
【CCIE】CCIE Security V5.0 Lab CFG1 Solution

Version: 1.4
Document type: Discussion / Test / Official
Document classification: Open / Internal / Confidential

Revision history
Date        Author    Version  Reviewer  Description
2017-04-10  飞天剑舞  1.0      飞天剑舞  Official release
2017-04-20  飞天剑舞  1.1      飞天剑舞  Refined requirements
2017-05-30  飞天剑舞  1.2      飞天剑舞  Updated topology
2017-06-30  飞天剑舞  1.3      飞天剑舞  1. Updated 1.2 FO subinterfaces and NAT
                                         2. Updated 1.3 cluster configuration
                                         3. Updated 3.3 site_a AS number
                                         4. Updated 3.2 certificate access control list
                                         5. Updated 3.3 GETVPN ACL
                                         6. Updated 4.1 support for remote desktop dial-in
2017-07-16  飞天剑舞  1.4      飞天剑舞  1. Updated 3.4 FLEXVPN overall configuration
                                         2. Updated 4.3 SSH RADIUS configuration
                                         3. Updated 5.1 syslog configuration
                                         4. Updated NTP time zone and authentication configuration
                                         5. Updated NTP configuration
CONTENTS
Task 1.1a : configure ASA1_V and ASA11_V For Active-Standby Failover
Task 1.1b : configure ASA2_V and ASA22_V For Active-Standby Failover
Task 1.2 : configure ASA1 and ASA2 For the Active-Active Failover
Task 1.3 : configure ASA3 and ASA4 for Clustering
Task 1.4 : configure Access Policy On NGIPS
1.1 : Permit EIGRP routing process between R1 and R2.
1.2 : Allow HTTP traffic at port 8080 from 172.16.1.0/24 network to server1 and server2
1.3 : Allow HTTP traffic at port 8080 from 10.1.22.0/24 network to server1 and server2
Task 2.1 : configure WCCP Redirection On R2 For server1 and server2 HTTP traffic originated From client_pc1
Task 2.2 : configure HTTP traffic Access Policy On WSA
Task 2.3 : Install FireAMP connector on candidate PC and configure FireAMP Cloud
Task 3.1 : configure Clientless SSL VPN between ASA2_V and Client_PC2
Task 3.2 : configure Site-To-Site certificate Based VPN between R15 R16 and R17
Task 3.3 : configure VRF-Aware GETVPN between R3 R4 and R5
Task 3.4 : configure FLEXVPN between R9 R10 and R11
Task 3.5 : configure SXP between SW2_P and ASA3
Task 4.1 : configure anyconnect IKEv2 between ASA1_V and client_pc1
Task 4.2 : configure SW2_P Gig1/0/9 To Authentication Dot1x Session From dot1x_pc
Task 4.3 : configure R1 For The SSH Authentication
Task 4.4 : configure SW2_P Gig1/0/9 To authentication And Authorize PC mab_pc And IP Phone
Task 5.1 : configure syslog On R1 and R17
Task 5.2 : configure secure wireless deployment between WLC ISE SW2_P AP And wireless_client
Task 5.3 : configure NTP Between R1 R2 R15 R16 and R17

Task 1.1a: configure ASA1_V and ASA11_V For Active-Standby Failover


Your configuration should meet the following requirements:

ASA1_V

Interface Gi0/0 :
Address Primary-Standby: 20.1.1.1/24-20.1.1.2/24
Name: outside

Interface Gi0/1:
Address Primary-Standby: 10.1.11.1/24-10.1.11.2/24
Name: inside

Interface Management 0/0:
Address primary-standby: 150.1.7.53/24-150.1.7.54/24
Name: mgmt
Security level : 100

Failover :
Unit primary
Lan-link interface: Gi0/2
Primary-standby:10.10.11.1/24-10.10.11.2/24
Name: FO

EIGRP Routing :
Autonomous system : 12
Network:10.1.11.0/24

EIGRP Authentication :
Mode MD5
Key-ID : 1
Password:cisco

ASA11_V

Failover:

Unit secondary
Lan-link interface Gi0/2
Primary-standby : 10.10.11.1/24-10.10.11.2/24
Name : FO

Note:
Make sure that all the interfaces are being monitored for this failover implementation.
Points: 2

Solution

=======================================
ASA1v/ASA11v
ASA1v(config)# show firewall
Firewall mode: Router
ASA1v(config)#
========================================

