Cisco ASA Second Generation's OS 9.x PDF
Page 2 of 846
Secure Your Network With Cisco ASA Second Generation's OS 9.x
Baldev Singh Deshwal, CCIE No. 37094, is a Senior Network Security Engineer at Network Bulls.
His primary job responsibilities include configuring, maintaining and troubleshooting the NB network.
He also provides corporate training and Cisco certification training.
Dedications
This book is dedicated to the one and only Almighty Lord Shiva, who created such conditions that I
could not stop myself from writing this book.
Special Thanks
Contents At A Glance
Chapter 5 RIP
Chapter 6 EIGRP
Chapter 7 OSPF
Chapter 9 SLA
Chapter 10 Multicasting
Chapter 14 CTP
Chapter 21 Context
Chapter 22 Failover
Chapter 23 MPF
Chapter 24 OSPFv3
Chapter 28 BGP
Chapter 31 Clustering
Contents
Section I. Firewall Overview
Chapter 1 Firewall Introduction
Introduction to Firewalls
Packet Filtering
Proxy Server
Stateful Firewall
Transparent Firewall
Chapter 2 ASA Introduction
Introduction of ASA
ASA Features
Proprietary Operating System (P)
Stateful Firewall
User-Based Authentication
Protocol & Application Inspection
Modular Policy Framework
Virtual Private Network
Virtual Firewall
Web-Based Management
Transparent Firewall
Stateful Failover (P)
IPv6
Clustering
VPN Load Balancing (P)
Chapter 3 ASA Basics
How to set Hostname
How to set enable password
How to assign IP address to interface
How to assign security-level
How to enable Telnet
How to enable SSH
How to enable HTTP
How to take Backup of ASA
How to Upgrade ASA
How to recover ASA password
Diagrams & Labs:-
Section II. Routing on ASA
Chapter 4 Routing Introduction
Introduction of Routing
Routing Types
Static Routing
Default Routing
Dynamic Routing
Routing Protocols
Routed Protocols
IGP
EGP
AS
IGP Types
EGP Types
Distance Vector
Link State
Enhanced Distance Vector
Chapter 5 RIP
Introduction of RIP
RIP Versions
Difference between V1 & V2
RIP Timers
RIP Loop Avoidance Techniques
Route Poisoning
Poison Reverse
Split-Horizon
Diagrams & Labs:-
Chapter 6 EIGRP
Introduction of EIGRP
EIGRP Components
Protocol Dependent Module
Reliable Transport Protocols
Neighbour Discovery & Recovery
Diffusing Update Algorithm
EIGRP Messages
EIGRP Terminologies
Successor
Feasible Distance
Feasible Successor
Feasible Successor Requirements
Advertise Distance/Reported Distance
Input Event
Local Computation
Going Active
EIGRP Additional Features
Incremental Updates
Multicast Updates
Unequal Cost Load Balancing
EIGRP Tables
Neighbour Tables
Topology Table
Routing Table
EIGRP Neighbourship Requirements
EIGRP Metric
EIGRP Modes
Diagrams & Labs:-
Chapter 7 OSPF
Introduction of OSPF
Difference Between Distance vector & Link State
OSPF Tables
OSPF Messages
OSPF Hello Message Contents
OSPF Message Contents
OSPF States
OSPF Priority
DR & BDR
OSPF Metric
OSPF Network Types
OSPF Router Types
OSPF LSA Types
OSPF Area Types
OSPF Virtual Links
OSPF Neighbours Requirements
Diagrams & Labs:-
Chapter 8 IPv6 Introduction
Introduction of IPv6
IPv6 Address Types
Global Unicast
Unique Local
Link-local
Link-local Address
IPv6 Structure
IPv6 Routing Protocols
RIPng
IS-ISv6
OSPFv3
EIGRPv6
MP-BGP-4
Diagrams & Labs:-
Chapter 9 SLA
Introduction of SLA
Diagrams & Labs:-
Chapter 10 Multicasting
IP Address Types
Unicast
Broadcast
Multicast
Multicast Mac Structure
Multicast Address
IGMP
Version 1
Version 2
Version 3
IGMP Snooping
Multicast Routing Protocols
PIM
RPF
Distribution Tree
Source Tree
Shared Tree
PIM Modes
Dense Mode
Sparse Mode
Sparse-Dense-Mode
PIM versions
Diagrams & Labs:-
Section III. Access-list & NAT
Main Mode
Aggressive Mode
Quick Mode
IKE Phases
Phase 1
Phase 1.5
Phase 2
IPSec Mode
Transport Mode
Tunnel Mode
SA
SA Components
SAD
SPD
NAT-T
NAT-T Steps
NAT-T Support
NAT-T Detection
NAT-T Decision
ISAKMP
Chapter 16 Site-Site VPN
Introduction
Working
Diagrams & Labs:-
Chapter 17 Remote Access VPN
Introduction
Modes
Client
Network Extension
Network Extension Plus
Diagrams & Labs:-
Chapter 18 VPN Load balancing
Introduction
Supported Protocols
Cluster
Master
Member
Load balancing
Virtual Cluster Agent
Diagrams & Labs:-
Chapter 19 SSL VPN
SSL Introduction
SSL Mode
Clientless
Thin-client
Thick-client
Requirements
Working
Diagrams & Labs:-
Section V. Advanced Firewall Features
Chapter 20 Transparent Firewall
DNS
TFTP
HTTP
RSH
SQL.NET
SIP
SCCP
CTIQBE
MGCP
Diagrams & Labs:-
Section VI. OS 9.x Advanced Features
Chapter 24 OSPFv3
Diagrams & Labs:-
Chapter 25 NAT on OS 9.2.x on IPv6
Diagrams & Labs:-
Static
Dynamic
PAT
Static PAT
Identity NAT
Twice NAT
Chapter 26 Site-Site VPN on IPv6
Diagrams & Labs:-
Chapter 27 SSL VPN on IPv6
Diagrams & Labs:-
Clientless
Thin-client
Chapter 28 BGP
BGP Introduction
BGP Messages
iBGP
eBGP
BGP States
BGP Terminology
Next-hop-self
Route-reflector-client
BGP-redistribute internal
Summarization or Aggregation
Diagrams & Labs:-
Chapter 29 Dynamic Routing in Context
Diagrams & Labs:-
EIGRP
OSPF
Chapter 30 Site-Site VPN in Context
Diagrams & Labs:-
Chapter 31 Clustering
Introduction of Clustering
Clustering Terminology
Master
Slaves
Interface Types
Chapter 1
Firewall
Firewall techniques
Packet Filtering
Proxy Server
Stateful Firewall
Transparent Firewall
Firewall Introduction
A firewall is a system or group of systems that manages access between two or more networks.
Firewall Techniques
1. Packet Filtering
2. Proxy Server
3. Stateful Firewall
4. Transparent Firewall
Packet Filtering
In packet filtering, packets are filtered using access-lists. On Cisco IOS we can use standard or
extended access-lists, named access-lists, time-based access-lists, dynamic access-lists, reflexive
access-lists and TCP established access-lists to filter the traffic.
Advantages
Easy to implement
Cost-effective
Disadvantages
Not scalable
Complex access-lists are hard to create and maintain
Proxy Server
It works as an intermediate system between the inside and the outside world.
It does not allow an inside user to reach the outside directly, or vice versa.
Limitations
Single point of failure
It introduces delay
Stateful Firewall
As the name tells us, a stateful firewall maintains the state of a connection as packets travel through
the appliance. It keeps the connection state in a state table. After adding the connection information
to the state table it forwards the packet to the destination. When it receives the reply packet it matches
the packet's information against the state table: if there is a match the packet is accepted, otherwise it is dropped.
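The state-table behaviour described above, as an added example that is not from the book: a minimal stateful filter in Python that records connections started from the inside and accepts traffic arriving from the outside only when it matches a recorded flow. Interface names, addresses and the packet sequence are constructed for illustration.

```python
"""Added example, not from the book: a minimal stateful packet filter that
records outbound connections in a state table and accepts inbound packets
only when they match a recorded flow. Interface names, addresses and the
packet sequence are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    ingress: str    # interface the packet arrived on


class StatefulFirewall:
    def __init__(self, inside_if="inside", outside_if="outside"):
        self.inside_if = inside_if
        self.outside_if = outside_if
        # State table: one entry per connection, keyed by the forward 5-tuple
        self.state = set()

    @staticmethod
    def forward_key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def reply_key(p):
        # A reply swaps source and destination, so look up the reversed tuple
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p):
        """Return 'accept' or 'drop' and update the state table."""
        if p.ingress == self.inside_if:
            # Inside-initiated connection: add the flow to the state table, then forward
            self.state.add(self.forward_key(p))
            return "accept"
        if p.ingress == self.outside_if and self.reply_key(p) in self.state:
            # Inbound packet matches an existing connection: accept
            return "accept"
        # No state for this packet: drop
        return "drop"


def run_demo():
    """Process a constructed packet sequence; returns the decisions and the table size."""
    fw = StatefulFirewall()
    packets = [
        Packet("192.168.1.10", 40000, "203.0.113.5", 80, "tcp", "inside"),   # outbound request
        Packet("203.0.113.5", 80, "192.168.1.10", 40000, "tcp", "outside"),  # matching reply
        Packet("203.0.113.5", 80, "192.168.1.10", 40001, "tcp", "outside"),  # port mismatch: no state
        Packet("198.51.100.7", 1234, "192.168.1.10", 22, "tcp", "outside"),  # unsolicited inbound
    ]
    return [fw.process(p) for p in packets], len(fw.state)


if __name__ == "__main__":
    print(run_demo())   # (['accept', 'accept', 'drop', 'drop'], 1)
```

The third packet is the instructive one: it comes from the same server as the legitimate reply, but the reversed 5-tuple does not exist in the table, so a stateful filter drops it where a simple packet filter permitting "port 80 replies" would let it through.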
Transparent Firewall
It works at layer 2, i.e. it forwards frames based on the destination MAC address, but it still has the
capability to filter traffic from layer 2 to layer 7.
Chapter 2
Cisco ASA
Cisco ASA Features
ASA Features
Proprietary Operating System
Stateful Firewall
User-Based Authentication (CTP)
Protocol and Application Inspection
MPF
VPN
Virtual Firewalls
Web-Based Management
Transparent Firewall
Stateful Failover
IPv6
Clustering
VPN Load Balancing
VPN
Cisco ASA supports the IPSec, SSL and PPTP protocols for VPN:
IPSec (site-to-site and remote-access)
SSL (clientless, thin client, thick client)
L2TP
Virtual Firewall
We can divide one appliance into many virtual appliances; these virtual appliances are called virtual
firewalls or security contexts.
IPv6
Cisco ASA also supports IPv6 routing: static, dynamic and default.
Clustering
A feature introduced in OS version 9.0; it enables us to group multiple appliances as a single appliance.
VPN Load Balancing
A Cisco proprietary feature of the Cisco firewall. It enables multiple remote VPN servers to appear as a
single server.
Chapter 3
ASA Basics
After reading this chapter you will be able to configure and describe:
Diagram:-
ASA Mode
ciscoasa> (User mode)
ciscoasa> enable
Password:
ciscoasa# conf t (enable mode)
ciscoasa(config)# ! hostname (config-mode)
ciscoasa(config)# hostname ASA1
! verification on pc
! verification in pc
! verification in pc2
PC2#ssh -l shiva 192.168.102.1
Password:
Type help or '?' for a list of available commands.
ASA1>
! you can't telnet to the lowest security-level interface
ASA1(config)# telnet 0 0 outside
ASA1(config)# ssh 0 0 outside
PC2#telnet 192.168.102.1
Trying 192.168.102.1 ...
% Connection timed out; remote host not responding
PC2#ssh
PC2#ssh -l
PC2#ssh -l shiva 192.168.102.1
Password:
Note:-
If something goes wrong, run these commands on the ASA:
ASA1(config)# asdm image disk0:/asdm-66114.bin
then initiate the connection again.
! ASA os Backup
ASA1(config)# sh fla
ASA1(config)# sh flash:
--#-- --length-- -----date/time------ path
146 0 Aug 29 2014 13:00:14 nat_ident_migrate
147 1422 Sep 23 2014 17:29:26 admin.cfg
148 2331 Sep 23 2014 17:29:26 old_running.cfg
22 4096 Sep 27 2013 10:55:54 coredumpinfo
23 59 Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg
149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
11 4096 Aug 29 2014 12:48:00 log
21 4096 Aug 29 2014 12:48:40 crypto_archive
150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin
151 135168 Jan 01 1980 00:00:00 FSCK0000.REC
152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
153 4096 Aug 29 2014 13:29:32 sdesktop
165 2082 Aug 29 2014 13:29:30 sdesktop/data-bkp.xml
166 2009 Aug 29 2014 13:42:06 sdesktop/data.xml
154 6487517 Oct 16 2012 13:16:00 anyconnect-macosx-i386-2.5.2014-k9.pkg
155 6689498 Oct 16 2012 13:16:02 anyconnect-linux-2.5.2014-k9.pkg
156 4678691 Oct 16 2012 13:16:02 anyconnect-win-2.5.2014-k9.pkg
157 333 Aug 29 2014 13:28:04 Anyconnect_client_profile.xml
158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin
160 4096 Jan 01 1980 00:00:00 FSCK0001.REC
161 31522773 Sep 26 2013 12:44:30 anyconnect-win-3.1.03103-k9.pkg
! password recovery
ASA1(config)# enable password asdasdwwqek89geuqbdqweqw
ASA1(config)# wr
ASA1(config)# write
ASA1# ex
Logoff
.
Cryptochecksum (unchanged): 3968c06d 20751a6b 73f37918 d875d53d
***
*** --- START GRACEFUL SHUTDOWN ---
ASA1> en
ASA1> enable
Password: (now no password)
ASA1#
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1(config)# pin
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Chapter 4
Routing
Routing rules
Types of routing
Static Routing
Routing Protocols
Routed Protocols
IGP
EGP
Distance Vector
Link State
Enhanced Distance Vector
Routing
The process of transferring a packet from one network to another is called routing.
Routing Rules
1. If the destination is in the same subnet or network, the device forwards the packet directly to the
destination.
Note:- An ARP request is used to find the destination's MAC address.
2. If the destination is not in the same subnet or network, the device forwards the packet to the
default gateway.
Note:- An ARP request is used to find the default gateway's MAC address.
Routing Types
Static
Default
Dynamic
Static Routing
In static routing we define routes manually with the appropriate next hop.
In static routing we always define indirectly connected networks.
Advantages
Easy to implement
Less CPU overhead
Less bandwidth consumption
Disadvantages
Not scalable
Default Routing
It is used on a stub router or network. A stub router has only one entry or exit point. It can be used to
reduce the size of the routing table.
Limitation
It can cause a loop in the network.
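The two routing rules and the static/default route types above, as an added example that is not from the book: a small longest-prefix-match table in Python modelled on R2 in this chapter's lab (192.168.2.0/24, the 172.20.x.0/24 loopbacks, default via 192.168.2.2). The extra static route 172.30.0.0/16 via 192.168.2.3 is constructed to show a more specific route beating the default, and the class and function names are this example's own.

```python
"""Added example, not from the book: a route table that applies the two
routing rules (connected subnet -> ARP for the destination, otherwise ARP
for the next hop) and longest-prefix match over connected, static and
default routes. Addresses follow R2 in the lab; the static route via
192.168.2.3 is constructed."""
import ipaddress


class RoutingTable:
    def __init__(self):
        # Each route: (network, next_hop or None for directly connected, type letter)
        self.routes = []

    def add_connected(self, prefix):
        self.routes.append((ipaddress.ip_network(prefix), None, "C"))

    def add_static(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop), "S"))

    def add_default(self, next_hop):
        # 0.0.0.0/0 matches every destination, so longest-prefix match makes it the fallback
        self.routes.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(next_hop), "S*"))

    def lookup(self, dst):
        """Longest-prefix match: the most specific route that contains dst."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r[0].prefixlen)

    def forward(self, dst):
        """Return (route type, 'direct' | 'via' | 'drop', address to ARP for)."""
        route = self.lookup(dst)
        if route is None:
            return ("none", "drop", None)
        _network, next_hop, kind = route
        if next_hop is None:
            # Rule 1: destination is in a connected subnet, ARP for the destination itself
            return (kind, "direct", dst)
        # Rule 2: ARP for the next hop (the default gateway when the S* route matched)
        return (kind, "via", str(next_hop))


def build_r2_table():
    rt = RoutingTable()
    rt.add_connected("192.168.2.0/24")            # fa0/0
    for i in range(1, 7):
        rt.add_connected(f"172.20.{i}.0/24")      # loopbacks 1-6
    rt.add_static("172.30.0.0/16", "192.168.2.3")  # constructed: more specific than the default
    rt.add_default("192.168.2.2")                  # ip route 0.0.0.0 0.0.0.0 192.168.2.2
    return rt


if __name__ == "__main__":
    rt = build_r2_table()
    for dst in ("192.168.2.2", "172.20.3.1", "172.10.1.1", "172.30.1.1"):
        print(dst, rt.forward(dst))
```

The default route only wins when nothing longer matches; with a default in place a typo'd or spoofed destination is never "unroutable", which is exactly the loop risk the Limitation above warns about when two devices point their defaults at each other.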
Dynamic Routing
In dynamic routing we use a routing protocol. Routing protocols dynamically learn routes and send route
information to the neighbouring routers.
Routed Protocols
They are those protocols which have the capability to carry data from one device to another device,
like IP, IPX, AppleTalk.
Distance Vector
A distance vector routing protocol selects the route based on distance,
which is called hop count.
Hop Count
When a packet crosses a router, that is called one hop.
A distance vector routing protocol selects the route which reaches a network in the fewest hops.
Examples:- RIP, IGRP.
Link State
As the name tells us, a link state routing protocol sends updates based on the state of a link: when
a link comes up or goes down it sends an update.
It sends updates with a sequence number, which starts at 0x80000001 and goes up to 0xFFFFFFFF.
Examples:- OSPF, IS-IS.
Enhanced DV
EIGRP is an enhanced DV routing protocol based on the distance vector algorithm, and it sends incremental
updates like link state; i.e. some people call it hybrid, but Cisco calls it Enhanced DV.
Diagram:-
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
Routing
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.2
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no shu
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.1.2
ASA1(config-if)# interface g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz1
INFO: Security level for "dmz1" set to 0 by default.
ASA1(config-if)# security-level 60
ASA1(config-if)# ip add 192.168.2.2
ASA1(config-if)# interface gigabitEthernet 0/2
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.3.2
ASA1(config-if)# interface gigabitEthernet 0/3
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz2
INFO: Security level for "dmz2" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip add 192.168.4.2
ASA1(config-if)# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.2 YES manual up up
GigabitEthernet0/1 192.168.2.2 YES manual up up
GigabitEthernet0/2 192.168.3.2 YES manual up up
But.........................
R2#telnet 172.10.1.1
Trying 172.10.1.1 ...
% Connection timed out; remote host not responding
R2#telnet 172.30.1.1
Trying 172.30.1.1 ... Open
Password required, but none set
[Connection to 172.30.1.1 closed by foreign host]
R2#telnet 172.40.1.1
Trying 172.40.1.1 ... Open
Password required, but none set
[Connection to 172.40.1.1 closed by foreign host]
If you want to allow this, apply an access-list on the ASA:
ASA1(config)# access-list dmz1 permit ip 172.20.0.0 255.255.0.0 172.10.0.0 255.255.0.0
ASA1(config)# access-group dmz1 in interface dmz1
R2#ping 172.10.1.1 source loopback 1
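What the lab above shows, as an added example that is not from the book: a Python model of the two ASA behaviours at work. Without an access-list, a connection may only be started from a higher security-level interface towards a lower one, which is why R2 on dmz1 (60) reaches R3 on outside (0) and R4 on dmz2 (50) but not R1 on inside (100); once an access-group is bound inbound on dmz1, that access-list decides instead, ending in an implicit deny. Interface names, levels and addresses come from the lab; the class and function names are this example's own, and the model leaves out the stateful handling of return traffic.

```python
"""Added example, not from the book: a model of the ASA's default
security-level rule and of an inbound access-group with its implicit deny.
Interface names, levels and addresses are taken from the lab above."""
import ipaddress


class Ace:
    """One entry: access-list <name> permit|deny ip <src> <mask> <dst> <mask>."""

    def __init__(self, action, src, src_mask, dst, dst_mask):
        self.action = action
        self.src = ipaddress.ip_network(f"{src}/{src_mask}")
        self.dst = ipaddress.ip_network(f"{dst}/{dst_mask}")

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


class AsaModel:
    def __init__(self, levels):
        self.levels = levels         # nameif -> security-level
        self.acls = {}               # access-list name -> [Ace, ...]
        self.access_groups = {}      # ingress nameif -> access-list name

    def access_list(self, name, ace):
        self.acls.setdefault(name, []).append(ace)

    def access_group(self, name, iface):
        self.access_groups[iface] = name

    def allowed(self, ingress, egress, src, dst):
        """Can a new connection from src (arriving on ingress) reach dst via egress?"""
        name = self.access_groups.get(ingress)
        if name is not None:
            # An inbound ACL replaces the level rule for that interface; first match wins
            for ace in self.acls[name]:
                if ace.matches(src, dst):
                    return ace.action == "permit"
            return False          # implicit deny at the end of every access-list
        # No ACL bound: only higher-to-lower security level may initiate by default
        return self.levels[ingress] > self.levels[egress]


def lab_walkthrough():
    """Replays the lab: R2 on dmz1 tries R1 (inside), R3 (outside), R4 (dmz2)."""
    asa = AsaModel({"inside": 100, "dmz1": 60, "outside": 0, "dmz2": 50})
    attempts = {
        "R2->R1": ("dmz1", "inside", "172.20.1.1", "172.10.1.1"),
        "R2->R3": ("dmz1", "outside", "172.20.1.1", "172.30.1.1"),
        "R2->R4": ("dmz1", "dmz2", "172.20.1.1", "172.40.1.1"),
    }
    before = {k: asa.allowed(*v) for k, v in attempts.items()}
    # access-list dmz1 permit ip 172.20.0.0 255.255.0.0 172.10.0.0 255.255.0.0
    # access-group dmz1 in interface dmz1
    asa.access_list("dmz1", Ace("permit", "172.20.0.0", "255.255.0.0",
                                "172.10.0.0", "255.255.0.0"))
    asa.access_group("dmz1", "dmz1")
    after = {k: asa.allowed(*v) for k, v in attempts.items()}
    return before, after


if __name__ == "__main__":
    print(lab_walkthrough())
```

The second result set is the caveat to keep in mind: after the access-group is applied, R2's previously working sessions to R3 and R4 are now denied as well, because the bound access-list, not the security level, governs everything entering dmz1. A permit for that traffic has to be added explicitly if it is still wanted.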
Chapter 5
RIP
RIP
RIP Version
RIP Timers
RIP Loop avoidance Techniques
Route Poisoning
Poison Reverse
Split-Horizon
Version 1                           Version 2
Classful                            Classless
DV                                  DV
AD 120                              AD 120
Metric: hop count                   Metric: hop count
Max hop 15                          Max hop 15
Broadcast update 255.255.255.255    Multicast update 224.0.0.9
Default                             Manual
Sends v1                            Sends v2
Receives v1 & v2                    Receives v2
No authentication                   Supports authentication
Classful                            Classless
Route Poisoning
RIP signals bad news with a special metric, the infinite metric, i.e. 16. When RIP advertises a route
with metric 16, that is called route poisoning.
Route Poisoning
Router1>>>>> 101.0=16>>>>>>>>>Router2
Poison Reverse
When a router receives a route poisoning update, it accepts it and updates its routing table, and it sends
the same update back to the neighbour.
(Router1>>>>> 101.0=16>>>>>>>>>Router2 )
(Router1<<<<< 101.0=16<<<<<<<<<Router2) is Poison Reverse
Split Horizon
A rule in distance vector routing protocols: it does not allow a routing protocol to send information
out of the interface on which that information was received.
RIP Timers
Update 30 sec
Invalid 180 sec
Hold 180 sec
Flush 240 sec
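Route poisoning, poison reverse, split horizon and the invalid/flush timers above, as an added example that is not from the book: a small RIP table in Python that processes updates and builds the per-interface advertisement. Prefixes, interface names, the neighbour address and the timestamps are constructed sample values modelled on R2 in the lab, and the class and function names are this example's own.

```python
"""Added example, not from the book: a RIP table that applies route
poisoning, poison reverse, split horizon and the invalid/flush timers.
Prefixes, interfaces, neighbour and timestamps are constructed."""
INFINITY = 16                 # RIP's infinite metric
INVALID, FLUSH = 180, 240     # seconds, as listed under RIP Timers


class RipRouter:
    def __init__(self):
        # prefix -> {"metric", "iface", "next_hop" (None = connected), "heard"}
        self.table = {}

    def add_connected(self, prefix, iface):
        self.table[prefix] = {"metric": 0, "iface": iface, "next_hop": None, "heard": 0}

    def receive(self, iface, neighbor, routes, now):
        """Process an update {prefix: metric} heard from neighbor on iface."""
        for prefix, metric in routes.items():
            cur = self.table.get(prefix)
            if cur is not None and cur["next_hop"] is None:
                continue                                  # never replace a connected route
            if cur is not None and cur["next_hop"] == neighbor:
                # Same source as the installed route: accept it, including a poison (16)
                cur["metric"], cur["heard"] = metric, now
            elif metric < INFINITY and (cur is None or metric < cur["metric"]):
                self.table[prefix] = {"metric": metric, "iface": iface,
                                      "next_hop": neighbor, "heard": now}

    def build_update(self, out_iface, poison_reverse=True):
        """Routes to advertise out of out_iface (this model adds the hop on send)."""
        update = {}
        for prefix, r in self.table.items():
            if r["iface"] == out_iface:
                if poison_reverse and r["next_hop"] is not None:
                    update[prefix] = INFINITY   # poison reverse: echo it back as unreachable
                continue                        # split horizon: otherwise say nothing
            update[prefix] = min(r["metric"] + 1, INFINITY)   # a poisoned route stays at 16
        return update

    def age(self, now):
        """Invalid timer marks a silent route unreachable; flush timer removes it."""
        for prefix in list(self.table):
            r = self.table[prefix]
            if r["next_hop"] is None:
                continue
            if now - r["heard"] >= FLUSH:
                del self.table[prefix]
            elif now - r["heard"] >= INVALID:
                r["metric"] = INFINITY


def rip_walkthrough():
    r2 = RipRouter()
    r2.add_connected("192.168.2.0/24", "fa0/0")
    r2.add_connected("172.20.1.0/24", "lo1")
    # R1's loopback network arrives from the ASA (192.168.2.2) on fa0/0 at 1 hop
    r2.receive("fa0/0", "192.168.2.2", {"172.10.1.0/24": 1}, now=0)
    with_pr = r2.build_update("fa0/0")                           # poison reverse
    without_pr = r2.build_update("fa0/0", poison_reverse=False)  # plain split horizon
    # The ASA now poisons the route
    r2.receive("fa0/0", "192.168.2.2", {"172.10.1.0/24": INFINITY}, now=30)
    poisoned = r2.table["172.10.1.0/24"]["metric"]
    passed_on = r2.build_update("lo1")       # the poison is propagated at metric 16
    r2.age(now=30 + FLUSH)                   # nothing heard since: flushed
    return with_pr, without_pr, poisoned, passed_on, "172.10.1.0/24" in r2.table


if __name__ == "__main__":
    print(rip_walkthrough())
```

The same-source rule in `receive` is what makes route poisoning work: a worse metric is normally ignored, but a metric of 16 from the router that originally supplied the route must be accepted, otherwise the dead route would linger until the invalid timer expires.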
Diagram:-
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
R2
router rip
no au
ver 2
net 0.0.0.0
R3
router rip
no au
ver 2
net 0.0.0.0
R4
router rip
no au
ver 2
net 0.0.0.0
ASA1
router rip
no au
ver 2
net 0.0.0.0
ASA1# sh route
!Redistribution in RIP
ASA1(config-router)# router rip
ASA1(config-router)# !redistribute
ASA1(config-router)# redistribute static metric 1
! Verification on Routers
R1#sh ip route rip
R* 0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:24, FastEthernet0/0
R2#sh ip route rip
R* 0.0.0.0/0 [120/1] via 192.168.2.2, 00:00:24, FastEthernet0/0
R4#sh ip route rip
R* 0.0.0.0/0 [120/1] via 192.168.4.2, 00:00:08, FastEthernet0/0
ASA1(config-router)# router rip
ASA1(config-router)# no redistribute static metric 1
! Verification on Routers (same result on R2, R3, R4)
R1#sh ip route rip
R* 0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:17, FastEthernet0/0
ASA1# sh route inside
R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R 172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
! Verification on ASA
ASA1(config-router)# sh route inside
R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside
R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside
R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside
R 172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside
R 172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside
R 172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
ASA1# clear route all
ASA1# sh route inside
R 172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside
R 172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside
R 172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
! Verification on Router
R1#sh ip route rip
172.20.0.0/24 is subnetted, 6 subnets
R 172.20.1.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
R 172.20.2.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
R 172.20.3.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
R 172.20.4.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
R 172.20.5.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
Chapter 6
EIGRP
EIGRP
EIGRP Components
EIGRP Messages
EIGRP Terminology
EIGRP Tables Types
EIGRP Modes
EIGRP Neighbours Requirements
EIGRP Components
PDM (Protocol Dependent Module)
RTP (Reliable Transport Protocol)
NDR (Neighbour Discovery and Recovery)
DUAL (Diffusing Update Algorithm)
PDM
It is used to support different types of routed protocols,
like IP, IPX, AppleTalk.
RTP
It is used to send some EIGRP messages.
EIGRP messages:-
1. Hello: multicast
2. Update: via RTP, multicast
3. Acknowledgement: unicast
4. Query: via RTP, multicast
5. Reply: via RTP, unicast
NDR
It is used to maintain neighbourship. Functions:
First, it determines how many neighbours exist.
Second, how many hellos or acknowledgements are expected.
If 3 consecutive hellos are missed, the neighbour is removed from the neighbour table.
DUAL
A modification of the distance vector algorithm is called DUAL.
It provides a loop-free failover path.
EIGRP Terminology
Successor
Feasible Distance
Feasible Successor
Feasible Successor Requirement
AD/RD
Input Event
Local Computation
Going Active
Successor
The best route to reach a subnet or network.
Feasible Distance
The calculated metric of the successor is called the feasible distance.
Feasible Successor
Another, next-best route; it provides a backup to the successor.
AD/RD
A router's FD is called the AD/RD (advertised/reported distance) by its neighbours.
Input Event
Information which has the capability to change the database.
Local Computation
A term covering two functions:
If the successor goes down, the router uses the FS.
If no FS is available, the router goes active for that route.
Going Active
It means that a router is sending queries to its neighbours for a route.
EIGRP Tables
Neighbour Table
Topology Table
Routing Table
Neighbour Tables
First of all EIGRP builds the neighbour table. It contains the following information:
IP address of the neighbour
Interface
Up time
Hold time
Sequence number of the last packet
Packets in queue
SRTT
RTO
Topology Tables
After the neighbour table, EIGRP maintains the topology table.
It contains the successor and feasible successor.
Routing Tables
It contains three types of routes:
Internal
External
Summary
EIGRP Metric
The EIGRP metric is called a composite metric. It contains 5 elements; these elements are called K-values:
Bandwidth
Delay
Load
Reliability
MTU
Only bandwidth and delay are used for metric calculation.
EIGRP Modes
Passive mode
When a successor goes down and the router has an FS, it is called passive mode.
Active mode
When a successor goes down and the router has no FS, it is called active mode.
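The successor, feasible-distance and feasible-successor terms, the passive/active modes and the metric section above, as an added example that is not from the book: Python that picks the successor and feasible successors for one prefix using the feasibility condition (a neighbour's reported distance must be lower than our feasible distance), decides between passive and active when the successor is lost, and computes the classic composite metric with the default K-values, in which only bandwidth and delay count. Neighbour names, reported distances and link costs are constructed sample values, and the function names are this example's own.

```python
"""Added example, not from the book: successor / feasible-successor
selection with the feasibility condition, the passive/active decision
when a successor fails, and the composite metric with default K-values.
Neighbour names, reported distances and link costs are constructed."""


def eigrp_metric(min_bandwidth_kbps, total_delay_us, k1=1, k3=1):
    """Composite metric with K2 = K4 = K5 = 0, so load, reliability and MTU drop out."""
    bandwidth = 10_000_000 // min_bandwidth_kbps   # scaled inverse of the slowest link
    delay = total_delay_us // 10                     # delay in tens of microseconds
    return (k1 * bandwidth + k3 * delay) * 256


def dual(topology):
    """topology: {neighbour: (reported_distance, link_cost)} for one prefix.
    Returns (feasible_distance, successor, sorted feasible successors)."""
    computed = {n: rd + cost for n, (rd, cost) in topology.items()}
    successor = min(computed, key=computed.get)
    fd = computed[successor]
    # Feasibility condition: RD < FD proves the neighbour is not routing through us,
    # so the backup is loop-free without any further computation
    feasible = sorted(n for n, (rd, _) in topology.items() if n != successor and rd < fd)
    return fd, successor, feasible


def successor_lost(topology):
    """Local computation after the successor fails: promote an FS (stay passive)
    or, with none available, go active and query the neighbours."""
    _fd, _successor, feasible = dual(topology)
    backups = {n: topology[n] for n in feasible}
    if backups:
        new_fd, new_successor, _ = dual(backups)
        return "passive", new_successor, new_fd
    return "active", None, None


if __name__ == "__main__":
    table = {"A": (10, 5), "B": (12, 5), "C": (16, 1)}
    print(dual(table))                      # (15, 'A', ['B'])
    print(successor_lost(table))            # ('passive', 'B', 17)
    print(successor_lost({"A": (10, 5), "C": (16, 1)}))   # ('active', None, None)
    print(eigrp_metric(100000, 100))        # 28160, one FastEthernet hop
```

Neighbour C is the point of the sample: its total cost through us (17) equals B's, yet it is not a feasible successor because its reported distance (16) is not below the feasible distance (15), so losing A with only C left forces the router into active mode.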
Diagram:-
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no shu
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.1.2
ASA1(config-if)# interface g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz1
INFO: Security level for "dmz1" set to 0 by default.
ASA1(config-if)# security-level 60
ASA1(config-if)# ip add 192.168.2.2
ASA1(config-if)# interface gigabitEthernet 0/2
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.3.2
ASA1(config-if)# interface gigabitEthernet 0/3
ASA1(config-if)# no shu
ASA1(config-if)# nameif dmz2
INFO: Security level for "dmz2" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip add 192.168.4.2
ASA1(config-if)# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.2 YES manual up up
GigabitEthernet0/1 192.168.2.2 YES manual up up
GigabitEthernet0/2 192.168.3.2 YES manual up up
GigabitEthernet0/3 192.168.4.2 YES manual up up
ASA1(config-if)# sh nameif
Interface Name Security
GigabitEthernet0/0 inside 100
GigabitEthernet0/1 dmz1 60
GigabitEthernet0/2 outside 0
GigabitEthernet0/3 dmz2 50
ASA1(config-if)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
D 172.10.1.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.3.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.4.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.5.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.10.6.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
D 172.20.1.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1
D 172.20.2.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1
D 172.20.3.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
D 172.20.4.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
D 172.20.5.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
D 172.20.6.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
D 172.30.1.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.2.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.3.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.4.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.5.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.30.6.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
D 172.40.1.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
D 172.40.2.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
D 172.40.3.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
D 172.40.4.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
D 172.40.5.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
! Redistribution in EIGRP
ASA1(config)# router eigrp 100
ASA1(config-router)# redistribute static metric 1 1 1 1 1
ASA1(config-router)# default-metric 1 1 1 1 1
ASA1(config-router)# redistribute static
! Verification on R1 (same output on R2, R3, R4)
R1#sh ip route eigrp
D*EX 0.0.0.0/0 [170/2560002816] via 192.168.1.2, 00:00:35, FastEthernet0/0
ASA1(config-router)# no redistribute static
R1#
*Sep 28 09:29:38.091: EIGRP: Sending HELLO on Loopback6
*Sep 28 09:29:38.091: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
! Verification
ASA1(config-router)# router eigrp 100
ASA1(config-router)# distribute-list 10 in interface inside
ASA1(config)# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
D 172.10.1.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:03:02, inside
D 172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:03:02, inside
D 172.10.3.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:03:02, inside
! EIGRP AD Changing
ASA1(config-router)# router eigrp 100
ASA1(config-router)# distance eigrp 111 222
ASA1(config-router)# sh route inside
D 172.10.1.0 255.255.255.0
[111/130816] via 192.168.1.1, 00:00:06, inside
D 172.10.2.0 255.255.255.0
[111/130816] via 192.168.1.1, 00:00:06, inside
D 172.10.3.0 255.255.255.0
[111/130816] via 192.168.1.1, 00:00:06, inside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
! Summarization in EIGRP
ASA1(config-if)# interface gigabitEthernet 0/0
ASA1(config-if)# summary-address eigrp 100 0 0
! Verification on Router1
R1#sh ip route eigrp
D* 0.0.0.0/0 [90/28416] via 192.168.1.2, 00:00:30, FastEthernet0/0
Chapter 7
OSPF
OSPF
Difference between link State & Distance Vector
OSPF Tables
OSPF Messages & Contents
OSPF States
DR & BDR
DR & BDR Requirements
OSPF Area Structure
OSPF Network Types
OSPF Router Types
OSPF LSA Types
OSPF Area Types
OSPF Neighbour Ship Requirement
OSPF Authentication Types
OSPF Summarization Types
OSPF Virtual Link
Link State
As the name tells us, a link-state routing protocol sends updates based on the state of its links: when
a link comes up or goes down, it sends an update.
It sends each update with a sequence number, which starts at 0x80000001 and goes till
0xFFFFFFFF.
Priority
DR & BDR information
Authentication
Stub information
OSPF States
Down
Attempt
Initialization
2 way
Ex-start
Exchange
Loading
Full
When Hellos have been exchanged between two OSPF routers, that is called the 2-Way state.
The DR & BDR are elected here.
OSPF Area
Backbone Area
Regular Area
Apart from area zero, all other areas are called regular areas.
They must be connected to the backbone area.
OSPF Priority
The OSPF Hello message has an 8-bit priority field; the default value is 1, the maximum 255.
If the priority is zero, the router will not participate in the DR & BDR election.
Designated Router
When OSPF routers are connected to a multi-access network, one router takes the responsibility of
forming adjacencies with all the other routers; that router is called the DR.
Router ID Requirements
1. Highest loopback IP address
2. If there is no loopback, the highest IP address of an up physical interface
3. It can be configured manually.
OSPF Metric
It is called cost. Formula: cost = 100 Mbps / bandwidth.
OSPF Network Types (Cisco)
Broadcast
P2P
P2MPNB
Internal Router
Back Bone Router
ABR
ASBR
Internal Router
A router that has all its interfaces in a regular area is called an Internal router.
Backbone Router
A router that has all its interfaces in area 0, the Backbone area, is called a Backbone router.
ABR
Area Border Router: a router which connects the Backbone area to a regular area is called an ABR.
ASBR
A router which connects the OSPF routing domain to another routing domain is called an ASBR.
Note:- OSPF sends incremental updates; these updates are called LSAs
(Link State Advertisements).
LSA Types
Router LSA
Network LSA
Summary LSA
AS LSA
External LSA
Group member ship LSA
NSSA LSA
Router LSA
It contains the router ID of a router. It is sent within the area.
Network LSA
It contains the DR's router ID and is sent by the DR. It is sent within the area.
Summary LSA
When the routes of one area go to another area, they go as Summary LSAs.
It is sent by the ABR.
AS LSA (ASBR LSA)
It contains the ASBR's router ID. It is generated by an ABR when the ABR receives an External LSA from the ASBR.
External LSA
It contains external routes. It is sent by the ASBR.
NSSA LSA
It contains external routes. It is used in an NSSA area; it allows an ASBR to send external routes through
a stub-type area to the backbone.
The reason: in a stub/NSSA area LSA 5 is not allowed (it is filtered), so the external routes are
carried as LSA 7 instead, and LSA 7 is only recognized within the NSSA area.
Standard Area
It contains the entire OSPF domain itself.
If you are using a standard area you can't reduce the size of the routing table;
to reduce the size of the routing table we use the other area types.
Stub Area
It filters the external routes and replaces them with a default route.
NSSA
It allows an ASBR to send external routes through a stub area to the backbone area using LSA 7 (NSSA LSA).
Notes:-
But it filters the external routes coming from the ABR.
It doesn't generate a default route.
Totally NSSA
It allows an ASBR to send external routes through a stub area to the backbone area using LSA 7 (NSSA LSA).
Notes:-
But it filters the external & inter-area routes coming from the ABR.
It does generate a default route.
In Metric-type 2 the internal cost is not added when routes are propagated in the OSPF domain.
In Metric-type 1 the internal cost is added when routes are propagated in the OSPF domain.
If you want the best path to be used for external routes, you have to use metric-type 1.
Seed Metric
When routes are redistributed into a routing protocol, it needs a starting point;
that starting point is called the seed metric.
The OSPF seed metric is 20. If you want to change it, you can change it at the time of redistribution.
Important Note
Area 0 can't be stub.
Virtual links are not allowed in a stub area.
All routers must agree that they are part of the stub area.
OSPF AD is 110.
Default max-path 4, maximum 16.
224.0.0.6 is used by NON-DR to DR only, for updates & acknowledgements.
224.0.0.5 is used for Hellos, NON-DR or DR to NON-DR.
224.0.0.5 is used for updates, DR to NON-DR.
Diagram:-
Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no shu
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
R1(config)#router os 100
R1(config-router)#net 192.168.1.0 0.0.0.255 area 1
R1(config-router)#net 172.10.0.0 0.0.7.255 area 4
R2
R2(config)#router os 100
R2(config-router)#net 192.168.2.0 0.0.0.255 area 0
R2(config-router)#router ei 100
R2(config-router)#no au
R2(config-router)#net 172.20.0.0 0.0.7.255
R3
R3(config)#router os 100
R3(config-router)#net 192.168.3.0 0.0.0.255 area 2
R3(config-router)#net 172.30.0.0 0.0.7.255 area 2
R4
R4(config)#router os 100
R4(config-router)#net 192.168.4.0 0.0.0.255 area 3
R4(config-router)#router ei 200
R4(config-router)#no au
R4(config-router)#net 172.40.0.0 0.0.7.255
ASA1(config)# router os 100
ASA1(config-router)# net 192.168.1.0 255.255.255.0 area 1
ASA1(config-router)# net 192.168.2.0 255.255.255.0 area 0
ASA1(config-router)# net 192.168.3.0 255.255.255.0 area 2
ASA1(config-router)# net 192.168.4.0 255.255.255.0 area 3
O 172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
O 172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz1
L 192.168.2.2 255.255.255.255 is directly connected, dmz1
C 192.168.3.0 255.255.255.0 is directly connected, outside
L 192.168.3.2 255.255.255.255 is directly connected, outside
C 192.168.4.0 255.255.255.0 is directly connected, dmz2
L 192.168.4.2 255.255.255.255 is directly connected, dmz2
! No Area 4 routes: area 4 is not connected to the backbone (area 0)
! Virtual Link in OSPF
O 172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:35, outside
O 172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:41, outside
O 172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:41, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.2 255.255.255.255 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz1
L 192.168.2.2 255.255.255.255 is directly connected, dmz1
C 192.168.3.0 255.255.255.0 is directly connected, outside
L 192.168.3.2 255.255.255.255 is directly connected, outside
C 192.168.4.0 255.255.255.0 is directly connected, dmz2
L 192.168.4.2 255.255.255.255 is directly connected, dmz2
R4(config-router)#
*Sep 28 11:10:58.275: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
INIT to DOWN, Neighbor Down: Adjacency forced to reset
R4(config-router)#
*Sep 28 11:11:03.631: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
LOADING to FULL, Loading Done
! Stub Verification
R4#sh ip route ospf
172.10.0.0/32 is subnetted, 6 subnets
O IA 172.10.6.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.5.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.4.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.3.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.2.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.10.1.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
172.30.0.0/32 is subnetted, 6 subnets
O IA 172.30.3.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.2.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.1.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.6.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.5.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 172.30.4.1 [110/12] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 192.168.1.0/24 [110/11] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 192.168.2.0/24 [110/11] via 192.168.4.2, 00:00:38, FastEthernet0/0
O IA 192.168.3.0/24 [110/11] via 192.168.4.2, 00:00:38, FastEthernet0/0
O*IA 0.0.0.0/0 [110/2] via 192.168.4.2, 00:00:38, FastEthernet0/0
! By default OSPF advertises a loopback as a single host (/32). If it should be advertised as a network,
do the following
R1(config)#interface loopback 1
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 2
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 3
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 4
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 5
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 6
R1(config-if)#ip ospf network point-to-point
ASA1(config-router)# sh route
! OSPF AD Changing
ASA1(config-router)# router ospf 100
ASA1(config-router)#distance ospf inter-area 110 intra-area 110 external 180
ASA1(config-router)# sh route
O 172.30.2.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:27, outside
O 172.30.3.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
O 172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
O 172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
O 172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
O N1 172.40.1.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.2.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.3.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.4.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.5.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
O N1 172.40.6.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
! Manual Router ID
ASA1(config-router)# router ospf 100
ASA1(config-router)# router-id 123.123.123.123
Chapter 8
IPv6 Introduction
IPv6
IPv6 Styles
IPv6 Routing Protocols
RIPng
OSPFv3
EIGRPv6
IPv6
Before IPv6 we have to understand IP.
IP Address
A logical address; it enables a machine to communicate with other machines on the network.
IP Parts
1. Network ID
2. Host ID
Network ID
It enables us to determine the network location within a class.
Host ID
It enables us to determine the location of a host within a network.
IP Address Classes
A (1-126)/8
B (128-191)/16
C (192-223)/24
D (224-239) Multicast
E (240-255)
IP Address Types
1. Public
2. Private
Public
They are accessible via the internet and unique in the world.
Private
They are not accessible via the internet; they can be used by private organizations.
IP Addresses Styles
1. Unicast
2. Broadcast
3. Multicast
Unicast
Traffic goes one-to-one; if we are sending data to a group it requires retransmission, which eats up our
bandwidth.
Broadcast
In it we send data to all. It is useful when the destination is unknown. It is used by DHCP, ARP and
RIPv1. Each NIC receives the broadcast and processes it, whether or not it is meant for that host. But
broadcasts are not forwarded by a router or appliance.
Multicast
In it a source generates a stream that is distributed among the clients.
Or:
when a host joins a multicast group, its NIC is re-programmed and starts capturing data for the
joined group.
Multicast MAC
It is a 48-bit address. The first half of the address (24 bits) is the predefined 0100.5e; the 25th bit is always
zero, and the last 23 bits are obtained from the multicast IP address.
For example
224.0.0.1 -> 0100.5e00.0001
224.0.0.10 -> 0100.5e00.000a
Multicast Addresses
1. Link Local 224.0.0.0/24
2. Source Specific 232.0.0.0/8
3. GLOP 233.0.0.0/8
4. Administratively Scoped 239.0.0.0/8
5. Globally Scoped 224.0.1.0-231.255.255.255
234.0.0.0-238.255.255.255
Link Local
They are sent with a TTL value of one.
Source Specific
In Source Specific a host receives multicast traffic from a single server.
GLOP
It allocates 256 multicast addresses to each AS; the middle 16 bits are obtained from the AS number.
Brief
IPv4
32 bits address
Decimal format
separated by ( . )
20 bytes header
IPv6
128 bits address
Hexadecimal format
separated by ( : )
40 bytes header
IPv6 Style
Unicast
Multicast
Anycast
Unicast Types
Global Unicast
Unique Local
Link Local
Global Unicast
They are public addresses, routable over the internet like IPv4 public addresses.
They start with 2000::/3.
Unique Local
They are private addresses, not routable over the internet, like IPv4 private addresses. They start with
FD00::/8.
Link Local
They are created automatically by the device and are used by routing protocols to communicate with
each other.
They start with FE80::/10.
A Link Local address contains a 64-bit interface ID.
The interface ID contains the 48-bit MAC & a 16-bit EUI.
The EUI is FFFE.
Procedure of Link Local
For example, the MAC is 0000.0c07.ac01
1. The 7th bit of the 1st byte of the MAC address is flipped from zero to 1;
MAC now 100.0c07.ac01
2. Add the EUI:
100.0cFF.FE07.ac01
3. Add the Link Local prefix:
FE80::100.0cFF.FE07.ac01/10
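An added example (not the book's code) implementing the link-local derivation just described and its reverse. It follows RFC 4291, where the bit flipped is the Universal/Local bit, the 7th bit of the first octet counted from the most significant bit (mask 0x02), so the example MAC 0000.0c07.ac01 yields fe80::200:cff:fe07:ac01; the reverse function is applied to the link-local addresses in the ASA's show ipv6 interface brief output later in this chapter.

```python
"""EUI-64 link-local derivation and its reverse. Added example, not the book's.

RFC 4291: insert FFFE between the OUI and the device half of the MAC and
invert the Universal/Local bit, which is bit 7 of the first octet counted
from the most significant bit (mask 0x02). For 0000.0c07.ac01 that yields
0200.0cff.fe07.ac01 -> fe80::200:cff:fe07:ac01.
"""
import ipaddress
import re
from typing import Optional

UL_BIT = 0x02                                # Universal/Local bit, first octet
LINK_LOCAL_PREFIX = b"\xfe\x80" + bytes(6)   # fe80::/64 with zero subnet bits


def parse_mac(mac: str) -> bytes:
    """Accept 0000.0c07.ac01, 00:00:0c:07:ac:01 or 00-00-0c-07-ac-01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def dotted_hex(mac: bytes) -> str:
    """Cisco-style notation as the book prints it: 0000.0c07.ac01."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def eui64_interface_id(mac: bytes) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier."""
    first = mac[0] ^ UL_BIT                   # 00 -> 02, 6c -> 6e, ...
    return bytes([first]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def link_local_from_mac(mac: str) -> str:
    """Link-local address a device autoconfigures from its MAC."""
    iid = eui64_interface_id(parse_mac(mac))
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + iid))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None if the
    interface ID lacks the ff:fe marker (e.g. a privacy/random address).

    Defender's note: because this reverse step works, EUI-64 addresses
    reveal a host's hardware address and vendor OUI to anyone who sees them."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:8]
    return dotted_hex(mac)


if __name__ == "__main__":
    print(link_local_from_mac("0000.0c07.ac01"))        # the book's example MAC
    # link-local from the ASA's 'show ipv6 interface brief' output in this chapter
    print(mac_from_eui64("fe80::6e20:56ff:febd:ea87"))
    print(mac_from_eui64("fe80::1"))                      # not EUI-64 -> None
```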
Multicast
They are just like IPv4 multicast addresses:
FF02::1 for all hosts
FF02::2 for all routers
FF02::5 for OSPF
FF02::6 for OSPF
FF02::9 for RIPng
FF02::A for EIGRP
FF02::D for PIM
IPv6 Format
1234:1234:1234:1234:1234:1234:1234:1234 (right)
2000:0000:0000:1111:0000:0000:0000:0001 (right)
2000:0:0:1111:0:0:0:1 (right)
:: Only Once
RIPng
Routing Information Protocol next generation
It is based on RIPv2.
It uses UDP port 521.
Multicast updates to FF02::9.
No authentication support.
We can now run multiple RIPng processes.
Max-Path 16.
IS-ISv6
It uses the same concept as IS-IS. It uses IP protocol no. 131 (0x83).
It works at OSI layer 3.
Its PDU is directly encapsulated in a frame.
EIGRPv6
Cisco Proprietary
IP protocol no. 88
Same concept like EIGRP
Max-Path 16
Shut down by default
It requires a Router ID
Multicast at FF02::A
MD5 authentication
OSPFv3
Still Open Standard
IP protocol no. 89
Uses IPsec authentication
It adds a 16-byte header while OSPF adds 24 bytes
Note
Cisco ASA OS version 8.6 supports only static & default IPv6 routing.
Cisco ASA OS version 9.2.2.4 supports only static, default & OSPFv3 IPv6 routing.
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:1::1/48
int lo1
ipv6 add 192:168:101::1/48
ipv6 route ::/0 192:168:1::2
R2
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:2::1/48
int l1
ipv6 add 192:168:102::1/48
ipv6 route ::/0 192:168:2::2
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:3::1/48
int l1
ipv6 add 192:168:103::1/48
ipv6 route ::/0 192:168:3::2
R4
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:4::1/48
int lo1
ipv6 add 192:168:104::1/48
ipv6 route ::/0 192:168:4::2
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:2::2/48
!
interface GigabitEthernet0/2
nameif outside
security-level 0
no ip address
ipv6 address 192:168:3::2/48
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
no ip address
ipv6 address 192:168:4::2/48
!
ASA1(config)# sh ipv6 int brief
inside [up/up]
fe80::6e20:56ff:febd:ea87
192:168:1::2
dmz1 [up/up]
fe80::6e20:56ff:febd:ea84
192:168:2::2
outside [up/up]
fe80::6e20:56ff:febd:ea88
192:168:3::2
dmz2 [up/up]
fe80::6e20:56ff:febd:ea85
192:168:4::2
GigabitEthernet0/4 [administratively down/down]
unassigned
GigabitEthernet0/5 [administratively down/down]
unassigned
Management0/0 [administratively down/down]
unassigned
ASA1(config)# ping 192:168:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:2::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:2::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:3::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:3::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192:168:4::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192:168:4::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
R4
R4#ping 192:168:101::1 source loopback 1
Chapter 9
SLA
If our primary link goes down, the appliance will use the secondary.
But consider this condition: there is no problem with our access link, but the ISP's network has a
problem, meaning ISP1 is not able to give us connectivity.
In this situation the appliance will not use the ISP2 link, because the ISP1 link is up.
To solve this problem we have SLA (Service Level Agreement).
In SLA we check reachability from our end to a public server, using ICMP echo-requests.
This is called a track. The track is associated with a static route, for example the ISP1 route.
If reachability is available, the track remains up; while the track is up, the route remains in the routing
table.
If there is no reachability, the track goes down; when the track is down, the appliance removes the primary route from the
table and the secondary is used.
Diagram:-
Initial-config
PC1
PC1(config)#interface fastEthernet 0/0
PC1(config-if)#no shutdown
PC1(config-if)#ip add 192.168.101.100 255.255.255.0
PC1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.101.1
ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#no shutdown
ISP(config-if)#ip add 101.1.1.1 255.255.255.0
ISP(config-if)#int f0/1
ISP(config-if)#no shutdown
ISP(config-if)#ip add 102.1.1.1 255.255.255.0
ISP(config-if)#int l1
ISP(config-if)#ip add 1
ISP(config-if)#ip add 1.1.1.1 255.255.255.255
ASA1
ASA1(config)# hostname ASA1
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no sh
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.101.1 255.255.255.0
ASA1(config-if)# int g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside1
INFO: Security level for "outside1" set to 0 by default.
ASA1(config-if)# ip add 101.1.1.100 255.255.255.0
ASA1(config-if)# int g0/2
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside2
INFO: Security level for "outside2" set to 0 by default.
ASA1(config-if)# ip add 102.1.1.100 255.255.255.0
! SLA on ASA
sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.1 interface outside1
timeout 1000
frequency 1
exit
sla monitor schedule 1 start-time now life forever
track 11 rtr 1 reachability
route outside1 0 0 101.1.1.1 track 11
route outside2 0 0 102.1.1.1 2
ASA1# sh track
Track 11
Response Time Reporter 1 reachability
Reachability is Up
2 changes, last change 00:00:17
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
ISP(config-if)#int l1
ISP(config-if)#shutdown
ASA1# sh track
Track 11
Response Time Reporter 1 reachability
Reachability is Down
5 changes, last change 00:00:14
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
ISP(config-if)#int l1
ISP(config-if)#no sh
ASA1# sh track
Track 11
Response Time Reporter 1 reachability
Reachability is Up
6 changes, last change 00:00:08
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
Chapter 10
Multicasting
IP addresses styles
Multicast Mac
Multicast addresses
IGMP (internet group management protocol)
IGMP snooping
Multicast routing protocols
RPF (Reverse path forwarding)
Distribution tree
PIM (protocol independent multicast )
PIM version
IP Addresses Styles
1. Unicast
2. Broadcast
3. Multicast
Unicast
Traffic goes one-to-one; if we are sending data to a group it requires retransmission, which eats up our
bandwidth.
Broadcast
In it we send data to all. It is useful when the destination is unknown. It is used by DHCP, ARP and RIPv1.
Each NIC receives the broadcast and processes it, whether or not it is meant for that host. But
broadcasts are not forwarded by a router or appliance.
Multicast
In it a source generates a stream that is distributed among the clients.
Or:
when a host joins a multicast group, its NIC is re-programmed and starts capturing data for the
joined group.
Multicast Mac
It is a 48-bit address. The first half of the address (24 bits) is the predefined 0100.5e; the 25th bit is always zero, and
the last 23 bits are obtained from the multicast IP address.
For example
224.0.0.1 -> 0100.5e00.0001
224.0.0.10 -> 0100.5e00.000a
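As an added example (not the book's code) for the Multicast MAC mapping described here and in Chapter 8, this implements the 01-00-5E plus low-23-bit mapping and shows its consequence for IGMP snooping: the five IP bits that are dropped mean 32 groups share one MAC, so a switch cannot separate groups by MAC alone. The sample group addresses are constructed.

```python
"""IPv4 multicast group -> MAC mapping (0100.5e + low 23 bits). Added example.

Not the book's code. Shows the mapping from the text and its consequence:
the 5 IP bits that are dropped mean 32 groups share one MAC, so a switch
cannot separate groups by MAC alone (hence IGMP snooping inspects IP).
"""
import ipaddress
from typing import List

MCAST_OUI = 0x01005E                 # fixed 24-bit prefix 0100.5e
LOW23_MASK = (1 << 23) - 1           # the 23 IP bits copied into the MAC
MCAST_BASE = int(ipaddress.IPv4Address("224.0.0.0"))


def dotted_hex(mac: bytes) -> str:
    """Cisco-style MAC notation as the book prints it: 0100.5e00.0001."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def multicast_mac(group: str) -> str:
    """Map a 224.0.0.0/4 group address to its 01-00-5E multicast MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac_int = (MCAST_OUI << 24) | (int(addr) & LOW23_MASK)
    # bit 25 of the MAC (top bit of the lower 24) is always zero
    assert (mac_int >> 23) & 1 == 0
    return dotted_hex(mac_int.to_bytes(6, "big"))


def groups_sharing_mac(group: str) -> List[str]:
    """All 32 groups that map to the same MAC as 'group'.

    Bits 27..23 of the IP (just below the fixed 1110 class-D prefix) are not
    carried in the MAC, so every combination of those 5 bits collides."""
    low = int(ipaddress.IPv4Address(group)) & LOW23_MASK
    return [str(ipaddress.IPv4Address(MCAST_BASE | (i << 23) | low))
            for i in range(32)]


if __name__ == "__main__":
    # constructed sample groups: the book's two plus the SSDP group
    for g in ("224.0.0.1", "224.0.0.10", "239.255.255.250"):
        print(f"{g:16s} -> {multicast_mac(g)}")
    colliding = groups_sharing_mac("224.0.0.1")
    print("groups colliding with 224.0.0.1:", ", ".join(colliding[:4]), "...")
```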
Multicast Addresses
1. Link Local 224.0.0.0/24
2. Source Specific 232.0.0.0/8
3. GLOP 233.0.0.0/8
4. Administratively Scoped 239.0.0.0/8
5. Globally Scoped 224.0.1.0-231.255.255.255
234.0.0.0-238.255.255.255
Link Local
They are sent with a TTL value of one.
Source Specific
In Source Specific a host receives multicast traffic from a single server.
GLOP
It allocates 256 multicast addresses to each AS; the middle 16 bits are obtained from the AS number.
Administratively Scoped
They are just like IPv4 private addresses; they can be used by private organizations.
239.192.0.0 organization local
239.252.0.0 site local
Globally Scoped
They are fully routable over the internet.
IGMP (Internet Group Management Protocol)
Version 1
The router sends a query every 60 seconds.
No group-leave mechanism.
Query age-out time is 3 minutes.
No information about which group is active on an interface.
Version 2
The router sends a query every 60 seconds to 224.0.0.1.
A host can leave a group by sending a leave to 224.0.0.2.
Query response interval.
Group-specific queries.
Querier election.
Version 3
Uses SSM (Source Specific Multicast).
IGMP Snooping
It enables switches to determine which port is requesting which multicast group.
Distribution Tree
The multicast routing path is called the distribution tree.
types
Source Tree
Shared Tree
Source Tree
In it the shortest path from the source to the receiver is taken. Used in PIM dense mode,
where the path is pre-calculated because of the flooding.
Shared Tree
In it a common set of links is used. The first packet passes through the RP; after receiving that packet
the receiver side selects the shortest path.
PIM (Protocol Independent Multicast)
Modes
Dense Mode
Sparse Mode
Sparse Dense Mode
Dense Mode
It assumes that a multicast recipient is in every subnet.
The stream is flooded to each router; if a router has no receiver it sends a prune message to stop the
unwanted flooding.
Sparse Mode
The multicast tree is not built until someone requests it.
PIM Versions
Version 1
Version 2
Version 1
It provides an auto or manual RP process.
RP announce on 224.0.1.39
RP discovery on 224.0.1.40
We must define the RP candidate on each router.
Version 2
It uses a BSR (Bootstrap Router).
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
no shutdown
ip add 192.168.101.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.30 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
Server1
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
interface gig 0/0
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface gig 0/1
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
PC1#debug ip icmp
ICMP packet debugging is on
PC2#debug ip icmp
ICMP packet debugging is on
PC3#debug ip icmp
ICMP packet debugging is on
Server1#debug ip icmp
ICMP packet debugging is on
*Mar 1 00:10:19.647: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 0 from 192.168.101.10, 60 ms
*Mar 1 00:10:21.659: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 1 from 192.168.101.10, 72 ms
*Mar 1 00:10:23.679: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 2 from 192.168.101.10, 92 ms
*Mar 1 00:10:25.667: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 3 from 192.168.101.10, 80 ms
*Mar 1 00:10:27.659: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 4 from 192.168.101.10, 72 ms
Server1#
Server1#ping 239.1.1.2 repeat 5
*Mar 1 00:10:37.391: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 0 from 192.168.101.20, 60 ms
*Mar 1 00:10:39.415: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 1 from 192.168.101.20, 84 ms
*Mar 1 00:10:41.383: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 2 from 192.168.101.20, 56 ms
*Mar 1 00:10:43.383: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 3 from 192.168.101.20, 52 ms
*Mar 1 00:10:45.399: ICMP: echo reply rcvd, src 192.168.101.20, dst 192.168.102.100
Reply to request 4 from 192.168.101.20, 68 ms
Server1#
Server1#ping 239.1.1.3 repeat 5
*Mar 1 00:10:53.259: ICMP: echo reply rcvd, src 192.168.101.30, dst 192.168.102.100
PC1#debug ip icmp
ICMP packet debugging is on
PC1#
*Mar 1 00:09:49.379: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:20.795: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:22.807: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:24.823: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:26.823: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
*Mar 1 00:11:28.803: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC2#debug ip icmp
ICMP packet debugging is on
PC2#
*Mar 1 00:10:39.847: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:41.863: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:43.871: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:45.847: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC2#
*Mar 1 00:10:47.859: ICMP: echo reply sent, src 192.168.101.20, dst 192.168.102.100
PC3#debug ip icmp
ICMP packet debugging is on
PC3#
*Mar 1 00:08:39.027: %SYS-5-CONFIG_I: Configured from console by console
PC3#
*Mar 1 00:10:54.587: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:10:56.571: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:10:58.571: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:11:00.595: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
PC3#
*Mar 1 00:11:02.579: ICMP: echo reply sent, src 192.168.101.30, dst 192.168.102.100
Chapter 11
Access-list
Object Group
Object Group Types
Access-list
A list of conditions used to categorize packets.
Types:
Standard Access-list
Extended Access-list
Named Access-list
Time-based Access-list
Standards Access-list
It is used to allow or deny an entire IP packet. Mostly used for route filtering.
(range 1-99, 100-1999)
Extended Access-list
It is used to allow or deny by Layer 3, Layer 4 & upper-layer protocols. Mostly used for traffic filtering.
(range 100-199, 2000-2699)
Object Group
A feature of Cisco ASA that simplifies access-list management.
Types
1. Network Object Group
2. Protocol Object Group
3. Service Object Group
4. ICMP Object Group
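How an extended access-list that references object groups is evaluated, as an added Python example (not ASA code and not from the book). It builds the network, service and ICMP-type groups the lab's "access-list out" uses, then evaluates packets first-match with the implicit deny at the end. ALL-TSS-SERVERS and TSS2 are assumed objects here, since only TSS1 is defined in the lab config; the packet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not ASA code): a small evaluator for an extended access-list
# whose entries reference object groups, as in the chapter's "access-list out".
# ALL-TSS-SERVERS is assumed to contain the TSS1/TSS2 hosts; TSS2 is an
# assumed object (only TSS1 is defined in the lab config).

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # tcp/udp destination port
    icmp_type: str = ""   # icmp type name, e.g. "echo-reply"


@dataclass
class ACE:
    action: str           # "permit" or "deny"
    proto: str
    src: str              # "any" or a network object / object-group name
    dst: str
    service: str = ""     # service or icmp-type object-group name; "" = any


class AccessList:
    def __init__(self):
        self.networks = {}    # name -> [IPv4Network, ...]
        self.services = {}    # name -> (proto, {ports})
        self.icmp_types = {}  # name -> {type names}
        self.entries = []

    def object_network(self, name, *members):
        self.networks[name] = [ipaddress.ip_network(m, strict=False) for m in members]

    def object_group_network(self, name, *objects):
        self.networks[name] = [n for o in objects for n in self.networks[o]]

    def object_group_service(self, name, proto, *ports):
        self.services[name] = (proto, {PORT_NAMES.get(p, p) for p in ports})

    def object_group_icmp(self, name, *types):
        self.icmp_types[name] = set(types)

    def add(self, action, proto, src, dst, service=""):
        self.entries.append(ACE(action, proto, src, dst, service))

    def _addr_match(self, ref, ip):
        if ref == "any":
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks[ref])

    def _service_match(self, ace, pkt):
        if not ace.service:
            return True
        if pkt.proto == "icmp":
            return pkt.icmp_type in self.icmp_types[ace.service]
        proto, ports = self.services[ace.service]
        return proto == pkt.proto and pkt.dport in ports

    def evaluate(self, pkt):
        """First matching entry wins; returns (action, entry index)."""
        for idx, ace in enumerate(self.entries):
            if (ace.proto == pkt.proto
                    and self._addr_match(ace.src, pkt.src)
                    and self._addr_match(ace.dst, pkt.dst)
                    and self._service_match(ace, pkt)):
                return ace.action, idx
        return "deny", None   # implicit deny at the end of every ASA ACL


def build_lab():
    """The chapter's objects, plus the assumed TSS2 / ALL-TSS-SERVERS."""
    acl = AccessList()
    acl.object_network("TSS1", "192.168.10.10")
    acl.object_network("TSS2", "192.168.10.20")            # assumed object
    acl.object_network("inside", "192.168.1.0/24")
    acl.object_group_network("ALL-TSS-SERVERS", "TSS1", "TSS2")
    acl.object_group_service("TELNET", "tcp", "telnet")
    acl.object_group_service("SSH", "tcp", "ssh")
    acl.object_group_icmp("MY-ICMP-OBJECT", "echo-reply")
    acl.add("permit", "tcp", "any", "ALL-TSS-SERVERS", "TELNET")
    acl.add("permit", "tcp", "any", "ALL-TSS-SERVERS", "SSH")
    acl.add("permit", "icmp", "any", "inside", "MY-ICMP-OBJECT")
    return acl
```

`evaluate` returns the index of the matching entry so you can see which line of the list a packet hit; a `("deny", None)` result means it fell through to the implicit deny, which is where an unexpected drop usually comes from when a group is missing a member.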
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
passive-interface fastEthernet 0/1
TSS1
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
TSS2
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.20 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
TSS3
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.30 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
WEB1
interface f0/0
no shutdown
ip add 192.168.20.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
WEB2
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.20 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
WEB3
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.30 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ISP
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
ASA1
interface GigabitEthernet 0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet 0/1
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet 0/2
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface GigabitEthernet 0/3
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
! Network Object
ASA1
object network inside
subnet 192.168.1.0 255.255.255.0
object network inside-lan
subnet 192.168.101.0 255.255.255.0
object network TSS1
host 192.168.10.10
ASA1(config)# object-group ?
! Service Object
object-group service TELNET tcp
port-object eq telnet
object-group service SSH tcp
port-object eq ssh
object-group service HTTP tcp
port-object eq www
object-group service HTTPS tcp
port-object eq https
! ICMP Object
object-group icmp-type MY-ICMP-OBJECT
icmp-object echo-reply
access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group TELNET
access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group SSH
access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTP
access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTPS
access-list out extended permit icmp any object inside object-group MY-ICMP-OBJECT
access-list out extended permit icmp any object inside-lan object-group MY-ICMP-OBJECT
R1#ping 101.1.1.1
ASA1(config)# sh xlate
8 in use, 8 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz1:192.168.10.10 to outside:101.1.1.101
flags s idle 0:12:26 timeout 0:00:00
NAT from dmz1:192.168.10.20 to outside:101.1.1.102
flags s idle 0:12:20 timeout 0:00:00
NAT from dmz1:192.168.10.30 to outside:101.1.1.103
flags s idle 0:12:16 timeout 0:00:00
Chapter 12
NAT on OS 8.0
Static Nat
Dynamic NAT
PAT
Static PAT
NAT Bypass
Identity NAT
NAT Exemption
Policy NAT
NAT
Types
1. Static
2. Dynamic
3. PAT
4. Static PAT
5. NAT Bypass
a. Identity NAT
b. NAT exemption
6. Policy NAT
Static NAT
In static NAT we create a one-to-one mapping of IP addresses.
It is Bi-directional.
Dynamic NAT
In dynamic NAT we map multiple IP addresses to a smaller pool of addresses.
PAT
In PAT we map multiple IP addresses to one.
Using PAT we can map about 65k IP addresses to a single IP, distinguished by port.
Uni-directional.
Static PAT
In static PAT we map a port of one IP address to a port of another IP address.
Uni-directional.
NAT Bypass
When we enable nat-control in OS 8.0, NAT becomes mandatory. If you want some traffic to avoid the NAT rules, we
use NAT bypass.
Identity NAT
In it an IP address is translated into itself; used for applications which don't support NAT, like
GDOI.
NAT Exemption
It is used to exclude VPN traffic from the NAT rules in 8.0.
Policy NAT
In policy NAT we can define conditions for translation.
They can be port-based or IP-based.
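The NAT types above and their direction, as an added Python example (not ASA code and not from the book): a toy translation table with static NAT (bi-directional, an outside host can reach the inside one), a dynamic pool that leases one global address per inside host, PAT that multiplexes many inside hosts on one address by port (uni-directional, an outside-initiated flow finds nothing to map to), and a static PAT port forward. It assumes that an exhausted pool falls back to PAT on the outside interface address, as a pool plus `global (outside) 1 interface` would; all addresses are the lab's, the port numbers are constructed.

```python
import ipaddress
from itertools import count

# Added example (not ASA code): a toy translation table that models the NAT
# types the chapter lists. Assumption: when the dynamic pool is exhausted the
# table falls back to PAT on the outside interface address, as a global pool
# plus "global (outside) 1 interface" would.


class NatTable:
    def __init__(self, pat_ip=None):
        self.static = {}        # local ip -> global ip (one-to-one)
        self.static_pat = {}    # (global ip, global port) -> (local ip, local port)
        self.pool = []          # free global ips for dynamic NAT
        self.dynamic = {}       # local ip -> global ip leased from the pool
        self.pat_ip = pat_ip    # single global address used for PAT
        self.pat_ports = count(1024)
        self.pat = {}           # (local ip, local port) -> global port
        self.pat_reverse = {}   # global port -> (local ip, local port)

    def add_static(self, local_ip, global_ip):
        self.static[local_ip] = global_ip

    def add_static_pat(self, global_ip, global_port, local_ip, local_port):
        self.static_pat[(global_ip, global_port)] = (local_ip, local_port)

    def add_dynamic_pool(self, first, last):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

    def outbound(self, local_ip, local_port):
        """Inside-initiated flow: returns (global ip, global port) or None."""
        if local_ip in self.static:
            return self.static[local_ip], local_port
        for (gip, gport), (lip, lport) in self.static_pat.items():
            if (lip, lport) == (local_ip, local_port):
                return gip, gport
        if local_ip not in self.dynamic and self.pool:
            self.dynamic[local_ip] = self.pool.pop(0)   # lease one address per host
        if local_ip in self.dynamic:
            return self.dynamic[local_ip], local_port
        if self.pat_ip:
            key = (local_ip, local_port)
            if key not in self.pat:
                gport = next(self.pat_ports)            # one global port per session
                self.pat[key] = gport
                self.pat_reverse[gport] = key
            return self.pat_ip, self.pat[key]
        return None   # nat-control: no matching rule, packet dropped

    def inbound(self, global_ip, global_port):
        """Outside-initiated flow towards a global address."""
        if (global_ip, global_port) in self.static_pat:
            return self.static_pat[(global_ip, global_port)]
        for local_ip, gip in self.static.items():
            if gip == global_ip:
                return local_ip, global_port          # static NAT is bi-directional
        for local_ip, gip in self.dynamic.items():
            if gip == global_ip:
                return local_ip, global_port          # only while the dynamic xlate exists
        if global_ip == self.pat_ip and global_port in self.pat_reverse:
            return self.pat_reverse[global_port]      # reply to an existing PAT session
        return None   # PAT is uni-directional: no session, nothing to map to

    def show_xlate(self):
        """Rough equivalent of the 'sh xlate' lines in the chapter."""
        lines = [f"Global {g} Local {l}" for l, g in self.static.items()]
        lines += [f"Global {g} Local {l}" for l, g in self.dynamic.items()]
        lines += [f"PAT Global {self.pat_ip}({gp}) Local {l}({lp})"
                  for (l, lp), gp in self.pat.items()]
        return lines
```

A translation existing is not the same as the traffic being allowed: on OS 8.0 the access-list on the outside interface still has to permit the global (NATted) address, which is what the `access-list out` lines in the lab do.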
Diagram:
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
Server2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA1(config)# pin
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA1(config)# pin
ASA1(config)# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/18/60 ms
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/20/20 ms
ASA1(config)#
! static nat
nat-control
static (inside,outside) interface 192.168.1.1
static (inside,outside) 101.1.1.101 192.168.101.1
static (inside,outside) 101.1.1.102 192.168.101.100
ASA1(config)# sh xlate
3 in use, 3 most used
Global 101.1.1.100 Local 192.168.1.1
Global 101.1.1.101 Local 192.168.101.1
Global 101.1.1.102 Local 192.168.101.100
! TCP & UDP will Work for ICMP ACL
access-list out permit icmp any interface outside
access-list out permit icmp any host 101.1.1.101
access-list out permit icmp any host 101.1.1.102
access-group out in interface outside
! in OS 8.0 we open access-list for natted ip
ISP#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
R1#ping 101.1.1.1 so
R1#ping 101.1.1.1 source f0
R1#ping 101.1.1.1 source f0/1
ISP#
*Mar 1 00:17:01.699: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.751: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.795: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.815: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:17:01.835: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Mar 1 00:17:06.871: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
*Mar 1 00:17:08.903: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Mar 1 00:17:08.971: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Mar 1 00:17:08.987: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Mar 1 00:17:09.007: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
*Mar 1 00:17:35.855: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Mar 1 00:17:40.675: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Mar 1 00:17:41.667: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Mar 1 00:17:42.679: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
! static nat is bi-directional
! private will map with public
! public will map with private
ASA1(config)# sh xlate
3 in use, 4 most used
Global 101.1.1.100 Local 192.168.1.1
Global 101.1.1.101 Local 192.168.101.1
ASA1
clear configure nat
clear configure access-list
clear configure static
! dynamic nat
nat-control
nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 101.1.1.101-101.1.1.106
! TCP & UDP will Work for ICMP ACL
access-list out permit icmp any host 101.1.1.101
access-list out permit icmp any host 101.1.1.102
access-list out permit icmp any host 101.1.1.103
access-list out permit icmp any host 101.1.1.104
access-list out permit icmp any host 101.1.1.105
access-list out permit icmp any host 101.1.1.106
access-group out in interface outside
R1#ping 101.1.1.1
ASA1(config)# sh xlate
6 in use, 6 most used
Global 101.1.1.105 Local 192.168.20.100
Global 101.1.1.104 Local 192.168.10.100
Global 101.1.1.103 Local 192.168.101.1
Global 101.1.1.106 Local 192.168.101.100
! PAT
ASA1
nat-control
nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 interface
! TCP & UDP will Work FOR ICMP ACL
access-list out permit icmp any interface outside
R1#ping 101.1.1.1
ASA1(config)# sh xlate
3 in use, 7 most used
PAT Global 101.1.1.100(1) Local 192.168.102.100(138)
PAT Global 101.1.1.100(5) Local 192.168.101.100 ICMP id 1
ISP#
*Mar 1 00:42:11.739: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.839: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.867: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.887: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:11.911: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Mar 1 00:42:15.423: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:15.523: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:15.543: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:15.563: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:15.575: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Mar 1 00:42:18.475: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:18.555: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:18.579: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:18.603: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:42:18.623: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Mar 1 00:43:05.327: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:43:06.303: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
ISP#
*Mar 1 00:43:07.315: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Mar 1 00:43:08.311: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
!ASA1
! static PAT
! now we have 5 servers telnet,ssh,http,https,ftp
! telnet , ssh in dmz1
! http , https in dmz2
! ftp in inside
static (inside,outside) tcp interface 21 192.168.101.100 21
static (dmz1,outside) tcp interface 22 192.168.10.100 22
static (dmz1,outside) tcp interface 23 192.168.10.100 23
static (dmz2,outside) tcp interface 80 192.168.20.100 80
static (dmz2,outside) tcp interface 443 192.168.20.100 443
! traffic originates from lower to higher security level, so apply an access-list
access-list out permit tcp any interface outside eq 21
access-list out permit tcp any interface outside eq 22
access-list out permit tcp any interface outside eq 23
access-list out permit tcp any interface outside eq 80
access-list out permit tcp any interface outside eq 443
access-group out in interface outside
R1#telnet 192.168.10.100
Trying 192.168.10.100 ...
% Connection refused by remote host
R1#telnet 192.168.20.100
Trying 192.168.20.100 ...
% Connection refused by remote host
! you can't access dmz1 or dmz2 from inside because of nat-control
! here we will use nat bypass
! 1 identity
! 2 nat exemption
Identity NAT
static (inside,dmz1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz1) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
Nat Exemption
access-list nat-exemption permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nat-exemption permit ip 192.168.101.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nat-exemption
R1#telnet 192.168.10.100
Trying 192.168.10.100 ... Open
Username: shiva
Password:
Server1#
Server1#ex
Server1#exit
ISP
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
R1#telnet 101.1.1.1
Trying 101.1.1.1 ... Open
Username: shiva
Password:
ISP#
ASA1(config)# sh xlate
2 in use, 8 most used
PAT Global 101.1.1.23(1024) Local 192.168.1.1(11440)
Password:
ISP#
ASA1(config)# sh xlate
1 in use, 8 most used
PAT Global 101.1.1.22(1024) Local 192.168.1.1(15918)
R1#ping 101.1.1.1
Note:-
Please open the access-list for the NATted IP address or service in OS versions up to 8.0, 8.1 and 8.2.
Please use the same topology & configuration for the CTP lab. Thanks
Chapter 13
NAT on OS 9.2.2.4
Static Nat
Dynamic NAT
PAT
Static PAT
Identity NAT
Twice NAT
NAT
Types
1. Static
2. Dynamic
3. PAT
4. Static PAT
5. Identity NAT
6. Twice NAT
Static NAT
In static NAT we create a one-to-one mapping of IP addresses.
It is Bi-directional.
Dynamic NAT
In dynamic NAT we map multiple IP addresses to a smaller pool of addresses.
PAT
Static PAT
In static PAT we map a port of one IP address to a port of another IP address.
Uni-directional.
Identity NAT
In it an IP address is translated into itself; used for applications which don't support NAT, like
GDOI, or for VPN traffic in OS version 8.4 & later.
Twice NAT
In twice NAT we can define translation conditions on both source and destination:
If the source is A and the destination is B, translate into X.
If the source is A and the destination is C, translate into Y.
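The source-plus-destination matching of twice NAT, as an added Python example (not ASA code and not from the book): an ordered rule list where the first rule whose real source AND real destination both match wins, built from the lab's objects (inside, internet, internet-lan, ip1, ip2) together with an identity rule between inside and dmz1. It also shows why rule order matters by inserting a static net-to-net rule at the top; the 101.1.2.0/24 mapped network in that check is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not ASA code): first-match lookup of twice NAT rules keyed on
# both the real source and the real destination, as in the chapter's two
# "nat (inside,outside) source dynamic ... destination static ..." rules.


@dataclass(frozen=True)
class TwiceNatRule:
    real_src: str      # network the real source must fall in
    mapped_src: str    # what the source becomes: one host (dynamic, many-to-one),
                       # the same network (identity) or an equal-sized network
                       # (static net-to-net)
    real_dst: str      # network the real destination must fall in
    mapped_dst: str    # destination after translation; "X X" keeps it as is

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.real_src, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.real_dst, strict=False))


def _map(addr, real, mapped):
    real_net = ipaddress.ip_network(real, strict=False)
    mapped_net = ipaddress.ip_network(mapped, strict=False)
    if real_net == mapped_net:
        return addr                                      # identity NAT
    if mapped_net.num_addresses == 1:
        return str(mapped_net.network_address)           # many-to-one (dynamic)
    if real_net.prefixlen == mapped_net.prefixlen:
        offset = int(ipaddress.ip_address(addr)) - int(real_net.network_address)
        return str(mapped_net.network_address + offset)  # static net-to-net, same host bits
    raise ValueError("static net-to-net needs real and mapped networks of equal size")


class TwiceNat:
    def __init__(self):
        self.rules = []   # ordered: the first rule whose source AND destination match wins

    def add(self, rule, position=None):
        """Append, or insert at `position` the way a line number orders manual NAT."""
        if position is None:
            self.rules.append(rule)
        else:
            self.rules.insert(position, rule)

    def translate(self, src, dst):
        """Return (mapped src, mapped dst, rule index); index None = untranslated."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(src, dst):
                return (_map(src, rule.real_src, rule.mapped_src),
                        _map(dst, rule.real_dst, rule.mapped_dst), idx)
        return src, dst, None   # no nat-control in 8.3+: unmatched traffic is not translated


def build_lab():
    """The chapter's objects: inside, internet, internet-lan, ip1, ip2."""
    tn = TwiceNat()
    # source A (inside) to destination B (internet) -> X (ip1)
    tn.add(TwiceNatRule("192.168.0.0/16", "101.1.1.111", "101.1.1.0/24", "101.1.1.0/24"))
    # source A (inside) to destination C (internet-lan) -> Y (ip2)
    tn.add(TwiceNatRule("192.168.0.0/16", "101.1.1.222", "192.168.102.0/24", "192.168.102.0/24"))
    # identity NAT between inside and dmz1: neither side changes
    tn.add(TwiceNatRule("192.168.1.0/24", "192.168.1.0/24", "192.168.10.0/24", "192.168.10.0/24"))
    return tn
```

Because the real source is the same 192.168.0.0/16 in both lab rules, only the destination decides which mapped address the ISP sees (101.1.1.111 versus 101.1.1.222), which is exactly what the ISP's `debug ip icmp` output in the lab shows.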
Diagram:-
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
Server2
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ISP
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
! Static nat
object network r1
nat (inside,outside) static ip1
object network r1-lan
nat (inside,outside) static ip2
object network pc1
nat (inside,outside) static ip3
object network server1
nat (dmz1,outside) static ip4
object network server2
nat (dmz2,outside) static ip5
ISP#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
ASA1# sh xlate
5 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.1.1 to outside:101.1.1.101
flags s idle 0:01:30 timeout 0:00:00
NAT from dmz1:192.168.10.100 to outside:101.1.1.104
flags s idle 0:01:21 timeout 0:00:00
NAT from dmz2:192.168.20.100 to outside:101.1.1.105
flags s idle 0:01:12 timeout 0:00:00
Static is bi-directional
ASA1
access-list out permit tcp any object pc1
access-list out permit tcp any object server1
access-list out permit tcp any object server2
access-group out in interface outside
ASA1(config)# sh xlate
5 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.1.1 to outside:101.1.1.101
flags s idle 0:02:46 timeout 0:00:00
NAT from dmz1:192.168.10.100 to outside:101.1.1.104
flags s idle 0:02:42 timeout 0:00:00
ASA1(config)# ! Dynamic
object network all_network
subnet 192.168.0.0 255.255.0.0
object network dpool
range 101.1.1.101 101.1.1.104
ASA1# sh xlate
4 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ISP#
*Sep 29 04:56:12.735: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:56:12.739: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:56:12.739: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:56:12.743: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
*Sep 29 04:56:12.743: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
*Sep 29 04:56:15.335: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:56:15.335: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:56:15.339: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:56:15.339: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
*Sep 29 04:56:15.343: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.102
ISP#
*Sep 29 04:56:26.475: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Sep 29 04:56:27.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Sep 29 04:56:28.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ISP#
*Sep 29 04:56:29.479: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.103
ASA(config) ! PAT
! PAT
object network inside
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic interface
R1#ping 101.1.1.1
ASA1(config)# sh xlate
1 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
! static pat
object network pc1
host 192.168.101.100
nat (inside,outside) static interface service tcp 21 2121
! open acl
access-list out permit tcp any object pc1 eq 21
access-group out in interface outside
R1#telnet 101.1.1.1
Trying 101.1.1.1 ... Open
Username: shiva
Password:
ISP#
ASA1(config)# sh xlate
8 in use, 8 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from outside:0.0.0.0/0 23-23 to inside:0.0.0.0/0 23-23
flags srIT idle 0:00:28 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 22-22 to inside:0.0.0.0/0 22-22
flags srIT idle 0:06:36 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 21-21 to inside:0.0.0.0/0 21-21
flags srIT idle 0:06:08 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 80-80 to inside:0.0.0.0/0 80-80
flags srIT idle 0:06:00 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 443-443 to inside:0.0.0.0/0 443-443
flags srIT idle 0:05:50 timeout 0:00:00
ASA1(config)# sh xlate
7 in use, 9 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from outside:0.0.0.0/0 23-23 to inside:0.0.0.0/0 23-23
flags srIT idle 0:01:23 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 22-22 to inside:0.0.0.0/0 22-22
flags srIT idle 0:00:22 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 21-21 to inside:0.0.0.0/0 21-21
flags srIT idle 0:08:51 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 80-80 to inside:0.0.0.0/0 80-80
flags srIT idle 0:00:04 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 443-443 to inside:0.0.0.0/0 443-443
flags srIT idle 0:00:03 timeout 0:00:00
!ASA
! twice nat using ip
object network inside
subnet 192.168.0.0 255.255.0.0
object network internet
subnet 101.1.1.0 255.255.255.0
object network internet-lan
subnet 192.168.102.0 255.255.255.0
object network ip
object network ip1
host 101.1.1.111
object network ip2
host 101.1.1.222
exit
nat (inside,outside) source dynamic inside ip1 destination static internet internet
nat (inside,outside) source dynamic inside ip2 destination static internet-lan internet-lan
access-list out permit icmp any object inside
access-group out in interface outside
ISP#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
ISP#debug ip icmp
ICMP packet debugging is on
ISP#
*Sep 29 07:49:50.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Sep 29 07:49:50.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Sep 29 07:49:50.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Sep 29 07:49:50.591: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Sep 29 07:49:50.591: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
ISP#
*Sep 29 07:49:52.783: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
*Sep 29 07:49:52.783: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
*Sep 29 07:49:52.787: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
*Sep 29 07:49:52.787: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
*Sep 29 07:49:52.787: ICMP: echo reply sent, src 192.168.102.1, dst 101.1.1.222
ISP#
! ASA1(config)# ! identity nat
R1#ping 101.1.1.1
*Sep 29 07:57:00.627: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.1.1
ISP#
*Sep 29 07:57:02.627: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.1.1
ISP#
*Sep 29 07:57:14.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
ISP#
*Sep 29 07:57:16.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
ISP#
*Sep 29 07:57:18.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
ISP#
*Sep 29 07:57:20.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
ISP#
*Sep 29 07:57:22.203: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.101.1
Chapter 14
CTP (Cut-Through-Proxy)
CTP (Cut-Through-Proxy)
A feature of Cisco ASA with which we can authenticate requests for protocols like TELNET,
HTTP, HTTPS and FTP, for inbound or outbound connections.
But only inbound or outbound, not both at a time.
Working
1. The client initiates a request for a destination.
2. ASA prompts for username & password.
3. The client provides username & password.
4. ASA forwards the credentials to the AAA server.
5. The AAA server authenticates the user credentials.
6. If the user is authenticated by the AAA server, ASA adds the connection and forwards the request to the actual
destination.
7. Otherwise the request is dropped.
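The seven steps above as a small state machine, added here as a Python example (not ASA code and not from the book). It keeps a uauth-style cache so that only the first connection from a client is challenged; later connections are cut through until the absolute timeout (or an inactivity timeout, if set) expires, which is what `sh uauth` and `clear uauth` act on. `FakeAaaServer` stands in for the RADIUS/TACACS+ server; the user is the lab's shiva account and the timeouts and addresses are constructed inputs.

```python
# Added example (not ASA code): the cut-through proxy sequence from the
# chapter as a state machine with a uauth-style cache. FakeAaaServer stands
# in for the RADIUS/TACACS+ server; timeouts and names are assumptions.

AUTH_PROTOCOLS = {"telnet", "http", "https", "ftp"}


class FakeAaaServer:
    def __init__(self, users):
        self.users = users            # username -> password (constructed)

    def authenticate(self, username, password):
        return self.users.get(username) == password


class CutThroughProxy:
    def __init__(self, aaa, absolute_timeout=300, inactivity_timeout=0):
        self.aaa = aaa
        self.absolute_timeout = absolute_timeout      # like "timeout uauth 0:05:00 absolute"
        self.inactivity_timeout = inactivity_timeout  # 0 = disabled
        self.uauth = {}           # client ip -> [user, authenticated at, last seen]
        self.connections = []     # (client ip, user, destination, protocol) forwarded

    def _cached_user(self, client_ip, now):
        """Return the cached user for this client, expiring stale entries."""
        entry = self.uauth.get(client_ip)
        if entry is None:
            return None
        user, first, last = entry
        expired = (now - first > self.absolute_timeout
                   or (self.inactivity_timeout and now - last > self.inactivity_timeout))
        if expired:
            del self.uauth[client_ip]
            return None
        self.uauth[client_ip] = [user, first, now]
        return user

    def request(self, client_ip, destination, proto, credentials=None, now=0):
        """Steps 1-7: returns 'auth-required', 'dropped' or 'forwarded'."""
        if proto not in AUTH_PROTOCOLS:
            raise ValueError("cut-through proxy prompts only for telnet/http/https/ftp")
        user = self._cached_user(client_ip, now)
        if user is None:
            if credentials is None:
                return "auth-required"                         # step 2: ASA prompts
            username, password = credentials                   # step 3
            if not self.aaa.authenticate(username, password):  # steps 4-5
                return "dropped"                               # step 7
            user = username
            self.uauth[client_ip] = [user, now, now]           # what "sh uauth" lists
        self.connections.append((client_ip, user, destination, proto))  # step 6
        return "forwarded"

    def show_uauth(self, now=0):
        return [f"user '{u}' at {ip}, authenticated (idle for {now - last}s)"
                for ip, (u, _first, last) in self.uauth.items()]

    def clear_uauth(self):
        self.uauth.clear()
```

The cache is keyed on the client IP, so anything that sits behind that IP inherits the authentication until the timeout; that is the trade-off behind choosing a short absolute timeout, and why `clear uauth` is the first thing to run when testing whether a rule change actually re-prompts.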
Authentication
It means validating a user's access when he or she wants to reach a network resource.
Authorization
It means what a user can perform in the network.
Accounting
It means recording what has been done by the user.
AAA Protocols
1. RADIUS (Remote Authentication Dial In User Service)
2. TACACS+ (Terminal Access Controller Access Control Server)
Radius
Tacacs+
TACACS was invented by the DoD (Department of Defense of the U.S.A.),
but TACACS+ was introduced by Cisco.
It uses TCP port 49.
It encrypts the entire packet.
Single connection for AAA.
Diagram:-
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
Server2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA1(config)# pin
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA1(config)# pin
ASA1(config)# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/18/60 ms
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/20/20 ms
ASA1(config)#
ISP
ip domain-name cisco.com
ASA1# sh uauth
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'shiva' at 192.168.101.100, authenticated (idle for 0:00:10)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
ASA1# clear uauth
If you are asked for the user name and password again, click Cancel and refresh the FTP page.
Chapter 15
IPsec Introduction
IPsec VPN
IPsec VPN Features
Encryption Algorithms
Pre-shared Key
Public Key Infrastructure
ESP
AH
IKE
ISAKMP
NAT-T
Security Association
IPsec VPN
Confidentiality
The data is kept secret by encrypting it with a symmetric algorithm such as DES, 3DES or AES.
Encryption Algorithms
Encryption is a mathematical algorithm that, combined with a key, transforms data so that it is unreadable to everyone except those who hold the key needed to decrypt it.
Symmetric Encryption
Asymmetric Encryption
Symmetric Encryption
Symmetric encryption algorithms are also called secret-key cryptography. As the name implies, a single secret key is used both to encrypt and to decrypt the data, so both IPsec peers must hold it.
DES
56-bit key. Brute-forced in under 24 hours with purpose-built hardware as early as 1999; do not use it.
3DES
Applies DES three times (encrypt, decrypt, encrypt) with three 56-bit keys, for an effective strength of about 112 bits. It has not been broken outright, but its 64-bit block size limits how much data one SA can safely carry, and it is far slower than AES.
AES
The symmetric cipher of choice today, with 128-, 192- or 256-bit keys and a 128-bit block.
Integrity
Lets the receiver detect whether the data was altered in transit. IPsec uses a keyed hash (HMAC) such as HMAC-MD5 or HMAC-SHA; a packet whose integrity check value does not match is dropped.
Authentication
Pre-Shared Key
The same secret is configured on both peers, and each proves knowledge of it during IKE.
Public Key Infrastructure
Peers: Devices and people that securely communicate across a network. Also known as end hosts.
Certification authority (CA): Grants and maintains digital certificates. Also known as a trusted entity or a trust point.
Digital certificate: Contains information to uniquely identify a peer, a signed copy of the public key used for secure communications, certificate validity dates, and the signature of the CA that issued the certificate. X.509v3 is the current version of the digital certificate format.
Distribution mechanism: A means to distribute certificate revocation lists (CRLs) across the network; LDAP and HTTP are examples.
Anti-Replay
Every ESP or AH packet carries a sequence number that the sender increments for each packet on the SA. The receiver keeps a sliding window of the most recent numbers: a packet whose number is older than the window, or that has already been seen, is dropped, so a captured packet cannot be re-injected later. The window is measured in packets, 64 by default on the ASA (crypto ipsec security-association replay window-size). Kilobytes and seconds are SA lifetime settings, not anti-replay settings.
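The receiver-side window described above, as an added example written for this page (not code from the book or from the ASA): a bitmap sliding window after RFC 4303 appendix A, fed a constructed arrival order that mixes reordering, duplicates and a packet that falls behind the window.

```python
class ReplayWindow:
    """Receiver-side ESP/AH anti-replay check (RFC 4303 appendix A).

    Every packet carries a monotonically increasing 32-bit sequence number.
    The receiver remembers the highest number seen (the right edge of the
    window) and a bitmap of which numbers just below it have arrived.
    A packet is dropped if it is older than the window or already marked.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.last_seq = 0            # highest sequence number accepted so far
        self.bitmap = 0              # bit i set => last_seq - i has been accepted
        self.dropped = []            # (seq, reason), kept for inspection

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if it is acceptable, False to drop it.
        In a real stack the ICV is verified before the window is updated, so a
        forged packet cannot move the window; the same ordering is assumed here."""
        if seq == 0:
            self.dropped.append((seq, "invalid"))      # first packet on an SA is 1
            return False
        if seq > self.last_seq:                         # new right edge
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                         # everything old falls out
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.size:
            self.dropped.append((seq, "too old"))       # outside the window
            return False
        if self.bitmap & (1 << offset):
            self.dropped.append((seq, "replay"))        # already received
            return False
        self.bitmap |= 1 << offset                      # late but unseen
        return True


def run_sequence(seqs, size: int = 64) -> list:
    """Feed a constructed arrival order through one window; return the accepted numbers."""
    w = ReplayWindow(size)
    return [s for s in seqs if w.check_and_update(s)]


if __name__ == "__main__":
    # Constructed arrival order: reordered packets are fine, duplicates and
    # anything further back than the window are not.
    arrivals = [1, 3, 2, 2, 100, 30, 37, 37, 4]
    print(run_sequence(arrivals))      # [1, 3, 2, 100, 37]
```

The window size is the trade-off to watch: on links with heavy QoS reordering (voice queued ahead of bulk data in the same SA) a 64-packet window drops legitimate late packets, which is why the ASA lets it be raised to 1024; disabling the check entirely removes the protection against re-injection.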
IPsec Protocols
ESP
AH
IKE
AH (Authentication Header)
Provides integrity and origin authentication only; it does not encrypt, so it gives no confidentiality.
It is carried as IP protocol number 51.
It does not work through NAT, and NAT-T cannot help it, because its ICV (integrity check value) covers the outer source and destination IP addresses.
Mutable fields such as TTL, ToS and the header checksum are excluded from the ICV, because every hop changes them.
IKE Modes
Main Mode
Aggressive Mode
Quick Mode
Main Mode
Main mode uses six messages in three exchanges:
Step 1
Message 1: the initiator proposes its ISAKMP policy (encryption, hash, DH group, authentication method, lifetime).
Message 2: the responder replies with the proposal it accepts.
Step 2
Message 3: the initiator sends its Diffie-Hellman public value and a nonce.
Message 4: the responder sends its Diffie-Hellman public value and nonce; both sides can now derive the session keys.
Step 3
Message 5: the initiator authenticates itself (pre-shared key or certificate), already under encryption.
Message 6: the responder authenticates itself. Because messages 5 and 6 are encrypted, the identities are hidden from an observer.
Aggressive Mode
Aggressive mode does the same work in three messages: proposal, DH value, nonce and identity travel together in the first two, and authentication in the third. The identities and, with pre-shared keys, the authentication hash are sent in clear, so a captured exchange can be brute-forced offline. Prefer main mode wherever the peer supports it.
Note: - A given Phase 1 negotiation uses either main mode or aggressive mode, never both.
Quick Mode
Quick mode (Phase 2) negotiates the IPsec SAs under the protection of the Phase 1 SA: transform set, proxy identities (the crypto ACL), lifetimes and, optionally, a fresh DH exchange (PFS). Each IPsec SA is identified by an SPI (Security Parameter Index); the SPI is carried in every ESP or AH packet so the receiver can look up the right keys and algorithms.
IKE Phases
1. Phase1
2. Phase1.5 (optional)
3. Phase2
Phase 1
In Phase 1 the peers build a single bidirectional IKE SA (the ISAKMP tunnel) and authenticate each other once, using main mode or aggressive mode. Its keys protect all later IKE traffic.
Phase 1.5
An optional phase. Xauth (Extended Authentication) adds a second layer of authentication, typically a user name and password for a remote-access client, that must succeed before use of the IPsec connection is granted.
Phase 2
Phase 2 starts only after Phase 1 has completed successfully; if Phase 1 fails there is no Phase 2.
In Phase 2 (quick mode) the peers create the IPsec SAs. IPsec SAs are unidirectional, so each protected flow needs a pair, one inbound and one outbound, per protocol (ESP or AH).
ISAKMP
ISAKMP (Internet Security Association and Key Management Protocol) defines the packet formats and exchanges; IKE uses it to negotiate SAs and exchange keys. It runs over UDP port 500 and moves to UDP port 4500 once NAT-T is in use.
IKE Versions
IKE Version 1                                     | IKE Version 2
6 messages (main mode) plus 3 (quick mode)        | 4 messages (IKE_SA_INIT and IKE_AUTH) for the IKE SA and the first CHILD_SA
Runs over ISAKMP, UDP 500                         | Same packet framing, UDP 500
NAT-T supported (negotiated with vendor IDs)      | NAT-T built into the protocol
Fire and forget: no acknowledgements              | Every request is acknowledged; cookies and liveness checks confirm the peer exists
No VoIP support                                   | VoIP support
Legacy algorithm set only                         | Suite B cryptography (AES-GCM, ECDH, ECDSA, SHA-2)
IKE Version 2
Exchanges
IKE_SA_INIT (two messages)
IKE_AUTH (two messages; carries the first CHILD_SA)
CREATE_CHILD_SA (optional; two messages per additional CHILD_SA or rekey)
IKE_SA_INIT: Message 1
The initiator proposes the IKE SA attributes and sends its Diffie-Hellman value and nonce.
Equivalent to messages 1 and 3 of IKEv1 main mode.
IKE_SA_INIT: Message 2
The responder returns the accepted attributes with its own Diffie-Hellman value and nonce; both sides can now derive keys.
Equivalent to messages 2 and 4 of IKEv1 main mode.
IKE_AUTH: Message 3
Encrypted: the initiator's identity, its AUTH payload (pre-shared key or certificate) and the proposal and traffic selectors for the first CHILD_SA.
Equivalent to message 5 of main mode plus part of quick mode in IKEv1.
IKE_AUTH: Message 4
The responder's identity, AUTH payload and its answer for the CHILD_SA.
Equivalent to message 6 of main mode plus part of quick mode in IKEv1.
Note:-
A tunnel that needs only one CHILD_SA (VTI, GRE over IPsec) is fully established after this message.
Optional
CREATE_CHILD_SA: Message 1
The initiator sends a proposal, nonce, traffic selectors and, when PFS is used, a fresh Diffie-Hellman value.
Additional child exchange, equivalent to quick mode in IKEv1; also used to rekey.
CREATE_CHILD_SA: Message 2
The responder answers with its chosen proposal, nonce and Diffie-Hellman value.
Additional child exchange, equivalent to quick mode in IKEv1.
IPsec Modes
1. Transport mode
2. Tunnel mode
Transport Mode
Only the Layer 4 header and payload are protected; the original IP header is kept and the ESP/AH header is inserted after it. Used where another encapsulation already supplies the outer header, as in DMVPN (GRE over IPsec).
Tunnel Mode
The whole original IP packet, Layer 3 header included, is protected and a new outer IP header is added. Used for site-to-site and remote-access VPNs, and by GET VPN (which copies the original header into the outer header).
NAT Traversal
NAT-T lets a VPN session be established through a NAT device. The VPN endpoints insert a UDP header (port 4500) in front of ESP so that the NAT has ports it can translate.
Why NAT-Traversal
AH does not work through NAT because its ICV covers the outer IP addresses. The sender computes the ICV over the payload and the immutable IP header fields (source and destination address included) with the SA key. A NAT device rewrites an address on the way through, so when the peer recomputes the ICV the values differ and the packet is dropped.
Note: - AH excludes mutable fields such as TTL from the ICV, because they change at every hop; only NAT-style changes break it.
ESP does not cover the outer IP header in its ICV, so a one-to-one address rewrite is tolerated, but it encrypts everything after the outer header. A PAT device needs Layer 4 ports to multiplex several hosts behind one address, and with ESP there are no visible ports (and no transport protocol it understands, since ESP is IP protocol 50), so the translation cannot be done.
To resolve this, NAT-T adds a UDP header in front of ESP. That header uses UDP port 4500 on both sides, so the NAT device sees an ordinary UDP flow.
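An added example, not code from the book, that makes the AH argument above (and the AH section earlier in the chapter) concrete: it builds an IPv4 packet with an Authentication Header, computes the HMAC-SHA1-96 ICV with the RFC 4302 mutable fields zeroed, and then passes the packet through a constructed "router" that decrements TTL and a constructed "NAT" that rewrites the source address. Addresses are the ones used in this chapter's labs; the SA key, SPI and payload are constructed values and the helper names are our own.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
IP_HDR_LEN = 20
ICV_LEN = 12                     # HMAC-SHA1-96: 160-bit MAC truncated to 96 bits (RFC 2404)
AH_LEN = 12 + ICV_LEN            # next header, length, reserved, SPI, sequence, then ICV
ICV_OFF = IP_HDR_LEN + 12        # byte offset of the ICV inside the packet


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64, proto: int = AH_PROTO) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icv_input(packet: bytes) -> bytes:
    """What the AH sender and receiver actually MAC (RFC 4302 section 3.3.3.1):
    the whole packet with the mutable IPv4 fields (ToS, flags/fragment offset,
    TTL, header checksum) and the ICV field itself zeroed. Source and
    destination addresses are not mutable, so they are covered."""
    p = bytearray(packet)
    p[1] = 0
    p[6:8] = b"\0\0"
    p[8] = 0
    p[10:12] = b"\0\0"
    p[ICV_OFF:ICV_OFF + ICV_LEN] = bytes(ICV_LEN)
    return bytes(p)


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    payload: bytes, next_header: int = 17) -> bytes:
    # AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV
    ah = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = ipv4_header(src, dst, IP_HDR_LEN + AH_LEN + len(payload)) + ah + payload
    icv = hmac.new(key, icv_input(pkt), hashlib.sha1).digest()[:ICV_LEN]
    return pkt[:ICV_OFF] + icv + pkt[ICV_OFF + ICV_LEN:]


def verify_ah(key: bytes, packet: bytes) -> bool:
    expected = hmac.new(key, icv_input(packet), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(packet[ICV_OFF:ICV_OFF + ICV_LEN], expected)


def _refresh_checksum(p: bytearray) -> None:
    p[10:12] = b"\0\0"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:IP_HDR_LEN])))


def forward_hop(packet: bytes) -> bytes:
    """An ordinary router on the path: decrements TTL and rewrites the checksum."""
    p = bytearray(packet)
    p[8] -= 1
    _refresh_checksum(p)
    return bytes(p)


def source_nat(packet: bytes, public_src: str) -> bytes:
    """A NAT device: rewrites the source address. It cannot fix the ICV
    because it does not hold the SA key."""
    p = bytearray(packet)
    p[12:16] = ipaddress.IPv4Address(public_src).packed
    _refresh_checksum(p)
    return bytes(p)


if __name__ == "__main__":
    key = b"constructed-ah-sa-key"                              # constructed lab value
    pkt = build_ah_packet(key, "192.168.101.100", "102.1.1.100", spi=0x1001, seq=1, payload=b"hello")
    print("as sent:     ", verify_ah(key, pkt))                          # True
    print("after a hop: ", verify_ah(key, forward_hop(pkt)))             # True: TTL is excluded
    print("after NAT:   ", verify_ah(key, source_nat(pkt, "101.1.1.100")))  # False
```

The same check run on ESP would pass the NAT case, because ESP's ICV starts at the ESP header; what breaks ESP behind a NAT is port translation, which is the case NAT-T's UDP 4500 encapsulation solves.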
NAT-T Support
In IKE Phase 1 (main mode messages 1 and 2) the peers exchange Vendor ID payloads. A peer that includes the NAT-T vendor ID (RFC 3947, or one of the earlier draft IDs) is announcing that it can do NAT traversal.
NAT-T Detection
Still in Phase 1 (main mode messages 3 and 4), each peer sends NAT-D payloads: a hash of the IKE cookies plus an IP address and port, one for the address it is sending to and one for its own. The receiver recomputes the hashes over the addresses it actually sees in the packet. If every hash matches there is no NAT on the path; a mismatch tells the receiver which side is behind a NAT.
NAT-T Decision
If a NAT was detected, the rest of the IKE negotiation moves to UDP port 4500, and in Phase 2 the peers agree on UDP-encapsulated ESP: every ESP packet is then sent with a UDP 4500 header in front of it. Keepalives on the same port keep the NAT mapping alive while the tunnel is idle.
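The NAT-D detection and the port decision above, as an added example (not from the book or from any IKE implementation): NAT-D payloads computed as in RFC 3947, compared from the responder's point of view against the addresses it sees on the wire. Cookies, addresses and ports are constructed values from the documentation ranges; SHA-1 is assumed as the Phase 1 hash.

```python
import hashlib
import ipaddress
import struct


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), computed
    with the Phase 1 hash algorithm (SHA-1 assumed here). The cookies are the
    two 8-byte ISAKMP cookies from the header."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def send_nat_d(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """What a peer puts in main mode message 3/4: first the hash of the address
    it is sending to, then one hash per address it is sending from."""
    return [nat_d(cky_i, cky_r, peer_ip, peer_port), nat_d(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, received, my_ip, my_port, seen_src_ip, seen_src_port):
    """Compare the peer's hashes with hashes over the addresses actually seen
    on the wire. Returns (peer_behind_nat, i_am_behind_nat)."""
    their_view_of_me, their_own = received[0], received[1:]
    i_am_behind_nat = their_view_of_me != nat_d(cky_i, cky_r, my_ip, my_port)
    peer_behind_nat = nat_d(cky_i, cky_r, seen_src_ip, seen_src_port) not in their_own
    return peer_behind_nat, i_am_behind_nat


def choose_ports(peer_behind_nat: bool, i_am_behind_nat: bool) -> dict:
    """NAT-T decision: stay on UDP 500 with raw ESP, or float to UDP 4500 and
    UDP-encapsulate ESP so the NAT has ports to translate."""
    if peer_behind_nat or i_am_behind_nat:
        return {"ike_port": 4500, "esp": "udp-encapsulated"}
    return {"ike_port": 500, "esp": "raw protocol 50"}


def simulate(initiator_private, initiator_public, responder_ip):
    """Constructed scenario: the initiator sits behind a NAT that rewrites its
    source to initiator_public (the port may change too); the responder has a
    public address. Returns (peer_behind_nat, i_am_behind_nat, decision) as
    computed by the responder."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    payloads = send_nat_d(cky_i, cky_r, *initiator_private, responder_ip, 500)
    peer_nat, me_nat = detect_nat(cky_i, cky_r, payloads, responder_ip, 500, *initiator_public)
    return peer_nat, me_nat, choose_ports(peer_nat, me_nat)


if __name__ == "__main__":
    print(simulate(("192.168.1.10", 500), ("203.0.113.5", 500), "198.51.100.20"))
    print(simulate(("203.0.113.5", 500), ("203.0.113.5", 500), "198.51.100.20"))
```

Note that the hash includes the port, so a NAT that keeps the address but maps UDP 500 to another port is still detected; and because the hash is keyed with both cookies, an old NAT-D payload cannot be replayed into another negotiation.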
Security Association
A group of security parameters and policies which is agreed between two IPsec peers: SPI, algorithms, keys, lifetime and mode.
Parts
SAD: the Security Association Database holds the active SAs; every inbound packet is matched to its SA by SPI, destination address and protocol.
SPD: the Security Policy Database says which traffic must be protected, bypassed or discarded and with which SA parameters; on the ASA the crypto ACL and crypto map play this role.
Microsoft CA (SCEP) notes
After installing the NDES/MSCEP role, stop and then start the CA service.
Password for the lab CA: shiva.
Start > Run > http://192.168.105.100/certsrv/mscep/mscep.dll
This URL shows the one-time challenge password that the ASA asks for during VPN certificate enrollment.
If the CA runs in VirtualBox it can serve a real network or a GNS3 topology; for GNS3 set the following, pressing OK at each prompt (user = administrator).
http://192.168.112.100/certsrv/mscep/mscep.dll
http://192.168.112.100/certsrv
R1#dir nvram:
Directory of nvram:/
Chapter 16
Site-Site VPN
Site-Site VPN
Working
Site-Site VPN
It lets two sites communicate securely across an untrusted network: the two ASAs authenticate each other and encrypt all traffic between the LANs behind them (here 192.168.101.0/24 and 192.168.102.0/24).
Working
192.168.101.0/24 192.168.102.0/24
Diagram:-
Site-Site-pre-8.0
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface e0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface ethernet 0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/70 ms
ASA1(config)# pin
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 10/20/30 ms
ASA2
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA2(config)# pin
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/30 ms
ASA1
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key shiva add 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto isakmp enable outside
ASA2
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key shiva add 101.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto isakmp enable outside
R1#ping 192.168.102.100 repeat 100
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ASA_s2s_pre_8.0_overlapping_subnet
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface ethernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface ethernet 0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/40 ms
ASA1(config)# pin
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/50 ms
ASA2
ASA2(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/24/70 ms
ASA2(config)# pin
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ASA_s2s_rsa_8.0
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface ethernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
ASA1# sh clock
22:08:49.224 UTC Mon Sep 29 2014
ASA2# sh clock
22:10:22.070 UTC Mon Sep 29 2014
ASA1
domain-name cisco.com
crypto key generate rsa
crypto ca trustpoint ttt
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
ex
crypto ca authenticate ttt
yes
crypto ca enroll ttt
%% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: **************** (the one-time challenge password shown on the CA's mscep page)
Re-enter password: ****************
Each challenge password is single-use: to enroll the next device, refresh the mscep page on the CA and copy and paste the new password.
ASA2
domain-name cisco.com
crypto key generate rsa
crypto ca trustpoint ttt
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
yes
ASA2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
ASA1
ASA2
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
trust-point ttt
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto isakmp enable outside
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 20/50/264 ms
R2#ping 192.168.101.100 repeat 100
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ASA_s2s_pre_ikev1
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no sh
route outside 0 0 101.1.1.1
R3
int f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# pin
ASA1# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
ASA2
ASA2# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2# pin
ASA2# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto ikev1 enable outside
ASA2
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto ikev1 enable outside
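The two peer configurations above are mirror images of each other, and almost every site-to-site tunnel that fails to come up fails on a mismatch between them. The following is an added example, not the book's configuration: a Python generator that renders both halves of an ASA site-to-site tunnel (IKEv1 pre-shared key as in this lab, or the IKEv2 pre-shared-key form that uses ikev2 local-authentication / ikev2 remote-authentication) and a checker that cross-reads two rendered configs for the usual mismatches. Object, ACL and crypto-map names (VPN-ACL, TS, PROP, CMAP, LOCAL-NET, PEER-NET) are our own; it also uses DH group 14 and AES-256/SHA-256 instead of the page's group 5, which assumes an ASA release that accepts group 14 for IKEv1. The identity NAT lines are included because, unlike this lab, a production ASA normally has dynamic PAT on the outside interface.

```python
import re
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    local_net: str   # "network mask" as the ASA writes it
    peer_net: str
    peer_ip: str


def s2s_config(site: Site, psk: str, ikev2: bool = False) -> str:
    """Render one peer's half of an ASA site-to-site tunnel (names are our own)."""
    c = [f"! {site.name}"]
    if ikev2:
        c += ["crypto ikev2 policy 10", " encryption aes-256", " integrity sha256",
              " group 14", " prf sha256", " lifetime seconds 86400",
              "crypto ikev2 enable outside",
              "crypto ipsec ikev2 ipsec-proposal PROP",
              " protocol esp encryption aes-256", " protocol esp integrity sha-256"]
    else:
        c += ["crypto ikev1 policy 10", " authentication pre-share", " encryption aes-256",
              " hash sha", " group 14", " lifetime 86400",
              "crypto ikev1 enable outside",
              "crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac"]
    c += [f"tunnel-group {site.peer_ip} type ipsec-l2l",
          f"tunnel-group {site.peer_ip} ipsec-attributes"]
    if ikev2:
        # IKEv2 keys are per direction, so both lines are needed (they may differ)
        c += [f" ikev2 local-authentication pre-shared-key {psk}",
              f" ikev2 remote-authentication pre-shared-key {psk}"]
    else:
        c += [f" ikev1 pre-shared-key {psk}"]
    c += [f"access-list VPN-ACL extended permit ip {site.local_net} {site.peer_net}",
          "crypto map CMAP 10 match address VPN-ACL",
          f"crypto map CMAP 10 set peer {site.peer_ip}",
          "crypto map CMAP 10 set " + ("ikev2 ipsec-proposal PROP" if ikev2 else "ikev1 transform-set TS"),
          "crypto map CMAP interface outside",
          # Identity NAT: keep the real addresses on traffic headed into the tunnel.
          # Otherwise dynamic PAT on outside rewrites the source before the crypto
          # ACL is consulted and the tunnel never matches.
          "object network LOCAL-NET", f" subnet {site.local_net}",
          "object network PEER-NET", f" subnet {site.peer_net}",
          "nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static PEER-NET PEER-NET"]
    return "\n".join(c)


def _first(cfg: str, pattern: str):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None


def _esp_params(cfg: str) -> list:
    out = []
    for line in cfg.splitlines():
        if line.startswith("crypto ipsec ikev1 transform-set"):
            out.append(" ".join(line.split()[4:]))       # e.g. "esp-aes-256 esp-sha-hmac"
        elif line.startswith(" protocol esp"):
            out.append(line.strip())
    return out


def check_mirror(cfg_a: str, cfg_b: str) -> list:
    """Cross-check two peers for the mismatches that most often keep a tunnel down.
    Lifetimes are deliberately not compared: IKEv1 negotiates the shorter one and
    IKEv2 does not negotiate them at all."""
    problems = []
    acl = r"^access-list \S+ extended permit ip (\S+ \S+) (\S+ \S+)$"
    a, b = re.search(acl, cfg_a, re.M), re.search(acl, cfg_b, re.M)
    if not (a and b) or a.group(1) != b.group(2) or a.group(2) != b.group(1):
        problems.append("crypto ACLs are not mirror images")
    psk_a, psk_b = re.findall(r"pre-shared-key (\S+)", cfg_a), re.findall(r"pre-shared-key (\S+)", cfg_b)
    if not psk_a or set(psk_a) != set(psk_b):
        problems.append("pre-shared keys differ")
    for field in ("encryption", "integrity", "hash", "group", "prf", "authentication"):
        va, vb = _first(cfg_a, rf"^ {field} (\S+)$"), _first(cfg_b, rf"^ {field} (\S+)$")
        if va != vb:
            problems.append(f"IKE policy {field}: {va} vs {vb}")
    if _esp_params(cfg_a) != _esp_params(cfg_b):
        problems.append("IPsec transform/proposal mismatch")
    for cfg, label in ((cfg_a, "A"), (cfg_b, "B")):
        tg, peer = _first(cfg, r"^tunnel-group (\S+) type ipsec-l2l$"), _first(cfg, r"set peer (\S+)$")
        if tg != peer:
            problems.append(f"{label}: tunnel-group {tg} does not match set peer {peer}")
    return problems


if __name__ == "__main__":
    asa1 = Site("ASA1", "192.168.101.0 255.255.255.0", "192.168.102.0 255.255.255.0", "102.1.1.100")
    asa2 = Site("ASA2", "192.168.102.0 255.255.255.0", "192.168.101.0 255.255.255.0", "101.1.1.100")
    print(s2s_config(asa1, "shiva", ikev2=True))
    print(check_mirror(s2s_config(asa1, "shiva"), s2s_config(asa2, "shiva")))   # []
```

Run the checker against the real running configs (paste the relevant sections) before reaching for debug crypto; a non-empty list names the mismatch the debug would otherwise make you hunt for.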
R1
R1#ping 192.168.102.100 repeat 100
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ASA2# sh crypto ip
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102.1.1.100
ASA_s2s_pre_ikev2
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface g0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
R3
int f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
IKEv2 SAs:
IKEv2 SAs:
ASA_s2s_rsa_ikev1
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
ip add 102.1.1.1 255.255.255.0 secondary
int f0/1
no shutdown
ip add 192.168.108.1 255.255.255.0
no shutdown
ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3
R3#clock set 12:17:45 1 oct 2014
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp master
ASA1
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
ex
crypto ca authenticate ttt
yes
crypto ca enroll ttt
ERROR: Signature public key not found - Abort.
domain-name cisco.com
crypto key generate rsa
ASA1(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
Note: if the CA never issues the certificate, remove the CA role and install it again on the Windows Server 2008 machine.
ASA2
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
yes
crypto ca enroll ttt
ERROR: Signature public key not found - Abort.
domain-name cisco.com
crypto key generate rsa
ASA2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
ASA1
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
ASA2
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ASA_s2s_rsa_ikev1_ios_ca
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
int f0/0
ip add 101.1.1.1 255.255.255.0
no sh
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1 255.255.255.0
no shu
int g0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# pin
ASA1# ping 102.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# pin
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3
R3#clock set 13:52:30 7 oct 2014
R3#conf t
R3(config)#ntp master
R3
configure R3 as CA
crypto key generate rsa general-keys exportable label shiva modulus 1024
crypto key export rsa shiva pem url nvram: 3des cisco123
yes
ip http server
crypto pki server cisco
database level minimum
database url nvram:
issuer-name CN=cisco1.cisco.com, L=gurgaon, C=IN
lifetime certificate 365
grant auto
no shutdown
(no shutdown prompts for a passphrase that protects the CA private key; the lab uses 999999999. grant auto issues a certificate to anyone who can reach the SCEP URL, so it is for the lab only.)
ASA1
ASA1(config)# crypto ca trustpoint ttt
ASA1(config-ca-trustpoint)# enrollment url http://101.1.1.1
ASA1(config-ca-trustpoint)# ex
ASA1(config)# crypto ca authenticate ttt
ASA2
ASA1
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
ASA2
crypto ikev1 policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 trust-point ttt
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev1 enable outside
ASA1
ASA1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ASA_s2s_rsa_ikev2
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
ip add 102.1.1.1 255.255.255.0 secondary
int f0/1
no shutdown
ip add 192.168.108.1 255.255.255.0
no shutdown
ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2(config)# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3
R3#clock set 12:17:45 1 oct 2014
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp master
ASA1
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
exit
crypto ca authenticate ttt
ASA1(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
ASA2
crypto ca trustpoint ttt
ASA1
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
ASA2
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
IKEv2 SAs:
ASA1
object network inside
subnet 192.168.101.0 255.255.255.0
object network s2s
subnet 192.168.102.0 255.255.255.0
ex
nat (inside,outside) source static inside inside destination static s2s s2s
nat (inside,outside) source dynamic any interface
access-list out permit icmp any object inside
ASA_s2s_rsa_ikev2_2012_ca
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
int f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
ip add 102.1.1.1 255.255.255.0 secondary
int f0/1
no shutdown
ip add 192.168.112.1 255.255.255.0
ASA1
int g0/0
no shu
nameif inside
ip add 192.168.101.1
interface g0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# pin
ASA1# ping 102.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# pin
ASA1# ping 192.168.112.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.112.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192.168.112.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.112.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.102.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA2# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2# pin
ASA2# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA2# pin
ASA2# ping 192.168.112.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.112.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
R3
Go to the CA server
http://192.168.112.100/certsrv/mscep/mscep.dll
Copy the OTP for ASA1, then refresh the page and obtain a new one for ASA2.
ASA2
ASA2(config)# crypto ca trustpoint ttt
ASA2(config-ca-trustpoint)# enrollment url http://192.168.112.100/certsrv/mscep/mscep.dll
ASA2(config-ca-trustpoint)# ex
ASA2(config)# crypto ca authenticate ttt
ASA1
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
ASA2
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev2 ipsec-proposal ppp
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test 10 set trustpoint ttt
crypto map test interface outside
crypto ikev2 enable outside
IKEv2 SAs:
current_peer: 101.1.1.100
Chapter 17
Modes
Client
Network extension
Network extension plus
Note
Client mode is unidirectional: only the client can access the server LAN, but the server LAN cannot access the client.
It can be implemented in software or hardware.
Network Extension
In Network Extension mode, an internal IP address is not offered to the remote client.
Note
It is bi-directional.
It can be implemented only on hardware.
Working
Diagram:-
ASA_ra_pre_8.0
Initial-config
R1
interface fastEthernet 0/0
no shut
ip add 101.1.1.1 255.255.255.0
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.1.0
net 192.168.10.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.2.0
net 192.168.20.0
ADMIN
interface fastEthernet 0/0
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
MGMT
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
interface Ethernet0/0
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
route outside 0 0 101.1.1.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
redistribute static metric 1 1 1 1 1
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms
ASA1(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/50 ms
ASA1(config)# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/50 ms
PAT
nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
global (outside) 1 interface
access-list out permit icmp any interface outside
access-group out in interface outside
admin#ping 101.1.1.1
authentication pre-share
encryption 3des
group 2
hash sha
crypto ipsec transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto isakmp enable outside
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.100
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
pre-shared-key admin
tunnel-group mgmt type ipsec-ra
tunnel-group mgmt general-attributes
address-pool mgmt
tunnel-group mgmt ipsec-attributes
pre-shared-key mgmt
save
Same task for mgmt: open a new tab on the VPN client and do the same.
Go to the ASA.
ASA1(config)# username shiva password shiva privilege 15
go to pc1
click OK
Ping reply is not coming; the reason is NAT. Exclude VPN traffic from NAT
using NAT exemption:
access-list nat-exemption permit ip any 192.168.100.0 255.255.255.0
access-list nat-exemption permit ip any 192.168.200.0 255.255.255.0
nat (inside1) 0 access-list nat-exemption
nat (inside2) 0 access-list nat-exemption
on asa
ASA1
! banner
group-policy admin attributes
banner value ADMIN_GROUP
group-policy mgmt ge
group-policy mgmt attributes
banner value MGMT_GRPUP
No connection due to the time-based ACL; the time now is 8:59, so wait 1 minute and try at 9:00.
ASA1# sh clock
08:59:43.968 UTC Tue Sep 30 2014
ASA1#
ASA1# sh clock
08:59:58.371 UTC Tue Sep 30 2014
ASA1# sh clock
08:59:59.029 UTC Tue Sep 30 2014
ASA1# sh clock
08:59:59.820 UTC Tue Sep 30 2014
ASA1# sh clock
09:00:01.090 UTC Tue Sep 30 2014
ASA_ra_rsa_8.0
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no sh
ip add 101.1.1.1 255.255.255.0
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.1.0
net 192.168.10.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
do sh hist
router ei 100
no au
net 192.168.2.0
net 192.168.20.0
ADMIN
interface fastEthernet 0/0
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
MGMT
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
interface Ethernet0/0
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
nameif dmz
security-level 50
ip address 192.168.105.1 255.255.255.0
! route outside 0 0 101.1.1.1
router eigrp 100
no aut
net 192.168.1.0
net 192.168.2.0
net 192.168.105.0
redistribute static metric 1 1 1 1 1
ASA1(config)# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 101.1.1.100 YES manual up up
Ethernet0/1 192.168.1.1 YES manual up up
Ethernet0/2 192.168.2.1 YES manual up up
Ethernet0/3 192.168.105.1 YES manual up up
Ethernet0/4 unassigned YES unset administratively down up
Ethernet0/5 unassigned YES unset administratively down up
ASA1
nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
global (outside) 1 interface
access-list out permit icmp any interface outside
access-group out in interface outside
admin#ping 101.1.1.1
R1
R1#clock set 09:19:15 30 sep 2014
R1#
*Sep 30 09:19:15.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 01:18:29 UTC Fri
Mar 1 2002 to 09:19:15 UTC Tue Sep 30 2014, configured from console by console.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ntp master
ASA1
crypto isakmp policy 1
authentication rsa-sig
encryption 3des
group 2
hash sha
crypto ipsec transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto isakmp enable outside
trust-point ttt
tunnel-group mgmt type ipsec-ra
tunnel-group mgmt general-attributes
address-pool mgmt
tunnel-group mgmt ipsec-attributes
trust-point ttt
username shiva password shiva privilege 15
Static PAT for the CA so that Internet users can obtain certificates from the CA.
go to pc
ping 101.1.1.100
start
run
type
http://101.1.1.100/certsrv
If you see this error, it is saying to update your CA enrollment pages from Microsoft.
tips
1. update ca pages
2. use client XP, ca 2003
3. use client win 7, ca 2008
yes
install cert
yes
yes
ASA1
tunnel-group admin general-attributes
default-group-policy admin
tunnel-group mgmt general-attributes
default-group-policy mgmt
for split tunnel
ASA_ra_ikev1_pre
Initial-config
R1
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
interface gigabitEthernet 0/1
no shu
nameif inside1
security-level 100
ip add 192.168.1.1
interface g0/2
no shu
nameif inside2
security-level 100
ip add 192.168.2.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
redistribute static metric 1 1 1 1 1
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 192.168.2.0
net 192.168.20.0
R4
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
R5
interface f0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ASA1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1#
sh history
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
ikev1 pre-shared-key admin
tunnel-group mgmt type ipsec-ra
tunnel-group mgmt general-attributes
address-pool mgmt
tunnel-group mgmt ipsec-attributes
ikev1 pre-shared-key mgmt
username shiva password shiva privilege 15
ASA1
access-list stacl permit 192.168.0.0 255.255.0.0
group-policy admin internal
group-policy admin attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
group-policy mgmt internal
group-policy mgmt attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
sh history
tunnel-group admin general-attributes
default-group-policy admin
tunnel-group mgmt general-attributes
default-group-policy mgmt
ASA1#
ASA1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ASA1
object network admin
subnet 192.168.100.0 255.255.255.0
object network mgmt
subnet 192.168.200.0 255.255.255.0
exit
object network inside1
subnet 192.168.10.0 255.255.255.0
object network inside2
subnet 192.168.20.0 255.255.255.0
ex
sh running-config object
nat (inside1,outside) 1 source static inside1 inside1 destination static admin admin
nat (inside1,outside) 1 source static inside1 inside1 destination static mgmt mgmt
nat (inside2,outside) 1 source static inside2 inside2 destination static admin admin
nat (inside2,outside) 1 source static inside2 inside2 destination static mgmt mgmt
R4#ping 101.1.1.1
ASA_ra_ikev1_rsa
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
interface gigabitEthernet 0/0
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no sh
int g0/1
no shu
nameif inside1
security-level 100
ip add 192.168.1.1
interface gigabitEthernet 0/2
no shu
nameif inside2
security-level 100
ip add 192.168.2.1
interface gigabitEthernet 0/3
no shu
nameif dmz
security-level 50
ip add 192.168.108.1
route outside 0 0 101.1.1.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
redistribute static metric 1 1 1 1 1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no au
net 0.0.0.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip http server
R5
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ASA1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1# ping 192.168.108.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.108.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1# ping 192.168.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R1
R1#clock set 15:00:40 1 oct 2014
R1#conf t
R1(config)#ntp master
ASA1(config)# ntp server 101.1.1.1
ASA1
crypto ca trustpoint ttt
enrollment url http://192.168.108.100/certsrv/mscep/mscep.dll
ex
crypto ca authenticate ttt
yes
ASA1(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************
Re-enter password: ****************
ASA1
crypto ikev1 policy 1
authentication rsa-sig
encryption 3des
group 2
ex
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
sh history
ip local pool admin 192.168.100.100-192.168.100.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin
tunnel-group admin ipsec-attributes
ikev1 trust-point ttt
username shiva password shiva privilege 15
ASA1
ASA
Static-pat
object network ca
host 192.168.108.100
nat (dmz,outside) static interface service tcp 80 80
access-list out permit tcp any object ca eq 80
access-group out in interface outside
http://101.1.1.100/certsrv
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Chapter 18
Limitation
Cluster
A logical group of devices or appliances that provides common application access; it is identified
with a virtual IP.
Master
An appliance that has the higher priority. The master is responsible for handling client requests and
distributes them to group members based on load. The master is also responsible for the cluster IP.
Default ASA priority: 1
Member
An appliance that is participating in the cluster.
This protocol is used for VPN load balancing; it uses UDP port 9023.
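The master, backup and member roles defined above, modelled as an added Python example (not the book's or Cisco's code): the highest-priority member becomes master and owns the cluster IP, and the master answers each new client by redirecting it to the least-loaded member. The per-member session limit and the tie-break rule (prefer the master when loads are equal) are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """One appliance participating in the cluster (mirrors the 'sh vpn load-balancing' rows)."""
    public_ip: str
    priority: int
    limit: int        # assumed session capacity, like the Limit column in the show output
    used: int = 0

    @property
    def load(self) -> float:
        return self.used / self.limit


class VpnCluster:
    def __init__(self, cluster_ip: str):
        self.cluster_ip = cluster_ip   # the virtual IP clients connect to
        self.members = []

    def participate(self, member: Member) -> None:
        self.members.append(member)

    def leave(self, public_ip: str) -> None:
        """A member drops out; if it was the master, master() re-elects automatically."""
        self.members = [m for m in self.members if m.public_ip != public_ip]

    def master(self) -> Member:
        # Highest priority wins (ASA1 priority 10 beats ASA2 priority 9 in the lab).
        return max(self.members, key=lambda m: m.priority)

    def role(self, member: Member) -> str:
        return "Master" if member is self.master() else "Backup"

    def redirect(self) -> str:
        """A client hits the cluster IP; the master picks the least-loaded member with
        free capacity (itself on a tie, an assumption) and returns that member's public IP."""
        candidates = [m for m in self.members if m.used < m.limit]
        if not candidates:
            raise RuntimeError("no member has free capacity")
        master = self.master()
        target = min(candidates, key=lambda m: (m.load, m is not master))
        target.used += 1
        return target.public_ip
```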
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ip add 192.168.102.1 255.255.255.0 secondary
ip add 192.168.103.1 255.255.255.0 secondary
ip add 192.168.104.1 255.255.255.0 secondary
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.3 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ASA1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 101.1.1.101 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif admin
security-level 100
ip address 192.168.100.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
!
!
!
ASA2(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.103.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.103.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.104.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.104.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
!
!
!
ASA1
!
crypto ikev1 policy 1
authentication pre-share
encryption 3des
group 2
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
ip local pool admin 192.168.100.100-192.168.100.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
ikev1 pre-shared-key admin
username shiva password shiva privilege 15
ASA2
crypto ikev1 policy 1
authentication pre-share
encryption 3des
group 2
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
crypto map test interface outside
crypto ikev1 enable outside
ip local pool admin 192.168.200.100-192.168.200.254
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
ikev1 pre-shared-key shiva
username shiva password shiva privilege 15
ASA1
vpn load-balancing
cluster ip address 101.1.1.100
interface lbpublic outside
interface lbprivate inside
priority 10
participate
ASA2
vpn load-balancing
cluster ip address 101.1.1.100
interface lbpublic outside
interface lbprivate inside
priority 9
participate
ASA1
ASA1# sh vpn load-balancing
--------------------------------------------------------------------------
Status Role Failover Encryption Peers Cluster IP
--------------------------------------------------------------------------
Enabled Master n/a Disabled 1 101.1.1.100
Peers:
--------------------------------------------------------------------------
Role Pri Model Load-Balancing Version Public IP
--------------------------------------------------------------------------
Master 10 ASA5512 4 101.1.1.101*
Backup 9 ASA5512 4 101.1.1.102
----------------------------- ---------------------
Limit Used Load Limit Used Load
--------------------------------------------------------------------------
2 0 0% 250 0 0% 101.1.1.101*
2 0 0% 250 0 0% 101.1.1.102
ASA2
ASA2# sh vpn load-balancing
--------------------------------------------------------------------------
Status Role Failover Encryption Peers Cluster IP
--------------------------------------------------------------------------
Enabled Backup n/a Disabled 1 101.1.1.100
Peers:
--------------------------------------------------------------------------
Role Pri Model Load-Balancing Version Public IP
--------------------------------------------------------------------------
Backup 9 ASA5512 4 101.1.1.102*
Master 10 ASA5512 4 101.1.1.101
ASA1
ASA1# sh vpn load-balancing
--------------------------------------------------------------------------
Status Role Failover Encryption Peers Cluster IP
--------------------------------------------------------------------------
Enabled Master n/a Disabled 1 101.1.1.100
Peers:
--------------------------------------------------------------------------
Role Pri Model Load-Balancing Version Public IP
--------------------------------------------------------------------------
Master 10 ASA5512 4 101.1.1.101*
Backup 9 ASA5512 4 101.1.1.102
Peers:
--------------------------------------------------------------------------
Role Pri Model Load-Balancing Version Public IP
--------------------------------------------------------------------------
Backup 9 ASA5512 4 101.1.1.102*
Master 10 ASA5512 4 101.1.1.101
ASA1
ASA1# sh route outside
Chapter 19
SSL initiates the request at the session layer; its data is protected at the presentation layer, and that is carried by
the transport layer. So in both the OSI and TCP/IP models, SSL works on behalf of the transport layer.
SSL Modes
Clientless
Thin Client
Thick Client
Clientless Mode
As the name suggests, in clientless mode there is no need for any client software. The client
makes a request to the SSL gateway, and the gateway proxies it to the internal resources.
Clientless provides secure communication only for web-based applications,
like HTTP, HTTPS, SMTP, POP3, IMAP or MS Exchange Server, etc.
Thin Client Mode
Also known as Port-Forwarding. In thin-client mode, the client makes a request to the SSL gateway, and the gateway proxies
it to the internal resources, like Telnet, SSH, RDP, etc.
SSL Requirements
Clientless requirements
Only a web browser.
Thin requirements
Web browser
Java
ActiveX and pop-ups should be enabled on the client web browser.
Thick requirements
Web browser
Java
ActiveX and pop-ups should be enabled on the client web browser.
AnyConnect package & Cisco Secure Desktop package.
Working
The client initiates a request to the server.
The server provides a certificate to the client. This certificate contains the public key of the server.
The client generates a shared key. That key is protected by the public key of the server.
The encrypted shared secret is delivered to the server. The server decrypts it using its private key.
Now both have the same secret, and bulk encryption happens.
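The handshake steps just listed, worked through as an added Python example that is not from the book: the server's RSA key stands in for its certificate, the client wraps a fresh shared secret with that public key, the server unwraps it with its private key, and both sides derive bulk-encryption keys from the same secret. RSA key generation and PKCS#1-style padding are hand-rolled so the block runs on the standard library alone, and the record layer is an HMAC-based stream cipher with a MAC; both are illustrative assumptions, not a TLS implementation.

```python
import hashlib
import hmac
import secrets

# Odd primes below 500: cheap sieve before the Miller-Rabin test.
SMALL_PRIMES = [p for p in range(3, 500)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n > 1
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024):
    """Return ((e, n), (d, n)); the public half plays the server certificate."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_wrap(pub, secret):
    """Client side: protect the shared secret with the server's public key
    (random non-zero padding, PKCS#1 v1.5 style, so equal secrets never encrypt alike)."""
    e, n = pub
    k = (n.bit_length() + 7) // 8
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(secret) - 3))
    em = b"\x00\x02" + pad + b"\x00" + secret
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def rsa_unwrap(priv, blob):
    """Server side: recover the shared secret with the private key."""
    d, n = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(blob, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]

def derive_keys(secret, client_random, server_random):
    """Expand the shared secret into separate encryption and MAC keys."""
    seed = client_random + server_random
    return (hmac.new(secret, b"enc" + seed, hashlib.sha256).digest(),
            hmac.new(secret, b"mac" + seed, hashlib.sha256).digest())

def keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(keys, nonce, plaintext):
    """Bulk encryption: XOR with the keystream, then append an HMAC tag."""
    enc_key, mac_key = keys
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_record(keys, nonce, record):
    enc_key, mac_key = keys
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record authentication failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def handshake(server_pub, server_priv):
    """The five steps from the text; returns (client_keys, server_keys)."""
    client_random = secrets.token_bytes(32)          # 1. client initiates the request
    server_random = secrets.token_bytes(32)          # 2. server answers with its certificate
    shared_secret = secrets.token_bytes(32)          # 3. client generates the shared key ...
    wrapped = rsa_wrap(server_pub, shared_secret)    #    ... protected by the server public key
    recovered = rsa_unwrap(server_priv, wrapped)     # 4. server decrypts with its private key
    # 5. Only 'wrapped' crossed the wire; both sides now hold the same secret.
    return (derive_keys(shared_secret, client_random, server_random),
            derive_keys(recovered, client_random, server_random))
```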
Diagram:-
ASA_ssl_8.0
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ASA1
interface Ethernet0/0
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
no auto-summary
admin
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
mgmt
interface fastEthernet 0/0
no shutdown
ASA1
webvpn
enable outside
username shiva password shiva privilege 15
ASA1
webvpn
enable outside
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
port-forward mgmt 8080 192.168.20.100 www
port-forward mgmt 8181 192.168.20.100 https
webvpn
tunnel-group-list enable
webvpn
enable outside
svc image disk0:/svc2.5.pkg 1
svc enable
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
port-forward mgmt 8080 192.168.20.100 www
port-forward mgmt 8181 192.168.20.100 https
tunnel-group-list enable
webvpn
no enable outside
port 9090
enable outside
https://101.1.1.100:9090
webvpn
onscreen-keyboard logon
admin
ip dhcp pool admin
network 192.168.100.0
default-router 192.168.100.
mgmt
nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
global (outside) 1 interface
access-list out permit icmp any interface outside
access-group out in interface outside
admin#ping 101.1.1.1
mgmt#ping 101.1.1.1
split-tunnel-policy tunnelspecified
admin#ping 101.1.1.1
2e35.3230.312d.636c.
6965.6e74.312d.696e.
7369.6465.3100
admin#ping 101.1.1.1
mgmt#ping 101.1.1.1
ASA_ssl_9.2
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no au
net 0.0.0.0
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
R5
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
int gigabitEthernet 0/1
no shu
nameif inside1
security-level 100
ip add 192.168.1.1 255.255.255.0
interface gigabitEthernet 0/2
no shu
nameif inside2
security-level 100
ip add 192.168.2.1 255.255.255.0
route outside 0 0 101.1.1.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
redistribute static metric 1 1 1 1 1
ASA1# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# ping 192.168.10.100
Type escape sequence to abort.
ASA1
webvpn
enable outside
username shiva password shiva privilege 15
ASA thin
webvpn
enable outside
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
webvpn
tunnel-group-list enable
ASA1(config-webvpn)# username shiva password shiva privilege 15
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
webvpn
csd image disk0:/csd_3.6.6203-k9.pkg
csd enable
exit
http server enable
http 0 0 outside
username shiva password shiva privilege 15
PC
https://101.1.1.100/ for ssl
https://101.1.1.100/admin for ASDM
webvpn
no csd enable
webvpn
smart-tunnel list sss telnet telnet.exe
group-policy admin attributes
webvpn
port-forward disable
smart-tunnel enable sss
https://101.1.1.100
Chapter 20
Transparent Firewall
Transparent Firewall
ASA Modes
Advantages
Limitations
Difference between Switching &Transparent Firewall
Transparent Firewall
The Cisco ASA runs in one of two firewall modes: routed mode or transparent mode.
Routed Mode
In routed mode the ASA works as a layer 3 device: it is a routed hop, and it forwards packets based on the destination IP address.
Transparent Mode
In transparent mode the ASA works as a layer 2 device: it forwards frames based on the destination MAC address, like a bridge ("bump in the wire"), but it can still filter traffic from layer 2 up to layer 7.
Advantages
You can insert the firewall into an existing network without readdressing it; the hosts on both sides of the firewall stay in the same IP subnet.
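The following Python model is an added example (not code from the book and not ASA software) of the layer 2 / layer 3 split just described: a bridge group of two interfaces learns MAC addresses and forwards by destination MAC, but every IP frame is still run through the access list applied to the interface it arrived on. ARP is passed without an ACL, as the ASA does by default in transparent mode, and with no ACL applied a frame is permitted only from the higher-security interface. The MAC addresses and the traffic are constructed, modelled on the lab later in this chapter.

```python
"""Toy transparent firewall: layer 2 forwarding, layer 3 filtering.

Added example, not ASA code. A bridge group of two interfaces learns source
MACs and forwards by destination MAC, but still checks every IP frame against
the ACL applied to its ingress interface. ARP needs no ACL; with no ACL applied
the security-level rule (higher -> lower permitted) decides.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str          # "ip" or "arp"
    src_ip: str = ""
    dst_ip: str = ""
    proto: str = ""         # "icmp", "tcp", "udp" (IP frames only)


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every IP protocol
    src: str                # CIDR or "any"
    dst: str

    def matches(self, f: Frame) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        return _in(f.src_ip, self.src) and _in(f.dst_ip, self.dst)


def _in(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


class TransparentFirewall:
    def __init__(self, security_levels: dict):
        self.levels = dict(security_levels)       # nameif -> security-level
        self.mac_table = {}                        # learned MAC -> interface
        self.acl = {}                              # nameif -> ACEs applied inbound

    def access_group(self, ifname: str, aces: list) -> None:
        self.acl[ifname] = list(aces)

    def _permitted(self, ifname: str, f: Frame) -> bool:
        if f.ethertype == "arp":
            return True                            # ARP passes without an ACL
        if ifname not in self.acl:                 # no access-group: security-level rule
            return self.levels[ifname] > min(v for k, v in self.levels.items() if k != ifname)
        for ace in self.acl[ifname]:               # first match wins
            if ace.matches(f):
                return ace.action == "permit"
        return False                               # implicit deny at the end

    def receive(self, ifname: str, f: Frame) -> list:
        """Egress interface list for a frame that arrived on ifname ([] = dropped)."""
        self.mac_table[f.src_mac] = ifname         # learn the source like a switch
        if not self._permitted(ifname, f):
            return []
        out = self.mac_table.get(f.dst_mac)
        if f.dst_mac == BROADCAST or out is None:  # broadcast / unknown unicast: flood
            return [i for i in self.levels if i != ifname]
        return [] if out == ifname else [out]      # same-segment frame is not bridged


def demo() -> dict:
    """Replays the chapter's lab: R4 (192.168.101.100) behind inside, R1's LAN
    interface (192.168.101.1) on outside; only 192.168.102.0/24 is allowed in."""
    fw = TransparentFirewall({"inside": 100, "outside": 0})
    fw.access_group("outside", [Ace("permit", "ip", "192.168.102.0/24", "192.168.101.0/24")])
    r4, r1 = "0000.0000.0004", "0000.0000.0001"   # constructed MAC addresses
    results = {}
    # R4 ARPs for its gateway: source learned on inside, broadcast flooded, no ACL needed.
    results["arp_request"] = fw.receive("inside", Frame(r4, BROADCAST, "arp"))
    # Gateway answers: R4's MAC is already known, so the reply is bridged to inside only.
    results["arp_reply"] = fw.receive("outside", Frame(r1, r4, "arp"))
    # Ping from R4 out: no ACL on inside, level 100 -> 0 is permitted by default.
    results["r4_out"] = fw.receive("inside", Frame(r4, r1, "ip", "192.168.101.100", "192.168.102.100", "icmp"))
    # Reply from the 192.168.102.0/24 side arrives on outside: permitted by the ACL.
    results["reply_in"] = fw.receive("outside", Frame(r1, r4, "ip", "192.168.102.100", "192.168.101.100", "icmp"))
    # Probe from the Internet side to R4: no ACE matches, dropped before bridging.
    results["probe_in"] = fw.receive("outside", Frame(r1, r4, "ip", "101.1.1.1", "192.168.101.100", "tcp"))
    return results
```

The point to take from the model is the order of operations: the ACL decision is made on the ingress interface before any bridging happens, so a frame the outside ACL does not permit never reaches the inside segment even though both segments share one IP subnet.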
Transparent Firewall
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 101.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R5
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R1
R1#ping 102.1.1.100
R2
R2#ping 101.1.1.100
R1
interface fastEthernet 0/0
ip nat inside
interface fastEthernet 0/1
ip nat outside
exit
ip access-list extended natacl
permit ip 192.168.0.0 0.0.255.255 any
exit
ip nat inside source list natacl interface fastEthernet 0/1 overload
R2
interface fastEthernet 0/0
ip nat inside
R1
R1#ping 101.1.1.1 source fastEthernet 0/0
R1
interface t0
ip add 192.168.123.1 255.255.255.0
tunnel source 101.1.1.100
tunnel destination 102.1.1.100
tunnel mode gre ip
ip ospf 100 area 0
int f0/0
ip ospf 100 area 0
R2
interface tunnel 0
ip add 192.168.123.2 255.255.255.0
tunnel source 102.1.1.100
tunnel destination 101.1.1.100
R1
R1#sh ip route ospf
O 192.168.102.0/24 [110/1001] via 192.168.123.2, 00:00:04, Tunnel0
R2
R2#sh ip route ospf
O 192.168.101.0/24 [110/1001] via 192.168.123.1, 00:00:28, Tunnel0
R1
R1#ping 192.168.102.1 source fastEthernet 0/0
ASA1
ASA2
ASA2(config)# firewall transparent
ciscoasa(config)# hostname ASA2
ASA2(config)#
ASA1
interface bvi 1
ip address 192.168.101.111 255.255.255.0
interface gigabitEthernet 0/0
no shu
nameif inside
bridge-group 1
interface gigabitEthernet 0/1
no shu
nameif outside
bridge-group 1
route outside 0 0 192.168.101.1
ASA2
interface bvi 1
ip add 192.168.102.111 255.255.255.0
interface gigabitEthernet 0/0
no shu
nameif inside
bridge-group 1
R4
R4#ping 192.168.102.100
R5
R5#ping 192.168.
*Oct 4 06:24:54.215: %SYS-5-CONFIG_I: Configured from console by console
R5#ping 192.168.101.100
ASA1
access-list out permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
access-group out in interface outside
ASA2
access-list out permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-group out in interface outside
R4#ping 192.168.102.100
R5#ping 192.168.101.100
ASA1
object network obj_net_192.168.101.0
subnet 192.168.101.0 255.255.255.0
ASA1
access-list out permit icmp any object obj_net_192.168.101.0
access-group out in interface outside
R4#ping 192.168.101.1
*Oct 4 07:02:21.219: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
*Oct 4 07:02:21.219: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
*Oct 4 07:02:21.223: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
*Oct 4 07:02:21.223: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
*Oct 4 07:02:21.227: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
ASA2
object network obj_net_192.168.102.0
subnet 192.168.102.0 255.255.255.0
object network obj_net_192.168.101.0
subnet 192.168.101.0 255.255.255.0
object network obj_net_192.168.222.0
subnet 192.168.222.0 255.255.255.0
R2#debug ip icmp
ICMP packet debugging is on
R5#ping 192.168.101.100
R2(config)#
*Oct 4 12:39:14.351: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
R2(config)#
*Oct 4 12:39:16.347: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
R2(config)#
*Oct 4 12:39:18.347: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
R2(config)#
*Oct 4 12:39:20.347: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
R2(config)#
*Oct 4 12:39:22.347: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
ASA2
R5#ping 192.168.101.100
R2(config)#
*Oct 4 12:40:43.367: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:40:43.371: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:40:43.371: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:40:43.375: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
*Oct 4 12:40:43.375: ICMP: echo reply sent, src 192.168.102.1, dst 192.168.222.100
R4#ping 101.1.1.1
R5#ping 101.1.1.1
R4#ping 101.1.1.1
R5#ping 192.168.101.100
Chapter 21
Context
Context
Context Requirement
Context Use
Advantages
Limitations
Context Terminology
Context
One physical appliance can be partitioned into many virtual firewalls; each virtual firewall is called a security context and has its own configuration, interfaces, policies and administrators.
Requirement
Assume you run a web hosting company with 200 clients, and each client demands a dedicated firewall in front of its servers. Meeting that demand with 200 physical appliances would be very costly; security contexts solve the problem by giving each client its own virtual firewall on shared hardware.
Context Use
Active-Active failover
Web Hosting Companies
Companies needing more than one firewall on a single location
Advantages
Cost saving
Eco-friendly (less hardware, less power)
Limitations
No dynamic routing
No VPN
These were the limitations of earlier releases. In ASA OS 9.x (this lab runs 9.2(2)4) multiple context mode also supports dynamic routing and IPsec site-to-site VPN; remote-access VPN is still not supported in multiple context mode on this release.
Context Terminology
System Area
Admin Context
Context Chaining
Shared Interface
System Area
When an appliance boots in multiple mode, you land in the system execution space (the system area). Here you define the contexts, allocate interfaces to them and point each one at its configuration file; the system area has no network interfaces of its own.
Functions
Admin Context
When an appliance boots in multiple mode, the admin context is created by default. It is used for appliance management; in multiple mode there must always be an admin context, and the system area uses its interfaces to reach the network.
Context Chaining
One context can be connected to another so that traffic passes through two contexts in series (for example, the outside of context A is the inside of context B). This is called context chaining, and it is only possible with a shared interface.
Shared Interface
When the same physical interface (or subinterface) is allocated to more than one context, it is called a shared interface.
A shared interface raises a MAC address problem. A physical interface has one burned-in MAC address, so by default every context that shares it answers on the same MAC. When a frame arrives on the physical interface, the classifier cannot use the destination MAC to decide which context should receive it and has to fall back to the destination IP address, which works only if a NAT mapped address in exactly one context claims that address; otherwise the packet is dropped. The system-area command mac-address auto solves this by generating a unique virtual MAC address for every shared interface in every context, so that each context is reached by its own destination MAC.
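The Python model below is an added example (not from the book, not ASA code) of the classifier decision just described. It assigns a packet to a context by ingress interface, then by destination MAC, then by NAT mapped address, and shows why two contexts sharing GigabitEthernet0/0 are ambiguous until mac-address auto gives each its own MAC. The context names, mapped addresses and MAC values are constructed; the a283.ea00.000x pattern is borrowed from the R3 ARP table in the inter-context routing lab later in this chapter.

```python
"""Model of the multiple-context packet classifier on a shared interface.

Added example, not ASA code. The ASA assigns an incoming packet to a context by
(1) the ingress interface, if it is allocated to only one context; otherwise
(2) the destination MAC address of the context's interface; otherwise
(3) the destination IP, which works only if a NAT mapped address in exactly one
context claims it. All names and addresses below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Context:
    name: str
    ifaces: dict                        # physical interface -> MAC this context answers on
    mapped_ips: set = field(default_factory=set)   # addresses claimed by NAT in this context


class Classifier:
    def __init__(self, contexts: list):
        self.contexts = contexts

    def classify(self, phys: str, dst_mac: str, dst_ip: str) -> tuple:
        """Return (context name or None, the rule that decided)."""
        owners = [c for c in self.contexts if phys in c.ifaces]
        if len(owners) == 1:                           # 1. interface belongs to one context
            return owners[0].name, "unique-interface"
        by_mac = [c for c in owners if c.ifaces[phys].lower() == dst_mac.lower()]
        if len(by_mac) == 1:                           # 2. shared interface, unique MAC
            return by_mac[0].name, "dest-mac"
        by_ip = [c for c in by_mac if dst_ip in c.mapped_ips]
        if len(by_ip) == 1:                            # 3. same MAC everywhere: NAT address decides
            return by_ip[0].name, "dest-ip-nat"
        return None, "unclassified"                    # the ASA drops the packet


BURNED_IN = "6c20.56bd.ea84"        # constructed burned-in MAC of GigabitEthernet0/0


def auto_mac(index: int) -> str:
    """Stand-in for the virtual MAC that mac-address auto assigns per context (constructed)."""
    return f"a283.ea00.{index:04x}"


def build(shared_macs_auto: bool) -> Classifier:
    """Two contexts sharing g0/0 (outside); c1 maps 101.1.1.101, c2 maps 101.1.1.102."""
    mac1 = auto_mac(2) if shared_macs_auto else BURNED_IN
    mac2 = auto_mac(6) if shared_macs_auto else BURNED_IN
    c1 = Context("c1", {"g0/0": mac1, "g0/1": "0000.0000.0101"}, {"101.1.1.101"})
    c2 = Context("c2", {"g0/0": mac2, "g0/2": "0000.0000.0102"}, {"101.1.1.102"})
    return Classifier([c1, c2])


def demo() -> dict:
    without = build(shared_macs_auto=False)
    with_auto = build(shared_macs_auto=True)
    return {
        # Inside interfaces are not shared: the interface alone decides.
        "inside_c2": without.classify("g0/2", "0000.0000.0102", "192.168.102.100"),
        # Shared outside, same MAC in both contexts: only the NAT mapped address can decide.
        "shared_nat_ok": without.classify("g0/0", BURNED_IN, "101.1.1.101"),
        # Same MAC, destination that no context maps: nothing to classify on, packet dropped.
        "shared_unmapped": without.classify("g0/0", BURNED_IN, "101.1.1.150"),
        # With mac-address auto the upstream router ARPs for 101.1.1.102 and gets c2's own
        # MAC, so the frame is classified by MAC before NAT is even consulted.
        "auto_mac_c2": with_auto.classify("g0/0", auto_mac(6), "101.1.1.102"),
    }
```

Without unique MACs the shared interface works only for traffic whose destination is a NAT mapped address known to exactly one context; anything else (overlapping mapped addresses, unmapped destinations) is dropped, which is the failure mode mac-address auto removes.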
Diagram:-
Initial-config
ASA_Context
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
ASA1(config)# sh mode
Security context mode: multiple
context c1
context c2
context c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
!
context c2
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
ASA1
ASA1(config-ctx)# changeto context c1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1 255.255.255.0
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
route outside 0 0 101.1.1.1
ASA1
changeto context c1
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.101.0 255.255.255.0
access-group out in interface outside
R1#ping 101.1.1.1
ASA1/c1(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:07 timeout 0:00:00
R2#ping 101.1.1.1
ASA1/c2(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:07 timeout 0:00:00
ASA_inter-context_routing
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
context c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
!
context c2
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2
config-url disk0:/c2.cfg
!
changeto context c2
R3#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 101.1.1.1 - 44e4.d987.ecde ARPA FastEthernet0/0
Internet 101.1.1.100 22 6c20.56bd.ea84 ARPA FastEthernet0/0
Internet 101.1.1.101 1 a283.ea00.0002 ARPA FastEthernet0/0
Internet 101.1.1.102 0 a283.ea00.0006 ARPA FastEthernet0/0
Internet 102.1.1.1 - 44e4.d987.ecdf ARPA FastEthernet0/1
Internet 102.1.1.100 21 6c20.56bd.ea85 ARPA FastEthernet0/1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
Chapter 22
Failover
Failover
Failover Types
Failover Implementation types
Failover System Requirements
The Failover and Stateful Failover Links
Device Initialization and configuration
Failover Behaviour
Failover Triggers
Stateless (Regular) and Stateful Failover
Things not replicated during failover
Failover Health Monitoring
Interface Monitoring
Failover configuration limitation
Failover
Failover is a Cisco proprietary high-availability feature that pairs two appliances so that the network keeps running when one of them fails.
Failover types
Stateless Failover
Hardware Failover
Stateful Failover
Stateless
Stateless failover provides logical redundancy: if the primary link goes down, the secondary path is used.
Hardware Failover
When failover was first introduced only hardware failover was supported. It provides hardware redundancy and configuration replication, but no connection state is replicated, so after a failover every connection has to be re-established.
Stateful Failover
Stateful failover provides hardware redundancy and configuration replication, and in addition replicates the ARP table, the xlate (NAT) table, the conn table and VPN sessions to the standby unit, so after a failover existing connections continue without being re-established.
Active-Standby
Active/Standby failover requires two appliances, one primary and one secondary. Normally the primary works as the active unit and the secondary as the standby; if the active unit fails, the standby takes over its role. Only one unit passes traffic while the other waits in the standby state. Active/Standby failover is available on units running in either single or multiple context mode.
Active-Active
Active/Active failover requires two appliances and at least two security contexts, grouped into two failover groups. Each appliance is active for one failover group (and standby for the other), so both units pass network traffic at the same time. Active/Active failover is available only on units running in multiple context mode.
Hardware Requirements
The two units in a failover configuration must have the same hardware configuration.
They must be the same model
They must have the same number and types of interfaces
The same amount of RAM
The same SSMs installed (if any).
Note: - The Exception is Flash memory. If using units with different Flash memory sizes in your
failover configuration, make sure the unit with the smaller Flash memory has enough space to
accommodate the software image files and the configuration files. Otherwise configuration
synchronization will fail.
Software Requirements
The two units in a failover configuration must be in the same operating mode (routed or transparent, single or multiple context) and must run the same software version. Different versions are tolerated only temporarily, while the pair is being upgraded.
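The hardware and software requirements above are easy to verify from the text of show failover, which on ASA 9.2 prints the version of both units, the platform in slot 0 and the state of each monitored interface. The checker below is an added example (not from the book) that parses that format and reports any mismatch or unhealthy state; the two sample outputs are constructed, patterned on the output the lab in this chapter produces, and the regular expressions assume that format.

```python
"""Pairing check over `show failover` output (added example, not from the book).

Parses the text the ASA prints on 9.2 and checks: failover enabled, the same
software version on both units, the same platform in slot 0, one unit Active
and the peer Standby Ready, and every monitored interface Normal. The sample
outputs are constructed, patterned on the lab output in this chapter.
"""
import re

VERSION_RE = re.compile(r"Version: Ours (\S+), Mate (\S+)")
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
SLOT_RE = re.compile(r"slot 0: (\S+) hw/sw rev \(([^/]+)/(.+?)\) status \((.+)\)")
IFACE_RE = re.compile(r"^(?:(\S+) )?Interface (\S+) \(([\d.]+)\): (.+?)(?: \((\w+)\))?$")


def parse_show_failover(text: str) -> dict:
    info = {"enabled": None, "ours": None, "mate": None,
            "hosts": {}, "interfaces": {"This": [], "Other": []}}
    side = None                                   # which host block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            info["enabled"] = True
        elif line.startswith("Failover Off"):
            info["enabled"] = False
        elif m := VERSION_RE.search(line):
            info["ours"], info["mate"] = m.group(1), m.group(2)
        elif m := HOST_RE.match(line):
            side = m.group(1)
            info["hosts"][side] = {"unit": m.group(2), "state": m.group(3).strip()}
        elif side and (m := SLOT_RE.search(line)):
            info["hosts"][side].update(model=m.group(1), sw=m.group(3), status=m.group(4))
        elif side and (m := IFACE_RE.match(line)):
            info["interfaces"][side].append({
                "context": m.group(1), "name": m.group(2), "ip": m.group(3),
                "state": m.group(4), "monitored": m.group(5) == "Monitored"})
    return info


def check_pair(info: dict) -> list:
    """Return a list of findings; an empty list means the pair is healthy."""
    findings = []
    if not info["enabled"]:
        findings.append("failover is not enabled")
    if info["ours"] != info["mate"]:
        findings.append(f"software mismatch: ours {info['ours']}, mate {info['mate']}")
    this, other = info["hosts"].get("This", {}), info["hosts"].get("Other", {})
    if this.get("model") and other.get("model") and this["model"] != other["model"]:
        findings.append(f"platform mismatch: {this['model']} vs {other['model']}")
    states = {this.get("state"), other.get("state")}
    if states != {"Active", "Standby Ready"}:
        findings.append(f"unit states {sorted(s for s in states if s)}; "
                        "want one Active and one Standby Ready")
    for side in ("This", "Other"):
        for i in info["interfaces"][side]:
            if i["monitored"] and i["state"] != "Normal":
                findings.append(f"{side.lower()} host: interface {i['name']} is {i['state']}")
    return findings


# Constructed sample, patterned on the lab output in this chapter.
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Version: Ours 9.2(2)4, Mate 9.2(2)4
This host: Primary - Active
        Active time: 296 (sec)
        slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
          Interface inside (192.168.10.1): Normal (Monitored)
          Interface outside (101.1.1.100): Normal (Monitored)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
          Interface inside (192.168.10.2): Normal (Monitored)
          Interface outside (101.1.1.101): Normal (Monitored)
"""

# Same pair after a bad upgrade: version mismatch, peer failed, one interface down.
BROKEN = (HEALTHY.replace("Mate 9.2(2)4", "Mate 9.1(7)")
                 .replace("Secondary - Standby Ready", "Secondary - Failed")
                 .replace("(101.1.1.101): Normal", "(101.1.1.101): Failed"))


def findings_for(text: str) -> list:
    return check_pair(parse_show_failover(text))
```

Run findings_for over the output captured from each unit (for example via an SSH session), and treat any non-empty result as a reason not to trust the pair; the same check is worth running after every upgrade, since a version mismatch is exactly what prevents configuration replication from completing.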
License Requirements
The Failover and Stateful Failover Links
The two units in a failover pair constantly communicate over the failover link (and, when configured, the Stateful Failover link) to determine the operating status of each unit. The failover link carries the unit state (active or standby), hello keepalives, network link status, MAC address exchange and configuration replication and synchronization. The Stateful Failover link carries the per-connection state that the active unit passes to the standby unit.
Caution: - All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. The replicated configuration includes passwords and pre-shared keys, so always configure a failover key and run the failover links on a dedicated, isolated segment (a direct cable or a dedicated VLAN), never across a network an attacker could sniff.
Types:-
Cable-based failover (older PIX platforms) has a distance limitation and slower configuration replication; the ASA uses LAN-based failover, which needs an Ethernet link between the two units.
Note The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can use either a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.
For the Stateful Failover link you have three options:
You can use a dedicated Ethernet interface for the Stateful Failover link.
If you are using LAN-based failover, you can share the failover link (this is what the lab in this chapter does with "failover link shiva").
You can share a regular data interface. However, this option is not recommended.
Note:-
Enable the PortFast option on Cisco switch ports that connect directly to the security appliance, so the failover link comes up without waiting for spanning tree.
Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.
In multiple context mode, the Stateful Failover link resides in the system context.
Failover Behaviour
Failover Triggers
The active unit fails over to the standby when:
The unit has a hardware failure.
The unit has a power failure.
The unit has a software failure.
The no failover active command is entered on the active unit, or the failover active command is entered on the standby unit.
A monitored interface goes down (more failed interfaces than the interface policy allows).
Stateless (Regular) Failover
When a failover occurs, all active connections are dropped. Clients need to re-establish connections when the new active unit takes over.
Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit, so after a failover the new active unit already knows the existing connections.
Failover Health Monitoring
The security appliance determines the health of the other unit by monitoring the failover link. When a unit does not receive three consecutive hello messages on the failover link, it sends interface hello messages on each interface, including the failover interface, to validate whether or not the peer is still alive.
If the unit receives a response on the failover link, it does not fail over.
If the unit does not receive a response on the failover link but receives a response on another interface, it does not fail over either. The failover link is marked as failed. You should restore the failover link as soon as possible, because the unit cannot fail over to the standby while the failover link is down.
If the unit does not receive a response on any interface, the standby unit switches to active mode and classifies the other unit as failed.
Interface Monitoring
1. Link Up/Down test
2. Network Activity test
3. ARP test
4. Broadcast Ping test
Link Up/Down test: A test of the interface status. If the Link Up/Down test indicates that the interface is operational, the security appliance performs the network tests.
Network Activity test: A received-network-activity test. The unit counts all received packets for up to 5 seconds. If any packets are received, the interface is considered operational and testing stops; if no traffic is received, the ARP test begins.
ARP test: A reading of the unit's ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these hosts to stimulate network traffic, and after each request counts all received traffic for up to 5 seconds. If no traffic is received, the Broadcast Ping test begins.
Broadcast Ping test: A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If traffic is received at any point during the sequence the interface is considered operational; if none is received by the end of the Broadcast Ping test, the interface is considered failed.
Failover configuration limitation
Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
You cannot configure failover when Easy VPN remote is enabled on the ASA 5505 adaptive security appliance.
CA server is not supported.
Diagram:-
ASA_active_standby
Initial-config
R1
int fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
R2
int fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http au local
username shiva privilege 15 secret shiva
R3
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0 standby 101.1.1.101
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
ASA1(config-if)# route outside 0 0 101.1.1.1
ASA1
R3#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
R2#ping 101.1.1.1
R3#debug ip icmp
ICMP packet debugging is on
R3#
*Oct 4 10:10:31.019: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.019: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.023: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.023: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 4 10:10:31.023: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R3#
*Oct 4 10:10:38.211: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
R3#
*Oct 4 10:10:40.207: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 4 10:10:40.211: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 4 10:10:40.211: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 4 10:10:40.215: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
ASA1
failover lan unit primary
failover lan interface shiva GigabitEthernet0/3
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2
interface gigabitEthernet 0/3
no shu
failover lan unit secondary
failover lan interface shiva g0/3
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2(config)# Beginning configuration replication from mate.
ASA1
ASA1(config)# ! Stateful failover: share the failover link as the state link
ASA1(config)# failover link shiva
ASA1
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 16:07:52 UTC Oct 4 2014
This host: Primary - Active
Active time: 296 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.1): Normal (Monitored)
Interface outside (101.1.1.100): Normal (Monitored)
Interface dmz (192.168.20.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.2): Normal (Monitored)
Interface outside (101.1.1.101): Normal (Monitored)
Interface dmz (192.168.20.2): Normal (Monitored)
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 2 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 10:06:18 UTC Oct 4 2014
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.2): Normal (Monitored)
Interface outside (101.1.1.101): Normal (Monitored)
Interface dmz (192.168.20.2): Normal (Monitored)
Other host: Primary - Active
Active time: 392 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.1): Normal (Monitored)
Interface outside (101.1.1.100): Normal (Monitored)
Interface dmz (192.168.20.1): Normal (Monitored)
General 42 0 56 0
sys cmd 42 0 42 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 6 0
ARP tbl 0 0 6 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 2 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
ASA1(config)# ! ASA2
ASA1(config)# failover active
Switching to Active
PC1
ASA2
ASA1(config)# failover active
Switching to Active
ASA1(config)# reload
System config has been modified. Save? [Y]es/[N]o: n
Proceed with reload? [confirm]
ASA1(config)#
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
PC1
ASA_Active_Active
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
interface fastEthernet 0/0
no shutdown
class c1
limit-resource Conns 50.0%
limit-resource Xlates 65000
limit-resource Mac-addresses 45.0%
limit-resource VPN Other 125
!
class c2
limit-resource Conns 50.0%
limit-resource Xlates 65000
limit-resource Mac-addresses 45.0%
limit-resource VPN Other 125
!
context c1
member c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
!
context c2
member c2
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
!
changeto context c1
interface gigabitEthernet 0/0
nameif inside
changeto context c2
interface gigabitEthernet 0/2
no shu
nameif inside
ip add 192.168.102.1 255.255.255.0 standby 192.168.102.2
interface gigabitEthernet 0/3
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0 standby 102.1.1.101
route outside 0 0 102.1.1.1
changeto context c1
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.101.0 255.255.255.0
access-group out in interface outside
R1#ping 101.1.1.1
ASA1/c1(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:09 timeout 0:00:00
changeto context c2
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.102.0 255.255.255.0
access-group out in interface outside
R2#ping 101.1.1.1
ASA1/c2(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:08 timeout 0:00:00
ASA1
failover lan unit primary
failover lan interface shiva g0/4
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2
interface gigabitEthernet 0/4
no shutdown
failover lan unit secondary
failover lan interface shiva g0/4
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA1
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 14:59:26 UTC Oct 4 2014
This host: Primary - Active
Active time: 152 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 09:15:12 UTC Oct 4 2014
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Other host: Primary - Active
Active time: 169 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
ASA1
ASA1(config)# ! Stateful failover: share the failover link as the state link
ASA1(config)# failover link shiva
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 09:15:12 UTC Oct 4 2014
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.2): Normal (Monitored)
c1 Interface outside (101.1.1.101): Normal (Monitored)
c2 Interface inside (192.168.102.2): Normal (Monitored)
c2 Interface outside (102.1.1.101): Normal (Monitored)
Other host: Primary - Active
Active time: 307 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
c2 Interface inside (192.168.102.1): Normal (Monitored)
c2 Interface outside (102.1.1.100): Normal (Monitored)
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 3 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
ASA1
ASA1(config)# ! to replicate http
ASA1(config)# failover replication http
ASA1
! To change the timers (unit hello every 200 ms; the holdtime must be at least 3x the poll time and defaults to 800 ms here)
failover polltime unit msec 200
ASA1
ASA1(config)# ! encrypt and authenticate failover-link traffic; configure the same key on both units
ASA1(config)# failover key shiva
ASA1 primary
failover group 1
primary
preempt
failover group 2
secondary
preempt
context c1
join-failover-group 1
context c2
join-failover-group 2
ASA1
failover
ASA2
failover
ASA1
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 15:13:11 UTC Oct 4 2014
Group 2 last failover at: 15:13:21 UTC Oct 4 2014
sys cmd 64 0 62 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 12 0 0 0
ARP tbl 8 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 2
Router ID 0 0 0 0
User-Identity 12 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 15:13:13 UTC Oct 4 2014
Group 2 last failover at: 15:13:21 UTC Oct 4 2014
Xmit Q: 0 1 121
ASA1
ASA1/act(config)#
ASA1/act(config)# changeto context c1
ASA1/c1/act(config)#
ASA1/c1/act(config)# changeto context c2
ASA1/c2/stby(config)#
ASA2
ASA1/stby(config)#
ASA1/stby(config)# changeto context c1
ASA1/c1/stby(config)#
ASA1/c1/stby(config)# changeto context c2
ASA1/c2/act(config)#
R1#ping 101.1.1.1
R2#ping 101.1.1.1
ASA1/c1/act(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:01 timeout 0:00:00
ASA2
ASA1/c2/act(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
ASA2
ASA1/act(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 15:25:12 UTC Oct 4 2014
Group 2 last failover at: 15:13:21 UTC Oct 4 2014
R1#ping 101.1.1.1
R2#ping 101.1.1.1
Chapter 23
MPF Function
Inspection of connection
Connection restriction
Traffic Prioritization
Traffic Policing
MPF Components
Class Map
Policy Map
Service Policy
DCE
SUN RPC
ILS
NET BIOS
IPsec Pass-Through
XDMCP
ICMP Inspection
FTP Modes
SMTP
DNS
TFTP
HTTP
RSH
SQL .NET
SIP
SCCP
CTIQBE
MGCP
Inspection of connection
Connection Restriction
Traffic Prioritization
Traffic Policing
Inspection of connection
Application inspection tells the appliance which protocols, beyond plain TCP and UDP, get an entry in the state table and protocol-aware handling. ICMP is the usual example: with ICMP inspection an echo reply is only allowed back if it matches an outstanding echo request, so ICMP becomes stateful traffic. Inspection is also what opens the secondary data channels of protocols such as FTP, SIP and RSH.
Connection Restriction
Using connection restriction we can set, per traffic class, conn-max (total TCP/UDP connections), embryonic-conn-max (half-open TCP connections; once the limit is exceeded the appliance completes the handshake on the server's behalf, which shields the server from SYN floods), per-client-max and per-client-embryonic-max.
Traffic Prioritization
Using this feature we can place delay-sensitive traffic such as voice or VPN traffic into a strict-priority queue on an interface, so it is sent ahead of other traffic.
Traffic Policing
Using this feature we can rate-limit the incoming or outgoing traffic that matches a class on an interface; packets above the configured rate are dropped.
MPF Components
Class-map
Policy-map
Service-policy
Class-map types
L3/L4 Class-map
L7 Class-map
Regex Class-map
Policy-map types
L3/L4 Policy-map
L7 Policy-map (policy-map type inspect)
Service-policy
Protocols inspected by the default global policy (class inspection_default):
FTP
DNS
H.323 RAS
H.323 H.225
RTSP
RSH
SIP
SCCP (Skinny)
SQL*Net
SUN RPC
ESMTP
TFTP
NETBIOS
XDMCP
IP Options
DCE RPC
DCE RPC is the remote procedure call protocol that lets a program call functions on another system as if they were local; Microsoft RPC is built on it and is used heavily by Windows and Active Directory. A client first contacts the endpoint mapper on TCP port 135, which returns the dynamic port of the requested service; inspection reads that reply and opens a pinhole for the dynamic port. It is not inspected by default, so if the network uses it, enable it:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dcerpc
SUN RPC
Sun RPC was developed by Sun and is used by NFS (Network File System) for file sharing. A client asks the portmapper on TCP/UDP port 111 for the port of a service, and the inspection engine opens a pinhole for the port that is returned. It is inspected by default; the explicit form is:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect sunrpc
ILS
ILS (Internet Locator Service) is an LDAP-based directory used by Microsoft NetMeeting and Active Directory; it lets systems look up the information they need to reach other systems in a domain. It uses TCP port 389 and is not inspected by default:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ils
NET BIOS
NetBIOS name service (UDP 137/138) is inspected by default; if you are not using it you can remove it from the inspected protocol list:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
no inspect netbios
IPsec Pass-Through
When a VPN client negotiates a tunnel it first runs IKE over UDP port 500 and then sets up the data connections, one ESP or AH flow in each direction. Without inspection the appliance cannot tie those ESP/AH flows (which carry no port numbers) to the IKE session, and there is no limit on how many a client may open. IPsec pass-through inspection matches the UDP 500 exchange, opens pinholes for the matching ESP/AH flows and lets us cap the number of ESP or AH connections per client. UDP 500 is not part of the default inspection class, so match it explicitly:
class-map ipsec-pass-class
match port udp eq 500
policy-map global_policy
class ipsec-pass-class
inspect ipsec-pass-thru
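The per-client limit described above lives in an inspection parameter map, which the book's snippet references but does not show. The configuration below is an added example, not the book's own configuration; the map, class and ACL names (ipsec-pt-map, ipsec-pt-class, ipsec-pt-acl) and the limit of two flows per client are assumptions.

```cisco
! Added example: cap each client at two ESP and two AH data flows per IKE
! negotiation, and idle them out after 10 minutes.
policy-map type inspect ipsec-pass-thru ipsec-pt-map
 parameters
  esp per-client-max 2 timeout 0:10:00
  ah per-client-max 2 timeout 0:10:00
!
! Only the IKE exchange (UDP 500) has to match the class; the ESP/AH
! pinholes are opened by the inspection engine from what it sees there.
access-list ipsec-pt-acl extended permit udp any any eq 500
class-map ipsec-pt-class
 match access-list ipsec-pt-acl
!
! global_policy is already applied globally in the default configuration,
! so adding the class to it is enough; no new service-policy is needed.
policy-map global_policy
 class ipsec-pt-class
  inspect ipsec-pass-thru ipsec-pt-map
!
! Verify with: show service-policy inspect ipsec-pass-thru
```

A client that tries to open a third ESP flow has it dropped; the limit is per source address, so several clients behind one NAT device share a single allowance and may need a higher value.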
XDMCP
When PCs were still expensive, UNIX vendors built cheap diskless X terminals that run only an X server and get their login session from a display manager (XDM) on a central host; XDMCP is the protocol that sets that session up. It is inspected by default.
Working:-
The X terminal sends an XDMCP request from a dynamic UDP port to UDP port 177 on the display-manager host; this is the management connection. The display manager then opens a TCP connection back to the terminal on port 6000 plus the display number to drive the display. Only this second, reverse connection needs help from the appliance: XDMCP inspection reads the UDP exchange and opens a pinhole for the TCP 6000 connection. If the terminal sits on the higher-security interface and the manager on the lower one, the XDMCP request itself is an ordinary outbound connection and nothing more is needed.
class-map default
match default-inspection-traffic
policy-map shiva
class default
inspect xdmcp
ICMP
ICMP (IP protocol 1) is used for connectivity checking, but it can also be abused to flood a host with ICMP traffic. The appliance does not inspect ICMP by default: an echo reply to an outbound ping is not matched to its request, so it is only let back in if an ACL on the lower-security interface permits it. With inspect icmp, echo request/reply pairs are tracked in the state table (one reply per request, matched on ICMP identifier and sequence number), and with inspect icmp error, ICMP error messages such as unreachable and time-exceeded pass through NAT with the embedded IP header translated, so traceroute through the appliance works:
class-map shiva_class
match default-inspection-traffic
policy-map shiva_policy
class shiva_class
inspect icmp
inspect icmp error
FTP
class-map default
match default-inspection-traffic
policy-map shiva
class default
inspect ftp
Modes
Active mode: the client sends PORT on the control channel and the server opens the data connection back to the client from TCP port 20; without inspection that inbound data connection is blocked.
Passive mode: the client sends PASV and the server answers with a port to which the client opens the data connection; inspection reads the PASV reply and opens a pinhole for that port only.
SMTP
SMTP is used to send mail and uses TCP port 25. The appliance can apply deeper inspection to SMTP (ESMTP inspection), for example limits on the message body length, the commands permitted and the number of recipients.
Working
policy-map shiva
class smtp
inspect esmtp l7-esmtp
service-policy shiva global
DNS
Domain Name System is used for name resolution; it uses TCP or UDP port 53. DNS is inspected by default (inspect dns preset_dns_map).
DNS Guard
Normally a UDP connection entry stays in the state table until it idles out. DNS Guard tears the entry down as soon as the first reply to a query arrives, so any later "reply" to the same query is dropped; this shrinks the window for reply spoofing and cache poisoning.
DNS Doctoring
With the dns keyword on a NAT rule the appliance rewrites the A record of a DNS reply that crosses the NAT boundary: an inside client that resolves the server's name through an outside DNS server receives the real (inside) address instead of the mapped one, so it connects directly instead of trying to reach the mapped address through the outside interface.
commands (9.x object NAT; the pre-8.3 "static" command no longer exists in 9.x, and the mapped address 101.1.1.53 below is a stand-in for the server's public address)
object network dns-doctored-server
host 192.168.101.53
nat (inside,outside) static 101.1.1.53 dns
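DNS Guard and DNS doctoring are configured in two different places: the first in a DNS inspection map, the second on the NAT rule. The configuration below is an added example, not the book's own, and wires both together for the lab's web server R2 (192.168.10.100 on dmz1, published as 101.1.1.111, the address the outside DNS server hands out for www.cisco.com). The map name dns-map is an assumption.

```cisco
! Added example: hardened DNS inspection map. dns-guard and nat-rewrite are
! on by default in the preset map; they are written out here so the settings
! that matter for DNS Guard and doctoring are visible.
policy-map type inspect dns dns-map
 parameters
  message-length maximum 512
  dns-guard
  nat-rewrite
  protocol-enforcement
  id-randomization
!
! DNS doctoring: the dns keyword makes the ASA rewrite 101.1.1.111 in an
! A-record reply to 192.168.10.100 when the reply crosses from outside.
object network R2
 host 192.168.10.100
 nat (dmz1,outside) static 101.1.1.111 dns
!
! Replace the preset map in the default global policy with ours.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns dns-map
!
! Verify with: show service-policy inspect dns
!              show xlate   (the rewritten reply shows a D flag on the xlate)
```

With this in place, R1 on the inside resolving www.cisco.com through R5 on the outside receives 192.168.10.100 and reaches R2 across the dmz1 interface directly; id-randomization and protocol-enforcement additionally make spoofed replies harder and drop malformed DNS messages.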
TFTP
Used for backing up and upgrading network appliances; it uses UDP port 69. The data transfer comes back from a dynamic server port, which is why TFTP needs inspection.
Default inspected
Working
HTTP
Used for web browsing; it uses TCP port 80. The appliance can block HTTP requests by host name or by a raw IP address in the Host header, matched with regular expressions:
regex fb \.facebook\.com
regex 420 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
policy-map shiva
class http-class
inspect http l7-http
service-policy shiva global
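The book shows the two regexes and the outer policy but not the L7 class-map and L7 policy-map that join them, which are exactly the component types listed under "Class-map types" and "Policy-map types" above. The configuration below is an added example, not the book's own, and ties all of them together for this HTTP case: the regex "fb" and the policy names shiva / http-class / l7-http are the book's, while the regex name ipv4-host, the ACL http-acl and the inside subnet 192.168.1.0/24 (from the chapter's initial config) are assumptions.

```cisco
! Added example: block facebook.com and any request that uses a raw IP
! address instead of a host name, for HTTP from the inside network.
regex fb \.facebook\.com
regex ipv4-host [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
!
! L7 class-map: what inside the HTTP request to look at (the Host header)
class-map type inspect http match-any blocked-hosts
 match request header host regex fb
 match request header host regex ipv4-host
!
! L7 policy-map: what to do with a matching request, plus protocol sanity
policy-map type inspect http l7-http
 parameters
  protocol-violation action drop-connection log
 class blocked-hosts
  drop-connection log
!
! L3/L4 class-map: which flows the engine sees at all
access-list http-acl extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
class-map http-class
 match access-list http-acl
!
! L3/L4 policy-map and the service-policy that binds it to an interface
policy-map shiva
 class http-class
  inspect http l7-http
service-policy shiva interface inside
!
! Verify with: show service-policy interface inside inspect http
```

An interface can carry only one service policy, so on a firewall that already has one on inside the class goes into that existing policy-map instead. Matching on the Host header catches the name a browser used; it does not see inside TLS, so HTTPS to the same sites is not affected by this policy.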
RSH
Remote shell, used on Unix to run commands on a remote host; it uses TCP port 514. The server opens a second TCP connection back to the client for standard error, which is why RSH needs an inspection engine.
Working
Default Inspected.
SQL.NET
Working
Client (dynamic TCP port, 1024 or higher) ------> Server TCP 1521 (listener)
Client (dynamic TCP port) <------ Server, possibly redirected to a different port
The listener on TCP 1521 may redirect the client to another server port; SQL*Net inspection reads the redirect and opens a pinhole for it. Inspected by default.
SIP / SCCP / CTIQBE (TCP and UDP 5060 / TCP 2000 / TCP 2748)
MGCP
Used between VoIP media gateways and the call agent (Cisco CallManager); gateways listen on UDP 2427 and the call agent on UDP 2727, and the RTP media ports are negotiated inside the signalling, which inspection tracks.
Working
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ip add 192.168.106.1 255.255.255.0 secondary
router ei 100
no auto-summary
net 0.0.0.0
R2
interface fastEthernet 0/0
no sh
ip add 192.168.10.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
R3
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
ip address 2.2.2.2 255.255.255.255
!
interface Loopback3
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 101.1.1.1 255.255.255.0
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 102.1.1.1 255.255.255.0
!
interface FastEthernet0/0.60
encapsulation dot1Q 60
ip address 103.1.1.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.104.1 255.255.255.0
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
R5
interface fastEthernet 0/0
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
ip dns server
ip host www.cisco.com 101.1.1.111
ip host www.abc.com 101.1.1.222
ip host www.google.com 1.1.1.1
ip host www.facebook.com 2.2.2.2
ip host www.gmail.com 3.3.3.3
R6
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
!
ASA2
ASA2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 192.168.104.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.104.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 101.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping 102.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1
object network R2
host 192.168.10.100
object network R4
host 192.168.20.100
object network www.cisco.com
host 101.1.1.111
object network www.abc.com
host 101.1.1.222
ASA1
R3#debug ip icmp
ICMP packet debugging is on
R1#ping 101.1.1.1
R2#ping 101.1.1.1
R4#ping 101.1.1.1
R3#debug ip icmp
ICMP packet debugging is on
R3#
*Oct 8 07:06:55.583: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.583: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.583: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:55.587: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R3#
*Oct 8 07:06:58.843: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.847: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.847: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.851: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
*Oct 8 07:06:58.851: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100
R3#
*Oct 8 07:07:01.019: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
*Oct 8 07:07:01.771: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
R3#
*Oct 8 07:07:02.519: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
R3#
*Oct 8 07:07:14.867: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.871: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.871: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.875: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
*Oct 8 07:07:14.875: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.111
R3#
*Oct 8 07:07:24.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.707: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.711: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.711: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
*Oct 8 07:07:24.715: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.222
R3
R3(config)#ip domain-lookup
R3(config)#ip name-server 102.1.1.100
R3#ping www.cisco.com
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping www.abc.com
PC 192.168.104.100
ASA1
ASA1(config)# access-list out permit tcp any object R2 eq 22
ASA1(config)# access-list out permit tcp any object R2 eq 23
ASA1
! the ACL referenced by the class is not shown in the original; this
! definition matches the class name (telnet to R2)
access-list telnet-limit extended permit tcp any object R2 eq 23
class-map telnet-class
match access-list telnet-limit
policy-map shiva_policy
class telnet-class
set connection conn-max 123
set connection embryonic-conn-max 1
set connection per-client-max 2
set connection per-client-embryonic-max 1
ASA1
ASA2
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101.1.1.100 type ipsec-l2l
tunnel-group 101.1.1.100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 101.1.1.100
crypto map test 10 match address 102
crypto map test interface outside
crypto ikev1 enable outside
ASA1
!
priority-queue outside
class-map s2s-class
match tunnel-group 103.1.1.100
policy-map shiva_policy
class s2s-class
priority
ASA1
access-list traffic-limit deny ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list traffic-limit permit ip 192.168.101.0 255.255.255.0 any
class-map traffic-limit-class
match access-list traffic-limit
policy-map shiva_policy
class traffic-limit-class
police input 8000 conform-action transmit exceed-action drop
police output 8000 conform-action transmit exceed-action drop
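The two snippets above, priority for the site-to-site tunnel and policing for the rest of the inside-to-outside traffic, are never bound to an interface on this page, and priority queuing only works in an interface policy. The configuration below is an added example, not the book's own, that combines both into one interface policy on outside; the ACL, class names and tunnel-group peer are the book's, the policy-map name qos-outside and the queue sizes are assumptions.

```cisco
! Added example: one QoS policy on the outside interface.
! The priority queue must exist on the interface before "priority" can
! be used; queue-limit / tx-ring-limit are optional tuning.
priority-queue outside
 queue-limit 1024
 tx-ring-limit 256
!
! Traffic belonging to the site-to-site tunnel to 103.1.1.100
class-map s2s-class
 match tunnel-group 103.1.1.100
!
! Everything else from 192.168.101.0/24, explicitly excluding the
! VPN-protected subnet so the tunnel is never policed
access-list traffic-limit extended deny ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list traffic-limit extended permit ip 192.168.101.0 255.255.255.0 any
class-map traffic-limit-class
 match access-list traffic-limit
!
policy-map qos-outside
 class s2s-class
  priority
 class traffic-limit-class
  police input 8000 conform-action transmit exceed-action drop
  police output 8000 conform-action transmit exceed-action drop
!
service-policy qos-outside interface outside
!
! Verify with: show service-policy interface outside priority
!              show service-policy interface outside police
```

priority and police cannot be applied to the same class, which is why the tunnel and the rest of the traffic are kept in separate classes; 8000 bps is the smallest rate the policer accepts and is only useful for a demonstration.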
FTP Inspection
outbound connection is working
check inbound connection
not working
ASA1
policy-map shiva_policy
class shiva_class
inspect ftp
SMTP
GO on Internet User
policy-map shiva_policy
class smtp-class
ASA1(config)# sh conn
8 in use, 11 most used
UDP outside 10.0.0.255:137 inside 10.0.0.10:137, idle 0:00:13, bytes 25650, flags -
UDP outside 10.0.0.255:137 dmz1 10.0.0.10:137, idle 0:00:13, bytes 25800, flags -
UDP outside 102.1.1.100:53 inside 192.168.101.100:54918, idle 0:00:12, bytes 80, flags h
UDP outside 102.1.1.100:53 inside 192.168.101.100:55714, idle 0:00:38, bytes 78, flags h
UDP outside 102.1.1.100:53 inside 192.168.101.100:63759, idle 0:00:53, bytes 84, flags h
UDP outside 102.1.1.100:53 inside 192.168.101.100:63597, idle 0:01:02, bytes 80, flags h
R3#ping www.cisco.com
R1(config)#ip domain-lookup
R1(config)#ip name-server 102.1.1.100
R1#ping www.cisco.com
ASA1
policy-map shiva_policy
class shiva_class
inspect dns l7-dns
nat (inside,outside) source static inside inside destination static s2s s2s
nat (dmz1,outside) source static R2 www.cisco.com dns
nat (dmz2,outside) source static R4 www.abc.com dns
R1#ping www.cisco.com
regex fb \.facebook\.com
policy-map shiva_policy
class shiva_class
inspect ils
inspect dcerpc
inspect sunrpc
inspect netbios
inspect xdmcp
inspect rsh
inspect sqlnet
inspect tftp
inspect sip
inspect skinny
inspect ctiqbe
inspect mgcp
class-map ipsec-pass-class
match access-list ipsec-pass-acl
policy-map shiva_policy
class ipsec-pass-class
inspect ipsec-pass-thru l7-ipsec-pass-thru
Chapter 24
OSPFv3
OSPFv3
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:1::1/48
!
interface fastEthernet 0/1
ipv6 add 192:168:101::1/48
no shutdown
!
int lo1
ipv6 add 172:10:1::1/48
int lo2
ipv6 add 172:10:2::1/48
int lo3
ipv6 add 172:10:3::1/48
int lo4
ipv6 add 172:10:4::1/48
int lo5
ipv6 add 172:10:5::1/48
int lo6
ipv6 add 172:10:6::1/48
R2
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:2::1/48
no shutdown
int lo1
ipv6 add 172:20:1::1/48
int lo2
ipv6 add 172:20:2::1/48
int lo3
ipv6 add 172:20:3::1/48
int lo4
ipv6 add 172:20:4::1/48
int lo5
ipv6 add 172:20:5::1/48
int lo6
ipv6 add 172:20:6::1/48
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:3::1/48
no shutdown
!
interface fastEthernet 0/1
ipv6 add 192:168:103::1/48
no shutdown
!
int lo1
ipv6 add 172:30:1::1/48
int lo2
ipv6 add 172:30:2::1/48
int lo3
ipv6 add 172:30:3::1/48
int lo4
ipv6 add 172:30:4::1/48
int lo5
ipv6 add 172:30:5::1/48
int lo6
ipv6 add 172:30:6::1/48
R4
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:4::1/48
no shutdown
int lo1
ipv6 add 172:40:1::1/48
int lo2
ipv6 add 172:40:2::1/48
int lo3
ipv6 add 172:40:3::1/48
int lo4
ipv6 add 172:40:4::1/48
int lo5
ipv6 add 172:40:5::1/48
int lo6
ipv6 add 172:40:6::1/48
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:2::2/48
!
interface GigabitEthernet0/2
nameif outside
security-level 0
no ip address
ipv6 address 192:168:3::2/48
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
no ip address
ipv6 address 192:168:4::2/48
R1
ipv6 router ospf 100
router-id 1.1.1.1
exit
interface fastEthernet 0/0
ipv6 ospf 100 area 1
interface fastEthernet 0/1
ipv6 ospf 100 area 1
int l1
ipv6 ospf 100 area 4
int l2
ipv6 ospf 100 area 4
int l3
ipv6 ospf 100 area 4
int l4
ipv6 ospf 100 area 4
int l5
ipv6 ospf 100 area 4
int l6
ipv6 ospf 100 area 4
R2
ipv6 router ospf 100
router-id 2.2.2.2
int f0/0
ipv6 ospf 100 area 0
ipv6 router ei 100
no shutdown
int lo1
ip add 2.2.2.2 255.255.255.255
ipv6 eigrp 100
int lo2
ipv6 eigrp 100
int lo3
ipv6 eigrp 100
int lo4
ipv6 eigrp 100
int lo5
ipv6 eigrp 100
int lo6
ipv6 eigrp 100
R3
ipv6 router os 100
router-id 3.3.3.3
int f0/0
ipv6 ospf 100 area 2
int f0/1
ipv6 ospf 100 area 2
int l1
ipv6 ospf 100 area 2
int l2
ipv6 ospf 100 area 2
int l3
ipv6 ospf 100 area 2
int l4
ipv6 ospf 100 area 2
int l5
ipv6 ospf 100 area 2
int l6
ipv6 ospf 100 area 2
R4
ipv6 router ospf 100
router-id 4.4.4.4
int f0/0
ipv6 ospf 100 area 3
ASA1
ipv6 router ospf 100
router-id 5.5.5.5
int g0/0
ipv6 ospf 100 area 1
int g0/1
ipv6 ospf 100 area 0
int g0/2
ipv6 ospf 100 area 2
int g0/3
ipv6 ospf 100 area 3
O 172:30:5::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:6::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 192:168:101::1/128 [110/10]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:101::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:103::/48 [110/11]
via fe80::46e4:d9ff:fe87:ecde, outside
R3
R3#sh ipv6 route ospf
IPv6 Routing Table - 35 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
OI 172:10:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 172:10:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:1::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:2::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:3::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:4::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:5::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OE1 172:20:6::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:1::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:1::2/128 [110/1]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:2::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:4::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:101::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
OI 192:168:101::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA88, FastEthernet0/0
ASA1
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# area 3 stub
! area 3 must also be declared stub on R4 (ipv6 router ospf 100 / area 3 stub);
! a stub mismatch in the hello options (E-bit) prevents the adjacency from forming
OI ::/0 [110/2]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:10:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:1::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:2::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:3::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:4::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:5::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 172:30:6::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:1::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:1::2/128 [110/1]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:2::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:3::/48 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:101::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:101::1/128 [110/11]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
OI 192:168:103::/48 [110/12]
via FE80::6E20:56FF:FEBD:EA85, FastEthernet0/0
R1(config-if)#interface lo1
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo2
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo3
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo4
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo5
R1(config-if)#ipv6 ospf network point-to-point
R1(config-if)#interface lo6
R1(config-if)#ipv6 ospf network point-to-point
ASA1
ASA1# sh ipv6 route ospf
Chapter 25
Diagram:-
Initial-config
R1
ipv6 unicast-routing
int f0/0
no shutdown
ipv6 add 192:168:1::1/48
int f0/1
no shutdown
ipv6 add 192:168:101::1/48
R2
ipv6 unicast-routing
int fastEthernet 0/0
no shutdown
ipv6 add 192:168:10::100/48
ipv6 route ::/0 192:168:10::1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
int f0/1
no shutdown
ipv6 add 192:168:102::1/48
no shutdown
R4
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:20::100/48
ipv6 route ::/0 192:168:20::1
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
R5
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 192:168:101::111/48
no shutdown
ipv6 route ::/0 192:168:1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
username shiva privilege 15 secret shiva
ip http server
ip http secure-server
ip http authentication local
username shiva privilege 15 secret shiva
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:10::1/48
!
interface GigabitEthernet0/2
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
no ip address
ipv6 address 192:168:20::1/48
ASA1
STATIC
object network obj_net_192:168:10::100
host 192:168:10::100
object network obj_net_192:168:20::100
host 192:168:20::100
object network obj_net_101:1:1::101
host 101:1:1::101
object network obj_net_101:1:1::102
host 101:1:1::102
object network obj_net_101:1:1::103
host 101:1:1::103
object network obj_net_101:1:1::104
host 101:1:1::104
! ACL entries reference the real (untranslated) addresses. TCP and UDP return traffic is
! tracked statefully, but ICMPv6 echo replies are not unless ICMP inspection is enabled,
! so permit them inbound on the outside ACL
access-list out permit icmp6 any object obj_net_192:168:1::1
access-list out permit icmp6 any object obj_net_192:168:101::1
access-list out permit icmp6 any object obj_net_192:168:101::111
access-list out permit icmp6 any object obj_net_192:168:10::100
access-list out permit icmp6 any object obj_net_192:168:20::100
access-group out in interface outside
R1#ping 101:1:1::1
ASA1(config)# sh xlate
5 in use, 20 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192:168:1::1/128 to outside:101:1:1::100/128
flags s idle 0:02:20 timeout 0:00:00
NAT from dmz1:192:168:10::100/128 to outside:101:1:1::103/128
flags s idle 0:01:55 timeout 0:00:00
NAT from dmz2:192:168:20::100/128 to outside:101:1:1::104/128
flags s idle 0:01:50 timeout 0:00:00
NAT from inside:192:168:101::1/128 to outside:101:1:1::101/128
flags s idle 0:02:14 timeout 0:00:00
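The static NAT rules that produce the translations in the sh xlate output above are not on the page. The configuration below is an added example, not the book's own, written to match that output: the object names are assumptions, the mapping of 192:168:101::111 to 101:1:1::102 (the one pool address the output does not show) is an inference, and the book's mapping of R1 to the outside interface's own address is deliberately not reproduced, since a host should be published on a dedicated mapped address.

```cisco
! Added example: static NAT66, one real host to one mapped host each.
object network h-r1-lan
 host 192:168:101::1
 nat (inside,outside) static 101:1:1::101
object network h-r5
 host 192:168:101::111
 nat (inside,outside) static 101:1:1::102
object network h-r2-dmz1
 host 192:168:10::100
 nat (dmz1,outside) static 101:1:1::103
object network h-r4-dmz2
 host 192:168:20::100
 nat (dmz2,outside) static 101:1:1::104
!
! Static NAT is bidirectional, so an outside host may open connections to
! the mapped addresses; the ACL decides what is allowed and names the real
! addresses. Echo replies need an explicit permit because ICMPv6 is not
! tracked statefully without ICMP inspection.
access-list out6 extended permit icmp6 any object h-r1-lan
access-list out6 extended permit icmp6 any object h-r5
access-list out6 extended permit icmp6 any object h-r2-dmz1
access-list out6 extended permit icmp6 any object h-r4-dmz2
access-group out6 in interface outside
!
! Verify with: show nat detail
!              show xlate
```

Because the rules are static they appear in show xlate immediately with flag s, before any traffic flows; with dynamic NAT an entry exists only while a connection uses it.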
Dynamic
ASA1
object network obj_net_inside
subnet 192:168:1::/48
object network obj_net_inside_lan
subnet 192:168:101::/48
object network obj_net_dmz1_lan
subnet 192:168:10::/48
object network obj_net_dmz2_lan
subnet 192:168:20::/48
object network obj_net_dpool
range 101:1:1::101 101:1:1::104
object network obj_net_inside
nat (inside,outside) dynamic obj_net_dpool
object network obj_net_inside_lan
nat (inside,outside) dynamic obj_net_dpool
object network obj_net_dmz1_lan
nat (dmz1,outside) dynamic obj_net_dpool
object network obj_net_dmz2_lan
nat (dmz2,outside) dynamic obj_net_dpool
R1#ping 101:1:1::1
R5#ping 101:1:1::1
R2#ping 101:1:1::1
R4#ping 101:1:1::1
R3
R3#
*Oct 5 09:03:31.375: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.375: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 09:03:31.375: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
*Oct 5 09:03:31.379: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.379: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 09:03:31.379: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.379: ICMPv6: Sending echo reply to 101:1:1::104
*Oct 5 09:03:31.383: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.383: ICMPv6: Sending echo reply to 101:1:1::104
R3#
*Oct 5 09:03:31.383: ICMPv6: Received echo request from 101:1:1::104
*Oct 5 09:03:31.383: ICMPv6: Sending echo reply to 101:1:1::104
R3#
*Oct 5 09:03:33.095: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 09:03:33.095: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 09:03:33.095: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 09:03:33.095: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 09:03:33.099: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 09:03:33.099: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 09:03:33.099: ICMPv6: Received echo request from 101:1:1::101
*Oct 5 09:03:33.099: ICMPv6: Sending echo reply to 101:1:1::101
*Oct 5 09:03:33.103: ICMPv6: Received echo request from 101:1:1::101
ASA1
PAT
ASA1(config-network-object)# sh xlate
6 in use, 20 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ASA1
STATIC PAT
Password:
R1#
ASA1(config)# sh xlate
1 in use, 20 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside:192:168:1::1/128 22-22 to outside:101:1:1::100/128 22-22
flags sr idle 0:00:12 timeout 0:00:00
ASA1(config)# sh conn
1 in use, 28 most used
TCP outside 101:1:1::1:40109 inside 192:168:1::1:22, idle 0:00:03, bytes 2452, flags UIOB
Password:
R1#ex
R1#exit
ASA1(config)# sh conn
0 in use, 28 most used
ASA1
Identity NAT
R1#ping 101:1:1::1
R3#
*Oct 5 09:36:02.555: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.555: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:02.559: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.559: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:02.559: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.559: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:02.563: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.563: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:02.563: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:02.563: ICMPv6: Sending echo reply to 101:1:1::100
R3#
*Oct 5 09:36:07.555: ICMPv6: Received ICMPv6 packet from 101:1:1::100, type 136
R3#
*Oct 5 09:36:11.039: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.043: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:11.047: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.047: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:11.047: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:11.047: ICMPv6: Sending echo reply to 101:1:1::100
R3#
*Oct 5 09:36:12.551: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 135
R3#
*Oct 5 09:36:17.551: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
R3#
*Oct 5 09:36:25.651: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.655: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:25.655: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.655: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:25.655: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Sending echo reply to 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 09:36:25.659: ICMPv6: Sending echo reply to 101:1:1::100
R3#
*Oct 5 09:36:28.591: ICMPv6: Received echo request from 192:168:101::1
*Oct 5 09:36:28.591: ICMPv6: Sending echo reply to 192:168:101::1
R3#
*Oct 5 09:36:30.591: ICMPv6: Received echo request from 192:168:101::1
*Oct 5 09:36:30.591: ICMPv6: Sending echo reply to 192:168:101::1
R3#
*Oct 5 09:36:32.591: ICMPv6: Received echo request from 192:168:101::1
ASA1
Twice NAT
R1#ping 101:1:1::1
R3#
*Oct 5 09:46:16.803: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.803: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:16.803: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.803: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:16.807: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.807: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:16.807: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.807: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:16.811: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:16.811: ICMPv6: Sending echo reply to 101:1:1::111
R3#
*Oct 5 09:46:20.155: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.155: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:20.159: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.159: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:20.159: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.159: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:20.163: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.163: ICMPv6: Sending echo reply to 101:1:1::111
*Oct 5 09:46:20.163: ICMPv6: Received echo request from 101:1:1::111
*Oct 5 09:46:20.163: ICMPv6: Sending echo reply to 101:1:1::111
R3#
*Oct 5 09:46:28.055: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.055: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:28.055: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.055: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:28.059: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.059: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:28.059: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.059: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:28.063: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:28.063: ICMPv6: Sending echo reply to 101:1:1::222
R3#
*Oct 5 09:46:31.047: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:31.051: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:31.051: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:31.051: ICMPv6: Sending echo reply to 101:1:1::222
*Oct 5 09:46:31.051: ICMPv6: Received echo request from 101:1:1::222
*Oct 5 09:46:31.055: ICMPv6: Sending echo reply to 101:1:1::222
Chapter 26
Site-Site on IPv6
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 192:168:101::100/48
no shutdown
ipv6 route ::/0 192:168:101::1
R2
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 192:168:102::100/48
no shutdown
ipv6 route ::/0 192:168:102::1
R3
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
interface fastEthernet 0/1
no shutdown
ipv6 add 102:1:1::1/48
ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ipv6 add 192:168:101::1/48
interface gigabitEthernet 0/1
no shu
nameif outside
ipv6 add 101:1:1::100/48
ipv6 route outside ::/0 101:1:1::1
ASA2
interface gigabitEthernet 0/0
no shu
nameif inside
ipv6 add 192:168:102::1/48
no shu
interface g0/1
no shu
nameif outside
ipv6 add 102:1:1::100/48
no shu
ipv6 route outside ::/0 102:1:1::1
ASA1
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102:1:1::100 type ipsec-l2l
tunnel-group 102:1:1::100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192:168:101::/48 192:168:102::/48
crypto map test 10 set ikev1 transform-set t-set
crypto map test 10 set peer 102:1:1::100
crypto map test 10 match address 101
crypto map test interface outside
crypto ikev1 enable outside
ASA2
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101:1:1::100 type ipsec-l2l
tunnel-group 101:1:1::100 ipsec-attributes
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ASA2
ASA2(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Chapter 27
SSL on IPv6
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 101:1:1::1/48
no shutdown
int f0/1
no shutdown
ipv6 add 192:168:101::1/48
no shutdown
ipv6 add 192:168:102::1/48
R2
ipv6 unicast-routing
int f0/0
no shutdown
ipv6 add 192:168:1::2/48
no sh
int f0/1
no shutdown
ipv6 add 192:168:10::1/48
exit
ipv6 router ospf 100
router-id 2.2.2.2
int f0/0
ipv6 ospf 100 area 0
int f0/1
ipv6 ospf 100 area 0
R3
ipv6 unicast-routing
int f0/0
no shutdown
ipv6 add 192:168:2::2/48
int f0/1
no sh
ipv6 add 192:168:20::1/48
exit
ipv6 router ospf 100
router-id 3.3.3.3
int f0/0
ipv6 ospf 100 area 0
int f0/1
ipv6 ospf 100 area 0
R4
ipv6 unicast-routing
interface fastEthernet 0/0
ipv6 add 192:168:10::100/48
no shutdown
ipv6 route ::/0 192:168:10::1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http au local
username shiva privilege 15 secret shiva
R5
ipv6 unicast-routing
int f0/0
no shutdown
ipv6 add 192:168:20::100/48
no shutdown
ipv6 route ::/0 192:168:20::1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
login local
exit
ip http server
ip http secure-server
ip http au local
username shiva privilege 15 secret shiva
ASA1
interface GigabitEthernet0/0
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48
!
interface GigabitEthernet0/1
nameif inside1
security-level 100
no ip address
ipv6 address 192:168:1::1/48
ipv6 ospf 100 area 0
!
interface GigabitEthernet0/2
nameif inside2
security-level 100
no ip address
ipv6 address 192:168:2::1/48
ipv6 ospf 100 area 0
!
ipv6 route outside ::/0 101:1:1::1
ipv6 router ospf 100
router-id 1.1.1.1
log-adjacency-changes
!
ASA1(config)# sh ipv6 ospf neighbor
ASA1
webvpn
enable outside
username shiva password shiva privilege 15
https://[101:1:1::100]
webvpn
port 9090
enable outside
port-forward admin 2222 192:168:10::100 ssh
port-forward admin 2323 192:168:10::100 telnet
port-forward admin 8080 192:168:10::100 www
port-forward admin 8181 192:168:10::100 https
port-forward mgmt 2222 192:168:20::100 ssh
port-forward mgmt 2323 192:168:20::100 telnet
port-forward mgmt 8080 192:168:20::100 www
port-forward mgmt 8181 192:168:20::100 https
webvpn
tunnel-group-list enable
Chapter 28
BGP Messages
BGP Tables
BGP States
BGP Terminology
BGP Lab
BGP Messages
Open
Keep Alive
Update
Notification
Open
BGP sends the Open message using TCP port 179.
Contains:-
1.Version
2.My AS
3.Router ID
4.Hold Time default 180sec
Keep Alive
BGP sends a periodic keepalive every 60 sec.
Update
When two routers become BGP neighbours, they send Update messages to each other.
Contains:-
1. Route
2. Route's Attributes
Route's Attributes
These are the criteria that are used to select the best route.
They are also called Rich Metric.
Notification
When a neighbour is reset, it sends a Notification message.
Contains:-
It contains the cause of the reset.
BGP implemented within an AS is called iBGP.
BGP implemented between ASes is called eBGP.
BGP Tables
Neighbour Table
BGP Table
Routing Table
BGP States
Idle
Connect
Open Sent
Open Confirm
Establish
1. Idle
It means the router is searching for a neighbour.
2. Connect
It means the TCP three-way handshake is complete.
3. Open Sent
It means the Open message has been sent.
4. Open Confirm
It means the Open acknowledgement has been received.
5. Establish
It means the neighbourship is complete.
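As an added example (not from the book), the following Python builds and parses the Open message described above and derives the keepalive interval from the hold time, so the Open fields and the checks made between Open Sent and Open Confirm can be tried offline. The AS number 100 and router ID 192.168.1.2 are taken from the lab below; the wire layout follows RFC 4271 and everything else is constructed.

```python
"""Constructed example (not from the book): encode and decode the BGP OPEN
message whose fields are listed above (Version, My AS, Hold Time, Router ID)
and derive the timers from the negotiated hold time. Layout per RFC 4271."""
import struct
import ipaddress

BGP_PORT = 179            # OPEN is the first message on the TCP session
BGP_HEADER_LEN = 19       # 16-byte marker + 2-byte length + 1-byte type
MARKER = b"\xff" * 16
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
DEFAULT_HOLD_TIME = 180   # seconds; keepalive interval is one third of it


def build_open(my_as, hold_time, router_id, opt_params=b""):
    """Build an OPEN carrying Version, My AS, Hold Time and BGP Identifier."""
    if not 0 <= my_as <= 0xFFFF:
        raise ValueError("My AS is a 2-byte field; larger ASNs need AS_TRANS")
    if hold_time in (1, 2):
        raise ValueError("hold time must be 0 or at least 3 seconds")
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       ipaddress.IPv4Address(router_id).packed, len(opt_params))
    body += opt_params
    return MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), OPEN) + body


def parse_open(msg, expected_as=None):
    """Decode an OPEN and apply the checks a receiver makes before it answers
    with a KEEPALIVE (the Open Sent -> Open Confirm transition). A failed
    check is what triggers a NOTIFICATION and a session reset."""
    if len(msg) < BGP_HEADER_LEN + 10:
        raise ValueError("message too short for an OPEN")
    marker = msg[:16]
    length, mtype = struct.unpack("!HB", msg[16:19])
    if marker != MARKER:
        raise ValueError("connection not synchronised (bad marker)")
    if length != len(msg) or length > 4096:
        raise ValueError("bad message length")
    if mtype != OPEN:
        raise ValueError("expected OPEN, got type %d" % mtype)
    version, my_as, hold_time, rid, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4:
        raise ValueError("unsupported version %d" % version)
    if expected_as is not None and my_as != expected_as:
        # what 'neighbor X remote-as Y' enforces: the peer must claim the configured AS
        raise ValueError("bad peer AS %d, expected %d" % (my_as, expected_as))
    if hold_time in (1, 2):
        raise ValueError("unacceptable hold time %d" % hold_time)
    if 29 + opt_len != length:
        raise ValueError("optional parameter length does not match message length")
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "router_id": str(ipaddress.IPv4Address(rid)),
            "opt_params": msg[29:29 + opt_len]}


def negotiate_timers(local_hold, peer_hold):
    """Both sides use the smaller offered hold time; keepalives go out every
    hold/3 seconds, which is where the default 60 s (180 / 3) comes from.
    A hold time of 0 disables keepalives entirely."""
    hold = min(local_hold, peer_hold)
    return hold, hold // 3


if __name__ == "__main__":
    # constructed exchange: ASA1 (AS 100, router ID 192.168.1.2) opens to R1 (AS 100)
    msg = build_open(100, DEFAULT_HOLD_TIME, "192.168.1.2")
    fields = parse_open(msg, expected_as=100)
    print(fields, negotiate_timers(DEFAULT_HOLD_TIME, fields["hold_time"]))
```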
Next-hop-self
When a BGP edge router learns external routes, it advertises those routes with the default
next-hop to its iBGP neighbours. To solve this problem we use next-hop-self. This command forces a router to
send its own IP address as the next-hop to iBGP neighbours.
Route-reflector-client
Normally an iBGP router doesn't exchange the routes learned from one iBGP neighbour with another iBGP neighbour.
To solve this we use route-reflector-client. This command forces a router to exchange the routes of
one neighbour with another.
EBGP-Multi-hop
When a BGP router wants to establish an eBGP neighbourship, it sets the TTL value to 1 in the Open message. If
your neighbour is not directly connected, the neighbourship will not establish.
Using the EBGP-Multi-hop command we can increase the TTL value.
Max-Path
By default BGP selects one best path using its attributes; in other words,
by default BGP doesn't use load-balancing. If you want to use load-balancing, change the
max-path value using the Max-Path command.
Update-source
If you want to establish a neighbourship, you can use the physical interface IP for peering. But a physical
interface can go down, so this is not recommended for BGP peering.
You can use a loopback for peering. If you are using a loopback for peering, you have to use the update-source
command. This command tells a router to use a particular loopback IP as the source when it sends messages
to its peer; otherwise the neighbourship will not form.
BGP-redistribute Internal
We can redistribute IGP into iBGP, IGP into eBGP, or eBGP into IGP.
But iBGP to IGP redistribution is not allowed; if you want it, we have to use BGP-redistribute Internal.
Diagram:-
Initial-config
R1
interface Loopback1
ip address 192.10.1.1 255.255.255.0
!
interface Loopback2
ip address 192.10.2.1 255.255.255.0
!
interface Loopback3
ip address 192.10.3.1 255.255.255.0
!
interface Loopback4
ip address 192.10.4.1 255.255.255.0
!
interface Loopback5
ip address 192.10.5.1 255.255.255.0
!
interface Loopback6
ip address 192.10.6.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.101.1 255.255.255.0
duplex auto
speed auto
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.35.1 255.255.255.0
no shutdown
int l1
ip add 192.168.103.1 255.255.255.0
no shutdown
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.104.1 255.255.255.0
no shutdown
R5
interface f0/1
no shutdown
ip add 192.168.35.2 255.255.255.0
no shutdown
int f0/0
no shutdown
ip add 192.168.105.1 255.255.255.0
no shutdown
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz1
security-level 60
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 192.168.3.2 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
ip address 192.168.4.2 255.255.255.0
!
ASA1(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config)# ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
R1
R1(config)#router bgp 100
R1(config-router)#neighbor 192.168.1.2 remote-as 100
R1(config-router)#net 192.168.1.0
R1(config-router)#net 192.168.101.0
R1(config-router)#net 192.10.1.0
R1(config-router)#net 192.10.2.0
R1(config-router)#net 192.10.3.0
R1(config-router)#net 192.10.4.0
R1(config-router)#net 192.10.5.0
R1(config-router)#net 192.10.6.0
R2
R2(config)#router bgp 100
R2(config-router)#neighbor 192.168.2.2 remote-as 100
R2(config-router)#net 192.168.2.0
R2(config-router)#net 192.168.102.0
R3
R3(config)#router bgp 200
R3(config-router)#neighbor 192.168.3.2 remote-as 100
R3(config-router)#neighbor 192.168.35.2 remote-as 200
R3(config-router)#net 192.168.3.0
R3(config-router)#net 192.168.103.0
R3(config-router)#net 192.168.35.0
R4
R4(config)#router bgp 100
R4(config-router)#neighbor 192.168.4.2 remote-as 100
R4(config-router)#net 192.168.4.0
R4(config-router)#net 192.168.104.0
R5
R5(config)#router bgp 200
R5(config-router)#neighbor 192.168.35.1 remote-as 200
R5(config-router)#net 192.168.35.0
R5(config-router)#net 192.168.105.0
ASA1
ASA1(config)# router bgp 100
ASA1(config-router)# address-family ipv4 unicast
ASA1(config-router-af)# neighbor 192.168.1.1 remote-as 100
ASA1(config-router-af)# neighbor 192.168.2.1 remote-as 100
ASA1(config-router-af)# neighbor 192.168.3.1 remote-as 200
ASA1(config-router-af)# neighbor 192.168.4.1 remote-as 100
ASA1(config-router-af)# network 192.168.1.0
ASA1(config-router-af)# network 192.168.2.0
ASA1(config-router-af)# network 192.168.3.0
ASA1(config-router-af)# network 192.168.4.0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 4 1
Keepalives: 3 4
Route Refresh: 0 0
Total: 8 6
Default minimum time between advertisement runs is 0 seconds
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 7 n/a
Bestpath from iBGP peer: 2 n/a
Total: 9 0
Number of NLRIs in the update sent: max 4, min 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 4 1
Keepalives: 4 4
Route Refresh: 0 0
Total: 9 6
Default minimum time between advertisement runs is 0 seconds
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 7 n/a
Bestpath from iBGP peer: 2 n/a
Total: 9 0
Number of NLRIs in the update sent: max 4, min 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 3 2
Keepalives: 4 5
Route Refresh: 0 0
Total: 8 8
Default minimum time between advertisement runs is 30 seconds
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 3 n/a
Total: 3 0
Number of NLRIs in the update sent: max 9, min 0
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 4 1
Keepalives: 4 5
Route Refresh: 0 0
Total: 9 7
Default minimum time between advertisement runs is 0 seconds
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Bestpath from this peer: 7 n/a
Bestpath from iBGP peer: 2 n/a
Total: 9 0
Number of NLRIs in the update sent: max 4, min 0
ASA1# sh bgp
BGP Authentication
ASA1
ASA1(config-router-af)# neighbor 192.168.1.1 next-hop-self
ASA1(config-router-af)# neighbor 192.168.2.1 next-hop-self
ASA1(config-router-af)# neighbor 192.168.3.1 next-hop-self
ASA1(config-router-af)# neighbor 192.168.4.1 next-hop-self
R1
R1#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.1.2, 00:00:04
B 192.168.4.0/24 [200/0] via 192.168.1.2, 00:04:48
B 192.168.35.0/24 [200/0] via 192.168.1.2, 00:00:04
B 192.168.103.0/24 [200/0] via 192.168.1.2, 00:00:04
B 192.168.2.0/24 [200/0] via 192.168.1.2, 00:04:48
B 192.168.3.0/24 [200/0] via 192.168.1.2, 00:04:48
R2
R2#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.2.2, 00:00:09
B 192.168.4.0/24 [200/0] via 192.168.2.2, 00:12:39
B 192.168.35.0/24 [200/0] via 192.168.2.2, 00:00:08
B 192.168.1.0/24 [200/0] via 192.168.2.2, 00:12:39
B 192.168.103.0/24 [200/0] via 192.168.2.2, 00:00:08
B 192.168.3.0/24 [200/0] via 192.168.2.2, 00:12:39
R4
R4#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.35.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.1.0/24 [200/0] via 192.168.4.2, 00:12:43
B 192.168.103.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.2.0/24 [200/0] via 192.168.4.2, 00:12:43
B 192.168.3.0/24 [200/0] via 192.168.4.2, 00:12:43
R3
R3#sh ip route bgp
B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:22:24
B 192.10.4.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.5.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.6.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.1.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.2.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.3.0/24 [20/0] via 192.168.3.2, 00:00:47
R5#ping 192.168.3.2
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 6 5
Keepalives: 2 3
Route Refresh: 0 0
Total: 9 9
Default minimum time between advertisement runs is 30 seconds
Total: 10 9
Default minimum time between advertisement runs is 30 seconds
ASA1# sh route
Note:-
BGP is out of the scope of this book; this book is specially designed for the ASA.
If you want to know which commands are working or available, please have a look below.
.........Thanks....
Chapter 29
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.101.1
interface l1
ip add 1.1.1.1 255.255.255.0
R2
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.102.1
int l1
ip add 2.2.2.2 255.255.255.0
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
context c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
!
context c2
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
!
changeto context c1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
changeto context c2
interface gigabitEthernet 0/2
no shu
nameif inside
ip add 192.168.102.1
interface gigabitEthernet 0/3
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
route outside 0 0 102.1.1.1
ASA1/c2(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1/c2(config)# ping 101.1.1.100
changeto context c1
router ei 100
no au
net 192.168.101.0
redistribute static metric 1 1 1 1 1
R1
router ei 100
no auto-summary
net 0.0.0.0
Routing Table: c1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
D 1.1.1.0 255.255.255.0
[90/130816] via 192.168.101.100, 00:00:48, inside
R2(config-if)#int f0/0
R2(config-if)#ip ospf 100 area 0
R2(config-if)#int lo1
R2(config-if)#ip ospf 100 area 0
Routing Table: c2
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
O 2.2.2.2 255.255.255.255
[110/11] via 192.168.102.100, 00:00:38, inside
Chapter 30
Diagram:-
Initial-config
R1
ASA1
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
!
class c1-class
limit-resource VPN Other 125
!
class c2-class
limit-resource VPN Other 125
!
!
context c1
member c1-class
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
!
context c2
member c2-class
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
!
ASA1(config-ctx)# changeto context c1
ASA1/c1(config)#
changeto context c1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface gigabitEthernet 0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Chapter 31
Clustering
Clustering
Clustering Terminology
Configuration Replication
ASA Cluster Management
ASA Features and Clustering
Centralized Features
Performance Throughput
Clustering
Clustering lets us group multiple ASAs together as a single logical device.
Note:-
ASA OS version 9.2 supports 16 members in a cluster. The ASA 5585-X now supports 16-unit
clusters, and 32 active links in a spanned EtherChannel for clustering.
Clustering Terminology
Master Unit
Slave Unit
New Connection Ownership
ASA Cluster Interfaces & Modes
Cluster Control Link
High Availability within the ASA Cluster
Data Path Connection State Replication
Master Unit
1. The first device on which you configure clustering becomes the master unit.
2. You must perform all configuration on the master unit only; the configuration is then
replicated to the slave units.
3. Bootstrap is configured on all masters & slaves.
1. When you enable clustering for a unit it broadcasts an election request every 3 seconds.
2. If after 45 seconds, a unit does not receive a response from another unit with a higher
priority, then it becomes master.
3. Note: if multiple units tie for the highest priority, the cluster unit name, and then the serial
number, is used to determine the master.
4. If a unit later joins the cluster with a higher priority, it does not automatically become the
master unit; the existing master unit always remains as the master unless it stops
responding, at which point a new master unit is elected.
Note: - You can manually force a unit to become the master. For centralized features, if you force a
master unit change, then all connections are dropped, and you have to re-establish the connections
on the new master unit.
Slave Unit
When we enable clustering on other devices, they join the cluster as slaves, or we can configure
Spanned EtherChannel
Interfaces on multiple members of the cluster are grouped into a single EtherChannel.
Each unit must dedicate at least one hardware interface as the cluster control link. Cluster control
link traffic includes both control and data traffic.
Each cluster control link has an IP address on the same subnet. This subnet should be isolated from
all other traffic.
The master unit monitors every slave unit by sending keepalive messages over the cluster
control link periodically (the period is configurable).
Each slave unit monitors the master unit using the same mechanism.
Interface monitoring
Each unit monitors the link status of all hardware interfaces in use, and reports status changes to the
master unit.
Spanned EtherChannel: uses cluster Link Aggregation Control Protocol (cLACP). Each unit
monitors the link status and the cLACP protocol messages to determine if the port is still
active in the EtherChannel. The status is reported to the master unit.
Individual interfaces (Routed mode only): each unit self-monitors its interfaces and reports
interface status to the master unit.
When health monitoring is enabled, a unit is removed from the cluster if it fails or if its interfaces
fail.
When a unit in the cluster fails, the connections hosted by that unit are seamlessly transferred to
other units; state information for traffic flows is shared over the cluster control link.
If the master unit fails, then another member of the cluster with the highest priority (lowest
number) becomes the master.
Configuration Replication
All units in the cluster share a single configuration, except for the initial bootstrap configuration.
Connection Roles
There are 3 different ASA roles defined for each connection:
Owner: The unit that initially receives the connection. The owner maintains the TCP state
and processes packets. A connection has only one owner.
Director: The unit that handles owner lookup requests from forwarders and also maintains
the connection state to serve as a backup if the owner fails. When the owner receives a new
connection, it chooses a director based on a hash of the source/destination IP address and
TCP ports, and sends a message to the director to register the new connection. If packets
arrive at any unit other than the owner, the unit queries the director about which unit is the
owner so it can forward the packets. A connection has only one director.
Forwarder: A unit that forwards packets to the owner. If a forwarder receives a packet for a
connection it does not own, it queries the director for the owner, and then establishes a
flow to the owner for any other packets it receives for this connection. The director can also
be a forwarder. Note that if a forwarder receives the SYN-ACK packet, it can derive the
owner directly from a SYN cookie in the packet, so it does not need to query the director (if
you disable TCP sequence randomization, the SYN cookie is not used; a query to the director
is required). For short-lived flows such as DNS and ICMP, instead of querying, the forwarder
immediately sends the packet to the director, which then sends them to the owner. A
connection can have multiple forwarders; the most efficient throughput is achieved by a
good load-balancing method where there are no forwarders and all packets of a connection
are received by the owner.
1. The SYN packet originates from the client and is delivered to an ASA (based on the load
balancing method), which becomes the owner. The owner creates a flow, encodes owner
information into a SYN cookie, and forwards the packet to the server.
2. The SYN-ACK packet originates from the server and is delivered to a different ASA (based on
the load balancing method). This ASA is the forwarder.
3. Because the forwarder does not own the connection, it decodes owner information from the
SYN cookie, creates a forwarding flow to the owner, and forwards the SYN-ACK to the
owner.
4. The owner sends a state update to the director, and forwards the SYN-ACK to the client.
5. The director receives the state update from the owner, creates a flow to the owner, and
records the TCP state information as well as the owner. The director acts as the backup
owner for the connection.
6. Any subsequent packets delivered to the forwarder will be forwarded to the owner.
7. If packets are delivered to any additional units, it will query the director for the owner and
establish a flow.
8. Any state change for the flow results in a state update from the owner to the director.
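As an added example (not ASA code), the following Python models the owner, director and forwarder roles from the eight steps above on a constructed three-unit cluster, including the case where a unit receives a packet for a flow nobody knows. The director hash (SHA-256 mod N), the SYN cookie encoding, the packet dictionaries and the unit names are assumptions made for illustration.

```python
"""Constructed model (not ASA code) of the owner / director / forwarder roles
in the eight steps above. The unit that receives the SYN owns the flow, the
director is picked by hashing source/destination IP and TCP ports, a unit that
receives the SYN-ACK recovers the owner from the SYN cookie, and any other unit
asks the director. Hash, cookie encoding and packet format are assumptions."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Unit:
    name: str
    owned: dict = field(default_factory=dict)   # flow key -> last TCP flag seen (owner role)
    backup: dict = field(default_factory=dict)  # flow key -> (owner, state)  (director role)
    fwd: dict = field(default_factory=dict)     # flow key -> owner name       (forwarder role)
    director_queries: int = 0


class Cluster:
    def __init__(self, names):
        self.order = list(names)
        self.units = {n: Unit(n) for n in names}

    @staticmethod
    def flow_key(pkt):
        # direction-independent key so SYN and SYN-ACK map to the same connection
        ends = [(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]
        return tuple(sorted(ends))

    def director_for(self, key):
        # assumption: SHA-256 of the src/dst IP and port tuple, modulo cluster size
        digest = hashlib.sha256(repr(key).encode()).digest()
        return self.order[int.from_bytes(digest[:4], "big") % len(self.order)]

    def _owner_process(self, owner, key, flags):
        # steps 4, 5 and 8: the owner keeps the TCP state and pushes every
        # change to the director, which acts as backup owner
        self.units[owner].owned[key] = flags
        self.units[self.director_for(key)].backup[key] = (owner, flags)
        return owner

    def deliver(self, unit_name, pkt):
        """pkt arrives at unit_name (chosen by the external load balancer).
        Returns the owner that finally processes it, or None when no unit
        knows the connection and the packet is dropped."""
        unit = self.units[unit_name]
        key = self.flow_key(pkt)
        if key in unit.owned:                          # owner: process directly
            return self._owner_process(unit.name, key, pkt["flags"])
        if pkt["flags"] == "SYN":                      # step 1: first unit becomes owner
            pkt["cookie"] = self.order.index(unit.name)   # owner encoded in SYN cookie
            return self._owner_process(unit.name, key, "SYN")
        if key in unit.fwd:                            # step 6: forwarding flow exists
            owner = unit.fwd[key]
        elif pkt["flags"] == "SYN-ACK" and "cookie" in pkt:
            owner = self.order[pkt["cookie"]]          # steps 2-3: owner from SYN cookie
        else:                                          # step 7: ask the director
            unit.director_queries += 1
            entry = self.units[self.director_for(key)].backup.get(key)
            if entry is None:
                return None
            owner = entry[0]
        unit.fwd[key] = owner
        return self._owner_process(owner, key, pkt["flags"])


if __name__ == "__main__":
    cluster = Cluster(["A", "B", "C"])
    syn = {"src": "192.168.101.100", "sport": 40000,
           "dst": "192.168.102.100", "dport": 80, "flags": "SYN"}
    print("SYN handled by", cluster.deliver("A", syn))
    synack = {"src": "192.168.102.100", "sport": 80,
              "dst": "192.168.101.100", "dport": 40000,
              "flags": "SYN-ACK", "cookie": syn["cookie"]}
    print("SYN-ACK at B forwarded to", cluster.deliver("B", synack),
          "director queries:", cluster.units["B"].director_queries)
```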
These features cannot be configured with clustering enabled, and the commands will be rejected.
Unified Communications
Remote access VPN (SSL VPN and IPsec VPN)
The following application inspections:
CTIQBE
GTP
H323, H225, and RAS
IPsec passthrough
MGCP
MMP
RTSP
SIP
SCCP (Skinny)
WAAS
WCCP
Centralized Features
The following features are only supported on the master unit, and are not scaled for the cluster. For
example, you have a cluster of eight units (5585-X with SSP-60). The Other VPN license allows a
maximum of 10,000 IPsec tunnels for one ASA 5585-X with SSP-60. For the entire cluster of eight
units, you can only use 10,000 tunnels; the feature does not scale. For centralized features, if the
master unit fails, all connections are dropped, and you have to re-establish the connections on the
new master unit.
Site-to-site VPN
The following application inspections:
DCERPC
NetBios
PPTP
RADIUS
RSH
SUNRPC
TFTP
XDMCP
Dynamic routing (spanned EtherChannel mode only)
Multicast routing (individual interface mode only)
Static route monitoring
IGMP multicast control plane protocol processing (data plane forwarding is distributed
across the cluster)
PIM multicast control plane protocol processing (data plane forwarding is distributed across
the cluster)
Authentication and Authorization for network access. Accounting is decentralized.
Filtering Services
When you place the cluster in your network, the upstream and downstream routers need to be able
to load-balance the data coming to and from the cluster, using one of the following methods:
The upstream and downstream routers perform load balancing between units using route maps and
ACLs.
Performance Throughput
70% of the combined throughput
60% of maximum connections
50% of connections per second
For example, for throughput, the ASA 5585-X with SSP-40 can handle approximately 10 Gbps of
real-world firewall traffic when running alone.
For a cluster of 8 units (8 units x 10 Gbps = 80 Gbps combined), expect approximately 70% of 80 Gbps: 56
Gbps.
For a cluster of 16 units (16 x 10 Gbps = 160 Gbps combined), expect approximately 70% of 160 Gbps: 112 Gbps.
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/1
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
interface GigabitEthernet0/0
no sh
!
cluster group shiva
local-unit A
cluster-interface GigabitEthernet0/0 ip 192.168.1.1 255.255.255.0
priority 1
key shiva
enable noconfirm
!
cluster group shiva
local-unit B
cluster-interface GigabitEthernet0/0 ip 192.168.1.2 255.255.255.0
priority 20
key shiva
enable as-slave
Master Configuration
! MASTER
interface gigabitEthernet 0/1
no shutdown
channel-group 1 mode active
interface gigabitEthernet 0/3
no shutdown
channel-group 2 mode active
interface Port-channel1
port-channel span-cluster
mac-address aaaa.bbbb.cccc
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Port-channel2
port-channel span-cluster
mac-address aaaa.dddd.cccc
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
ASA1/A(config)# sh cluster info
Cluster shiva: On
Interface mode: spanned
This is "A" in state MASTER
ID :0
Version : 9.2(2)4
Serial No.: FCH16407FXZ
CCL IP : 192.168.1.1
CCL MAC : 6c20.56bd.ea87
Last join : 16:14:25 UTC Oct 10 2014
Last leave: N/A
Other members in the cluster:
Unit "B" in state SLAVE
ID :1
Version : 9.2(2)4
Serial No.: FCH16407G0X
CCL IP : 192.168.1.2
CCL MAC : 6c20.56bd.df21
Last join : 16:20:50 UTC Oct 10 2014
Last leave: 16:17:39 UTC Oct 10 2014
A(LOCAL):*************************************************************
8 in use, 10 most used, stub connection 0 in used, 0 most used
B:********************************************************************
8 in use, 10 most used, stub connection 0 in used, 1 most used
B(LOCAL):*************************************************************
8 in use, 10 most used, stub connection 0 in used, 1 most used
A:********************************************************************
9 in use, 10 most used, stub connection 0 in used, 0 most used
A(LOCAL):*************************************************************
11 in use, 11 most used, stub connection 0 in used, 0 most used
B:********************************************************************
13 in use, 13 most used, stub connection 0 in used, 1 most used
B(LOCAL):*************************************************************
13 in use, 13 most used, stub connection 0 in used, 1 most used
A:********************************************************************
11 in use, 11 most used, stub connection 0 in used, 0 most used
SW1
SW1#sh running-config
Building configuration...
no aaa new-model
switch 1 provision ws-c3750-24p
system mtu routing 1500
no ip domain-lookup
!
!
!
!
crypto pki trustpoint TP-self-signed-3398030592
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3398030592
revocation-check none
rsakeypair TP-self-signed-3398030592
!
!
crypto pki certificate chain TP-self-signed-3398030592
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333938 30333035 3932301E 170D3933 30333031 30303031
34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33393830
33303539 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B71A 93D8E49D C81AF71A 6691EA05 DEC986D2 BB34BFC9 94C85C14 F5FD5663
401DBF29 94356037 D453D201 9A7D5346 717D2C40 9FBC2F07 172590EF A9D508C1
33EE703E 0197FC1F D8F23810 A54A1D61 D88D8761 246C8E27 1290964B F46CB991
9BF2270A 05EB0159 C1815D12 4BB98EE4 A708FB5C A3728098 20D7E002 9846919A
767B0203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
551D1104 08300682 04535731 2E301F06 03551D23 04183016 8014A77A 6EE8D5A3
2F3CC9BA DA830E8F A8567A87 BD4B301D 0603551D 0E041604 14A77A6E E8D5A32F
3CC9BADA 830E8FA8 567A87BD 4B300D06 092A8648 86F70D01 01040500 03818100
8CBB655C 8805B6AA B6C6E88A 0F97321C 9386F7D1 D6FC8E56 AC95263D 4A3C353E
4E3BF867 CB3ACCBF 4746DBCA 9997C688 52EE83C0 3EFBED29 EE46D396 186A01B7
3BF59B1A 37E690C9 1162867E EBAB3A32 8AA8DB26 2759EB33 9601F7A5 40285F02
8DA8A86B 8BECB5F0 4782C36F D0CCADD6 BD15EB13 B4C0E5A4 B28DB1A4 E96E2CCF
quit
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface Port-channel1
switchport access vlan 101
switchport mode access
!
interface FastEthernet1/0/1
switchport access vlan 101
switchport mode access
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
switchport mode access
!
interface FastEthernet1/0/11
switchport access vlan 101
switchport mode access
channel-group 1 mode active
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
switchport mode access
!
interface FastEthernet1/0/14
switchport access vlan 101
switchport mode access
channel-group 1 mode active
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
ip address dhcp
!
ip classless
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
!
end
SW1#
SW2
SW2#sh ru
SW2#sh running-config
Building configuration...
no aaa new-model
ip subnet-zero
no ip domain-lookup
!
!
!
crypto pki trustpoint TP-self-signed-1187955840
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1187955840
revocation-check none
rsakeypair TP-self-signed-1187955840
!
!
crypto pki certificate chain TP-self-signed-1187955840
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313837 39353538 3430301E 170D3933 30333031 30303031
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31383739
35353834 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B68A 8F1A0987 7DE1BEE3 8A770370 2889D0D7 38086A59 6C976F82 04FAEB9C
59CEA030 70552551 CEFCD186 FA411F3B 6674363A 0BB0EFAA 030F4619 47F3CC18
D5889167 A42B3D0B 5EEF8076 49A7B1F3 7BDDCC2B EDE3FC20 4306AF7C 5E4B9E6B
0BB6C927 10C5D9BF 9940AA46 96C91F35 DED5E9B5 BE5A031D D910D861 1AC0569F
58830203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
551D1104 08300682 04535732 2E301F06 03551D23 04183016 80143605 878C31DB
DC5A5428 7B800116 62CFD3DB 80AC301D 0603551D 0E041604 14360587 8C31DBDC
5A54287B 80011662 CFD3DB80 AC300D06 092A8648 86F70D01 01040500 03818100
3CC0DD50 37CBC9C8 42B37386 79FEFA3C 02F53B4C 23DA6BEE 5E1ED166 17F5414F
48DF65EE F1AF7509 63DE1E42 3899E5F3 133B11AC BBEB2210 99197D5C 89391410
1AA41D6A CA850B39 AB5CC299 17F17F02 1002E315 ECEC95D1 00900B2E 357D040B
A4F6A1B2 EB0A839B 381C611B 7F63BE09 31C31232 DCCB3C83 6F6F0A5D 110BAB80
quit
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Port-channel2
switchport access vlan 102
switchport mode access
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
interface FastEthernet0/2
switchport access vlan 102
switchport mode access
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport access vlan 102
switchport mode access
channel-group 2 mode active
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
switchport access vlan 102
switchport mode access
channel-group 2 mode active
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
!
end
SW2#
ASA1/Master
ASA1(config)# sh running-config
: Saved
:
: Serial Number: FCH16407FXZ
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(2)4
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
description Clustering Interface
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Port-channel1
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.bbbb.cccc
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Port-channel2
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.dddd.cccc
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
!
ftp mode passive
access-list out extended permit icmp any any
cluster group shiva
key *****
local-unit A
cluster-interface GigabitEthernet0/0 ip 192.168.1.1 255.255.255.0
priority 10
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
pager lines 24
mtu inside 1500
mtu outside 1500
mtu cluster 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group out in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:49b89413b0c2641169352402952806c1
: end
ASA1(config)#
ASA2/Slave
ASA1(cfg-cluster)# sh running-config
: Saved
:
: Serial Number: FCH16407G0X
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(2)4
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
description Clustering Interface
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Port-channel1
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.bbbb.cccc
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Port-channel2
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.dddd.cccc
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
!
ftp mode passive
access-list out extended permit icmp any any
cluster group shiva
key *****
local-unit B
cluster-interface GigabitEthernet0/0 ip 192.168.1.2 255.255.255.0
priority 20
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
pager lines 24
mtu inside 1500
mtu outside 1500
mtu cluster 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group out in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5bfa37f9cceb992fef77e50f46518ca1
: end
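Apart from the per-unit lines under cluster group (local-unit, cluster-interface address, priority) and the checksum, the master and slave running-configs above are expected to be identical, because the cluster replicates the configuration from the master. The following script is an added example (not code from the book or from Cisco) that compares two saved copies of member configs and lists every line present on only one side. The two samples are constructed, condensed from the listings above, with the access-list and access-group lines deliberately dropped from the second copy so that the check has something to report.

```python
"""Report configuration drift between two ASA cluster members.

Added example, not code from the book or from Cisco. It strips the settings
that legitimately differ per unit and lists every remaining line that is
present on only one member.
"""
import re

# Lines expected to differ between members of one cluster: the per-unit
# settings under 'cluster group' and the config checksum. Banner lines that
# start with ':' (Saved, Serial Number, end) are skipped as well.
PER_UNIT_RE = re.compile(r"^(local-unit |cluster-interface |priority \d|Cryptochecksum:)")


def normalize(config_text):
    """Return the set of meaningful config lines with per-unit lines removed."""
    lines = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!" or line.startswith(":"):
            continue
        if PER_UNIT_RE.match(line):
            continue
        lines.add(line)
    return lines


def config_drift(config_a, config_b):
    """Return the lines unique to each side; both lists empty means no drift."""
    a, b = normalize(config_a), normalize(config_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


# Constructed samples, condensed from the master and slave listings above;
# the access-list and access-group lines are deliberately missing from B.
MASTER_A = """\
: Serial Number: FCH16407FXZ
ASA Version 9.2(2)4
hostname ASA1
access-list out extended permit icmp any any
cluster group shiva
 key *****
 local-unit A
 cluster-interface GigabitEthernet0/0 ip 192.168.1.1 255.255.255.0
 priority 10
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable
access-group out in interface outside
ssh key-exchange group dh-group1-sha1
Cryptochecksum:49b89413b0c2641169352402952806c1
"""

SLAVE_B = """\
: Serial Number: FCH16407G0X
ASA Version 9.2(2)4
hostname ASA1
cluster group shiva
 key *****
 local-unit B
 cluster-interface GigabitEthernet0/0 ip 192.168.1.2 255.255.255.0
 priority 20
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable
ssh key-exchange group dh-group1-sha1
Cryptochecksum:5bfa37f9cceb992fef77e50f46518ca1
"""

if __name__ == "__main__":
    print(config_drift(MASTER_A, SLAVE_B))
```

The comparison is set-based: it reports which lines differ, not where they sit, which is enough to spot a missing access rule or a changed ssh setting between two members. A positional diff (difflib in the standard library) is the next step when the order of lines matters.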
Chapter 32
Management of ASA
ASA as DHCP
ASA as DHCP Relay Agent
Disable Fragmentation on ASA
Enabling uRPF on ASA
Ether-channel
Redundant Interface
Diagram:-
Initial-config
R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface fastEthernet 0/0
no shutdown
no ip address
R3
interface fastEthernet 0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int l1
ip add 102.1.1.1 255.255.255.0
no shutdown
R4
interface fastEthernet 0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.20.1
SW1
ip routing
int vlan 1
ip add 192.168.101.1 255.255.255.0
no shutdown
exit
interface range fastEthernet 1/0/10 - 11
no switchport
channel-group 1 mode active
interface Port-channel 1
ip add 192.168.1.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
ASA1
interface GigabitEthernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/3
member-interface GigabitEthernet0/4
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
interface Port-channel1
lacp max-bundle 8
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
ASA1
nat (inside,outside) source dynamic any interface
access-list out permit icmp any 192.168.1.0 255.255.255.0
access-list out permit icmp any 192.168.101.0 255.255.255.0
access-group out in interface outside
R1#ping 101.1.1.1
R1
R1(config)#interface lo1
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#^Z
ASA1(config)# sh xlate
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:02:49 timeout 0:00:00
ICMP PAT from inside:1.1.1.1/6 to outside:101.1.1.100/6 flags ri idle 0:00:02 timeout 0:00:3
ASA1# sh xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:04:15 timeout 0:00:00
ASA AS DHCP
ASA1(config)# dhcpd address 192.168.10.100-192.168.10.254 dmz1
ASA1(config)# dhcpd enable dmz1
ASA1(config)# dhcpd option 3 ip 192.168.10.1
R2
int f0/0
no shutdown
ip add dhcp
R2#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.100 YES DHCP up up
FastEthernet0/1 unassigned YES NVRAM up up
R2#sh ip ro
R2#sh ip route st
R4
R4(config)#ip dhcp pool dmz1
R4(dhcp-config)#network 192.168.10.0
R4(dhcp-config)#default-router 192.168.10.1
R4(dhcp-config)#ex
R4(config)#ip dhcp excluded-address 192.168.10.1
ASA1
ASA1(config)# dhcprelay server 192.168.20.100 dmz2
ASA1(config)# dhcprelay enable dmz1
Chapter 33
Active-Standby IPv6 FO
Active-Standby FO
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface FastEthernet0/0
ipv6 address 192:168:10::100/48
ipv6 route ::/0 192:168:10::1
!
R2
ipv6 unicast-routing
interface FastEthernet0/0
R3
interface FastEthernet0/0
ipv6 address 101:1:1::1/48
ASA1
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:10::1/48 standby 192:168:10::2
!
interface GigabitEthernet0/1
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48 standby 101:1:1::101
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
no ip address
ipv6 address 192:168:20::1/48 standby 192:168:20::2
!
ipv6 route outside ::/0 101:1:1::1
ASA1
nat (inside,outside) source static inside inside destination static s2s s2s
nat (inside,outside) source static R1 interface ipv6 service telnet telnet
nat (inside,outside) source dynamic any interface ipv6
R3#telnet 101:1:1::100
Trying 101:1:1::100 ... Open
R1>
ASA1
failover
failover lan unit primary
failover lan interface shiva GigabitEthernet0/3
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key shiva
failover replication http
failover mac address GigabitEthernet0/0 0000.0c07.ac01 0000.0c07.ac02
failover mac address GigabitEthernet0/2 0000.0c07.ac03 0000.0c07.ac04
ASA2
failover
failover lan unit secondary
failover lan interface shiva GigabitEthernet0/3
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key shiva
failover replication http
failover mac address GigabitEthernet0/0 0000.0c07.ac01 0000.0c07.ac02
failover mac address GigabitEthernet0/2 0000.0c07.ac03 0000.0c07.ac04
failover mac address GigabitEthernet0/1 0000.0c07.ac05 0000.0c07.ac06
failover link shiva GigabitEthernet0/3
failover interface ip shiva 192:168:111::1/48 standby 192:168:111::2
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 11:55:35 UTC Oct 9 2014
This host: Primary - Active
Active time: 160 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 577 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac02): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac06): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac04): Normal (Monitored)
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 10 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 06:30:14 UTC Oct 9 2014
This host: Secondary - Standby Ready
Active time: 577 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac02): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac06): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac04): Normal (Monitored)
Other host: Primary - Active
Active time: 122 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Monitored)
ASA1
ASA1(config)# reload
System config has been modified. Save? [Y]es/[N]o: y
Cryptochecksum: e120f795 a8075185 3bbb3555 55f80897
ASA2
ASA1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 06:37:03 UTC Oct 9 2014
This host: Secondary - Active
Active time: 17 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Waiting)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Waiting)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Waiting)
Other host: Primary - Failed
Active time: 408 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)
Interface inside (0.0.0.0): Unknown (Monitored)
Interface outside (0.0.0.0): Unknown (Monitored)
Interface dmz (0.0.0.0): Unknown (Monitored)
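The two show failover listings above, before and after the reload of the primary, are the kind of output an operator polls to know whether the pair is healthy. The following script is an added example (not code from the book or from Cisco) that parses that output and returns a list of findings: failover off, failover link not up, a version mismatch between the units, a host in the Failed state, an interface whose status is not Normal, or a pair with no Active unit. The two samples are constructed, condensed from the listings above.

```python
"""Parse Cisco ASA 'show failover' (Active/Standby) output and flag a degraded pair.

Added example, not code from the book or from Cisco. Given the text of
'show failover' it reports what an operator should act on: failover off,
failover link not up, a version mismatch, a Failed host, an interface
whose status is not Normal, and a pair with no Active unit.
"""
import re

UNIT_RE = re.compile(r"^Failover unit (\S+)$")
LINK_RE = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST_RE = re.compile(r"^(This|Other) host: (Primary|Secondary) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \((.*?)\): (\S+) \((\S+)\)$")


def parse_show_failover(text):
    """Return a dict with unit role, link state, versions and per-host details."""
    result = {"failover_on": False, "unit": None, "link_up": None,
              "versions": None, "hosts": {}}
    current = None  # "this" or "other": the host block being read
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            result["failover_on"] = True
        elif m := UNIT_RE.match(line):
            result["unit"] = m.group(1)
        elif m := LINK_RE.match(line):
            result["link_up"] = m.group(3).lower() == "up"
        elif m := VERSION_RE.match(line):
            result["versions"] = (m.group(1), m.group(2))
        elif m := HOST_RE.match(line):
            current = m.group(1).lower()
            result["hosts"][current] = {"role": m.group(2), "state": m.group(3).strip(),
                                        "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            # group(3) is the status (Normal/Unknown/Failed ...),
            # group(4) the monitoring state (Monitored/Waiting ...)
            result["hosts"][current]["interfaces"][m.group(1)] = (m.group(3), m.group(4))
    return result


def failover_findings(parsed):
    """Return a list of problems; an empty list means the pair looks healthy."""
    findings = []
    if not parsed["failover_on"]:
        findings.append("failover is not enabled")
    if parsed["link_up"] is False:
        findings.append("failover LAN link is not up")
    if parsed["versions"] and parsed["versions"][0] != parsed["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % parsed["versions"])
    for who, host in parsed["hosts"].items():
        if "Failed" in host["state"] or "Unknown" in host["state"]:
            findings.append("%s host (%s) is %s" % (who, host["role"], host["state"]))
        for name, (status, monitoring) in host["interfaces"].items():
            if status != "Normal":
                findings.append("%s host interface %s: %s (%s)" % (who, name, status, monitoring))
    if parsed["hosts"] and not any(h["state"] == "Active" for h in parsed["hosts"].values()):
        findings.append("no Active unit in the pair")
    return findings


# Constructed samples, condensed from the two 'show failover' listings above.
HEALTHY_SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Version: Ours 9.2(2)4, Mate 9.2(2)4
This host: Primary - Active
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac02): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac06): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac04): Normal (Monitored)
"""

DEGRADED_SAMPLE = """\
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Version: Ours 9.2(2)4, Mate 9.2(2)4
This host: Secondary - Active
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Waiting)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Waiting)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Waiting)
Other host: Primary - Failed
Interface inside (0.0.0.0): Unknown (Monitored)
Interface outside (0.0.0.0): Unknown (Monitored)
Interface dmz (0.0.0.0): Unknown (Monitored)
"""
```

On the healthy sample the findings list is empty; on the sample taken after the reload it reports the Failed primary and its three Unknown interfaces, while the secondary's own interfaces, Normal but still Waiting for the peer, are not flagged. Run against output collected over SSH on a schedule, a non-empty list is the alert condition.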
Chapter 34
Active-Active IPv6 FO
Active-Active IPv6 FO
Diagram:-
Initial-config
R1
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:101::100/48
no sh
ipv6 route ::/0 192:168:101::1
R2
ipv6 unicast-routing
interface fastEthernet 0/0
no shutdown
ipv6 add 192:168:102::100/48
no shutdown
ipv6 route ::/0 192:168:102::1
R3
ipv6 unicast-routing
int fastEthernet 0/0
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
int f0/1
no shutdown
ipv6 add 102:1:1::1/48
no shutdown
ASA1
ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
ASA2
ASA2(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
ASA1
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitEthernet 0/1
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitEthernet 0/2
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitEthernet 0/3
ASA1(config-if)# no shutdown
class c1
limit-resource Conns 50.0%
limit-resource Xlates 65000
limit-resource VPN Other 125
!
class c2
limit-resource Conns 50.0%
limit-resource Xlates 65000
limit-resource VPN Other 125
!
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
member c1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
member c2
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/c2.cfg
join-failover-group 2
!
failover group 1
preempt
failover group 2
secondary
preempt
!
!
failover
failover lan unit primary
failover lan interface shiva GigabitEthernet0/4
failover interface ip shiva 192:168:111::1/48 standby 192:168:111::2
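In the system configuration above, each context is tied to a failover group and each group names the unit it prefers to be active on, which is what makes the pair Active/Active: c1 (group 1) runs on the primary and c2 (group 2, marked secondary) runs on the secondary. The following script is an added example (not code from the book or from Cisco) that parses a system execution space config and prints, per context, its group, the unit that will be active for it and whether preempt is set. It applies the ASA defaults that a context without join-failover-group is in group 1 and that a group without the secondary keyword prefers the primary unit. The sample is constructed from the listing above.

```python
"""Show which unit is active for each context in an ASA Active/Active system config.

Added example, not code from the book or from Cisco. It parses the system
execution space config (context and failover group blocks) and applies the
ASA defaults: a context without join-failover-group belongs to group 1, and
a group without the 'secondary' keyword prefers the primary unit. Sub-commands
are matched by keyword, so the un-indented listings in this book parse too.
"""
import re

CONTEXT_RE = re.compile(r"^context (\S+)$")
GROUP_RE = re.compile(r"^failover group ([12])$")
# Other top-level commands that end a context / failover group block
BLOCK_END = ("class ", "admin-context ", "failover", "interface ", "hostname ")


def parse_system_config(text):
    """Return (contexts, groups) with ASA defaults already applied."""
    contexts = {}
    groups = {1: {"preferred": "primary", "preempt": False},
              2: {"preferred": "primary", "preempt": False}}
    current = None  # ("context", name) or ("group", number)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := CONTEXT_RE.match(line):
            current = ("context", m.group(1))
            contexts[m.group(1)] = {"interfaces": [], "group": 1}
        elif m := GROUP_RE.match(line):
            current = ("group", int(m.group(1)))
        elif line.startswith(BLOCK_END):
            current = None
        elif current and current[0] == "context":
            ctx = contexts[current[1]]
            if line.startswith("allocate-interface "):
                ctx["interfaces"].append(line.split()[1])
            elif line.startswith("join-failover-group "):
                ctx["group"] = int(line.split()[1])
        elif current and current[0] == "group":
            grp = groups[current[1]]
            if line in ("primary", "secondary"):
                grp["preferred"] = line
            elif line.split()[0] == "preempt":
                grp["preempt"] = True
    return contexts, groups


def active_unit_per_context(text):
    """Return {context: (group, unit preferred to be active, preempt)}."""
    contexts, groups = parse_system_config(text)
    summary = {}
    for name, ctx in contexts.items():
        g = ctx["group"]
        if g in groups:
            summary[name] = (g, groups[g]["preferred"], groups[g]["preempt"])
        else:
            summary[name] = (g, "INVALID GROUP", False)  # only groups 1 and 2 exist
    return summary


def shared_interfaces(text):
    """Return interfaces allocated to more than one context (legal on the ASA,
    but each such port then carries traffic for every context listed)."""
    contexts, _ = parse_system_config(text)
    owners = {}
    for name, ctx in contexts.items():
        for iface in ctx["interfaces"]:
            owners.setdefault(iface, []).append(name)
    return {iface: names for iface, names in owners.items() if len(names) > 1}


# Constructed sample, taken from the system configuration listed above.
SYSTEM_CONFIG = """\
admin-context admin
context admin
 config-url disk0:/admin.cfg
context c1
 member c1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/c1.cfg
 join-failover-group 1
context c2
 member c2
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/c2.cfg
 join-failover-group 2
failover group 1
 preempt
failover group 2
 secondary
 preempt
failover
failover lan unit primary
failover lan interface shiva GigabitEthernet0/4
"""

if __name__ == "__main__":
    for name, (group, unit, preempt) in active_unit_per_context(SYSTEM_CONFIG).items():
        print("%-6s group %d active on %-9s preempt=%s" % (name, group, unit, preempt))
```

For the sample this yields admin and c1 in group 1 on the primary and c2 in group 2 on the secondary, all with preempt, which matches the two Group last failover at lines in the show failover output that follows: after a unit recovers, preempt moves its group back to the preferred unit.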
ASA1/c1(config)# sh running-config
: Saved
:
: Hardware: ASA5512
:
ASA Version 9.2(2)4 <context>
!
hostname c1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ipv6 local pool inside 192:168:101::111/48 10
ipv6 local pool outside 101:1:1::111/48 10
!
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
ipv6 address 192:168:101::1/48 cluster-pool inside
!
interface GigabitEthernet0/1
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48 cluster-pool outside
!
access-list out extended permit icmp6 any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface ipv6
access-group out in interface outside
ipv6 route outside ::/0 101:1:1::1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:885c4647c80e89f4ec3a2eaa43731b2f
: end
ASA1/c2(config)# sh running-config
: Saved
:
: Hardware: ASA5512
:
ASA Version 9.2(2)4 <context>
!
hostname c2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d7353dc0e7aca0f5812eb5557e8df3dd
: end
ASA1(config)#
failover
failover lan unit primary
failover lan interface shiva GigabitEthernet0/4
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover replication http
failover link shiva GigabitEthernet0/4
failover interface ip shiva 192:168:111::1/48 standby 192:168:111::2
failover group 1
preempt
failover group 2
secondary
preempt
ASA1/act(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 19:02:41 UTC Oct 11 2014
Group 2 last failover at: 19:02:45 UTC Oct 11 2014
STS Table 0 0 0 0
ASA1/stby(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 19:02:42 UTC Oct 11 2014
Group 2 last failover at: 19:02:44 UTC Oct 11 2014
sys cmd 19 0 19 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 3 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 2 0 4 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
R1
R1#ping 101:1:1::1
R2#ping 101:1:1::100
ASA1/act(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: shiva GigabitEthernet0/4 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Group 1 last failover at: 19:13:41 UTC Oct 11 2014
Group 2 last failover at: 19:02:44 UTC Oct 11 2014
IPv6 ND tbl 2 0 5 2
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 3 0 6 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0