! Configure NTP synchronization, needed for certificates validity
!
ntp server 10.0.0.100

!
! Configure the IKE Phase 1 policy
!
crypto isakmp policy 20
encr 3des
hash md5

!
! Create RSA keys for certificate enrollment
!
ip domain-name internetworkexpert.com
crypto key generate rsa general-keys modulus 1024

!
! Create a trustpoint to enroll with and get certificate from
!
crypto pki trustpoint IESERVER1
enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
revocation-check none

!
! Get the CA certificate and request a certificate from it afterwards
!
crypto pki authenticate IESERVER1
crypto pki enroll IESERVER1
!
! Apply the IPSec profile on the tunnel
!
interface Tunnel 23
tunnel protection ipsec profile VPN_TUNNEL

R3:
!
! Configure NTP synchronization, needed for certificates validity
!
ntp server 10.0.0.100

!
! Configure the IKE Phase 1 policy
!
crypto isakmp policy 10
encr 3des
hash md5

!
! Create RSA keys for certificate enrollment
!
ip domain-name internetworkexpert.com
crypto key generate rsa general-keys modulus 1024

!
! Create a trustpoint to enroll with and get certificate from
!
crypto pki trustpoint IESERVER1
enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
revocation-check none

!
! Get the CA certificate and request a certificate from it afterwards
!
crypto pki authenticate IESERVER1
crypto pki enroll IESERVER1

!
! Configure the IKE Phase 2 policy (transform-set), then the IPSec profile,
! and apply it to the tunnel interface
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
mode transport

crypto ipsec profile VPN_TUNNEL
set transform-set 3DES_MD5_TRANS
!
interface Tunnel 32
tunnel protection ipsec profile VPN_TUNNEL

Task 3.4 Verification


SCRack4R3#show ntp status
Clock is synchronized, stratum 5, reference is 10.0.0.100
nominal freq is 249.5901 Hz, actual freq is 249.5886 Hz, precision is 2**18
reference time is CE4FE188.0CF442CF (19:46:16.050 UTC Mon Sep 7 2009)
clock offset is 44.8700 msec, root delay is 136.73 msec
root dispersion is 63.31 msec, peer dispersion is 7.08 msec

SCRack4R2#show ntp status


Clock is synchronized, stratum 5, reference is 10.0.0.100
nominal freq is 249.5901 Hz, actual freq is 249.5862 Hz, precision is 2**18
reference time is CE4FE21E.E9ECC6A9 (19:48:46.913 UTC Mon Sep 7 2009)
clock offset is 37.0673 msec, root delay is 91.57 msec
root dispersion is 50.54 msec, peer dispersion is 1.77 msec

SCRack4R3#show crypto ca certificates


Certificate
Status: Available
Certificate Serial Number: 0x1C363827000000000007
Certificate Usage: General Purpose
Issuer:
cn=Brian Dennis
o=Internetwork Expert\, Inc.
l=Reno
st=Nevada
c=US
[email protected]
Subject:
Name: SCRack4R3.internetworkexpert.com
Serial Number: JAE081056R9
hostname=SCRack4R3.internetworkexpert.com
serialNumber=JAE081056R9
CRL Distribution Points:
http://sc09-aaa/CertEnroll/Brian%20Dennis.crl
Validity Date:
start date: 19:26:26 UTC Sep 7 2009
end date: 19:36:26 UTC Sep 7 2010
Associated Trustpoints: IESERVER1

CA Certificate
Status: Available
Certificate Serial Number: 0x1E76973E6706ABA7452D37E7EEC0DBB6
Certificate Usage: Signature
Issuer:
cn=Brian Dennis
o=Internetwork Expert\, Inc.
l=Reno
st=Nevada
c=US
[email protected]
Subject:
cn=Brian Dennis
o=Internetwork Expert\, Inc.
l=Reno
st=Nevada
c=US
[email protected]
CRL Distribution Points:
http://sc09-aaa/CertEnroll/Brian%20Dennis.crl
Validity Date:
start date: 22:39:54 UTC Dec 10 2008
end date: 22:49:27 UTC Dec 10 2018
Associated Trustpoints: IESERVER1

SCRack4R2#show crypto ca certificates


Certificate
Status: Available
Certificate Serial Number: 0x1C332A3F000000000006
Certificate Usage: General Purpose
Issuer:
cn=Brian Dennis
o=Internetwork Expert\, Inc.
l=Reno
st=Nevada
c=US
[email protected]
Subject:
Name: SCRack4R2.internetworkexpert.com
Serial Number: FCZ092774JK
hostname=SCRack4R2.internetworkexpert.com
serialNumber=FCZ092774JK
CRL Distribution Points:
http://sc09-aaa/CertEnroll/Brian%20Dennis.crl
Validity Date:
start date: 19:23:06 UTC Sep 7 2009
end date: 19:33:06 UTC Sep 7 2010
Associated Trustpoints: IESERVER1

CA Certificate
Status: Available
Certificate Serial Number: 0x1E76973E6706ABA7452D37E7EEC0DBB6
Certificate Usage: Signature
Issuer:
cn=Brian Dennis
o=Internetwork Expert\, Inc.
l=Reno
st=Nevada
c=US
[email protected]
Subject:
cn=Brian Dennis
o=Internetwork Expert\, Inc.
l=Reno
st=Nevada
c=US
[email protected]
CRL Distribution Points:
http://sc09-aaa/CertEnroll/Brian%20Dennis.crl
Validity Date:
start date: 22:39:54 UTC Dec 10 2008
end date: 22:49:27 UTC Dec 10 2018
Associated Trustpoints: IESERVER1
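The solution configures NTP before enrolling because IOS will not use a certificate whose validity window does not contain the router's current time, and the outputs above are what a practitioner reads to confirm that. The script below is an added example and not part of the workbook: it parses the show ntp status and show crypto ca certificates output shown above and reports, for every certificate, whether it is valid at the NTP reference time and whether the router certificate sits inside its issuer's window. The sample texts are abbreviated from the outputs above; the assumption that the router clock runs in UTC is marked in the code.

```python
import re
from datetime import datetime

# Added example, not part of the workbook. Sample texts are abbreviated from the
# 'show ntp status' and 'show crypto ca certificates' outputs of this task.
NTP_SYNCED = """Clock is synchronized, stratum 5, reference is 10.0.0.100
nominal freq is 249.5901 Hz, actual freq is 249.5886 Hz, precision is 2**18
reference time is CE4FE188.0CF442CF (19:46:16.050 UTC Mon Sep 7 2009)
clock offset is 44.8700 msec, root delay is 136.73 msec
"""
NTP_UNSYNCED = "Clock is unsynchronized, stratum 16, no reference clock\n"

CERTS = """Certificate
  Status: Available
  Certificate Serial Number: 0x1C363827000000000007
  Certificate Usage: General Purpose
  Subject:
    Name: SCRack4R3.internetworkexpert.com
  Validity Date:
    start date: 19:26:26 UTC Sep 7 2009
    end   date: 19:36:26 UTC Sep 7 2010
  Associated Trustpoints: IESERVER1

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1E76973E6706ABA7452D37E7EEC0DBB6
  Certificate Usage: Signature
  Validity Date:
    start date: 22:39:54 UTC Dec 10 2008
    end   date: 22:49:27 UTC Dec 10 2018
  Associated Trustpoints: IESERVER1
"""

DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d) (\w+) (\w{3}) (\d{1,2}) (\d{4})")
NTP_RE = re.compile(r"reference time is \S+ \((\d\d:\d\d:\d\d)\.\d+ (\w+) \w{3} (\w{3}) (\d{1,2}) (\d{4})\)")


def _ios_time(hms, zone, mon, day, year):
    # Assumption: the router clock runs in UTC, as in this lab. Other zone names
    # would need an offset table before the comparison is meaningful.
    if zone != "UTC":
        raise ValueError("unhandled time zone %s" % zone)
    return datetime.strptime("%s %s %s %s" % (hms, mon, day, year), "%H:%M:%S %b %d %Y")


def parse_ntp_status(text):
    """Return (synchronised?, reference time or None)."""
    m = NTP_RE.search(text)
    return "Clock is synchronized" in text, (_ios_time(*m.groups()) if m else None)


def parse_certificates(text):
    """One dict per 'Certificate' / 'CA Certificate' block."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            cur = {"kind": line, "serial": None, "start": None, "end": None}
            certs.append(cur)
        elif cur and line.startswith("Certificate Serial Number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        else:
            m = DATE_RE.match(line) if cur else None
            if m:
                cur[m.group(1)] = _ios_time(*m.groups()[1:])
    return certs


def check_trustpoint(ntp_text, cert_text):
    """Validity of every certificate at the NTP reference time, plus chain sanity."""
    synced, now = parse_ntp_status(ntp_text)
    certs = parse_certificates(cert_text)
    ca = next((c for c in certs if c["kind"] == "CA Certificate"), None)
    report = {"clock_synced": synced, "now": now, "certs": []}
    for c in certs:
        report["certs"].append({
            "kind": c["kind"], "serial": c["serial"],
            # Without a trustworthy clock no validity decision can be made.
            "valid_now": synced and now is not None and c["start"] <= now <= c["end"],
            "days_left": (c["end"] - now).days if now else None,
            # An identity certificate must lie inside its issuer's window.
            "within_ca": ca is not None and ca["start"] <= c["start"] and c["end"] <= ca["end"],
        })
    return report
```

Run against the unsynchronised text the report marks every certificate as not valid, which is exactly why the solution puts ntp server before crypto pki enroll. Note also that the solution sets revocation-check none: the CRL distribution point printed in the certificates is never consulted, so a revoked peer certificate would still authenticate. That is fine for the lab but is not a production setting.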

SCRack4R3#show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.2.2 150.4.3.3 QM_IDLE 1005 0 ACTIVE

IPv6 Crypto ISAKMP SA

SCRack4R3#show crypto isakmp sa detail


Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1005  150.4.3.3       150.4.2.2              ACTIVE 3des md5  rsig 1  23:57:03


Engine-id:Conn-id = SW:5

IPv6 Crypto ISAKMP SA

SCRack4R3#show ip route rip


10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
R 10.100.100.2/32 [120/1] via 10.23.23.2, 00:00:09, Tunnel32
R 10.25.25.0/24 [120/1] via 10.23.23.2, 00:00:09, Tunnel32
R 10.12.12.0/24 [120/1] via 10.23.23.2, 00:00:09, Tunnel32
R 10.5.5.0/24 [120/2] via 10.23.23.2, 00:00:09, Tunnel32
R 10.100.100.1/32 [120/2] via 10.23.23.2, 00:00:09, Tunnel32
R 10.100.100.5/32 [120/2] via 10.23.23.2, 00:00:09, Tunnel32

SCRack4R3#ping 10.100.100.2 source loopback 2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 10.100.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/100/101
ms

SCRack4R3#show crypto ipsec sa

interface: Tunnel32
Crypto map tag: Tunnel32-head-0, local addr 150.4.3.3

protected vrf: (none)


local ident (addr/mask/prot/port): (150.4.3.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (150.4.2.2/255.255.255.255/47/0)
current_peer 150.4.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 9, #recv errors 0

local crypto endpt.: 150.4.3.3, remote crypto endpt.: 150.4.2.2


path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x61C248E6(1640122598)

inbound esp sas:


spi: 0x7DC4B99(131877785)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, crypto map: Tunnel32-head-0
sa timing: remaining key lifetime (k/sec): (4604716/2959)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x61C248E6(1640122598)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, crypto map: Tunnel32-head-0
sa timing: remaining key lifetime (k/sec): (4604718/2959)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Task 3.5 Solution


R1:
!
! Configure the pre-shared key and IKE Phase 2 policy
!
crypto isakmp key cisco address 141.1.123.0 255.255.255.0
crypto ipsec transform-set gdoi-trans-group1 esp-aes esp-sha-hmac

!
! Configure the IPSec encryption profile
!
crypto ipsec profile gdoi-profile-group1
set transform-set gdoi-trans-group1

!
! Create the RSA keys needed to sign the re-keying messages
!
crypto key generate rsa general-keys modulus 1024 label GETVPN

!
! Configure the GDOI group
!
crypto gdoi group group1
identity number 1
server local
rekey address ipv4 191
rekey lifetime seconds 400
rekey authentication mypubkey rsa GETVPN
sa ipsec 1
profile gdoi-profile-group1
match address ipv4 101
address ipv4 141.1.123.1
redundancy
local priority 10

!
! Configure the ACL to match IPSec interesting traffic; this ACL will be
! downloaded by every GM
!
access-list 101 permit icmp host 141.1.123.2 host 141.1.123.3
access-list 101 permit icmp host 141.1.123.3 host 141.1.123.2

!
! Create the ACL to match the source and destination of the rekey messages;
! since rekeying is via multicast, the destination is a multicast address
!
access-list 191 permit udp host 141.1.123.1 eq 848 host 230.15.15.15 eq 848

R2:
!
! Configure the pre-shared key
!
crypto isakmp key cisco address 141.1.123.1

!
! Configure the GDOI group and specify server IP address
!
crypto gdoi group group1
identity number 1
server address ipv4 141.1.123.1

!
! Configure a crypto-map and call the GDOI group; apply the crypto-map
!
crypto map map-group1 10 gdoi
set group group1
interface s0/0.123
crypto map map-group1

R3:
!
! Configure the pre-shared key and IKE Phase 1 policy
!
crypto isakmp policy 20
auth pre
enc 3des
hash md5
crypto isakmp key cisco address 141.1.123.1

!
! Configure the GDOI group and specify server IP address
!
crypto gdoi group group1
identity number 1
server address ipv4 141.1.123.1
exit

!
! Configure a crypto-map and call the GDOI group; apply the crypto-map
!
crypto map map-group1 10 gdoi
set group group1
interface s1/0.123
crypto map map-group1

Task 3.5 Verification


Verify the KS and GM configuration, then generate interesting traffic and
confirm that the IPSec SA counters increment:

SCRack4R1#show crypto gdoi ks


Total group members registered to this box: 2

Key Server Information For Group group1:


Group Name : group1
Group Identity : 1
Group Members : 2
IPSec SA Direction : Both
ACL Configured:
access-list 101

SCRack4R1#show crypto gdoi group group1


Group Name : group1 (Multicast)
Group Identity : 1
Group Members : 2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 400 secs
Group Rekey
Remaining Lifetime : 266 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs

IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : gdoi-profile-group1
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 1464 secs
ACL Configured : access-list 101

Group Server list : Local

SCRack4R2#show crypto gdoi


GROUP INFORMATION

Group Name : group1


Group Identity : 1
Rekeys received : 5
IPSec SA Direction : Both
Active Group Server : 141.1.123.1
Group Server list : 141.1.123.1

GM Reregisters in : 1132 secs


Rekey Received(hh:mm:ss) : 00:04:49

Rekeys received
Cumulative : 5
After registration : 5

ACL Downloaded From KS 141.1.123.1:


access-list permit icmp host 141.1.123.2 host 141.1.123.3
access-list permit icmp host 141.1.123.3 host 141.1.123.2

KEK POLICY:
Rekey Transport Type : Multicast
Lifetime (secs) : 0
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024

TEK POLICY:
Serial0/0.123:
IPsec SA:
sa direction:inbound
spi: 0x80C99C15(2160696341)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (1306)
Anti-Replay : Disabled

IPsec SA:
sa direction:outbound
spi: 0x80C99C15(2160696341)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (1306)
Anti-Replay : Disabled

IPsec SA:
sa direction:inbound
spi: 0x80C99C15(2160696341)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (1299)
Anti-Replay : Disabled

IPsec SA:
sa direction:outbound
spi: 0x80C99C15(2160696341)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (1299)
Anti-Replay : Disabled

SCRack4R2#ping 141.1.123.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 141.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/101/104
ms

SCRack4R2#show crypto ipsec sa interface serial 0/0.123

interface: Serial0/0.123
Crypto map tag: map-group1, local addr 141.1.123.2

protected vrf: (none)


local ident (addr/mask/prot/port): (141.1.123.3/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (141.1.123.2/255.255.255.255/1/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 141.1.123.2, remote crypto endpt.:


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0.123
current outbound spi: 0x80C99C15(2160696341)

inbound esp sas:


spi: 0x80C99C15(2160696341)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 57, flow_id: 57, crypto map: map-group1
sa timing: remaining key lifetime (sec): (547)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x80C99C15(2160696341)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 58, flow_id: 58, crypto map: map-group1
sa timing: remaining key lifetime (sec): (547)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:
outbound pcp sas:

protected vrf: (none)


local ident (addr/mask/prot/port): (141.1.123.2/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (141.1.123.3/255.255.255.255/1/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 141.1.123.2, remote crypto endpt.:


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0.123
current outbound spi: 0x80C99C15(2160696341)

inbound esp sas:


spi: 0x80C99C15(2160696341)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 55, flow_id: 55, crypto map: map-group1
sa timing: remaining key lifetime (sec): (547)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x80C99C15(2160696341)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 56, flow_id: 56, crypto map: map-group1
sa timing: remaining key lifetime (sec): (547)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
<snip>

Task 3.6 Solution


R2:
!
! Configure periodic ISAKMP keepalive (DPD) messages and invalid-SPI recovery
! for fast failure detection; configure the pre-shared key as well.
!
crypto isakmp keepalive 10 periodic
crypto isakmp invalid-spi-recovery
crypto isakmp key CISCO address 141.1.100.12

!
! Configure the IKE Phase 2 policy, i.e. the transform-set
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!
! Identify interesting traffic in ACL
!
ip access-list extended TO_VLAN8
permit ip any 10.8.8.0 0.0.0.255

!
! Configure the crypto-map with reverse-route injection
!
crypto map VPN 10 ipsec-isakmp
match address TO_VLAN8
set peer 141.1.100.12
set transform 3DES_MD5
reverse-route

!
! Configure IPSec HA; raise the priority to 101 and configure preemption so
! that R2 is active whenever both routers are up and running
!
interface FastEthernet 0/0
standby 1 name HSRP1
standby 1 priority 101
standby 1 preempt
crypto map VPN redundancy HSRP1

!
! Redistribute the static (VPN-injected) routes into the OSPF domain; the
! “subnets” keyword is required under OSPF so that non-classful networks are
! redistributed
!
router ospf 1
redistribute static subnets

R5:
!
! Configure periodic ISAKMP keepalive (DPD) messages and invalid-SPI recovery
! for fast failure detection; configure the pre-shared key as well.
!
crypto isakmp keepalive 10 periodic
crypto isakmp invalid-spi-recovery
crypto isakmp key CISCO address 141.1.100.12

!
! Configure the IKE Phase 2 policy, i.e. the transform-set
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!
! Identify interesting traffic in ACL
!
ip access-list extended TO_VLAN8
permit ip any 10.8.8.0 0.0.0.255

!
! Configure the crypto-map with reverse-route injection
!
crypto map VPN 10 ipsec-isakmp
match address TO_VLAN8
set peer 141.1.100.12
set transform 3DES_MD5
reverse-route

!
! Configure IPSec HA; R5 keeps the default priority (100) and does not
! preempt, so R2 is active whenever both routers are up and running
!
interface FastEthernet 0/1
standby 1 name HSRP1
crypto map VPN redundancy HSRP1

!
! Redistribute the static (VPN-injected) routes into the OSPF and EIGRP
! domains; the “subnets” keyword is required under OSPF so that non-classful
! networks are redistributed; EIGRP normally needs a seed metric for
! redistributed routes, except for connected and static routes
!
router ospf 1
redistribute static subnets
!
router eigrp 100
redistribute static

ASA1:
!
! Modify the DH group to match the default on routers
!
crypto isakmp policy 20
encr 3des
hash md5
group 1
auth pre-share

!
! Bind the pre-shared key to the HSRP virtual IP address; the ASA creates the
! tunnel-group automatically (this is the legacy way of creating tunnel-groups).
!
crypto isakmp key CISCO address 141.1.100.25

!
! Identify the interesting traffic in an ACL and configure the IKE Phase 2
! parameters
!
access-list FROM_VLAN8 permit ip 10.8.8.0 255.255.255.0 any
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!
! Configure a static crypto-map entry with a sequence number lower than the
! existing dynamic entry, peering with the HSRP virtual IP address
!
crypto map VPN 10 match address FROM_VLAN8
crypto map VPN 10 set peer 141.1.100.25
crypto map VPN 10 set transform-set 3DES_MD5

!
! Tune ISAKMP keepalives for tunnel-group 141.1.100.25
!
tunnel-group 141.1.100.25 ipsec-attributes
isakmp keepalive threshold 10 retry 2

Task 3.6 Verification


Verify that R2 is the HSRP active node, then generate interesting traffic from
SW2 to trigger IPSec encryption.

SCRack4R2#show standby brief


P indicates configured to preempt.
|
Interface   Grp Pri P State   Active          Standby         Virtual IP
Fa0/0       1   101 P Active  local           141.1.100.5     141.1.100.25

SCRack4R5#show standby brief


P indicates configured to preempt.
|
Interface   Grp Pri P State   Active          Standby         Virtual IP
Fa0/1       1   100   Standby 141.1.100.2     local           141.1.100.25

SCRack4SW2#ping 150.4.4.4 source vlan 8 repeat 512

Type escape sequence to abort.


Sending 512, 100-byte ICMP Echos to 150.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.8.8.8
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...!!!!!!!
Success rate is 99 percent (508/512), round-trip min/avg/max = 116/120/172 ms

In the above output, the first packet is lost while the IPSec tunnel is being
established; the other three are lost while R2 reloads and the HSRP active
role moves to R5.
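The loss pattern above can be read mechanically. The script below is an added example, not part of the workbook: it takes a Cisco ping transcript, joins the result line (which wraps when the repeat count is large), finds each run of lost echoes and bounds the outage each run represents from the timeout in the header. The transcript it runs on is constructed with 40 echoes to mirror the pattern above: one echo lost at the start while the SA is negotiated, three lost mid-run during the failover. Because an echo is only declared lost after one full timeout, n consecutive dots mean the path was down for somewhere between (n-1) and n timeout periods, so the result is a bracket, not a measurement.

```python
import re

# Added example, not part of the workbook: bound the failover outage from the
# '!' / '.' result string of a Cisco ping.
PATTERN_CHARS = set("!.UQMN?&")          # Cisco ping result characters

# Constructed sample shaped like the SW2 output above: 40 echoes, the first
# lost during SA negotiation, three lost during the HSRP failover.
_PATTERN = "." + "!" * 26 + "..." + "!" * 10
PING_OUTPUT = ("Sending 40, 100-byte ICMP Echos to 150.4.4.4, timeout is 2 seconds:\n"
               + "Packet sent with a source address of 10.8.8.8\n"
               + _PATTERN + "\n"
               + "Success rate is 90 percent (36/40), round-trip min/avg/max = 116/120/172 ms\n")


def parse_ping(text):
    """Echo count, timeout, the joined result pattern and the reported (ok, sent)."""
    sent = int(re.search(r"Sending (\d+),", text).group(1))
    timeout = int(re.search(r"timeout is (\d+) seconds", text).group(1))
    # Result lines contain only result characters; long patterns wrap over lines.
    pattern = "".join(l.strip() for l in text.splitlines()
                      if l.strip() and set(l.strip()) <= PATTERN_CHARS)
    m = re.search(r"\((\d+)/(\d+)\)", text)
    reported = (int(m.group(1)), int(m.group(2))) if m else None
    return {"sent": sent, "timeout": timeout, "pattern": pattern, "reported": reported}


def loss_runs(pattern, timeout):
    """Runs of non-'!' results: first index, length, (min, max) seconds of outage."""
    runs, start = [], None
    for i, ch in enumerate(pattern + "!"):           # sentinel closes a trailing run
        if ch != "!" and start is None:
            start = i
        elif ch == "!" and start is not None:
            n = i - start
            runs.append({"first": start, "count": n, "seconds": ((n - 1) * timeout, n * timeout)})
            start = None
    return runs


def analyze(text):
    """Loss runs with a cause label, plus a consistency check on the summary line."""
    p = parse_ping(text)
    runs = loss_runs(p["pattern"], p["timeout"])
    for r in runs:
        # Loss at the very start is normally IKE/IPsec negotiation; anything later is an outage.
        r["cause"] = "SA negotiation" if r["first"] == 0 else "outage"
    received = p["pattern"].count("!")
    consistent = (len(p["pattern"]) == p["sent"]
                  and (p["reported"] is None or p["reported"] == (received, p["sent"])))
    return {"received": received, "runs": runs, "consistent": consistent}
```

For the three-dot run the bracket is 4 to 6 seconds with the default timeout, which is the number to compare against the DPD and HSRP timers configured in the solution when deciding whether the failover met its target.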

SCRack4R2#show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.2.2 150.4.3.3 QM_IDLE 1025 0 ACTIVE
141.1.123.1 141.1.123.2 GDOI_IDLE 1026 0 ACTIVE
150.4.1.1 150.4.2.2 QM_IDLE 1029 0 ACTIVE
150.4.5.5 150.4.2.2 QM_IDLE 1030 0 ACTIVE
230.15.15.15 141.1.123.1 GDOI_REKEY 1094 0 ACTIVE
141.1.100.25 141.1.100.12 QM_IDLE 1095 0 ACTIVE

IPv6 Crypto ISAKMP SA

SCRack4R2#sho crypto ipsec sa interface fastEthernet 0/0

interface: FastEthernet0/0
Crypto map tag: VPN, local addr 141.1.100.25

protected vrf: (none)


local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.8.8.0/255.255.255.0/0/0)
current_peer 141.1.100.12 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 133, #pkts encrypt: 133, #pkts digest: 133
#pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 141.1.100.25, remote crypto endpt.: 141.1.100.12
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x53985FA2(1402494882)

inbound esp sas:


spi: 0xBE8A2493(3196724371)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 947, flow_id: 947, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4587957/3444)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

<snip>

outbound esp sas:


spi: 0x53985FA2(1402494882)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 948, flow_id: 948, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4587957/3444)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

Reload R2 and confirm that R5 takes over:

SCRack4R2#reload
Proceed with reload? [confirm]

SCRack4R5#show standby brief


P indicates configured to preempt.
|
Interface   Grp Pri P State   Active          Standby         Virtual IP
Fa0/1       1   100   Active  local           unknown         141.1.100.25

SCRack4R5#show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
141.1.100.25 141.1.100.12 QM_IDLE 1003 0 ACTIVE

IPv6 Crypto ISAKMP SA

SCRack4R5#show crypto ipsec sa

interface: FastEthernet0/1
Crypto map tag: VPN, local addr 141.1.100.25

protected vrf: (none)


local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.8.8.0/255.255.255.0/0/0)
current_peer 141.1.100.12 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 316, #pkts encrypt: 316, #pkts digest: 316
#pkts decaps: 316, #pkts decrypt: 316, #pkts verify: 316
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 141.1.100.25, remote crypto endpt.: 141.1.100.12
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x5297367B(1385641595)

inbound esp sas:


spi: 0x45784765(1165510501)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 55, flow_id: 55, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4559247/3411)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x5297367B(1385641595)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 56, flow_id: 56, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4559247/3411)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Once R2 has rebooted it preempts and becomes the HSRP active node again;
generate more traffic to trigger tunnel establishment to R2.

SCRack4R5#show standby brief


P indicates configured to preempt.
|
Interface   Grp Pri P State   Active          Standby         Virtual IP
Fa0/1       1   100   Standby 141.1.100.2     local           141.1.100.25

SCRack4R5#show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.5.5 150.4.2.2 QM_IDLE 1004 0 ACTIVE
150.4.2.2 150.4.5.5 QM_IDLE 1005 0 ACTIVE

IPv6 Crypto ISAKMP SA

SCRack4R2#show standby brief


P indicates configured to preempt.
|
Interface   Grp Pri P State   Active          Standby         Virtual IP
Fa0/0       1   101 P Active  local           141.1.100.5     141.1.100.25

SCRack4SW2#ping 150.4.4.4 source vlan 8 repeat 10

Type escape sequence to abort.


Sending 10, 100-byte ICMP Echos to 150.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.8.8.8
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 116/118/120
ms

SCRack4R2#show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.2.2 150.4.3.3 QM_IDLE 1003 0 ACTIVE
141.1.123.1 141.1.123.2 GDOI_IDLE 1001 0 ACTIVE
150.4.5.5 150.4.2.2 QM_IDLE 1005 0 ACTIVE
150.4.2.2 150.4.5.5 QM_IDLE 1006 0 ACTIVE
230.15.15.15 141.1.123.1 GDOI_REKEY 1008 0 ACTIVE
141.1.100.25 141.1.100.12 QM_IDLE 1007 0 ACTIVE
150.4.2.2 150.4.1.1 QM_IDLE 1004 0 ACTIVE

IPv6 Crypto ISAKMP SA

SCRack4R2#show crypto ipsec sa interface fastEthernet 0/0

interface: FastEthernet0/0
Crypto map tag: VPN, local addr 141.1.100.25

protected vrf: (none)


local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.8.8.0/255.255.255.0/0/0)
current_peer 141.1.100.12 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 141.1.100.25, remote crypto endpt.: 141.1.100.12
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x43AE288A(1135487114)

inbound esp sas:


spi: 0x39B1CDF7(967953911)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 15, flow_id: 15, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4451068/3558)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x43AE288A(1135487114)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 16, flow_id: 16, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4451068/3558)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
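Every verification in Tasks 3.4, 3.5 and 3.6 comes down to the same reading of show crypto ipsec sa: did the encaps/decaps counters grow after interesting traffic, are there send errors (R3 shows 9 in Task 3.4), are the SAs ACTIVE with replay detection, and is the mode (transport for the GRE tunnels, tunnel for GETVPN and the HSRP pair) what the task asked for. The script below is an added example, not part of the workbook: it parses two snapshots of that output, reports the counter growth per ident pair, and audits each SA. The snapshots are built from a template shaped like the R2 Tunnel21 output (the counters are illustrative, not captured); the GDOI snapshot mirrors the group-member output, where the shared TEK gives identical inbound and outbound SPIs, which the audit flags unless told the SA is group-keyed. It also flags 3DES and MD5 as legacy transforms: the lab requires them, but a production peer should not be negotiating them.

```python
import re

# Added example, not part of the workbook. _snapshot builds constructed text
# shaped like the 'show crypto ipsec sa' output above; counters are illustrative.
def _snapshot(encaps, decaps, send_err, in_spi, out_spi, mode="Transport",
              peer="150.4.1.1 port 500", transform="esp-3des esp-md5-hmac"):
    return f"""   local  ident (addr/mask/prot/port): (150.4.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.4.1.1/255.255.255.255/47/0)
   current_peer {peer}
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #send errors {send_err}, #recv errors 0
     inbound esp sas:
      spi: {in_spi}
        transform: {transform} ,
        in use settings ={{{mode}, }}
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: {out_spi}
        transform: {transform} ,
        in use settings ={{{mode}, }}
        replay detection support: Y
        Status: ACTIVE
"""

BEFORE = _snapshot(22, 22, 0, "0x1035BAC5(271956677)", "0x83029897(2197985431)")
AFTER = _snapshot(27, 27, 0, "0x1035BAC5(271956677)", "0x83029897(2197985431)")
# GETVPN group member: the TEK is shared, so inbound and outbound SPIs are equal
GDOI = _snapshot(5, 5, 0, "0x80C99C15(2160696341)", "0x80C99C15(2160696341)",
                 mode="Tunnel", peer="port 848", transform="esp-aes esp-sha-hmac")
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}   # fails a modern review


def parse_ipsec_sa(text):
    """One record per local/remote ident pair: counters plus its ESP SAs."""
    entries, cur, direction = [], None, None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if words[:2] == ["local", "ident"]:
            cur = {"local": line.split(":", 1)[1].strip(), "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0, "send_err": 0, "recv_err": 0, "sas": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif words[:2] == ["remote", "ident"]:
            cur["remote"] = line.split(":", 1)[1].strip()
        elif line.startswith("current_peer"):          # GDOI shows no peer, only the port
            cur["peer"] = words[1] if len(words) > 1 and words[1] != "port" else None
        elif line.startswith("#pkts encaps"):
            cur["encaps"] = int(re.search(r"encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps"):
            cur["decaps"] = int(re.search(r"decaps: (\d+)", line).group(1))
        elif line.startswith("#send errors"):
            m = re.search(r"#send errors (\d+), #recv errors (\d+)", line)
            cur["send_err"], cur["recv_err"] = int(m.group(1)), int(m.group(2))
        elif line.endswith("esp sas:"):
            direction = words[0]                        # 'inbound' or 'outbound'
        elif line.startswith("spi:"):
            cur["sas"].append({"dir": direction, "spi": words[1].split("(")[0],
                               "transform": [], "mode": None, "replay": False, "status": None})
        elif cur["sas"] and line.startswith("transform:"):
            cur["sas"][-1]["transform"] = line.split(":", 1)[1].strip(" ,").split()
        elif cur["sas"] and line.startswith("in use settings"):
            cur["sas"][-1]["mode"] = re.search(r"=\{(\w+)", line).group(1)
        elif cur["sas"] and line.startswith("replay detection"):
            cur["sas"][-1]["replay"] = line.endswith("Y")
        elif cur["sas"] and line.startswith("Status:"):
            cur["sas"][-1]["status"] = words[-1]
    return entries


def audit(entries, expect_mode=None, group_keyed=False):
    """Findings a reviewer would raise before signing the tunnel off."""
    issues = []
    for e in entries:
        tag = "%s -> %s" % (e["local"], e["remote"])
        if e["send_err"]:
            issues.append("%s: %d send errors" % (tag, e["send_err"]))
        spis = {d: {s["spi"] for s in e["sas"] if s["dir"] == d} for d in ("inbound", "outbound")}
        if spis["inbound"] & spis["outbound"] and not group_keyed:
            issues.append("%s: inbound and outbound SPIs match (only a GDOI group key should)" % tag)
        weak = sorted({t for s in e["sas"] for t in s["transform"] if t in WEAK})
        if weak:
            issues.append("%s: legacy transform %s" % (tag, " ".join(weak)))
        for s in e["sas"]:
            if s["status"] != "ACTIVE":
                issues.append("%s: %s SA %s is %s" % (tag, s["dir"], s["spi"], s["status"]))
            if not s["replay"]:
                issues.append("%s: %s SA %s has no replay protection" % (tag, s["dir"], s["spi"]))
            if expect_mode and s["mode"] != expect_mode:
                issues.append("%s: %s SA %s is %s mode, expected %s"
                              % (tag, s["dir"], s["spi"], s["mode"], expect_mode))
    return issues


def counter_delta(before, after):
    """(encaps, decaps) growth per ident pair between two snapshots."""
    prev = {(e["local"], e["remote"]): e for e in before}
    delta = {}
    for e in after:
        key = (e["local"], e["remote"])
        old = prev.get(key, {"encaps": 0, "decaps": 0})
        delta[key] = (e["encaps"] - old["encaps"], e["decaps"] - old["decaps"])
    return delta
```

Take one snapshot before the ping and one after; a delta of (5, 5) for five echoes confirms the traffic actually went through the SA rather than around it (an unencrypted path with a matching route shows the same ping success but no counter growth). A non-zero send-error count with growing encaps, as on R3 in Task 3.4, usually means packets arrived before the SA was ready and is harmless once it stops increasing.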

Task 4.1 Solution


!
! Initialize and configure the IPS
!
ips# setup

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
network-settings
host-ip 1.1.1.1/24,1.1.1.254
host-name ips
telnet-option disabled
ftp-timeout 300
!
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

Current time: Tue Sep 8 09:39:05 2009

Setup Configuration last modified: Sat Sep 05 02:44:57 2009

Continue with configuration dialog?[yes]: yes


Enter host name[ips]: IPS
Enter IP interface[1.1.1.1/24,1.1.1.254]: 141.1.255.10/24,141.1.255.12
Enter telnet-server status[disabled]: enable
Enter web-server port[443]: 777
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 10.0.0.100/32
Permit:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 141.1.255.10/24,141.1.255.12
host-name IPS
telnet-option enabled
access-list 10.0.0.100/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 777
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]: 2


Configuration Saved.
*09:41:34 UTC Tue Sep 08 2009
Modify system date and time?[no]:

SW1:
!
! Configure the C&C port of IPS in vlan 255
!
interface FastEthernet 0/10
switchport mode access
switchport access vlan 255

A static PAT for TCP port 443 was configured in an earlier task, so HTTPS
already reaches the sensor (the setup dialog moved its web server to port 777,
which is what the conn table below shows on the inside). An additional static
entry is needed so that telnet and ICMP can reach the sensor as well.

ASA1:
!
! Configure the static
!
static (inside,outside) 141.1.100.10 141.1.255.10 netmask 255.255.255.255
!
! Configure a object-group to match traffic to IPS
!
object-group service IPS_STUFF
service-object tcp eq telnet
service-object tcp eq https
service-object icmp
!
! Create the ACL using a single line and apply it inbound on the outside
! interface
!
access-list outside_in permit object-group IPS_STUFF host 10.0.0.100 host 141.1.100.10
access-group outside_in in interface outside

Task 4.1 Verification


Validate connectivity from the sensor to its default gateway 141.1.255.12:

ips# ping 141.1.255.12


PING 141.1.255.12 (141.1.255.12): 56 data bytes
64 bytes from 141.1.255.12: icmp_seq=0 ttl=255 time=0.4 ms
64 bytes from 141.1.255.12: icmp_seq=1 ttl=255 time=0.3 ms
64 bytes from 141.1.255.12: icmp_seq=2 ttl=255 time=0.3 ms
64 bytes from 141.1.255.12: icmp_seq=3 ttl=255 time=0.3 ms

--- 141.1.255.12 ping statistics ---


4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.4 ms

Verify that telnet, icmp and https access to the IPS work:

Rack4ASA# show conn


18 in use, 22 most used
TCP outside 10.0.0.100:4967 inside 141.1.255.10:777, idle 0:00:00, bytes 2851, flags UIOB
TCP outside 10.0.0.100:4957 inside 141.1.255.10:23, idle 0:00:27, bytes 2430, flags UIOB

Task 4.2 Solution


SW2:
!
! Configure the C&C port of the sensor as trunk; allow only necessary VLANs
!
interface fastEthernet 0/10
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 100,101
!
! Create vlan 101; VTP is not configured so manual creation of vlan 101 on
! both switches is required; on SW1 vlan 101 will be automatically created
! when the command “switchport access vlan 101” is entered on SW1
!
vlan 101
!
SW1:
!
! Put R2 interface FastEthernet0/0 in vlan 101
!
interface fastEthernet 0/2
switchport access vlan 101


IDM:

Step 1:

Run IDM. Go to Configuration | Interface Configuration | VLAN Pairs and click Add:


Step 2:

Assign the new inline VLAN pair to the default virtual sensor. Go to
Configuration | Analysis Engine | Virtual Sensors and click
Edit. In the new window click Assign:


Step 3:

Enable the sensing interface. Go to Configuration | Interface Configuration and click Enable:


Task 4.2 Verification


Verify that R2 still has connectivity to R5 and ASA.

SCRack4R2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State    Active          Standby         Virtual IP
Fa0/0       1    101 P Active   local           141.1.100.5     141.1.100.25

SCRack4R2#show ip ospf neighbor fastEthernet 0/0

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.4.5.5         0   FULL/  -        00:00:34    141.1.100.5     FastEthernet0/0

SCRack4R2#ping 141.1.100.12

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 141.1.100.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

SCRack4R2#ping 141.1.100.5

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 141.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms

Task 4.3 Solution


R2:
username IPS privilege 15 secret cisco
line vty 0 4
login local


IDM:

Step 1:

Add an SSH host key for R2 to the list of trusted public keys in the IPS. This is
required for the blocking/rate-limiting feature. Go to Configuration | SSH |
Known Host Keys and click Add:


Step 2:

Create a new device login profile for R2. Go to Configuration | Blocking | Device Login Profiles and click Add:


Step 3:

Create a new blocking device with the IP address of R2 and associate it with the
device login profile. Make sure the Rate Limit capability is enabled for this
device. Go to Configuration | Blocking | Blocking Devices and
click Add:


Step 4:

Add a new blocking device interface for R2 and specify the outgoing direction for
“Serial 0/0.123”. Go to Configuration | Blocking | Router Blocking
Device Interfaces and click Add:


Step 5:

Now tune the ICMP Flood signature (Sig ID 2152). Go to Configuration |
Signature Definition | sig0, look for signature 2152 and click Edit.

Edit the Event Action setting for this signature to Produce Alert and
Request Rate-Limit. Modify the External Rate Limit Percentage
and Rate to 1 and 75:


Task 4.3 Verification


Flood R2 FastEthernet0/0 with ICMP echo packets and verify that IPS rate-limits
traffic outbound on Serial0/0.123.

SCRack4R5#ping 141.1.100.2 repeat 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 141.1.100.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/5/77 ms

SCRack4R2#show run interface serial 0/0.123


Building configuration...

Current configuration : 298 bytes


!
interface Serial0/0.123 multipoint
ip address 141.1.123.2 255.255.255.0
ip ospf network point-to-multipoint
snmp trap link-status
frame-relay map ip 141.1.123.1 201 broadcast
frame-relay map ip 141.1.123.3 203 broadcast
crypto map map-group1
service-policy output IDS_RL_POLICY_MAP_1

SCRack4R2#show policy-map interface serial 0/0.123

Serial0/0.123

Service-policy output: IDS_RL_POLICY_MAP_1

Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-8-1_1 (match-any)


0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name IDS_RL_ACL_icmp-xxBx-8-1_1
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 1 %
cir 15000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
<snip>


SCRack4R2#show access-lists IDS_RL_ACL_icmp-xxBx-8-1_1


Extended IP access list IDS_RL_ACL_icmp-xxBx-8-1_1
10 permit icmp any host 141.1.100.2 echo

Task 4.4 Solution

IPS:
!
! Configure the sensor to block a user account after 10 unsuccessful logins;
! the default is 0, which means the feature is disabled
!
sensor# conf t
sensor(config)# service authentication
sensor(config-aut)# attemptLimit 10
sensor(config-aut)# exit
Apply Changes?[yes]: yes


Task 4.5 Solution


IDM:

Add a new event action filter in the IPS that filters all events generated by R5.
Go to Configuration | Policies | Event Action Rules | rules0,
click Event Action Filters and then click Add. Add 150.X.5.5 as the
attacker address and select all actions to subtract. After this, repeat the same
with R5’s IP address as the victim IP:


Task 4.5 Verification


We need to perform two tests: the first one with R5’s Loopback0 as the attacker
IP address (ICMP flood to R2 FastEthernet0/0) and the second one with R5’s
Loopback0 as the victim (ICMP flood from R2 FastEthernet0/0).

!
! We’ll temporarily shut down the serial interface between R2 and R5 to make
! sure the pings run over the Ethernet segment, where the IPS is inline
!
SCRack4R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SCRack4R5(config)#interface serial 0/0.25
SCRack4R5(config-subif)#shutdown

SCRack4R5#ping 141.1.100.2 source loopback 0 re 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 141.1.100.2, timeout is 2 seconds:
Packet sent with a source address of 150.4.5.5
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/5 ms

SCRack4R2#ping 150.4.5.5 source fastEthernet 0/0 repeat 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 150.4.5.5, timeout is 2 seconds:
Packet sent with a source address of 141.1.100.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/5 ms

!
! We see there is no policing/rate-limiting in place. This means
! signature 2152 did not fire when R5 Loopback0 was the victim/attacker
!
SCRack4R2#show policy-map interface serial 0/0.123

Serial0/0.123

Service-policy output: IDS_RL_POLICY_MAP_0

Class-map: class-default (match-any)


326 packets, 38791 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any


Verify that the signature is triggered by flooding over the Ethernet segment:

R5:
SCRack4R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SCRack4R5(config)#interface serial 0/0.25
SCRack4R5(config-subif)#no shut

SCRack4R5#ping 141.1.100.2 re 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 141.1.100.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/32 ms

SCRack4R2#show policy-map interface serial 0/0.123

Serial0/0.123

Service-policy output: IDS_RL_POLICY_MAP_1

Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-8-1_1 (match-any)


0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name IDS_RL_ACL_icmp-xxBx-8-1_1
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 1 %
cir 15000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)


8 packets, 1056 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

SCRack4R2#show access-lists IDS_RL_ACL_icmp-xxBx-8-1_1


Extended IP access list IDS_RL_ACL_icmp-xxBx-8-1_1
10 permit icmp any host 141.1.100.2 echo


Task 5.1 Solution


R5:
!
! Enable AAA on the router. Configure 2 authentication lists, one for VTY and
! one for console access
!
aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE local
!
! Create the users locally for fallback authentication
!
username ADMIN password cisco
username NOC password cisco

!
! Authorize commands at level 15 and authorize exec attributes. There is no
! need for a local “fallback”, since it is not specified in the task for VTY and
! at the console authorization is not required
!
aaa authorization commands 15 default group tacacs+
aaa authorization exec default group tacacs+

!
! Configure tacacs server connection attributes
!
tacacs-server host 10.0.0.100 key CISCO
ip tacacs source-interface Loopback0

!
! Apply the authentication lists to the console, aux and VTY lines
!
line console 0
login authentication CONSOLE
!
line aux 0
login authentication CONSOLE
!
line vty 0 4
login authentication VTY


AAA Server:

Step 1:

Add R5 as a new TACACS+ client device in the ACS server. Go to Network Configuration and click Add Entry under AAA Clients:


Step 2:

Add a new Shared Profile Component | Shell Command Authorization Set
named “ADMIN” permitting full access to the device. Go to Shared Profile
Components, Shell Command Authorization Set and click Add:


Step 3:

Add a new Shared Profile Component | Shell Command Authorization Set
named “NOC” that blocks the “configure” command. Go to Shared Profile
Components, Shell Command Authorization Set and click Add:


Step 4:

Add a user named “ADMIN” and associate the command authorization set
“ADMIN” with this user. Additionally, configure “privilege level” of 15 and enable
“shell (exec)” under TACACS+ Settings.


Step 5:

Add a user named “NOC” and associate the command authorization set “NOC”
with this user. Additionally, configure “privilege level” of 15 and enable “shell
(exec)” under TACACS+ Settings.


Task 5.1 Verification


Confirm that users authenticate successfully via TACACS+; test that users are
authorized as stated in the tasks; check that the console uses local
authentication.

SCRack4R5#test aaa group tacacs+ ADMIN cisco legacy


Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

SCRack4R5#test aaa group tacacs+ NOC cisco legacy


Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.


SCRack4R2#telnet 141.1.100.5
Trying 141.1.100.5 ... Open

Username: ADMIN
Password:

SCRack4R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SCRack4R5(config)#interface fastEthernet 0/0

SCRack4R2#telnet 141.1.100.5
Trying 141.1.100.5 ... Open

Username: NOC
Password:

SCRack4R5#conf t
Command authorization failed.

SCRack4R5#conf n
Command authorization failed.

SCRack4R5#dir
Directory of flash:/

    1  -rw-    19596460   Mar 16 2009 05:35:09 +00:00  c2600-advsecurityk9-mz.124-15.T8.bin
    2  -rw-        3602   Jun 9 2009 23:17:09 +00:00   cristian.config

33030140 bytes total (13429948 bytes free)


SCRack4R5#show running-config
Building configuration...

Current configuration : 3461 bytes


<snip>
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SCRack4R5
!
boot-start-marker
boot-end-marker
!
logging console notifications
enable password cisco
!
aaa new-model
!
!
aaa authentication login VTY group tacacs+ local

Console Access

User Access Verification

Username: ADMIN
Password:

SCRack4R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SCRack4R5(config)#exit
Sep 8 15:22:32.126: %SYS-5-CONFIG_I: Configured from console by ADMIN on console
SCRack4R5#show user
    Line       User       Host(s)              Idle       Location
*    0 con 0     ADMIN      idle                 00:00:00


Task 5.2 Solution


ASA1:
!
! Configure the static for SW2 Loopback address
!
static (inside,outside) 141.1.100.88 150.4.8.8 netmask 255.255.255.255

SW2:
!
! Enable AAA on the switch and configure dot1x authentication via radius
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Configure an authentication list for VTY
!
aaa authentication login VTY line
!
! Enable dot1x authentication globally on the switch
!
dot1x system-auth-control
!
! Enable dot1x authentication attributes on port 16
!
interface FastEthernet0/16
switchport mode access
dot1x port-control auto
dot1x guest-vlan 5
dot1x auth-fail vlan 43
no shutdown
!
! Configure the connection with radius server
!
ip radius source-interface Loopback 0
radius-server host 10.0.0.100
radius-server key cisco
!
! Apply the VTY list on VTY lines
!
line vty 0 15
login authentication VTY


AAA Server:

Step 1:

Add SW2 as a RADIUS client to the ACS server using the authentication key
“cisco”.

Step 2:

Modify the RADIUS Interface configuration to allow the Tunnel-Type,
Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes for the ACS user profiles.

Go to Interface Configuration | RADIUS (IETF) to enable these attributes:


Step 3:

Add a new user to the ACS server named “dot1x-user”. Configure the RADIUS
attributes for the new user per the screenshot below. Make sure the Tags of the
values are set to 1 and configure the exact name of the VLAN, which in our case
is “VLAN0255”:
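To see why the tag and the exact VLAN name matter, here is a small model of the port's VLAN decision for the configuration above. It is an added example, not workbook or Cisco code: the VLAN table is constructed, the attribute numbers are the IETF RADIUS ones (64, 65, 81), and the behaviour for an unusable assignment (authorization fails, port stays unauthorized) and for attributes with a tag other than 1 (ignored) is assumed from the Catalyst documentation.

```python
"""Model of the 802.1X VLAN assignment on SW2 FastEthernet0/16 (Task 5.2).

Added example, not from the workbook: it mirrors the port configuration
(port-control auto, guest-vlan 5, auth-fail vlan 43) and the ACS attributes
(Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, tag 1, VLAN name
"VLAN0255") and shows which VLAN the port lands in for each outcome.
"""

# IETF RADIUS attribute numbers (RFC 2868) and the values IOS expects.
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN name or number, sent as a string
TUNNEL_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}

# Constructed VLAN database for SW2 (name -> id), as "show vlan" would list it.
SW2_VLANS = {"VLAN0005": 5, "VLAN0012": 12, "VLAN0043": 43, "VLAN0255": 255}

# FastEthernet0/16 settings from the solution; access VLAN 1 is the default.
PORT_CONFIG = {"guest_vlan": 5, "auth_fail_vlan": 43, "access_vlan": 1}


def vlan_from_radius(attrs, vlan_db):
    """Interpret the tunnel attributes of an Access-Accept.

    attrs is a list of (attribute number, tag, value) tuples.
    Returns ("none", None) when no VLAN assignment was sent,
            ("ok", vlan_id) when a usable assignment was sent,
            ("invalid", None) when one was sent but cannot be applied.
    """
    # Only tag 1 is honoured; attributes with another tag are ignored here
    # (assumption; this is why the ACS profile insists on the tag being 1).
    tagged = {attr: value for attr, tag, value in attrs
              if attr in TUNNEL_ATTRS and tag == 1}
    if not tagged:
        return ("none", None)
    if tagged.get(TUNNEL_TYPE) != 13 or tagged.get(TUNNEL_MEDIUM_TYPE) != 6:
        return ("invalid", None)
    group = tagged.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return ("invalid", None)
    if group.isdigit():                      # numeric VLAN id
        vid = int(group)
        return ("ok", vid) if vid in vlan_db.values() else ("invalid", None)
    if group in vlan_db:                     # VLAN name, exact match only
        return ("ok", vlan_db[group])
    return ("invalid", None)


def port_vlan(outcome, attrs, port_cfg, vlan_db):
    """Decide the port state and VLAN after 802.1X completes.

    outcome: "no-response" (no supplicant, as with the Test PC on Fa0/20),
             "fail" (supplicant present, credentials rejected),
             "success" (Access-Accept carrying attrs).
    Returns (state, vlan_id).
    """
    if outcome == "no-response":
        return ("authorized", port_cfg["guest_vlan"])
    if outcome == "fail":
        return ("authorized", port_cfg["auth_fail_vlan"])
    if outcome == "success":
        status, vid = vlan_from_radius(attrs, vlan_db)
        if status == "ok":
            return ("authorized", vid)
        if status == "none":
            return ("authorized", port_cfg["access_vlan"])
        # Assignment requested but unusable: authorization fails and the
        # port stays unauthorized rather than landing in the wrong VLAN
        # (assumed from the Catalyst documentation).
        return ("unauthorized", None)
    raise ValueError("unknown 802.1X outcome: %s" % outcome)


if __name__ == "__main__":
    good = [(TUNNEL_TYPE, 1, 13), (TUNNEL_MEDIUM_TYPE, 1, 6),
            (TUNNEL_PRIVATE_GROUP_ID, 1, "VLAN0255")]
    wrong_name = [(TUNNEL_TYPE, 1, 13), (TUNNEL_MEDIUM_TYPE, 1, 6),
                  (TUNNEL_PRIVATE_GROUP_ID, 1, "vlan255")]
    cases = [("Test PC, no supplicant", "no-response", []),
             ("bad password", "fail", []),
             ("dot1x-user, correct ACS profile", "success", good),
             ("dot1x-user, VLAN name typo", "success", wrong_name)]
    for label, outcome, attrs in cases:
        print("%-35s -> %s" % (label, port_vlan(outcome, attrs, PORT_CONFIG, SW2_VLANS)))
```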


Task 5.2 Verification


For verification we configure the port connected to the Test PC in the same
manner as FastEthernet0/16. Since the client does not have an 802.1x supplicant,
the port should be assigned to vlan 5.

SW2:
interface FastEthernet0/20
switchport mode access
dot1x port-control auto
dot1x guest-vlan 5
dot1x auth-fail vlan 43

SCRack4SW2#test aaa group radius dot1x-user cisco legacy


Attempting authentication test to server-group radius using radius
User was successfully authenticated.

After some time these messages appear at the SW2 console:

%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/20
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for
client (Unknown MAC) on Interface Fa0/20
AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC)
on Interface Fa0/20
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for
client (Unknown MAC) on Interface Fa0/20
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on
Interface Fa0/20
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20,
changed state to up

SCRack4SW2#show dot1x all summary


Interface       PAE     Client          Status
--------------------------------------------------------
Fa0/16          AUTH    none            UNAUTHORIZED
Fa0/20          AUTH    none            UNAUTHORIZED

SCRack4SW2#show dot1x interface fastEthernet 0/20


Dot1x Info for FastEthernet0/20
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST


SCRack4SW2#show vlan id 5

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
5    VLAN0005                         active    Fa0/20, Fa0/23

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
5    enet  100005     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

SW2:
!
! Revert the configuration on FastEthernet0/20
!
default interface FastEthernet0/20
interface FastEthernet0/20
switchport mode access
switchport access vlan 12

Confirm that VTY authentication on SW2 uses the line password.

SCRack4SW2#telnet 150.4.8.8
Trying 150.4.8.8 ... Open

User Access Verification

Password:

SCRack4SW2>en
Password:
SCRack4SW2#exit

[Connection to 150.4.8.8 closed by foreign host]


SCRack4SW2#


Task 5.3 Solution


Authenticated users receive a downloadable ACL from the ACS server, so we use
the “per-user-override” option on the outside interface ACL.

ASA1:
!
! Configure the outside ACL to allow per-user entries
!
access-group outside_in in int outside per-user-override

!
! Configure the interesting traffic for cut-through proxy
!
access-list AUTH permit tcp 10.0.0.0 255.0.0.0 any eq telnet

!
! Configure the ASA to speak radius with the ACS server
!
aaa-server RAD protocol radius
aaa-server RAD (outside) host 10.0.0.100
key cisco

!
! Enable authentication for connections through the ASA
!
aaa authentication match AUTH outside RAD


ACS:

Step 1:

Add the ASA as a new RADIUS client to the ACS server. Then, add a new
downloadable ACL to the ACS server. To do that, go to Shared Profile
Components | Downloadable IP ACLs and click Add:


Step 2:

Add a new user named “user-cut” in the ACS and associate the downloadable
ACL with the user.


Step 3:

Make sure the Passed Authentication log is enabled. Go to System Configuration | Logging:


Task 5.3 Verification


Initiate a connection across the firewall and authenticate with the cut-through
proxy:


Rack4ASA(config)# show uauth


                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'user-cut' at 10.0.0.100, authenticated
access-list #ACSACL#-IP-ACL1-4a94bc12 (*)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00

Rack4ASA(config)# show access-list #ACSACL#-IP-ACL1-4a94bc12

access-list #ACSACL#-IP-ACL1-4a94bc12; 2 elements (dynamic)


access-list #ACSACL#-IP-ACL1-4a94bc12 line 1 extended permit icmp any any (hitcnt=0) 0xbfd50db2
access-list #ACSACL#-IP-ACL1-4a94bc12 line 2 extended permit tcp host 10.0.0.100 host 141.1.100.10 eq telnet (hitcnt=1) 0xe1b7aba2

Task 5.4 Solution


ASA1:
!
! Enable SSH on the ASA
!
domain-name internetworkexperts.com
crypto key generate rsa modulus 1024
!
! Allow ssh connections from any host on the inside interface
!
ssh 0 0 inside
!
! Enable ssh authentication via the radius server
!
aaa authentication ssh console RAD

AAA Server:

Add a new user in the ACS server named “SSHUSER” with the password “cisco”.


Task 5.4 Verification


Initiate an SSH connection from SW2 to the ASA and authenticate using the user
created in the ACS server. Check the “Passed Authentication Logs” on the ACS.

SCRack4SW2#ssh -l sshuser 141.1.255.12

Password:
Type help or '?' for a list of available commands.
Rack4ASA>

ACS:

Check the passed authentications report in the ACS:


Task 6.1 Solution


For a clean key transition, the EIGRP neighbors must have their clocks synchronized.
EIGRP authentication requires both the key number and the key string to match on the
peers.

R4:
!
! Configure R4 as NTP stratum level 2
!
ntp master 2
!
! Configure authentication
!
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
!
! Configure peering with R5 and timezone
!
ntp peer 150.4.5.5 key 1 source Loopback 0
clock timezone PST -8
clock summer-time PDT recurring

R5:
!
! Configure R5 as NTP stratum level 2
!
ntp master 2

!
! Configure authentication
!
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate

!
! Configure peering with R4 and timezone
!
ntp peer 150.4.4.4 key 1 source Loopback 0
clock timezone PST -8
clock summer-time PDT recurring


R4 and R5:
!
! Configure the key chain for EIGRP. Notice the overlap between the
! accept-lifetimes of the two keys
!
key chain EIGRP
key 1
key-string CISCO1
accept-lifetime local 00:00:00 Jan 1 1993 00:05:00 Jan 1 2011
send-lifetime local 00:00:00 Jan 1 1993 00:00:00 Jan 1 2011
key 2
key-string CISCO2
accept-lifetime local 23:55:00 Dec 31 2010 infinite
send-lifetime local 00:00:00 Jan 1 2011 infinite

!
! Apply EIGRP authentication on both EIGRP running interfaces
!
interface Serial 0/1
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 EIGRP
!
interface Serial 0/0.45
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 EIGRP
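The point of the overlapping accept-lifetimes is that each router keeps accepting the old key for five minutes after it stops sending it, and accepts the new key five minutes before it starts sending it, so a small clock difference between R4 and R5 does not break the adjacency. The following model of the key chain above is an added example (not workbook code); the lifetimes are the ones configured on R4 and R5, while the send-key selection rule (lowest-numbered key with a current send-lifetime), the exclusive end-of-lifetime boundary and the skew values are assumptions made for the example.

```python
"""Model of the EIGRP key-chain rollover configured on R4 and R5 (Task 6.1).

Added example, not from the workbook: it reproduces the "EIGRP" key chain
(CISCO1 and CISCO2 with overlapping accept-lifetimes) and checks, for the
clock readings used in the verification, that the key one router sends with
is still accepted by its peer, even when the peers' clocks differ by a few
minutes. Send-key selection and the skew values are assumptions.
"""
from datetime import datetime, timedelta

INFINITE = datetime.max


class Key:
    """One entry of an IOS key chain with accept- and send-lifetimes."""

    def __init__(self, key_id, key_string, accept, send):
        self.key_id = key_id
        self.key_string = key_string
        self.accept_start, self.accept_end = accept
        self.send_start, self.send_end = send

    def accept_valid(self, now):
        return self.accept_start <= now < self.accept_end

    def send_valid(self, now):
        return self.send_start <= now < self.send_end


# Lifetimes exactly as in the R4/R5 configuration (local time).
EIGRP_CHAIN = [
    Key(1, "CISCO1",
        accept=(datetime(1993, 1, 1), datetime(2011, 1, 1, 0, 5)),
        send=(datetime(1993, 1, 1), datetime(2011, 1, 1))),
    Key(2, "CISCO2",
        accept=(datetime(2010, 12, 31, 23, 55), INFINITE),
        send=(datetime(2011, 1, 1), INFINITE)),
]


def send_key(chain, now):
    """Assumed IOS rule: sign outgoing packets with the lowest-numbered key
    whose send-lifetime is current; None means no key can be used."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if key.send_valid(now):
            return key
    return None


def accepts(chain, key_id, key_string, now):
    """The receiver looks up the key ID carried in the packet and accepts
    it only if the string matches and that key's accept-lifetime is current."""
    for key in chain:
        if key.key_id == key_id:
            return key.key_string == key_string and key.accept_valid(now)
    return False


def peer_accepts(chain, sender_clock, receiver_clock):
    """Would a packet signed at sender_clock pass the peer's check at receiver_clock?"""
    key = send_key(chain, sender_clock)
    if key is None:
        return False
    return accepts(chain, key.key_id, key.key_string, receiver_clock)


def rollover_report(chain, checkpoints, skew=timedelta(minutes=2)):
    """Map each checkpoint to (sending key id, True if a peer whose clock is
    off by up to +/- skew still accepts the packet)."""
    report = {}
    for now in checkpoints:
        key = send_key(chain, now)
        ok = all(peer_accepts(chain, now, now + delta)
                 for delta in (-skew, timedelta(0), skew))
        report[now] = (key.key_id if key else None, ok)
    return report


# The three clock readings from the verification section.
CHECKPOINTS = [
    datetime(2010, 12, 31, 23, 55, 8),
    datetime(2011, 1, 1, 0, 0, 26),
    datetime(2011, 1, 1, 0, 5, 3),
]

if __name__ == "__main__":
    # With 2 minutes of skew the overlap covers the rollover; with 10 minutes
    # (more than the 5-minute overlap) the 23:55 and 00:00 checkpoints fail.
    for skew in (timedelta(minutes=2), timedelta(minutes=10)):
        print("clock skew tolerated: +/- %s" % skew)
        for when, (kid, ok) in rollover_report(EIGRP_CHAIN, CHECKPOINTS, skew).items():
            print("  %s  sends key %s  peer accepts: %s" % (when, kid, ok))
```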

Task 6.1 Verification


Verify NTP synchronization and EIGRP authentication.

SCRack4R5#show ntp status


Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**16
reference time is CE541286.EC18740A (17:04:22.922 PDT Thu Sep 10 2009)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 1.74 msec, peer dispersion is 1.74 msec


SCRack4R5#show ntp associations detail


150.4.4.4 configured, authenticated, selected, sane, valid, stratum 2
ref ID 127.127.7.1, time CE5412A0.248B2782 (17:04:48.142 PDT Thu Sep 10 2009)
our mode active, peer mode active, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 1.86, reach 377, sync dist 31.616
delay 58.47 msec, offset -2.5482 msec, dispersion 0.52
precision 2**16, version 3
org time CE5412A5.24A0E826 (17:04:53.143 PDT Thu Sep 10 2009)
rcv time CE5412A5.2CC3FCEC (17:04:53.174 PDT Thu Sep 10 2009)
xmt time CE54129F.EC694842 (17:04:47.923 PDT Thu Sep 10 2009)
filtdelay =    58.47   58.56   58.46   58.43   58.59   58.23   58.50   58.69
filtoffset =   -2.55   -2.30   -2.01   -1.91   -1.74   -1.88   -1.91   -2.22
filterror =     0.11    1.08    2.06    3.04    4.01    4.99    5.97    6.94

127.127.7.1 configured, our_master, sane, valid, stratum 1
ref ID .LOCL., time CE5412C6.EC5C6B90 (17:05:26.923 PDT Thu Sep 10 2009)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.015
delay 0.00 msec, offset 0.0000 msec, dispersion 0.02
precision 2**16, version 3
org time CE5412C6.EC5C6B90 (17:05:26.923 PDT Thu Sep 10 2009)
rcv time CE5412C6.EC5C6B90 (17:05:26.923 PDT Thu Sep 10 2009)
xmt time CE5412C6.EC5B8F2C (17:05:26.923 PDT Thu Sep 10 2009)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02    0.99    1.97    2.94    3.92    3.94    3.95    3.97
Reference clock status: Running normally
Timecode:

SCRack4R4#show ntp status


Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**16
reference time is CE5412E0.24C7FF7A (17:05:52.143 PDT Thu Sep 10 2009)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 2.00 msec, peer dispersion is 2.00 msec


SCRack4R4#show ntp associations detail


150.4.5.5 configured, authenticated, selected, sane, valid, stratum 2
ref ID 127.127.7.1, time CE5412C6.EC5C6B90 (17:05:26.923 PDT Thu Sep 10 2009)
our mode active, peer mode active, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 1.94, reach 376, sync dist 32.394
delay 58.26 msec, offset 2.6551 msec, dispersion 1.31
precision 2**16, version 3
org time CE5412DF.EB972DB2 (17:05:51.920 PDT Thu Sep 10 2009)
rcv time CE5412DF.F25E3FD6 (17:05:51.946 PDT Thu Sep 10 2009)
xmt time CE5412E5.24DCE3BA (17:05:57.143 PDT Thu Sep 10 2009)
filtdelay =    58.26   58.27   58.21   58.35   58.33   58.55   58.40   58.90
filtoffset =    2.66    2.45    2.13    1.95    1.87    1.71    1.96    2.11
filterror =     0.90    1.88    2.85    3.83    4.81    5.78    6.76    7.74

127.127.7.1 configured, our_master, sane, valid, stratum 1
ref ID .LOCL., time CE5412E0.24C7FF7A (17:05:52.143 PDT Thu Sep 10 2009)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.015
delay 0.00 msec, offset 0.0000 msec, dispersion 0.02
precision 2**16, version 3
org time CE5412E0.24C7FF7A (17:05:52.143 PDT Thu Sep 10 2009)
rcv time CE5412E0.24C7FF7A (17:05:52.143 PDT Thu Sep 10 2009)
xmt time CE5412E0.24C646B2 (17:05:52.143 PDT Thu Sep 10 2009)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87    6.85
Reference clock status: Running normally
Timecode:

SCRack4R5#show clock
17:56:36.766 PDT Thu Sep 10 2009

SCRack4R5#show key chain


Key-chain EIGRP:
    key 1 -- text "CISCO1"
        accept lifetime (00:00:00 PDT Jan 1 1993) - (00:05:00 PDT Jan 1 2011) [valid now]
        send lifetime (00:00:00 PDT Jan 1 1993) - (00:00:00 PDT Jan 1 2011) [valid now]
    key 2 -- text "CISCO2"
        accept lifetime (23:55:00 PDT Dec 31 2010) - (infinite)
        send lifetime (00:00:00 PDT Jan 1 2011) - (infinite)


SCRack4R4#show clock
17:57:09.159 PDT Thu Sep 10 2009

SCRack4R4#show key chain


Key-chain EIGRP:
    key 1 -- text "CISCO1"
        accept lifetime (00:00:00 PDT Jan 1 1993) - (00:05:00 PDT Jan 1 2011) [valid now]
        send lifetime (00:00:00 PDT Jan 1 1993) - (00:00:00 PDT Jan 1 2011) [valid now]
    key 2 -- text "CISCO2"
        accept lifetime (23:55:00 PDT Dec 31 2010) - (infinite)
        send lifetime (00:00:00 PDT Jan 1 2011) - (infinite)

SCRack4R5#show ip eigrp neighbors


IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   141.1.54.4              Se0/0.45          11 00:19:29  362  2172  0  24
0   141.1.45.4              Se0/1             10 00:19:31  438  2628  0  23

SCRack4R5#show ip eigrp interfaces detail


IP-EIGRP interfaces for process 100

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/1              1        0/0       438       0/15         1995           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 7/14
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 3
  Retransmissions sent: 1  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "EIGRP"
  Use unicast
Se0/0.45           1        0/0       362       0/15         1559           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 7/12
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 2
  Retransmissions sent: 2  Out-of-sequence rcvd: 1
  Authentication mode is md5,  key-chain is "EIGRP"
  Use unicast


Change the clocks on both routers and check whether the EIGRP authentication key
switches over without losing the neighbor relationships.

R4 and R5:
clock set 23:54:00 31 Dec 2010

SCRack4R5#show clock
23:55:08.804 PST Fri Dec 31 2010

SCRack4R5#show key chain


Key-chain EIGRP:
    key 1 -- text "CISCO1"
        accept lifetime (00:00:00 PST Jan 1 1993) - (00:05:00 PST Jan 1 2011) [valid now]
        send lifetime (00:00:00 PST Jan 1 1993) - (00:00:00 PST Jan 1 2011) [valid now]
    key 2 -- text "CISCO2"
        accept lifetime (23:55:00 PST Dec 31 2010) - (infinite) [valid now]
        send lifetime (00:00:00 PST Jan 1 2011) - (infinite)

SCRack4R5#show ip eigrp neighbors


IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   141.1.45.4              Se0/1             14 00:06:39   95   570  0  28
1   141.1.54.4              Se0/0.45          11 00:31:29  362  2172  0  24

SCRack4R5#show clock
00:00:26.950 PST Sat Jan 1 2011


SCRack4R5#show key chain


Key-chain EIGRP:
    key 1 -- text "CISCO1"
        accept lifetime (00:00:00 PST Jan 1 1993) - (00:05:00 PST Jan 1 2011) [valid now]
        send lifetime (00:00:00 PST Jan 1 1993) - (00:00:00 PST Jan 1 2011)
    key 2 -- text "CISCO2"
        accept lifetime (23:55:00 PST Dec 31 2010) - (infinite) [valid now]
        send lifetime (00:00:00 PST Jan 1 2011) - (infinite) [valid now]

SCRack4R5#show ip eigrp neighbors


IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   141.1.45.4      Se0/1         11 00:11:38   95   570  0  28
1   141.1.54.4      Se0/0.45      14 00:36:29  362  2172  0  24

SCRack4R5#show clock
00:05:03.403 PST Sat Jan 1 2011

SCRack4R5#show key chain


Key-chain EIGRP:
    key 1 -- text "CISCO1"
        accept lifetime (00:00:00 PST Jan 1 1993) - (00:05:00 PST Jan 1 2011)
        send lifetime (00:00:00 PST Jan 1 1993) - (00:00:00 PST Jan 1 2011)
    key 2 -- text "CISCO2"
        accept lifetime (23:55:00 PST Dec 31 2010) - (infinite) [valid now]
        send lifetime (00:00:00 PST Jan 1 2011) - (infinite) [valid now]

SCRack4R5#show ip eigrp neighbors


IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   141.1.45.4      Se0/1         13 00:16:17   95   570  0  28
1   141.1.54.4      Se0/0.45      14 00:41:07  362  2172  0  24
SCRack4R5#
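
As an added worked example (not part of the workbook), the Python below models
the key chain from the show key chain output and checks the property the test
above relies on: across the rollover, whichever key one router sends must still
be in the set the other router accepts, even if their clocks disagree. The
lifetimes are copied from the output; the 20-minute window, the one-second
sampling and the rule that IOS signs with the lowest-numbered valid send key are
assumptions stated in the comments.

```python
"""Key-chain rollover check for the EIGRP key chain above.

Added example, not part of the workbook. Lifetimes are copied from the
'show key chain' output; the window, sampling and skew search are assumed.
"""
from datetime import datetime, timedelta

INFINITE = "infinite"

# key number -> lifetimes as shown by 'show key chain' (router local time).
KEY_CHAIN_EIGRP = {
    1: {"accept": ("1993-01-01 00:00:00", "2011-01-01 00:05:00"),
        "send":   ("1993-01-01 00:00:00", "2011-01-01 00:00:00")},
    2: {"accept": ("2010-12-31 23:55:00", INFINITE),
        "send":   ("2011-01-01 00:00:00", INFINITE)},
}


def _t(value):
    """Accept ISO strings ('2010-12-31 23:55:08') or datetime objects."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def _valid(lifetime, now):
    """Start is inclusive, end is exclusive; 'infinite' never ends."""
    start, end = lifetime
    return _t(start) <= now and (end == INFINITE or now < _t(end))


def accept_keys(chain, now):
    """Keys a router accepts on received packets at local time `now`."""
    now = _t(now)
    return sorted(k for k, life in chain.items() if _valid(life["accept"], now))


def send_key(chain, now):
    """Key used to sign outgoing packets: the lowest-numbered key whose send
    lifetime is valid (assumed IOS rule: keys are tried in ascending order)."""
    now = _t(now)
    for k in sorted(chain):
        if _valid(chain[k]["send"], now):
            return k
    return None


def rollover_is_safe(chain, start, end, max_skew_s, step_s=1):
    """True if, at every second of [start, end], a peer whose clock is off by
    up to max_skew_s in either direction sends a key we accept.  The send key
    and the accept set are step functions of time, so checking the two extreme
    offsets and zero is enough."""
    now, end = _t(start), _t(end)
    while now <= end:
        for skew in (-max_skew_s, 0, max_skew_s):
            peer_key = send_key(chain, now + timedelta(seconds=skew))
            if peer_key is None or peer_key not in accept_keys(chain, now):
                return False
        now += timedelta(seconds=step_s)
    return True


def max_tolerated_skew(chain, start, end, limit_s=3600):
    """Largest clock skew (seconds) the chain survives in the window, found by
    binary search; None if even perfectly synchronised clocks fail."""
    if not rollover_is_safe(chain, start, end, 0):
        return None
    if rollover_is_safe(chain, start, end, limit_s):
        return limit_s
    lo, hi = 0, limit_s  # lo is known safe, hi is known unsafe
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if rollover_is_safe(chain, start, end, mid):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for when in ("2010-12-31 23:55:08", "2011-01-01 00:00:26", "2011-01-01 00:05:03"):
        print(when, "send key", send_key(KEY_CHAIN_EIGRP, when),
              "accept keys", accept_keys(KEY_CHAIN_EIGRP, when))
    print("tolerated skew (s):", max_tolerated_skew(
        KEY_CHAIN_EIGRP, "2010-12-31 23:50:00", "2011-01-01 00:10:00"))
```

Running it reports key 1 sent and keys 1 and 2 accepted at 23:55:08, key 2 sent
at 00:00:26 and 00:05:03, and a tolerated skew of 300 seconds, which is exactly
the 5-minute accept overlap configured in the chain; shrinking either overlap
lowers that figure, and NTP on both routers is what keeps the real skew well
inside it.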


Task 6.2 Solution


R5:
!
! Exempt traffic sourced from R2's Loopback0 from policing: a deny entry in the
! ACL keeps those packets out of the class, so they fall into class-default,
! which has no policer. Match telnet, ssh, https and icmp from any other source.
!
access-list 100 deny ip host 150.4.2.2 any
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any any eq 22
access-list 100 permit tcp any any eq 443
access-list 100 permit icmp any any

!
! Configure class-map to classify Traffic/ match ACL 100
!
class-map cmap-cpp
match access-group 100

!
! Configure Policing as required
!
policy-map pmap-cpp
class cmap-cpp
police 9000 conform transmit exceed drop

!
! Apply policy-map to the control plane
!
control-plane
service-policy input pmap-cpp

!
! Management Plane Protection: only accept ssh, https, telnet and icmp to the
! router when received on Serial0/0.25; the same protocols arriving on any
! other interface are dropped before they reach the VTY lines
!
control-plane host
management-interface Serial 0/0.25 allow ssh https telnet icmp

!
! Create ACL to match on ODD IP addresses
!
access-list 1 deny 0.0.0.1 255.255.255.254
access-list 1 permit any

line vty 0 181
access-class 1 in
!
! Enable ssh (a domain name is required before the RSA key can be generated;
! 1024 bits is the exam-era choice, use 2048 or larger on production devices)
!
ip domain-name internetworkexpert.com
crypto key generate rsa general-keys modulus 1024


Task 6.2 Verification


As an example, verify that ICMP traffic is policed except when sourced from R2
Loopback0.

SCRack4R2#ping 150.4.5.5 size 1000 repeat 15

Type escape sequence to abort.


Sending 15, 1000-byte ICMP Echos to 150.4.5.5, timeout is 2 seconds:
!!.!!.!!.!!.!!.
Success rate is 66 percent (10/15), round-trip min/avg/max =
508/509/512 ms

SCRack4R2#ping 150.4.5.5 size 1000 repeat 15 source loopback 0

Type escape sequence to abort.
Sending 15, 1000-byte ICMP Echos to 150.4.5.5, timeout is 2 seconds:
Packet sent with a source address of 150.4.2.2
!!!!!!!!!!!!!!!
Success rate is 100 percent (15/15), round-trip min/avg/max =
508/510/513 ms

Note that exactly 5 packets were dropped, in a regular two-pass/one-drop
pattern: a 1500-byte burst holds fewer than two 1000-byte echoes, and the
2-second timeout after each drop is long enough for the bucket to refill
completely before the next echo is sent.

SCRack4R5#show policy-map control-plane input


Control Plane

Service-policy input: pmap-cpp

Class-map: cmap-cpp (match-all)


15 packets, 15060 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 100
police:
cir 9000 bps, bc 1500 bytes, be 1500 bytes
conformed 10 packets, 10040 bytes; actions:
transmit
exceeded 5 packets, 5020 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps

Class-map: class-default (match-any)


555 packets, 72292 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
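
The counters above show 10 conforming and 5 exceeding packets. As an added
worked example (not workbook code), the Python below replays a single-rate
policer against the ping's own timing to show why the loss pattern is
!!.!!.!!.!!.!!. and why the Loopback0-sourced ping is untouched. The rate,
burst and per-packet byte count come from the show output; the 510 ms
round-trip spacing, the 2-second timeout behaviour and R2's serial address
141.1.25.2 as the non-exempt source are assumptions.

```python
"""Why 'ping ... size 1000 repeat 15' loses exactly 5 packets under the
Task 6.2 CoPP policer.  Added example, not part of the workbook; the rates
come from the show output above, the timing values are assumptions.
"""
import ipaddress

CIR_BPS = 9000     # 'police 9000' -> cir 9000 bps
BC_BYTES = 1500    # bc 1500 bytes, as reported by 'show policy-map control-plane'
PKT_BYTES = 1004   # 15060 bytes / 15 packets as counted by CoPP (assumed constant)
RTT_S = 0.51       # observed round trip (~510 ms); the next echo leaves after the reply
TIMEOUT_S = 2.0    # ping timeout; after a drop the sender waits this long

EXEMPT_SOURCE = ipaddress.ip_address("150.4.2.2")  # 'access-list 100 deny ip host 150.4.2.2 any'
POLICED_TCP_PORTS = {23, 22, 443}                  # the telnet, ssh and https entries


class SingleRatePolicer:
    """Single-rate, single-bucket policer: tokens are replenished on packet
    arrival at cir bytes/s and capped at bc; a packet conforms if enough
    tokens remain, otherwise it exceeds (and is dropped here)."""

    def __init__(self, cir_bps, bc_bytes):
        self.rate = cir_bps / 8.0
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)
        self.last = 0.0

    def offer(self, now, size):
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True   # conform -> transmit
        return False      # exceed -> drop (no tokens are consumed)


def matches_acl_100(src, proto, dport=None):
    """Classification into cmap-cpp.  ACL entries are evaluated in order and a
    'deny' match means 'not in this class', so packets from the exempt source
    fall into class-default, which carries no policer."""
    if ipaddress.ip_address(src) == EXEMPT_SOURCE:
        return False
    if proto == "icmp":
        return True
    return proto == "tcp" and dport in POLICED_TCP_PORTS


def simulate_ping(src, count, size=PKT_BYTES, rtt=RTT_S, timeout=TIMEOUT_S):
    """Return the '!'/'.' pattern IOS ping would print for `count` echoes,
    replaying the sender's timing: the next echo follows a reply after one
    RTT, but follows a lost echo only after the full timeout."""
    policer = SingleRatePolicer(CIR_BPS, BC_BYTES)
    policed = matches_acl_100(src, "icmp")
    now, out = 0.0, []
    for _ in range(count):
        delivered = policer.offer(now, size) if policed else True
        out.append("!" if delivered else ".")
        now += rtt if delivered else timeout
    return "".join(out)


if __name__ == "__main__":
    # R2's serial address (assumed) and its Loopback0 (the exempt source)
    for src in ("141.1.25.2", "150.4.2.2"):
        pattern = simulate_ping(src, 15)
        print(f"{src:>12}: {pattern}  dropped={pattern.count('.')}")
```

The third echo in every group fails because two echoes 510 ms apart drain the
1500-byte bucket faster than 9000 bps refills it, and the 2-second wait after
the drop adds 2250 bytes of credit, more than the bucket can hold, so the cycle
restarts from a full bucket. Raising the repeat count changes nothing about the
ratio, which is why a bare `police <rate>` with the default burst is a blunt
instrument: the burst, not the rate, decides what a single interactive session
sees.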


Try telnetting to R5 via an interface other than Serial0/0.25; the connection
attempt should be dropped.

Enable management-interface debugging on R5:

Rack4R5#debug control-plane management-interface

SCRack4R2#telnet 141.1.100.5
Trying 141.1.100.5 ...
% Connection timed out; remote host not responding

SCRack4R5#show logging | b Log Buffer


Log Buffer (4096 bytes):
MI:DROPPED TCP dport 23 fport 40252 faddr 141.1.100.2
MI:DROPPED TCP dport 23 fport 40252 faddr 141.1.100.2

R5
!
undebug all
!

Finally, telnet from an odd-numbered IP address, e.g. from R1 or R3; the
connection should be refused by the access-class on the VTY lines. Pinging
still works, since the access-class only governs VTY sessions.

SCRack4R1#ping 141.1.25.5

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 141.1.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 113/115/116
ms

SCRack4R1#telnet 141.1.25.5
Trying 141.1.25.5 ...
% Connection refused by remote host

SCRack4R5#show access-lists 1
Standard IP access list 1
10 deny 0.0.0.1, wildcard bits 255.255.255.254 (1 match)
20 permit any (4 matches)


Task 6.3 Solution


R5:
!
! Match ICMP unreachables sent to any destination except R2's Loopback0. The
! deny entry keeps unreachables to 150.4.2.2 out of the class, so those are
! still sent; all others are dropped by the policy below
!
access-list 101 deny icmp any host 150.4.2.2 unreachable
access-list 101 permit icmp any any unreachable

!
! Call the ACL in a class-map
!
class-map icmp-class
match access-group 101

!
! Configure policy-map to drop traffic
!
policy-map control-plane-out
class icmp-class
drop
!
! Apply the policy-map on the control-plane
!
control-plane
service-policy output control-plane-out


Task 6.3 Verification


We are going to add a route on R2 towards a non-existent network with the next
hop pointing to R5. We then send test pings sourced from different interfaces
and watch, with debug ip icmp on R2, which ICMP error messages R5 still returns.

R2:
!
ip route 100.100.100.100 255.255.255.255 141.1.25.5

Rack4R2#debug ip icmp
!

SCRack4R2#ping 100.100.100.100 repeat 2

Type escape sequence to abort.


Sending 2, 100-byte ICMP Echos to 100.100.100.100, timeout is 2
seconds:
..
Success rate is 0 percent (0/2)

SCRack4R2#ping 100.100.100.100 repeat 2 source loopback 0

Type escape sequence to abort.


Sending 2, 100-byte ICMP Echos to 100.100.100.100, timeout is 2
seconds:
Packet sent with a source address of 150.4.2.2
..
Success rate is 0 percent (0/2)
SCRack4R2#
Sep 11 10:52:41.780: ICMP: time exceeded rcvd from 141.1.25.5
SCRack4R2#
Sep 11 10:52:43.772: ICMP: time exceeded rcvd from 141.1.25.5

R2:
!
no ip route 100.100.100.100 255.255.255.255 141.1.25.5
undebug all


Task 6.4 Solution


R2:
!
! Configure the ACL to match IP packets to R2 with any options
!
ip access-list extended ACL-IP-OPTIONS-ANY
permit ip any host 141.1.100.2 option any-options
permit ip any host 141.1.25.2 option any-options
permit ip any host 141.1.123.2 option any-options
permit ip any host 150.4.2.2 option any-options
permit ip any host 10.100.100.2 option any-options
permit ip any host 10.12.100.2 option any-options
permit ip any host 10.23.23.2 option any-options
permit ip any host 10.25.25.2 option any-options

!
! Configure a class-map and call the ACL in it
!
class-map ACL-IP-OPTIONS-CLASS
match access-group name ACL-IP-OPTIONS-ANY

!
! Configure the aggregate-policy to drop
!
policy-map COPP-POLICY
class ACL-IP-OPTIONS-CLASS
drop
!
! Apply the policy
!
control-plane
service-policy input COPP-POLICY


Task 6.4 Verification


SCRack4R1#ping 141.1.123.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 141.1.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/63/69 ms

SCRack4R1#ping
Protocol [ip]:
Target IP address: 141.1.123.2
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 141.1.123.2, timeout is 2 seconds:
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)


Request 0 timed out
Success rate is 0 percent (0/1)
SCRack4R1#ping
Protocol [ip]:
Target IP address: 141.1.25.5
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 141.1.25.5, timeout is 2 seconds:
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)

Reply to request 0 (120 ms). Received packet has options
Total option bytes= 40, padded length=40
Record route:
(141.1.123.1)
(141.1.25.2)
(141.1.25.5)
(141.1.25.5)
(141.1.123.2)
(141.1.123.1) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list

Success rate is 100 percent (1/1), round-trip min/avg/max = 120/120/120 ms


SCRack4R2#show access-lists ACL-IP-OPTIONS-ANY


Extended IP access list ACL-IP-OPTIONS-ANY
10 permit ip any host 141.1.100.2 option any-options
20 permit ip any host 141.1.25.2 option any-options
30 permit ip any host 141.1.123.2 option any-options (1 match)
40 permit ip any host 150.4.2.2 option any-options
50 permit ip any host 10.100.100.2 option any-options
60 permit ip any host 10.12.100.2 option any-options
70 permit ip any host 10.23.23.2 option any-options
80 permit ip any host 10.25.25.2 option any-options

SCRack4R2#show policy-map control-plane input


Control Plane

Service-policy input: COPP-POLICY

Class-map: ACL-IP-OPTIONS-CLASS (match-all)


1 packets, 104 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ACL-IP-OPTIONS-ANY
drop

Class-map: class-default (match-any)


57 packets, 7875 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: any
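
As an added example (not workbook code), the Python below builds the
record-route option the extended ping carries, shows why nine hop slots give
39 option bytes padded to 40 (the IPv4 maximum, so IHL reaches 15), and
implements the header-length test that option any-options here and ip options
drop in Task 8.4 key on, plus a parser that recovers the hops recorded in the
reply R5 returned. The addresses come from the page; the packets themselves are
constructed here.

```python
"""Build and parse the IPv4 record-route option seen in the extended ping
above, and show the check that 'option any-options' and 'ip options drop'
rely on.  Added example, not workbook code; addresses are taken from the
page, the packets are constructed.
"""
import ipaddress
import struct

IPOPT_EOL = 0   # end of option list (also used as padding to a 32-bit boundary)
IPOPT_NOP = 1
IPOPT_RR = 7    # record route


def build_record_route(slots=9, recorded=()):
    """Return (option, padded_option).  A record-route option is
    type + length + pointer + 4 bytes per slot; 9 slots give 39 bytes, which
    is padded to 40 ('Total option bytes= 39, padded length=40')."""
    addrs = [ipaddress.ip_address(a).packed for a in recorded]
    body = b"".join(addrs) + b"\x00" * 4 * (slots - len(addrs))
    length = 3 + 4 * slots
    pointer = 4 + 4 * len(addrs)             # 1-based offset of the next free slot
    option = bytes([IPOPT_RR, length, pointer]) + body
    padded = option + bytes([IPOPT_EOL]) * (-len(option) % 4)
    return option, padded


def _checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, options=b"", payload_len=100, proto=1, ttl=255):
    """Minimal IPv4 header with options; IHL grows by one per 4 option bytes."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    ihl = 5 + len(options) // 4
    fields = [(4 << 4) | ihl, 0, ihl * 4 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    header = struct.pack("!BBHHHBBH4s4s", *fields) + options
    fields[7] = _checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + options


def has_ip_options(packet):
    """What the IOS checks key on: a header longer than 20 bytes (IHL > 5)."""
    return (packet[0] & 0x0F) > 5


def parse_record_route(packet):
    """Walk the option list and return the addresses recorded so far, or None
    if the packet carries no record-route option."""
    ihl = packet[0] & 0x0F
    opts = packet[20:ihl * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if kind == IPOPT_RR:
            pointer = opts[i + 2]
            data = opts[i + 3:i + length]
            filled = (pointer - 4) // 4
            return [str(ipaddress.ip_address(data[4 * n:4 * n + 4])) for n in range(filled)]
        i += length
    return None


# Hops recorded in the reply R5 returned to R1 (from the page).
REPLY_PATH = ["141.1.123.1", "141.1.25.2", "141.1.25.5",
              "141.1.25.5", "141.1.123.2", "141.1.123.1"]


def demo():
    request_opt, padded = build_record_route()
    request = build_ipv4_header("141.1.123.1", "141.1.123.2", padded)
    _, reply_opt = build_record_route(recorded=REPLY_PATH)
    reply = build_ipv4_header("141.1.25.5", "141.1.123.1", reply_opt)
    plain = build_ipv4_header("141.1.123.1", "141.1.123.2")
    return {
        "option_bytes": len(request_opt),
        "padded_bytes": len(padded),
        "request_ihl": request[0] & 0x0F,
        "request_has_options": has_ip_options(request),
        "plain_has_options": has_ip_options(plain),
        "reply_path": parse_record_route(reply),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The header-length test is deliberately coarse: it fires on every option type,
which is what makes it cheap to apply in CoPP, and why a router that must still
honour, say, router-alert for its own protocols needs a more selective match
than any-options.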


Task 6.5 Solution


R1:
!
! Configure the ACL to match packets with a TTL lower than 3
!
ip access-list extended ACL-IP-TTL-LOW
permit ip any any ttl lt 3

!
! Call the ACL in a class-map
!
class-map CMAP-TTL-LOW-CLASS
match access-group name ACL-IP-TTL-LOW

!
! Configure the policy to drop and apply it to the transit sub-interface of
! the RP. Only transit packets that are software-switched (punted to the
! route processor) reach this sub-interface; CEF-switched transit traffic
! never sees it, which is why the counters in the verification stay at zero
!
policy-map CPPR-TRANSIT-POLICY
class CMAP-TTL-LOW-CLASS
drop
!
control-plane transit
service-policy input CPPR-TRANSIT-POLICY


Task 6.5 Verification


SCRack4R1#show policy-map control-plane all

Control Plane Transit

Service-policy input: CPPR-TRANSIT-POLICY

Class-map: CMAP-TTL-LOW-CLASS (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name ACL-IP-TTL-LOW
drop

Class-map: class-default (match-any)


3 packets, 348 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

Task 6.6 Solution


R5:
!
! Enable SNMP traps and send them to 10.0.0.100 (the community string
! "public" is the workbook's choice; use a non-default string in practice)
!
snmp-server enable traps
snmp-server host 10.0.0.100 traps public cpu

!
! Configure CPU threshold monitoring: trap when total utilization rises above
! 95% measured over 10 seconds, and again when it falls below 20% over 20 s
!
process cpu threshold type total rising 95 interval 10 falling 20 interval 20

Task 6.6 Verification


SCRack4R5#debug snmp packets
SNMP packet debugging is on

SCRack4R5#wr
Building configuration...

%SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr): 99%/0%, Top 3 processes(Pid/Util): 3/98%, 2/0%, 61/0%


SNMP: Queuing packet to 10.0.0.100
SNMP: V1 Trap, ent ciscoProcessMIB.2, addr 141.1.54.5, gentrap 6, spectrap 1
cpmCPUThresholdTable.1.2.1.1 = 95
cpmCPUTotalTable.1.10.1 = 99
cpmCPUTotalTable.1.11.1 = 0
ciscoProcessMIB.1.2.3.1.5.1.3 = 98
cpmProcessTable.1.5.1.3 = 3333835[OK]

Task 7.1 Solution


R2
!
! Enable HSRP MD5 authentication
!
interface FastEthernet 0/0
standby 1 authentication md5 key-string CISCO

R5
!
! Enable HSRP MD5 authentication
!
interface FastEthernet 0/1
standby 1 authentication md5 key-string CISCO

Task 7.1 Verification


SCRack4R2#show standby
FastEthernet0/0 - Group 1
State is Active
1 state change, last state change 06:05:34
Virtual IP address is 141.1.100.254
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.081 secs
Authentication MD5, key-string "CISCO"
Preemption enabled
Active router is local
Standby router is 141.1.100.5, priority 100 (expires in 9.111 sec)
Priority 101 (configured 101)
Group name is "HSRP1" (cfgd)


Task 7.2 Solution


R4:
!
! Configure class-maps to identify traffic
!
class-map match-all PRIORITY
match protocol eigrp
class-map match-all ICMP
match protocol icmp
class-map match-all TELNET
match protocol telnet

!
! Configure the policy-map and apply it outbound on Serial0/1
!
policy-map pmap-outbound
class PRIORITY
bandwidth percent 25
class ICMP
police rate percent 10
class TELNET
set dscp af43
!
interface Serial 0/1
service-policy out pmap-outbound

Task 7.2 Verification


SCRack4R4#ping 141.1.45.5

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 141.1.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/20 ms

SCRack4R4#telnet 141.1.45.5
Trying 141.1.45.5 ...
% Connection timed out; remote host not responding

The telnet attempt times out because the Task 6.2 management-interface
restriction on R5 only accepts telnet on Serial0/0.25, and this connection
arrives on R5's Serial0/1. The SYNs R4 sends are still classified and marked
by the outbound policy, as the TELNET class counters below show.


SCRack4R4#show policy-map interface serial 0/1


Serial0/1

Service-policy output: pmap-outbound

Class-map: PRIORITY (match-all)


240 packets, 24960 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol eigrp
Queueing
Output Queue: Conversation 265
Bandwidth 25 (%)
Bandwidth 386 (kbps)  Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0

Class-map: ICMP (match-all)


5 packets, 520 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol icmp
police:
rate 10 %
rate 154000 bps, burst 4812 bytes
conformed 5 packets, 520 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: TELNET (match-all)


2 packets, 96 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
QoS Set
dscp af43
Packets marked 2

Class-map: class-default (match-any)


128 packets, 8014 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any


Task 7.3 Solution


R3:
!
! Configure a class-map to match strings in the HTTP request URL. NBAR only
! inspects cleartext HTTP, so the same paths fetched over TLS are not seen
!
class-map match-any cmap-not-allowed
match protocol http url "*cmd.exe*"
match protocol http url "*root.com*"
!
! Configure the policy-map to drop if strings are matched
!
policy-map pmap-not-allowed
class cmap-not-allowed
drop
!
! Apply the policy inbound on interface FastEthernet0/1
!
interface FastEthernet0/1
service-policy input pmap-not-allowed

Task 7.3 Verification


SCRack4R6#copy http://10.7.7.7/root.com null:
%Error opening http://10.7.7.7/root.com (I/O error)

SCRack4R6#copy http://10.7.7.7/cmd.exe null:


%Error opening http://10.7.7.7/cmd.exe (I/O error)

SCRack4R3#show policy-map interface fastEthernet 0/1


FastEthernet0/1

Service-policy input: pmap-not-allowed

Class-map: cmap-not-allowed (match-any)


23 packets, 3414 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*cmd.exe*"
6 packets, 1074 bytes
5 minute rate 0 bps
Match: protocol http url "*root.com*"
17 packets, 2340 bytes
5 minute rate 0 bps
drop

Class-map: class-default (match-any)


69 packets, 6133 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any


Task 7.4 Solution


R6:
!
! Enable Netflow on R6 interfaces
!
interface FastEthernet 0/0
ip flow ingress
!
interface Serial 0/0/0
ip flow ingress
!
! Configure NetFlow version 5 and export to the static NAT'ed IP address of
! SW2. Export is plain UDP with no authentication, so the ASA rule below is
! what limits which source may deliver records to the collector
!
ip flow-export version 5
ip flow-export destination 141.1.100.88 9999
ip flow-export source loopback 0

ASA1:
!
! Allow inbound Netflow reporting traffic from R6 Loopback
!
access-list outside permit udp host 150.4.6.6 host 141.1.100.88 eq 9999

Task 7.4 Verification


SCRack4R6#show ip cache flow
IP packet size distribution (379 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .224 .221 .548 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .005 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes


5 active, 4091 inactive, 70 added
2753 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
5 active, 1019 inactive, 70 added, 70 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet           2      0.0        18    71      0.0       3.0       1.3
TCP-BGP             33      0.0         1    49      0.0       5.4      15.5
UDP-other           27      0.0         1   112      0.0       0.0      15.4
ICMP                 3      0.0         5   100      0.0       0.1      15.2
Total:              65      0.0         1    75      0.0       2.8      15.0

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         141.1.36.3      Null          224.0.0.5       59 0000 0000    85
Se0/0/0       54.4.1.254      Null          224.0.0.9       11 0208 0208     1
Se0/0/0       54.4.1.254      Local         54.4.1.6        06 00B3 BAC9     1
Se0/0/0       54.4.1.254      Null          224.0.0.10      58 0000 0000   166
Fa0/0         150.4.3.3       Local         150.4.6.6       06 00B3 7E43     2

Task 7.5 Solution


ASA1:
!
! Configure an SNMP map that denies version 1
!
snmp-map NO_SNMP_V1
deny version 1

!
! Apply the inspection under the default global_policy so we cover all
! interfaces
!
policy-map global_policy
class inspection_default
inspect snmp NO_SNMP_V1


Task 7.5 Verification


SW2:
!
! Configure SNMP traps v1 to R2
!
snmp-server host 141.1.100.2 version 1 cisco
snmp-server enable traps
!
! Simulate a link failure
!
interface Vlan 8
shutdown
no shutdown

Rack4ASA# show service-policy global

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 4052, drop 0, reset-drop 0
Inspect: snmp NO_SNMP_V1, packet 11, drop 11, reset-drop 0

SW2:
!
! Remove SNMP configuration
!
no snmp-server host 141.1.100.2 cisco
no snmp-server enable traps


Task 7.6 Solution


R4:
!
! Configure an ACL with the log keyword. Packets that fail the uRPF check are
! evaluated against this ACL: a deny drops and logs them, a permit would let
! them through despite the failed check
!
access-list 100 deny ip any any log
!
! Configure uRPF strict mode (reachable-via rx) with the ACL
!
interface fastEthernet 0/1
ip verify unicast source reachable-via rx 100

Task 7.6 Verification


Create a new SVI 43 on SW1 and ping R4, sourcing from the VLAN 7 interface.
Since R4's best route to 10.7.7.0/24 points towards R5 rather than out
FastEthernet0/1, the strict-mode check fails for those packets.

SW1:
!
interface Vlan43
ip address 204.12.4.10 255.255.255.0
no shutdown

SCRack4SW1#ping 204.12.4.4

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 204.12.4.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms


SCRack4SW1#ping 204.12.4.4 source vlan 7

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 204.12.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.7.7.7
.....
Success rate is 0 percent (0/5)

SCRack4R4#show ip interface fastEthernet 0/1


<snip>
IP verify source reachable-via RX, ACL 100
5 verification drops
0 suppressed verification drops

Jan 2 07:08:34.229: %SEC-6-IPACCESSLOGDP: list 100 denied icmp

SCRack4R4#show access-lists 100


Extended IP access list 100
10 deny ip any any log (5 matches)
SW1:
!
no interface Vlan43


Task 8.1 Solution


R2:
!
! Configure HSRP to use the BIA MAC address instead of the virtual MAC
! address, so the switch port sees a single source MAC from each router and
! port-security with its default maximum of one address does not fire.
! (With use-bia a failover changes the virtual MAC, so hosts depend on the
! gratuitous ARP from the new active router to refresh their ARP caches.)
!
interface FastEthernet 0/0
standby use-bia

R5:
!
! Configure HSRP to use the BIA MAC address instead of the virtual MAC
! address
!
interface FastEthernet 0/1
standby use-bia

SW1:
!
! Enable port-security; on a violation, restrict mode drops the offending
! frames, increments the violation counter and sends a syslog/SNMP
! notification without err-disabling the port
!
interface FastEthernet 0/2
switchport port-security
switchport port-security violation restrict

SW2:
!
! Enable port-security; on a violation, restrict mode drops the offending
! frames, increments the violation counter and sends a syslog/SNMP
! notification without err-disabling the port
!
interface FastEthernet 0/5
switchport port-security
switchport port-security violation restrict


Task 8.1 Verification


SCRack4R2#show interfaces fastEthernet 0/0 | i bia
Hardware is AmdFE, address is 0013.c451.f240 (bia 0013.c451.f240)

SCRack4R2#show standby
FastEthernet0/0 - Group 1
State is Active
1 state change, last state change 3d15h
Virtual IP address is 141.1.100.25
Active virtual MAC address is 0013.c451.f240
Local virtual MAC address is 0013.c451.f240 (bia)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.856 secs
Authentication MD5, key-string "cisco"
Preemption enabled
Active router is local
Standby router is 141.1.100.5, priority 100 (expires in 9.652 sec)
Priority 101 (configured 101)
Group name is "HSRP1" (cfgd)

SCRack4SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/2              1            1                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 5120

SCRack4SW1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                 Ports   Remaining Age
                                                          (mins)
----    -----------       ----                 -----   -------------
 101    0013.c451.f240    SecureDynamic        Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 5120


Rack4ASA# ping 141.1.100.2


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA# ping 141.1.100.5


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA# ping 141.1.100.25


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.1.100.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Task 8.2 Solution


SW2:
!
! Enable the Private VLAN Edge (protected port) feature on ports 0/7 and 0/8
! so that the two ports cannot exchange traffic directly; also stop unknown
! unicast frames from being flooded out these ports
!
interface range FastEthernet 0/7-8
switchport mode access
switchport access vlan 8
switchport protected
switchport block unicast

Task 8.2 Verification


SCRack4SW2#show interfaces fastethernet 0/7 switchport
Name: Fa0/7
<snip>

Protected: true
Unknown unicast blocked: enabled
Unknown multicast blocked: disabled
Appliance trust: none


Task 8.3 Solution


R1:
!
! Configure ACL to match ICMP Echo and Echo-Reply
!
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any echo

!
! Use CAR to limit the traffic: 128 kbps with a 32000-byte normal and
! extended burst; transmit conforming packets and drop the excess
!
interface Serial 0/0.123
rate-limit output access-group 110 128000 32000 32000 conform-action transmit exceed-action drop

Task 8.3 Verification


SCRack4R1#show interfaces serial 0/0.123 rate-limit
Serial0/0.123
Output
matches: access-group 110
params: 128000 bps, 32000 limit, 32000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 509737415ms ago, current burst: 0 bytes
last cleared 00:00:29 ago, conformed 0 bps, exceeded 0 bps

SCRack4R3#ping 192.10.4.254 source loopback 0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
Packet sent with a source address of 150.4.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/133/185
ms

SCRack4R1#show interfaces serial 0/0.123 rate-limit


Serial0/0.123
Output
matches: access-group 110
params: 128000 bps, 32000 limit, 32000 extended limit
conformed 75 packets, 71500 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
last packet: 14685ms ago, current burst: 0 bytes
last cleared 00:06:40 ago, conformed 1000 bps, exce


Task 8.4 Solution


R4:
!
! Drop packets with IP options
!
ip options drop

Task 8.4 Verification


SCRack4R5#ping
Protocol [ip]:
Target IP address: 141.1.45.4
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 141.1.45.4, timeout is 2 seconds:
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)

Request 0 timed out
Success rate is 0 percent (0/1)


SCRack4R4#show ip traffic | section Drop


Drop: 1726 encapsulation failed, 0 unresolved, 0 no adjacency
0 no route, 5 unicast RPF, 0 forced drop
1 options denied
Drop: 0 packets with source IP address zero
Drop: 0 packets with internal loop back IP address
0 physical broadcast

Drop due to input queue full: 0

Task 8.5 Solution


ASA1:
!
! Set the maximum fragment chain length to 1 on both interfaces, so only
! whole (unfragmented) packets are accepted and any fragment is dropped
!
fragment chain 1 inside
fragment chain 1 outside

Task 8.5 Verification


We send 2000-byte ICMP echoes from R2 to the ASA. They exceed the 1500-byte
Ethernet MTU, so R2 fragments them and the firewall discards the fragments,
while the default 100-byte pings still go through.

SCRack4R2#ping 141.1.100.12

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 141.1.100.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

SCRack4R2#ping 141.1.100.12 size 2000

Type escape sequence to abort.


Sending 5, 2000-byte ICMP Echos to 141.1.100.12, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Rack4ASA# show fragment


Interface: outside
Size: 200, Chain: 1, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 0, Fail: 5, Overflow: 0
Interface: inside
Size: 200, Chain: 1, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 0, Fail: 0, Overflow: 0

CCIE Security Lab Workbook Vol II Solutions Guide for CCIEv3.0 Lab 7

IEWB-SC-VOL2 Lab 7 Solutions


Task 1.1 Solution
ASA1:
!
! Configure hostname, nameifs and IP addresses as per the diagram
!
hostname Rack4ASA1
!
interface Ethernet 0/0
no shutdown
nameif outside
ip address 136.1.125.12 255.255.255.0
!
interface Ethernet 0/1
no shutdown
nameif inside
ip address 10.0.0.12 255.255.255.0

ASA2:
!
! Configure hostname, nameifs and IP addresses as per the diagram
!
hostname Rack4ASA2
!
interface Ethernet 0/0
no shutdown
nameif outside
ip address 136.1.100.13 255.255.255.0


Task 1.1 Verification


ASA1:

Rack4ASA1# show nameif


Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 inside 100

Rack4ASA1# show interface ip brief | e unas


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 136.1.125.12 YES manual up up
Ethernet0/1 10.0.0.12 YES manual up up

Rack4ASA1# ping 136.1.125.5


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.125.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

Rack4ASA1# ping 10.0.0.100


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA2:
Rack4ASA2# show nameif
Interface Name Security
Ethernet0/0 outside 0

Rack4ASA2# sho interface ip brief | e unas


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 136.1.100.13 YES manual up up

Rack4ASA2# ping 136.1.100.3


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


Task 1.2 Solution


ASA1:
!
! Enable RIP on both inside and outside interfaces
!
router rip
version 2
no auto-summary
network 10.0.0.0
network 136.1.0.0

ASA2:
!
! Enable OSPF on the outside interface in area 136; be as specific as
! possible with the network command
!
router ospf 1
router-id 150.4.13.13
network 136.1.100.13 255.255.255.255 area 136


Task 1.2 Verification


ASA1:

Rack4ASA1# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

R 136.1.136.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.255.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.8.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.0.1 255.255.255.255 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.0.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.0.0 255.255.0.0 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.2.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.0.2 255.255.255.255 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.0.4 255.255.255.255 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.7.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.45.4 255.255.255.255 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.45.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:19, outside
R 136.1.100.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:19, outside
C 136.1.125.0 255.255.255.0 is directly connected, outside
R 192.10.4.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:21, outside
R 150.4.5.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:21, outside
R 150.4.4.0 255.255.255.0 [120/1] via 136.1.125.5, 0:00:21, outside
R 150.4.8.8 255.255.255.255 [120/1] via 136.1.125.5, 0:00:21, outside
R 150.4.7.7 255.255.255.255 [120/1] via 136.1.125.5, 0:00:21, outside
R 150.4.6.6 255.255.255.255 [120/1] via 136.1.125.5, 0:00:21, outside
R 150.4.3.3 255.255.255.255 [120/1] via 136.1.125.5, 0:00:21, outside
R 150.4.2.2 255.255.255.255 [120/1] via 136.1.125.5, 0:00:21, outside
R 150.4.1.1 255.255.255.255 [120/1] via 136.1.125.5, 0:00:21, outside
R 150.4.0.0 255.255.0.0 [120/1] via 136.1.125.5, 0:00:21, outside


Rack4ASA1# show rip database 10.0.0.0 255.255.255.0

10.0.0.0 255.255.255.0 directly connected, Ethernet0/1

ASA2:

Rack4ASA2# show ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
150.4.3.3 1 FULL/DR 0:00:36 136.1.100.3 outside

Rack4ASA2# show ospf interface outside

outside is up, line protocol is up
Internet Address 136.1.100.13 mask 255.255.255.0, Area 136
Process ID 1, Router ID 150.4.13.13, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.4.3.3, Interface address 136.1.100.3
Backup Designated router (ID) 150.4.13.13, Interface address 136.1.100.13
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:02
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.3.3 (Designated Router)
Suppress hello for 0 neighbor(s)

Rack4ASA2# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

O 136.1.136.0 255.255.255.0 [110/11] via 136.1.100.3, 0:14:04, outside
O IA 136.1.255.0 255.255.255.0 [110/140] via 136.1.100.3, 0:14:04, outside
O IA 136.1.8.0 255.255.255.0 [110/141] via 136.1.100.3, 0:14:04, outside
O IA 136.1.0.1 255.255.255.255 [110/11] via 136.1.100.3, 0:14:04, outside
O E2 136.1.0.0 255.255.0.0 [110/1] via 136.1.100.3, 0:14:04, outside
O E2 136.1.2.0 255.255.255.0 [110/20] via 136.1.100.3, 0:14:04, outside
O IA 136.1.0.2 255.255.255.255 [110/139] via 136.1.100.3, 0:14:04, outside
O IA 136.1.0.5 255.255.255.255 [110/75] via 136.1.100.3, 0:14:04, outside
O IA 136.1.0.4 255.255.255.255 [110/139] via 136.1.100.3, 0:14:04, outside
O IA 136.1.7.0 255.255.255.0 [110/141] via 136.1.100.3, 0:14:04, outside
O E2 136.1.45.4 255.255.255.255 [110/20] via 136.1.100.3, 0:14:04, outside
O IA 136.1.45.0 255.255.255.0 [110/10074] via 136.1.100.3, 0:14:04, outside
C 136.1.100.0 255.255.255.0 is directly connected, outside
O E2 136.1.125.0 255.255.255.0 [110/20] via 136.1.100.3, 0:14:04, outside
O E2 10.0.0.0 255.255.255.0 [110/20] via 136.1.100.3, 0:14:06, outside
O IA 192.10.4.0 255.255.255.0 [110/76] via 136.1.100.3, 0:14:06, outside
O IA 150.4.4.0 255.255.255.0 [110/140] via 136.1.100.3, 0:14:06, outside
O E2 150.4.0.0 255.255.0.0 [110/1] via 136.1.100.3, 0:14:06, outside
O IA 150.4.8.8 255.255.255.255 [110/141] via 136.1.100.3, 0:14:06, outside
O IA 150.4.7.7 255.255.255.255 [110/141] via 136.1.100.3, 0:14:06, outside
O IA 150.4.5.5 255.255.255.255 [110/76] via 136.1.100.3, 0:14:06, outside
O IA 150.4.2.2 255.255.255.255 [110/140] via 136.1.100.3, 0:14:06, outside
O IA 150.4.1.1 255.255.255.255 [110/12] via 136.1.100.3, 0:14:06, outside
O 150.4.6.6 255.255.255.255 [110/12] via 136.1.100.3, 0:14:06, outside
O 150.4.3.3 255.255.255.255 [110/11] via 136.1.100.3, 0:14:06, outside


Task 1.3 Solution


ASA1:
!
! Configure static NAT for the AAA server and enable nat-control
!
static (inside,outside) 136.1.125.100 10.0.0.100
nat-control
!
! Configure ACL and permit TACACS and RADIUS traffic towards the AAA
! server; since RADIUS runs on 2 different sets of ports make sure to
! catch both
!
access-list OUTSIDE_IN permit tcp any host 136.1.125.100 eq 49
access-list OUTSIDE_IN permit udp any host 136.1.125.100 range 1645 1646
access-list OUTSIDE_IN permit udp any host 136.1.125.100 range 1812 1813
!
access-group OUTSIDE_IN in interface outside

Task 1.3 Verification


Rack4ASA1# show xlate
1 in use, 1 most used
Global 136.1.125.100 Local 10.0.0.100

SCRack4R5#traceroute 136.1.125.100 port 1645

Type escape sequence to abort.
Tracing the route to 136.1.125.100

1 * *

Rack4ASA1# show conn
5 in use, 6 most used
UDP outside 136.1.125.5:49188 inside 10.0.0.100:1646, idle 0:00:15, bytes 0, flags -
UDP outside 136.1.125.5:49187 inside 10.0.0.100:1645, idle 0:00:18, bytes 0, flags -


Task 1.4 Solution


Since nat-control is enabled on ASA1, any traffic going through the firewall
must match a NAT statement. We configure PAT so that hosts on VLAN 10 can
reach outside networks.

ASA1:
!
! Configure static PAT for UDP port 53
!
static (outside,inside) udp interface 53 136.1.59.100 53

!
! Configure PAT for hosts on Vlan 10
!
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

Task 1.4 Verification


Rack4ASA1# show xlate
2 in use, 2 most used
PAT Global 10.0.0.12(53) Local 136.1.59.100(53)
Global 136.1.125.100 Local 10.0.0.100

Task 1.5 Solution


ASA1:
!
! Enable priority-queuing on both interfaces
!
priority-queue outside
priority-queue inside

!
! Configure a class-map and match packets marked EF
!
class-map cmap-voice
match dscp ef

!
! Assign traffic to the priority queue by calling the class-map in the
! global policy-map
!
policy-map global_policy
class cmap-voice
priority


Task 1.5 Verification


Simulate traffic marked with DSCP EF and check for priority queue matches

Rack4ASA1# show priority-queue config

Priority-Queue Config interface outside
current default range
queue-limit 2048 2048 0 - 2048
tx-ring-limit 80 80 3 - 256

Priority-Queue Config interface inside
current default range
queue-limit 2048 2048 0 - 2048
tx-ring-limit 80 80 3 - 256

Rack4ASA1# show priority-queue statistics inside

Priority-Queue Statistics interface inside

Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 1
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0

Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 0
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0

R5:
!
ip telnet tos B8

SCRack4R5#telnet 136.1.125.100 49
Trying 136.1.125.100, 49 ... Open

[Connection to 136.1.125.100 closed by foreign host]


Rack4ASA1# show priority-queue statistics inside

Priority-Queue Statistics interface inside

Queue Type = BE
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 5
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0

Queue Type = LLQ
Tail Drops = 0
Reset Drops = 0
Packets Transmit = 5
Packets Enqueued = 0
Current Q Length = 0
Max Q Length = 0

R5:
!
no ip telnet tos B8
!


Task 1.6 Solution


ASA1:
!
! Deny ICMP Echo-Request received on outside from 150.4.1.1 and allow
! all other ICMP traffic
!
icmp deny host 150.4.1.1 echo outside
icmp permit any outside

Task 1.6 Verification


SCRack4R1#ping 136.1.125.12

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.125.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/63/88 ms

Rack4ASA1# show asp drop frame acl-drop

Flow is denied by configured rule (acl-drop) 4

Last clearing: Never

SCRack4R1#ping 136.1.125.12 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.125.12, timeout is 2 seconds:
Packet sent with a source address of 150.4.1.1
.....
Success rate is 0 percent (0/5)

Rack4ASA1# show asp drop frame acl-drop

Flow is denied by configured rule (acl-drop) 9

Last clearing: Never


Task 1.7 Solution


ASA2:
!
! Configure an SLA monitor operation with a frequency of 3 seconds and a
! timeout of 1 second (1000 ms). The next hop 136.1.100.3 and the
! verification below are on ASA2's outside interface.
!
sla monitor 5
type echo protocol ipIcmpEcho 150.4.6.6 interface outside
timeout 1000
frequency 3

!
! Set the SLA lifetime to be infinite
!
sla monitor schedule 5 life forever start-time now

!
! Create the tracking object and attach it to the static route
!
track 1 rtr 5 reachability
route outside 54.4.2.254 255.255.255.255 136.1.100.3 track 1

Task 1.7 Verification


Rack4ASA2# show route outside 54.4.2.254

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

S 54.4.2.254 255.255.255.255 [1/0] via 136.1.100.3, outside


Rack4ASA2# show sla monitor configuration

SA Agent, Infrastructure Engine-II
Entry number: 5
Owner:
Tag:
Type of operation to perform: echo
Target address: 150.4.6.6
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

Rack4ASA2# show sla monitor operational-state

Entry number: 5
Modification time: 05:48:05.666 UTC Sat Feb 1 2003
Number of Octets Used by this Entry: 1480
Number of operations attempted: 19
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 05:48:59.667 UTC Sat Feb 1 2003
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1

Task 2.1 Solution


R2:
interface FastEthernet0/0
no ip proxy-arp


Task 2.1 Verification


SCRack4R2#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 136.1.2.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
<snip>


Task 2.2 Solution


R3:
!
! Configure SSH version 2
!
ip domain name INE.com
crypto key generate rsa general modulus 1024
ip ssh version 2

!
! Configure the username for SSH authentication and set the SSH
! authentication timeout to 30 seconds
!
username SSH password 0 CISCO
ip ssh time-out 30

!
! Configure incoming and outgoing telnet/SSH sessions. The exec-timeout
! should be 5 minutes
!
line vty 0 5
transport input ssh telnet
transport output ssh telnet
exec-timeout 5

R4:
!
! Configure SSH version 2
!
ip domain name INE.com
crypto key generate rsa general modulus 1024
ip ssh version 2

!
! Configure the username for SSH authentication and set the SSH
! authentication timeout to 30 seconds
!
username SSH password 0 CISCO
ip ssh time-out 30

!
! Configure incoming and outgoing telnet/SSH sessions. The exec-timeout
! should be 5 minutes
!
line vty 0 5
transport input ssh telnet
transport output ssh telnet
exec-timeout 5


Task 2.2 Verification


SCRack4R3#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 30 secs; Authentication retries: 3

SCRack4R3#show crypto key mypubkey rsa


% Key pair was generated at: 07:45:27 UTC Sep 13 2009
Key name: SCRack4R3.INE.com
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
% Key pair was generated at: 07:45:40 UTC Sep 13 2009
Key name: SCRack4R3.INE.com.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:

SCRack4R3#show line vty 0

<snip>
Special Chars: Escape Hold Stop Start Disconnect Activation
^^x none - - none
Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
00:05:00 never none not set
<snip>
Allowed input transports are telnet ssh.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters


SCRack4R3#ssh -l SSH 150.4.3.3

Password:

SCRack4R3>exit

[Connection to 150.4.3.3 closed by foreign host]

Task 2.3 Solution


In addition to the straightforward CBAC configuration, we should permit the
eBGP session between R6 and BB3.

R6:
!
! Configure the ACL to allow necessary traffic inbound on Fa0/1
!
ip access-list extended FROM_BB3
permit icmp any any echo-reply
permit icmp any any port-unreachable
permit icmp any any time-exceeded
permit tcp host 204.12.4.254 eq bgp host 204.12.4.6
permit tcp host 204.12.4.254 host 204.12.4.6 eq bgp

!
! Configure the ACL to be used for blocking JAVA applets
!
access-list 1 deny any

!
! Configure the inspection of tcp, udp, ftp and smtp traffic
!
ip inspect name TO_BB3 tcp
ip inspect name TO_BB3 udp
ip inspect name TO_BB3 ftp
ip inspect name TO_BB3 smtp

!
! Deny java to everyone
!
ip inspect name TO_BB3 http java-list 1

!
! Configure DNS timeout, TCP session deletion 3 seconds after FIN, and the
! half-open session thresholds
!
ip inspect dns-timeout 3
ip inspect tcp finwait 3
ip inspect max-incomplete low 150
ip inspect max-incomplete high 250


!
! Disable alerts
!
ip inspect alert-off

!
! Set the hash table size to the value closest to the average number of
! sessions
!
ip inspect hashtable-size 4096

!
! Apply the ACL inbound and inspection outbound on Fa0/1 towards BB3
!
interface FastEthernet0/1
ip inspect TO_BB3 out
ip access-group FROM_BB3 in

Task 2.3 Verification


SCRack4R6#show ip bgp summary
BGP router identifier 150.4.6.6, local AS number 100
BGP table version is 13, main routing table version 13
12 network entries using 1584 bytes of memory
22 path entries using 1144 bytes of memory
8/5 BGP path/bestpath attribute entries using 1344 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
BGP using 4176 total bytes of memory
BGP activity 12/0 prefixes, 22/0 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
54.9.1.254 4 54 49 48 13 0 0 00:41:42 10
150.4.1.1 4 100 962 960 13 0 0 15:59:46 0
204.12.4.254 4 54 48 46 13 0 0 00:38:38 10

SCRack4R6#show access-lists FROM_BB3

Extended IP access list FROM_BB3
10 permit icmp any any echo-reply
20 permit icmp any any port-unreachable
30 permit icmp any any time-exceeded
40 permit tcp host 204.12.4.254 eq bgp host 204.12.4.6 (29 matches)
50 permit tcp host 204.12.4.6 host 204.12.4.254 eq bgp


SCRack4R6#show ip inspect all

Session audit trail is disabled
Session alert is disabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [250 : 250]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 3 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 3 sec
Inspection Rule Configuration
Inspection name TO_BB3
tcp alert is off audit-trail is off timeout 3600
udp alert is off audit-trail is off timeout 30
ftp alert is off audit-trail is off timeout 3600
smtp max-data 20000000 alert is off audit-trail is off timeout 3600
http java-list 1 alert is off audit-trail is off timeout 3600

Interface Configuration
Interface FastEthernet0/1
Inbound inspection rule is not set
Outgoing inspection rule is TO_BB3
tcp alert is off audit-trail is off timeout 3600
udp alert is off audit-trail is off timeout 30
ftp alert is off audit-trail is off timeout 3600
smtp max-data 20000000 alert is off audit-trail is off timeout 3600
http java-list 1 alert is off audit-trail is off timeout 3600
Inbound access list is FROM_BB3
Outgoing access list is not set

We temporarily add a route to VLAN 63 on R1 to test CBAC.

R1:
!
ip route 204.12.4.0 255.255.255.0 136.1.136.6

SCRack4R1#ping 204.12.4.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms


SCRack4R1#telnet 204.12.4.254
Trying 204.12.4.254 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB3. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.ine.com/downloads/bb3.txt |
| |
+-----------------------------------------------------------------------+

SC.9.9.BB3>

SCRack4R6#show ip inspect sessions

Established Sessions
Session 49034F08 (136.1.136.1:55477)=>(204.12.4.254:23) tcp SIS_OPEN

SCRack4R6#show access-lists FROM_BB3

Extended IP access list FROM_BB3
10 permit icmp any any echo-reply (5 matches)
20 permit icmp any any port-unreachable
30 permit icmp any any time-exceeded
40 permit tcp host 204.12.4.254 eq bgp host 204.12.4.6 (75 matches)
50 permit tcp host 204.12.4.6 host 204.12.4.254 eq bgp

SCRack4R1#traceroute 204.12.4.254

Type escape sequence to abort.
Tracing the route to 204.12.4.254

1 136.1.136.6 0 msec 4 msec 0 msec
2 204.12.4.254 4 msec * 4 msec

SCRack4R6#show ip inspect sessions
Half-open Sessions
Session 49034F08 (136.1.136.1:49157)=>(204.12.4.254:33437) udp SIS_OPENING
Session 49034C40 (136.1.136.1:49158)=>(204.12.4.254:33438) udp SIS_OPENING
Session 49034978 (136.1.136.1:49159)=>(204.12.4.254:33439) udp SIS_OPENING


SCRack4R6#show access-lists FROM_BB3

Extended IP access list FROM_BB3
10 permit icmp any any echo-reply (5 matches)
20 permit icmp any any port-unreachable (2 matches)
30 permit icmp any any time-exceeded
40 permit tcp host 204.12.4.254 eq bgp host 204.12.4.6 (77 matches)
50 permit tcp host 204.12.4.6 host 204.12.4.254 eq bgp

R1:
!
no ip route 204.12.4.0 255.255.255.0 136.1.136.6

Task 2.4 Solution


R4:
!
! Configure inspect class-map to match on http
!
class-map type inspect cmap-http
match protocol http

!
! Configure inspect class-map to match on outbound traffic
!
class-map type inspect match-any cmap-outbound-apps
match protocol ssh
match protocol telnet
match protocol icmp
match protocol tcp

!
! Configure inspect class-map to match on inbound traffic
!
class-map type inspect match-any cmap-inbound-apps
match protocol telnet
match protocol icmp

!
! Configure an inspect parameter-map to set some parameters like in CBAC
!
parameter-map type inspect param-map
audit-trail on
max-incomplete low 5
max-incomplete high 10
dns-timeout 3
sessions maximum 50
tcp synwait-time 5

!
! Configure an urlfilter parameter-map to deny a certain URL
!
parameter-map type urlfilter param-map-url
exclusive-domain deny .badsite.com


!
! Configure the inspect policy-map for inbound traffic
!
policy-map type inspect pmap-inbound
class type inspect cmap-inbound-apps
inspect param-map
police rate 20000 burst 5000
class type inspect cmap-http
inspect param-map
urlfilter param-map-url

!
! Configure the inspect policy-map for outbound traffic
!
policy-map type inspect pmap-outbound
class type inspect cmap-outbound-apps
inspect param-map
class type inspect cmap-http
inspect param-map
urlfilter param-map-url

!
! Create the two security zones
!
zone security inside
zone security outside

!
! Configure zone-pairs and apply firewall policies correspondingly
!
zone-pair security inside-outside source inside destination outside
service-policy type inspect pmap-outbound

zone-pair security outside-inside source outside destination inside
service-policy type inspect pmap-inbound

!
! Map interfaces to security zones
!
interface Loopback 4
zone-member security inside
!
interface Serial0/1
zone-member security inside
!
interface Serial 0/0.1245
zone-member security inside
!
interface FastEthernet0/1
zone-member security inside
!
interface Loopback 0
zone-member security inside
!
interface FastEthernet 0/0
zone-member security outside


Task 2.4 Verification


SCRack4SW1#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
150.4.4.4 1 FULL/DROTHER 00:00:32 136.1.255.4 FastEthernet0/4
150.4.8.8 1 FULL/DR 00:00:37 136.1.255.8 FastEthernet0/4

SCRack4R4#show policy-map type inspect

Policy Map type inspect pmap-outbound
Class cmap-outbound-apps
Inspect param-map
Class cmap-http
Inspect param-map
Urlfilter param-map-url
Class cmap-ospf
Pass
Class class-default

Policy Map type inspect pmap-inbound
Class cmap-inbound-apps
Inspect param-map
Police rate 20000 burst 5000
Class cmap-http
Inspect param-map
Urlfilter param-map-url
Class cmap-ospf
Pass
Class class-default

SCRack4SW2#ping 136.1.255.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.255.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

SCRack4SW2#telnet 136.1.255.7
Trying 136.1.255.7 ... Open

User Access Verification

Password:
SCRack4SW1>exit

[Connection to 136.1.255.7 closed by foreign host]


SCRack4SW1#ping 136.1.255.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.255.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

SCRack4SW1#telnet 136.1.255.8
Trying 136.1.255.8 ... Open

User Access Verification

Password:
SCRack4SW2>exit

[Connection to 136.1.255.8 closed by foreign host]

SCRack4R4#show policy-map type inspect zone-pair

Zone-pair: inside-outside

Service-policy inspect : pmap-outbound

Class-map: cmap-outbound-apps (match-any)
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol telnet
1 packets, 24 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:43]
icmp packets: [0:10]

<snip>

Zone-pair: outside-inside

Service-policy inspect : pmap-inbound

Class-map: cmap-inbound-apps (match-any)
Match: protocol telnet
1 packets, 24 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:42]
icmp packets: [0:10]

Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 00:09:09
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 2
Last half-open session total 0
Police
rate 20000 bps,5000 limit
conformed 52 packets, 3718 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps

Class-map: cmap-http (match-all)
Match: protocol http
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Urlfilter

Class-map: cmap-ospf (match-all)
Match: access-group name acl-ospf
Pass
0 packets, 0 bytes

Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
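The verification output above lists a class cmap-ospf with the pass action, matching access-group acl-ospf, which the Task 2.4 solution listing does not include. The following is an added example of how that class can be defined; it is not the workbook's own configuration, and the ACL contents (OSPF, IP protocol 89) and the match-all class type are assumptions drawn from the show output.

```ios
! Added example (not from the workbook): the OSPF pass class that the
! Task 2.4 verification references. ACL contents are assumed.
!
! ACL matching OSPF (IP protocol 89); "any any" also covers the
! 224.0.0.5/224.0.0.6 multicast hellos
!
ip access-list extended acl-ospf
 permit ospf any any
!
! Inspect class-map keyed on the ACL; the show output reports it as
! match-all
!
class-map type inspect match-all cmap-ospf
 match access-group name acl-ospf
!
! Append the class to both existing inspect policy-maps with the pass
! action. Pass creates no session state, so each zone-pair direction
! needs its own entry. IOS places the new class ahead of the implicit
! class-default, which keeps dropping everything not matched above it.
!
policy-map type inspect pmap-outbound
 class type inspect cmap-ospf
  pass
!
policy-map type inspect pmap-inbound
 class type inspect cmap-ospf
  pass
```

OSPF packets sourced by or addressed to R4 itself belong to the self zone, which the inside-outside and outside-inside zone-pairs do not govern, so this class only affects OSPF that transits R4 between the two zones.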


Task 3.1 Solution


R3:
!
! Configure the strongest ISAKMP policy with AES 256 and SHA-1
!
crypto isakmp policy 20
encr aes 256
hash sha
auth pre-share
group 5

!
! Configure the keyring
!
crypto keyring vpn
pre-shared-key address 150.4.4.4 key cisco

!
! Configure the isakmp profile, needed for keyring match
!
crypto isakmp profile isa-prof
keyring vpn
match identity address 150.4.4.4 255.255.255.255

!
! Configure the proxy-ACL for IPSec interesting traffic
!
ip access-list extended VLAN100_TO_VLAN4
permit ip 136.1.100.0 0.0.0.255 10.4.4.0 0.0.0.255

!
! Configure the IPSec encryption/hashing policy, aka transform-set
!
crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac

!
! Bind all of the above together in the crypto-map. Configure PFS so that
! a new DH exchange is forced with every new SA; specify the SA lifetime
! to be 10 minutes; specify IKE/IPSec traffic to be initiated/terminated
! on the Loopback interface
!
crypto map VPN local-address loopback 0
crypto map VPN isakmp-profile isa-prof
crypto map VPN 20 ipsec-isakmp
match address VLAN100_TO_VLAN4
set peer 150.4.4.4
set transform-set AES_256_SHA
set pfs group5
set isakmp-profile isa-prof
set security-association lifetime seconds 600


!
! Apply the crypto-map
!
interface FastEthernet 0/0
crypto map VPN

R4:
!
! Configure the strongest ISAKMP policy with AES 256 and SHA-1
!
crypto isakmp policy 20
encr aes 256
hash sha
auth pre-share
group 5

!
! Configure the keyring
!
crypto keyring vpn vrf vrf1
pre-shared-key address 150.4.3.3 key cisco

!
! Configure the isakmp profile, needed for keyring match. Make sure to
! specify the VRF in it
!
crypto isakmp profile isa-prof
vrf vrf1
keyring vpn
match identity address 150.4.3.3 255.255.255.255 vrf1

!
! Configure the proxy-ACL for IPSec interesting traffic
!
ip access-list extended VLAN4_TO_VLAN100
permit ip 10.4.4.0 0.0.0.255 136.1.100.0 0.0.0.255

!
! Configure the IPSec encryption/hashing policy, aka transform-set
!
crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac

!
! Bind all of the above together in the crypto-map, as on R3: PFS, a
! 10-minute SA lifetime, and IKE/IPSec sourced from the Loopback interface
!
crypto map VPN isakmp-profile isa-prof
crypto map VPN local-address loopback 0
crypto map VPN 10 ipsec-isakmp
match address VLAN4_TO_VLAN100
set peer 150.4.3.3
set transform-set AES_256_SHA
set pfs group5
set security-association lifetime seconds 600
set isakmp-profile isa-prof


!
! Apply the crypto-map
!
interface Serial 0/1
crypto map VPN
!
interface Serial 0/0.1245
crypto map VPN

Task 3.1 Verification


SCRack4R3#ping 10.4.4.4 source fastEthernet 0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 136.1.100.3
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 192/193/196 ms

SCRack4R3#show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.4.4 150.4.3.3 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

SCRack4R3#show crypto isakmp sa detail


Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local      Remote     I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.

1001  150.4.3.3  150.4.4.4         ACTIVE  aes   sha   psk   5   23:59:39
      Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

SCRack4R3#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: VPN, local addr 150.4.3.3

protected vrf: (none)


local ident (addr/mask/prot/port): (136.1.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
current_peer 150.4.4.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 150.4.3.3, remote crypto endpt.: 150.4.4.4


path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF876360B(4168496651)

inbound esp sas:


spi: 0xC41C24CE(3290178766)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4587885/537)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0xF876360B(4168496651)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4587885/537)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Task 3.2 Solution


There are several restrictions when configuring an L2TP over IPsec tunnel: only DH
group 1 is supported by the Windows clients; only the default tunnel-group and
group-policy support this type of remote access connection; if local
authentication is in use, the passwords must be stored in MSCHAP format; and
most Windows clients support only transport mode IPsec. The transport
protocol for L2TP is UDP, port 1701.

ASA2:
!
! Enable ISAKMP on the outside interface and configure the ISAKMP policy.
! Configure DH group 1, as it is the only group supported by the L2TP
! clients; the ASA uses DH group 2 by default
!
crypto isakmp enable outside
crypto isakmp policy 10
encr des
hash md5
group 1
auth pre-share

!
! Create the L2TP user and store the password in MSCHAP format, as
! the ASA will authenticate the user against the local database
!
username L2TP password CISCO mschap
username L2TP attributes
vpn-tunnel-protocol l2tp-ipsec

!
! Configure address pool for L2TP users
!
ip local pool L2TP_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0

!
! Configure default RA group policy, permit L2TP over IPsec.
!
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
!
! Create a transport mode IPSec transform-set, as Windows L2TP clients use
! transport mode
!
crypto ipsec transform-set DES_MD5_TRANS esp-des esp-md5-hmac
crypto ipsec transform-set DES_MD5_TRANS mode transport

!
! Configure dynamic crypto map for IPsec wrapping of L2TP
!
crypto dynamic-map DYNAMIC 10 set transform-set DES_MD5_TRANS
crypto map VPN 1000 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside

!
! Configure Default RA group, assign Address Pool and Auth Server
!
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP_POOL
authentication-server-group LOCAL

!
! Configure IPsec pre-shared key
!
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key CISCO

!
! Permit U-turn traffic on the outside interface, so that VPN clients can reach the IPS
!
same-security-traffic permit intra-interface

Task 3.2 Verification


Assign the test PC to VLAN126 and initiate an L2TP over IPsec connection:

Rack4ASA2# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 136.1.125.105
Type : user Role : responder
Rekey : no State : MM_ACTIVE

Rack4ASA2# show crypto ipsec sa


interface: outside
Crypto map tag: DYNAMIC, seq num: 10, local addr: 136.1.100.13

local ident (addr/mask/prot/port): (136.1.100.13/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (136.1.125.105/255.255.255.255/17/1701)
current_peer: 136.1.125.105, username: L2TP
dynamic allocated peer ip: 192.168.100.1

#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 111, #pkts decrypt: 111, #pkts verify: 111
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 23, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 136.1.100.13, remote crypto endpt.: 136.1.125.105
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8C44EFAE

inbound esp sas:


spi: 0x8348DB40 (2202590016)
transform: esp-des esp-md5-hmac no compression
in use settings ={RA, Transport, }
slot: 0, conn_id: 4096, crypto-map: DYNAMIC
sa timing: remaining key lifetime (kB/sec): (212381/3464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x8C44EFAE (2353328046)
transform: esp-des esp-md5-hmac no compression
in use settings ={RA, Transport, }
slot: 0, conn_id: 4096, crypto-map: DYNAMIC
sa timing: remaining key lifetime (kB/sec): (212400/3464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Rack4ASA2# show vpn-sessiondb detail remote filter protocol l2tpOverIpSec

Session Type: IPsec Detailed

Username : L2TP Index : 1


Assigned IP : 192.168.100.1 Public IP : 136.1.125.105
Protocol : IKE IPsec L2TPOverIPsec
License : IPsec
Encryption : DES Hashing : MD5
Bytes Tx : 1330 Bytes Rx : 21226
Pkts Tx : 25 Pkts Rx : 113
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy Tunnel Group : DefaultRAGroup
Login Time : 23:18:45 UTC Sat Feb 1 2003
Duration : 0h:04m:02s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

IKE Tunnels: 1
IPsec Tunnels: 1
L2TPOverIPsec Tunnels: 1

IKE:
Tunnel ID : 1.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : DES Hashing : MD5
Rekey Int (T): 28800 Seconds Rekey Left(T): 28558 Seconds
D/H Group : 1
Filter Name :

IPsec:
Tunnel ID : 1.2
Local Addr : 136.1.100.13/255.255.255.255/17/1701
Remote Addr : 136.1.125.105/255.255.255.255/17/1701
Encryption : DES Hashing : MD5
Encapsulation: Transport
Rekey Int (T): 3600 Seconds Rekey Left(T): 3357 Seconds
Rekey Int (D): 250000 K-Bytes Rekey Left(D): 249980 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 1330 Bytes Rx : 21226
Pkts Tx : 25 Pkts Rx : 113

L2TPOverIPsec:
Tunnel ID : 1.3
Username : L2TP
Assigned IP : 192.168.100.1 Public IP : 136.1.125.105
Encryption : none Auth Mode : msCHAPV1
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : Microsoft
Client OS Ver: 5.0
Bytes Tx : 366 Bytes Rx : 17746
Pkts Tx : 16 Pkts Rx : 102

NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 246 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :

Task 3.3 Solution


ASA1:
!
! Enable ISAKMP on the outside interface and configure the IKE Phase1
! policy
!
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha

!
! Since all traffic from inside is NAT’ed we need to configure NAT
! exemption for IPSec traffic; match the IPSec traffic in ACL
!
access-list nonat permit ip 10.0.0.0 255.255.255.0 136.1.100.0 255.255.255.0

!
! Configure proxy-ACL to match interesting IPSec traffic
!
access-list crypto-acl permit ip 10.0.0.0 255.255.255.0 136.1.100.0 255.255.255.0

!
! Configure the tunnel-group and pre-shared key
!
tunnel-group 136.1.100.13 type ipsec-l2l
tunnel-group 136.1.100.13 ipsec-attributes
pre-shared-key cisco

!
! Configure IPSec traffic policy, aka transform set
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!
! Configure the crypto map and apply it on outside interface
!
crypto map outside_map 1 match address crypto-acl
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 136.1.100.13
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

!
! Configure NAT exemption for IPSec traffic
!
nat (inside) 0 access-list nonat

ASA2:
!
! Configure proxy-ACL to match interesting IPSec traffic
!
access-list crypto-acl permit ip 136.1.100.0 255.255.255.0 10.0.0.0 255.255.255.0

!
! Configure the IKE Phase 1 policy to match the one on ASA1
!
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha

!
! Configure the tunnel-group and pre-shared key
!
tunnel-group 136.1.125.12 type ipsec-l2l
tunnel-group 136.1.125.12 ipsec-attributes
pre-shared-key cisco

!
! Configure IPSec traffic policy, aka transform set
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!
! Configure the crypto-map with a sequence number lower than 1000 which
! is the dynamic entry for task 3.2
!
crypto map VPN 1 match address crypto-acl
crypto map VPN 1 set pfs group1
crypto map VPN 1 set peer 136.1.125.12
crypto map VPN 1 set transform-set ESP-3DES-SHA

Task 3.3 Verification


Rack4ASA2# ping 10.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 80/85/90 ms

Rack4ASA2# show crypto isakmp sa detail

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 136.1.125.12
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86365

Rack4ASA2# show crypto ipsec sa


interface: outside
Crypto map tag: VPN, seq num: 1, local addr: 136.1.100.13

access-list crypto-acl permit ip 136.1.100.0 255.255.255.0 10.0.0.0 255.255.255.0
local ident (addr/mask/prot/port): (136.1.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer: 136.1.125.12

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 136.1.100.13, remote crypto endpt.: 136.1.125.12
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 25D01BD8

inbound esp sas:


spi: 0x7C4CA0FE (2085396734)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 24576, crypto-map: VPN
sa timing: remaining key lifetime (kB/sec): (3914999/28710)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x25D01BD8 (634395608)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 24576, crypto-map: VPN
sa timing: remaining key lifetime (kB/sec): (3914999/28710)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
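
The verification outputs for Tasks 3.1 to 3.3 show the transform, the encapsulation mode and the PFS group of every SA, but reading them by eye is error-prone. As an added example that is not part of the workbook, the Python script below parses IOS and ASA "show crypto ipsec sa" output and reports SAs that use DES or 3DES, MD5, DH group 1 or 2 for PFS, have replay detection off, or are in an unexpected mode; the weak-algorithm sets are our own review policy (an assumption), and the sample output is constructed from the values printed on this page.

```python
import re
from dataclasses import dataclass

# Algorithms and groups the audit treats as weak: our own review policy for
# this example (an assumption), not a Cisco or INE recommendation.
WEAK_ENCRYPTION = {"esp-des", "esp-3des"}
WEAK_INTEGRITY = {"esp-md5-hmac"}
WEAK_PFS_GROUPS = {"1", "2"}


@dataclass
class IpsecSa:
    direction: str          # "inbound" or "outbound"
    spi: str
    transform: str = ""     # e.g. "esp-3des esp-sha-hmac"
    mode: str = ""          # "Tunnel" or "Transport"
    pfs_group: str = ""     # "" when the SA was built without PFS
    replay: bool = False


def parse_ipsec_sa(text: str) -> list:
    """Parse the ESP SA blocks of IOS or ASA 'show crypto ipsec sa' output."""
    sas, direction, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(inbound|outbound) esp sas:", line)
        if m:
            direction, sa = m.group(1), None
            continue
        if re.match(r"(inbound|outbound) (ah|pcp) sas:", line):
            sa = None                       # end of the ESP block
            continue
        m = re.match(r"spi: (0x[0-9A-Fa-f]+)", line)
        if m and direction:
            sa = IpsecSa(direction, m.group(1))
            sas.append(sa)
            continue
        if sa is None:
            continue
        m = re.match(r"transform: (.+)", line)
        if m:
            # IOS ends the line with " ,", ASA appends "no compression"
            t = m.group(1).replace(",", "").replace("no compression", "")
            sa.transform = " ".join(t.split())
        elif line.startswith("in use settings ={"):
            for item in line[len("in use settings ={"):].rstrip("}").split(","):
                item = item.strip()
                if item in ("Tunnel", "Transport"):
                    sa.mode = item
                elif item.startswith("PFS Group "):
                    sa.pfs_group = item.split()[-1]
        elif line.startswith("replay detection support:"):
            sa.replay = line.endswith("Y")
    return sas


def audit(sas: list, expect_mode: str = "") -> list:
    """Return one finding per policy violation; an empty list means clean."""
    findings = []
    for sa in sas:
        tag = f"{sa.direction} {sa.spi}"
        for alg in sa.transform.split():
            if alg in WEAK_ENCRYPTION:
                findings.append(f"{tag}: weak encryption {alg}")
            if alg in WEAK_INTEGRITY:
                findings.append(f"{tag}: weak integrity {alg}")
        if sa.pfs_group in WEAK_PFS_GROUPS:
            findings.append(f"{tag}: weak PFS group {sa.pfs_group}")
        if not sa.replay:
            findings.append(f"{tag}: replay detection off")
        if expect_mode and sa.mode != expect_mode:
            findings.append(f"{tag}: expected {expect_mode} mode, got {sa.mode}")
    return findings


# Constructed sample, trimmed from the ASA2 site-to-site SA in Task 3.3.
ASA_L2L_SA = """\
    inbound esp sas:
      spi: 0x7C4CA0FE (2085396734)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         replay detection support: Y
    outbound esp sas:
      spi: 0x25D01BD8 (634395608)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         replay detection support: Y
"""

# Constructed sample, trimmed from the R3 IOS SA in Task 3.1 (AES-256/SHA).
IOS_SA = """\
     inbound esp sas:
      spi: 0xC41C24CE(3290178766)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
     inbound ah sas:
"""
```

Run audit(parse_ipsec_sa(output), expect_mode="Transport") against the Task 3.2 L2TP output to confirm transport mode and to see the DES/MD5 transform flagged.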

Task 3.4 Solution


Don’t forget that a router configured as a CA needs to be enrolled with itself as the
PKI CA in order to be able to authenticate IKE sessions based on RSA
signatures.

R3:
!
! Configure R3 as NTP master and authenticate clients
!
ntp source Loopback0
ntp master 2
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
clock timezone PST -8
clock summer-time PDT recurring

!
! Enable the HTTP server, which the certificate server needs for enrollment
!
ip http server
ip domain-name INE.com

!
! Configure the IOS CA server; specify the database path and the level
! of information stored in the database to minimum; activate the server
! and configure the server to issue certificates automatically
!
crypto pki server R3-CA_Server
database url nvram:
database level minimum
grant auto
no shutdown

!
! Configure R3 as a trustpoint and authenticate/enroll with it; since R3
! is actively participating in the VPN it needs a certificate of its own
!
crypto ca trustpoint R3-CA
enrollment url http://150.4.3.3:80
revocation-check none
!
crypto pki authenticate R3-CA
crypto pki enroll R3-CA

!
! Configure IKE Phase 1 policy
!
crypto isakmp policy 1
encr aes
hash sha
authentication rsa-sig

!
! Configure the IPSec traffic policy, aka transform-set
!
crypto ipsec transform-set Trans-GDOI-AES-SHA esp-aes esp-sha-hmac

!
! Configure the IPSec profile
!
crypto ipsec profile PROF-GDOI-Group1
set transform-set Trans-GDOI-AES-SHA

!
! Configure the GDOI policy and the data-plane protection parameters
!
crypto gdoi group group1
identity number 1
server local
address ipv4 150.4.3.3
rekey authentication mypubkey rsa SCRack4R3.INE.com
rekey transport unicast
sa ipsec 1
profile PROF-GDOI-Group1
match address ipv4 136
redundancy
local priority 10
!
! Configure the proxy-ACL, the interesting traffic for IPSec, which will
! get downloaded by every GM
!
access-list 136 permit icmp host 136.1.136.1 host 136.1.136.6
access-list 136 permit icmp host 136.1.136.6 host 136.1.136.1

R6:
!
! Configure NTP and synchronize with R3
!
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 150.4.3.3 key 1 source Loopback0

!
! Generate RSA keys for certificate enrollment
!
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024

!
! Configure the trustpoint and authenticate/enroll with the CA
!
crypto ca trustpoint R3-CA
enrollment url http://150.4.3.3:80
revocation-check none
!
crypto pki authenticate R3-CA
crypto pki enroll R3-CA

!
! Configure the IKE Phase 1 policy
!
crypto isakmp policy 1
encr aes
hash sha
authentication rsa-sig

!
! Configure the GDOI group and server IP address
!
crypto gdoi group group1
identity number 1
server address ipv4 150.4.3.3

!
! Configure the crypto-map, reference the GDOI group and apply the
! crypto-map
!
crypto map map-group1 10 gdoi
set group group1
!
interface FastEthernet0/0
crypto map map-group1

R1:
!
! Configure NTP and synchronize with R3
!
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 150.4.3.3 key 1 source Loopback0

!
! Generate RSA keys for certificate enrollment
!
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024

!
! Configure the trustpoint and authenticate/enroll with the CA
!
crypto ca trustpoint R3-CA
enrollment url http://150.4.3.3:80
revocation-check none
!
crypto pki authenticate R3-CA
crypto pki enroll R3-CA

!
! Configure the IKE Phase 1 policy
!
crypto isakmp policy 1
encr aes
hash sha
authentication rsa-sig

!
! Configure the GDOI group and server IP address
!
crypto gdoi group group1
identity number 1
server address ipv4 150.4.3.3

!
! Configure the crypto-map, reference the GDOI group and apply the
! crypto-map
!
crypto map map-group1 10 gdoi
set group group1
!
interface FastEthernet0/0
crypto map map-group1

Task 3.4 Verification


SCRack4R3#show ntp status
Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**18
reference time is CE5916C7.5CDAB606 (12:23:51.362 PDT Mon Sep 14 2009)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

SCRack4R1#show ntp status


Clock is synchronized, stratum 3, reference is 150.4.3.3
nominal freq is 249.5901 Hz, actual freq is 249.5933 Hz, precision is 2**18
reference time is CE5916F3.FFC3D765 (12:24:35.999 PDT Mon Sep 14 2009)
clock offset is -12.1045 msec, root delay is 4.17 msec
root dispersion is 12.31 msec, peer dispersion is 0.17 msec

SCRack4R1#show ntp associations detail


150.4.3.3 configured, authenticated, our_master, sane, valid, stratum 2
ref ID 127.127.7.1, time CE591787.5C873950 (12:27:03.361 PDT Mon Sep 14 2009)
<snip>

SCRack4R6#show ntp status


Clock is synchronized, stratum 3, reference is 150.4.3.3
nominal freq is 250.0000 Hz, actual freq is 249.9950 Hz, precision is 2**24
<snip>

SCRack4R6#show ntp associations detail


150.4.3.3 configured, authenticated, our_master, sane, valid, stratum 2
ref ID 127.127.7.1, time CE591787.5C873950 (12:27:03.361 PDT Mon Sep 14 2009)
<snip>

SCRack4R1#show crypto pki certificates


Certificate
Status: Available
Certificate Serial Number: 0x3
Certificate Usage: General Purpose
Issuer:
cn=R3-CA_Server
Subject:
Name: SCRack4R1.INE.com
hostname=SCRack4R1.INE.com
Validity Date:
start date: 11:34:04 PDT Sep 14 2009
end date: 11:34:04 PDT Sep 14 2010
Associated Trustpoints: R3-CA

CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=R3-CA_Server
Subject:
cn=R3-CA_Server
Validity Date:
start date: 10:12:34 PDT Sep 14 2009
end date: 10:12:34 PDT Sep 13 2012
Associated Trustpoints: R3-CA

SCRack4R6#show crypto pki certificates


Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=R3-CA_Server
Subject:
Name: SCRack4R6.INE.com
hostname=SCRack4R6.INE.com
Validity Date:
start date: 11:24:38 PDT Sep 14 2009
end date: 11:24:38 PDT Sep 14 2010
Associated Trustpoints: R3-CA
Storage: nvram:R3-CA_Server#2.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=R3-CA_Server
Subject:
cn=R3-CA_Server
Validity Date:
start date: 10:12:34 PDT Sep 14 2009
end date: 10:12:34 PDT Sep 13 2012
Associated Trustpoints: R3-CA
Storage: nvram:R3-CA_Server#1CA.cer

SCRack4R3#show crypto pki certificates


Certificate
Status: Available
Certificate Serial Number: 0x4
Certificate Usage: General Purpose
Issuer:
cn=R3-CA_Server
Subject:
Name: SCRack4R3.INE.com
hostname=SCRack4R3.INE.com
Validity Date:
start date: 11:53:26 PDT Sep 14 2009
end date: 11:53:26 PDT Sep 14 2010
Associated Trustpoints: R3-CA

CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=R3-CA_Server
Subject:
cn=R3-CA_Server
Validity Date:
start date: 10:12:34 PDT Sep 14 2009
end date: 10:12:34 PDT Sep 13 2012
Associated Trustpoints: R3-CA R3-CA_Server
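
RSA-signature IKE authentication fails when a router's clock falls outside a certificate's validity window, which is why the solution synchronizes NTP before enrolling. As an added example that is not part of the workbook, the Python script below parses the "show ntp status" and "show crypto pki certificates" output printed in this verification and reports an unsynchronized clock and certificates that are expired, not yet valid, or expiring within a configurable warning window; the sample output is constructed from the R1 values on this page, and the 30-day warning window is our own choice.

```python
import re
from datetime import datetime, timedelta

# IOS prints certificate dates as "11:34:04 PDT Sep 14 2009" and the NTP
# reference time as "12:24:35.999 PDT Mon Sep 14 2009"; one pattern covers
# both. The zone is dropped, so all times stay naive, in router-local time.
_IOS_DATE = re.compile(
    r"(\d{2}:\d{2}:\d{2})(?:\.\d+)? \w+ (?:\w{3} )?(\w{3}) (\d{1,2}) (\d{4})")


def parse_ios_date(text: str) -> datetime:
    m = _IOS_DATE.search(text)
    if not m:
        raise ValueError(f"unrecognised IOS date in {text!r}")
    hms, mon, day, year = m.groups()
    return datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")


def parse_certificates(text: str) -> list:
    """Return one dict per certificate in 'show crypto pki certificates'."""
    certs, cur, section = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            cur = {"kind": line, "subject": "", "start": None, "end": None}
            certs.append(cur)
            section = ""
        elif cur is None:
            continue
        elif line in ("Issuer:", "Subject:", "Validity Date:"):
            section = line
        elif section == "Subject:" and not cur["subject"]:
            # first subject line is "Name: host" (router) or "cn=..." (CA)
            cur["subject"] = line.split("=", 1)[-1].split(": ", 1)[-1]
        elif re.match(r"start\s+date:", line):
            cur["start"] = parse_ios_date(line)
        elif re.match(r"end\s+date:", line):
            cur["end"] = parse_ios_date(line)
    return certs


def parse_ntp_status(text: str):
    """Return (synchronized, reference_time) from 'show ntp status'."""
    synced = "Clock is synchronized" in text
    m = re.search(r"reference time is \S+ \((.+?)\)", text)
    return synced, (parse_ios_date(m.group(1)) if m else None)


def check_certificates(certs: list, now: datetime, synced: bool,
                       warn_days: int = 30) -> list:
    """Findings a reviewer wants before relying on RSA-sig IKE."""
    findings = []
    if not synced:
        findings.append("clock not synchronized: validity checks are unreliable")
    for c in certs:
        tag = f"{c['kind']} {c['subject']}"
        if c["start"] is None or c["end"] is None:
            findings.append(f"{tag}: validity dates missing")
        elif now < c["start"]:
            findings.append(f"{tag}: not yet valid, starts {c['start']}")
        elif now > c["end"]:
            findings.append(f"{tag}: expired {c['end']}")
        elif c["end"] - now < timedelta(days=warn_days):
            findings.append(f"{tag}: expires within {warn_days} days, {c['end']}")
    return findings


# Constructed samples, trimmed from the R1 outputs in the Task 3.4 verification.
R1_NTP_STATUS = """\
Clock is synchronized, stratum 3, reference is 150.4.3.3
reference time is CE5916F3.FFC3D765 (12:24:35.999 PDT Mon Sep 14 2009)
"""

R1_CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number: 0x3
  Issuer:
    cn=R3-CA_Server
  Subject:
    Name: SCRack4R1.INE.com
    hostname=SCRack4R1.INE.com
  Validity Date:
    start date: 11:34:04 PDT Sep 14 2009
    end   date: 11:34:04 PDT Sep 14 2010
CA Certificate
  Status: Available
  Issuer:
    cn=R3-CA_Server
  Subject:
    cn=R3-CA_Server
  Validity Date:
    start date: 10:12:34 PDT Sep 14 2009
    end   date: 10:12:34 PDT Sep 13 2012
"""
```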

Verify the KS and GM configuration and confirm that packets between R1 and R6
are encrypted:

SCRack4R3#show crypto gdoi ks


Total group members registered to this box: 2

Key Server Information For Group group1:


Group Name : group1
Group Identity : 1
Group Members : 2
IPSec SA Direction : Both
ACL Configured:
access-list 136

SCRack4R3#show crypto gdoi group group1


Group Name : group1 (Unicast)
Group Identity : 1
Group Members : 2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 83659 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs

IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : PROF-GDOI-Group1
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 860 secs
ACL Configured : access-list 136

Group Server list : Local

SCRack4R1#show crypto gdoi


GROUP INFORMATION

Group Name : group1


Group Identity : 1
Rekeys received : 0
IPSec SA Direction : Both
Active Group Server : 150.4.3.3
Group Server list : 150.4.3.3

GM Reregisters in : 645 secs
Rekey Received : never

Rekeys received
Cumulative : 0
After registration : 0
Rekey Acks sent : 0

ACL Downloaded From KS 150.4.3.3:


access-list permit icmp host 136.1.136.1 host 136.1.136.6
access-list permit icmp host 136.1.136.6 host 136.1.136.1

KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86362
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024

TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x6DD91C6(115184070)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (825)
Anti-Replay : Disabled

IPsec SA:
sa direction:outbound
spi: 0x6DD91C6(115184070)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (825)
Anti-Replay : Disabled

IPsec SA:
sa direction:inbound
spi: 0x6DD91C6(115184070)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (824)
Anti-Replay : Disabled

IPsec SA:
sa direction:outbound
spi: 0x6DD91C6(115184070)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (824)
Anti-Replay : Disabled

SCRack4R1#ping 136.1.136.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.136.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms

SCRack4R1#show crypto ipsec sa interface fastEthernet 0/0

interface: FastEthernet0/0
Crypto map tag: map-group1, local addr 136.1.136.1

protected vrf: (none)


local ident (addr/mask/prot/port): (136.1.136.6/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (136.1.136.1/255.255.255.255/1/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 136.1.136.1, remote crypto endpt.:


path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x6DD91C6(115184070)

inbound esp sas:


spi: 0x6DD91C6(115184070)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: 3, crypto map: map-group1
sa timing: remaining key lifetime (sec): (773)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
<snip>

protected vrf: (none)


local ident (addr/mask/prot/port): (136.1.136.1/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (136.1.136.6/255.255.255.255/1/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 136.1.136.1, remote crypto endpt.:


path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x6DD91C6(115184070)

inbound esp sas:


spi: 0x6DD91C6(115184070)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: map-group1
sa timing: remaining key lifetime (sec): (773)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x6DD91C6(115184070)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: map-group1
sa timing: remaining key lifetime (sec): (773)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

SCRack4R1#show crypto isakmp sa detail


Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local        Remote     I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.

1006  136.1.136.1  150.4.3.3         ACTIVE  aes   sha   rsig  1   23:07:58
      Engine-id:Conn-id = SW:6

1007  136.1.136.1  150.4.3.3         ACTIVE  3des  sha   psk   0   0
      Engine-id:Conn-id = SW:7

IPv6 Crypto ISAKMP SA

Task 4.1 Solution


IPS:
sensor# conf t
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-name Rack4IPS
sensor(config-hos-net)# host-ip 136.1.100.10/24,136.1.100.13
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes

Task 4.1 Verification


sensor# show configuration
! ------------------------------
! Current configuration last modified Mon Sep 14 12:44:31 2009
! ------------------------------
! Version 6.0(3)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S291.0 2007-06-18
! Virus Update V1.2 2005-11-24
! ------------------------------
display-serial
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 136.1.100.10/24,136.1.100.13
host-name Rack4IPS
telnet-option disabled
exit
time-zone-settings
offset 0

standard-time-zone-name UTC
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit

Task 4.2 Solution


IPS:

sensor(config)# service host


sensor(config-hos)# network-settings
sensor(config-hos-net)# access-list 10.0.0.0/24
sensor(config-hos-net)# access-list 192.168.100.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)# service web-server
sensor(config-web)# enable-tls true
sensor(config-web)# port 443
sensor(config-web)# exit
Apply Changes?[yes]: yes

Task 4.2 Verification


sensor(config-hos)# show settings terse
network-settings
-----------------------------------------------
host-ip: 136.1.100.10/24,136.1.100.13 default: 10.1.9.201/24,10.1.9.1
host-name: Rack4IPS default: sensor
telnet-option: disabled default: disabled
access-list (min: 0, max: 512, current: 2)
-----------------------------------------------
network-address: 10.0.0.0/24
-----------------------------------------------
network-address: 192.168.100.0/24
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
time-zone-settings
-----------------------------------------------
offset: 0 minutes default: 0
standard-time-zone-name: UTC default: UTC
-----------------------------------------------
ntp-option
-----------------------------------------------
disabled
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
summertime-option
-----------------------------------------------
disabled
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
auto-upgrade-option
-----------------------------------------------
disabled
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
crypto
-----------------------------------------------
key (min: 0, max: 10, current: 2)
-----------------------------------------------
<protected entry>
name: realm-cisco.pub
<protected entry>
name: realm-trend.pub
-----------------------------------------------
-----------------------------------------------
password-recovery: allowed <defaulted>

Task 4.3 Solution


IPS:
sensor(config)# service interface
sensor(config-int)# physical-interfaces gigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface gigabitEthernet0/0
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes

SW1:
!
! Create the RSPAN vlan 111
!
vlan 111
remote-span
!
! Configure SPAN sessions sourced off vlan 52
!
monitor session 1 source vlan 52 rx
monitor session 1 destination remote vlan 111 reflector fa 0/19

SW2:
!
! Create the RSPAN vlan 111
!
vlan 111
remote-span
!
! Configure a SPAN session with VLAN 52 and RSPAN VLAN 111 as sources, destined to the IPS port
!
monitor session 1 source vlan 52 , 111 rx
monitor session 1 destination interface FastEthernet0/10

IDM:

Enable the ICMP echo and echo-reply signatures to test the sensor configuration. Go
to Policies | Signature Definitions | sig0 and enable signatures 2000 (ICMP Echo
Reply) and 2004 (ICMP Echo Request):

You may configure the same thing from the IPS CLI:

sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 2000 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# signatures 2004 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes

Task 4.3 Verification


SCRack4R5#ping 192.10.4.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

sensor# show events alert past 00:02:00

evIdsAlert: eventId=1252125376862886976 severity=informational vendor=Cisco
originator:
hostId: Rack4IPS
appName: sensorApp
appInstanceId: 368
time: 2009/09/14 14:09:29 2009/09/14 14:09:29 UTC
signature: description=ICMP Echo Request id=2004 version=S1
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 192.10.4.5
target:
addr: locality=OUT 192.10.4.254
os: idSource=unknown relevance=relevant type=unknown
summary: final=true initialAlert=1252125376862886950
summaryType=Regular 5
alertDetails: Regular Summary: 5 events this interval ;
riskRatingValue: attackRelevanceRating=relevant
targetValueRating=medium 35
threatRatingValue: 35
interface: ge0_0
protocol: icmp

evIdsAlert: eventId=1252125376862886977 severity=informational vendor=Cisco
originator:
hostId: Rack4IPS
appName: sensorApp
appInstanceId: 368
time: 2009/09/14 14:09:29 2009/09/14 14:09:29 UTC
signature: description=ICMP Echo Reply id=2000 version=S1
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 192.10.4.254
target:
addr: locality=OUT 192.10.4.5
os: idSource=unknown relevance=relevant type=unknown
summary: final=true initialAlert=1252125376862886951
summaryType=Regular 5
alertDetails: Regular Summary: 5 events this interval ;
riskRatingValue: attackRelevanceRating=relevant
targetValueRating=medium 35
threatRatingValue: 35
interface: ge0_0
protocol: icmp

Task 4.4 Solution


IPS:
Rack4IPS# conf t
Rack4IPS(config)# service logger
Rack4IPS(config-log)# zone-control nac severity debug
Rack4IPS(config-log)# exit
Apply Changes?[yes]: yes

Task 4.5 Solution

Note

The sensor supports several IP fragment reassembly methods; the default is
Windows NT. All the rest are supported only if the sensor runs in promiscuous
mode.

The TCP stream reassembly mode can be strict (only allows the next expected in
the sequence), loose (allows gaps in the sequence) or asymmetric (allows
asymmetric traffic to be reassembled). We need the loose mode per the
requirements.

Rack4IPS# conf t
Rack4IPS(config)# service signature-definition sig0
Rack4IPS(config-sig)# fragment-reassembly
Rack4IPS(config-sig-fra)# ip-reassemble-mode linux
Rack4IPS(config-sig-fra)# exit
Rack4IPS(config-sig)# stream-reassembly
Rack4IPS(config-sig-str)# tcp-reassembly-mode loose
Rack4IPS(config-sig-str)# exit
Rack4IPS(config-sig)# exit
Apply Changes?[yes]: yes

Task 4.5 Verification


sensor(config-sig-fra)# show settings
fragment-reassembly
-----------------------------------------------
ip-reassemble-mode: linux default: nt
-----------------------------------------------
sensor(config-sig-str)# show settings
stream-reassembly
-----------------------------------------------
tcp-3-way-handshake-required: true <defaulted>
tcp-reassembly-mode: loose default: strict
-----------------------------------------------

Task 5.1 Solution


R1:
!
! Disable HTTP server and enable HTTPS server
!
ip http secure-server
no ip http server

!
! Configure ACL to match the HTTPS management subnet and apply the ACL
! to HTTPS access
!
access-list 1 permit 136.1.2.0 0.0.0.255
ip http access-class 1

!
! Create local username CISCO with password CISCO
!
username CISCO password CISCO
username CISCO privilege 15

!
! Enable AAA. Configure the default authentication/exec authorization
! list with tacacs+ and local fallback.
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

!
! Configure the console and VTY authentication lists plus the VTY exec
! authorization list
!
aaa authentication login CONSOLE none
aaa authentication login VTY line
aaa authorization exec VTY none

!
! In order for a user to manage router via HTTP, it must be assigned
! privilege level 15. Configure this via TACACS+ as well (fallback to
! local). Enable HTTP authentication via AAA methods - it will
! inherit the default list authentication method
ip http authentication aaa

!
! Configure the TACACS+ server IP address and key
!
tacacs-server host 136.1.125.100 key CISCO
ip tacacs source loopback0

!
! Apply authentication list on console and authentication/authorization
! list on VTY
!
line console 0
login authentication CONSOLE
line vty 0 4
login authentication VTY
authorization exec VTY

ACS:

Step 1:

Add R1 as a TACACS+ client to the ACS server

Step 2:

Add new user named “WEBADMIN” with the password of “CISCO”. And
configure the following TACACS+ settings for this user: Enable Shell(exec)
and set Privilege Level to 15

Task 5.1 Verification


Assign the Test PC to VLAN 2 and try accessing the HTTPS server on R1.

SCRack4R1#show tcp brief
TCB       Local Address           Foreign Address          (state)
82F50210  150.4.1.1.179           150.4.6.6.24328          ESTAB
841E50B4  150.4.1.1.443           136.1.2.105.1611         ESTAB

SCRack4R1#show ip http server status
HTTP server status: Disabled
HTTP server port: 80
HTTP server authentication method: aaa
<snip>

SCRack4R1#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

Confirm that console access requires no authentication and that the VTY lines use
line authentication.

SCRack4R1#show line console 0 summary
0: u
    1 character mode users.  (U)
1 total lines in use, 1 not authenticated (lowercase)

SCRack4R1#telnet 150.4.1.1
Trying 150.4.1.1 ... Open

User Access Verification

Password:

SCRack4R1>en
Password:
SCRack4R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SCRack4R1(config)#exit
SCRack4R1#exit

[Connection to 150.4.1.1 closed by foreign host]

Task 5.2 Solution


R2:
!
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa authentication login CONSOLE none
aaa authentication login VTY line

!
! Configure the TACACS+ server’s IP address and key
!
tacacs-server host 136.1.125.100 key CISCO
ip tacacs source-interface Loopback 0

!
! Configure ACL with “deny any” for HTTP access on the router
!
access-list 1 deny any

!
! Enable the HTTP server, configure it with AAA authentication
!
ip http server
ip http authentication aaa
ip http access-class 1

!
! Configure the AUTH proxy ACL and create an AUTH proxy admission rule
!
ip access-list extended TO_SERVER
permit tcp any host 136.1.2.105 eq www
!
ip auth-proxy name ACCESS_TO_SERVER http list TO_SERVER
ip auth-proxy auth-cache-time 30

!
! Configure ACL to deny access to the server by default
!
ip access-list extended ACCESS
deny ip any host 136.1.2.105
permit ip any any

!
! Apply the ACL to filter access to server unless authenticated and
! apply AUTH proxy
!
interface Serial 0/0.1245
ip access-group ACCESS in
ip auth-proxy ACCESS_TO_SERVER

!
! Apply the authentication lists on console and VTY lines
!
line console 0
login authentication CONSOLE
!
line vty 0 4
login authentication VTY

ACS:

Step 1:

Add R2 as a TACACS+ client to the ACS server using the authentication key
value of “CISCO”.

Step 2:

Create a new TACACS+ service named “auth-proxy”. Go to Interface
Configuration | TACACS+ (Cisco IOS) and configure it per the screenshot
below:

Step 3:

Create new user named “AUTH” with the password of “CISCO” and set the
following attributes under the “auth-proxy” service:

priv-lvl=15
proxyacl#1=permit udp any host 136.1.2.105
proxyacl#2=permit tcp any host 136.1.2.105
proxyacl#3=permit icmp any host 136.1.2.105
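
The following Python is an added illustration, not part of the workbook or of IOS: it models how the router turns these proxyacl#n attributes into the dynamic entries that the verification below shows at the top of the ACCESS list. The ACL evaluator is a deliberately small subset written for this example (action, protocol, any/host endpoints, first match, implicit deny, no ports); the ACE text and addresses are the ones used in this task.

```python
"""Model of auth-proxy dynamic ACEs built from TACACS+ proxyacl#n attributes.

Added example, not IOS code: it reproduces what 'show ip access-lists ACCESS'
shows after user AUTH logs in from 136.1.125.100. The ACL matcher is a small
subset of IOS (action, protocol, 'any'/'host' endpoints, no ports).
"""

# proxyacl#1..3 as configured for user AUTH on ACS (from the task)
PROXYACL = [
    "permit udp any host 136.1.2.105",
    "permit tcp any host 136.1.2.105",
    "permit icmp any host 136.1.2.105",
]
# the static interface ACL 'ACCESS' applied inbound on Serial0/0.1245
INTERFACE_ACL = [
    "deny ip any host 136.1.2.105",
    "permit ip any any",
]


def parse_ace(text):
    """'permit tcp any host 1.2.3.4' -> ('permit', 'tcp', 'any', '1.2.3.4')."""
    tokens = text.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def endpoint(toks):
        if toks[0] == "any":
            return "any", toks[1:]
        if toks[0] == "host":
            return toks[1], toks[2:]
        raise ValueError(f"unsupported address spec in {text!r}")

    src, rest = endpoint(rest)
    dst, rest = endpoint(rest)
    if rest:
        raise ValueError(f"ports/options not supported in {text!r}")
    return action, proto, src, dst


def render_ace(ace):
    """Render a parsed ACE the way 'show ip access-lists' prints it."""
    action, proto, src, dst = ace

    def fmt(addr):
        return "any" if addr == "any" else f"host {addr}"

    return f"{action} {proto} {fmt(src)} {fmt(dst)}"


def dynamic_aces(proxyacl, client_ip):
    """What auth-proxy installs after a successful login: every proxyacl#n
    entry with the 'any' source replaced by the authenticated host. This is
    why 'any' as the source in the ACS attributes is not a hole."""
    out = []
    for line in proxyacl:
        action, proto, src, dst = parse_ace(line)
        if src == "any":
            src = client_ip
        out.append((action, proto, src, dst))
    return out


def evaluate(acl, proto, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, p, s, d in acl:
        if p not in ("ip", proto):
            continue
        if (s == "any" or s == src) and (d == "any" or d == dst):
            return action
    return "deny"


def effective_acl(client_ip=None):
    """Interface ACL as traffic sees it: dynamic entries first, static after."""
    static = [parse_ace(line) for line in INTERFACE_ACL]
    if client_ip is None:
        return static
    return dynamic_aces(PROXYACL, client_ip) + static


if __name__ == "__main__":
    for ace in effective_acl("136.1.125.100"):
        print(render_ace(ace))
```

Traffic from any other host, and any protocol not listed in the proxyacl#n attributes, still hits the static deny; only the authenticated host gains the three dynamic permits.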

Task 5.2 Verification


Check the inbound access-list before the AUTH proxy process.

SCRack4R2#show ip access-lists ACCESS
Extended IP access list ACCESS
    10 deny ip any host 136.1.2.105
    20 permit ip any any (613 matches)

SCRack4R2#show ip auth-proxy configuration
Authentication Proxy Banner not configured
Consent Banner is not configured
Authentication global cache time is 30 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Session ratelimit is 100
Authentication Proxy Watch-list is disabled
Authentication Proxy Max HTTP process is 7
Authentication Proxy Auditing is disabled
Max Login attempts per user is 30

Authentication Proxy Rule Configuration
 Auth-proxy name ACCESS_TO_SERVER
    http list TO_SERVER inactivity-timer 60 minutes

Make sure R2 is able to use the ACS server for authentication. Next, open the
URL http://136.1.2.105 from the AAA server in order to verify the auth-proxy
functionality.

SCRack4R2#test aaa group tacacs+ AUTH CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Check the inbound ACL after successful authentication; verify that TCP/UDP and
ICMP protocols are now permitted:

SCRack4R2#show ip auth-proxy cache
Authentication Proxy Cache
 Client Name AUTH, Client IP 136.1.125.100, Port 4093, timeout 60, Time Remaining 60, state ESTAB

SCRack4R2#show ip access-lists ACCESS
Extended IP access list ACCESS
    permit udp host 136.1.125.100 host 136.1.2.105
    permit tcp host 136.1.125.100 host 136.1.2.105 (6 matches)
    permit icmp host 136.1.125.100 host 136.1.2.105
    10 deny ip any host 136.1.2.105
    20 permit ip any any (825 matches)

Task 5.3 Solution


R4:
!
! Enable AAA and configure a login authentication list for the VTY lines
! with line password authentication; configure the default accounting
! list for level 15 commands
!
aaa new-model
aaa authentication login VTY line
aaa accounting commands 15 default start-stop group VRF1

!
! Configure the VRF-aware TACACS+ server IP address and key; the port
! needs to be specified as well.
!
aaa group server tacacs+ VRF1
server-private 136.1.125.100 port 49 key CISCO
ip vrf forwarding vrf1
ip tacacs source-interface Loopback0

!
! Apply the accounting list on both console and VTY lines; on the VTY
! lines also apply the login authentication list
!
line console 0
accounting commands 15 default
!
line vty 0 15
login authentication VTY
accounting commands 15 default

ACS:

All you need to do is add R4 as a TACACS+ client to the ACS so it could send
accounting records.

Task 5.3 Verification


SCRack4R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SCRack4R4(config)#interface fastEthernet 0/0
SCRack4R4(config-if)#exit

SCRack4R5#telnet 150.4.4.4
Trying 150.4.4.4 ... Open

User Access Verification

Password:

SCRack4R4>en
Password:
SCRack4R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SCRack4R4(config)#interface fastEthernet 0/1
SCRack4R4(config-if)#exit

ACS:

Go to Reports and Activity | TACACS+ Administration and select
TACACS+ Administration active.csv:

Task 5.4 Solution


R5:
!
! Enable AAA; configure the local username and give it privilege level 2
!
aaa new-model
username CONSULTANT privilege 2 password CISCO

!
! Lower the privilege level of the 2 commands from level 15 to level 2
!
privilege exec level 2 debug ip rip
privilege exec level 2 undebug ip rip

!
aaa authorization exec default local

Task 5.4 Verification


Telnet to R5 and confirm the user may use exec privilege level 2 commands.

SCRack4R5#telnet 150.4.5.5
Trying 150.4.5.5 ... Open

User Access Verification

Username: CONSULTANT
Password:

SCRack4R5#show privilege
Current privilege level is 2

SCRack4R5#debug ip rip
RIP protocol debugging is on

SCRack4R5#undebug ip rip
RIP protocol debugging is off

SCRack4R5#conf t
^
% Invalid input detected at '^' marker.

SCRack4R5#exit

[Connection to 150.4.5.5 closed by foreign host]

Task 5.5 Solution

Note

An LDAP attribute map defines the binding of an LDAP attribute (e.g. “FirstName”,
“UserName”, “EmailAddress”) to an attribute understood by the Cisco ASA, such as
“cVPN3000-IETF-Radius-Class”.

In our case, the LDAP attribute named “msNPAllowDialin” defines a user’s
permission to “dial in”, which is the equivalent of VPN access on the ASA.

ASA1:
!
! Configure the LDAP map
!
ldap attribute-map INE-MAP
map-name msNPAllowDialin cVPN3000-IETF-Radius-Class

!
! Configure integration with the LDAP server
!
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP host 10.0.0.100
ldap-base-dn dc=training, dc=internetworkexpert, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName

We need to configure a password that contains the “?” character; In order to type
it in, you should press the “CTRL+V” sequence and then type the “?” character,
followed by the rest of the password.

ldap-login-password cisco?123!
ldap-login-dn CN=Administrator,CN=Users,DC=training,DC=internetworkexpert,DC=com
server-type Microsoft

!
! Apply the LDAP map
!
ldap-attribute-map INE-MAP

Task 5.5 Verification


Rack4ASA1# show aaa-server protocol ldap
Server Group: LDAPGROUP
Server Protocol: ldap
Server Address: 10.0.0.100
Server port: 0
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 0
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0

Task 6.1 Solution


R6:
!
! Configure local username for SSH access
!
username vty-user secret cisco

!
! Configure ssh process to listen on port 2000
!
ip ssh port 2000 rotary 1

!
! Configure SSH as transport for lines 2 through 4 and assign them to a
! rotary pool
!
line vty 0 1
password cisco
login
transport input telnet
!
line vty 2 4
transport input ssh
login local
rotary 1

Task 6.1 Verification


Test that the first two lines use line password authentication and the remaining
three use the username/password pair; Make sure you can connect to port 2000
using SSH.

SCRack4R6#telnet 150.4.6.6
Trying 150.4.6.6 ... Open

User Access Verification

Password:
SCRack4R6>en
Password:
SCRack4R6#

SCRack4R6#telnet 150.4.6.6
Trying 150.4.6.6 ... Open

User Access Verification

Password:
SCRack4R6>en
Password:
SCRack4R6#

Notice that the third Telnet connection fails, because starting from the third
VTY line the transport is SSH only:

SCRack4R6#telnet 150.4.6.6
Trying 150.4.6.6 ...
% Connection refused by remote host

SCRack4R6#ssh -l vty-user 150.4.6.6

Password:

SCRack4R6>en
Password:
SCRack4R6#

SCRack4R6#ssh -l vty-user -p 2000 150.4.6.6

Password:

SCRack4R6>en

Password:
SCRack4R6#

SCRack4R6#show tcp brief
TCB       Local Address           Foreign Address          (state)
4A185C9C  150.4.6.6.32038         150.4.6.6.2000           ESTAB
4A014BB4  150.4.6.6.23            150.4.6.6.52750          ESTAB
49760488  150.4.6.6.24328         150.4.1.1.179            ESTAB
49CD7C04  150.4.6.6.52750         150.4.6.6.23             ESTAB
495FF7D8  204.12.4.6.28890        204.12.4.254.179         ESTAB
484A29AC  150.4.6.6.48614         150.4.6.6.22             ESTAB
4A06089C  54.9.1.6.48178          54.9.1.254.179           ESTAB

Task 6.2 Solution


SW1:
!
! Apply the storm-control broadcast level at 5% of the BW
!
interface fastEthernet 0/1
storm-control broadcast level 5
!
interface fastEthernet 0/2
storm-control broadcast level 5

Task 6.2 Verification


SCRack4SW1#show storm-control fastEthernet 0/1 broadcast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/1 Forwarding 5.00% 5.00% 0.00%

SCRack4SW1#show storm-control fastEthernet 0/2 broadcast


Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/2 Forwarding 5.00% 5.00% 0.00%

Task 6.3 Solution


R2:
!
! Identify Telnet, SSH and FTP traffic in the ACL; exempt R1's Loopback0 from the policy
!
access-list 100 deny ip host 150.4.1.1 any
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any any eq 22
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data

!
! Configure a class-map and call the ACL
!
class-map cmap-control
match access-group 100

!
! Configure the policy-map to police the matched traffic to 20 kbps
!
policy-map pmap-control-in
class cmap-control
police 20000 conform-action transmit exceed-action drop

!
! Apply the policy-map and allow Telnet, SSH and FTP only if arriving on
! Serial0/0.1245
!
control-plane
service-policy input pmap-control-in
!
control-plane host
management-interface serial 0/0.1245 allow telnet ssh ftp

Task 6.3 Verification


SCRack4R5#telnet 150.4.2.2
Trying 150.4.2.2 ... Open

User Access Verification

Password:

SCRack4R2>en
Password:
SCRack4R2#

SCRack4R1#telnet 150.4.2.2 /source-interface loopback 0
Trying 150.4.2.2 ... Open

User Access Verification

Password:

SCRack4R2>en
Password:
SCRack4R2#

SCRack4R2#show access-lists 100
Extended IP access list 100
    10 deny ip host 150.4.1.1 any (28 matches)
    20 permit tcp any any eq telnet (28 matches)
    30 permit tcp any any eq 22

SCRack4R2#show policy-map control-plane input
 Control Plane

  Service-policy input: pmap-control-in

    Class-map: cmap-control (match-any)
      28 packets, 1290 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 100
        28 packets, 1290 bytes
        5 minute rate 0 bps
      police:
          cir 20000 bps, bc 1500 bytes, be 1500 bytes
        conformed 28 packets, 1290 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      45 packets, 6522 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

SCRack4R2#show control-plane host features
Control plane host path features :
--------------------------------------------------------
Management-Interface activated Sep 15 2009 17:2
--------------------------------------------------------

Task 6.4 Solution


R6:
!
! Enable the archiving feature and configure it accordingly
!
archive
path flash:archived-config
maximum 10
time-period 30
write-memory

Task 6.4 Verification


SCRack4R6#show flash: | i archive
SCRack4R6#

SCRack4R6#wr mem

SCRack4R6#show flash: | i archive
   33     5758  Sep 15 2009 17:32:54  archived-config-0

SCRack4R6#show archive
The maximum archive configurations allowed is 10.
There are currently 1 archive configurations saved.
The next archive file will be named flash:archived-config-1
 Archive #  Name
   1        flash:archived-config-0 <- Most Recent
   2
   3
   4
   5
   6
   7
   8
   9
   10

Task 7.1 Solution


R3:
!
! We need a route so that R3 can advertise the 136.1.2.100 host in the
! routing domain
!
ip route 136.1.2.100 255.255.255.255 null 0

!
! Redistribute the static into OSPF
!
router ospf 1
redistribute static subnets

!
! Configure a NAT pool type rotary for DNAT
!
ip nat pool SERVER_POOL 136.1.100.100 136.1.100.100 prefix-length 24 type rotary

!
! Match in an ACL traffic going to the mapped/VIP address of the server
!
ip access-list extended TO_SERVER
permit tcp any host 136.1.2.100 range 3000 3500

!
! Configure the DNAT and mark interfaces as inside/outside
!
ip nat inside destination list TO_SERVER pool SERVER_POOL
!
interface fastEthernet 0/1
ip nat inside
!
interface fastEthernet 0/0
ip nat outside

Task 7.1 Verification


Connection will fail since there is no TCP service listening on that port, but a
translation entry would show up:

SCRack4R1#telnet 136.1.2.100 3000
Trying 136.1.2.100, 3000 ...
% Connection refused by remote host

SCRack4R3#show ip nat translations
Pro Inside global        Inside local          Outside local        Outside global
tcp 136.1.2.100:3000     136.1.100.100:3000    136.1.136.1:61581    136.1.136.1:61581

Task 7.2 Solution


R5:
!
! Configure different views
!
snmp-server view ALL internet included
snmp-server view CISCO cisco included

!
! Configure 2 groups and assign views to each
!
snmp-server group ADMIN v3 priv read ALL write ALL
snmp-server group OPERATOR v3 priv read ALL write CISCO

!
! Configure users with authentication and traffic encryption
!
snmp-server user ADMIN ADMIN v3 auth md5 CISCO priv des56 CISCO
snmp-server user OPERATOR OPERATOR v3 auth md5 CISCO priv des56 CISCO

Task 7.2 Verification


SCRack4R5#show snmp user

User name: ADMIN
Engine ID: 800000090300000D284DF4C0
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: ADMIN

User name: OPERATOR
Engine ID: 800000090300000D284DF4C0
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: OPERATOR

SCRack4R5#show snmp group
groupname: ILMI                             security model:v1
readview : *ilmi                            writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: ILMI                             security model:v2c
readview : *ilmi                            writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: ADMIN                            security model:v3 priv
readview : ALL                              writeview: ALL
notifyview: <no notifyview specified>
row status: active

groupname: OPERATOR                         security model:v3 priv
readview : ALL                              writeview: CISCO
notifyview: <no notifyview specified>
row status: active

SCRack4R5#show snmp view
ALL internet - included nonvolatile active
*ilmi system - included permanent active
*ilmi atmForumUni - included permanent active
CISCO cisco - included nonvolatile active
v1default iso - included permanent active
v1default internet.6.3.15 - excluded permanent active
v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
v1default ciscoMgmt.399 - excluded permanent active
v1default ciscoMgmt.400 - excluded permanent active

Task 7.3 Solution

R3:
!
! Configure syslog logging.
!
logging 136.1.125.100
logging trap informational
!
ip access-list extended VLAN136_IN
permit icmp any 136.1.136.0 0.0.0.255 echo log-input
permit ip any any

!
! Apply the ACL inbound on FastEthernet0/1
!
interface FastEthernet0/1
ip access-group VLAN136_IN in

!
! Tune logging interval
!
ip access-list logging interval 100

ASA1:
!
! Allow syslog traffic to the AAA server
!
access-list OUTSIDE_IN extended permit udp host 136.1.136.3 host 136.1.125.100 eq syslog

Task 7.3 Verification


Rack4ASA2# ping 136.1.136.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.136.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

SCRack4R3#show logging | i SEC
%SEC-6-IPACCESSLOGDP: list VLAN136_IN permitted icmp 136.1.100.13 (FastEthernet0/1 0021.5537.8b6a) -> 136.1.136.1 (8/0), 1 packet

SCRack4R3#show ip access-lists VLAN136_IN
Extended IP access list VLAN136_IN
    10 permit icmp any 136.1.136.0 0.0.0.255 echo log-input (6 matches)
    20 permit ip any any (757 matches)

Rack4ASA1# show conn
4 in use, 12 most used
UDP outside 136.1.136.3:50970 inside 10.0.0.100:514, idle 0:01:00, bytes 161, flags -

Task 7.4 Solution

SW1:
!
! Apply the “Access” template for maximum ACL entries
!
sdm prefer access

Task 7.4 Verification

Note

Check the template applied to the switch before and after reloading it.

SCRack4SW1#show sdm prefer
 The current template is the default template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1K VLANs.

  number of unicast mac addresses:   5K
  number of igmp groups:             1K
  number of qos aces:                1K
  number of security aces:           1K
  number of unicast routes:          8K
  number of multicast routes:        1K

 The template stored for use after the next reload
 is the access template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1K VLANs.

  number of unicast mac addresses:   1K
  number of igmp groups:             2K
  number of qos aces:                1K
  number of security aces:           2K
  number of unicast routes:          2K
  number of multicast routes:        2K

SCRack4SW1#show sdm prefer
 The current template is the access template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1K VLANs.

  number of unicast mac addresses:   1K
  number of igmp groups:             2K
  number of qos aces:                1K
  number of security aces:           2K
  number of unicast routes:          2K
  number of multicast routes:        2K

Task 7.5 Solution


ASA1:
!
! Configure an ACL that exempts traffic sourced from or destined to
! 10.0.0.0/8 and 136.0.0.0/8 from the policy and matches the rest
!
access-list IM_ACL extended deny ip 10.0.0.0 255.0.0.0 any
access-list IM_ACL extended deny ip 136.0.0.0 255.0.0.0 any
access-list IM_ACL extended deny ip any 10.0.0.0 255.0.0.0
access-list IM_ACL extended deny ip any 136.0.0.0 255.0.0.0
access-list IM_ACL extended permit ip any any

!
! Configure an inspect IM class type and match on MSN IM protocol
!
class-map type inspect im match-all IM_CLASS_INSPECT
match protocol msn-im

!
! Configure regular class-map and match the ACL
!
class-map IM_CLASS
match access-list IM_ACL

!
! Configure a inspect IM policy-map type and for traffic referenced by
! the inspect type class-map drop connection and log
!
policy-map type inspect im IM_POLICY_INSPECT
parameters
class IM_CLASS_INSPECT
drop-connection log

!
! Apply the policy under the global policy-map
!
policy-map global_policy
class IM_CLASS
inspect im IM_POLICY_INSPECT

Task 7.5 Verification


Rack4ASA1# show service-policy inspect im

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
    Class-map: IM_CLASS
      Inspect: im IM_POLICY_INSPECT, packet 0, drop 0, reset-drop 0
        class IM_CLASS_INSPECT
          drop-connection log, packet 0

Task 8.1 Solution


The TCP Intercept function should be enabled in watch mode, so that the router
does not intercept TCP packets but allows connections to pass through.

R6:
!
! Configure ACL to match HTTP traffic destined to the server
!
access-list 199 permit tcp any host 136.1.2.102 eq www

!
! Configure the TCP Intercept function in watch mode with a timeout
! value of 10 seconds
!
ip tcp intercept list 199
ip tcp intercept mode watch
ip tcp intercept watch-timeout 10
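
The following Python is an added model (not IOS code and not from the workbook) of what watch mode with a 10-second watch timeout does for connections matched by list 199: the SYN is forwarded untouched and only recorded, and any half-open connection that has not completed within the timeout is cleared by sending a reset to the server. Aggressive-mode behaviour (the max-incomplete and one-minute thresholds) is not modelled, and the event sequence is constructed.

```python
"""TCP Intercept watch mode as a small state machine.

Added example, not IOS code: models 'ip tcp intercept mode watch' with
'watch-timeout 10'. Aggressive-mode thresholds are not modelled; times are
seconds and the events are constructed.
"""

WATCH_TIMEOUT = 10.0   # from 'ip tcp intercept watch-timeout 10'


class InterceptWatch:
    def __init__(self, watch_timeout=WATCH_TIMEOUT):
        self.watch_timeout = watch_timeout
        self.incomplete = {}     # (client, server) -> time the SYN was seen
        self.established = set()
        self.resets_sent = []    # (time, server, client): RST sent toward the server
        self.requests = 0        # feeds 'connection requests per minute'

    def syn(self, t, client, server):
        """Watch mode: the SYN is passed through unchanged and only recorded
        (in intercept mode the router would answer the SYN itself instead)."""
        self.requests += 1
        self.incomplete[(client, server)] = t

    def handshake_complete(self, t, client, server):
        """The client's final ACK was seen: the connection leaves the watch list."""
        if self.incomplete.pop((client, server), None) is not None:
            self.established.add((client, server))

    def tick(self, now):
        """Expire embryonic connections older than the watch timeout. The router
        resets the server side so its backlog entry is freed; returns how many."""
        expired = [key for key, t0 in self.incomplete.items()
                   if now - t0 >= self.watch_timeout]
        for client, server in expired:
            del self.incomplete[(client, server)]
            self.resets_sent.append((now, server, client))
        return len(expired)

    def stats(self):
        """Counters in the spirit of 'show tcp intercept statistics'."""
        return {"incomplete": len(self.incomplete),
                "established": len(self.established),
                "resets": len(self.resets_sent)}


def run_scenario():
    """Constructed: 50 spoofed SYNs that never complete plus one real client
    that finishes its handshake. Returns (stats before, stats after, requests)."""
    w = InterceptWatch()
    server = "136.1.2.102:80"
    for i in range(50):
        w.syn(0.0, f"10.9.{i}.1:40000", server)
    w.syn(0.5, "136.1.136.1:51234", server)
    w.handshake_complete(0.7, "136.1.136.1:51234", server)
    before = w.stats()
    w.tick(5.0)      # nothing has aged 10 s yet
    w.tick(10.5)     # the 50 half-open connections expire and are reset
    return before, w.stats(), w.requests


if __name__ == "__main__":
    print(run_scenario())
```

The legitimate client is never delayed by the watch, which is the reason the task asks for watch rather than intercept mode; the cost is that the server carries each half-open connection for the full timeout before the router clears it.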

Task 8.1 Verification


SC.9.9.BB1>telnet 136.1.2.102 80
Trying 136.1.2.102, 80 ...
% Connection timed out; remote host not responding

SCRack4R6#show tcp intercept statistics
Watching new connections using access-list 199
0 incomplete, 0 established connections (total 0)
1 connection requests per minute

Task 8.2 Solution


ASA1:
!
! Configure the maximum number of fragments to be 1, so all packets
must
! be whole, no fragments accepted
!
fragment chain 1 outside
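
To make the verification that follows predictable, here is an added Python model (not ASA code and not from the workbook) of the two things involved: how a router splits an IP datagram for a 1500-byte MTU (an assumption for the R5 to ASA1 path), and the chain limit that `fragment chain 1` imposes on the outside interface. With those inputs the 100-byte pings pass and every 2000-byte ping arrives in two pieces and fails, which is the Fail counter the verification shows. A practitioner should also note the side effect: any legitimately fragmented traffic crossing that interface (large UDP replies, for instance) is dropped the same way.

```python
"""IP fragmentation of the task's pings and the ASA 'fragment chain 1' check.

Added example, not ASA code. MTU 1500 is an assumption for the path; sizes
are the ones from the verification's ping commands.
"""

IP_HDR = 20      # IPv4 header without options
MTU = 1500       # assumption: Ethernet MTU on the path


def fragment(total_len, mtu=MTU, ip_hdr=IP_HDR):
    """Fragment a datagram of total_len bytes (header included) for the MTU.
    Returns [(offset_in_8_byte_units, more_fragments, payload_bytes), ...]."""
    payload = total_len - ip_hdr
    if payload <= mtu - ip_hdr:
        return [(0, False, payload)]
    # every fragment but the last must carry a multiple of 8 payload bytes
    step = (mtu - ip_hdr) // 8 * 8
    frags, off = [], 0
    while off < payload:
        chunk = min(step, payload - off)
        frags.append((off // 8, off + chunk < payload, chunk))
        off += chunk
    return frags


def chain_ok(frags, chain_limit=1):
    """ASA 'fragment chain <n>': the datagram must arrive in at most n pieces."""
    return len(frags) <= chain_limit


def ping(datagram_len, count=5, chain_limit=1):
    """Simulate 'ping ... size <datagram_len>' through the interface.
    Returns (passed, failed) datagrams, the 'Fail' counter of 'show fragment'."""
    passed = failed = 0
    for _ in range(count):
        if chain_ok(fragment(datagram_len), chain_limit):
            passed += 1
        else:
            failed += 1
    return passed, failed


if __name__ == "__main__":
    print("100-byte:", fragment(100), ping(100))
    print("2000-byte:", fragment(2000), ping(2000))
```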

Task 8.2 Verification


SCRack4R5#ping 136.1.125.12

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.125.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

SCRack4R5#ping 136.1.125.12 size 2000

Type escape sequence to abort.
Sending 5, 2000-byte ICMP Echos to 136.1.125.12, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Rack4ASA1# show fragment outside
Interface: outside
    Size: 200, Chain: 1, Timeout: 5, Reassembly: virtual
    Queue: 0, Assembled: 0, Fail: 5, Overflow: 0

Task 8.3 Solution


SW2:
!
! Manually configure the speed to 100 Mbps to make sure auto-negotiation
! will not make it 10 Mbps. Configure unicast storm control so that
! unicast traffic does not exceed 1% of the bandwidth (1 Mbps at 100 Mbps)
!
interface FastEthernet 0/22
speed 100
storm-control unicast level 1
no shutdown

Task 8.3 Verification


SCRack4SW2#show storm-control fastEthernet 0/22 unicast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/22 Link Down 1.00% 1.00% 0.00%


Task 8.4 Solution


Since we are not allowed to use MPF, another option is to specify the maximum
allowed number of embryonic connections in the static NAT.

ASA1:
!
! Re-create the static for AAA server and specify the maximum number of
! embryonic connections
!
no static (inside,outside) 136.1.125.100 10.0.0.100 netmask 255.255.255.255
static (inside,outside) 136.1.125.100 10.0.0.100 netmask 255.255.255.255 0 10
clear xlate
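The two half-open connection mechanisms in this section, watch-mode TCP intercept with its 10-second watch timeout (Task 8.1) and the embryonic-connection limit on the ASA static (Task 8.4), are modelled below as a small connection tracker. This is an added illustration, not IOS or ASA code; the packet traces, client addresses and ports are constructed.

```python
# Added model (not IOS or ASA code) of the half-open connection tracking
# behind 'ip tcp intercept mode watch' with 'watch-timeout 10' (Task 8.1)
# and the embryonic-connection limit on the ASA static, the trailing
# '0 10' in Task 8.4. All packet traces below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


@dataclass(frozen=True)
class Pkt:
    t: float        # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass
class HalfOpen:
    started: float
    syn_ack_seen: bool = False


@dataclass
class Intercept:
    watch_timeout: float = 10.0            # ip tcp intercept watch-timeout 10
    emb_limit: Optional[int] = None        # None: no limit, pure watch mode
    incomplete: Dict[Key, HalfOpen] = field(default_factory=dict)
    established: Set[Key] = field(default_factory=set)
    resets_sent: List[Tuple[float, Key]] = field(default_factory=list)
    intercepted: List[Key] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        """Watch mode: a handshake still incomplete after watch_timeout gets a
        RST sent toward the server so the server frees its half-open entry."""
        for key, ho in list(self.incomplete.items()):
            if now - ho.started > self.watch_timeout:
                self.resets_sent.append((now, key))
                del self.incomplete[key]

    def _half_open_to(self, server: str) -> int:
        return sum(1 for k in self.incomplete if k[2] == server)

    def process(self, p: Pkt) -> str:
        """Return what happens to the packet: 'pass' or 'intercept'."""
        self._expire(p.t)
        if p.flags == "S":                               # client -> server SYN
            key: Key = (p.src, p.sport, p.dst, p.dport)
            if self.emb_limit is not None and self._half_open_to(p.dst) >= self.emb_limit:
                # embryonic limit reached: the firewall proxies the handshake
                # instead of letting the SYN reach the server
                self.intercepted.append(key)
                return "intercept"
            self.incomplete[key] = HalfOpen(started=p.t)
            return "pass"
        if p.flags == "SA":                              # server -> client SYN/ACK
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.incomplete:
                self.incomplete[key].syn_ack_seen = True
            return "pass"
        if p.flags == "A":                               # client -> server ACK
            key = (p.src, p.sport, p.dst, p.dport)
            ho = self.incomplete.get(key)
            if ho is not None and ho.syn_ack_seen:       # handshake complete
                del self.incomplete[key]
                self.established.add(key)
            return "pass"
        return "pass"

    def stats(self) -> Dict[str, int]:
        """Counters in the spirit of 'show tcp intercept statistics'."""
        return {"incomplete": len(self.incomplete),
                "established": len(self.established),
                "resets": len(self.resets_sent),
                "intercepted": len(self.intercepted)}


SERVER = "136.1.2.102"   # the HTTP server from access-list 199


def watch_mode_demo() -> Intercept:
    """One completed handshake, one SYN that never completes, and a later SYN
    whose arrival expires the stale one (more than 10 s old)."""
    ic = Intercept(watch_timeout=10.0)
    trace = [
        Pkt(0.0, "136.1.2.1", 40000, SERVER, 80, "S"),
        Pkt(0.1, SERVER, 80, "136.1.2.1", 40000, "SA"),
        Pkt(0.2, "136.1.2.1", 40000, SERVER, 80, "A"),
        Pkt(1.0, "136.1.2.2", 40001, SERVER, 80, "S"),    # never answered
        Pkt(12.0, "136.1.2.3", 40002, SERVER, 80, "S"),
    ]
    for p in trace:
        ic.process(p)
    return ic


def embryonic_limit_demo() -> Intercept:
    """Three SYNs to the same server with a limit of 2: the third is proxied."""
    ic = Intercept(emb_limit=2)
    for i in range(3):
        ic.process(Pkt(0.0, f"10.0.0.{i + 1}", 50000 + i, SERVER, 80, "S"))
    return ic
```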

Task 8.5 Solution


We need to filter based on EtherType values to match IPX; IPX uses both the
0x8137 and 0x8138 values for encapsulations other than SNAP. Normally, these
values are provided in the scenarios, but this time you are supposed to find
them using other resources. This is not something a real exam would expect you
to do, though.

SW1, SW2:
!
! Identify IPX traffic
!
mac access-list extended MACL-1
permit any any 0x8137 0x0
permit any any 0x8138 0x0

!
! Configure VLAN access-map; for IPX traffic drop and forward the rest
!
vlan access-map VACL-1 10
match mac address MACL-1
action drop
vlan access-map VACL-1 20
action forward

!
! Apply the VLAN access-map only on VLAN 10
!
vlan filter VACL-1 vlan-list 10
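What the MAC ACL and VLAN access-map above do at the frame level, as an added example that is not switch code: a MAC ACE with wildcard mask 0x0 is an exact EtherType match, and the access-map is walked in sequence order with the first match deciding the action. The Ethernet frames are constructed; the assumption that a tagged frame is classified by its inner EtherType is mine.

```python
# Added frame-level model (not switch code) of the Task 8.5 filter: MAC ACL
# MACL-1 matches the two IPX EtherType values, and VLAN access-map VACL-1
# drops those frames (sequence 10) and forwards everything else (sequence 20).
# The frames used below are constructed.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100


@dataclass(frozen=True)
class MacAce:
    """One 'permit any any <ethertype> <mask>' entry. The mask is a wildcard:
    0 bits must match, 1 bits are ignored, so 0x0 means an exact match."""
    ethertype: int
    mask: int

    def matches(self, etype: int) -> bool:
        care = ~self.mask & 0xFFFF
        return (etype & care) == (self.ethertype & care)


MACL_1 = [MacAce(0x8137, 0x0), MacAce(0x8138, 0x0)]

# (sequence, mac-acl or None when the entry has no match clause, action)
VACL_1: List[Tuple[int, Optional[List[MacAce]], str]] = [
    (10, MACL_1, "drop"),
    (20, None, "forward"),
]


def ethertype_of(frame: bytes) -> int:
    """EtherType of an Ethernet II frame. Assumption made here: one 802.1Q
    tag is skipped so a tagged frame is classified by its inner type."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (etype,) = struct.unpack("!H", frame[16:18])
    return etype


def vacl_action(frame: bytes, vacl=VACL_1) -> str:
    """Walk the access-map in sequence order; the first matching entry wins.
    An entry without a match clause matches every frame."""
    etype = ethertype_of(frame)
    for _seq, acl, action in vacl:
        if acl is None or any(ace.matches(etype) for ace in acl):
            return action
    return "drop"   # nothing matched: VACL implicit deny


def make_frame(dst: str, src: str, etype: int, payload: bytes,
               vlan: Optional[int] = None) -> bytes:
    """Build a constructed Ethernet II frame, optionally with an 802.1Q tag."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload


SRC = "00:11:22:33:44:55"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES: Dict[str, bytes] = {
    "ipx_8137": make_frame(BCAST, SRC, 0x8137, b"\xff\xff" + b"\x00" * 28),
    "ipx_8138": make_frame(BCAST, SRC, 0x8138, b"\x00" * 30),
    "ipv4": make_frame("00:aa:bb:cc:dd:ee", SRC, 0x0800, b"\x45" + b"\x00" * 19),
    "arp": make_frame(BCAST, SRC, 0x0806, b"\x00" * 28),
    "ipx_tagged_vlan10": make_frame(BCAST, SRC, 0x8137, b"\x00" * 30, vlan=10),
}


def classify_all() -> Dict[str, str]:
    """Action VACL-1 takes for each constructed sample frame."""
    return {name: vacl_action(f) for name, f in SAMPLE_FRAMES.items()}
```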


Task 8.5 Verification


SCRack4SW1#show vlan access-map
Vlan access-map "VACL-1" 10
Match clauses:
mac address: MACL-1
Action:
drop
Vlan access-map "VACL-1" 20
Match clauses:
Action:
forward

SCRack4SW1#show vlan filter


VLAN Map VACL-1 is filtering VLANs:
10


CCIE Security Lab Workbook Vol II Solutions Guide for CCIEv3.0 Lab 8

IEWB-SC-VOL2 Lab 8 Solutions


Task 1.1 Solution
ASA1:
!
! Configure the hostname
!
hostname Rack4ASA1

!
! Configure interfaces with IP addresses, nameifs
!
interface Ethernet 0/0
no shutdown
nameif outside
ip address 10.0.0.12 255.255.255.0
!
interface Ethernet 0/1
no shutdown
nameif inside
ip address 148.1.127.12 255.255.255.0

Task 1.1 Verification


Rack4ASA1# show interface ip brief | e unas
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.0.0.12 YES manual up up
Ethernet0/1 148.1.127.12 YES manual up up

Rack4ASA1# show nameif


Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 inside 100

Rack4ASA1# ping 10.0.0.100


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA1# ping 148.1.127.7


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 148.1.127.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms


Task 1.2 Solution


ASA2:
!
! First convert the firewall to transparent mode so that configurations
! are not lost
!
firewall transparent

!
! Configure the hostname and IP address
!
hostname Rack4ASA2
!
ip address 192.10.4.13 255.255.255.0

!
! Configure the interfaces with appropriate nameifs
!
interface Ethernet 0/0
nameif outside
no shutdown
!
interface Ethernet 0/1
nameif inside
no shutdown

Task 1.2 Verification


Rack4ASA2# show firewall
Firewall mode: Transparent

Rack4ASA2# show nameif


Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 inside 100

Rack4ASA2# show int ip brief | e unas


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.10.4.13 YES unset up up
Ethernet0/1 192.10.4.13 YES unset up up

Rack4ASA2# ping 192.10.4.2


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Rack4ASA2# ping 192.10.4.3


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.4.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


Rack4ASA2# ping 192.10.4.254


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Task 1.3 Solution


ASA1:
!
! Configure RIP version 2 and make the outside passive so that updates
! are not sent but can be received
!
router rip
version 2
no auto-summary
network 148.1.0.0
network 10.0.0.0
passive-interface outside

!
! Configure the Policy PAT
!
access-list POLICY_PAT permit tcp host 148.1.105.10 eq 443 host 10.0.0.100
static (inside,outside) tcp 10.0.0.10 14433 access-list POLICY_PAT

!
! Configure the ACL to permit traffic from the AAA server to IPS; apply
! it inbound on the outside interface
!
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq 14433
access-group OUTSIDE_IN in interface outside


Task 1.3 Verification


Rack4ASA1# show route inside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

R 204.12.4.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:02, inside
R 54.4.3.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:02, inside
R 10.3.3.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:02, inside
R 192.10.4.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:02, inside
R 148.1.255.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:02, inside
R 148.1.4.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:02, inside
R 148.1.0.4 255.255.255.255 [120/1] via 148.1.127.7, 0:00:02, inside
R 148.1.6.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:02, inside
R 148.1.0.1 255.255.255.255 [120/1] via 148.1.127.7, 0:00:02, inside
R 148.1.0.2 255.255.255.255 [120/1] via 148.1.127.7, 0:00:02, inside
R 148.1.57.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:02, inside
R 148.1.35.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:02, inside
R 148.1.45.0 255.255.255.224 [120/1] via 148.1.127.7, 0:00:02, inside
C 148.1.127.0 255.255.255.0 is directly connected, inside
R 148.1.105.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:03, inside
R 150.4.7.0 255.255.255.0 [120/1] via 148.1.127.7, 0:00:03, inside
R 150.4.8.8 255.255.255.255 [120/1] via 148.1.127.7, 0:00:03, inside
R 150.4.6.6 255.255.255.255 [120/1] via 148.1.127.7, 0:00:03, inside
R 150.4.5.5 255.255.255.255 [120/1] via 148.1.127.7, 0:00:03, inside
R 150.4.4.4 255.255.255.255 [120/1] via 148.1.127.7, 0:00:03, inside
R 150.4.3.3 255.255.255.255 [120/1] via 148.1.127.7, 0:00:03, inside
R 150.4.2.2 255.255.255.255 [120/1] via 148.1.127.7, 0:00:03, inside
R 150.4.1.1 255.255.255.255 [120/1] via 148.1.127.7, 0:00:03, inside


Rack4ASA1# show xlate


1 in use, 1 most used
PAT Global 10.0.0.10(14433) Local 148.1.105.10(443)

SCRack4SW1#show ip route 10.0.0.0 255.255.255.0


Routing entry for 10.0.0.0/24
Known via "rip", distance 120, metric 1
Redistributing via ospf 1, rip
Advertised by ospf 1 subnets
Last update from 148.1.127.12 on FastEthernet0/13, 00:00:01 ago
Routing Descriptor Blocks:
* 148.1.127.12, from 148.1.127.12, 00:00:02 ago, via FastEthernet0/13
Route metric is 1, traffic share count is 1

Task 1.4 Solution


ASA2:
!
! Configure ACL to identify ICMP traffic and apply it inbound on both
! interfaces
!
access-list INSIDE_IN permit icmp any any
access-list INSIDE_IN permit ip any any
access-list OUTSIDE_IN permit icmp any any
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside

Task 1.4 Verification


SCRack4R2#ping 192.10.4.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

SCRack4R3#ping 192.10.4.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms


Task 2.1 Solution


R3:
!
! Configure the outbound ACL to deny ICMP echo traffic; apply the ACL
!
ip access-list extended TO_BB2
deny icmp any host 192.10.4.254 echo
permit ip any any
!
interface FastEthernet 0/1
ip access-group TO_BB2 out

!
! Configure ACL for local policy routing and match ICMP echo
!
ip access-list extended LOCAL_PINGS_TO_BB2
permit icmp any host 192.10.4.254 echo

!
! Configure a route-map, match on the ACL and set the next-hop to Lo0
!
route-map LOCAL_POLICY
match ip address LOCAL_PINGS_TO_BB2
set interface Loopback0

!
! Configure the local-policy routing feature
!
ip local policy route-map LOCAL_POLICY

Task 2.1 Verification


Ping BB2 from behind R3, and then from R3. Traffic should be dropped and
ICMP unreachable messages sent back.

SCRack4R5#ping 192.10.4.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

SCRack4R3#debug ip policy
Policy routing debugging is on


SCRack4R3#ping 192.10.4.254 repeat 1

Type escape sequence to abort.


Sending 1, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
U
Success rate is 0 percent (0/1)
SCRack4R3#
IP: s=192.10.4.3 (local), d=192.10.4.254, len 100, policy match
IP: route map LOCAL_POLICY, item 10, permit
IP: s=192.10.4.3 (local), d=192.10.4.254 (Loopback0), len 100, policy routed
IP: local to Loopback0 192.10.4.254

SCRack4R3#show access-lists
Extended IP access list LOCAL_PINGS_TO_BB2
10 permit icmp any host 192.10.4.254 echo (1 match)
Extended IP access list TO_BB2
10 deny icmp any host 192.10.4.254 echo (5 matches)
20 permit ip any any (1 match)

Task 2.2 Solution


R1:
!
! Configure the allowed protocols for outbound line connections
!
line vty 0 181
transport output pad rlogin mop v120 ssh


Task 2.2 Verification


SCRack4R1#show line vty 0
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
66 VTY - - - - - 0 0 0/0 -

Line 66, Location: "", Type: ""


Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: none
Modem state: Idle
Special Chars: Escape Hold Stop Start Disconnect Activation
^^x none - - none
Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
00:10:00 never none not set
Idle Session Disconnect Warning
never
Login-sequence User Response
00:00:30
Autoselect Initial Wait
not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 20.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are pad telnet rlogin mop v120 ssh.
Allowed output transports are pad rlogin mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

SCRack4R4#telnet 150.4.1.1
Trying 150.4.1.1 ... Open

User Access Verification

Password:

SCRack4R1>telnet 150.4.5.5
% telnet connections not permitted from this terminal


Task 2.3 Solution


R4:
!
! Enable AAA; configure default authentication/authorization list and
! custom authentication list for console
!
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login default local
aaa authorization exec default local

!
! Configure the time-range when WEB access is allowed unauthenticated
!
time-range WORK_TIME
periodic weekday 8:00 to 16:59

!
! Configure the ACL: allow traffic to the WEB server in the time-range;
! for the rest of the time configure dynamic entry(lock and key) to
! force users authenticate first
!
ip access-list extended ACCESS
permit tcp any host 148.1.4.100 eq www time-range WORK_TIME
dynamic WEB permit tcp any host 148.1.4.100 eq www
deny tcp any host 148.1.4.100 eq www
permit ip any any

!
! Configure the local user and the "autocommand" for the dynamic ACL;
! the "autocommand" could be applied on the VTY lines as well, but that
! would restrict regular access to the VTY lines. Note that we are not
! asked to configure an idle/absolute timeout for the dynamic entries
!
username WEB password CISCO
username WEB autocommand access-enable host

!
! Apply the ACL inbound on both Serial interfaces
!
interface Serial 0/0.124
ip access-group ACCESS in
!
interface Serial 0/1
ip access-group ACCESS in

!
! Configure access on all VTY lines for port 30001
!
line vty 0 181
rotary 1


!
! Apply the authentication list that requires no authentication to the
! console
!
line console 0
login authentication CONSOLE
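How the router evaluates ACL ACCESS once it is applied, as an added model that is not IOS code: entry 10 only matches while WORK_TIME is active, the dynamic template itself never matches traffic and only the per-host entry created by "access-enable host" does, and the deny and permit below catch the rest. Idle and absolute timeouts are modelled as options because the task leaves them unconfigured (entries then live until cleared); the flows and clock values are constructed.

```python
# Added model (not IOS code) of how the router evaluates ACL ACCESS from
# Task 2.3: the time-range entry, the lock-and-key dynamic entry populated by
# 'autocommand access-enable host', and the deny/permit that follow. The
# constructed flows and clock values are not from the workbook output.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

WEB_SERVER = "148.1.4.100"


@dataclass(frozen=True)
class Flow:
    proto: str              # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def work_time_active(now: datetime) -> bool:
    """time-range WORK_TIME: periodic weekday 8:00 to 16:59
    (Monday to Friday, 08:00:00 through 16:59:59)."""
    return now.weekday() < 5 and 8 <= now.hour <= 16


@dataclass
class DynamicEntry:
    created: datetime
    last_hit: datetime


@dataclass
class AccessListACCESS:
    # 'dynamic WEB permit tcp any host 148.1.4.100 eq www' carries no
    # timeouts in the task, so by default entries live until cleared with
    # 'clear ip access-template'
    idle_timeout: Optional[timedelta] = None
    absolute_timeout: Optional[timedelta] = None
    dynamic: Dict[str, DynamicEntry] = field(default_factory=dict)

    def access_enable_host(self, host: str, now: datetime) -> None:
        """What 'autocommand access-enable host' does after a successful
        login: a temporary entry for the authenticating host only."""
        self.dynamic[host] = DynamicEntry(created=now, last_hit=now)

    def clear_template(self, host: str) -> None:
        """'clear ip access-template ACCESS WEB host <host> host <server>'."""
        self.dynamic.pop(host, None)

    def _dynamic_permits(self, host: str, now: datetime) -> bool:
        e = self.dynamic.get(host)
        if e is None:
            return False
        if self.absolute_timeout and now - e.created > self.absolute_timeout:
            del self.dynamic[host]
            return False
        if self.idle_timeout and now - e.last_hit > self.idle_timeout:
            del self.dynamic[host]
            return False
        e.last_hit = now
        return True

    def evaluate(self, f: Flow, now: datetime) -> str:
        """First matching entry decides, in sequence order 10, 20, 30, 40."""
        to_web = f.proto == "tcp" and f.dst == WEB_SERVER and f.dport == 80
        if to_web and work_time_active(now):
            return "permit 10 (time-range)"
        # the dynamic template never matches by itself; only the per-host
        # entries created under it do
        if to_web and self._dynamic_permits(f.src, now):
            return "permit 20 (dynamic WEB)"
        if to_web:
            return "deny 30"
        return "permit 40"
```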

Task 2.3 Verification


SCRack4R4#show ip access-lists
Extended IP access list ACCESS
10 permit tcp any host 148.1.4.100 eq www time-range WORK_TIME (inactive)
20 Dynamic WEB permit tcp any host 148.1.4.100 eq www
30 deny tcp any host 148.1.4.100 eq www
40 permit ip any any

SCRack4R1#telnet 150.4.4.4
Trying 150.4.4.4 ... Open

User Access Verification

Username: WEB
Password:

[Connection to 150.4.4.4 closed by foreign host]

SCRack4R4#show access-lists
Extended IP access list ACCESS
10 permit tcp any host 148.1.4.100 eq www time-range WORK_TIME (inactive)
20 Dynamic WEB permit tcp any host 148.1.4.100 eq www
permit tcp host 148.1.0.1 host 148.1.4.100 eq www
30 deny tcp any host 148.1.4.100 eq www
40 permit ip any any (76 matches)

SCRack4R1#telnet 148.1.4.100 80
Trying 148.1.4.100, 80 ...
% Connection timed out; remote host not responding

SCRack4R4#show access-lists
Extended IP access list ACCESS
10 permit tcp any host 148.1.4.100 eq www time-range WORK_TIME (inactive)
20 Dynamic WEB permit tcp any host 148.1.4.100 eq www
permit tcp host 148.1.0.1 host 148.1.4.100 eq www (12 matches)
30 deny tcp any host 148.1.4.100 eq www
40 permit ip any any (104 matches)


Clear the dynamic ACL entry and modify the system clock so that the time-range
is active. Verify that access to the WEB server is now allowed without
authentication.

SCRack4R4#clear ip access-template ACCESS WEB host 148.1.0.1 host 148.1.4.100

SCRack4R4#clock set 10:00:00 22 Sep 2009

SCRack4R4#show access-lists
Extended IP access list ACCESS
10 permit tcp any host 148.1.4.100 eq www time-range WORK_TIME (active)
20 Dynamic WEB permit tcp any host 148.1.4.100 eq www
30 deny tcp any host 148.1.4.100 eq www
40 permit ip any any (149 matches)

SCRack4R1#telnet 148.1.4.100 80
Trying 148.1.4.100, 80 ...
% Connection timed out; remote host not responding

SCRack4R4#show access-lists
Extended IP access list ACCESS
10 permit tcp any host 148.1.4.100 eq www time-range WORK_TIME (active) (12 matches)
20 Dynamic WEB permit tcp any host 148.1.4.100 eq www
30 deny tcp any host 148.1.4.100 eq www
40 permit ip any any (163 matches)

Task 2.4 Solution


R6:
!
! Configure 2 inspect type class-maps for inbound/outbound traffic
!
class-map type inspect cmap-inbound
match protocol icmp
!
class-map type inspect match-any cmap-outbound
match protocol telnet
match protocol icmp
match protocol http

!
! Configure a parameter-map for audit trail
!
parameter-map type inspect param-map-audit
audit-trail on


!
! Configure the inspect type policy-maps for inbound/outbound; inbound
! traffic will be inspected and policed, while outbound only inspected
!
policy-map type inspect pmap-inbound
class type inspect cmap-inbound
inspect param-map-audit
police rate 8000 burst 2000
!
policy-map type inspect pmap-outbound
class type inspect cmap-outbound
inspect

!
! Create the 2 security zones
!
zone security inside
zone security outside

!
! Configure the firewall policy in both directions
!
zone-pair security in-out source inside dest outside
service-policy type inspect pmap-outbound
!
zone-pair security out-in source outside destination inside
service-policy type inspect pmap-inbound

!
! Assign interfaces to appropriate security zones
!
interface Loopback 0
zone-member security inside
!
interface FastEthernet0/1
zone-member security inside
!
interface FastEthernet 0/0
zone-member security inside
!
interface Serial 0/0/0
zone-member security outside

Task 2.4 Verification


SCRack4R1#ping 54.4.3.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 54.4.3.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms


SCRack4R1#telnet 54.4.3.254
Trying 54.4.3.254 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB1. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.ine.com/downloads/bb1.txt |
| |
+-----------------------------------------------------------------------+

SC.9.9.BB1>

SC.9.9.BB1>ping 148.1.255.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 148.1.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/41/56 ms

SCRack4R6#show policy-map type inspect zone-pair

policy exists on zp in-out


Zone-pair: in-out

Service-policy inspect : pmap-outbound

Class-map: cmap-outbound (match-any)


Match: protocol telnet
2 packets, 48 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps

Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:122]
icmp packets: [0:10]


Session creations since subsystem startup or last reset 3


Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 00:02:42
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 2
Last half-open session total 0

Class-map: class-default (match-any)


Match: any
Drop
0 packets, 0 bytes

policy exists on zp out-in


Zone-pair: out-in

Service-policy inspect : pmap-inbound

Class-map: cmap-inbound (match-all)


Match: protocol icmp

Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:10]

Session creations since subsystem startup or last reset 1


Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:1:0]
Last session created 00:02:29
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0
Police
rate 8000 bps,2000 limit
conformed 10 packets, 1090 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)


Match: any
Drop
0 packets, 0 bytes


Task 2.5 Solution


R2:
!
! Identify interfaces as outside and inside
!
interface FastEthernet 0/0
ip nat outside
!
interface Serial 0/0.124
ip nat inside

!
! Configure the ACL for traffic to be NAT’ed
!
ip access-list extended TRANSLATE
permit ip 10.0.0.0 0.255.255.255 192.10.4.0 0.0.0.255

!
! Configure policy PAT and tune timeouts for DNS and TCP translations
!
ip nat inside source list TRANSLATE interface Loopback 0 overload
ip nat translation dns-timeout 120
ip nat translation tcp-timeout 21600

R3:
!
! Identify interfaces as outside and inside
!
interface FastEthernet 0/1
ip nat outside
!
interface FastEthernet 0/0
ip nat inside
!
interface Serial 1/0.35
ip nat inside

!
! Configure the ACL for traffic to be NAT’ed
!
ip access-list extended TRANSLATE
permit ip 10.0.0.0 0.255.255.255 192.10.4.0 0.0.0.255

!
! Configure policy PAT and tune timeouts for DNS and TCP translations
!
ip nat inside source list TRANSLATE interface Loopback 0 overload
ip nat translation dns-timeout 120
ip nat translation tcp-timeout 21600


Task 2.5 Verification


SCRack4R3#telnet 192.10.4.254 /source-interface fastEthernet 0/0
Trying 192.10.4.254 ...
% Connection timed out; remote host not responding

The connection is dropped by ASA2 because it is initiated from the outside of the firewall.

SCRack4R3#show ip nat translations


Pro Inside global Inside local Outside local Outside global
tcp 150.4.3.3:23444 10.3.3.3:23444 192.10.4.254:23 192.10.4.254:23

Task 2.6 Solution


ASA2:
!
! Configure class-map and match on BGP TCP port
!
class-map BGP
match port tcp eq 179

!
! Configure TCP map and allow option 19
!
tcp-map OPTION19
tcp-options range 19 19 allow

!
! Apply the TCP map and disable randomization for BGP traffic, at the
! global level
!
policy-map global_policy
class BGP
set connection advanced-options OPTION19
set connection random-sequence-number disable

!
! Allow eBGP session to be initiated by R2 and R3 as well
!
access-list OUTSIDE_IN permit tcp 192.10.4.0 255.255.255.0 192.10.4.0 255.255.255.0 eq bgp

R3:
!
! Configure BGP MD5 authentication
!
router bgp 200
neighbor 192.10.4.2 pass CISCO
neighbor 192.10.4.254 pass CISCO


R2:
!
! Configure BGP MD5 authentication
!
router bgp 200
neighbor 192.10.4.3 pass CISCO
neighbor 192.10.4.254 pass CISCO
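Why the ASA needs both the tcp-map allowing option 19 and sequence-number randomization disabled, shown as an added example that is not ASA or IOS code: the RFC 2385 MD5 signature carried in TCP option kind 19 is computed over the IP pseudo-header, the options-free TCP header (checksum taken as zero), the data and the shared key, so a firewall that rewrites the sequence number invalidates it and one that clears the option removes it. The addresses, ports and key below are constructed; the two "firewall" functions are simplified models of those behaviours.

```python
# Added example (not ASA or IOS code) of the RFC 2385 TCP MD5 signature that
# protects the BGP sessions in Task 2.6, and of what happens to it when a
# firewall in the path rewrites sequence numbers or clears option kind 19.
# Segment fields, addresses and the key are constructed.
import hashlib
import hmac
import socket
import struct
from typing import Optional

MD5_OPTION_KIND = 19      # TCP option kind carrying the RFC 2385 digest
MD5_OPTION_LEN = 18       # kind(1) + length(1) + 16-byte MD5 digest
TCP_PROTO = 6


def _fixed_header(sport, dport, seq, ack, flags, window, checksum, urg, hdr_len):
    """20-byte options-free TCP header; hdr_len is the full header length
    including options, because the data offset field is part of the signed data."""
    off_flags = ((hdr_len // 4) << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, checksum, urg)


def rfc2385_digest(src_ip: str, dst_ip: str, fixed_header: bytes, data: bytes, key: bytes) -> bytes:
    """MD5 over: IP pseudo-header (src, dst, zero, protocol, TCP length),
    the TCP header without options and with checksum 0, the data, the key."""
    hdr_len = (fixed_header[12] >> 4) * 4
    tcp_len = hdr_len + len(data)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)
    return hashlib.md5(pseudo + fixed_header + data + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, data: bytes, key: bytes) -> bytes:
    """TCP segment carrying a valid MD5 option, padded with two NOPs to a
    4-byte boundary (18 + 2 = 20 option bytes, header length 40)."""
    options_len = MD5_OPTION_LEN + 2
    hdr_len = 20 + options_len
    fixed = _fixed_header(sport, dport, seq, ack, flags, window, 0, 0, hdr_len)
    digest = rfc2385_digest(src_ip, dst_ip, fixed, data, key)
    options = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest + b"\x01\x01"
    # the TCP checksum is left at 0 here; it is not part of the digest
    return fixed + options + data


def find_md5_option(segment: bytes) -> Optional[bytes]:
    """Walk the TCP option list and return the 16-byte digest, or None."""
    hdr_len = (segment[12] >> 4) * 4
    i = 20
    while i < hdr_len:
        kind = segment[i]
        if kind == 0:               # end of option list
            break
        if kind == 1:               # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:
            break
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return segment[i + 2:i + MD5_OPTION_LEN]
        i += length
    return None


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver-side check: recompute the digest and compare it in constant time."""
    sig = find_md5_option(segment)
    if sig is None:
        return False
    hdr_len = (segment[12] >> 4) * 4
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]   # checksum treated as zero
    expected = rfc2385_digest(src_ip, dst_ip, fixed, segment[hdr_len:], key)
    return hmac.compare_digest(sig, expected)


def rewrite_seq(segment: bytes, new_seq: int) -> bytes:
    """Model of a firewall randomizing the sequence number: the signed header
    changes, so the peer's recomputed digest no longer matches."""
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]


def clear_unknown_options(segment: bytes) -> bytes:
    """Model of a firewall clearing options it does not allow: the option area
    is overwritten with NOPs, the header length is kept, the signature is gone."""
    hdr_len = (segment[12] >> 4) * 4
    return segment[:20] + b"\x01" * (hdr_len - 20) + segment[hdr_len:]
```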

Task 2.6 Verification


SCRack4R2#show ip bgp summary
BGP router identifier 150.4.2.2, local AS number 200
BGP table version is 27, main routing table version 27
7 network entries using 840 bytes of memory
10 path entries using 520 bytes of memory
5/3 BGP path/bestpath attribute entries using 620 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 2) using 64 bytes of memory
BGP using 2068 total bytes of memory
BGP activity 9/2 prefixes, 15/5 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.10.4.3 4 200 20 21 27 0 0 00:15:16 3
192.10.4.254 4 254 7 9 27 0 0 00:02:47 3

SCRack4R2#show ip bgp neighbors 192.10.4.3


BGP neighbor is 192.10.4.3, remote AS 200, internal link
<snip>

SRTT: 197 ms, RTTO: 984 ms, RTV: 787 ms, KRTT: 0 ms
minRTT: 12 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: active open
Option Flags: nagle, md5
IP Precedence value : 6
<snip>

SCRack4R2#show ip bgp neighbors 192.10.4.254


BGP neighbor is 192.10.4.254, remote AS 254, external link
BGP version 4, remote router ID 222.22.2.1
<snip>

SRTT: 182 ms, RTTO: 1073 ms, RTV: 891 ms, KRTT: 0 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, gen tcbs
Option Flags: nagle, md5
IP Precedence value : 6

<snip>


There is an alternate way to verify BGP authentication: view the TCP sessions
on the router and check the option flags of the BGP connection.

SCRack4R3#show tcp brief


TCB Local Address Foreign Address (state)
84DBC444 192.10.4.3.179 192.10.4.2.62091 ESTAB
8372BBD0 148.1.35.3.179 148.1.57.7.59058 ESTAB
83F8C6A8 192.10.4.3.179 192.10.4.254.60661 ESTAB

SCRack4R3#show tcp tcb 84DBC444


Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 192.10.4.3, Local port: 179
Foreign host: 192.10.4.2, Foreign port: 62091
<snip>

Option Flags: nagle, md5


IP Precedence value : 6

<snip>

Task 3.1 Solution


R5:
!
! Enable AAA and configure authentication/authorization list for EZVPN
!
aaa new-model
aaa authentication login vpn_group local
aaa authorization network vpn_group local

!
! Configure authentication login list for VTY lines
!
aaa authentication login VTY line

!
! Configure the local username for EZVPN xauth
!
username vpn_user password cisco

!
! Configure the ISAKMP policy; modify the DH group from default 1, as
! EZVPN requires DH group 2
!
crypto isakmp policy 2
hash sha
encr aes
authentication pre-share
group 2


!
! Configure the traffic encryption/hash policy, aka the transform-set
!
crypto ipsec transform-set EZ_TRANS_AES_SHA_Tunnel esp-aes esp-sha-hmac

!
! Configure the ISAKMP profile and specify the Virtual Tunnel Interface
!
crypto isakmp profile easy-IKE-profile-1
match identity group vpn_group
client authentication list vpn_group
isakmp authorization list vpn_group
client configuration address respond
virtual-template 1

!
! We are not allowed to use crypto-maps; so we’ll use IPSec profiles
!
crypto ipsec profile IPSEC-easyvpn-profile-1
set transform-set EZ_TRANS_AES_SHA_Tunnel
set isakmp-profile easy-IKE-profile-1

!
! Create the Virtual Tunnel Interface and apply the IPSec profile
!
interface Virtual-Template1 type tunnel
ip unnumbered loop 0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-easyvpn-profile-1

!
! Configure the pool of addresses for EZVPN clients
!
ip local pool POOL_1 148.1.57.101 148.1.57.110

!
! Configure the split-tunneling access-list
!
access-list 100 permit ip 148.1.57.0 0.0.0.255 any


!
! Configure the EZVPN group with PSK, pool, ACL for split-tunneling and
! the save-password option to allow client caching of xauth credentials
!
crypto isakmp client configuration group vpn_group
key cisco
pool POOL_1
acl 100
save-password

!
! Apply the line authentication list to the VTY lines
!
line vty 0 181
login authentication VTY

R4:
!
! Configure the Virtual Tunnel Interface
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
! Configure the EZVPN client parameters: group name, PSK, peer, etc.
!
crypto ipsec client ezvpn EZ_CLIENT
connect auto
group vpn_group key cisco
mode client
peer 150.4.5.5
virtual-interface 1
username vpn_user password cisco
xauth userid mode local

!
! Configure the new Loopback address as the inside EZVPN interface
!
interface Loopback 2
ip address 44.44.44.44 255.255.255.0
crypto ipsec client ezvpn EZ_CLIENT inside

!
! Configure interface Serial0/1 as the outside EZVPN interface
!
interface serial 0/1
crypto ipsec client ezvpn EZ_CLIENT outside


Task 3.1 Verification


SCRack4R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.5.5 148.1.45.4 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

SCRack4R4#sho crypto isakmp sa detail


Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 148.1.45.4 150.4.5.5 ACTIVE aes sha 2 22:20:59 CX
Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

SCRack4R4#show crypto ipsec client ezvpn


Easy VPN Remote Phase: 6

Tunnel name : EZ_CLIENT


Inside interface list: Loopback2
Outside interface: Virtual-Access2 (bound to Serial0/1)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 148.1.57.101 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
Address : 148.1.57.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 150.4.5.5

SCRack4R4#ping 148.1.57.7 source loopback 2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 148.1.57.7, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/61 ms


SCRack4R4#show crypto ipsec sa

interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 148.1.45.4

protected vrf: (none)


local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 150.4.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 148.1.45.4, remote crypto endpt.: 150.4.5.5


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/1
current outbound spi: 0x939C8A98(2476509848)
inbound esp sas:
spi: 0x4E223C34(1310866484)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: 3, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4394359/1188)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x939C8A98(2476509848)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: 4, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4394392/1188)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


Task 3.2 Solution


R5:
!
! Configure the new Loopback interface
!
interface Loopback1
ip address 192.168.255.5 255.255.255.255
!
! Configure the mGRE tunnel; configure NHRP redirect and disable
! split-horizon
!
interface Tunnel156
ip address 192.168.100.5 255.255.255.0
ip nhrp redirect
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 1
tunnel source Loopback 0
tunnel mode gre multipoint

!
! Configure EIGRP for Tunnel and Loopback interfaces
!
router eigrp 1
no auto-summary
network 192.168.100.5 0.0.0.0
passive-interface default
network 192.168.255.5 0.0.0.0
no passive-interface Tunnel 156

R1:
!
! Configure the new Loopback interface
!
interface Loopback1
ip address 192.168.255.1 255.255.255.255

!
! Configure the mGRE tunnel; configure NHRP redirect, NHRP shortcut and
! disable split-horizon
!
interface Tunnel156
ip address 192.168.100.1 255.255.255.0
ip nhrp shortcut
ip nhrp map multicast 150.4.5.5
ip nhrp map 192.168.100.5 150.4.5.5
ip nhrp network-id 1
ip nhrp nhs 192.168.100.5
tunnel source Loopback0
tunnel mode gre multipoint


!
! Configure EIGRP for Tunnel and Loopback interfaces
!
router eigrp 1
no auto-summary
network 192.168.100.1 0.0.0.0
network 192.168.255.1 0.0.0.0
passive-interface default
no passive-interface Tunnel 156

R6:
!
! Configure the new Loopback interface
!
interface Loopback1
ip address 192.168.255.6 255.255.255.255
!
! Configure the mGRE tunnel; configure NHRP redirect, NHRP shortcut and
! disable split-horizon
!
interface Tunnel156
ip address 192.168.100.6 255.255.255.0
ip nhrp shortcut
ip nhrp map multicast 150.4.5.5
ip nhrp map 192.168.100.5 150.4.5.5
ip nhrp network-id 1
ip nhrp nhs 192.168.100.5
tunnel source Loopback0
tunnel mode gre multipoint

!
! Configure EIGRP for Tunnel and Loopback interfaces
!
router eigrp 1
no auto-summary
network 192.168.100.6 0.0.0.0
network 192.168.255.6 0.0.0.0
passive-interface default
no passive-interface Tunnel 156


Task 3.2 Verification


SCRack4R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.100.5           Tu156             10 00:29:08  262  5000  0  14

SCRack4R1#show ip route eigrp
     192.168.255.0/32 is subnetted, 3 subnets
D       192.168.255.6 [90/310172416] via 192.168.100.5, 00:29:18, Tunnel156
D       192.168.255.5 [90/297372416] via 192.168.100.5, 00:29:27, Tunnel156

SCRack4R6#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.100.5           Tu156             13 00:30:38 1039  5000  0  14

SCRack4R6#show ip route eigrp
     192.168.255.0/32 is subnetted, 3 subnets
D       192.168.255.5 [90/27008000] via 192.168.100.5, 00:30:40, Tunnel156
D       192.168.255.1 [90/298652416] via 192.168.100.5, 00:30:40, Tunnel156


Verify the NHRP shortcuts on the spokes and confirm that spoke-to-spoke traffic
does not pass through the hub. The first packet is routed across the hub (which
answers with an NHRP redirect); once the spoke has resolved the shortcut, the
remaining packets take the direct spoke-to-spoke path:

SCRack4R6#traceroute 192.168.255.1

Type escape sequence to abort.
Tracing the route to 192.168.255.1

  1 192.168.100.5 64 msec 60 msec 64 msec
  2 192.168.100.1 52 msec *  52 msec

SCRack4R6#traceroute 192.168.255.1

Type escape sequence to abort.
Tracing the route to 192.168.255.1

  1 192.168.100.1 4 msec *  0 msec

SCRack4R6#show ip nhrp 192.168.255.1
192.168.255.1/32 via 192.168.100.1
   Tunnel156 created 00:01:08, expire 01:58:54
   Type: dynamic, Flags: router
   NBMA address: 150.4.1.1

SCRack4R1#traceroute 192.168.255.6

Type escape sequence to abort.
Tracing the route to 192.168.255.6

  1 192.168.100.5 60 msec 60 msec 60 msec
  2 192.168.100.6 52 msec *  52 msec

SCRack4R1#traceroute 192.168.255.6

Type escape sequence to abort.
Tracing the route to 192.168.255.6

  1 192.168.100.6 0 msec *  0 msec

SCRack4R1#show ip nhrp 192.168.255.6
192.168.255.6/32 via 192.168.100.6, Tunnel156 created 00:00:57, expire 01:59:05
   Type: dynamic, Flags: router
   NBMA address: 150.4.6.6


Task 3.3 Solution


R2:
!
! Configure R2 as NTP server with authentication; enable HTTP for the
! CA server feature
!
ntp source Loopback0
ntp master 1
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
clock timezone PST -8
clock summer-time PDT recurring
ip http server
ip domain-name INE.com
crypto key generate rsa general-keys modulus 1024

!
! Configure the CA server; for easier deployment configure it to grant
! certificates automatically
!
crypto pki server R2-CA_Server
database url nvram:
database level minimum
grant auto
no shut

R5, R1, R6:


!
! Configure domain name and NTP synchronization with R2
!
ip domain-name INE.com
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 150.4.2.2

!
! Configure the RSA key pair for certificate enrollment
!
crypto key generate rsa general-keys modulus 1024

!
! Configure the trustpoint, authenticate and enroll with it
!
crypto ca trustpoint R2-CA
enrollment url http://150.4.2.2:80
revocation-check none
!
crypto pki authenticate R2-CA
crypto pki enroll R2-CA


R1, R5 and R6:


!
! Configure the ISAKMP Phase 1 policy
!
crypto isakmp policy 1
encr AES
group 2
lifetime 3600

!
! Configure the transform set; to minimize overhead on GRE/IPsec,
! transport mode is usually used; as the task does not specify it,
! either mode can be used
!
crypto ipsec transform-set AES_SHA_TRANSPORT_MODE esp-aes esp-sha-hmac
mode transport

!
! Configure the IPSec profile and apply it on the Tunnel interface
!
crypto ipsec profile DMVPN_PROF
set transform-set AES_SHA_TRANSPORT_MODE
set pfs group2
!
interface Tunnel156
tunnel protection ipsec profile DMVPN_PROF

Task 3.3 Verification


SCRack4R6#show ntp status
Clock is synchronized, stratum 2, reference is 150.4.2.2
nominal freq is 250.0000 Hz, actual freq is 250.0034 Hz, precision is 2**24
reference time is CE5FF122.AE273216 (17:09:06.680 PDT Sat Sep 19 2009)
clock offset is 0.0513 msec, root delay is 0.04 msec
root dispersion is 0.06 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000013535 s/s
system poll interval is 64, last update was 448 sec ago.

SCRack4R6#show ntp associations detail
150.4.2.2 configured, our_master, sane, valid, stratum 1
<snip>


SCRack4R6#show crypto pki certificates


Certificate
Status: Available
Certificate Serial Number (hex): 04
Certificate Usage: General Purpose
Issuer:
cn=R2-CA_Server
Subject:
Name: SCRack4R6.INE.com
Serial Number: FTX1128F0GA
serialNumber=FTX1128F0GA+hostname=SCRack4R6.INE.com
Validity Date:
start date: 16:16:15 PDT Sep 19 2009
end date: 16:16:15 PDT Sep 19 2010
Associated Trustpoints: R2-CA
Storage: nvram:R2-CA_Server#4.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=R2-CA_Server
Subject:
cn=R2-CA_Server
Validity Date:
start date: 16:01:51 PDT Sep 19 2009
end date: 16:01:51 PDT Sep 18 2012
Associated Trustpoints: R2-CA
Storage: nvram:R2-CA_Server#1CA.cer

SCRack4R6#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1001  150.4.6.6       150.4.5.5              ACTIVE aes  sha  rsig 2  00:56:48
       Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA


SCRack4R6#show ip route eigrp
     192.168.255.0/32 is subnetted, 3 subnets
D       192.168.255.5 [90/27008000] via 192.168.100.5, 00:04:02, Tunnel156
D       192.168.255.1 [90/298652416] via 192.168.100.5, 00:03:46, Tunnel156

SCRack4R6#ping 192.168.255.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/144/148 ms

SCRack4R6#ping 192.168.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 288/295/304 ms

Verify spoke-to-spoke traffic flow:

SCRack4R6#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1006  150.4.6.6       150.4.5.5              ACTIVE aes  sha  rsig 2  00:48:20
       Engine-id:Conn-id = SW:6
1007  150.4.6.6       150.4.1.1              ACTIVE aes  sha  rsig 2  00:51:11
       Engine-id:Conn-id = SW:7

IPv6 Crypto ISAKMP SA


SCRack4R6#show crypto ipsec sa

interface: Tunnel156
Crypto map tag: Tunnel156-head-0, local addr 150.4.6.6

protected vrf: (none)


local ident (addr/mask/prot/port): (150.4.6.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (150.4.1.1/255.255.255.255/47/0)
current_peer 150.4.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 150.4.6.6, remote crypto endpt.: 150.4.1.1
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xA8CCF021(2832003105)
PFS (Y/N): Y, DH group: group2

inbound esp sas:


spi: 0xE72FB8CA(3878664394)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2017, flow_id: NETGX:17, sibling_flags 80000006,
crypto map: Tunnel156-head-0
sa timing: remaining key lifetime (k/sec): (4429631/2977)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0xA8CCF021(2832003105)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2018, flow_id: NETGX:18, sibling_flags 80000006,
crypto map: Tunnel156-head-0
sa timing: remaining key lifetime (k/sec): (4429631/2977)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


protected vrf: (none)


local ident (addr/mask/prot/port): (150.4.6.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (150.4.5.5/255.255.255.255/47/0)
current_peer 150.4.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 192, #pkts encrypt: 192, #pkts digest: 192
#pkts decaps: 162, #pkts decrypt: 162, #pkts verify: 162
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 150.4.6.6, remote crypto endpt.: 150.4.5.5


path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xA859141F(2824410143)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x131A87AD(320505773)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2015, flow_id: NETGX:15, sibling_flags 80000006,
crypto map: Tunnel156-head-0
sa timing: remaining key lifetime (k/sec): (4466108/2807)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0xA859141F(2824410143)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2016, flow_id: NETGX:16, sibling_flags 80000006,
crypto map: Tunnel156-head-0
sa timing: remaining key lifetime (k/sec): (4466104/2807)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
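The transform set, transport mode and PFS settings configured in Task 3.3 can be checked mechanically against the `show crypto ipsec sa` output above rather than by eye. The following Python script is an added example (not part of the INE workbook and not IOS code): it parses the output into one record per peer and reports every deviation from the configured policy. The sample text is a trimmed copy of the R6 output, with the second peer's SAs deliberately altered (constructed) so that a violation is visible.

```python
"""Policy check for `show crypto ipsec sa` output.

Added example, not part of the INE workbook and not IOS code. It parses the
per-peer blocks of the output into records and compares each against the
settings the Task 3.3 solution configures: transform set esp-aes/esp-sha-hmac,
transport mode, PFS group2, anti-replay enabled.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the R6 output above. The second
# peer's SAs are deliberately altered (tunnel mode, 3DES/MD5, no PFS, no
# anti-replay, missing outbound SA) so that a violation is visible.
SAMPLE = """\
interface: Tunnel156
    Crypto map tag: Tunnel156-head-0, local addr 150.4.6.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (150.4.6.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.4.1.1/255.255.255.255/47/0)
   current_peer 150.4.1.1 port 500
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #send errors 0, #recv errors 0
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0xE72FB8CA(3878664394)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0xA8CCF021(2832003105)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        replay detection support: Y
        Status: ACTIVE

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (150.4.6.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.4.5.5/255.255.255.255/47/0)
   current_peer 150.4.5.5 port 500
    #pkts encaps: 192, #pkts encrypt: 192, #pkts digest: 192
    #pkts decaps: 162, #pkts decrypt: 162, #pkts verify: 162
    #send errors 1, #recv errors 0
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x131A87AD(320505773)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        replay detection support: N
        Status: ACTIVE
"""

# What the Task 3.3 transform set and IPsec profile should yield on every peer.
EXPECTED = {"transform": "esp-aes esp-sha-hmac", "mode": "Transport", "pfs_group": "group2"}


@dataclass
class IpsecPeer:
    peer: str
    transforms: set = field(default_factory=set)
    modes: set = field(default_factory=set)
    replay: set = field(default_factory=set)
    pfs: bool = False
    pfs_group: str = ""
    send_errors: int = 0
    active_sas: int = 0


def parse_ipsec_sa(text):
    """Split the output at each 'protected vrf:' line and extract one record per peer."""
    peers = []
    for block in re.split(r"(?m)^\s*protected vrf:", text)[1:]:
        m = re.search(r"current_peer (\S+)", block)
        rec = IpsecPeer(peer=m.group(1) if m else "unknown")
        rec.transforms = {t.strip() for t in re.findall(r"transform: (.+?) ,", block)}
        rec.modes = set(re.findall(r"in use settings =\{(\w+), \}", block))
        rec.replay = set(re.findall(r"replay detection support: (\w)", block))
        pfs = re.search(r"PFS \(Y/N\): (\w)(?:, DH group: (\w+))?", block)
        if pfs:
            rec.pfs = pfs.group(1) == "Y"
            rec.pfs_group = pfs.group(2) or ""
        err = re.search(r"#send errors (\d+)", block)
        rec.send_errors = int(err.group(1)) if err else 0
        rec.active_sas = len(re.findall(r"Status: ACTIVE", block))
        peers.append(rec)
    return peers


def check_peer(rec, expected=EXPECTED):
    """Return a list of findings; an empty list means the peer matches policy."""
    findings = []
    if rec.transforms != {expected["transform"]}:
        findings.append(f"transform {sorted(rec.transforms)} != {expected['transform']}")
    if rec.modes != {expected["mode"]}:
        findings.append(f"mode {sorted(rec.modes)} != {expected['mode']}")
    if not rec.pfs or rec.pfs_group != expected["pfs_group"]:
        findings.append(f"PFS missing or wrong group ({rec.pfs_group or 'none'})")
    if rec.replay != {"Y"}:
        findings.append("anti-replay not enabled on every SA")
    if rec.active_sas < 2:
        findings.append(f"only {rec.active_sas} ACTIVE SA(s); expected inbound and outbound")
    if rec.send_errors:
        findings.append(f"{rec.send_errors} send error(s); check MTU/fragmentation if it grows")
    return findings


def audit(text):
    """Map each peer address to its list of findings."""
    return {rec.peer: check_peer(rec) for rec in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for peer, findings in audit(SAMPLE).items():
        print(peer, "OK" if not findings else findings)
```

Run against the real output (pasted into `SAMPLE` or read from a file), every DMVPN peer should come back with an empty finding list; the single send error on the hub peer in the output above is the kind of value the script surfaces without failing the check.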


Task 3.4 Solution


ASA1:
!
! Enable WEBVPN on the outside interface
!
webvpn
enable outside

!
! Configure a group-policy and specify the VPN protocol as webvpn
!
group-policy web-vpn internal
group-policy web-vpn attributes
vpn-tunnel-protocol webvpn

!
! Configure local username and apply the group-policy under user
! attributes
!
username web-user password cisco
username web-user attributes
vpn-group-policy web-vpn
!
! Configure a tunnel-group and specify the group-policy to be used
!
tunnel-group web_vpn type remote-access
tunnel-group web_vpn general-attributes
default-group-policy web-vpn

!
! Specify a group URL and alias so that the user does not need to select
! a group at login; based on the URL, the ASA knows which tunnel-group
! to match the connection to
!


Since URL entry is enabled by default, the new group-policy inherits it as well.

tunnel-group web_vpn webvpn-attributes
group-alias web enable
group-url https://10.0.0.12/web enable

Task 3.4 Verification


Access WEBVPN portal via https://10.0.0.12/web; authenticate and browse to get
to SW1 via HTTP:


Task 4.1 Solution


sensor# setup

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit

summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

Current time: Thu Aug 27 22:48:18 2009

Setup Configuration last modified: Thu Aug 27 16:23:04 2009


Continue with configuration dialog?[yes]: yes


Enter host name[sensor]: IPS
Enter IP interface[192.168.1.2/24,192.168.1.1]:
148.1.105.10/24,148.1.105.5
Enter telnet-server status[disabled]:
Enter web-server port[443]:
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 10.0.0.100/32
Permit:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 148.1.105.10/24,148.1.105.5
host-name IPS
telnet-option disabled
access-list 10.0.0.100/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides


override-item-status Enabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]:


Configuration Saved.
*22:50:11 UTC Thu Aug 27 2009
Modify system date and time?[no]:

Task 4.1 Verification


Verify you can access the IPS using the URL https://10.0.0.10:14433

Rack4ASA1# show conn all protocol tcp
3 in use, 8 most used
TCP outside 10.0.0.100:1689 inside 148.1.105.10:443, idle 0:00:13, bytes 4243, flags UIOB


Task 4.2 Solution


SW1:
!
! Configure R1 and R2 interfaces in the new VLANs
!
interface FastEthernet 0/2
switchport access vlan 2314
!
interface FastEthernet 0/1
switchport access vlan 256

SW2:
!
! Configure the interface towards IPS sensing as trunk and allow only
! the necessary VLANs
!
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 255,256,2313,2314


IDM:

Step 1:

Enable the sensing interface. Go to Configuration | Interface
Configuration | Interfaces and enable GigabitEthernet0/0.


Step 2:

Add a new VLAN pair. Go to Configuration | Interface
Configuration | VLAN Pairs. Combine VLANs 2313 and 2314 in a pair:


Step 3:

Add a second VLAN pair. Go to Configuration | Interface
Configuration | VLAN Pairs. Combine VLANs 255 and 256 in a pair:


Step 4:

Clone the default signature definition and add two more named “sig1” and “sig2”.
Go to Configuration | Policies | Signature Definition and click
Clone:

Step 5:

Clone the default event action rules and add two more named “rules1” and
“rules2”. Go to Configuration | Policies | Event Action Rules and
click Clone:

Step 6:

Clone the default anomaly detection rules and add two more named “ad1” and
“ad2”. Go to Configuration | Policies | Anomaly Detections and
click Clone:

Step 7:

Add new virtual sensor VS1 and associate the previously configured sets with it.
Go to Configuration | Analysis Engine | Virtual Sensors and click
Add:

Step 8:

Add a new virtual sensor VS2 and associate the previously configured sets with
it. Go to Configuration | Analysis Engine | Virtual Sensors and
click Add:

Task 4.2 Verification


SCRack4R1#ping 148.1.255.6

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 148.1.255.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms


SCRack4R1#ping 148.1.255.8

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 148.1.255.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms

SCRack4R1#show ip ospf neighbor fastEthernet 0/0

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.4.6.6         1   FULL/DR         00:00:33    148.1.255.6     FastEthernet0/0
150.4.8.8         0   2WAY/DROTHER    00:00:36    148.1.255.8     FastEthernet0/0

SCRack4R2#ping 192.10.4.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.10.4.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

SCRack4R2#ping 192.10.4.13

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.10.4.13, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms

SCRack4R2#show ip bgp summary
BGP router identifier 150.4.2.2, local AS number 200
BGP table version is 38, main routing table version 38
4 network entries using 480 bytes of memory
4 path entries using 208 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 3) using 28 bytes of memory
BGP using 1088 total bytes of memory
BGP activity 19/15 prefixes, 33/29 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.10.4.3      4   200    2844    2852        0    0    0 1d02h    Active
192.10.4.254    4   254    2826    2839        0    0    0 1d02h    Active


Task 4.3 Solution


Create a custom signature that matches certain strings in a telnet session; create
an event action filter so that the signature does not alarm on packets sourced
from R3 Loopback0.

IDM:

Step 1:

Start the custom signature wizard for VS1. Go to Configuration |
Policies | Signature Definitions | sig1; go to Custom
Signature Wizard and click Start the Wizard:


Step 2:

Follow the screenshots to configure the new signature settings:


Step 3:

Since we need to inspect telnet sessions, choose TCP as the protocol to decode
and inspect:


Step 4:

Select “Single TCP Connection” since our traffic is session based:


Step 5:

Choose “Other” as the service so we can define telnet in the next screen:


Step 6:

Leave everything default in this screen as we are not given any specifications:


Step 7:

Specify the Service Ports to be 23 for telnet; specify the Direction to be
To Service since the strings will be sent to the router; specify the Regex
String to match on the sequence conf t; here we configured the regex to
match on any combination of lower/upper case:


Step 8:

Modify the Severity of the Alert to High as asked:


Step 9:

Click on Advanced to modify the signature to alarm on every match:


Step 10:

Leave all settings as they are here and move on:


Step 11:

Modify the signature to Alert Every Time the Signature Fires


Step 12:

For the last two configuration screens, leave the values to their defaults and
finish the process.


Step 13:

Create an Event Action Filter in rules1 to implement the requirement
“don’t alarm on connections made from R3 Loopback0”. Go to Configuration |
Policies | Event Action Rules | rules1; click Event Action
Filters and Add:

Step 14:

Modify the Signature ID to be 60000 (the signature # we just created); modify
the Attacker Address to be 150.X.3.3; modify the “Action to Subtract” to
“Produce Alert”. You could optionally remove all actions:


Task 4.3 Verification


Telnet from R3 to R2. Initially, source packets from VLAN 2313 and then, use
Loopback0 as the source. Check the reported events on IPS and confirm that the
second connection did not produce an alert.

SCRack4R3#telnet 192.10.4.2
Trying 192.10.4.2 ... Open

User Access Verification

Password:
SCRack4R2>en
Password:
SCRack4R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.

SCRack4R3#telnet 192.10.4.2 /source-interface loopback 0


Trying 192.10.4.2 ... Open

User Access Verification

Password:
SCRack4R2>en
Password:
SCRack4R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.

sensor# show events alert high past 00:04:00

evIdsAlert: eventId=1252132196862909845 severity=high vendor=Cisco


originator:
hostId: IPS
appName: sensorApp
appInstanceId: 368
time: 2009/09/25 13:16:01 2009/09/25 13:16:01 UTC
signature: description=My Sig id=60000 version=custom
subsigId: 0
sigDetails: My Sig Info
marsCategory: Info/Misc
interfaceGroup: VS1
vlan: 2313
participants:
attacker:
addr: locality=OUT 192.10.4.3
port: 53718
target:
addr: locality=OUT 192.10.4.2
port: 23


os: idSource=unknown relevance=relevant type=unknown


context:
fromTarget:
000000 20 70 65 72 20 6C 69 6E 65 2E 20 20 45 6E 64 20 per line. End
000010 77 69 74 68 20 43 4E 54 4C 2F 5A 2E 0D 0A 53 43 with CNTL/Z...SC
000020 52 61 63 6B 31 52 32 28 63 6F 6E 66 69 67 29 23 Rack4R2(config)#
000030 63 6F 6E 46 74 0D 0A 20 20 20 20 20 20 20 20 20 conFt..
000040 20 20 20 20 20 20 20 20 20 20 20 20 20 5E 0D 0A ^..
000050 25 20 49 6E 76 61 6C 69 64 20 69 6E 70 75 74 20 % Invalid input
000060 64 65 74 65 63 74 65 64 20 61 74 20 27 5E 27 20 detected at '^'
000070 6D 61 72 6B 65 72 2E 0D 0A 0D 0A 53 43 52 61 63 marker.....SCRac
000080 6B 31 52 32 28 63 6F 6E 66 69 67 29 23 63 6F 6E k1R2(config)#con
000090 46 20 74 0D 0A 20 20 20 20 20 20 20 20 20 20 20 F t..
0000A0 20 20 20 20 20 20 20 20 20 20 20 20 5E 0D 0A 25 ^..%
0000B0 20 49 6E 76 61 6C 69 64 20 69 6E 70 75 74 20 64 Invalid input d
0000C0 65 74 65 63 74 65 64 20 61 74 20 27 5E 27 20 6D etected at '^' m
0000D0 61 72 6B 65 72 2E 0D 0A 0D 0A 53 43 52 61 63 6B arker.....SCRack
0000E0 31 52 32 28 63 6F 6E 66 69 67 29 23 65 78 69 74 1R2(config)#exit
0000F0 0D 0A 53 43 52 61 63 6B 31 52 32 23 63 6F 6E 46 ..SCRack4R2#conF
fromAttacker:
000000 FF FD 03 FF FB 20 FF FB 1F FF FB 21 FF FD 01 FF ..... .....!....
000010 FC 18 FF FA 1F 00 50 00 18 FF F0 FF FC 20 63 69 ......P...... ci
000020 73 63 6F 0D 0A 65 6E 0D 0A 63 69 73 63 6F 0D 0A sco..en..cisco..
000030 63 6F 6E 66 20 74 0D 0A 63 6F 6E 46 74 0D 0A 63 conf t..conFt..c
000040 6F 6E 46 20 74 0D 0A 65 78 69 74 0D 0A 63 6F 6E onF t..exit..con
000050 46 F
riskRatingValue: attackRelevanceRating=relevant
targetValueRating=medium 85
threatRatingValue: 85
interface: ge0_0
protocol: tcp
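The two moving parts of this task, the case-insensitive regex match on the client-to-server telnet stream and the event action filter that subtracts Produce Alert for R3's Loopback0, can be reproduced outside the sensor. The Python below is an added example (not part of the INE workbook and not IPS code). The regex string typed into the wizard is only visible in a screenshot, so the pattern used here is an assumption written in Python `re` syntax rather than the sensor's own regex dialect; the input bytes are rebuilt from the fromAttacker hex dump in the alert above, and the filter uses 150.4.3.3 for the 150.X.3.3 of Step 14 (rack 4).

```python
"""Custom-signature matching and event-action filtering (Task 4.3).

Added example, not part of the INE workbook and not IPS code. The regex typed
into the wizard is only visible in a screenshot, so the pattern is an
assumption: "conf t" in any case, with one or more spaces, written in Python
re syntax rather than the sensor's own regex dialect. The client-to-server
bytes are rebuilt from the fromAttacker hex dump in the alert above.
"""
import re
from ipaddress import ip_address, ip_network

SIG_ID = 60000

# Constructed from the fromAttacker context above: telnet option negotiation
# followed by the typed commands (passwords included, as the sensor saw them).
FROM_ATTACKER = (
    b"\xff\xfd\x03\xff\xfb\x20\xff\xfb\x1f\xff\xfb\x21\xff\xfd\x01\xff"
    b"\xfc\x18\xff\xfa\x1f\x00\x50\x00\x18\xff\xf0\xff\xfc\x20"
    b"cisco\r\nen\r\ncisco\r\nconf t\r\nconFt\r\nconF t\r\nexit\r\nconF"
)

# Assumed equivalent of the wizard regex: any-case "conf", spaces, any-case "t".
CONF_T = re.compile(rb"[Cc][Oo][Nn][Ff] +[Tt]")

# Event action filter from Step 14: for signature 60000 and attacker
# 150.X.3.3 (rack 4, so 150.4.3.3), subtract the produce-alert action.
FILTERS = [
    {"sig_id": SIG_ID, "attacker": ip_network("150.4.3.3/32"), "subtract": {"produce-alert"}},
]


def strip_telnet_iac(data):
    """Remove telnet IAC negotiation so only the typed characters remain."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != 0xFF:
            out.append(data[i])
            i += 1
            continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd in (0xFB, 0xFC, 0xFD, 0xFE):       # WILL/WONT/DO/DONT <option>
            i += 3
        elif cmd == 0xFA:                         # SB ... IAC SE
            end = data.find(b"\xff\xf0", i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd == 0xFF:                         # escaped literal 0xFF
            out.append(0xFF)
            i += 2
        else:                                     # any other two-byte command
            i += 2
    return bytes(out)


def apply_filters(alert, filters):
    """Drop the actions an event action filter subtracts for this alert."""
    actions = set(alert["actions"])
    for flt in filters:
        if flt["sig_id"] == alert["sig_id"] and ip_address(alert["attacker"]) in flt["attacker"]:
            actions -= flt["subtract"]
    return actions


def detect(stream, attacker, target, filters=FILTERS):
    """One alert per regex match (Alert Every Time the Signature Fires),
    each carrying the actions that survive the configured filters."""
    alerts = []
    for m in CONF_T.finditer(strip_telnet_iac(stream)):
        alert = {"sig_id": SIG_ID, "attacker": attacker, "target": target,
                 "match": m.group().decode(), "actions": {"produce-alert"}}
        alert["actions"] = apply_filters(alert, filters)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for src in ("192.10.4.3", "150.4.3.3"):
        for a in detect(FROM_ATTACKER, src, "192.10.4.2"):
            print(src, repr(a["match"]), sorted(a["actions"]) or "suppressed")
```

With the captured stream, `conf t` and `conF t` match while `conFt` (no space) does not, which is exactly the two prompts the router rejected in the fromTarget context; from 192.10.4.3 each match keeps its Produce Alert action, from 150.4.3.3 the filter leaves an empty action set, so no alert is produced.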


Task 4.4 Solution


The BGP peering sessions between R2, R3 and BB2 are no longer forming. The
problem came up after configuring the inline VLAN pair 2313-2314, so it is
definitely related to the IPS.

sensor# show events alert past 00:02:00

evIdsAlert: eventId=1252132196862910590 severity=low vendor=Cisco


originator:
hostId: IPS
appName: sensorApp
appInstanceId: 368
time: 2009/09/25 13:34:37 2009/09/25 13:34:37 UTC
signature: description=TCP Option Other id=1306 version=S272
subsigId: 0
sigDetails: TCP Option Other Detected
marsCategory: Info/Misc
interfaceGroup: VS1
vlan: 2313
participants:
attacker:
addr: locality=OUT 192.10.4.254
port: 21295
target:
addr: locality=OUT 192.10.4.2
port: 179
os: idSource=unknown relevance=relevant type=unknown
riskRatingValue: attackRelevanceRating=relevant
targetValueRating=medium 60
threatRatingValue: 25
interface: ge0_0
protocol: tcp

How can we fix it? Either disable signature 1306 in “sig1”, or tune it so that it
only produces an alert instead of also modifying the packet. Either way will
work. For clarification, asking the proctor is recommended.

sensor# conf t
sensor(config)# service signature-definition sig1
sensor(config-sig)# signatures 1306 0
sensor(config-sig-sig)# engine normalizer
sensor(config-sig-sig-nor)# event-action produce-alert
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]:
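In a busier log the alert that explains the outage is easy to miss, so it helps to parse `show events alert` output and pull out the events whose endpoints are a routing-protocol port. The Python below is an added example (not part of the INE workbook or of the sensor software): the first sample event is a copy of the 1306 alert above, the second is a constructed copy of the Task 4.3 telnet alert, and the functions turn the indented key/value text into dicts and report which signatures fired on BGP (tcp/179) traffic in the inline pair.

```python
"""Parse `show events alert` output and flag alerts that touch BGP (tcp/179).

Added example, not part of the INE workbook or of the sensor software. The
first event is a copy of the 1306 alert shown above; the second is a
constructed copy of the Task 4.3 telnet alert. The parser turns the indented
key/value text into dicts so the events can be filtered programmatically.
"""
import re

SAMPLE_EVENTS = """\
evIdsAlert: eventId=1252132196862910590 severity=low vendor=Cisco
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 368
  time: 2009/09/25 13:34:37 2009/09/25 13:34:37 UTC
  signature: description=TCP Option Other id=1306 version=S272
    subsigId: 0
    sigDetails: TCP Option Other Detected
  interfaceGroup: VS1
  vlan: 2313
  participants:
    attacker:
      addr: locality=OUT 192.10.4.254
      port: 21295
    target:
      addr: locality=OUT 192.10.4.2
      port: 179
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 60
  threatRatingValue: 25
  interface: ge0_0
  protocol: tcp

evIdsAlert: eventId=1252132196862909845 severity=high vendor=Cisco
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 368
  time: 2009/09/25 13:16:01 2009/09/25 13:16:01 UTC
  signature: description=My Sig id=60000 version=custom
    subsigId: 0
  interfaceGroup: VS1
  vlan: 2313
  participants:
    attacker:
      addr: locality=OUT 192.10.4.3
      port: 53718
    target:
      addr: locality=OUT 192.10.4.2
      port: 23
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 85
  threatRatingValue: 85
  interface: ge0_0
  protocol: tcp
"""

# TCP ports whose sessions must survive an inline sensor; extend as needed.
CONTROL_PLANE_TCP_PORTS = {179: "bgp"}


def parse_events(text):
    """Return one dict per evIdsAlert block."""
    events = []
    for chunk in re.split(r"(?m)^evIdsAlert:", text)[1:]:
        ev = {
            "eventId": re.search(r"eventId=(\d+)", chunk).group(1),
            "severity": re.search(r"severity=(\w+)", chunk).group(1),
        }
        sig = re.search(r"signature: description=(.*?) id=(\d+)", chunk)
        ev["sig_desc"], ev["sig_id"] = sig.group(1), int(sig.group(2))
        for role in ("attacker", "target"):
            m = re.search(role + r":\s*addr: \S+ (\S+)\s*port: (\d+)", chunk)
            ev[role] = (m.group(1), int(m.group(2)))
        vlan = re.search(r"vlan: (\d+)", chunk)
        ev["vlan"] = int(vlan.group(1)) if vlan else None
        ev["protocol"] = re.search(r"protocol: (\w+)", chunk).group(1)
        events.append(ev)
    return events


def control_plane_hits(events, ports=CONTROL_PLANE_TCP_PORTS):
    """Alerts whose TCP endpoints include a routing-protocol port."""
    return [ev for ev in events
            if ev["protocol"] == "tcp"
            and (ev["attacker"][1] in ports or ev["target"][1] in ports)]


def summarize(text):
    """Group the suspicious alerts by signature: {sig_id: (description, count)}."""
    out = {}
    for ev in control_plane_hits(parse_events(text)):
        desc, n = out.get(ev["sig_id"], (ev["sig_desc"], 0))
        out[ev["sig_id"]] = (desc, n + 1)
    return out


if __name__ == "__main__":
    for sig_id, (desc, n) in summarize(SAMPLE_EVENTS).items():
        print(f"signature {sig_id} ({desc}) fired {n} time(s) on control-plane traffic")
```

The summary points straight at signature 1306 on the BGP session to 192.10.4.2, which is the signature the CLI above retunes to `produce-alert` only; the telnet alert from Task 4.3 is correctly left out.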


Task 4.4 Verification


Verify that BGP peering between R2 and BB2 is up.

SCRack4R2#show ip bgp summary
BGP router identifier 150.4.2.2, local AS number 200
BGP table version is 50, main routing table version 50
7 network entries using 840 bytes of memory
10 path entries using 520 bytes of memory
5/3 BGP path/bestpath attribute entries using 620 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 3) using 64 bytes of memory
BGP using 2068 total bytes of memory
BGP activity 22/15 prefixes, 40/30 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.10.4.3      4   200    2921    2928       50    0    0 01:10:53        3
192.10.4.254    4   254    2845    2860       50    0    0 00:14:17        3


Task 4.5 Solution


IDM:

Step 1:

Use the custom signature wizard to create a new signature for “sig2”. Go to
Configuration | Policies | Signature Definitions | sig2. Go
to Custom Signature Wizard and click Start the Wizard:

Step 2:

Follow the screenshots below to configure the new signature settings. Select the
String TCP engine:


Step 3:

Leave all values at their defaults on this screen.


Step 4:

Specify the direction From Service, a Service Port value of 23 for telnet, and
specify the Regex String.


Step 5:

Modify the severity of the alarm to High per the task requirements:


Step 6:

Change the Advanced settings for this signature, as we need to change the event
summarization mode:


Step 7:

Set Event Count to “3” and set Event Interval to 30 seconds:


Step 8:

Set the alert summarization mode to Alert Every Time the Signature
Fires:


Step 9:

Use the default values for the next two configuration dialogs:


Task 4.5 Verification


Telnet from R6 to R1, type an incorrect password three times in a row and check
the events in the IPS log:

SCRack4R1#telnet 148.1.255.6
Trying 148.1.255.6 ... Open

User Access Verification

Password:
Password:
Password:
% Bad passwords

sensor# show events alert high past 00:02:00
evIdsAlert: eventId=1252132196862922390 severity=high vendor=Cisco
originator:
hostId: IPS
appName: sensorApp
appInstanceId: 368
time: 2009/09/26 03:29:44 2009/09/26 03:29:44 UTC
signature: description=My Sig id=60000 version=custom
subsigId: 0
sigDetails: My Sig Info
marsCategory: Info/Misc
interfaceGroup: VS2
vlan: 255
participants:
attacker:
addr: locality=OUT 148.1.255.6
port: 23
target:
addr: locality=OUT 148.1.255.1
port: 56854
os: idSource=unknown relevance=relevant type=unknown
context:
fromTarget:
000000 FF FB 01 FF FB 03 FF FD 18 FF FD 1F 0D 0A 0D 0A ................
000010 55 73 65 72 20 41 63 63 65 73 73 20 56 65 72 69 User Access Veri
000020 66 69 63 61 74 69 6F 6E 0D 0A 0D 0A 50 61 73 73 fication....Pass
000030 77 6F 72 64 3A 20 FF FE 20 FF FD 21 FF FA 21 00 word: .. ..!..!.
000040 FF F0 FF FE 18 0D 0A 50 61 73 73 77 6F 72 64 3A .......Password:
000050 20
fromAttacker:
000000 FF FD 03 FF FB 20 FF FB 1F FF FB 21 FF FD 01 FF ..... .....!....
000010 FC 18 FF FA 1F 00 50 00 18 FF F0 FF FC 20 72 65 ......P...... re
000020 0D 0A 66 72 0D 0A 0D 0A 50 61 73 73 77 6F 72 ..fr....Passwor
riskRatingValue: attackRelevanceRating=relevant
targetValueRating=medium 85
threatRatingValue: 85
interface: ge0_0
protocol: tcp


Task 5.1 Solution


ASA1:
!
! Configure domain name and create a RSA key pair for SSH.
!
domain-name INE.com
crypto key generate rsa general-keys modulus 1024

!
! Configure the AAA server with RADIUS protocol; enable SSH
! authentication via AAA
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 10.0.0.100 CISCO
aaa authentication ssh console RADIUS

!
! Permit SSH connections from the AAA server only
!
ssh 10.0.0.100 255.255.255.255 outside

ACS:

Step 1:

Add the ASA as a RADIUS client to the ACS database using the authentication
key value of CISCO.
Step 2:

Create a new user in the ACS, named “SSHUSER” with the password of
“CISCO”.


Task 5.1 Verification

Note:

Verify that you can connect to the ASA using SSH protocol.

Rack4ASA1# test aaa authentication RADIUS username SSHUSER password CISCO
Server IP Address or name: 10.0.0.100
INFO: Attempting Authentication test to IP address <10.0.0.100> (timeout: 12 seconds)
INFO: Authentication Successful

Rack4ASA1# show ssh
Timeout: 5 minutes
Versions allowed: 1 and 2
10.0.0.100 255.255.255.255 outside

Task 5.2 Solution


R3:
!
! Enable AAA. Configure 3 authentication lists, one for proxy-auth, one
! for VTY and one for CONSOLE
!
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login VTY line
aaa authentication login CONSOLE none

!
! Enable the proxy-auth authorization using tacacs+
!
aaa authorization auth-proxy default group tacacs+

!
! Configure the connection with TACACS server; source traffic from
! Loopback0
!
ip tacacs source Loopback0
tacacs-server host 10.0.0.100 key CISCO

!
! Configure an access-list with deny any and apply it to the HTTP
! server; the HTTP server should be used only for proxy-auth and not for
! accessing the router
!
access-list 2 deny any
ip http server
ip http access-class 2
ip http authentication aaa


!
! Enable proxy-auth, specify an inactivity timeout of 20 minutes;
! configure the banner
!
ip auth-proxy name PROXY http auth-cache-time 20
ip auth-proxy auth-proxy-banner http # Authorized Users Only! #

!
! Configure access-list to deny ICMP traffic and permit the rest
!
ip access-list extended VLAN3_IN
deny icmp any any
permit ip any any
!
! Apply the access-list and the auth-proxy on FastEthernet0/0
!
interface FastEthernet 0/0
ip access-group VLAN3_IN in
ip auth-proxy PROXY

!
! Apply the login authentication lists on VTY lines and console
!
line vty 0 181
login authentication VTY
!
line console 0
login authentication CONSOLE

ASA1:
!
! Configure static on the ASA so that the AAA server sees R3 Loopback0
! as 10.0.0.3
!
static (inside,outside) 10.0.0.3 150.4.3.3


ACS:

Step 1:

Create a new client entry in the ACS for the NAT’d address of R3 Loopback0.
Use TACACS+ protocol and the key value of “CISCO”.
Step 2:

Create a new TACACS+ service entry named auth-proxy. Go to Interface
Configuration | TACACS+ (Cisco IOS) in the TACACS+ Interface
Configuration settings:


Step 3:

Create a new user in the ACS database named “VLAN3” with a password of
“CISCO”. Edit the auth-proxy settings for this user and associate an access-list
entry with it that permits ICMP traffic:


Task 5.2 Verification


SCRack4R3#test aaa group tacacs+ VLAN3 CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

SCRack4R3#show access-lists VLAN3_IN
Extended IP access list VLAN3_IN
10 deny icmp any any (12 matches)
20 permit ip any any


SCRack4R3#show access-lists VLAN3_IN
Extended IP access list VLAN3_IN
permit icmp host 10.3.3.100 any (12 matches)
10 deny icmp any any (12 matches)
20 permit ip any any

SCRack4R3#show ip auth-proxy cache
Authentication Proxy Cache
Client Name VLAN3, Client IP 10.3.3.100, Port 2223, timeout 20, Time
Remaining 20, state ESTAB

SCRack4R3#show ip auth-proxy configuration
Authentication Proxy Banner
HTTP Protocol Banner: Authorized Users Only!
Consent Banner is not configured
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Session ratelimit is 100
Authentication Proxy Watch-list is disabled
Authentication Proxy Max HTTP process is 7
Authentication Proxy Auditing is disabled
Max Login attempts per user is 30

Authentication Proxy Rule Configuration
Auth-proxy name PROXY
http list not specified inactivity-timer 20 minutes


Task 5.3 Solution


ASA1:
!
! Permit inbound telnet sessions in the outside ACL
!
access-list OUTSIDE_IN permit tcp any any eq 23

!
! Configure ACL to match on telnet traffic and configure RADIUS
! authentication for this ACL
!
access-list TELNET permit tcp any any eq 23
aaa authentication match TELNET outside RADIUS

!
! Identify traffic from host with MAC address 1234.4567.890a and exempt
! it from authentication
!
mac-list AAA_EXEMPT permit 1234.4567.890a ffff.ffff.ffff
aaa mac-exempt match AAA_EXEMPT

!
! Configure inactivity and absolute timeout for the sessions
!
timeout uauth 00:15:00 inactivity
timeout uauth 01:00:00 absolute


AAA Server:

ASA1 has been already added as a RADIUS client in the ACS, so we just need
to go ahead and add a user named “TELNET-USER” with the password
“CISCO”.


Task 5.3 Verification


Rack4ASA1# test aaa authentication RADIUS host 10.0.0.100 username
TELNET-USER password cisco
INFO: Attempting Authentication test to IP address <10.0.0.100>
(timeout: 12 seconds)
INFO: Authentication Successful

Test authentication by initiating a telnet session from the AAA server.

Rack4ASA1# show uauth
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'TELNET-USER' at 10.0.0.100, authenticated
absolute timeout: 1:00:00
inactivity timeout: 0:15:00

Task 5.4 Solution


ASA1:
!
! Configure the outside access-list such that it allows downloadable
! user access-list to override the ACL entries
!
access-group OUTSIDE_IN in interface outside per-user-override


ACS:

Step 1:

Create a new downloadable IP ACL in the ACS. Name the access-list ACLASA and
create the access-list entries shown in the screenshot. Since this is a per-user
access-list, it must permit both ICMP traffic and the telnet traffic from the
previous task. Accomplish this by going to Shared Profile Components |
Downloadable IP ACLs | Add:

Step 2:

Assign the previously created downloadable ACL to user TELNET-USER. Go to
User Setup | Find to locate and edit the “TELNET-USER” profile:

Task 5.4 Verification


Telnet from AAA server, authenticate and see if the per-user ACL is downloaded
from the AAA server:


Rack4ASA1# show uauth
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'TELNET-USER' at 10.0.0.100, authenticated
access-list #ACSACL#-IP-ACLASA-4abe41b0 (*)
absolute timeout: 1:00:00
inactivity timeout: 0:15:00

Rack4ASA1# show access-list #ACSACL#-IP-ACLASA-4abe41b0
access-list #ACSACL#-IP-ACLASA-4abe41b0; 2 elements (dynamic)
access-list #ACSACL#-IP-ACLASA-4abe41b0 line 1 extended permit icmp any
any (hitcnt=0) 0x1717dc18
access-list #ACSACL#-IP-ACLASA-4abe41b0 line 2 extended permit tcp any
any eq telnet (hitcnt=1) 0xacb20edc
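The per-user-override keyword from Task 5.4 changes how the downloaded ACL shown above combines with the interface ACL: with the keyword, the per-user ACL replaces OUTSIDE_IN for that user's traffic; without it, both ACLs are consulted and both must permit. The Python below is an added example for this page, not ASA code or code from the workbook authors; it models only the visible "permit tcp any any eq 23" entry of OUTSIDE_IN, reuses the downloaded ACL name from the show uauth output, and the inside host 148.1.127.7 (taken from the show arp output in Task 7.2) is an assumed destination.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp" or "icmp"
    src: str                  # "any" or a network such as 10.0.0.0/24
    dst: str
    dport: Optional[int] = None   # destination port, tcp/udp only


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)


def acl_permits(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


class CutThroughProxy:
    """Models the uauth table and how a downloaded per-user ACL combines with
    the interface ACL, with and without the per-user-override keyword."""

    def __init__(self, interface_acl, per_user_override):
        self.interface_acl = interface_acl
        self.per_user_override = per_user_override
        self.uauth = {}          # authenticated source IP -> (user, per-user ACL)

    def authenticate(self, ip, user, dacl):
        self.uauth[ip] = (user, dacl)

    def permits(self, pkt):
        entry = self.uauth.get(pkt.src)
        if entry is None:                       # unauthenticated host: interface ACL only
            return acl_permits(self.interface_acl, pkt)
        _, dacl = entry
        if self.per_user_override:              # downloaded ACL replaces the interface ACL
            return acl_permits(dacl, pkt)
        # Without the keyword both ACLs are consulted and both must permit.
        return acl_permits(self.interface_acl, pkt) and acl_permits(dacl, pkt)


# Interface ACL as on the page: only the telnet entry is visible in this task.
OUTSIDE_IN = [Ace("permit", "tcp", "any", "any", 23)]
# Per-user ACL downloaded from ACS, named as in the 'show uauth' output above.
DACL_NAME = "#ACSACL#-IP-ACLASA-4abe41b0"
DACL = [Ace("permit", "icmp", "any", "any"), Ace("permit", "tcp", "any", "any", 23)]


def evaluate(per_user_override):
    """Verdicts for telnet and ICMP from the authenticated AAA server and for
    ICMP from a host that never authenticated (constructed packets)."""
    asa = CutThroughProxy(OUTSIDE_IN, per_user_override)
    asa.authenticate("10.0.0.100", "TELNET-USER", DACL)
    return {
        "telnet_from_aaa": asa.permits(Packet("tcp", "10.0.0.100", "148.1.127.7", 23)),
        "icmp_from_aaa": asa.permits(Packet("icmp", "10.0.0.100", "148.1.127.7")),
        "icmp_unauthenticated": asa.permits(Packet("icmp", "10.0.0.200", "148.1.127.7")),
    }
```

Running evaluate(True) and evaluate(False) side by side shows the practical consequence: ICMP from the authenticated server passes only with per-user-override, because OUTSIDE_IN itself never permits it, while a host that has not authenticated is governed by the interface ACL in both modes.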

Task 6.1 Solution


SW1:
!
! Configure storm-control with rising threshold of 30% and falling
! threshold of 10%
!
interface FastEthernet 0/15
storm-control broadcast level 30 10

Task 6.1 Verification


SCRack4SW1#show storm-control fastEthernet 0/15 broadcast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/15 Forwarding 30.00% 10.00% 0.00%
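The rising and falling thresholds in Task 6.1 form a hysteresis loop: suppression starts when the broadcast level reaches 30% of the link and only ends once it drops below 10%, so a level that hovers at 20% keeps whatever state the port was already in. The following Python is an added example for this page, not switch code or workbook code; the 100 Mb/s link speed, one-second measurement interval and the byte counts fed in are constructed assumptions.

```python
class StormControl:
    """Broadcast storm control on one port with rising/falling thresholds in
    percent of link bandwidth, as set by 'storm-control broadcast level 30 10'."""

    def __init__(self, port, rising, falling, bandwidth_bps=100_000_000):
        self.port = port
        self.rising = rising
        self.falling = falling
        self.bandwidth_bps = bandwidth_bps
        self.filtering = False          # True while broadcast traffic is being dropped
        self.current = 0.0              # last measured broadcast level in percent

    def interval(self, broadcast_bytes, seconds=1.0):
        """Account for one measurement interval; returns 'Forwarding' or 'Blocking'."""
        self.current = 100.0 * broadcast_bytes * 8 / (self.bandwidth_bps * seconds)
        if not self.filtering and self.current >= self.rising:
            self.filtering = True        # storm detected: start suppressing broadcasts
        elif self.filtering and self.current < self.falling:
            self.filtering = False       # storm subsided below the falling threshold
        # Between the two thresholds the previous state is kept (hysteresis).
        return self.state()

    def state(self):
        return "Blocking" if self.filtering else "Forwarding"

    def show(self):
        """Mimics the column layout of 'show storm-control <port> broadcast'."""
        return (f"{self.port:<10}{self.state():<14}{self.rising:>6.2f}%"
                f"{self.falling:>11.2f}%{self.current:>10.2f}%")


def simulate(per_second_bytes, rising=30, falling=10):
    """Run a constructed sequence of per-second broadcast byte counts through
    the port and return the state after each interval."""
    port = StormControl("Fa0/15", rising, falling)
    return [port.interval(b) for b in per_second_bytes]


if __name__ == "__main__":
    # 5%, 35%, 20%, 8%, 20% of a 100 Mb/s link, one second each
    print(simulate([625_000, 4_375_000, 2_500_000, 1_000_000, 2_500_000]))
```

The two 20% intervals in the sample sequence give opposite results, Blocking the first time (the storm has not yet fallen below 10%) and Forwarding the second (30% was never reached again), which is exactly why the falling threshold should sit well below the rising one.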


Task 6.2 Solution


R4:
!
! Configure class-map type port-filter and match on telnet port
!
class-map type port-filter match-all cmap-cppr
match port tcp 23

!
! Configure policy-map to drop traffic identified by the class-map
!
policy-map type port-filter pmap-cppr
class cmap-cppr
drop

!
! Apply the policy-map on the host subinterface
!
control-plane host
service-policy type port-filter input pmap-cppr

Task 6.2 Verification


SCRack4R1#telnet 150.4.4.4
Trying 150.4.4.4 ...
% Connection timed out; remote host not responding

SCRack4R4#show policy-map type port-filter control-plane host input
Control Plane Host

Service-policy port-filter input: pmap-cppr

Class-map: cmap-cppr (match-all)
4 packets, 192 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: port tcp 23
drop

Class-map: class-default (match-any)
7 packets, 868 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any


Task 6.3 Solution


R2:
!
! Configure the router to generate keepalive packets on idle connections
! and remove them if orphaned or half-open
!
service tcp-keepalives-in
service tcp-keepalives-out

Task 6.4 Solution


Reserve a region of memory on the router so that when system resources are
overloaded, the router still has enough room in the memory for critical system
processes.

R2:
!
memory reserve critical 2000

Task 6.4 Verification


SCRack4R2#show memory summary
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 8369B0A0 74681476 23351948 51329528 46555792 44530664
I/O 7CA2C00 3527680 1908776 1618904 1618904 1618876
Critical 83FA8584 1955620 52 1955568 1955568 1955568
Critical 7E5E320 92396 52 92344 92344 92344


Task 6.5 Solution


R6:
!
! Configure a type logging class-map and match on dropped and permitted
! packets
!
class-map type logging match-any cmap-log
match packets dropped
match packets permitted

!
! Configure policy-map type logging and Rate-limit log messages to one
! every 30 seconds
!
policy-map type logging pmap-log
class cmap-log
log interval 30000

!
! Apply the logging policy to all sub-interfaces
!
control-plane host
service-policy type logging input pmap-log
!
control-plane transit
service-policy type logging input pmap-log
!
control-plane cef-exception
service-policy type logging input pmap-log


Task 6.5 Verification


SCRack4R6#show policy-map type logging control-plane host input

Control Plane Host

Service-policy logging input: pmap-log

Class-map: cmap-log (match-any)
152 packets, 14062 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: packets dropped
0 packets, 0 bytes
5 minute rate 0 bps
Match: packets permitted
0 packets, 0 bytes
5 minute rate 0 bps
log interval 30000

Class-map: class-default (match-any)
149 packets, 13350 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

SCRack4R6#show policy-map type logging control-plane transit input

Control Plane Transit

Service-policy logging input: pmap-log

Class-map: cmap-log (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: packets dropped
0 packets, 0 bytes
5 minute rate 0 bps
Match: packets permitted
0 packets, 0 bytes
5 minute rate 0 bps
log interval 30000

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any


SCRack4R6#show policy-map type logging control-plane cef-exception input

Control Plane Cef-exception

Service-policy logging input: pmap-log

Class-map: cmap-log (match-any)
93 packets, 7442 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: packets dropped
0 packets, 0 bytes
5 minute rate 0 bps
Match: packets permitted
0 packets, 0 bytes
5 minute rate 0 bps
log interval 30000

Class-map: class-default (match-any)
265 packets, 25700 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

%CP-6-ARP: PERMIT 54.9.10.254 -> 54.9.10.6
%CP-6-UDP: PERMIT 54.4.3.254(520) -> 224.0.0.9(520)
%CP-6-IP: PERMIT 54.9.10.254 -> 224.0.0.10 eigrp


Task 7.1 Solution


R3:
!
! Specify the TFTP source-interface
!
ip tftp source-interface FastEthernet 0/1

!
! Configure ACL to permit R2 Ethernet interface only
!
access-list 1 permit 192.10.4.2

!
! Configure TFTP server and apply the access-list
!
tftp-server flash:c2600-advsecurityk9-mz.124-15.T8.bin 1

Task 7.1 Verification


Confirm that R2 is allowed to download the IOS image via TFTP and that other
routers are denied.

SCRack4R2#copy tftp null:
Address or name of remote host [192.10.4.3]?
Source filename [c2600-advsecurityk9-mz.124-15.T8.bin]?
Accessing tftp://192.10.4.3/c2600-advsecurityk9-mz.124-15.T8.bin...
Loading c2600-advsecurityk9-mz.124-15.T8.bin from 192.10.4.3 (via
FastEthernet0/0): !!!!!

SCRack4R1#copy tftp null:
Address or name of remote host [192.10.4.3]?
Source filename [c2600-advsecurityk9-mz.124-15.T8.bin]?
Accessing tftp://192.10.4.3/c2600-advsecurityk9-mz.124-15.T8.bin...
%Error opening tftp://192.10.4.3/c2600-advsecurityk9-mz.124-15.T8.bin
(No such file or directory)


Task 7.2 Solution


!
! Find out the MAC address of the AAA server
!
Rack4ASA1# show arp
outside 10.0.0.100 000c.2983.284c 1563
inside 148.1.127.7 0012.0183.5900 8530
inside 224.0.0.9 0100.5e00.0009 12050

SW1:
!
! Activate IP source guard with IP-MAC filtering and port-security
!
interface FastEthernet 0/20
ip verify source port-security
switchport port-security

!
! Enable DHCP snooping on VLAN 12 to activate IP Source Guard
!
ip dhcp snooping
ip dhcp snooping vlan 12

!
! Configure the switch to insert Option 82 and configure the manual
! binding for Source Guard
!
ip dhcp snooping information option
ip source binding 000c.2983.284c vlan 12 10.0.0.100 interface Fa0/20


Task 7.2 Verification


Verify that configuration is correct and that AAA server is still reachable:

SCRack4SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/20     ip-mac       active       10.0.0.100       00:0C:29:83:28:4C  12

SCRack4SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
Fa0/20              1             1               0            Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 5120

SCRack4R3#test aaa group tacacs+ VLAN3 CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
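Task 7.2 combines two checks on Fa0/20: IP Source Guard in ip-mac mode only forwards frames whose source IP, source MAC, VLAN and port all appear in the binding table, and port-security (maximum one secure MAC, default shutdown violation mode) err-disables the port if a second MAC shows up. The Python below is an added example for this page, not Catalyst or workbook code; the binding is the one configured above, and the spoofed frames are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    interface: str


@dataclass(frozen=True)
class Frame:
    interface: str   # ingress port
    vlan: int
    src_mac: str
    src_ip: str


class AccessSwitch:
    """Access port with 'ip verify source port-security' and 'switchport port-security'
    (maximum 1 secure MAC, violation mode shutdown), fed from the source binding table."""

    def __init__(self, bindings, max_secure=1):
        self.bindings = set(bindings)
        self.max_secure = max_secure
        self.secure_macs = {}       # interface -> set of learned secure MACs
        self.err_disabled = set()   # ports shut down by a port-security violation
        self.counters = {"forwarded": 0, "ipsg_drop": 0, "violation": 0}

    def ingress(self, frame):
        """Return 'forward', 'drop' or 'violation' for one frame."""
        if frame.interface in self.err_disabled:
            self.counters["ipsg_drop"] += 1   # port is down; counted here as a drop
            return "drop"
        # Port-security: learn the source MAC, shut the port once the maximum is exceeded.
        macs = self.secure_macs.setdefault(frame.interface, set())
        if frame.src_mac not in macs:
            if len(macs) >= self.max_secure:
                self.err_disabled.add(frame.interface)
                self.counters["violation"] += 1
                return "violation"
            macs.add(frame.src_mac)
        # IP Source Guard in ip-mac mode: the (MAC, VLAN, IP, port) tuple must be bound.
        candidate = Binding(frame.src_mac, frame.vlan, frame.src_ip, frame.interface)
        if candidate not in self.bindings:
            self.counters["ipsg_drop"] += 1
            return "drop"
        self.counters["forwarded"] += 1
        return "forward"


def demo():
    """Constructed traffic on Fa0/20: the genuine AAA server, a host reusing the
    server's MAC with a spoofed IP, and a host with a different MAC entirely."""
    sw = AccessSwitch([Binding("000c.2983.284c", 12, "10.0.0.100", "Fa0/20")])
    frames = [
        Frame("Fa0/20", 12, "000c.2983.284c", "10.0.0.100"),   # legitimate server
        Frame("Fa0/20", 12, "000c.2983.284c", "10.0.0.99"),    # IP spoofed, MAC genuine
        Frame("Fa0/20", 12, "000c.2983.284c", "10.0.0.100"),   # server again, still fine
        Frame("Fa0/20", 12, "0012.0183.5900", "10.0.0.100"),   # second MAC: port-security
        Frame("Fa0/20", 12, "000c.2983.284c", "10.0.0.100"),   # port is now err-disabled
    ]
    return [sw.ingress(f) for f in frames], sw.counters
```

The second frame shows why the ip-mac filter mode was chosen over ip-only filtering: a host that borrows the server's MAC but not its address is still dropped, and the fourth frame shows that port-security, not IPSG, is what takes the port down when a second station appears.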

Task 7.3 Solution

Note:

When changes are made to the security ACLs, the switch completely blocks
traffic on the affected ports while it updates the TCAM; this ensures that the
updated access-lists do not pass any frames by mistake. Here we disable that
behaviour and configure the switch to keep forwarding frames while the TCAM is
updated with the new configuration.

SW1:
!
access-list hardware program nonblocking


Task 7.4 Solution


R1:
!
! Configure the authentication string on each interface
!
interface FastEthernet 0/0
ip ospf authentication-key CISCO
!
interface Serial 0/0.124
ip ospf authentication-key CISCO

!
! Globally enable clear-text authentication
!
router ospf 1
area 0 authentication

R2:
!
! Configure the authentication string on the interface to R1
!
interface Serial 0/0.124
ip ospf authentication-key CISCO

!
! Globally enable clear-text authentication
!
router ospf 1
area 0 authentication

R4:
!
! Configure the authentication string on the interface to R1; disable
! authentication on the link to R5
!
interface Serial 0/0.124
ip ospf authentication-key CISCO
!
interface Serial 0/1
ip ospf authentication null

!
! Globally enable clear-text authentication
!
router ospf 1
area 0 authentication


R6:
!
! Configure the authentication string on the interface in Vlan255
!
interface FastEthernet 0/1
ip ospf authentication-key CISCO

!
! Globally enable clear-text authentication
!
router ospf 1
area 0 authentication

SW2:
!
! Configure the authentication string on the SVI 255
!
interface Vlan 255
ip ospf authentication-key CISCO

!
! Globally enable clear-text authentication
!
router ospf 1
area 0 authentication


Task 7.4 Verification


SCRack4R2#show ip ospf interface serial 0/0.124
Serial0/0.124 is up, line protocol is up
Internet Address 148.1.0.2/24, Area 0
Process ID 1, Router ID 150.4.2.2, Network Type POINT_TO_MULTIPOINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:21
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.1.1
Suppress hello for 0 neighbor(s)
Simple password authentication enabled


SCRack4R1#show ip ospf interface serial 0/0.124
Serial0/0.124 is up, line protocol is up
Internet Address 148.1.0.1/24, Area 0
Process ID 1, Router ID 150.4.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:23
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 12
Last flood scan time is 0 msec, maximum is 5 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 150.4.4.4
Adjacent with neighbor 150.4.2.2
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

SCRack4R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 148.1.255.1/24, Area 0
Process ID 1, Router ID 150.4.1.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.4.8.8, Interface address 148.1.255.8
Backup Designated router (ID) 150.4.1.1, Interface address 148.1.255.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 12
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 150.4.6.6
Adjacent with neighbor 150.4.8.8 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled


SCRack4SW2#show ip ospf interface vlan 255
Vlan255 is up, line protocol is up
Internet Address 148.1.255.8/24, Area 0
Process ID 1, Router ID 150.4.8.8, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.4.8.8, Interface address 148.1.255.8
Backup Designated router (ID) 150.4.1.1, Interface address 148.1.255.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 3
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 150.4.1.1 (Backup Designated Router)
Adjacent with neighbor 150.4.6.6
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

SCRack4R6#show ip ospf interface fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 148.1.255.6/24, Area 0
Process ID 1, Router ID 150.4.6.6, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 150.4.8.8, Interface address 148.1.255.8
Backup Designated router (ID) 150.4.1.1, Interface address 148.1.255.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 12
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 150.4.1.1 (Backup Designated Router)
Adjacent with neighbor 150.4.8.8 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled


SCRack4R4#show ip ospf interface serial 0/0.124
Serial0/0.124 is up, line protocol is up
Internet Address 148.1.0.4/24, Area 0
Process ID 1, Router ID 150.4.4.4, Network Type POINT_TO_MULTIPOINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:19
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 9, maximum is 9
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.1.1
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

SCRack4R4#show ip ospf interface serial 0/1
Serial0/1 is up, line protocol is up
Internet Address 148.1.45.4/27, Area 0
Process ID 1, Router ID 150.4.4.4, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 4/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 3
Last flood scan time is 0 msec, maximum is 5 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.4.5.5
Suppress hello for 0 neighbor(s)


Task 8.1 Solution


ASA2:
!
! Configure ACL and match TCP traffic to the server
!
access-list TO_SERVER extended permit tcp any host 192.10.4.100

!
! Configure a TCP-map to normalize TCP connections
!
tcp-map NORMALIZE
check-retransmission
checksum-verification
reserved-bits clear
exceed-mss drop

!
! Drop any fragments on both interfaces
!
fragment chain 1 outside
fragment chain 1 inside

!
! Create class-map and match on previously configured ACL
!
class-map TO_SERVER
match access-list TO_SERVER

!
! Apply the policy globally
!
policy-map global_policy
class TO_SERVER
set connection conn-max 5000 embryonic-conn-max 2000
set connection timeout dcd 0:0:5 3 tcp 0:5:0 reset
set connection advanced-options NORMALIZE
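Three of the tcp-map actions above (checksum-verification, exceed-mss drop, reserved-bits clear) can be demonstrated on raw segments, which makes it clear what a normalizer actually rewrites versus what it discards. The Python below is an added example written for this page, not ASA code or workbook code; check-retransmission is not modelled because it needs per-connection state, the addresses 192.10.4.2 and 192.10.4.100 are taken from the task, and the MSS value passed in is an assumption standing in for the MSS the peer advertised in its SYN.

```python
import socket
import struct


def checksum(data):
    """RFC 1071 one's-complement checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src, dst, tcp_len):
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src, dst, sport, dport, payload, reserved=0, seq=1, ack=1):
    """Construct a PSH/ACK TCP segment with a correct checksum; 'reserved' sets the
    three reserved bits between the data offset and the flags."""
    offset_flags = (5 << 12) | ((reserved & 0x7) << 9) | 0x18
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 8192, 0, 0)
    csum = checksum(_pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def reserved_bits(segment):
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    return (offset_flags >> 9) & 0x7


def normalize(src, dst, segment, mss):
    """Apply the tcp-map actions from the page to one segment:
    checksum-verification, exceed-mss drop and reserved-bits clear.
    Returns (verdict, segment) where verdict is 'pass' or 'drop: <reason>'."""
    # checksum-verification: a valid segment sums to zero together with its pseudo header.
    if checksum(_pseudo_header(src, dst, len(segment)) + segment) != 0:
        return "drop: checksum", segment
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    data_offset = (offset_flags >> 12) * 4
    # exceed-mss drop: more payload than the peer said it can accept.
    if len(segment) - data_offset > mss:
        return "drop: exceed-mss", segment
    # reserved-bits clear: zero the bits and recompute the checksum so the
    # rewritten segment is still valid for the receiver.
    if (offset_flags >> 9) & 0x7:
        cleared = struct.pack("!H", offset_flags & ~0x0E00)
        body = segment[:12] + cleared + segment[14:16] + b"\x00\x00" + segment[18:]
        csum = checksum(_pseudo_header(src, dst, len(body)) + body)
        segment = body[:16] + struct.pack("!H", csum) + body[18:]
    return "pass", segment


if __name__ == "__main__":
    src, dst = "192.10.4.2", "192.10.4.100"
    seg = build_segment(src, dst, 40000, 23, b"hello", reserved=0b101)
    print(reserved_bits(seg), normalize(src, dst, seg, 1460)[0])
```

The order of the checks matters in practice: the checksum is verified before anything is rewritten, so a corrupted segment is dropped rather than "repaired", and the reserved bits are cleared with a fresh checksum because a receiver that validates checksums would otherwise discard the normalized segment.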


Task 8.1 Verification


Verify that fragments are dropped by the ASA and check TCP normalization
configuration.

SCRack4R2#ping 192.10.4.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

SCRack4R2#ping 192.10.4.254 size 2000 repeat 2
Type escape sequence to abort.
Sending 2, 2000-byte ICMP Echos to 192.10.4.254, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)

Rack4ASA2# show fragment outside
Interface: outside
Size: 200, Chain: 1, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 0, Fail: 2, Overflow: 0


Rack4ASA2# show service-policy global

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 1, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Class-map: BGP
Set connection policy: random-sequence-number disable
drop 0
Set connection advanced-options: OPTION19
Retransmission drops: 0              TCP checksum drops : 0
Exceeded MSS drops  : 0              SYN with data drops: 0
Invalid ACK drops   : 0              SYN-ACK with data drops: 0
Out-of-order (OoO) packets : 0       OoO no buffer drops: 0
OoO buffer timeout drops   : 0       SEQ past window drops: 0
Reserved bit cleared: 0              Reserved bit drops : 0
IP TTL modified     : 0              Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0             Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0
Class-map: TO_SERVER
Set connection policy: conn-max 5000 embryonic-conn-max 2000
current embryonic conns 0, current conns 0, drop 0
Set connection timeout policy:
tcp 0:05:00 reset
DCD: enabled, retry-interval 0:00:05, max-retries 3
DCD: client-probe 0, server-probe 0, conn-expiration 0
Set connection advanced-options: NORMALIZE
Retransmission drops: 0              TCP checksum drops : 0
Exceeded MSS drops  : 0              SYN with data drops: 0
Invalid ACK drops   : 0              SYN-ACK with data drops: 0
Out-of-order (OoO) packets : 0       OoO no buffer drops: 0
OoO buffer timeout drops   : 0       SEQ past window drops: 0
Reserved bit cleared: 0              Reserved bit drops : 0
IP TTL modified     : 0              Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0             Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0


Task 8.2 Solution


IDM:

Step 1:

Locate the “Unknown IP protocol signature” in the signature definition set for
VS1. Go to Configuration | Policies | Signature Definitions |
sig1 and search for the signature with “Unknown IP”:


Step 2:

Modify the summarization mode for this signature and change the threshold
settings:


Task 8.3 Solution


SW1:
!
! Configure access-list to deny packets with IP options and allow the
! rest
!
ip access-list extended ACL-TRANSIT-IN
deny ip any any option any-options
permit ip any any
!
! Apply the ACL inbound on VLAN73
!
interface Vlan 73
ip access-group ACL-TRANSIT-IN in

Task 8.4 Solution


R6:
!
! Enable Unicast RPF in strict mode on the Serial0/0/0 interface. Strict
! mode (reachable-via rx) drops a packet unless the best route back to its
! source points out the interface it arrived on, so it requires symmetric
! routing; where return paths are asymmetric use loose mode
! (reachable-via any) instead.
!
interface Serial 0/0/0
ip verify unicast source reachable-via rx

Task 8.4 Verification


SCRack4R6#show ip interface serial 0/0/0
Serial0/0/0 is up, line protocol is up
Internet address is 54.4.3.6/24
<snip>
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
IP verify source reachable-via RX
0 verification drops
0 suppressed verification drops
0 verification drop-rate
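The strict and loose checks that `ip verify unicast source reachable-via` performs, modelled in Python as an added example (not code from the workbook or from IOS). The FIB entries and packets are constructed: the 54.4.3.0/24 entry reuses the Serial0/0/0 subnet shown in the verification above, while the other prefixes and interface names are assumptions. The model also covers the `allow-default` keyword, which this task does not use, to show why a source covered only by a default route is dropped.

```python
"""Model of IOS Unicast RPF: `reachable-via rx` (strict) and
`reachable-via any` (loose), with and without `allow-default`.
Added illustration, not code from the INE workbook or from IOS."""
import ipaddress

# Constructed FIB: (prefix, outgoing interface).  54.4.3.0/24 is R6's
# Serial0/0/0 subnet from the verification; the rest are assumptions.
FIB = [
    ("54.4.3.0/24", "Serial0/0/0"),
    ("150.4.0.0/16", "FastEthernet0/0"),   # assumed internal loopbacks
    ("164.1.26.0/24", "FastEthernet0/1"),  # assumed internal LAN
    ("0.0.0.0/0", "Serial0/0/0"),          # assumed default route
]


def best_route(src, fib=FIB, allow_default=False):
    """Longest-prefix match on the SOURCE address.

    The default route only counts when allow_default is True, mirroring
    the allow-default keyword: without it IOS ignores 0.0.0.0/0 for uRPF.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen == 0 and not allow_default:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ifname)
    return best


def urpf_check(src, ingress, mode="strict", fib=FIB, allow_default=False):
    """True if the packet passes uRPF, False if it must be dropped.

    strict: the best route back to the source must leave via the
            interface the packet arrived on (symmetric routing needed).
    loose:  any route to the source is enough; this stops bogon sources
            but not spoofing of addresses that are routable elsewhere.
    """
    route = best_route(src, fib, allow_default)
    if route is None:
        return False            # unroutable source: dropped in both modes
    if mode == "loose":
        return True
    return route[1] == ingress


def filter_packets(packets, mode="strict", allow_default=False):
    """Apply the check to (src, ingress) pairs; return the dropped sources."""
    return [src for src, ingress in packets
            if not urpf_check(src, ingress, mode, allow_default=allow_default)]


# Constructed packets arriving on Serial0/0/0: one legitimate, one with a
# spoofed internal source, one from a prefix covered only by the default.
PACKETS = [
    ("54.4.3.1", "Serial0/0/0"),
    ("150.4.7.7", "Serial0/0/0"),
    ("198.51.100.9", "Serial0/0/0"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, "drops:", filter_packets(PACKETS, mode))
    print("strict + allow-default drops:",
          filter_packets(PACKETS, "strict", allow_default=True))
```

Strict mode drops the spoofed 150.4.7.7 packet because its return route points at FastEthernet0/0; loose mode lets it through, which is the trade-off to keep in mind when the task asks for strict mode specifically. Real IOS also accepts a packet in strict mode when the ingress interface is one of several equal-cost next hops; this model keeps one interface per prefix.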

CCIE Security Lab Workbook Vol II Solutions Guide for CCIEv3.0 Lab 9

IEWB-SC-VOL2 Lab 9 Solutions


Task 1.1 Solution
ASA1:
!
! Configure hostname
!
hostname Rack4ASA1

!
! Configure interface nameifs and IP addresses as in the diagram
!
interface Ethernet 0/1
no shutdown
nameif inside
ip address 192.10.9.12 255.255.255.0
!
interface Ethernet 0/0
no shutdown
nameif outside
ip address 164.1.126.12 255.255.255.0

Task 1.1 Verification


Rack4ASA1# ping 192.10.9.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.9.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

Rack4ASA1# ping 164.1.126.6


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 164.1.126.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Rack4ASA1# show interface ip brief | e unas


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 164.1.126.12 YES manual up up
Ethernet0/1 192.10.9.12 YES manual up up

Rack4ASA1# show nameif


Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 inside 100


Task 1.2 Solution


ASA2:
!
! Configure hostname
!
hostname Rack4ASA2

!
! Configure interface nameifs and IP addresses as in the diagram
!
interface Ethernet 0/1
no shut
nameif inside
ip address 164.1.131.13 255.255.255.0
!
interface Ethernet 0/0
no shut
nameif outside
ip address 164.1.128.13 255.255.255.0

Task 1.2 Verification


Rack4ASA2(config)# ping 164.1.128.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 164.1.128.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Rack4ASA2(config)# ping 164.1.131.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 164.1.131.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

Rack4ASA2# show interface ip brief | e unas


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 164.1.128.13 YES manual up up
Ethernet0/1 164.1.131.13 YES manual up up

Rack4ASA2# show nameif


Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 inside 100


Task 1.3 Solution


Per RFC 1035, a DNS message carried over UDP is limited to 512 bytes of
payload; this is why, by default, ASA DNS inspection allows a DNS message of
at most 512 bytes. The limit also reduces the chance of DNS responses being
fragmented. Responses legitimately larger than 512 bytes appear when the
client advertises a bigger UDP payload size through EDNS0 (RFC 6891), for
example with DNSSEC, which is why the maximum sometimes has to be raised as
this task requires.

ASA1:
!
! Modify the DNS response maximum-size to 1024
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024

Task 1.3 Verification


Rack4ASA1# show service-policy global inspect dns

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
message-length maximum 1024, drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0
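To make the 512-byte limit concrete, the following added example (not code from the workbook or from the ASA) builds a DNS response on the wire and applies the same length policy the `message-length maximum` parameter enforces, first at the 512-byte default and then at the 1024 bytes configured above. The query name and the 192.0.2.x addresses are constructed for the example.

```python
"""Build a DNS A response and apply a maximum-message-length policy,
modelling the `message-length maximum` check of ASA DNS inspection.
Added illustration, not code from the workbook or from the ASA."""
import struct


def _encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, addrs, txid=0x1234, ttl=300):
    """Minimal NOERROR response: one A question, one A answer per address.

    Each answer names its owner with a compression pointer to offset 12
    (0xC00C), as a real resolver would, so every answer costs 16 bytes.
    """
    flags = 0x8180                                   # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(octet) for octet in a.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def answer_count(msg):
    """ANCOUNT from the fixed 12-byte header (bytes 6-7)."""
    return struct.unpack("!H", msg[6:8])[0]


def check_message_length(msg, maximum=512):
    """Inspection verdict for one UDP DNS message: (allowed, length)."""
    return len(msg) <= maximum, len(msg)


def max_answers(qname, maximum=512):
    """How many A records fit under the limit for this question name."""
    base = len(build_a_response(qname, []))
    return (maximum - base) // 16


if __name__ == "__main__":
    q = "www.example.com"
    big = build_a_response(q, ["192.0.2.%d" % i for i in range(1, 31)])
    print(len(big), "bytes,", answer_count(big), "answers")
    print("default 512:", check_message_length(big))
    print("after task 1.3:", check_message_length(big, 1024))
    print("max A records at 512:", max_answers(q),
          "at 1024:", max_answers(q, 1024))
```

With this question name, 29 A records fit under 512 bytes and a 30-record response (513 bytes) is dropped at the default but passes at 1024. Raising the limit is a policy decision: it admits the larger EDNS0 responses a resolver may need, and also admits larger payloads for anything else that tunnels through DNS, so it should be raised only to what the resolvers behind the firewall actually require.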

Task 1.4 Solution


ASA2:
!
router rip
version 2
no auto-summary
network 164.1.0.0
passive-interface default
no passive-interface outside
redistribute ospf 1 metric 1
!
router ospf 1
!
network 164.1.131.13 255.255.255.255 area 51
redistribute rip subnets


Task 1.4 Verification


Rack4ASA2# show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.4.1.1         1   FULL/DR         0:00:32     164.1.131.1     inside

Rack4ASA2# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    164.1.128.0 255.255.255.0 is directly connected, outside
R    150.4.8.0 255.255.255.0 [120/1] via 164.1.128.8, 0:00:23, outside

Rack4ASA2# show route inside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O IA 204.12.4.0 255.255.255.0 [110/920] via 164.1.131.1, 0:02:05, inside
O    54.4.2.0 255.255.255.0 [110/139] via 164.1.131.1, 0:02:05, inside
O E2 10.3.3.0 255.255.255.0 [110/20] via 164.1.131.1, 0:02:05, inside
O E2 10.0.0.0 255.255.255.0 [110/20] via 164.1.131.1, 0:02:05, inside
O IA 10.7.7.0 255.255.255.0 [110/921] via 164.1.131.1, 0:02:05, inside
C    164.1.131.0 255.255.255.0 is directly connected, inside
O IA 164.1.45.0 255.255.255.248 [110/10918] via 164.1.131.1, 0:02:05, inside
O IA 164.1.47.0 255.255.255.0 [110/920] via 164.1.131.1, 0:02:05, inside
O IA 164.1.55.0 255.255.255.0 [110/920] via 164.1.131.1, 0:02:05, inside
O IA 164.1.0.5 255.255.255.255 [110/919] via 164.1.131.1, 0:02:05, inside
O IA 164.1.0.4 255.255.255.255 [110/919] via 164.1.131.1, 0:02:05, inside
O IA 164.1.0.3 255.255.255.255 [110/138] via 164.1.131.1, 0:02:05, inside
O    164.1.12.0 255.255.255.0 [110/74] via 164.1.131.1, 0:02:05, inside
O    164.1.23.0 255.255.255.0 [110/138] via 164.1.131.1, 0:02:05, inside
O    164.1.26.0 255.255.255.0 [110/75] via 164.1.131.1, 0:02:08, inside
O E2 164.1.126.0 255.255.255.0 [110/20] via 164.1.131.1, 0:02:08, inside
O IA 150.4.7.7 255.255.255.255 [110/921] via 164.1.131.1, 0:02:08, inside
O IA 150.4.5.5 255.255.255.255 [110/920] via 164.1.131.1, 0:02:08, inside
O IA 150.4.4.4 255.255.255.255 [110/920] via 164.1.131.1, 0:02:08, inside
O IA 150.4.3.3 255.255.255.255 [110/139] via 164.1.131.1, 0:02:08, inside
O    150.4.6.6 255.255.255.255 [110/76] via 164.1.131.1, 0:02:08, inside
O    150.4.2.2 255.255.255.255 [110/75] via 164.1.131.1, 0:02:08, inside
O    150.4.1.1 255.255.255.255 [110/11] via 164.1.131.1, 0:02:08, inside

SCRack4SW2#show ip route rip


R 204.12.4.0/24 [120/1] via 164.1.128.13, 00:00:05, Vlan128
54.0.0.0/24 is subnetted, 1 subnets
R 54.4.2.0 [120/1] via 164.1.128.13, 00:00:05, Vlan128
10.0.0.0/24 is subnetted, 3 subnets
R 10.7.7.0 [120/1] via 164.1.128.13, 00:00:05, Vlan128
R 10.3.3.0 [120/1] via 164.1.128.13, 00:00:05, Vlan128
R 10.0.0.0 [120/1] via 164.1.128.13, 00:00:05, Vlan128
164.1.0.0/16 is variably subnetted, 12 subnets, 3 masks
R 164.1.131.0/24 [120/1] via 164.1.128.13, 00:00:05, Vlan128
R 164.1.45.0/29 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 164.1.47.0/24 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 164.1.55.0/24 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 164.1.0.5/32 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 164.1.0.4/32 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 164.1.0.3/32 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 164.1.12.0/24 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 164.1.23.0/24 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 164.1.26.0/24 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 164.1.126.0/24 [120/1] via 164.1.128.13, 00:00:06, Vlan128
150.4.0.0/16 is variably subnetted, 8 subnets, 2 masks
R 150.4.7.7/32 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 150.4.6.6/32 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 150.4.5.5/32 [120/1] via 164.1.128.13, 00:00:06, Vlan128
R 150.4.4.4/32 [120/1] via 164.1.128.13, 00:00:08, Vlan128
R 150.4.3.3/32 [120/1] via 164.1.128.13, 00:00:08, Vlan128
R 150.4.2.2/32 [120/1] via 164.1.128.13, 00:00:08, Vlan128
R 150.4.1.1/32 [120/1] via 164.1.128.13, 00:00:08, Vlan128


SCRack4R1#show ip route 164.1.128.0

Routing entry for 164.1.128.0/24
Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 1
Last update from 164.1.131.13 on FastEthernet0/0, 00:37:11 ago
Routing Descriptor Blocks:
* 164.1.131.13, from 164.1.131.13, 00:37:11 ago, via FastEthernet0/0
Route metric is 20, traffic share count is 1

Task 1.5 Solution


ASA1:
!
router rip
version 2
no auto-summary
network 164.1.0.0
redistribute ospf 1 metric 1
!
router ospf 1
network 192.10.9.12 255.255.255.255 area 51
redistribute rip subnets

Task 1.5 Verification


Rack4ASA1# show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.10.9.254      1   FULL/DR         0:00:34     192.10.9.254    inside

Rack4ASA1# show route inside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O E2 51.51.51.51 255.255.255.255 [110/20] via 192.10.9.254, 0:08:38, inside
C    192.10.9.0 255.255.255.0 is directly connected, inside


Rack4ASA1# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

R    204.12.4.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    54.4.2.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    10.7.7.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    10.3.3.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    10.0.0.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.128.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.131.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.45.0 255.255.255.248 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.47.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.55.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.0.5 255.255.255.255 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.0.4 255.255.255.255 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.0.3 255.255.255.255 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.12.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:23, outside
R    164.1.23.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:26, outside
R    164.1.26.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:26, outside
C    164.1.126.0 255.255.255.0 is directly connected, outside
R    150.4.6.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:26, outside
R    150.4.7.7 255.255.255.255 [120/1] via 164.1.126.6, 0:00:26, outside
R    150.4.5.5 255.255.255.255 [120/1] via 164.1.126.6, 0:00:26, outside
R    150.4.4.4 255.255.255.255 [120/1] via 164.1.126.6, 0:00:26, outside
R    150.4.3.3 255.255.255.255 [120/1] via 164.1.126.6, 0:00:26, outside
R    150.4.2.2 255.255.255.255 [120/1] via 164.1.126.6, 0:00:26, outside
R    150.4.1.1 255.255.255.255 [120/1] via 164.1.126.6, 0:00:26, outside
R    150.4.8.0 255.255.255.0 [120/1] via 164.1.126.6, 0:00:26, outside


SCRack4R6#show ip route 51.51.51.51


Routing entry for 51.51.51.51/32
Known via "rip", distance 120, metric 1
Redistributing via ospf 1, rip
Advertised by ospf 1 subnets
Last update from 164.1.126.12 on FastEthernet0/0, 00:00:07 ago
Routing Descriptor Blocks:
* 164.1.126.12, from 164.1.126.12, 00:00:07 ago, via FastEthernet0/0
Route metric is 1, traffic share count is 1

Task 1.6 Solution


ASA1:
!
! Configure an IM inspect class-map and match on IM and the 2 services
!
class-map type inspect im match-all CMAP_INS_IM_MSN_GAMES_WEBCAM
match protocol msn-im
match service games webcam

!
! Configure an IM inspect policy-map to drop these connections
!
policy-map type inspect im PMAP_INS_IM_MSN_GAMES_WEBCAM
parameters
class CMAP_INS_IM_MSN_GAMES_WEBCAM
drop-connection
!
! Apply the inspection globally
!
policy-map global_policy
class inspection_default
inspect im PMAP_INS_IM_MSN_GAMES_WEBCAM

Task 1.6 Verification


Rack4ASA1# show service-policy global inspect im

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: im PMAP_INS_IM_MSN_GAMES_WEBCAM, packet 0, drop 0, reset-drop 0
class CMAP_INS_IM_MSN_GAMES_WEBCAM
drop-connection, packet 0


Task 1.7 Solution


ASA2:
!
! Configure the DHCP pool and enable service for the outside interface
!
dhcpd address 164.1.128.170-164.1.128.200 outside
dhcpd enable outside

!
! Configure the domain, lease time and DNS servers only for clients on the
! outside interface
!
dhcpd dns 164.1.128.99 164.1.128.100 interface outside
dhcpd lease 7200 interface outside
dhcpd domain internetworkexpert.com interface outside

Task 1.7 Verification


Rack4ASA2# show dhcpd state
Context Configured as DHCP Server
Interface inside, Not Configured for DHCP
Interface outside, Configured for DHCP SERVER

SCRack4SW2(config)#interface vlan 128
SCRack4SW2(config-if)#ip address dhcp

%DHCP-6-ADDRESS_ASSIGN: Interface Vlan128 assigned DHCP address 164.1.128.171

Rack4ASA2(config)# show dhcpd binding

IP address       Hardware address                                                        Lease expiration   Type
164.1.128.171    0063.6973.636f.2d30.3030.612e.3861.3365.2e37.3538.302d.566c.3132.38    7188 seconds       Automatic

The "hardware address" in the binding is not a raw MAC: it is the DHCP
client identifier an IOS device sends by default, the ASCII string
cisco-<mac>-Vl128, shown here in hex.

SCRack4SW2(config)#interface vlan 128
SCRack4SW2(config-if)# ip address 164.1.128.8 255.255.255.0


Task 2.1 Solution


R4:
!
! Allow inbound TCP port 80 to the published HTTP server and allow the
! eBGP session with BB3 (204.12.9.254) to establish; additionally, permit
! the ICMP types (time-exceeded, port-unreachable) that traceroute relies
! on. The inbound ACL is evaluated before the static NAT below translates
! the destination, so the server address matched here must be the global
! (translated) address, not the inside address.
!
ip access-list extended FROM_BB3
permit tcp any host 204.12.4.100 eq 80
permit tcp host 204.12.9.254 host 204.12.9.4 eq bgp
permit tcp host 204.12.9.254 eq bgp host 204.12.9.4
permit icmp any any time-exceeded
permit icmp any any port-unreachable

!
! Configure an access-list matching the 164.1.47.0/24 subnet and map the
! HTTP application inspection to TCP port 8080 for the hosts in that list
!
access-list 47 permit 164.1.47.0 0.0.0.255
ip port-map http port 8080 list 47

!
! Configure inspection for TCP, UDP, HTTP and ICMP traffic and set the
! TCP idle timeout to 216000 seconds
!
ip inspect name INSPECT tcp
ip inspect name INSPECT udp
ip inspect name INSPECT http
ip inspect name INSPECT icmp
ip inspect tcp idle-time 216000
!
! Configure access-list to be used in NAT overload
!
ip access-list standard NET_150
permit 150.4.0.0 0.0.255.255
!
ip access-list standard NET_10
permit 10.0.0.0 0.255.255.255
!
! Configure the 2 NAT pools
!
ip nat pool POOL1 204.12.9.150 204.12.9.151 prefix 24
ip nat pool POOL2 204.12.9.250 204.12.9.251 prefix 24

!
! Static PAT publishing the inside HTTP server 164.1.47.100:8080 as
! 204.12.9.100:80, plus NAT overload for the two inside address ranges
!
ip nat inside source static tcp 164.1.47.100 8080 204.12.9.100 80
ip nat inside source list NET_150 pool POOL1 overload
ip nat inside source list NET_10 pool POOL2 overload


!
! Apply access-list inbound and inspection outbound
!
interface FastEthernet 0/1
ip nat outside
ip access-group FROM_BB3 in
ip inspect INSPECT out

!
! Configure the inside NAT interfaces
!
interface FastEthernet0/0
ip nat inside
!
interface Serial0/1
ip nat inside
!
interface Serial0/0.345
ip nat inside

Task 2.1 Verification


SCRack4R4#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 216000 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name INSPECT
tcp alert is on audit-trail is off timeout 216000
udp alert is on audit-trail is off timeout 30
http alert is on audit-trail is off timeout 216000
icmp alert is on audit-trail is off timeout 10

Interface Configuration
Interface FastEthernet0/1
Inbound inspection rule is not set
Outgoing inspection rule is INSPECT
tcp alert is on audit-trail is off timeout 216000
udp alert is on audit-trail is off timeout 30
http alert is on audit-trail is off timeout 216000
icmp alert is on audit-trail is off timeout 10
Inbound access list is FROM_BB3
Outgoing access list is not set


SCRack4SW1#traceroute 204.12.9.254

Type escape sequence to abort.
Tracing the route to 204.12.9.254

  1 164.1.47.4 0 msec 4 msec 4 msec
  2 204.12.9.254 8 msec * 4 msec

SCRack4R4#show ip port-map http
Default mapping:  http  tcp port 80    system defined
Host specific:    http  tcp port 8080  in list 47  user defined

SCRack4R4#show ip bgp summary
BGP router identifier 150.4.4.4, local AS number 100
BGP table version is 11, main routing table version 11
10 network entries using 1200 bytes of memory
20 path entries using 1040 bytes of memory
7/4 BGP path/bestpath attribute entries using 868 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 3212 total bytes of memory
BGP activity 10/0 prefixes, 20/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
150.4.6.6       4   100     351     354       11    0    0 05:47:38       10
204.12.9.254    4    54     162     158       11    0    0 02:33:57       10

SCRack4R4#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 204.12.9.100:80    164.1.47.100:8080  ---                ---


SCRack4SW1#telnet 204.12.9.254
Trying 204.12.9.254 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB3. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.ine.com/downloads/bb3.txt |
| |
+-----------------------------------------------------------------------+

SC.9.9.BB3>

SCRack4R4#show ip inspect sessions


Established Sessions
Session 844F0400 (164.1.47.7:23249)=>(204.12.9.254:23) tcp SIS_OPEN

SCRack4SW1#ping 204.12.9.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 204.12.9.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/16 ms

SCRack4R4#show ip inspect sessions


Established Sessions
Session 844EFE70 (164.1.47.7:8)=>(204.12.9.254:0) icmp SIS_OPEN

SCRack4SW1#telnet 204.12.9.254 /source-interface loopback 0


Trying 204.12.9.254 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB3. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.ine.com/downloads/bb3.txt |
| |
+-----------------------------------------------------------------------+

SC.9.9.BB3>


SCRack4R4#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 204.12.9.151:27375 150.4.7.7:27375    204.12.9.254:23    204.12.9.254:23
tcp 204.12.9.100:80    164.1.47.100:8080  ---                ---

SCRack4SW1#telnet 204.12.9.254 /source-interface vlan 7


Trying 204.12.9.254 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB3. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.ine.com/downloads/bb3.txt |
| |
+-----------------------------------------------------------------------+

SC.9.9.BB3>

SCRack4R4#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 204.12.9.251:52163 10.7.7.7:52163     204.12.9.254:23    204.12.9.254:23
tcp 204.12.9.100:80    164.1.47.100:8080  ---                ---

Task 2.2 Solution


R4:
!
! Configure TFTP inspection
!
ip inspect name INSPECT tftp


Task 2.2 Verification


Initiate a TFTP transfer from SW1 to a host in VLAN43 and verify the
inspection state on R4. Note the pre-generated session: a TFTP server
answers from a new ephemeral UDP port rather than from port 69, so the data
channel would never match the control session under plain UDP inspection;
the tftp inspection opens it in advance for the expected server port range.

SCRack4SW1#copy system:running-config tftp:


Address or name of remote host []? 204.12.9.10
Destination filename [scRack4sw1-confg]?

SCRack4R4#show ip inspect sessions


Established Sessions
Session 844EFE70 (164.1.47.7:63368)=>(204.12.9.10:69) tftp SIS_OPEN
Pre-generated Sessions
Pre-gen session 844F0138
204.12.9.10[1024:65535]=>164.1.47.7[63368:63368] tftp-data

Task 2.3 Solution


R3:
!
! Configure the access-list
!
ip access-list extended FRAME_IN
permit gre host 150.4.5.5 host 150.4.3.3
permit esp host 150.4.5.5 host 150.4.3.3
permit ospf any any
permit tcp host 150.4.4.4 eq bgp host 150.4.6.6
permit tcp host 150.4.4.4 host 150.4.6.6 eq bgp
permit udp any host 10.0.0.100 eq syslog
permit tcp any host 10.0.0.100 eq tacacs
permit udp any host 10.0.0.100 range 1645 1646
permit udp any host 10.0.0.100 range 1812 1813
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit tcp any any eq telnet
permit tcp any eq telnet any
permit tcp any any eq 22
permit tcp any eq 22 any
deny ip any any log
!
! Apply the access-list inbound on Serial interface
!
interface Serial 1/0.345
ip access-group FRAME_IN in


Task 2.3 Verification


SCRack4R3#show access-lists
Extended IP access list FRAME_IN
10 permit gre host 150.4.5.5 host 150.4.3.3
20 permit esp host 150.4.5.5 host 150.4.3.3
30 permit ospf any any (6 matches)
40 permit tcp host 150.4.4.4 eq bgp host 150.4.6.6
50 permit tcp host 150.4.4.4 host 150.4.6.6 eq bgp (3 matches)
60 permit udp any host 10.0.0.100 eq syslog
70 permit tcp any host 10.0.0.100 eq tacacs
80 permit udp any host 10.0.0.100 range 1645 1646
90 permit icmp any any echo
100 permit icmp any any echo-reply
110 permit icmp any any time-exceeded
120 permit icmp any any packet-too-big
130 permit tcp any any eq telnet
140 permit tcp any eq telnet any
150 permit tcp any any eq 22
160 permit tcp any eq 22 any
170 deny ip any any log
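Reading an ACL like FRAME_IN by eye is error-prone, so the following added example (not code from the workbook or from IOS) parses the ACEs above and evaluates constructed packets against them with first-match semantics, including the named port and ICMP keywords IOS expands and the trailing `log` keyword. It handles only the syntax used on this page; the sample packets and their addresses are constructed, and the same evaluator applies to the ACLs in Tasks 8.3 and 2.1.

```python
"""First-match evaluation of the FRAME_IN access-list from Task 2.3.
Added illustration, not code from the workbook or from IOS; supports
any | host A | A WILDCARD, eq/range ports, named ICMP types and `log`."""
import ipaddress

# Keywords as IOS expands them.  packet-too-big and port-unreachable are
# type 3 with codes 4 and 3; the other names match any code.
PORT_NAMES = {"bgp": 179, "syslog": 514, "tacacs": 49, "telnet": 23}
ICMP_NAMES = {"echo": (8, None), "echo-reply": (0, None),
              "time-exceeded": (11, None), "packet-too-big": (3, 4),
              "port-unreachable": (3, 3)}

FRAME_IN = [
    "permit gre host 150.4.5.5 host 150.4.3.3",
    "permit esp host 150.4.5.5 host 150.4.3.3",
    "permit ospf any any",
    "permit tcp host 150.4.4.4 eq bgp host 150.4.6.6",
    "permit tcp host 150.4.4.4 host 150.4.6.6 eq bgp",
    "permit udp any host 10.0.0.100 eq syslog",
    "permit tcp any host 10.0.0.100 eq tacacs",
    "permit udp any host 10.0.0.100 range 1645 1646",
    "permit udp any host 10.0.0.100 range 1812 1813",
    "permit icmp any any echo",
    "permit icmp any any echo-reply",
    "permit icmp any any time-exceeded",
    "permit icmp any any packet-too-big",
    "permit tcp any any eq telnet",
    "permit tcp any eq telnet any",
    "permit tcp any any eq 22",
    "permit tcp any eq 22 any",
    "deny ip any any log",
]


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(t, i):
    """Parse any | host A | A WILDCARD at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard: set bits are "don't care", so invert it into a netmask
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2


def _ports(t, i):
    """Optional eq X | range X Y at t[i]; return ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_ace(line):
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "log": t[-1] == "log", "icmp": None}
    ace["src"], i = _addr(t, 2)
    ace["sport"], i = _ports(t, i)
    ace["dst"], i = _addr(t, i)
    ace["dport"], i = _ports(t, i)
    if ace["proto"] == "icmp" and i < len(t) and t[i] in ICMP_NAMES:
        ace["icmp"] = ICMP_NAMES[t[i]]
    return ace


def matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    for key in ("sport", "dport"):
        rng = ace[key]
        if rng and not rng[0] <= pkt.get(key, -1) <= rng[1]:
            return False
    if ace["icmp"]:
        itype, icode = ace["icmp"]
        ptype, pcode = pkt.get("icmp", (None, None))
        if ptype != itype or (icode is not None and pcode != icode):
            return False
    return True


def evaluate(acl, pkt):
    """Return (action, matching ACE text); unmatched packets hit the implicit deny."""
    for line in acl:
        if matches(parse_ace(line), pkt):
            return line.split()[0], line
    return "deny", "implicit deny ip any any"


if __name__ == "__main__":
    # Constructed packets arriving inbound on R3 Serial1/0.345.
    samples = [
        {"proto": "udp", "src": "164.1.47.7", "dst": "10.0.0.100", "sport": 49152, "dport": 1812},
        {"proto": "udp", "src": "164.1.47.7", "dst": "10.0.0.100", "sport": 49152, "dport": 161},
        {"proto": "tcp", "src": "150.4.4.4", "dst": "150.4.6.6", "sport": 179, "dport": 40000},
        {"proto": "icmp", "src": "164.1.45.5", "dst": "150.4.3.3", "icmp": (5, 1)},
        {"proto": "gre", "src": "150.4.4.4", "dst": "150.4.3.3"},
    ]
    for p in samples:
        print(evaluate(FRAME_IN, p))
```

Two points the run makes visible: RADIUS to 10.0.0.100 on 1812 is permitted only because of the `range 1812 1813` entry, which the `show access-lists` output above does not list, so the verification is worth re-checking against the intended configuration; and an ICMP redirect (type 5) falls through to the explicit `deny ip any any log`, so it is both dropped and logged, whereas the `permit tcp any any eq telnet` and `eq 22` entries admit those protocols from any source, which is wider than the rest of this ACL.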


Task 2.4 Solution


R5:
!
! Configure interfaces as inside and outside NAT
!
interface FastEthernet 0/1
ip nat inside
!
interface Serial 0/1
ip nat outside
!
interface Serial 0/0.345
ip nat outside

!
! Configure the NAT pool type rotary
!
ip nat pool SERVERS 164.1.55.150 164.1.55.152 prefix 24 type rotary

!
! Identify HTTP traffic to server
!
ip access-list extended VIRTUAL_SERVER
permit tcp any host 164.1.55.100 eq 80

!
! Configure destination NAT for load-balancing
!
ip nat inside destination list VIRTUAL_SERVER pool SERVERS


Task 2.4 Verification


SCRack4R5#debug ip nat detailed
IP NAT detailed debugging is on

SCRack4R5#telnet 164.1.55.100 80 /source-interface ser 0/1
Trying 164.1.55.100, 80 ...
NAT: o: tcp (164.1.45.5, 55725) -> (164.1.55.100, 80) [58629]
NAT: s=164.1.45.5, d=164.1.55.100->164.1.55.150 [58629]
NAT: o: tcp (164.1.45.5, 55725) -> (164.1.55.100, 80) [58629]
NAT: s=164.1.45.5, d=164.1.55.100->164.1.55.150 [58629]
% Connection timed out; remote host not responding

SCRack4R5#telnet 164.1.55.100 80 /source-interface ser 0/1
Trying 164.1.55.100, 80 ...
NAT: o: tcp (164.1.45.5, 30557) -> (164.1.55.100, 80) [46961]
NAT: s=164.1.45.5, d=164.1.55.100->164.1.55.151 [46961]
NAT: o: tcp (164.1.45.5, 30557) -> (164.1.55.100, 80) [46961]
NAT: s=164.1.45.5, d=164.1.55.100->164.1.55.151 [46961]
% Connection timed out; remote host not responding

SCRack4R5#telnet 164.1.55.100 80 /source-interface ser 0/1
Trying 164.1.55.100, 80 ...
NAT: o: tcp (164.1.45.5, 53656) -> (164.1.55.100, 80) [24133]
NAT: s=164.1.45.5, d=164.1.55.100->164.1.55.152 [24133]
NAT: o: tcp (164.1.45.5, 53656) -> (164.1.55.100, 80) [24133]
NAT: s=164.1.45.5, d=164.1.55.100->164.1.55.152 [24133]
% Connection timed out; remote host not responding

Each new TCP connection to the virtual address 164.1.55.100 is translated to
the next real server in the rotary pool (.150, .151 and .152 in turn); the
timeouts only show that no host answered on those addresses when this was
captured. Rotary NAT does no health checking, so a dead server keeps
receiving its share of new connections.

Task 2.5 Solution


R6:
!
! Configure an inspect-type class-map matching TCP, UDP and ICMP
!
class-map type inspect match-any cmap_icmp_tcp_udp
match protocol tcp
match protocol icmp
match protocol udp

!
! Configure a parameter-map to specify a maximum number of sessions and
! enable audit-trail
!
parameter-map type inspect my_param_max_sess
sessions maximum 100
audit-trail on


!
! Configure a type inspect policy-map and police traffic
!
policy-map type inspect pmap_zbf
class type inspect cmap_icmp_tcp_udp
inspect my_param_max_sess
police rate 50000 burst 10000

!
! Create the security zones and assign interfaces to them
!
zone security inside
zone security outside
!
interface Serial 0/0/0
zone-member security outside
!
interface FastEthernet 0/0
zone-member security inside
!
interface FastEthernet 0/1
zone-member security inside

!
! Configure the firewall policy for both directions
!
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect pmap_zbf
!
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect pmap_zbf

Task 2.5 Verification


Generate TCP and ICMP traffic from the inside zone to the outside zone; test
connectivity and confirm the matches in the zone-pair policy statistics:

SCRack4R2#telnet 54.9.2.254
Trying 54.9.2.254 ... Open

+-----------------------------------------------------------------------+
| |
| Welcome to BB1. These commands are available for use at privilege 0 |
| |
| ping show ip bgp |
| telnet show ip bgp neighbors |
| traceroute show ip bgp summary |
| show ip route show ip interface brief |
| show ip protocols |
| |
| The reference configuration for this device is available at: |
| http://www.ine.com/downloads/bb1.txt |
| |
+-----------------------------------------------------------------------+
SC.9.9.BB1>


SCRack4R2#ping 54.9.2.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 54.9.2.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms

SCRack4R6#show policy-map type inspect zone-pair

policy exists on zp inside-to-outside
Zone-pair: inside-to-outside

Service-policy inspect : pmap_zbf

Class-map: cmap_icmp_tcp_udp (match-any)
Match: protocol tcp
1 packets, 24 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps

Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:38]
icmp packets: [0:10]

Session creations since subsystem startup or last reset 2


Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 00:00:51
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 2
Last half-open session total 0
Police
rate 50000 bps,10000 limit
conformed 48 packets, 4199 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)


Match: any
Drop
0 packets, 0 bytes


policy exists on zp outside-to-inside


Zone-pair: outside-to-inside

Service-policy inspect : pmap_zbf

Class-map: cmap_icmp_tcp_udp (match-any)


Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps

Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Police
rate 50000 bps,10000 limit
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)


Match: any
Drop
0 packets, 0 bytes

000082: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(inside-to-outside:cmap_icmp_tcp_udp):Stop icmp session: initiator (164.1.26.2:8) sent 360 bytes -- responder (54.4.2.254:0) sent 0 bytes


Task 3.1 Solution


R5:
!
! Configure the tunnel interface sourced and destined on Loopbacks
!
interface Tunnel 0
tunnel source Loopback 0
tunnel destination 150.4.3.3
ip address 35.35.35.5 255.255.255.0

!
! Disable ISAKMP: the IPsec SAs are keyed manually below, so nothing is
! negotiated and the SAs never expire. Manually keyed SAs also get no
! anti-replay protection and no key rollover, so this is a lab exercise
! rather than a recommended deployment
!
no crypto isakmp enable

!
! Configure the proxy-ACL to trigger IPSec session
!
ip access-list extended GRE_TUNNEL
permit gre host 150.4.5.5 host 150.4.3.3

!
! Configure the transform-set
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!
! 3DES cipher key is 192 bits = 48 hex digits (each hex digit is 4 bits).
! Actually, only 168 bits are used for encryption (just as with a
! 64-bit DES key only 56 bits are used)
!
! Authenticator key is 128 bits = 32 hex digits
! Make sure the keys match on both sides. Note that manual SAs have
! no replay detection (see "replay detection support: N" in the
! verification) and the keys are never rotated
!
crypto map VPN local-address loopback 0
crypto map VPN 10 ipsec-manual
set peer 150.4.3.3
set session-key inbound esp 3355 cipher
123456789012345678901234567890123456789012345678 authenticator
12345678901234567890123456789012
set session-key outbound esp 5533 cipher
123456789012345678901234567890123456789012345678 authenticator
12345678901234567890123456789012
set transform-set 3DES_MD5
match address GRE_TUNNEL
!
interface Serial 0/0.345
crypto map VPN
!
interface Serial 0/1
crypto map VPN


!
! Configure policy-routing to force all traffic coming on interface
! FastEthernet0/0 to exit out the Tunnel
!
route-map POLICY permit 10
set interface Tunnel 0
!
interface FastEthernet 0/0
ip policy route-map POLICY

R3:
!
! Configure the tunnel interface sourced and destined on Loopbacks
!
interface Tunnel 0
tunnel source Loopback 0
tunnel destination 150.4.5.5
ip address 35.35.35.3 255.255.255.0

!
! Disable ISAKMP negotiation. We set up the IPsec SA manually,
! so it will never actually expire (there is no rekeying)
!
no crypto isakmp enable

!
! Configure the proxy-ACL to trigger IPSec session
!
ip access-list extended GRE_TUNNEL
permit gre host 150.4.3.3 host 150.4.5.5

!
! Configure the transform-set
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

!
! 3DES cipher key is entered as 192 bits = 48 hex digits (168 effective)
! Authenticator key is 128 bits = 32 hex digits
!
crypto map VPN local-address loopback 0
crypto map VPN 10 ipsec-manual
set peer 150.4.5.5
set session-key inbound esp 5533 cipher
123456789012345678901234567890123456789012345678 authenticator
12345678901234567890123456789012
set session-key outbound esp 3355 cipher
123456789012345678901234567890123456789012345678 authenticator
12345678901234567890123456789012
set transform-set 3DES_MD5
match address GRE_TUNNEL
!
interface Serial 1/0.345
crypto map VPN
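Added example (not the workbook's or Cisco's code) that checks, for the R5/R3 ipsec-manual crypto maps above, what the comments ask you to verify by eye: that each hex key is the length its transform requires (48 digits for esp-3des, 32 for esp-md5-hmac) and that each peer's inbound SPI and keys equal the other's outbound. The R5/R3 values are embedded as a constructed sample; the repeated-pattern check is an extra test not mentioned in the workbook.

```python
"""Consistency audit for a manually keyed IPsec crypto map (ipsec-manual).
Added example, not Cisco or workbook code: it checks by script what the
Task 3.1 comments say to verify by eye (hex key length vs. transform set,
and each peer's inbound SPI/keys equal to the other's outbound)."""
import re
from typing import Dict, List, NamedTuple

# Bits each IOS transform expects on the CLI, at 4 bits per hex digit.
# 3DES is entered as 192 bits although only 168 are effective.
CIPHER_BITS = {"esp-des": 64, "esp-3des": 192, "esp-aes": 128}
AUTH_BITS = {"esp-md5-hmac": 128, "esp-sha-hmac": 160}

TRANSFORM_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+)\s+(.+?)\s*$", re.M)
APPLIED_TS_RE = re.compile(r"^\s*set transform-set (\S+)\s*$", re.M)
SESSION_KEY_RE = re.compile(
    r"^\s*set session-key (inbound|outbound) esp (\d+) cipher ([0-9A-Fa-f]+)"
    r"(?:\s+authenticator ([0-9A-Fa-f]+))?\s*$", re.M)

# spi, cipher key, authenticator key ("" when none was given)
SessionKey = NamedTuple("SessionKey", [("spi", int), ("cipher_key", str), ("auth_key", str)])
# name, transforms of the applied set, keys by "inbound"/"outbound"
Peer = NamedTuple("Peer", [("name", str), ("transforms", List[str]),
                           ("keys", Dict[str, SessionKey])])

def parse_peer(name: str, config: str) -> Peer:
    """Pull the transform set referenced by the crypto map and its session keys."""
    sets = {m.group(1): m.group(2).split() for m in TRANSFORM_RE.finditer(config)}
    applied = APPLIED_TS_RE.search(config)
    if applied is None or applied.group(1) not in sets:
        raise ValueError(f"{name}: crypto map does not reference a defined transform-set")
    keys = {m.group(1): SessionKey(int(m.group(2)), m.group(3).lower(), (m.group(4) or "").lower())
            for m in SESSION_KEY_RE.finditer(config)}
    return Peer(name, sets[applied.group(1)], keys)

def is_repeated_pattern(hexkey: str) -> bool:
    """True when the key is one short substring repeated, e.g. 1234567890..."""
    n = len(hexkey)
    return any(hexkey == (hexkey[:p] * (n // p + 1))[:n] for p in range(1, n // 2 + 1))

def check_key_lengths(peer: Peer) -> List[str]:
    """Every hex key must be exactly the size its transform expects."""
    issues = []
    expected = {"cipher": next((CIPHER_BITS[t] for t in peer.transforms if t in CIPHER_BITS), 0),
                "authenticator": next((AUTH_BITS[t] for t in peer.transforms if t in AUTH_BITS), 0)}
    for direction in ("inbound", "outbound"):
        key = peer.keys.get(direction)
        if key is None:
            issues.append(f"{peer.name}: no {direction} session key configured")
            continue
        for label, value in (("cipher", key.cipher_key), ("authenticator", key.auth_key)):
            if len(value) * 4 != expected[label]:
                issues.append(f"{peer.name} {direction}: {label} key needs "
                              f"{expected[label] // 4} hex digits, got {len(value)}")
            if value and is_repeated_pattern(value):
                issues.append(f"{peer.name} {direction}: {label} key is a repeated pattern")
    return issues

def check_symmetry(a: Peer, b: Peer) -> List[str]:
    """a's inbound SPI and keys must equal b's outbound, and vice versa."""
    issues = []
    if sorted(a.transforms) != sorted(b.transforms):
        issues.append(f"transform sets differ: {a.name}={a.transforms} {b.name}={b.transforms}")
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        ka, kb = a.keys.get(mine), b.keys.get(theirs)
        if ka is None or kb is None:
            continue  # already reported by check_key_lengths
        if ka.spi != kb.spi:
            issues.append(f"SPI mismatch: {a.name} {mine} {ka.spi} vs {b.name} {theirs} {kb.spi}")
        elif ka[1:] != kb[1:]:
            issues.append(f"key mismatch for SPI {ka.spi}: {a.name} {mine} vs {b.name} {theirs}")
    return issues

def audit(name_a: str, cfg_a: str, name_b: str, cfg_b: str) -> List[str]:
    """Run all checks over two peers' configs; an empty list means consistent."""
    a, b = parse_peer(name_a, cfg_a), parse_peer(name_b, cfg_b)
    return check_key_lengths(a) + check_key_lengths(b) + check_symmetry(a, b)

# Constructed sample built from the Task 3.1 values (workbook placeholder keys).
KEY = "123456789012345678901234567890123456789012345678"  # 48 hex digits = 192 bits
MAC = "12345678901234567890123456789012"                  # 32 hex digits = 128 bits

def sample_config(peer: str, in_spi: int, out_spi: int) -> str:
    """Crypto map lines as IOS stores them (each session-key command on one line)."""
    return f"""crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-manual
 set peer {peer}
 set session-key inbound esp {in_spi} cipher {KEY} authenticator {MAC}
 set session-key outbound esp {out_spi} cipher {KEY} authenticator {MAC}
 set transform-set 3DES_MD5
"""

if __name__ == "__main__":
    r5, r3 = sample_config("150.4.3.3", 3355, 5533), sample_config("150.4.5.5", 5533, 3355)
    for line in audit("R5", r5, "R3", r3):  # lengths and SPIs pass; only the 1234... keys are flagged
        print(line)
```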


!
! Configure policy-routing to force all traffic coming on interface
! FastEthernet0/0 to exit out the Tunnel
!
route-map POLICY
set interface Tunnel 0
!
interface FastEthernet 0/1
ip policy route-map POLICY

Task 3.1 Verification


SCRack4R3#show crypto isakmp sa
ISAKMP is turned off

SCRack4R3#ping 35.35.35.5

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 35.35.35.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/109/113 ms

SCRack4R3#show crypto ipsec sa

interface: Serial1/0.345
Crypto map tag: VPN, local addr 150.4.3.3

protected vrf: (none)


local ident (addr/mask/prot/port): (150.4.3.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (150.4.5.5/255.255.255.255/47/0)
current_peer 150.4.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 150.4.3.3, remote crypto endpt.: 150.4.5.5


path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0.345
current outbound spi: 0xD1B(3355)

inbound esp sas:


spi: 0x159D(5533)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: VPN
no sa timing
IV size: 8 bytes
replay detection support: N
Status: ACTIVE


inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0xD1B(3355)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: VPN
no sa timing
IV size: 8 bytes
replay detection support: N
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

SCRack4R3#ping 35.35.35.5 source fastEthernet 0/1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 35.35.35.5, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/85/89 ms

SCRack4R3#sho crypto ipsec sa | i pkts


#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0


Task 3.2 Solution


ASA1:
!
! Enable WebVPN on the outside interface on port 4043; allow users to
! select the group
!
webvpn
port 4043
enable outside
tunnel-group-list enable
!
! Web-type access-list to permit only port 80 (www)
!
access-list WEBACCESS webtype permit tcp 192.10.4.0 255.255.255.0 eq www

!
! Group-policy to apply web-type access-list
! and enable content filtering
!
group-policy WEBVPN internal
group-policy WEBVPN attributes
webvpn
functions url-entry filter
html-content-filter java scripts
filter value WEBACCESS

!
! Local username to authenticate remote users
!
username CISCO password CISCO123

!
! Tunnel-group definition
!
tunnel-group WEBVPN type webvpn
tunnel-group WEBVPN general-attributes
default-group-policy WEBVPN

!
! Configure a group-alias so the group is listed on the WebVPN login page
!
tunnel-group WEBVPN webvpn-attributes
group-alias WEBVPN enable
authentication aaa

!
! Lock the user into WEBVPN group only
!
username CISCO attributes
group-lock value WEBVPN


Task 3.2 Verification


Move the TestPC to VLAN 126 and initiate a WEBVPN session:

Test PC:

Step 1:

Login to WebVPN services:


Task 3.3 Solution


ASA1:
!
! Permit telnet access in WebACL
!
access-list WEBACCESS webtype permit tcp host 192.10.4.254 eq 23

!
! Port-forwarding configuration is global
!
webvpn
port-forward TELNET_BB2 2023 192.10.4.254 telnet

!
! Configure port-forwarding in the group-policy
!
group-policy WEBVPN attributes
webvpn

port-forward-name value Application Access


port-forward auto-start TELNET_BB2


Task 3.3 Verification


Test PC:

Login to WebVPN and start application access:


Test PC:

Connect to the local port and ensure it forwards to BB2:

Task 3.4 Solution


R2:
!
! Configure the ISAKMP policy
!
crypto isakmp policy 1
auth pre
enc aes
hash sha
group 2

!
! Encrypt the pre-shared key in the router configuration with AES
!
key config-key password-encrypt MASTER-123
password encryption aes

!
! Configure the pre-shared-key
!
crypto isakmp key cisco address 164.0.0.0 255.0.0.0

!
! Configure the transform-set
!
crypto ipsec transform-set MY-GET-T-SET esp-aes esp-sha-hmac


!
! Configure the IPSec profile
!
crypto ipsec profile ipsec-prof-get
set transform-set MY-GET-T-SET
set pfs group2

!
! Configure the proxy-ACL for interesting IPSec traffic
!
access-list 101 permit icmp host 150.4.6.6 host 150.4.1.1
access-list 101 permit icmp host 150.4.1.1 host 150.4.6.6

!
! Configure the RSA key pair to sign re-keying messages
!
crypto key generate rsa general-keys label GETVPN modulus 1024

!
! Configure the key server
!
crypto gdoi group group1
identity number 1
server local
rekey transport unicast
rekey authentication mypubkey rsa GETVPN
sa ipsec 1
profile ipsec-prof-get
match address ipv4 101
address ipv4 150.4.6.6

R1:
!
! Configure the ISAKMP policy
!
crypto isakmp policy 1
auth pre
enc aes
hash sha
group 2

!
! Configure the pre-shared key
!
crypto isakmp key cisco address 150.4.2.2

!
! Configure the GDOI server
!
crypto gdoi group group1
identity number 1
server address ipv4 150.4.2.2


!
! Configure and apply the crypto map
!
crypto map GET-MAP 10 gdoi
set group group1
!
interface Serial 0/0.12
crypto map GET-MAP

R6:
!
! Configure the ISAKMP policy
!
crypto isakmp policy 1
auth pre
enc aes
hash sha
group 2
!
! Configure the pre-shared key
!
crypto isakmp key cisco address 150.4.2.2

!
! Configure the GDOI server
!
crypto gdoi group group1
identity number 1
server address ipv4 150.4.2.2

!
! Configure and apply the crypto map
!
crypto map GET-MAP 10 gdoi
set group group1
!
interface FastEthernet 0/1
crypto map GET-MAP


Task 3.4 Verification


SCRack4R2#show running-config | section crypto isakmp
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key 6 e]^cI]WORHabOCNLIUbeGKUDXbCAAB address 164.0.0.0 255.0.0.0

SCRack4R2#show crypto gdoi group group1


Group Name : group1 (Unicast)
Group Identity : 1
Group Members : 2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 32224 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs

IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : ipsec-prof-get
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 865 secs
ACL Configured : access-list 101

Group Server list : Local

SCRack4R1#sho crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
164.1.12.1 150.4.2.2 GDOI_REKEY 1010 0 ACTIVE
150.4.2.2 164.1.12.1 GDOI_IDLE 1009 0 ACTIVE

IPv6 Crypto ISAKMP SA


SCRack4R1#show crypto gdoi ipsec sa

SA created for group group1:


Serial0/0.12:
protocol = icmp
local ident = 150.4.6.6, port = 0
remote ident = 150.4.1.1, port = 0
direction: Both, replay(method/window): Counter/64
protocol = icmp
local ident = 150.4.1.1, port = 0
remote ident = 150.4.6.6, port = 0
direction: Both, replay(method/window): Counter/64

SCRack4R1#ping 150.4.6.6 source loopback 0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 150.4.6.6, timeout is 2 seconds:
Packet sent with a source address of 150.4.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/98/101 ms

SCRack4R1#sho crypto ipsec sa

interface: Serial0/0.12
Crypto map tag: GET-MAP, local addr 164.1.12.1

protected vrf: (none)


local ident (addr/mask/prot/port): (150.4.1.1/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (150.4.6.6/255.255.255.255/1/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 164.1.12.1, remote crypto endpt.:


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0.12
current outbound spi: 0x63323A01(1664236033)

inbound esp sas:


spi: 0x63323A01(1664236033)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 323, flow_id: 323, crypto map: GET-MAP
sa timing: remaining key lifetime (sec): (692)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE


inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x63323A01(1664236033)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 324, flow_id: 324, crypto map: GET-MAP
sa timing: remaining key lifetime (sec): (692)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)


local ident (addr/mask/prot/port): (150.4.6.6/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (150.4.1.1/255.255.255.255/1/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 164.1.12.1, remote crypto endpt.:


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0.12
current outbound spi: 0x63323A01(1664236033)

inbound esp sas:


spi: 0x63323A01(1664236033)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 321, flow_id: 321, crypto map: GET-MAP
sa timing: remaining key lifetime (sec): (692)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:


outbound esp sas:


spi: 0x63323A01(1664236033)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 322, flow_id: 322, crypto map: GET-MAP
sa timing: remaining key lifetime (sec): (692)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Task 4.1 Solution


sensor# setup

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.


Current Configuration:

service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
service event-action-rules rules1
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
service event-action-rules rules2
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

Continue with configuration dialog?[yes]: yes


Enter host name[sensor]: Rack4IPS
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.0.0.10/24,10.0.0.3
Enter telnet-server status[disabled]: enable
Enter web-server port[443]:
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 10.0.0.0/24
Permit:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:


The following configuration was entered.

service host
network-settings
host-ip 10.0.0.10/24,10.0.0.3
host-name Rack4IPS
telnet-option enabled
access-list 10.0.0.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
service event-action-rules rules1
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
service event-action-rules rules2
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]: 2


Configuration Saved.
*11:37:55 UTC Sat Aug 29 2009
Modify system date and time?[no]:


Task 4.1 Verification


sensor# ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3): 56 data bytes
64 bytes from 10.0.0.3: icmp_seq=0 ttl=255 time=3.9 ms
64 bytes from 10.0.0.3: icmp_seq=1 ttl=255 time=1.5 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=255 time=1.4 ms
64 bytes from 10.0.0.3: icmp_seq=3 ttl=255 time=1.4 ms

--- 10.0.0.3 ping statistics ---


4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.4/2.0/3.9 ms

SCRack4R3#telnet 10.0.0.10
Trying 10.0.0.10 ... Open

login: cisco
Password:
Last login: Mon Sep 28 07:19:47 on pts/0
***NOTICE***
<snip>
Rack4IPS#


Task 4.2 Solution


SW2:
!
! Configure the switch interface towards the IPS sensing interface as
! trunk
!
interface fastEthernet 0/10
switchport trunk encapsulation dot1q
switchport mode trunk

!
! Put R4 interface FastEthernet0/1 in VLAN 413
!
interface fastEthernet 0/4
switchport access vlan 413

IPS:
!
! Enable the sensing interface and create the VLAN Pair
!
sensor# conf t
sensor(config)# service interface
sensor(config-int)# physical-interfaces gigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 413
sensor(config-int-phy-inl-sub)# vlan2 43
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]:yes
sensor(config)#
!
! Configure the new signature definition called “Sig1”
!
sensor(config)# service signature-definition Sig1
Editing new instance Sig1.
sensor(config-sig)# exit
Apply Changes?[yes]: yes
!
! Configure the new event action rule called “Rules1”
!
sensor(config)# service event-action-rules Rules1
Editing new instance Rules1.
sensor(config-eve)# exit
Apply Changes?[yes]: yes


!
! Configure the new anomaly detection policy called “AD1”
!
sensor(config)# service anomaly-detection AD1
Editing new instance AD1.
sensor(config-ano)# exit
Apply Changes?[yes]: yes
!
! Configure the new virtual sensor called “VS1”
!
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor VS1
sensor(config-ana-vir)# signature-definition Sig1
sensor(config-ana-vir)# event-action-rules Rules1
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# anomaly-detection-name AD1
sensor(config-ana-vir-ano)# exit
sensor(config-ana-vir)# physical-interface gigabitEthernet0/0
subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes

Task 4.2 Verification


Confirm that R4 still has IP connectivity to BB3.

SCRack4R5#ping 204.12.9.254

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 204.12.9.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/122/133 ms

SCRack4R4#show ip bgp summary


BGP router identifier 150.4.4.4, local AS number 100
BGP table version is 84, main routing table version 84
11 network entries using 1320 bytes of memory
21 path entries using 1092 bytes of memory
8/5 BGP path/bestpath attribute entries using 992 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 3) using 64 bytes of memory
BGP using 3540 total bytes of memory
BGP activity 12/1 prefixes, 52/31 paths, scan interval 60 secs


Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
150.4.6.6       4   100    1668    1695       84    0    0 20:24:48       10
204.12.9.254    4    54    1494    1487       84    0    0 00:42:40       10

Task 4.3 Solution


R4:
!
! Enable AAA and configure a non-default authentication login list
!
aaa new-model
aaa authentication login MY-TAC group tacacs+
aaa authentication login default none
!
! Enable SSH on the router
!
ip domain-name internetworkexpert.com
crypto key generate rsa general-keys modulus 1024

!
! Configure a TACACS+ server; R4 has a redundant path towards the AAA
! server so source TACACS traffic from Loopback0
!
ip tacacs source-interface loop 0
tacacs-server host 10.0.0.100
tacacs-server key cisco

!
! Apply the authentication list to all VTY lines
!
line vty 0 181
login authentication MY-TAC


ACS & IDM:

Step 1:

Add R4 as a new TACACS+ client to the ACS server


Step 2:

Create a new user named “IPS” with a password of “cisco” in the ACS server.

Step 3:

Let the IPS obtain the public RSA key for the SSH process in R4. Go to
Configuration | SSH | Known Host Keys:


Step 4:

Add a new device login profile in the IPS. Go to Configuration | Blocking |
Device Login Profiles. If the ACS user does not have privilege level 15,
make sure to configure the Enable Password for the login profile:


Step 5:

Add a new blocking device corresponding to R4 and bind the device login profile to
it. Go to Configuration | Blocking | Blocking Devices and click Add:


Step 6:

Add a new blocking device interface for R4. Go to Configuration | Blocking
| Router Blocking Device Interfaces and click Add:


Step 7:

Locate the ICMP Flood signature for virtual sensor VS1 and configure it for
rate-limiting at 1% of the bandwidth. Go to Configuration | Policies |
Signature Definitions | Sig1 and edit signature 2152:


Step 8:

Prevent traffic coming from Loopback0 of R4 from ever triggering any action on
any signature for virtual sensor VS1. Go to Configuration | Policies |
Event Action Rules | Rules1 | Event Action Filters and click Add:


Task 4.3 Verification


SCRack4R4#who
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
66 vty 0 IPS idle 00:00:05 10.0.0.10

Interface User Mode Idle Peer Address

SCRack4R4#show ssh
Connection Version Encryption State           Username
66         1.5     3DES       Session started IPS
%No SSHv2 server connections running.

SCRack4R4#ping 204.12.9.254 repeat 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 204.12.9.254, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/7/80 ms

SCRack4R4#show running-config | section Serial0/0.345


interface Serial0/0.345 point-to-point
ip address 164.1.0.4 255.255.255.128
ip nat inside
ip virtual-reassembly
ip ospf network point-to-multipoint
snmp trap link-status
frame-relay interface-dlci 403
service-policy output IDS_RL_POLICY_MAP_1


SCRack4R4#show policy-map interface serial 0/0.345

Serial0/0.345

Service-policy output: IDS_RL_POLICY_MAP_1

Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-8-1_1 (match-any)


0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name IDS_RL_ACL_icmp-xxBx-8-1_1
0 packets, 0 bytes
5 minute rate 0 bps
police:
cir 1 %
cir 15000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)


47 packets, 3775 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any

sensor# show events alert past 00:04:00

evIdsAlert: eventId=1252139016862890678 severity=medium vendor=Cisco


originator:
hostId: Rack4IPS
appName: sensorApp
appInstanceId: 368
time: 2009/09/28 10:56:48 2009/09/28 10:56:48 UTC
signature: description=ICMP Flood id=2152 version=S1
subsigId: 0
marsCategory: DoS/Network/ICMP
interfaceGroup: VS1
vlan: 413
participants:
attacker:
addr: locality=OUT 204.12.9.4
target:
addr: locality=OUT 204.12.9.254
os: idSource=unknown relevance=relevant type=unknown
actions:
rateLimitRequested: true
riskRatingValue: attackRelevanceRating=relevant
targetValueRating=medium 85
threatRatingValue: 65
interface: ge0_0
protocol: icmp


Task 4.4 Solution


When you are given a task like this, where it is not clear which signature
should be used, search by signature name using keywords from the task. In our
example: “non-http”, “post”, “del”.

Step 1:

Enable the AIC engine and tune the AIC Web Ports values. Go to
Configuration | Policies | Signature Definitions | Sig1 |
Miscellaneous to accomplish this:


Step 2:

Activate the signature for FTP “DELE” command and set the actions. Go to
Configuration | Policies | Signature Definitions | Sig1 and
edit actions for signature 12907: Set the action to Deny Connection Inline.

Step 3:

Activate the signature for HTTP “POST” method and set the actions. Go to
Configuration | Policies | Signature Definitions | Sig1 and
edit actions for signature 12683: Set the action to Produce Alert.

Step 4:

Activate the signature for non-HTTP traffic and set the actions. Go to
Configuration | Policies | Signature Definitions | Sig1 and
edit actions for signature 12674: Set the action to Deny Connection Inline.


Task 5.1 Solution


ASA1:
!
! Configure the RADIUS server
!
aaa-server RAD protocol radius
aaa-server RAD (outside) host 10.0.0.100 cisco

!
! When network access authentication is combined with the virtual telnet
! server, the access-list also needs to match the telnet traffic to the
! virtual telnet IP address
!
access-list AUTH permit tcp 192.10.4.0 255.255.255.0 any eq 139
access-list AUTH permit tcp 192.10.4.0 255.255.255.0 host 192.10.4.50 eq 23

!
! Configure authentication so that connections on TCP port 139 are
! allowed
!
aaa authentication match AUTH inside RAD

!
! Enable the virtual telnet server
!
virtual telnet 192.10.4.50


ACS:

Step 1:

Add ASA1 as a RADIUS client to the ACS server using the authentication key
value of “cisco”.

Step 2:

Add a user “USER1” with a password of “cisco” in the ACS server.

Task 5.1 Verification


Rack4ASA1# test aaa authentication RAD username USER1 password cisco
Server IP Address or name: 10.0.0.100
INFO: Attempting Authentication test to IP address <10.0.0.100>
(timeout: 12 seconds)
INFO: Authentication Successful

SC.9.9.BB2>telnet 192.10.9.50
Trying 192.10.9.50 ... Open

LOGIN Authentication

Username: USER1

Password:

Authentication Successful

[Connection to 192.10.9.50 closed by foreign host]

Rack4ASA1# show uauth


Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'USER1' at 192.10.9.254, authenticated
absolute timeout: 0:05:00
inactivity timeout: 0:00:00


Task 5.2 Solution


ASA2:
!
! Allow SSH connections from anywhere since we are not told where NOC
! users are located, on the inside or on the outside of the ASA
!

ssh 0 0 inside
ssh 0 0 outside

!
! Configure the TACACS server for user authentication
!
aaa-server TAC protocol tacacs
aaa-server TAC (inside) host 10.0.0.100 cisco

!
! Configure SSH authentication to use TACACS server
!
aaa authentication ssh console TAC

!
! Enable local command authorization so that levels 2-15 can be used, i.e.
! an enable password per level (here level 5)
!
aaa authorization command LOCAL
enable password CISCO5 level 5

!
! Make the “show run” command available at privilege level 5
!
privilege show level 5 command running-config


ACS:

Step 1:

Add ASA2 as a TACACS+ client in the ACS server.

Step 2:

Create a user named “NOC-USER” with the password “cisco” in the ACS server.

Task 5.2 Verification


Rack4ASA2# test aaa authentication TAC username NOC-USER password cisco
Server IP Address or name: 10.0.0.100
INFO: Attempting Authentication test to IP address <10.0.0.100>
(timeout: 12 seconds)
INFO: Authentication Successful

SCRack4R1#ssh -l NOC-USER 164.1.131.13

Password:
Type help or '?' for a list of available commands.
Rack4ASA2> enable 5
Password: ******
Rack4ASA2# show running-config
: Saved
:
ASA Version 8.0(4)
!
hostname Rack4ASA2
enable password zdCTvh0TBpS6TU4W level 5 encrypted
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 164.1.128.13 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 164.1.131.13 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address


Task 5.3 Solution


R5:
!
! Enable AAA. Configure two login authentication lists, one for VTY and
! another for the console line
!
aaa new-model
aaa authentication login VTY group radius line
aaa authentication login CONSOLE none

!
! Configure authorization exec via RADIUS with local fallback
!
aaa authorization exec default group radius local if-authenticated

!
! Configure level 12 commands accounting
!
aaa accounting commands 12 default start-stop group tacacs+

!
! Define the RADIUS and TACACS+ servers
!
radius-server host 10.0.0.100 key CISCO
ip radius source Loopback0
!
tacacs-server host 10.0.0.100 key CISCO
ip tacacs source Loopback0

!
! Make the commands available for privilege-level 12
!
privilege exec all level 12 debug
privilege exec all level 12 undebug

!
! Apply the authentication lists on VTY lines and console
!
line vty 0 181
login authentication VTY
!
line con 0
login authentication CONSOLE


Step 1:

Add R5 as a TACACS+ client in the ACS server.

Step 2:

Add R5 as a RADIUS client in the ACS server. You may use the same IP
address you used for the TACACS+ client; just use a different client name.

Step 3:

Enable the use of “cisco-av-pair” in the user profiles. Go to Interface
Configuration | RADIUS (Cisco IOS/PIX 6.x).


Step 4:

Add a new user named “R5USER” with a password of “CISCO” in the ACS
server.

Configure the following RADIUS “cisco-av-pair” attribute for this user to assign
privilege-level 12:


Task 5.3 Verification


SCRack4R5#test aaa group radius R5USER CISCO legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

SCRack4R5#telnet 150.4.5.5
Trying 150.4.5.5 ... Open

User Access Verification

Username: R5USER
Password:

SCRack4R5#show privilege
Current privilege level is 12
SCRack4R5#debug ip rip
RIP protocol debugging is on
SCRack4R5#undebug all
All possible debugging has been turned off
SCRack4R5#conf t
^
% Invalid input detected at '^' marker.
SCRack4R5#exit

[Connection to 150.4.5.5 closed by foreign host]


AAA Server:

Check the reports and activity for R5USER and notice the logged commands. Go
to Reports and Activity | TACACS+ Administration:


Task 5.4 Solution


SW1:
!
! The console authorization list can be left unconfigured, since console
! authorization is not enabled by default
!
aaa new-model
aaa authentication login VTY group radius

aaa authorization exec default group radius

!
! Configure the RADIUS server
!
radius-server host 10.0.0.100 key cisco
ip radius source loopback 0
!

!
! Apply the authentication login list to all VTY lines
!
line vty 0 15
login authentication VTY


ACS:

Step 1:

Add SW1 as a RADIUS client in the ACS server using the authentication key
value of “cisco”.

Step 2:

Edit RADIUS Interface settings and enable the following attribute for the
“User” profile:


Step 3:

Create a new user named “ADMIN” with a password of “cisco” in the ACS server.
Set the RADIUS Service-Type attribute for this user to “Administrative”:


Step 5:

Create a new user named “USER” with a password of “cisco” in the ACS server.
Set the RADIUS Service-Type attribute for this user to “Login”.


Task 5.4 Verification


SCRack4SW1#test aaa group radius ADMIN cisco legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated

SCRack4SW1#test aaa group radius USER cisco legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

SCRack4SW1#telnet 150.4.7.7
Trying 150.4.7.7 ... Open

User Access Verification

Username: ADMIN
Password:

SCRack4SW1#show privilege
Current privilege level is 15
SCRack4SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SCRack4SW1(config)#exit
SCRack4SW1#exit

[Connection to 150.4.7.7 closed by foreign host]

SCRack4SW1#telnet 150.4.7.7
Trying 150.4.7.7 ... Open

User Access Verification

Username: USER
Password:

SCRack4SW1>show privilege
Current privilege level is 1
SCRack4SW1>exit


Task 5.5 Solution


Make sure you restart the services after generating the self-signed certificate.

AAA Server:

Go to System Configuration | ACS Certificate Setup | Generate Self-Signed
Certificate. Generate a new self-signed certificate and install it:


Task 6.1 Solution


SW1:
!
! Configure an access-list to match RIP traffic sourced from R3 and the AAA server
!
ip access-list extended LEGAL_RIP
permit udp host 10.0.0.100 eq 520 any eq 520
permit udp host 10.0.0.3 eq 520 any eq 520

!
! Configure an access-list to match all traffic on UDP port 520 (RIP)
!
ip access-list extended RIP_UPDATES
permit udp any eq 520 any eq 520

!
! Permit Legal RIP updates
!
vlan access-map VLAN33_FILTER 10
match ip address LEGAL_RIP
action forward
!
! Drop every other RIP update
!
vlan access-map VLAN33_FILTER 20
match ip address RIP_UPDATES
action drop
!
! Permit everything else
!
vlan access-map VLAN33_FILTER 30
action forward
!
! Apply the filtering only on VLAN 33
!
vlan filter VLAN33_FILTER vlan-list 33
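The ordering of the three access-map sequences matters, and a VLAN access-map ends with an implicit drop, which is why sequence 30 with no match clause is needed. The following Python model of the VACL above is an added example, not part of the workbook; the sample packets (a rogue RIP speaker at 10.0.0.66 and an ICMP echo) are constructed.

```python
"""Evaluate a VLAN access-map the way the switch does: sequences are tried in
order, the first sequence whose match clause hits decides the action, a
sequence with no match clause matches everything, and a packet matching no
sequence is dropped (implicit deny at the end of the map)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", "icmp" or "ip" (any protocol)
    src: str                     # CIDR; "host X" is X/32, "any" is 0.0.0.0/0
    dst: str
    sport: Optional[int] = None  # "eq N" on the source port, None if absent
    dport: Optional[int] = None

    def hits(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.sport in (None, pkt.get("sport"))
                and self.dport in (None, pkt.get("dport")))


def acl_permits(acl: List[Ace], pkt: dict) -> bool:
    """First matching ACE decides; no ACE matching means the ACL's implicit deny."""
    for ace in acl:
        if ace.hits(pkt):
            return ace.action == "permit"
    return False


# The two ACLs from the SW1 configuration above.
ACLS: Dict[str, List[Ace]] = {
    "LEGAL_RIP": [
        Ace("permit", "udp", "10.0.0.100/32", "0.0.0.0/0", 520, 520),
        Ace("permit", "udp", "10.0.0.3/32", "0.0.0.0/0", 520, 520),
    ],
    "RIP_UPDATES": [Ace("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 520, 520)],
}

# vlan access-map VLAN33_FILTER as (sequence, ACLs named in the match clause, action).
VLAN33_FILTER: List[Tuple[int, List[str], str]] = [
    (10, ["LEGAL_RIP"], "forward"),
    (20, ["RIP_UPDATES"], "drop"),
    (30, [], "forward"),   # no match clause: catches everything else
]


def evaluate(access_map, pkt: dict, acls=ACLS) -> str:
    for _seq, acl_names, action in sorted(access_map, key=lambda e: e[0]):
        # "match ip address A B" hits when any of the listed ACLs permits the packet
        if not acl_names or any(acl_permits(acls[n], pkt) for n in acl_names):
            return action
    return "drop"   # fell off the end of the map: implicit deny


# Constructed sample packets (not taken from the lab).
LEGAL_RIP = {"proto": "udp", "src": "10.0.0.3", "dst": "224.0.0.9", "sport": 520, "dport": 520}
ROGUE_RIP = {"proto": "udp", "src": "10.0.0.66", "dst": "224.0.0.9", "sport": 520, "dport": 520}
ICMP_ECHO = {"proto": "icmp", "src": "10.0.0.66", "dst": "10.0.0.3"}

if __name__ == "__main__":
    for name, pkt in [("legal RIP", LEGAL_RIP), ("rogue RIP", ROGUE_RIP), ("ICMP", ICMP_ECHO)]:
        print(f"{name:10s} -> {evaluate(VLAN33_FILTER, pkt)}")
    # Without sequence 30, everything that is not RIP hits the implicit deny.
    print("ICMP, no seq 30 ->", evaluate(VLAN33_FILTER[:2], ICMP_ECHO))
```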

Task 6.1 Verification


SCRack4SW1#show vlan access-map
Vlan access-map "VLAN33_FILTER" 10
Match clauses:
ip address: LEGAL_RIP
Action:
forward
Vlan access-map "VLAN33_FILTER" 20
Match clauses:
ip address: RIP_UPDATES
Action:
drop
Vlan access-map "VLAN33_FILTER" 30
Match clauses:
Action:


Task 6.2 Solution


R4:
!
! Enable MD5 authentication globally under the OSPF process
!
router ospf 1
area 0 authentication message-digest

!
! Configure the key number and key string at the interface level; on
! FastEthernet0/1 there is no need for authentication as there are
! no adjacencies there
!
interface FastEthernet 0/0
ip ospf message-digest-key 1 md5 CISCO
!
interface Serial 0/1
ip ospf message-digest-key 1 md5 CISCO
!
interface Serial 0/0.345
ip ospf message-digest-key 1 md5 CISCO

R3:
!
! Enable MD5 authentication globally under the OSPF process
!
router ospf 1
area 0 authentication message-digest

!
! Configure the key number and key string at the interface level
!
interface Serial 1/0.345
ip ospf message-digest-key 1 md5 CISCO

R5:
!
! Enable MD5 authentication globally under the OSPF process
!
router ospf 1
area 0 authentication message-digest
!
! Configure the key number and key string at the interface level
!
interface Serial 0/1
ip ospf message-digest-key 1 md5 CISCO
!
interface Serial 0/0.345
ip ospf message-digest-key 1 md5 CISCO


SW1:
!
! Enable MD5 authentication globally under the OSPF process
!
router ospf 1
area 0 authentication message-digest
!
! Configure the key number and key string at the interface level
!
interface Vlan407
ip ospf message-digest-key 1 md5 CISCO

Task 6.2 Verification


SCRack4SW1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.4.4.4         1   FULL/BDR        00:00:30    164.1.47.4      Vlan407

SCRack4R3#show ip ospf interface serial 1/0.345
Serial1/0.345 is up, line protocol is up
  Internet Address 164.1.0.3/25, Area 0
  Process ID 1, Router ID 150.4.3.3, Network Type POINT_TO_MULTIPOINT, Cost: 781
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 12
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 150.4.4.4
    Adjacent with neighbor 150.4.5.5
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

SCRack4R5#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.4.4.4         0   FULL/  -        00:00:32    164.1.45.4      Serial0/1
150.4.3.3         0   FULL/  -        00:01:41    164.1.0.3       Serial0/0.345


SCRack4R5#show ip ospf interface serial 0/1
Serial0/1 is up, line protocol is up
  Internet Address 164.1.45.5/29, Area 0
  Process ID 1, Router ID 150.4.5.5, Network Type POINT_TO_POINT, Cost: 9999
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 3/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 11
  Last flood scan time is 0 msec, maximum is 5 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.4.4.4
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

SCRack4R5#show ip ospf interface serial 0/0.345
Serial0/0.345 is up, line protocol is up
  Internet Address 164.1.0.5/25, Area 0
  Process ID 1, Router ID 150.4.5.5, Network Type POINT_TO_MULTIPOINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:17
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 12
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.4.3.3
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

SCRack4R4#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.4.7.7         1   FULL/DR         00:00:35    164.1.47.7      FastEthernet0/0
150.4.5.5         0   FULL/  -        00:00:35    164.1.45.5      Serial0/1
150.4.3.3         0   FULL/  -        00:01:59    164.1.0.3       Serial0/0.345


SCRack4R4#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 164.1.47.4/24, Area 0
  Process ID 1, Router ID 150.4.4.4, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 150.4.7.7, Interface address 164.1.47.7
  Backup Designated router (ID) 150.4.4.4, Interface address 164.1.47.4
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 4/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 11
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.4.7.7 (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

SCRack4R4#show ip ospf interface serial 0/1
Serial0/1 is up, line protocol is up
  Internet Address 164.1.45.4/29, Area 0
  Process ID 1, Router ID 150.4.4.4, Network Type POINT_TO_POINT, Cost: 9999
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 3/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 13
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.4.5.5
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1


SCRack4R4#show ip ospf interface serial 0/0.345
Serial0/0.345 is up, line protocol is up
  Internet Address 164.1.0.4/25, Area 0
  Process ID 1, Router ID 150.4.4.4, Network Type POINT_TO_MULTIPOINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:03
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 13
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.4.3.3
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

Task 6.3 Solution


R6:
!
! Send syslog messages to the server 10.0.0.100
!
logging on
logging host 10.0.0.100

!
! Use syslog facility local3 and send only messages of level critical (2)
! and more severe
!
logging facility local3
logging trap critical

!
! Enable syslog message sequence numbering so that missing or duplicated
! messages can be detected (protection against tampering)
!
service sequence-numbers
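What sequence numbering buys the collector is the ability to notice messages that never arrived, arrived twice, or arrived out of order. The following Python audit is an added example, not part of the workbook; the log lines it runs over are constructed (the sequence-number prefix and timestamp layout follow the IOS format, and the message bodies reuse mnemonics seen on this page), and it assumes the collector receives every severity, which is not the case with `logging trap critical`.

```python
"""Audit a syslog stream produced with 'service sequence-numbers': parse the
sequence number and severity of each message and report gaps, duplicates and
out-of-order arrivals."""
import re
from typing import Optional

# "<seq>: <timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
SEQ_RE = re.compile(r"^(\d+): .*?%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)$")


def parse(line: str) -> Optional[dict]:
    """Return the fields of a numbered message, or None for an unnumbered line."""
    m = SEQ_RE.match(line)
    if not m:
        return None
    return {"seq": int(m.group(1)), "facility": m.group(2),
            "severity": int(m.group(3)), "mnemonic": m.group(4), "text": m.group(5)}


def audit_sequence(log_text: str, trap_level: int = 2) -> dict:
    """trap_level mirrors 'logging trap critical' (2): only messages at that
    severity or lower (more severe) would actually be sent to the syslog server."""
    entries, unnumbered = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e is None:
            unnumbered += 1          # a message without a sequence number
        else:
            entries.append(e)
    seen, duplicates, out_of_order, high = set(), [], 0, None
    for e in entries:
        s = e["seq"]
        if s in seen:
            duplicates.append(s)     # same number twice: retransmit or replay
            continue
        if high is not None and s < high:
            out_of_order += 1        # lower number after a higher one
        seen.add(s)
        high = s if high is None else max(high, s)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    forwarded = sorted({e["seq"] for e in entries if e["severity"] <= trap_level})
    return {"first": min(seen) if seen else None, "last": high,
            "missing": missing, "duplicates": duplicates,
            "out_of_order": out_of_order, "unnumbered": unnumbered,
            "forwarded": forwarded}


# Constructed sample: sequence 20 never arrived, 23 arrived twice, 22 arrived
# late, and the final message carries no sequence number at all.
SAMPLE_LOG = """\
000017: *Mar  1 00:10:02.103: %SYS-5-CONFIG_I: Configured from console by console
000018: *Mar  1 00:10:40.511: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down
000019: *Mar  1 00:10:41.514: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
000021: *Mar  1 00:11:03.002: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed
000023: *Mar  1 00:12:15.700: %SYS-5-CONFIG_I: Configured from vty0 (10.0.0.100)
000023: *Mar  1 00:12:15.700: %SYS-5-CONFIG_I: Configured from vty0 (10.0.0.100)
000022: *Mar  1 00:11:59.348: %SEC-6-IPACCESSLOGP: list 100 denied tcp 54.9.3.254(0) -> 54.9.3.6(0), 1 packet
%SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    for key, value in audit_sequence(SAMPLE_LOG).items():
        print(f"{key:13s}: {value}")
```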


Task 6.3 Verification


SCRack4R6#show logging
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 230 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  disabled, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: level critical, 232 message lines logged
        Logging to 10.0.0.100  (udp port 514, audit disabled,
              authentication disabled, encryption disabled, link down),
              0 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Task 6.4 Solution


R3:
!
! Match ICMP destined to the router, except when sourced from 150.4.0.0/16
!
access-list 100 deny icmp 150.4.0.0 0.0.255.255 any
access-list 100 permit icmp any any
!
class-map CMAP_CONTROL_PLANE
match access-group 100
!
! Police the matched ICMP to 10000 bps; packets above the rate are dropped
!
policy-map PMAP_CONTROL_PLANE
class CMAP_CONTROL_PLANE
police 10000 conform-action transmit exceed-action drop
!
! Apply the policy to the control-plane host subinterface
!
control-plane host
service-policy input PMAP_CONTROL_PLANE


Task 6.4 Verification


SCRack4R2#ping 150.4.3.3 size 1000 repeat 10

Type escape sequence to abort.
Sending 10, 1000-byte ICMP Echos to 150.4.3.3, timeout is 2 seconds:
!!.!!.!!.!
Success rate is 70 percent (7/10), round-trip min/avg/max = 508/509/513 ms

SCRack4R2#ping 150.4.3.3 size 1000 repeat 10 source loopback 0

Type escape sequence to abort.
Sending 10, 1000-byte ICMP Echos to 150.4.3.3, timeout is 2 seconds:
Packet sent with a source address of 150.4.2.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 508/510/513 ms

SCRack4R3#show policy-map control-plane host
Control Plane Host

  Service-policy input: PMAP_CONTROL_PLANE

    Class-map: CMAP_CONTROL_PLANE (match-all)
      10 packets, 10040 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 100
      police:
          cir 10000 bps, bc 1500 bytes, be 1500 bytes
        conformed 7 packets, 7028 bytes; actions:
          transmit
        exceeded 3 packets, 3012 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      13 packets, 10316 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
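The `!!.!!.!!.!` pattern above follows directly from the policer parameters (cir 10000 bps, bc and be 1500 bytes, 1004 bytes counted per 1000-byte echo) and from the way IOS ping paces itself: the next echo goes out when the reply arrives, or after the 2-second timeout when it does not. The following Python simulation is an added example, not workbook code; it models the single-rate three-colour policer IOS reports in the output above, and the non-150.4.0.0/16 source address 192.0.2.2 and the 0.51 s round-trip time are constructed.

```python
"""Model of the CoPP policer above: 'police 10000' is a single-rate
three-colour policer (RFC 2697 style) with a conform bucket of bc bytes
refilled at cir, whose overflow spills into an exceed bucket of be bytes."""
from ipaddress import ip_address, ip_network


class SrTcmPolicer:
    def __init__(self, cir_bps: int, bc_bytes: int, be_bytes: int) -> None:
        self.cir, self.bc, self.be = cir_bps, bc_bytes, be_bytes
        self.tc = float(bc_bytes)   # conform bucket starts full
        self.te = float(be_bytes)   # exceed bucket starts full
        self.last = 0.0             # time of the previous packet (seconds)

    def offer(self, size: int, t: float) -> str:
        """Return conform / exceed / violate for a packet of size bytes at time t."""
        new_tokens = self.cir / 8.0 * (t - self.last)
        self.last = t
        room = self.bc - self.tc
        self.tc += min(new_tokens, room)                              # fill Tc first ...
        self.te = min(self.be, self.te + max(0.0, new_tokens - room))  # ... spill to Te
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"            # neither bucket has room; nothing is debited


def is_policed(src_ip: str) -> bool:
    """access-list 100: deny icmp 150.4.0.0 0.0.255.255 any, then permit icmp any any."""
    return ip_address(src_ip) not in ip_network("150.4.0.0/16")


def simulate_ping(policer: SrTcmPolicer, src_ip: str, count: int = 10,
                  size: int = 1004, rtt: float = 0.51, timeout: float = 2.0) -> dict:
    """IOS ping sends the next echo when the reply arrives (after rtt) or when
    the timeout expires, so every dropped echo gives the buckets 2 s to refill."""
    t = 0.0
    pattern = []
    counters = {"conform": [0, 0], "exceed": [0, 0], "violate": [0, 0]}
    for _ in range(count):
        if is_policed(src_ip):
            verdict = policer.offer(size, t)
            counters[verdict][0] += 1
            counters[verdict][1] += size
        else:
            verdict = "conform"     # falls into class-default: never policed
        if verdict == "conform":
            pattern.append("!")
            t += rtt
        else:
            pattern.append(".")
            t += timeout
    return {"pattern": "".join(pattern),
            "conformed": tuple(counters["conform"]),
            "exceeded": tuple(counters["exceed"]),
            "violated": tuple(counters["violate"])}


if __name__ == "__main__":
    # ten 1000-byte echoes from a constructed non-150.4.0.0/16 source address
    print(simulate_ping(SrTcmPolicer(10000, 1500, 1500), "192.0.2.2"))
    # the same test sourced from R2's loopback 150.4.2.2 is denied by ACL 100
    print(simulate_ping(SrTcmPolicer(10000, 1500, 1500), "150.4.2.2"))
```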


Task 7.1 Solution


R6:
!
! The access-list denies all packets that fail the uRPF check and logs them
!
access-list 100 deny ip any any log
!
interface Serial 0/0/0
ip verify unicast source reachable-via any 100
!
interface FastEthernet 0/0
ip verify unicast source reachable-via any 100

Task 7.1 Verification


SCRack4R6#show ip interface fastEthernet 0/0
<snip>
IP verify source reachable-via ANY, ACL 100
0 verification drops
0 suppressed verification drops
0 verification drop-rate

SCRack4R6#show ip interface serial 0/0/0
<snip>
  IP verify source reachable-via ANY, ACL 100
   2 verification drops
   0 suppressed verification drops
   0 verification drop-rate

%SEC-6-IPACCESSLOGP: list 100 denied tcp 54.9.3.254(0) -> 54.9.3.6(0), 1 packet

Task 7.2 Solution


SW1 and SW2:
!
! Log at level informational (one level below debugging) to a file on the
! local flash
!
logging file flash:syslog.txt informational


Task 7.2 Verification


SCRack4SW1#more flash:syslog.txt
%SYS-5-CONFIG_I: Configured from console by console

SCRack4SW2#more flash:syslog.txt
%SYS-5-CONFIG_I: Configured from console by console

Task 7.3 Solution


SW2:
!
! Configure the MAC access-list to drop IPX packets (EtherType 0x8137) and
! permit the rest
!
mac access-list extended BLOCK_ALL_IPX
deny any any 0x8137 0x0
permit any any
!
! Apply the access-list to the interface facing BB2
!
interface FastEthernet 0/24
mac access-group BLOCK_ALL_IPX in

Task 7.3 Verification


Verify that the new policy does not block ARPs:

Rack4ASA1# clear arp inside

Rack4ASA1# ping 192.10.9.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.9.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms

Rack4ASA1# show arp
        inside 192.10.9.254 0000.0c0a.049d 2
        inside 224.0.0.5 0100.5e00.0005 95
        outside 224.0.0.9 0100.5e00.0009 203


Task 7.4 Solution


R5:
!
! Configure three class-maps for OSPF, ICMP and telnet traffic
!
class-map match-any PRIORITY
match protocol ospf
!
class-map match-all ICMP
match protocol icmp
!
class-map match-all TELNET
match protocol telnet
!
! Configure policy-map and prioritize OSPF, police ICMP and mark telnet
!
policy-map OUTGOING
class PRIORITY
priority percent 25
class ICMP
police rate percent 5
class TELNET
set dscp af43

!
! Apply the policy outbound on Serial0/1
!
interface Serial 0/1
service-policy output OUTGOING

Task 7.4 Verification


SCRack4R5#ping 164.1.45.4 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 164.1.45.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 28/31/33 ms

SCRack4R5#telnet 164.1.45.4
Trying 164.1.45.4 ... Open

Username: R5USER
Password:

SCRack4R4>exit

[Connection to 164.1.45.4 closed by foreign host]

SCRack4R5#show policy-map interface Serial 0/1
 Serial0/1

  Service-policy output: OUTGOING


    Class-map: PRIORITY (match-any)
      15 packets, 1860 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol ospf
        15 packets, 1860 bytes
        5 minute rate 0 bps
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 25 (%)
        Bandwidth 386 (kbps) Burst 9650 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0

    Class-map: ICMP (match-all)
      100 packets, 10400 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol icmp
      police:
          rate 5 %
          rate 77000 bps, burst 2406 bytes
        conformed 100 packets, 10400 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: TELNET (match-all)
      72 packets, 3275 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol telnet
      QoS Set
        dscp af43
          Packets marked 72

    Class-map: class-default (match-any)
      16 packets, 996 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any


Task 7.5 Solution


R1:
!
! Match traffic from the subnet in an access-list
!
ip access-list extended acl-fasttrack
permit ip 164.1.131.0 0.0.0.255 any

!
! Configure class-map and match on ACL plus the “fasttrack” protocol
!
class-map match-all cmap-fasttrack
match access-group name acl-fasttrack
match protocol fasttrack

!
! Drop traffic that matches the class-map
!
policy-map pmap-fasttrack
class cmap-fasttrack
drop

!
! Apply the policy outbound on interface Serial0/0.12
!
interface Serial0/0.12
service-policy output pmap-fasttrack

Task 7.5 Verification


SCRack4R1#show policy-map interface serial 0/0.12
 Serial0/0.12

  Service-policy output: pmap-fasttrack

    Class-map: cmap-fasttrack (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name acl-fasttrack
      Match: protocol fasttrack
      drop

    Class-map: class-default (match-any)
      24 packets, 2947 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any


Task 8.1 Solution


R4:
!
! Configure the prefix-list to match on prefixes <=24
!
ip prefix-list SLASH_24_AND_SHORTER permit 0.0.0.0/0 le 24

!
! Apply the filter inbound and specify the maximum number of prefixes
!
router bgp 100
neighbor 204.12.4.254 prefix-list SLASH_24_AND_SHORTER in
neighbor 204.12.4.254 maximum-prefix 10000

R6:
!
! Configure the prefix-list to match on prefixes <=24
!
ip prefix-list SLASH_24_AND_SHORTER permit 0.0.0.0/0 le 24
!
! Apply the filter inbound and specify the maximum number of prefixes
!
router bgp 100
neighbor 54.4.2.254 prefix-list SLASH_24_AND_SHORTER in
neighbor 54.4.2.254 maximum-prefix 10000

Task 8.1 Verification


SCRack4R6#show ip bgp neighbors 54.4.2.254 policy
 Neighbor: 54.4.2.254, Address-Family: IPv4 Unicast
 Locally configured policies:
  prefix-list SLASH_24_AND_SHORTER in
  maximum-prefix 10000

SCRack4R4#show ip bgp neighbors 204.12.4.254 policy
 Neighbor: 204.12.4.254, Address-Family: IPv4 Unicast
 Locally configured policies:
  prefix-list SLASH_24_AND_SHORTER in
  maximum-prefix 10000


Task 8.2 Solution


SW1:
!
! Configure SW1 with the lowest STP priority for all VLANs; do NOT use
! the command “spanning-tree root primary”, as the result might not be
! the desired one
!
spanning-tree vlan 1-4094 priority 0

!
! Enable root guard on the trunk port facing SW2
!
interface FastEthernet0/23
spanning-tree guard root

SW2:

!
! Configure BPDU filter at the interface level
!
interface range FastEthernet 0/16 - 18
switchport mode access
spanning-tree bpdufilter enable


Task 8.2 Verification


SCRack4SW1#show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001             1 0012.0183.5900         0    2   20  15
VLAN0003             3 0012.0183.5900         0    2   20  15
VLAN0005             5 0012.0183.5900         0    2   20  15
VLAN0007             7 0012.0183.5900         0    2   20  15
VLAN0026            26 0012.0183.5900         0    2   20  15
VLAN0033            33 0012.0183.5900         0    2   20  15
VLAN0043            43 0012.0183.5900         0    2   20  15
VLAN0049            49 0012.0183.5900         0    2   20  15
VLAN0055            55 0012.0183.5900         0    2   20  15
VLAN0112           112 0012.0183.5900         0    2   20  15
VLAN0118           118 0012.0183.5900         0    2   20  15
VLAN0122           122 0012.0183.5900         0    2   20  15
VLAN0126           126 0012.0183.5900         0    2   20  15
VLAN0128           128 0012.0183.5900         0    2   20  15
VLAN0131           131 0012.0183.5900         0    2   20  15
VLAN0255           255 0012.0183.5900         0    2   20  15
VLAN0407           407 0012.0183.5900         0    2   20  15
VLAN0413           413 0012.0183.5900         0    2   20  15
VLAN0417           417 0012.0183.5900         0    2   20  15

SCRack4SW1#show spanning-tree interface fastEthernet 0/23

Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg FWD 19        128.23   P2p
VLAN0003            Desg FWD 19        128.23   P2p
VLAN0005            Desg FWD 19        128.23   P2p
VLAN0007            Desg FWD 19        128.23   P2p
VLAN0026            Desg FWD 19        128.23   P2p
VLAN0033            Desg FWD 19        128.23   P2p
VLAN0043            Desg FWD 19        128.23   P2p
VLAN0049            Desg FWD 19        128.23   P2p
VLAN0055            Desg FWD 19        128.23   P2p
VLAN0112            Desg FWD 19        128.23   P2p
VLAN0118            Desg FWD 19        128.23   P2p
VLAN0122            Desg FWD 19        128.23   P2p
VLAN0126            Desg FWD 19        128.23   P2p
VLAN0128            Desg FWD 19        128.23   P2p
VLAN0131            Desg FWD 19        128.23   P2p
VLAN0255            Desg FWD 19        128.23   P2p
VLAN0407            Desg FWD 19        128.23   P2p
VLAN0413            Desg BKN*19        128.23   P2p *ROOT_Inc
VLAN0417            Desg FWD 19        128.23   P2p


Notice that the STP instance for VLAN 413 is in the root-inconsistent state on
the port:

SCRack4SW1#show spanning-tree vlan 413

VLAN0413
  Spanning tree enabled protocol ieee
  Root ID    Priority    413
             Address     0012.0183.5900
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    413    (priority 0 sys-id-ext 413)
             Address     0012.0183.5900
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/23              Desg BKN*19        128.23   P2p *ROOT_Inc

SCRack4SW2#show spanning-tree vlan 413

VLAN0413
  Spanning tree enabled protocol ieee
  Root ID    Priority    43
             Address     0012.0183.5900
             Cost        38
             Port        10 (FastEthernet0/10)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33181  (priority 32768 sys-id-ext 413)
             Address     000f.f703.3c00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4               Desg FWD 19        128.4    P2p
Fa0/10              Root FWD 19        128.10   P2p
Fa0/23              Desg FWD 19        128.23   P2p


SW2 prefers the path to the root through port Fa0/10 over the inter-switch link on
Fa0/23, because the IPS is in inline mode and the BPDUs bypass it.

SCRack4R4#ping 204.12.9.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.9.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms

Task 8.3 Solution


R2:
!
ip options drop

Task 8.3 Verification


SCRack4R1#ping
Protocol [ip]:
Target IP address: 164.1.26.6
Repeat count [5]: 2
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 164.1.26.6, timeout is 2 seconds:
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)


Request 0 timed out
Request 1 timed out
Success rate is 0 percent (0/2)

SCRack4R2#show ip traffic | section Drop
         Drop: 29 encapsulation failed, 0 unresolved, 0 no adjacency
               0 no route, 0 unicast RPF, 0 forced drop
               2 options denied
         Drop: 0 packets with source IP address zero
         Drop: 0 packets with internal loop back IP address
               0 physical broadcast

  Drop due to input queue full: 0

Task 8.4 Solution


SW2:
!
! Save the DHCP snooping binding database to flash
!
ip dhcp snooping database flash:/snoop.txt

!
! Enable DHCP snooping on vlan 128; make sure to enter both commands
! otherwise the feature is not functional
!
ip dhcp snooping
ip dhcp snooping vlan 128

!
! Configure the port towards ASA2’s outside interface as trusted, so that
! DHCP Offer packets are allowed in, and rate-limit DHCP traffic
!
!
interface FastEthernet 0/14
ip dhcp snooping limit rate 100
ip dhcp snooping trust

Task 8.4 Verification


SCRack4SW2#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
128
DHCP snooping is operational on following VLANs:
128
DHCP snooping is configured on the following L3 Interfaces:


Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 000f.f703.3c00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/14           yes        yes             100
  Custom circuit-ids:

SCRack4SW2#show ip dhcp snooping database
Agent URL : flash:/snoop.txt
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : 03:46:07 UTC Tue Mar 2 1993
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        1   Startup Failures :        0
Successful Transfers :        1   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        1   Failed Writes    :        0
Media Failures       :        0


Task 8.5 Solution


SW2:
!
! Configure port-security and IP Source Guard with MAC-IP filtering
!
interface FastEthernet0/7
switchport mode access
switchport access vlan 128
switchport port-security
ip verify source port-security
!
! Configure a manual IP to MAC binding for Source Guard
!
ip source binding 1234.2345.3456 vlan 128 164.1.128.55 interface Fa0/7

Task 8.5 Verification


SCRack4SW2#show ip verify source interface fastEthernet 0/7
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/7      ip-mac       inactive-no-snooping-vlan

SCRack4SW2#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
12:34:23:45:34:56   164.1.128.55     infinite    static         128   FastEthernet0/7
Total number of bindings: 1

CCIE Security Lab Workbook Vol II Solutions Guide for CCIEv3.0 Lab 10

IEWB-SC-VOL2 Lab 10 Solutions


Task 1.1 Solution
ASA1:
static (Outside,Inside) tcp interface 2323 150.4.1.1 23 7 2

router ospf 51
network 192.10.4.0 255.255.255.0 area 51
network 191.1.123.0 255.255.255.0 area 51

icmp permit any echo-reply Outside

logging trap 3
logging host Outside 10.0.0.100
logging timestamp

ntp authentication-key 1 md5 CISCO
ntp server 150.4.6.6 key 1

R6:
ntp trusted-key 1
interface FastEthernet0/0
no ntp disable

Task 1.1 Verification


Some things cannot be tested at this time, because there is no connectivity to R6 yet.
Make sure to come back and verify after you have completed the other sections. To
test the port translation, connect from BB2. Alternatively, you can temporarily add
an SVI on the subnet on one of the switches and test from there.

SCRack4BB2>telnet 192.10.4.12 2323
Trying 192.10.4.12, 2323 ... Open

User Access Verification

Password:
SCRack4R1>


Verify that you can ping from ASA1 to R3, but not from R3 to ASA1.

SCRack4ASA1(config)# ping 191.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
SCRack4ASA1(config)#

SCRack4R3#ping 191.1.123.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.1.123.12, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SCRack4R3#

SCRack4ASA1(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level errors, facility 20, 2 messages logged
Logging to Outside 10.0.0.100
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
SCRack4ASA1(config)#


With logging enabled, debug NTP will show packets sent and received.

SCRack4ASA1(config)#
NTP: xmit packet to 150.4.6.6:
leap 3, mode 3, version 3, stratum 0, ppoll 64
rtdel 0000 (0.000), rtdsp 10400 (1015.625), refid 00000000 (0.0.0.0)
ref 00000000.00000000 (06:28:16.000 UTC Thu Feb 7 2036)
org ce13acb6.7daa11a1 (03:44:54.490 UTC Fri Jul 24 2009)
rec aeefd673.2b514a66 (08:53:07.169 UTC Sat Jan 2 1993)
xmt aeefd6b3.2ae09842 (08:54:11.167 UTC Sat Jan 2 1993)
NTP: rcv packet from 150.4.6.6 to 191.1.123.12 on Outside:
leap 0, mode 4, version 3, stratum 4, ppoll 64
rtdel 0000 (0.000), rtdsp 001d (0.443), refid 7f7f0101 (127.127.1.1)
ref ce13ace7.5b863a76 (03:45:43.357 UTC Fri Jul 24 2009)
org aeefd6b3.2ae09842 (08:54:11.167 UTC Sat Jan 2 1993)
rec ce13acf6.7db04252 (03:45:58.490 UTC Fri Jul 24 2009)
xmt ce13acf6.7db685fc (03:45:58.491 UTC Fri Jul 24 2009)
inp aeefd6b3.2b540480 (08:54:11.169 UTC Sat Jan 2 1993)

SCRack4ASA1(config)# show ntp assoc det

150.4.6.6 configured, authenticated, our_master, sane, valid, stratum 4


Task 1.2 Solution


ASA2:
mode multiple
firewall transparent
hostname Rack4ASA2

admin-context MGT
context MGT
config-url flash:MGT.cfg

interface Ethernet 0/0
no shut
!
interface Ethernet 0/1
no shut
!
context A
config-url disk0:/A.cfg
allocate-int Eth0/0
allocate-int Eth0/1

changeto context A

interface Ethernet 0/0
nameif VLAN133
!
interface Ethernet 0/1
nameif VLAN136
exit
!
same-security-traffic permit inter-interface
ip address 255.255.255.255 255.255.255.255

access-list L2 ethertype deny bpdu
access-list L2 ethertype permit any

access-group L2 in interface VLAN133
access-group L2 in interface VLAN136

Although configuring the firewall for multiple contexts is not required for this step,
it is needed for a later section of the lab, so make sure to read through the entire
lab before configuring. For traffic between interfaces, you can use the
“same-security-traffic” command with both interfaces at the same security level.


Task 1.3 Solution


ASA1:
multicast-routing
pim rp-address 150.4.3.3

access-list OUTSIDE permit udp any host 239.1.1.1
access-group OUTSIDE in interface Outside
!
access-list IGMP standard permit host 239.1.1.1
!
interface ethernet 0/1
igmp access-group IGMP

Task 1.3 Verification


SW1: (testing only)
ip multicast-routing
!
interface vlan 122
ip address 192.10.4.7 255.255.255.0
ip pim sparse
ip igmp join-group 239.1.1.1
ip igmp join-group 239.1.1.2

R3:
ip sla 1
udp-echo 239.1.1.1 5000 control disable
timeout 1000
frequency 1
ip sla schedule 1 life forever start-time now

ASA1:
access-list CAPTURE permit ip any 239.0.0.0 255.0.0.0
capture IN access-list CAPTURE interface Inside

Looking at the capture, you can see the traffic flowing from R3 and SW1 attempting
the IGMP joins. Look at the output of show igmp groups to verify that the ASA is
restricting the groups allowed.


SCRack4ASA1(config)# capture IN access-list CAPTURE interface Inside real-time

Warning: using this option with a slow console connection may
result in an excessive amount of non-displayed packets
due to performance limitations.

Use ctrl-c to terminate real-time capture

1: 08:28:14.271546 191.1.123.3.57018 > 239.1.1.1.5000: udp 16
2: 08:28:16.270921 191.1.123.3.62324 > 239.1.1.1.5000: udp 16
3: 08:28:17.861665 192.10.4.7 > 239.1.1.1: ip-proto-2, length 8
4: 08:28:18.270188 191.1.123.3.56179 > 239.1.1.1.5000: udp 16
5: 08:28:20.273606 191.1.123.3.55374 > 239.1.1.1.5000: udp 16
6: 08:28:21.861985 192.10.4.7 > 239.1.1.2: ip-proto-2, length 8
7: 08:28:22.272965 191.1.123.3.59133 > 239.1.1.1.5000: udp 16
8: 08:28:24.272294 191.1.123.3.54272 > 239.1.1.1.5000: udp 16
9: 08:28:26.271668 191.1.123.3.51860 > 239.1.1.1.5000: udp 16
10: 08:28:28.270997 191.1.123.3.58266 > 239.1.1.1.5000: udp 16
11: 08:28:30.270417 191.1.123.3.59877 > 239.1.1.1.5000: udp 16
12: 08:28:32.273759 191.1.123.3.58333 > 239.1.1.1.5000: udp 16

SCRack4ASA1(config)# show igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
239.1.1.1 Inside 00:00:27 00:03:52 192.10.4.7
SCRack4ASA1(config)#
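The check the text describes (joins seen on the wire versus memberships the ASA actually accepted) can be automated over saved output. The following is an added example and is not part of the workbook: it parses constructed capture lines and a constructed "show igmp groups" listing modelled on the output above (IGMP shows up in the ASA capture as ip-proto-2), and reports which attempted joins the "igmp access-group" filter dropped and whether any group outside the permitted set leaked through. The permitted set is taken from the IGMP standard access-list in this task.

```python
import re
from ipaddress import ip_address

# Constructed sample data, modelled on the ASA capture and "show igmp groups"
# output in this task (not copied verbatim). "ip-proto-2" in the capture is IGMP.
CAPTURE = """\
1: 08:28:14.271546 191.1.123.3.57018 > 239.1.1.1.5000: udp 16
2: 08:28:16.270921 191.1.123.3.62324 > 239.1.1.1.5000: udp 16
3: 08:28:17.861665 192.10.4.7 > 239.1.1.1: ip-proto-2, length 8
4: 08:28:18.270188 191.1.123.3.56179 > 239.1.1.1.5000: udp 16
6: 08:28:21.861985 192.10.4.7 > 239.1.1.2: ip-proto-2, length 8
"""

IGMP_GROUPS = """\
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
239.1.1.1 Inside 00:00:27 00:03:52 192.10.4.7
"""

# Groups permitted by "access-list IGMP standard permit host 239.1.1.1".
IGMP_PERMITTED = {"239.1.1.1"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IGMP_PKT_RE = re.compile(
    rf"^\s*\d+:\s+\S+\s+(?P<src>{IPV4})\s+>\s+(?P<grp>{IPV4}):\s+ip-proto-2\b")
GROUP_ROW_RE = re.compile(
    rf"^(?P<grp>{IPV4})\s+(?P<ifc>\S+)\s+\S+\s+\S+\s+(?P<reporter>{IPV4})\s*$")


def igmp_joins_seen(capture: str) -> dict:
    """Return {group: set(reporters)} for every IGMP packet in the capture."""
    joins = {}
    for line in capture.splitlines():
        m = IGMP_PKT_RE.match(line)
        if m and ip_address(m["grp"]).is_multicast:
            joins.setdefault(m["grp"], set()).add(m["src"])
    return joins


def groups_accepted(show_output: str) -> dict:
    """Return {group: last reporter} from 'show igmp groups'; header lines are skipped."""
    accepted = {}
    for line in show_output.splitlines():
        m = GROUP_ROW_RE.match(line.strip())
        if m:
            accepted[m["grp"]] = m["reporter"]
    return accepted


def check_igmp_filter(capture: str, show_output: str, permitted: set) -> dict:
    """Compare joins attempted on the wire with the memberships the ASA accepted."""
    seen = igmp_joins_seen(capture)
    accepted = groups_accepted(show_output)
    return {
        "attempted": sorted(seen),
        "filtered": sorted(g for g in seen if g not in accepted),
        # Accepted groups the ACL should have blocked; non-empty means the filter failed.
        "leaked": sorted(g for g in accepted if g not in permitted),
        "ok": all(g in permitted for g in accepted),
    }


if __name__ == "__main__":
    for key, value in check_igmp_filter(CAPTURE, IGMP_GROUPS, IGMP_PERMITTED).items():
        print(f"{key}: {value}")
```

With the sample data, joins for 239.1.1.1 and 239.1.1.2 are seen, only 239.1.1.1 appears in the membership table, and nothing outside the permitted set leaked, which is the result the verification expects.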



SCRack4ASA1(config)# show igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
239.1.1.1 Inside 00:06:48 00:02:18 192.10.4.254

SCRack4ASA1(config)# show mroute
Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
C - Connected, L - Local, I - Received Source Specific Host Report,
P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
J - Join SPT
Timers: Uptime/Expires
Interface state: Interface, State

(*, 239.1.1.1), 00:04:39/never, RP 150.4.3.3, flags: SCJ
Incoming interface: Outside
RPF nbr: 191.1.123.3
Outgoing interface list:
Inside, Forward, 00:04:39/never

(191.1.123.3, 239.1.1.1), 00:24:32/00:03:27, flags: SFJT
Incoming interface: Outside
RPF nbr: 191.1.123.3
Immediate Outgoing interface list: Null
SCRack4ASA1(config)#

R3:
no ip sla schedule 1 life forever start-time now

SW1:
no interface vlan122
no ip multicast-routing
no ip pim rp-address 150.4.3.3


Task 2.1 Solution


R3:
no service dhcp
no ip bootp server
no ip source-route
interface FastEthernet 0/1
no cdp enable
no ip unreachables

ip inspect name MYFW tcp router-traffic
ip inspect name MYFW udp router-traffic
ip inspect name MYFW icmp router-traffic

ip access-list extended FW
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 191.1.0.0 0.0.255.255 any
deny ip 150.4.0.0 0.0.255.255 any
permit tcp any host 10.0.0.100

R3:
interface FastEthernet0/1
ip inspect MYFW out
ip access-group FW in

ip access-list extended NAT
permit ip 191.1.55.0 0.0.0.255 any
!
! prefix-length 24 corresponds to the pool netmask 255.255.255.0 shown in the verification
ip nat pool VLAN133 204.12.4.30 204.12.4.30 prefix-length 24
!
interface Serial1/0.34
ip nat enable
!
interface Serial1/3
ip nat enable
!
interface FastEthernet0/1
ip nat enable
!
ip nat source list NAT pool VLAN133
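The FW access-list applied inbound on FastEthernet0/1 is an ingress anti-spoofing filter: packets claiming an RFC 1918 or internal (191.1.x.x, 150.4.x.x) source are dropped before the single permit is considered, and everything else falls to the implicit deny, with return traffic handled by the CBAC inspection rather than the ACL. The block below is an added example, not part of the workbook: a small evaluator for IOS extended ACL wildcard-mask semantics, run against the FW entries from this task (copied as constructed input). Port qualifiers such as "eq" are not modelled because the ACL on this page has none.

```python
from ipaddress import IPv4Address

# The FW access-list from this task, used here as constructed sample input.
FW_ACL = """\
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 191.1.0.0 0.0.255.255 any
deny ip 150.4.0.0 0.0.255.255 any
permit tcp any host 10.0.0.100
"""


def _parse_spec(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD) -> ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text):
    """Turn IOS extended ACL lines into (action, proto, src_spec, dst_spec, line) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_spec(tokens, 2)
        dst, _ = _parse_spec(tokens, i)  # port qualifiers (eq/range) are not modelled
        entries.append((action, proto, src, dst, line))
    return entries


def _matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (base & care)


def evaluate(entries, proto, src, dst):
    """First-match evaluation; returns (action, matching line) or ('deny', None) for the implicit deny."""
    for action, eproto, sspec, dspec, line in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if _matches(sspec, src) and _matches(dspec, dst):
            return action, line
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(FW_ACL)
    # A spoofed internal source arriving on the outside interface hits the first deny.
    print(evaluate(acl, "tcp", "10.1.2.3", "10.0.0.100"))
    # An outside source is allowed only by the explicit TCP permit.
    print(evaluate(acl, "tcp", "204.12.4.6", "10.0.0.100"))
    # Anything else, here UDP to the same host, falls through to the implicit deny.
    print(evaluate(acl, "udp", "204.12.4.6", "10.0.0.100"))
```

The 172.16.0.0 0.15.255.255 entry is the one people most often get wrong by hand: the wildcard keeps only the top four bits of the second octet, so 172.31.x.x is denied while 172.32.x.x is not.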


Task 2.1 Verification


SCRack4R3#show ip nat nvi stat
Total active translations: 2 (0 static, 2 dynamic; 1 extended)
NAT Enabled interfaces:
FastEthernet0/0, FastEthernet0/1, Serial1/0.34, Serial1/3
Hits: 967 Misses: 0
CEF Translated packets: 484, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Source [Id: 2] access-list NAT pool VLAN133 refcount 2
pool VLAN133: netmask 255.255.255.0
start 204.12.4.30 end 204.12.4.30
type generic, total addresses 1, allocated 1 (100%), misses 0

SCRack4R3#show ip nat nvi trans
Pro Source global Source local Destin local Destin global
icmp 204.12.4.30:10 191.1.55.5:10 204.12.4.6:10 204.12.4.6:10
--- 204.12.4.30 191.1.55.5 --- ---
SCRack4R3#

Task 2.2 Solution


R3:
access-list 33 permit 204.12.4.0 0.0.0.255
ip inspect name MYFW http java-list 33

Task 2.3 Solution


R3:
!
! By adding the alternate HTTP ports to the inspection for HTTP,
! they will be subject to the same java filtering list configured
! in the prior section.
!
ip port-map http port tcp 8080 10080


Task 3.1 Solution


R4, R5:
crypto isakmp policy 10
encry des
hash sha
group 5
authentication pre-share

crypto ipsec transform-set MY456 esp-3des esp-sha-hmac

R4:
ip route 10.4.4.0 255.255.255.0 null0

interface FastEthernet0/1
ip nat inside
!
interface Serial0/0.34
ip nat outside
interface Serial0/1
ip nat outside

ip nat inside source static network 10.45.45.0 10.4.4.0 /24

access-list 145 permit ip 10.4.4.0 0.0.0.255 10.5.5.0 0.0.0.255
!
crypto map MYMAP local-address loop0
crypto map MYMAP 10 ipsec-isakmp
match address 145
set peer 150.4.5.5
set transform-set MY456
!
interface Serial 0/1
crypto map MYMAP
!
interface Serial 0/0.34
crypto map MYMAP
!
router ospf 1
redistribute static subnets

crypto isakmp key VPN address 150.4.5.5


R5:
ip route 10.5.5.0 255.255.255.0 null0

interface FastEthernet0/1
ip nat inside
!
interface Serial0/1
ip nat outside
!
interface Serial0/0.25
ip nat outside
ip nat inside source static network 10.45.45.0 10.5.5.0 /24

crypto map MYMAP local-address loop0
crypto map MYMAP 10 ipsec-isakmp
match address 145
set peer 150.4.4.4
set transform-set MY456

interface Serial0/1
crypto map MYMAP
!
interface Serial0/0.25
crypto map MYMAP
!
router ospf 1
redist static subnets
!
crypto isakmp key VPN address 150.4.4.4


Task 3.1 Verification


SCRack4R5#show ip route 10.4.4.0
Routing entry for 10.4.4.0/24
Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 9999
Last update from 191.1.45.4 on Serial0/1, 00:25:39 ago
Routing Descriptor Blocks:
* 191.1.45.4, from 150.4.4.4, 00:25:39 ago, via Serial0/1
Route metric is 20, traffic share count is 1

SCRack4R4#show ip route 10.5.5.0
Routing entry for 10.5.5.0/24
Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 9999
Last update from 191.1.45.5 on Serial0/1, 00:07:06 ago
Routing Descriptor Blocks:
* 191.1.45.5, from 150.4.5.5, 00:07:06 ago, via Serial0/1
Route metric is 20, traffic share count is 1

SCRack4R4#ping 10.5.5.5 source fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.45.45.4
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 52/53/56 ms
SCRack4R4#

SCRack4R4#show cry isa sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 150.4.4.4 150.4.5.5 ACTIVE des sha psk 5 23:57:52
Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

SCRack4R4#


SCRack4R4#show ip nat trans
Pro Inside global Inside local Outside local Outside global
--- 10.4.4.4 10.45.45.4 --- ---
--- 10.4.4.0 10.45.45.0 --- ---
SCRack4R4#

SCRack4R5#show cry ipsec sa | i peer|caps|dent
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
current_peer 150.4.4.4 port 500
#pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
current_peer 150.4.4.4 port 500
#pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
SCRack4R5#

Task 3.2 Solution


R6:
crypto isakmp policy 10
encry des
hash sha
group 5
auth pre-share

crypto ipsec transform-set MY456 esp-3des esp-sha-hmac

crypto isakmp key VPN address 150.4.4.4
crypto isakmp key VPN address 150.4.5.5

crypto ipsec profile TEST
set transform-set MY456

interface tunnel1
ip address 191.1.145.6 255.255.255.0
tunnel source lo0
tunnel mode gre multi
ip nhrp network-id 1
ip nhrp map multicast dynamic
no ip split-horizon eigrp 1
no ip next-hop-self eigrp 1
tunnel protection ipsec profile TEST


router eigrp 1
no auto-summary
network 191.1.145.0 0.0.0.255
network 10.6.6.0 0.0.0.255

R4:
crypto isakmp key VPN address 150.4.6.6

crypto ipsec profile TEST
set transform-set MY456

interface tunnel1
ip address 191.1.145.4 255.255.255.0
tunnel source lo0
tunnel mode gr multi
ip nhrp network-id 1
ip nhrp map 191.1.145.6 150.4.6.6
ip nhrp map multicast 150.4.6.6
ip nhrp network-id 1
ip nhrp nhs 191.1.145.6
tunnel protection ipsec profile TEST
ip nat outside

interface loop0
ip address 10.4.4.254 255.255.255.0 secondary

no ip route 10.4.4.0 255.255.255.0 null0

router eigrp 1
no auto-summary
network 10.4.4.0 0.0.0.255
network 191.1.145.0 0.0.0.255

R5:
crypto isakmp key VPN address 150.4.6.6
!
crypto ipsec profile TEST
set transform-set MY456
!
interface tunnel1
ip address 191.1.145.5 255.255.255.0
tunnel source lo0
tunnel mode gr multi
ip nhrp network-id 1
ip nhrp map 191.1.145.6 150.4.6.6
ip nhrp map multicast 150.4.6.6
ip nhrp network-id 1
ip nhrp nhs 191.1.145.6
tunnel protection ipsec profile TEST
ip nat outside
!
no ip route 10.5.5.0 255.255.255.0 null0
interface loop0
ip address 10.5.5.254 255.255.255.0 secondary
!


router eigrp 1
no auto-summary
network 10.5.5.0 0.0.0.255
network 191.1.145.0 0.0.0.255

Task 3.2 Verification


SCRack4R6#ping 10.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 156/156/156 ms

SCRack4R6#ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/108/108 ms
SCRack4R6#

SCRack4R4#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 10.4.4.4:11 10.45.45.4:11 191.1.145.6:11 191.1.145.6:11
--- 10.4.4.4 10.45.45.4 --- ---
--- 10.4.4.0 10.45.45.0 --- ---
SCRack4R4#

R4:
interface Serial0/0.34
no cry map MYMAP
interface Serial0/1
no crypto map MYMAP

no crypto map MYMAP

R5:
interface ser0/1
no cry map MYMAP
!
interface Serial0/0.25
no cry map MYMAP
!
no crypto map MYMAP


Verify that you can ping from R4 to R5 off the FastEthernet interfaces:

SCRack4R4#ping 10.5.5.5 source fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.45.45.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 260/262/264 ms

SCRack4R4#show ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 10.4.4.4:21 10.45.45.4:21 10.5.5.5:21 10.5.5.5:21
--- 10.4.4.4 10.45.45.4 --- ---
--- 10.4.4.0 10.45.45.0 --- ---

SCRack4R4#show cry ipsec sa | i peer|caps|dent
local ident (addr/mask/prot/port): (150.4.4.4/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (150.4.6.6/255.255.255.255/47/0)
current_peer 150.4.6.6 port 500
#pkts encaps: 166, #pkts encrypt: 166, #pkts digest: 166
#pkts decaps: 144, #pkts decrypt: 144, #pkts verify: 144
SCRack4R4#

Task 3.3 Solution


GET VPN configuration allows R4 and R5 to use different ISAKMP keys, since
R4 and R5 will be negotiating with the key server. Also, R6 does not need
ISAKMP keys for R4 or R5, just for the GET VPN key server.

R3:
crypto isakmp policy 10
encry des
hash sha
group 5
auth pre-share
!
crypto key generate rsa label MYKEYS mod 1024
!
crypto isakmp key R4isakmp address 150.4.34.4
crypto isakmp key R4isakmp address 150.4.45.4
crypto isakmp key R5isakmp address 150.4.25.5
crypto isakmp key R5isakmp address 150.4.45.5
crypto isakmp key R6isakmp address 204.12.4.6


ip access-list extended FW
no deny ip any any log
permit udp host 204.12.4.6 eq 848 host 150.4.3.3 eq 848
permit esp host 150.4.6.6 host 150.4.4.4
permit esp host 150.4.6.6 host 150.4.5.5
deny ip any any log
!
crypto ipsec transform-set MY456 esp-3des esp-sha-hmac
!
crypto ipsec profile MYGET
set security-association lifetime seconds 1800
set transform-set MY456
!
ip access-list extended GETACL
permit gre any any
!
crypto gdoi group group1
identity number 1
server local
rekey lifetime seconds 86400
rekey retransmit 10 number 2
rekey authentication mypubkey rsa MYKEYS
rekey transport unicast
sa ipsec 1
profile MYGET
match address ipv4 GETACL
replay counter window-size 1024
address ipv4 150.4.3.3

R4:
crypto isakmp key R4isakmp address 150.4.3.3
no crypto isakmp key VPN address 150.4.6.6
no crypto isakmp key VPN address 150.4.5.5
!
crypto gdoi group MYGET
identity number 1
server address ipv4 150.4.3.3
!
crypto map MYMAP 10 gdoi
set group MYGET
!
interface Tunnel1
no tunnel protection ipsec profile TEST

interface Serial0/0.34
crypto map MYMAP
!
interface Serial0/1
crypto map MYMAP

no access-list 145


R5:
crypto isakmp key R5isakmp address 150.4.3.3
no crypto isakmp key VPN address 150.4.4.4
no crypto isakmp key VPN address 150.4.6.6
!
crypto gdoi group MYGET
identity number 1
server address ipv4 150.4.3.3
!
crypto map MYMAP 10 gdoi
set group MYGET
!
interface Tunnel1
no tunnel protection ipsec profile TEST

interface Serial0/0.25
crypto map MYMAP
!
interface Serial0/1
crypto map MYMAP

no access-list 145

R6:
crypto isakmp key R6isakmp address 150.4.3.3
no crypto isakmp key VPN address 150.4.4.4
no crypto isakmp key VPN address 150.4.5.5
!
crypto gdoi group MYGET
identity number 1
server address ipv4 150.4.3.3
!
crypto map MYMAP 10 gdoi
set group MYGET
!

interface Tunnel1
no tunnel protection ipsec profile TEST

interface FastEthernet0/0
crypto map MYMAP


Task 3.3 Verification


SCRack4R3#show cry isak sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
150.4.3.3 191.1.45.5 GDOI_IDLE 1004 0 ACTIVE
150.4.3.3 191.1.34.4 GDOI_IDLE 1001 0 ACTIVE
150.4.3.3 204.12.4.6 GDOI_IDLE 1005 0 ACTIVE
150.4.3.3 191.1.45.4 GDOI_IDLE 1002 0 ACTIVE
150.4.3.3 191.1.25.5 GDOI_IDLE 1003 0 ACTIVE

IPv6 Crypto ISAKMP SA

SCRack4R5#show access-list

SCRack4R5#

SCRack4R5#show run | i crypto isakmp key
crypto isakmp key R5isakmp address 150.4.3.3
SCRack4R5#

SCRack4R4#show run | i crypto isakmp key
crypto isakmp key R4isakmp address 150.4.3.3

SCRack4R5#ping 10.6.6.6 source fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 10.45.45.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/169/188 ms

SCRack4R5#ping 10.4.4.4 source fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.45.45.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/105/273 ms
SCRack4R5#

SCRack4R4#ping 10.6.6.6 sou fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 10.45.45.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/108/109 ms
SCRack4R4#


Task 4.1 Solution


IPS:
service host
network-settings
access-list 10.0.0.0/24
host-ip 10.0.0.123/24,10.0.0.7
exit
exit
yes

service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
vlan1 1014
vlan2 1008
exit
exit
exit
exit
yes

service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/0 subinterface-number 1
exit
exit
yes

service signature-definition sig0
signatures 2000 0
status
enabled true
exit
exit
signatures 2004 0
status
enabled true
exit
exit
yes

SW2:
interface FastEthernet0/10
switchport trunk encap dot1q
switchport trunk allowed vlan 1014,1008


Task 4.1 Verification


SCRack4SW2#show interface FastEthernet0/10 trunk

Port Mode Encapsulation Status Native vlan
Fa0/10 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/10 1008,1014

Port Vlans allowed and active in management domain
Fa0/10 1008,1014

Port Vlans in spanning tree forwarding state and not pruned
Fa0/10 1008,1014
SCRack4SW2#

Task 4.2 Solution


IPS:
service event-action-rules rules0
target-value mission-critical target 191.1.114.4
target-value medium target 191.1.114.200
exit
filters insert MYFILTER begin
signature-id-range 2000,2004
risk-rating-range 1-89
actions-to-remove deny-attacker-inline
exit
exit
yes

Task 4.3 Solution


IPS:
service notification
read-only-community IPSRO
read-write-community IPSRW
trap-community-name CISCO
trap-destinations 10.0.0.100
exit
enable-set-get true
enable-notifications true
exit
yes

service signature-definition sig0
signatures 2004 0
engine atomic-ip
event-action request-snmp-trap


Task 4.4 Solution


Start by importing the public key. You can copy and paste it into the
configuration.

R6:
SCRack4R6#more realm-cisco.pub.key.txt
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
exit
exit

mkdir flash:/ipsdir

conf t
ip ips name R6IPS
ip ips config location flash:/ipsdir
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
interface FastEthernet0/0
ip ips R6IPS in
end


copy flash:IOS-S347-CLI.pkg idconf

conf t
ip ips signature-category
category ios_ips basic

ip ips signature-definition
signature 2000 0
status
enabled true
retired false
exit
exit
signature 2004 0
status
enabled true
retired false
exit
exit


Task 4.4 Verification


SCRack4R6#show ip ips signatures engine atomic-ip
Cisco SDF release version S347.0
Trend SDF release version V0.0

En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release

Signature Micro-Engine: atomic-ip: Total Signatures 303
atomic-ip enabled signatures: 103
atomic-ip retired signatures: 280
atomic-ip compiled signatures: 23
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
9433:1 N* Nr A HIGH 0 1 0 0 0 FA N 100 S256
9430:1 N* Nr A HIGH 0 1 0 0 0 FA N 100 S256
9418:1 N* Nr A HIGH 0 1 0 0 0 FA N 100 S256
9403:2 N* Nr A HIGH 0 1 0 0 0 FA N 100 S256
4607:9 N* Nr A HIGH 0 1 0 0 0 FA N 100 S256
4607:8 N* Nr A HIGH 0 1 0 0 0 FA N 100 S256
4607:7 N* Nr A HIGH 0 1 0 0 0 FA N 100 S256
4607:6 N* Nr A HIGH 0 1 0 0 0 FA N 100 S256
50000:2 N* Nr A HIGH 0 1 0 0 300 FA N 100 S181
50000:1 N* Nr A HIGH 0 1 0 0 300 FA N 100 S181
50000:0 N* Nr A HIGH 0 1 0 0 300 FA N 100 S181
4608:5 Y* Nr A HIGH 0 1 0 0 0 FA N 100 S177
4608:4 Y* Nr A HIGH 0 1 0 0 0 FA N 100 S177
4608:3 Y* Nr A HIGH 0 1 0 0 0 FA N 100 S177
4607:5 Y* Nr A HIGH 0 1 0 0 0 FA N 100 S177
1108:0 Y Y A HIGH 0 1 0 0 30 FA N 100 S27
<snip>

Generate some ICMP traffic from R3 by pinging R6, or by pinging BB3 from R6.


SCRack4R6#ping 204.12.4.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.4.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
SCRack4R6#
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [204.12.4.254:0 -> 204.12.4.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [204.12.4.254:0 -> 204.12.4.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [204.12.4.254:0 -> 204.12.4.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [204.12.4.254:0 -> 204.12.4.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [204.12.4.254:0 -> 204.12.4.6:8] VRF:NONE RiskRating:25
SCRack4R6#

%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [204.12.4.3:8 -> 204.12.4.6:0] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [204.12.4.3:8 -> 204.12.4.6:0] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [204.12.4.3:8 -> 204.12.4.6:0] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [204.12.4.3:8 -> 204.12.4.6:0] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [204.12.4.3:8 -> 204.12.4.6:0] VRF:NONE RiskRating:25
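Once R6 forwards these %IPS-4-SIGNATURE messages to a syslog collector, the useful work is turning them into structured events and aggregating them per signature and source, which is what a SIEM correlation rule does. The following is an added example, not part of the workbook: it parses constructed log lines modelled on the messages above (one unrelated syslog line is included to show it is ignored), counts hits per (signature, source), and lists the sources that triggered a signature repeatedly at or above a chosen RiskRating. The threshold values are arbitrary choices for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the %IPS-4-SIGNATURE messages R6 logged above.
IPS_LOG = """\
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [204.12.4.254:0 -> 204.12.4.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 ICMP Echo Reply [204.12.4.254:0 -> 204.12.4.6:8] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [204.12.4.3:8 -> 204.12.4.6:0] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [204.12.4.3:8 -> 204.12.4.6:0] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [204.12.4.3:8 -> 204.12.4.6:0] VRF:NONE RiskRating:25
%SYS-5-CONFIG_I: Configured from console by console
"""

IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)


def parse_ips_events(text):
    """Parse %IPS-4-SIGNATURE lines into dicts; unrelated syslog lines are skipped.
    For ICMP signatures the two 'port' fields are not TCP/UDP ports, so they are kept as raw ints."""
    events = []
    for line in text.splitlines():
        m = IPS_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sig", "subsig", "sev", "sport", "dport", "rr"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def summarize(events):
    """Count events per (signature id, signature name, source address)."""
    return Counter((e["sig"], e["name"], e["src"]) for e in events)


def noisy_sources(events, min_hits, min_risk=0):
    """Sources that fired one signature at least min_hits times with RiskRating >= min_risk."""
    counts = summarize(e for e in events if e["rr"] >= min_risk)
    return sorted({(src, sig) for (sig, _, src), n in counts.items() if n >= min_hits})


if __name__ == "__main__":
    evs = parse_ips_events(IPS_LOG)
    for key, n in summarize(evs).items():
        print(n, key)
    print(noisy_sources(evs, min_hits=3))
```

Because the router has no "service timestamps" applied to these messages, the sample carries no time field; in a collector you would key the same counts on the receive time and a sliding window.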


Task 4.5 Solution


ASA1:
domain-name INE.com
crypto key gen rsa modulus 1024
ssh 10.0.0.123 255.255.255.255 Outside
username ips1 password ips priv 15
aaa authentication ssh console LOCAL

R5 and R6:
ip domain-name INE.com
crypto key gen rsa mod 1024
username ips password ips
line vty 0 15
login local

IPS:

Step 1:

Add the host keys under SSH | Known Host Keys.

Step 2:

Add the login information under Blocking | Device Login Properties.

Step 3:

Add the devices under Blocking | Blocking Devices.

Step 4:

Under Router Blocking Devices, add R5 and R6.

Step 5:

Under Monitoring | Active Host Blocks, add the IP addresses 88.88.88.88 and 99.99.99.99.

Step 6:

Verify that the blocks show up on R6 and the ASA.


SCRack4R6#show run interface Serial0/0/0

interface Serial0/0/0
ip address 54.4.2.6 255.255.255.0
ip access-group IDS_Ser0/0/0_in_1 in
encapsulation frame-relay
frame-relay map ip 54.4.2.254 100
no frame-relay inverse-arp
frame-relay lmi-type cisco
end

SCRack4R6#show access-list
Extended IP access list IDS_Ser0/0/0_in_1
10 permit ip host 10.0.0.123 any
20 deny ip host 99.99.99.99 any
30 deny ip host 88.88.88.88 any
40 permit ip any any (17 matches)
SCRack4R6#

In order to install a shun entry, the ASA firewall needs a route to reach the shunned
host/network. Use static routing commands to accomplish this.

route Outside 88.88.88.88 255.255.255.255 191.1.123.3
route Outside 99.99.99.99 255.255.255.255 191.1.123.3

SCRack4ASA1(config)# show shun
shun (Outside) 88.88.88.88 0.0.0.0 0 0 0
shun (Outside) 99.99.99.99 0.0.0.0 0 0 0

Under Monitoring | Rate Limits, add a rate limit for the protocol icmp with a rate of
50 and a source IP of 88.88.88.88. Next, verify the policy applied to R5.


%SYS-5-CONFIG_I: Configured from console by ips on vty0 (150.4.5.5)

SCRack4R5#show policy-map interface Serial0/0.25
 Serial0/0.25

  Service-policy input: IDS_RL_POLICY_MAP_1

    Class-map: IDS_RL_CLASS_MAP_icmp-Axxx-50_1 (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IDS_RL_ACL_icmp-Axxx-50_1
        0 packets, 0 bytes
        5 minute rate 0 bps
      police:
          cir 50 %
          cir 32000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      18 packets, 912 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
SCRack4R5#show access-list
Extended IP access list IDS_RL_ACL_icmp-Axxx-50_1
10 permit icmp host 88.88.88.88 any
SCRack4R5#
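As an added check (example code written for this guide, not part of the workbook or of the IPS product), the script below parses the R6 show access-list output and the ASA show shun output captured above and confirms that both blocked hosts are enforced on each device. It also checks that the sensor's management address (10.0.0.123, the address permitted for SSH on ASA1 in this task) is permitted by an entry that precedes the deny entries, since a blocking device must stay reachable from the sensor while blocks are active. The blocked-host set and the device output are taken from the task; the check functions and their messages are the example's own.

```python
"""Sanity-check the IPS-initiated blocks from Task 4.5 against the blocking devices.

Parses 'show access-list' from R6 and 'show shun' from the ASA, then confirms that
every host the sensor was told to block is denied on the router and shunned on the
firewall, and that the sensor's own address is permitted ahead of the deny entries.
"""
import re

# Device output copied from the Task 4.5 verification above.
R6_ACL = """\
Extended IP access list IDS_Ser0/0/0_in_1
10 permit ip host 10.0.0.123 any
20 deny ip host 99.99.99.99 any
30 deny ip host 88.88.88.88 any
40 permit ip any any (17 matches)
"""
ASA_SHUN = """\
shun (Outside) 88.88.88.88 0.0.0.0 0 0 0
shun (Outside) 99.99.99.99 0.0.0.0 0 0 0
"""

BLOCKED_HOSTS = {"88.88.88.88", "99.99.99.99"}   # entered under Active Host Blocks
SENSOR_MGMT = "10.0.0.123"                        # IPS address permitted for SSH on ASA1

ACE_RE = re.compile(r"(\d+) (permit|deny) (\S+) (host \S+|any) (host \S+|any)")


def parse_ios_acl(text, name):
    """Return the entries of the named extended ACL as (seq, action, proto, src, dst)."""
    entries, in_acl = [], False
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"Extended IP access list (\S+)", line)
        if header:
            in_acl = header.group(1) == name
            continue
        ace = ACE_RE.match(line) if in_acl else None
        if ace:
            seq, action, proto, src, dst = ace.groups()
            entries.append((int(seq), action, proto,
                            src.replace("host ", ""), dst.replace("host ", "")))
    return entries


def parse_asa_shun(text):
    """Return {shunned_ip: interface} from 'show shun' output."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^shun \((\S+)\) (\S+)", text, re.MULTILINE)}


def check_router_blocks(entries, blocked, sensor):
    """List the problems with a router blocking ACL; an empty list means it is correct."""
    problems = []
    denied = {src for _, action, _, src, _ in entries if action == "deny"}
    missing = blocked - denied
    if missing:
        problems.append("not denied on router: " + ", ".join(sorted(missing)))
    deny_seqs = [seq for seq, action, *_ in entries if action == "deny"]
    sensor_permits = [seq for seq, action, _, src, _ in entries
                      if action == "permit" and src == sensor]
    # The sensor must keep reaching the device it manages while blocks are active,
    # so its permit entry has to come before the first deny.
    if not sensor_permits or (deny_seqs and min(sensor_permits) > min(deny_seqs)):
        problems.append("sensor %s is not permitted ahead of the blocks" % sensor)
    return problems


def check_asa_shuns(shuns, blocked, interface="Outside"):
    """List blocked hosts that have no shun, or whose shun is on the wrong interface."""
    problems = []
    for ip in sorted(blocked):
        if ip not in shuns:
            problems.append("no shun for %s" % ip)
        elif shuns[ip] != interface:
            problems.append("shun for %s is on %s, expected %s"
                            % (ip, shuns[ip], interface))
    return problems


if __name__ == "__main__":
    acl = parse_ios_acl(R6_ACL, "IDS_Ser0/0/0_in_1")
    issues = check_router_blocks(acl, BLOCKED_HOSTS, SENSOR_MGMT)
    issues += check_asa_shuns(parse_asa_shun(ASA_SHUN), BLOCKED_HOSTS)
    print("OK" if not issues else "\n".join(issues))
```

Feed the script the live output of the two show commands instead of the embedded copies to re-run the check after the sensor adds or ages out a block.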

Task 5.1 Solution


ASA1:
aaa-server RAD protocol radius
aaa-server RAD (Outside) host 10.0.0.100
key cisco

static (Inside,Outside) 191.1.123.99 192.10.4.99 netmask 255.255.255.255
virtual http 192.10.4.99
aaa authentication include http Outside 0 0 RAD
aaa authentication include https Outside 0 0 RAD
aaa authentication secure-http-client


AAA Server:

Step 1:

Configure a downloadable ACL with an entry to allow HTTP access to devices
on VLAN 122.


Step 2:

Assign the downloadable ACL to the user HTTPUSER.

ASA1:
access-list OUTSIDE permit tcp any host 191.1.123.99 eq 80
access-list OUTSIDE permit tcp any host 191.1.123.99 eq 443
access-group OUTSIDE in interface Outside per-user-override


Task 5.1 Verification


Test authentication from the TEST PC by connecting to the translated IP
address of the virtual HTTP server. After authentication, verify with
packet-tracer that access to the web server on VLAN 122 is allowed. Because
the access-group on the interface uses the per-user-override option, the ACL
entries pushed from the ACS server allow traffic that the outside ACL itself
does not permit.

SCRack4ASA1# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'HTTPUSER' at 191.1.114.200, authenticated
  access-list #ACSACL#-IP-BB2-4a78c0e6 (*)
  absolute   timeout: 0:05:00
  inactivity timeout: 0:00:00
SCRack4ASA1# show access-list #ACSACL#-IP-BB2-4a78c0e6
access-list #ACSACL#-IP-BB2-4a78c0e6; 2 elements (dynamic)
access-list #ACSACL#-IP-BB2-4a78c0e6 line 1 extended permit tcp any
192.10.4.0 255.255.255.0 eq www (hitcnt=0) 0x7e435eb9
access-list #ACSACL#-IP-BB2-4a78c0e6 line 2 extended permit tcp any
host 191.1.123.99 eq www (hitcnt=3) 0xdc3bff6b
SCRack4ASA1#

SCRack4ASA1# packet-tracer input Outside tcp 191.1.114.200 55000 192.10.4.200 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.10.4.0 255.255.255.0 Inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:


Forward Flow based lookup yields rule:
in id=0xd5d86420, priority=13, domain=permit, deny=false
hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=191.1.114.200, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: ACCESS-LIST
Subtype: aaa-user
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5d7cfa8, priority=12, domain=aaa-user, deny=false
hits=1, user_data=0xa, cs_id=0x0, flags=0x0, protocol=6
src ip=191.1.114.200, mask=255.255.255.255, port=0
dst ip=192.10.4.0, mask=255.255.255.0, port=80, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd592b0b8, priority=0, domain=permit-ip-option, deny=true
hits=363, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: AAA
Subtype: aaa-auth
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5d86560, priority=89, domain=aaa-auth, deny=true
hits=1, user_data=0xd5d99a80, cs_id=0x0, flags=0x0, protocol=0
src ip=191.1.114.200, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd595a610, priority=0, domain=permit-ip-option, deny=true
hits=80, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1769, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.10.4.200 using egress ifc Inside
adjacency Active
next-hop mac address 0012.0183.5900 hits 165

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

SCRack4ASA1#


SCRack4ASA1(config)# show uauth
                        Current    Most Seen
Authenticated Users       0          1
Authen In Progress        0          2
SCRack4ASA1(config)# Doing aaa for user HTTPUSER, session id 2147483712
radius mkreq: 0x11
alloc_rip 0xd5e42f08
new request 0x11 --> 22 (0xd5e42f08)
got user 'HTTPUSER'
got password
add_req 0xd5e42f08 session 0x11 id 22
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 128).....
01 16 00 80 b0 29 ae 4f dc e5 ba 6b c8 61 86 47 | .....).O...k.a.G
74 9d 12 e3 01 0a 48 54 54 50 55 53 45 52 02 12 | t.....HTTPUSER..
38 dc f8 8a 3b cc f3 ba 21 4d 18 80 3e d9 18 2e | 8...;...!M..>...
04 06 bf 01 7b 0c 05 06 00 00 00 0e 3d 06 00 00 | ....{.......=...
00 05 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75 | ..."......ip:sou
72 63 65 2d 69 70 3d 31 39 31 2e 31 2e 31 31 34 | rce-ip=191.1.114
2e 32 30 30 1f 1c 69 70 3a 73 6f 75 72 63 65 2d | .200..ip:source-
69 70 3d 31 39 31 2e 31 2e 31 31 34 2e 32 30 30 | ip=191.1.114.200

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 22 (0x16)
Radius: Length = 128 (0x0080)
Radius: Vector: B029AE4FDCE5BA6BC8618647749D12E3
Radius: Type = 1 (0x01) User-Name
Radius: Length = 10 (0x0A)
Radius: Value (String) =
48 54 54 50 55 53 45 52 | HTTPUSER
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
38 dc f8 8a 3b cc f3 ba 21 4d 18 80 3e d9 18 2e | 8...;...!M..>...
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 191.1.123.12 (0xBF017B0C)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xE
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 31 | ip:source-ip=191
2e 31 2e 31 31 34 2e 32 30 30 | .1.114.200


Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 31 | ip:source-ip=191
2e 31 2e 31 31 34 2e 32 30 30 | .1.114.200
send pkt 10.0.0.100/1645
rip 0xd5e42f08 state 7 id 22
rad_vrfy() : response message verified
rip 0xd5d016f8
: chall_state ''
: state 0x7
: timer 0x0
: reqauth:
b0 29 ae 4f dc e5 ba 6b c8 61 86 47 74 9d 12 e3
: info 0x11
session_id 0x11
request_id 0x16
user 'HTTPUSER'
response '***'
app 443
reason 0
skey 'cisco'
sip 10.0.0.100
type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 112).....
02 16 00 70 6f b5 6c 00 2b d9 f5 25 89 57 6a 2d | ...po.l.+..%.Wj-
01 0b 82 01 1a 3c 00 00 00 09 01 36 41 43 53 3a | .....<.....6ACS:
43 69 73 63 6f 53 65 63 75 72 65 2d 44 65 66 69 | CiscoSecure-Defi
6e 65 64 2d 41 43 4c 3d 23 41 43 53 41 43 4c 23 | ned-ACL=#ACSACL#
2d 49 50 2d 42 42 32 2d 34 61 37 38 63 30 65 36 | -IP-BB2-4a78c0e6
08 06 ff ff ff ff 19 1a 43 41 43 53 3a 30 2f 31 | ........CACS:0/1
38 36 31 34 2f 62 66 30 31 37 62 30 63 2f 31 34 | 8614/bf017b0c/14

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 22 (0x16)
Radius: Length = 112 (0x0070)
Radius: Vector: 6FB56C002BD9F52589576A2D010B8201
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 60 (0x3C)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 54 (0x36)
Radius: Value (String) =
41 43 53 3a 43 69 73 63 6f 53 65 63 75 72 65 2d | ACS:CiscoSecure-
44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53 | Defined-ACL=#ACS
41 43 4c 23 2d 49 50 2d 42 42 32 2d 34 61 37 38 | ACL#-IP-BB2-4a78
63 30 65 36 | c0e6
Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 255.255.255.255 (0xFFFFFFFF)
Radius: Type = 25 (0x19) Class


Radius: Length = 26 (0x1A)
Radius: Value (String) =
43 41 43 53 3a 30 2f 31 38 36 31 34 2f 62 66 30 | CACS:0/18614/bf0
31 37 62 30 63 2f 31 34 | 17b0c/14
rad_procpkt: ACCEPT
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 215).....
01 17 00 d7 b0 29 ae 4f dc e5 ba 6b c8 61 86 47 | .....).O...k.a.G
74 9d 12 e3 01 1a 23 41 43 53 41 43 4c 23 2d 49 | t.....#ACSACL#-I
50 2d 42 42 32 2d 34 61 37 38 63 30 65 36 02 12 | P-BB2-4a78c0e6..
38 dc f8 8a 3b cc f3 ba 21 4d 18 80 3e d9 18 2e | 8...;...!M..>...
04 06 bf 01 7b 0c 05 06 00 00 00 0f 3d 06 00 00 | ....{.......=...
00 05 1a 17 00 00 00 09 01 11 61 61 61 3a 73 65 | ..........aaa:se
72 76 69 63 65 3d 76 70 6e 1a 1e 00 00 00 09 01 | rvice=vpn.......
18 61 61 61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 | .aaa:event=acl-d
6f 77 6e 6c 6f 61 64 50 12 f6 7f a3 a5 3d 8e 1e | ownloadP....=..
c2 bb 85 2b be 6e 62 dd 30 1a 22 00 00 00 09 01 | ...+.nb.0.".....
1c 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 | .ip:source-ip=19
31 2e 31 2e 31 31 34 2e 32 30 30 1f 1c 69 70 3a | 1.1.114.200..ip:
73 6f 75 72 63 65 2d 69 70 3d 31 39 31 2e 31 2e | source-ip=191.1.
31 31 34 2e 32 30 30 | 114.200

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 23 (0x17)
Radius: Length = 215 (0x00D7)
Radius: Vector: B029AE4FDCE5BA6BC8618647749D12E3
Radius: Type = 1 (0x01) User-Name
Radius: Length = 26 (0x1A)
Radius: Value (String) =
23 41 43 53 41 43 4c 23 2d 49 50 2d 42 42 32 2d | #ACSACL#-IP-BB2-
34 61 37 38 63 30 65 36 | 4a78c0e6
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
38 dc f8 8a 3b cc f3 ba 21 4d 18 80 3e d9 18 2e | 8...;...!M..>...
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 191.1.123.12 (0xBF017B0C)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xF
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 23 (0x17)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 17 (0x11)
Radius: Value (String) =


61 61 61 3a 73 65 72 76 69 63 65 3d 76 70 6e | aaa:service=vpn
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 30 (0x1E)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 24 (0x18)
Radius: Value (String) =
61 61 61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 6f | aaa:event=acl-do
77 6e 6c 6f 61 64 | wnload
Radius: Type = 80 (0x50) Message-Authenticator
Radius: Length = 18 (0x12)
Radius: Value (String) =
f6 7f a3 a5 3d 8e 1e c2 bb 85 2b be 6e 62 dd 30 | ...=.....+.nb.0
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 31 | ip:source-ip=191
2e 31 2e 31 31 34 2e 32 30 30 | .1.114.200
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 31 | ip:source-ip=191
2e 31 2e 31 31 34 2e 32 30 30 | .1.114.200
send pkt 10.0.0.100/1645
rip 0xd5e42f08 state 7 id 23
rad_vrfy() : response message verified
rip 0xd5d016f8
: chall_state ''
: state 0x7
: timer 0x0
: reqauth:
b0 29 ae 4f dc e5 ba 6b c8 61 86 47 74 9d 12 e3
: info 0x11
session_id 0x11
request_id 0x17
user '#ACSACL#-IP-BB2-4a78c0e6'
response '***'
app 443
reason 0
skey 'cisco'
sip 10.0.0.100
type 1


RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 192).....
02 17 00 c0 4f 42 eb 5c e8 9b f3 d8 3d 46 d2 f5 | ....OB.\....=F..
03 29 7f 1e 1a 40 00 00 00 09 01 3a 69 70 3a 69 | .)..@.....:ip:i
6e 61 63 6c 23 31 3d 70 65 72 6d 69 74 20 74 63 | nacl#1=permit tc
70 20 61 6e 79 20 31 39 32 2e 31 30 2e 31 2e 30 | p any 192.10.4.0
20 32 35 35 2e 32 35 35 2e 32 35 35 2e 30 20 65 | 255.255.255.0 e
71 20 38 30 1a 39 00 00 00 09 01 33 69 70 3a 69 | q 80.9.....3ip:i
6e 61 63 6c 23 32 3d 70 65 72 6d 69 74 20 74 63 | nacl#2=permit tc
70 20 61 6e 79 20 68 6f 73 74 20 31 39 31 2e 31 | p any host 191.1
2e 31 32 33 2e 39 39 20 65 71 20 38 30 19 21 43 | .123.99 eq 80.!C
41 43 53 3a 66 66 66 66 66 66 66 66 2f 31 38 36 | ACS:ffffffff/186
31 35 2f 62 66 30 31 37 62 30 63 2f 31 35 50 12 | 15/bf017b0c/15P.
d2 22 d6 e0 21 01 4b b4 13 05 d2 bf 63 89 6a 6d | ."..!.K.....c.jm

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 23 (0x17)
Radius: Length = 192 (0x00C0)
Radius: Vector: 4F42EB5CE89BF3D83D46D2F503297F1E
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 64 (0x40)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 58 (0x3A)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 31 3d 70 65 72 6d 69 | ip:inacl#1=permi
74 20 74 63 70 20 61 6e 79 20 31 39 32 2e 31 30 | t tcp any 192.10
2e 31 2e 30 20 32 35 35 2e 32 35 35 2e 32 35 35 | .1.0 255.255.255
2e 30 20 65 71 20 38 30 | .0 eq 80
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 57 (0x39)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 51 (0x33)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 32 3d 70 65 72 6d 69 | ip:inacl#2=permi
74 20 74 63 70 20 61 6e 79 20 68 6f 73 74 20 31 | t tcp any host 1
39 31 2e 31 2e 31 32 33 2e 39 39 20 65 71 20 38 | 91.1.123.99 eq 8
30 | 0
Radius: Type = 25 (0x19) Class
Radius: Length = 33 (0x21)
Radius: Value (String) =
43 41 43 53 3a 66 66 66 66 66 66 66 66 2f 31 38 | CACS:ffffffff/18
36 31 35 2f 62 66 30 31 37 62 30 63 2f 31 35 | 615/bf017b0c/15
Radius: Type = 80 (0x50) Message-Authenticator
Radius: Length = 18 (0x12)
Radius: Value (String) =
d2 22 d6 e0 21 01 4b b4 13 05 d2 bf 63 89 6a 6d | ."..!.K.....c.jm
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xd5e42f08 session 0x11 id 23
free_rip 0xd5e42f08
Processing ACL: permit tcp any 192.10.4.0 255.255.255.0 eq 80


radius: send queue empty
Processing ACL: permit tcp any host 191.1.123.99 eq 80
find_acl(#ACSACL#-IP-BB2-4a78c0e6) = 5
user: HTTPUSER authenticated, session id: 2147483712
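The debug output above shows the RADIUS exchange byte for byte. The following added example (written for this guide, not workbook or ASA code) decodes the raw bytes the ASA printed for Access-Request id 22 and its Access-Accept: it walks the attribute TLVs, unwraps the Cisco vendor-specific AV-pairs that carry the downloadable ACL name, and recomputes the Response Authenticator from the shared secret 'cisco' configured under aaa-server RAD, as RFC 2865 defines it. The attribute names in the table and the helper names are the example's own.

```python
"""Decode the RADIUS Access-Request / Access-Accept pair from the Task 5.1 debug.

Added example, not workbook code: the packet bytes are copied from the
'RADIUS packet decode' output above; the shared secret is the 'key cisco'
configured under 'aaa-server RAD'.
"""
import hashlib
import struct

ACCESS_REQUEST_HEX = """
01 16 00 80 b0 29 ae 4f dc e5 ba 6b c8 61 86 47
74 9d 12 e3 01 0a 48 54 54 50 55 53 45 52 02 12
38 dc f8 8a 3b cc f3 ba 21 4d 18 80 3e d9 18 2e
04 06 bf 01 7b 0c 05 06 00 00 00 0e 3d 06 00 00
00 05 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75
72 63 65 2d 69 70 3d 31 39 31 2e 31 2e 31 31 34
2e 32 30 30 1f 1c 69 70 3a 73 6f 75 72 63 65 2d
69 70 3d 31 39 31 2e 31 2e 31 31 34 2e 32 30 30
"""
ACCESS_ACCEPT_HEX = """
02 16 00 70 6f b5 6c 00 2b d9 f5 25 89 57 6a 2d
01 0b 82 01 1a 3c 00 00 00 09 01 36 41 43 53 3a
43 69 73 63 6f 53 65 63 75 72 65 2d 44 65 66 69
6e 65 64 2d 41 43 4c 3d 23 41 43 53 41 43 4c 23
2d 49 50 2d 42 42 32 2d 34 61 37 38 63 30 65 36
08 06 ff ff ff ff 19 1a 43 41 43 53 3a 30 2f 31
38 36 31 34 2f 62 66 30 31 37 62 30 63 2f 31 34
"""
SHARED_SECRET = b"cisco"

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 8: "Framed-IP-Address", 25: "Class",
              26: "Vendor-Specific", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 80: "Message-Authenticator"}
CISCO_VENDOR_ID = 9


def hex_dump_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))


def parse_attributes(payload):
    """Walk the attribute TLVs; returns a list of (name, value) in packet order."""
    attrs, pos = [], 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = payload[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, "Attribute-%d" % atype)
        if atype == 26:                                   # Vendor-Specific (RFC 2865 5.26)
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            vdata = value[6:4 + vlen]
            if vendor == CISCO_VENDOR_ID and vtype == 1:  # Cisco-AV-pair
                attrs.append(("Cisco-AV-pair", vdata.decode("ascii")))
            else:
                attrs.append((name, (vendor, vtype, vdata)))
        elif atype in (4, 8):                             # IPv4 addresses
            attrs.append((name, ".".join(str(b) for b in value)))
        elif atype in (5, 61):                            # 32-bit integers
            attrs.append((name, struct.unpack("!I", value)[0]))
        elif atype in (1, 25, 31):                        # printable strings
            attrs.append((name, value.decode("ascii")))
        else:                                             # User-Password etc. stay opaque
            attrs.append((name, value))
        pos += alen
    return attrs


def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field %d does not match %d bytes" % (length, len(raw)))
    return {"code": code, "id": ident, "length": length,
            "authenticator": raw[4:20], "attributes": parse_attributes(raw[20:length])}


def response_authenticator_ok(request_raw, response_raw, secret):
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    digest = hashlib.md5(response_raw[:4] + request_raw[4:20] +
                         response_raw[20:] + secret).digest()
    return digest == response_raw[4:20]


def downloadable_acl_name(packet):
    """Name of the ACS downloadable ACL announced in an Access-Accept, or None."""
    for name, value in packet["attributes"]:
        if name == "Cisco-AV-pair" and value.startswith("ACS:CiscoSecure-Defined-ACL="):
            return value.split("=", 1)[1]
    return None


if __name__ == "__main__":
    req_raw, acc_raw = hex_dump_to_bytes(ACCESS_REQUEST_HEX), hex_dump_to_bytes(ACCESS_ACCEPT_HEX)
    req, acc = parse_packet(req_raw), parse_packet(acc_raw)
    for name, value in req["attributes"] + acc["attributes"]:
        print("%-20s %s" % (name, value))
    print("downloadable ACL:", downloadable_acl_name(acc))
    print("response authenticator valid:", response_authenticator_ok(req_raw, acc_raw, SHARED_SECRET))
```

The ACL name returned by downloadable_acl_name is exactly what the ASA then places in the User-Name of the second Access-Request (id 23) to fetch the ACL contents, which is why that request carries the aaa:event=acl-download AV-pair. response_authenticator_ok only returns True for a reply built with the same shared secret, which is the whole integrity protection a plain RADIUS reply has.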

Task 5.2 Solution


ASA1:
aaa-server TAC protocol tacacs+
aaa-server TAC (Outside) host 10.0.0.100
key cisco

aaa authentication include telnet Inside 0 0 TAC

AAA Server:

Step 1:

Create a user on the AAA server with a username of TELNETUSER and a
password of cisco. Add ASA2 as a network client for TACACS+.


Test from BB2, or move the TEST PC to VLAN 122.

SC.9.9.BB2>telnet 150.4.2.2
Trying 150.4.2.2 ... Open

Username: TELNETUSER

Password:

[Connection to 150.4.2.2 closed by foreign host]

SC.9.9.BB2>telnet 150.4.2.2
Trying 150.4.2.2 ... Open

User Access Verification

Password:
SCRack4R2>
SCRack4ASA1# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'TELNETUSER' at 192.10.4.254, authenticated
  absolute   timeout: 0:05:00
  inactivity timeout: 0:00:00
SCRack4ASA1#

Next, configure network authorization:

ASA1:
aaa authorization include telnet Inside 0 0 TAC

SC.9.9.BB2>telnet 150.4.4.4
Trying 150.4.4.4 ... Open

Username: TELNETUSER

Password:

Error: Authorization Denied

[Connection to 150.4.4.4 closed by foreign host]

SC.9.9.BB2>


AAA Server:

Now that you have verified that authorization fails, configure command
authorization for the user on the ACS. You can also add a login banner on R4
so that you can tell when you are logging into the router itself and when you
are authenticating against the ASA.


R4:
banner login c R4 banner c

SC.9.9.BB2>telnet 150.4.4.4
Trying 150.4.4.4 ... Open

Username: TELNETUSER

Password:

[Connection to 150.4.4.4 closed by foreign host]

SC.9.9.BB2>telnet 150.4.4.4
Trying 150.4.4.4 ... Open
R4 banner

User Access Verification

Username: ADMIN
Password:

SCRack4R4#

Verify that telnet to R5 fails.

SC.9.9.BB2>telnet 150.4.5.5
Trying 150.4.5.5 ...
% Connection timed out; remote host not responding

SC.9.9.BB2>

Finally, add an accounting rule for the telnet sessions:

ASA1:
aaa accounting include telnet Inside 0 0 TAC


AAA Server:

Verify the accounting reports on the ACS server.

Task 6.1 Solution


ASA1:
interface Ethernet0/0
ospf authentication
ospf authentication-key CISCO

R3:
interface FastEthernet0/0
ip ospf authentication
ip ospf authentication-key CISCO

Task 6.1 Verification


SCRack4R3#show ip ospf interface FastEthernet0/0 | i is up|thent
FastEthernet0/0 is up, line protocol is up
Simple password authentication enabled
SCRack4R3#

SCRack4ASA1# show ospf int Outside
Outside is up, line protocol is up
Internet Address 191.1.123.12 mask 255.255.255.0, Area 51
Process ID 51, Router ID 192.10.4.12, Network Type BROADCAST, Cost: 10
<snip>
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
SCRack4ASA1#


Task 6.2 Solution


R3:
ip access-list extended BGP
permit tcp any any eq 179
permit tcp any eq 179 any

ip access-list extended IGP
permit ospf any any

ip access-list extended FRAGS
permit tcp any any fragments
permit udp any any fragments
permit icmp any any fragments

ip access-list extended MGT
permit tcp any any eq telnet
permit tcp any any eq 22
permit tcp any any eq http
permit tcp any any eq 443

ip access-list extended TELZERO
permit tcp any any eq telnet prec 0

class-map BGP
match access-group name BGP
class-map IGP
match access-group name IGP
class-map FRAGS
match access-group name FRAGS
class-map MGT
match access-group name MGT
class-map TELZERO
match access-group name TELZERO

policy-map MYCP
class BGP
police rate 1000 pps burst 2000 packets conform-action transmit exceed-action drop
class IGP
police rate 50 pps burst 100 packets conform-action transmit exceed-action drop
class TELZERO
drop
class FRAGS
police rate 25 pps burst 50 packets conform-action transmit exceed-action drop
class MGT
police rate 50 pps burst 100 packets conform-action transmit exceed-action drop

control-plane
service-policy input MYCP


If you do not specify a burst value, it may default to 0 and traffic will be
dropped. If your BGP sessions drop, check the output of show policy-map
control-plane to see whether the policer is dropping packets.
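To make the burst caveat concrete, here is an added example (written for this guide, not workbook or IOS code) that models a single-rate packet policer as a token bucket counted in packets, which is how police rate <pps> burst <packets> behaves for the MYCP classes. The two traffic patterns are constructed, not captured from the lab: a BGP update arriving as 30 back-to-back packets, and a telnet flood at 200 pps against the MGT class. Timestamps are integer milliseconds and tokens are kept in thousandths so the arithmetic is exact.

```python
"""Single-rate packet policer (token bucket in packets) for 'police rate ... burst ...'.

Added example, not workbook code. It shows why a burst of 0 drops every packet:
the bucket can never hold a whole token, so nothing ever conforms.
"""


def police(arrivals_ms, rate_pps, burst_packets):
    """Return (conformed, exceeded) counts for packets arriving at the given times.

    The bucket holds at most burst_packets tokens, refills at rate_pps, and a
    packet conforms only if a whole token is available when it arrives.
    """
    bucket = burst_packets * 1000          # capacity in thousandths of a packet
    tokens = bucket                        # the bucket starts full
    last_ms = arrivals_ms[0] if arrivals_ms else 0
    conformed = exceeded = 0
    for t in arrivals_ms:
        tokens = min(bucket, tokens + (t - last_ms) * rate_pps)   # refill since last packet
        last_ms = t
        if tokens >= 1000:
            tokens -= 1000
            conformed += 1
        else:
            exceeded += 1
    return conformed, exceeded


# Constructed traffic patterns (not captured from the lab):
BGP_UPDATE_BURST = [0] * 30                       # 30 BGP packets back to back
TELNET_FLOOD = [i * 5 for i in range(400)]        # 200 pps for two seconds


def bgp_with_burst(burst_packets):
    """Class BGP: rate 1000 pps with the given burst, fed the BGP update burst."""
    return police(BGP_UPDATE_BURST, 1000, burst_packets)


def mgt_under_flood():
    """Class MGT: rate 50 pps burst 100, fed the telnet flood."""
    return police(TELNET_FLOOD, 50, 100)


if __name__ == "__main__":
    print("BGP, burst 2000:", bgp_with_burst(2000))
    print("BGP, burst 0:   ", bgp_with_burst(0))
    print("MGT, flood:     ", mgt_under_flood())
```

With burst 2000 the whole BGP update conforms; with burst 0 all 30 packets exceed, which is the session-dropping failure the paragraph warns about. Under the flood, the MGT class lets the initial burst of 100 through and then settles to the configured 50 pps, so roughly 200 of the 400 packets conform.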

SCRack4R3#show policy-map control-plane
 Control Plane

  Service-policy input: MYCP

    Class-map: BGP (match-all)
      87 packets, 6219 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name BGP
      police:
          rate 1000 pps, burst 2000 packets, peak-burst 1500 packets
        conformed 43 packets; actions:
          transmit
        exceeded 44 packets; actions:
          drop
        violated 0 packets; actions:
          drop
        conformed 0 pps, exceed 0 pps, violate 0 pps

    Class-map: IGP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name IGP
      police:
          rate 50 pps, burst 100 packets, peak-burst 1500 packets
        conformed 0 packets; actions:
          transmit
        exceeded 0 packets; actions:
          drop
        violated 0 packets; actions:
          drop
        conformed 0 pps, exceed 0 pps, violate 0 pps

    Class-map: TELZERO (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name TELZERO
      drop

    Class-map: FRAGS (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name FRAGS
      police:
          rate 25 pps, burst 50 packets, peak-burst 1500 packets
        conformed 0 packets; actions:
          transmit
        exceeded 0 packets; actions:
          drop
        violated 0 packets; actions:
          drop
        conformed 0 pps, exceed 0 pps, violate 0 pps

    Class-map: MGT (match-all)
      313 packets, 13837 bytes
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: access-group name MGT
      police:
          rate 50 pps, burst 100 packets, peak-burst 1500 packets
        conformed 314 packets; actions:
          transmit
        exceeded 0 packets; actions:
          drop
        violated 0 packets; actions:
          drop
        conformed 4 pps, exceed 0 pps, violate 0 pps

    Class-map: class-default (match-any)
      590 packets, 53125 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
SCRack4R3#

For the queue threshold limitations, configure class maps of type
“queue-threshold” and a “queue-threshold” policy map.

R3:
class-map type queue-threshold match-any BGPQ
match protocol bgp

class-map type queue-threshold match-any SSHQ
match protocol ssh

class-map type queue-threshold match-any TELQ
match protocol telnet

class-map type queue-threshold match-any OTHERQ
match host-protocols

policy-map type queue-threshold MYCPQ
class BGPQ
queue-limit 50
class SSHQ
queue-limit 25
class TELQ
queue-limit 40
class OTHERQ
queue-limit 30

control-plane host
service-policy type queue-threshold input MYCPQ

SCRack4R3#show policy-map type q control-plane host
 Control Plane Host

  Service-policy queue-threshold input: MYCPQ

    Class-map: BGPQ (match-any)
      21 packets, 1794 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol bgp
        21 packets, 1794 bytes
        5 minute rate 0 bps
      queue-limit 50
      queue-count 1 packets allowed/dropped 21/0

    Class-map: SSHQ (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        5 minute rate 0 bps
      queue-limit 25
      queue-count 0 packets allowed/dropped 0/0

    Class-map: TELQ (match-any)
      106 packets, 4727 bytes
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: protocol telnet
        106 packets, 4727 bytes
        5 minute rate 1000 bps
      queue-limit 40
      queue-count 1 packets allowed/dropped 106/0

    Class-map: OTHERQ (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: host-protocols
        0 packets, 0 bytes
        5 minute rate 0 bps
      queue-limit 30
      queue-count 0 packets allowed/dropped 0/0

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
SCRack4R3#


Task 6.3 Solution


In order to protect the AAA server, another context can be added to ASA2. Make
sure to allow traffic as needed for other sections. In the earlier IPS section, the
sensor was configured to send SNMP traps to the AAA server address.

SW2:
interface FastEthernet0/15
switchport trunk encap dot1q
switchport trunk allowed vlan 19,79
switchport mode trunk

SW1:
int FastEthernet0/20
switchport access vlan 79

ASA2:
interface Ethernet0/2
no shut

interface Ethernet0/2.19
vlan 19
interface Ethernet0/2.79
vlan 79

context B
config-url B.cfg
allocate-interface Ethernet0/2.19
allocate-interface Ethernet0/2.79

changeto context B

ip address 255.255.255.255 255.255.255.255
!
interface Ethernet0/2.19
nameif outside
!
interface Ethernet0/2.79
nameif inside

names
name 10.0.0.100 ACS
access-list O permit udp any host ACS eq 1812
access-list O permit udp any host ACS eq 1813
access-list O permit udp any host ACS eq 1645
access-list O permit udp any host ACS eq 1646
access-list O permit tcp any host ACS eq 49
access-list O permit icmp any host ACS echo
access-list O permit icmp any host ACS echo-reply
access-list O permit udp host 10.0.0.123 host ACS eq snmptrap


access-group O in interface outside

access-list NOTAC permit tcp any any neq 49
access-list L2 ethertype deny bpdu
access-list L2 ethertype permit any

access-group L2 in interface

class-map TAC
match port tcp eq 49
!
class-map TCP
match access-list NOTAC

policy-map LIMIT
class TAC
set conn embryonic-conn-max 7
class TCP
set conn embryonic-conn-max 3
!
service-policy LIMIT interface outside

Task 6.3 Verification


Rack4ASA2/B# show service-policy flow tcp host 150.4.5.5 host 10.0.0.100 eq 49

Global policy:
Service-policy: global_policy
Class-map: class-default
Match: any
Action:
Output flow:
Interface outside:
Service-policy: LIMIT
Class-map: TAC
Match: port tcp eq tacacs
Action:
Input flow: set connection embryonic-conn-max 7
Class-map: class-default
Match: any
Action:


Rack4ASA2/B# show service-policy flow tcp host 150.4.5.5 host 10.0.0.100 eq 23

Global policy:
Service-policy: global_policy
Class-map: class-default
Match: any
Action:
Output flow:
Interface outside:
Service-policy: LIMIT
Class-map: TCP
Match: access-list NOTAC
Access rule: permit tcp any any neq tacacs
Action:
Input flow: set connection embryonic-conn-max 3
Class-map: class-default
Match: any
Action:
Rack4ASA2/B#

Task 6.4 Solution


R4:
aaa new-model
aaa authentication login VTY group radius local
aaa authorization exec VTY group radius local

username R4ACCESS view ACCESS password cisco
username ADMIN view root password cisco

Watch the configuration order carefully: username ADMIN view root password
cisco is not the same as username ADMIN password cisco view root. Make sure
the password is the last keyword on the line; otherwise you will not be
assigning a view to the user, but configuring a password of "cisco view root".


R4:
line vty 0 181
login authent VTY
authorization exec VTY
end
!
enable view
!
conf t
parser view ACCESS
secret cisco
commands exec include logout
commands exec include wr mem
commands exec include show ip interface brief
commands configure include interface loopback 0
commands configure include all interface serial 0/0
commands configure include all interface ser0/1
commands exec include show priv
commands router include all network
commands configure include router
commands configure include interface
commands exec include config t
commands interface include all ip address
!
radius-server host 10.0.0.100 key cisco
ip radius source-int lo0


AAA Server:

On the ACS server, add R4 as a Cisco RADIUS client.

Add the user to the ACS - username R4ACCESS and the password of cisco. Set
the Cisco RADIUS attribute 009\001 cli-view-name=ACCESS to match the
view configured on the router.


For the ADMIN user, the configuration is the same with the attribute
cli-view-name=root.

If you want to see the information downloaded from the AAA server, you can
debug RADIUS sessions while connecting to the VTY line.


SCRack4R4#telnet 150.4.4.4
Trying 150.4.4.4 ... Open

User Access Verification

Username:
Password:

RADIUS/ENCODE(00000009): ask "Username: "
RADIUS/ENCODE(00000009): send packet; GET_USERR4ACCESS
RADIUS/ENCODE(00000009): ask "Password: "
RADIUS/ENCODE(00000009): send packet; GET_PASSWORD
RADIUS/ENCODE(00000009):Orig. component type = EXEC
RADIUS: AAA Unsupported Attr: interface [174] 5
RADIUS: 74 74 79 [tty]
RADIUS/ENCODE(00000009): dropping service type, "radius-server
attribute 6 on-for-login-auth" is off
RADIUS(00000009): Config NAS IP: 150.4.4.4
RADIUS/ENCODE(00000009): acct_session_id: 5
RADIUS(00000009): sending
RADIUS(00000009): Send Access-Request to 10.0.0.100:1645 id 1645/7, len 84
RADIUS: authenticator DF 58 23 41 02 E0 54 69 - 20 AF E1 FF 98 47 96 0E
RADIUS: User-Name [1] 10 "R4ACCESS"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 66
RADIUS: NAS-Port-Id [87] 7 "tty66"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: Calling-Station-Id [31] 11 "150.4.4.4"
RADIUS: NAS-IP-Address [4] 6 150.4.4.4
RADIUS: Received from id 1645/7 10.0.0.100:1645, Access-Accept, len 80
RADIUS: authenticator 46 02 1D 50 1F 25 D5 6D - EE CE 7E B4 80 5E C2 13
RADIUS: Framed-IP-Address [8] 6 255.255.255.255
RADIUS: Vendor, Cisco [26] 28
RADIUS: Cisco AVpair [1] 22 "cli-view-name=ACCESS"
RADIUS: Class [25] 26
RADIUS: 43 41 43 53 3A 30 2F 31 37 64 39 32 2F 39 36 30 [CACS:0/17d92/960]
RADIUS: 31 30 34 30 34 2F 36 36 [10404/66]
RADIUS(00000009): Received from id 1645/7

SCRack4R4#show priv
Currently in View Context with view 'ACCESS'
SCRack4R4#
SCRack4R4(config)#?
Configure commands:
do To run exec commands in config mode
exit Exit from configure mode
interface Select an interface to configure
router Enable a routing process

SCRack4R4(config)#
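To confirm off-box what the AAA server actually returned, the Access-Accept shown in the debug can be decoded attribute by attribute. The following is an added Python example, not part of the workbook, that walks the RADIUS attribute TLV list, extracts the Cisco AVpair (vendor 9, sub-type 1) and reports the cli-view-name; the sample bytes are constructed to match the attribute lengths in the debug output above.

```python
"""Decode a RADIUS Access-Accept attribute list and report the Cisco cli-view-name
AV pair. Sample bytes are constructed to match the debug output, not a capture."""
import struct
from ipaddress import IPv4Address

CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
ATTR_VENDOR_SPECIFIC = 26  # RADIUS Vendor-Specific attribute
CISCO_AVPAIR = 1           # Cisco VSA sub-type 1, "Cisco AVpair"

def parse_attributes(data: bytes):
    """Yield (type, value) from a RADIUS TLV list; reject malformed lengths."""
    pos = 0
    while pos < len(data):
        alen = data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield data[pos], data[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(attrs):
    """Return the Cisco AVpair strings found in Vendor-Specific attributes."""
    pairs = []
    for atype, value in attrs:
        if (atype != ATTR_VENDOR_SPECIFIC or len(value) < 6
                or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID):
            continue
        # The vendor data is itself a TLV list of vendor sub-attributes.
        for subtype, subvalue in parse_attributes(value[4:]):
            if subtype == CISCO_AVPAIR:
                pairs.append(subvalue.decode("ascii", errors="replace"))
    return pairs

def assigned_view(payload: bytes):
    """Return the view named by cli-view-name, or None if the server sent none."""
    for pair in cisco_avpairs(parse_attributes(payload)):
        key, _, val = pair.partition("=")
        if key == "cli-view-name":
            return val
    return None

def build_sample():
    """Constructed attribute list: Framed-IP-Address (8), Cisco VSA (26), Class (25)."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    avpair = attr(CISCO_AVPAIR, b"cli-view-name=ACCESS")
    return (attr(8, IPv4Address("255.255.255.255").packed)
            + attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avpair)
            + attr(25, b"CACS:0/17d92/96010404/66"))
```

The constructed sample reproduces the 80-byte Access-Accept from the debug (20-byte header plus 60 bytes of attributes), so the decoded view is ACCESS.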

For local fallback testing, shut down both serial interfaces and verify that the
users are still allowed to log in.

SCRack4R4#telnet 150.4.4.4
Trying 150.4.4.4 ... Open

User Access Verification

Username: R4ACCESS
Password:

SCRack4R4#show priv
Currently in View Context with view 'ACCESS'
SCRack4R4#

Task 7.1 Solution


R3:
ip access-list ext FW
70 permit tcp any host 192.10.4.150 eq 80
80 permit tcp any host 192.10.4.150 eq 21

ASA1:
access-list OUTSIDE permit tcp any host 192.10.4.150 eq 21
access-list OUTSIDE permit tcp any host 192.10.4.150 eq 80
!
class-map HTTP
match port tcp eq www
class-map FTP
match port tcp eq ftp
!
regex CMD "[cC][mM][dD]\.[eE][xX][eE]"
class-map type inspect http match-all HTTPCMD
match request uri regex CMD
!
policy-map type inspect ftp MYFTP
parameters
match request-command get put
reset
!
policy-map type inspect http MYHTTP
parameters
match req-resp content-type mismatch
log
class HTTPCMD
reset
!
policy-map OUTSIDEPOL
class HTTP
inspect http MYHTTP
class FTP
inspect ftp strict MYFTP
!
service-policy OUTSIDEPOL interface outside

Task 7.1 Verification


SCRack4ASA1# show service-policy inspect http

Global policy:
Service-policy: global_policy
Class-map: inspection_default

Interface Outside:
Service-policy: OUTSIDEPOL
Class-map: HTTP
Inspect: http MYHTTP, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
match req-resp content-type mismatch
log, packet 0
class HTTPCMD
reset, packet 0
Class-map: FTP
SCRack4ASA1#

SCRack4ASA1# show service-policy inspect ftp

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0

Interface Outside:
Service-policy: OUTSIDEPOL
Class-map: HTTP
Class-map: FTP
Inspect: ftp strict MYFTP, packet 0, drop 0, reset-drop 0
match request-command get put
reset, packet 0
SCRack4ASA1#

Task 7.2 Solution


ASA1:
!
! Note: This command will send a reset for IDENT sessions,
! since that traffic is not permitted by the
! firewall, rather than having to wait for a timeout.
!
service resetoutside

Task 7.3 Solution


R6:
interface Serial0/0/0
ip nat inside
!
interface FastEthernet0/0
ip nat outside
!
ip nat inside source static 112.0.0.1 204.12.4.100

Task 7.3 Verification


Test the connection from another device and confirm that you see the NAT translation on
R6.

SCRack4R3#telnet 204.12.4.100
Trying 204.12.4.100 ... Open

SC.9.9.BB1_FRS>
SCRack4R6#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 204.12.4.100:23    112.0.0.1:23       204.12.4.3:37884   204.12.4.3:37884
--- 204.12.4.100       112.0.0.1          ---                ---
SCRack4R6#

Task 7.4 Solution


Start with a basic policy configuration on R6:

R6:
class-map TELNET
match protocol telnet
policy-map TELNET
class TELNET
set prec 3

interface FastEthernet0/0
service-policy output TELNET

R3:
ip access-list ext FW
100 permit tcp any any eq 23 prec 3
110 permit tcp any any eq 23 prec 4

SW1:
interface FastEthernet0/6
mls qos trust ip-precedence

SW2:
interface FastEthernet0/14
mls qos trust ip-precedence

interface FastEthernet0/23
mls qos trust ip-precedence

Task 7.4 Verification


Test by connecting from R6 and BB1.

SCRack4R6#telnet 150.4.3.3
Trying 150.4.3.3 ... Open

User Access Verification

Password:

Verify that you see matches in the ACL:

permit tcp any any eq telnet precedence flash (27 matches)

Task 8.1 Solution


Since there is already an ACL applied to the Frame-Relay interface by virtue of
the IPS management, you may want to use a "pre-block ACL" in the IPS. Another
option is to block the traffic using a method other than access-group.

R6:
time-range WEB
periodic daily 08:00 to 22:59

access-list 102 permit tcp any host 204.12.4.150 eq 80 time-range WEB


class-map dropweb
match access-group 102
policy-map dropweb
class dropweb
drop

interface Serial0/0/0
service-policy input dropweb

Task 8.1 Verification


SCRack4R6#show policy-map interface Serial0/0/0

Serial0/0/0

Service-policy input: dropweb

Class-map: dropweb (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 102
drop

Class-map: class-default (match-any)


69 packets, 5530 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
SCRack4R6#

Task 8.2 Solution


SW1:
interface FastEthernet0/6
storm-control unicast level 6.0

Task 8.2 Verification


Generate a ping flow from R6 and look at the output of show storm-control on the
switch.

SCRack4SW1#show storm-control unicast


Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/6 Forwarding 6.00% 6.00% 1.43%

If you generate a lot of traffic, you can see the log message for the
filter.

SCRack4R6#ping 204.12.4.254 repeat 10000 size 14500 timeout 0

%STORM_CONTROL-3-FILTERED: A Unicast storm detected on Fa0/6. A packet filter action has been applied on the interface.

SCRack4SW1#show storm-control uni


Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/6 Blocking 6.00% 6.00% 14.47%

Task 8.3 Solution


R5:
ip dhcp pool V55
network 191.1.55.0 /24
dns-server 191.1.55.200 191.1.55.201
domain-name INE.com
default-router 191.1.55.5

SW1:
ip dhcp snooping
ip dhcp snooping vlan 55

interface FastEthernet0/5
ip dhcp snooping trust

Task 8.3 Verification


You can temporarily add an IP address to the switch for testing:

SW1:
Interface VLAN 55
ip address DHCP

Interface Vlan55 assigned DHCP address 191.1.55.2, mask 255.255.255.0

SCRack4SW1#show ip route | i \ 0.0.0.0


Gateway of last resort is 191.1.55.5 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 191.1.55.5
SCRack4SW1#

Task 8.4 Solution


SW1:
interface FastEthernet 0/7
switchport mode access
switchport port-security
switchport port-security max 3

mac address-table static 1234.5678.90ab vlan 19 drop

Task 8.4 Verification


SCRack4SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/7            3            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 5120
SCRack4SW1#

SCRack4SW1#show mac address static | excl CPU
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  19    1234.5678.90ab    STATIC      Drop
Total Mac Addresses for this criterion: 49
SCRack4SW1#

Task 8.5 Solution


Stealth Nmap scanning uses TCP SYN packets (signature 3002). The signature
is enabled by default with an action of produce alert. Change the action to deny
attacker inline. To restrict a signature from firing on certain IP addresses,
there are a few different approaches you can take with filters: you can filter
under the signature with the src-addr-filter option, or configure an event
filter.

IPS:
service signature-definition sig0
signatures 3002 0
engine sweep
event-action deny-attacker-inline
specify-src-addr-filter yes
src-addr-filter 0.0.0.0-191.1.123.199,191.1.123.201-255.255.255.255
exit
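The src-addr-filter ranges above are simply the complement of the one host the signature must not fire on. The following added Python example (not the sensor's own configuration language or code) builds that range string for any set of excluded source addresses, in the notation used by the configuration above, and checks whether a given source still falls inside the ranges the signature applies to.

```python
"""Build an IPS src-addr-filter range list covering every IPv4 source except the
addresses the signature must not fire on, in the 'lo-hi,lo-hi' notation above."""
from ipaddress import IPv4Address

IPV4_MAX = (1 << 32) - 1   # 255.255.255.255 as an integer

def src_addr_filter(excluded):
    """Return 'lo-hi,lo-hi,...' covering all IPv4 addresses not in `excluded`."""
    cut = sorted({int(IPv4Address(a)) for a in excluded})
    ranges, start = [], 0
    for x in cut:
        if x > start:                      # gap before this excluded address
            ranges.append((start, x - 1))
        start = x + 1                      # skip the excluded address itself
    if start <= IPV4_MAX:                  # tail up to 255.255.255.255
        ranges.append((start, IPV4_MAX))
    return ",".join(f"{IPv4Address(lo)}-{IPv4Address(hi)}" for lo, hi in ranges)

def signature_applies(filter_str, address):
    """True if `address` lies in one of the filter ranges, i.e. is still alerted on."""
    ip = int(IPv4Address(address))
    for part in filter_str.split(","):
        lo, hi = (int(IPv4Address(p)) for p in part.split("-"))
        if lo <= ip <= hi:
            return True
    return False
```

Excluding only 191.1.123.200 reproduces the two ranges in the task's configuration; adjacent exclusions collapse into a single gap rather than producing empty ranges.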