ASA1v/ASA11v:
interface GigabitEthernet0/2
no shutdown

=========================================
ASA1_V:
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2

ASA11_V:
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2

ASA1v:
Failover
ASA11v:
Failover

========================================
Verify
=====================================================
ASA1v: primary/active
interface GigabitEthernet0/0
no shutdown
nameif outside
security-level 0
ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2

interface GigabitEthernet0/1
no shutdown
nameif inside
security-level 100
ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
authentication key eigrp 12 cisco key-id 1
authentication mode eigrp 12 md5

interface Management0/0
no shutdown
nameif mgmt
security-level 100
ip address 150.1.7.53 255.255.255.0 standby 150.1.7.54

EIGRP:
router eigrp 12
network 10.1.11.0 255.255.255.0
redistribute static metric 1000 100 255 1 1500

================================================
verify

Task 1.1b: configure ASA2_V and ASA22_V For Active-Standby Failover

Your configuration should meet the following requirements:

ASA2_V

Interface Gi0/0:
Address primary-standby :20.1.2.1/24-20.1.2.2/24
Name : outside

interface Gi0/1:
address primary-standby: 10.1.22.1/24-10.1.22.2/24
name : inside

interface management 0/0:
address primary-standby: 150.1.7.55/24-150.1.7.56/24
name : mgmt
security level : 100

failover :
unit primary
lan-link interface :Gi0/2
primary-standby:10.10.22.1/24-10.10.22.2/24
name: FO

EIGRP Routing:
Autonomous system: 12
Network : 10.1.22.0/24

EIGRP authentication:
Mode md5
Key-id: 1
Password : cisco

ASA22_V

failover :
unit secondary
lan-link interface :Gi0/2
primary-standby:10.10.22.1/24-10.10.22.2/24
name: FO

Note:
Make sure that all the interfaces are being monitored for this failover implementation

Points: 2

Solution

=======================================
ASA2v/ASA22v
ASA2v(config)# show firewall
Firewall mode: Router
ASA2v(config)#
========================================

ASA2v/ASA22v:
interface GigabitEthernet0/2
no shutdown

==========================================
ASA2_v:
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.2

ASA22_v:
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.2

ASA2v:
Failover
ASA22v:
Failover

==============================================
Verify
==========================================================
ASA2v:
interface GigabitEthernet0/0
no shutdown
nameif outside
security-level 0
ip address 20.1.2.1 255.255.255.0 standby 20.1.2.2

interface GigabitEthernet0/1
no shutdown
nameif inside
security-level 100
ip address 10.1.22.1 255.255.255.0 standby 10.1.22.2
authentication key eigrp 12 cisco key-id 1
authentication mode eigrp 12 md5

interface Management0/0
no shutdown
nameif mgmt
security-level 100
ip address 150.1.7.55 255.255.255.0 standby 150.1.7.56

EIGRP:
router eigrp 12
network 10.1.22.0 255.255.255.0

======================================================
Verify

Task 1.2 : configure ASA1 and ASA2 For the Active-Active Failover

Your configuration should meet the following requirements:

ASA1-system

Interface Gi0/0.1:
Vlan 2
Interface Gi0/0.2:
Vlan 3

Interface Gi0/1.1:
Vlan 4
Interface Gi0/1.2:
Vlan 5

Interface Gi0/2.1
Vlan 6
Interface Gi0/2.2:
Vlan 7

Failover :

Unit primary
Lan interface Gi0/3
Primary-standby: 10.100.201.1/24-10.100.201.2
Name: LAN

Link interface Gi0/4
Primary-standby : 10.100.202.1/24-10.100.202.2
Name : STATE

Failover Group 1 : primary


Failover Group 2 : Secondary

Contexts:

Name : admin
Allocate interface: management 0/0
URL : admin.cfg

Name: c1
Allocate interface: GigabitEthernet0/0.1 GigabitEthernet0/1.1 GigabitEthernet0/2.1
Labels Respectively : inside_c1 , dmz_c1 , outside_c1
Join failover group : 1
URL: c1.cfg

Name: c2
Allocate interfaces : GigabitEthernet0/0.2 GigabitEthernet0/1.2 GigabitEthernet0/2.2
Labels Respectively : inside_c2 , dmz_c2 , outside_c2
Join failover group : 2
URL: c2.cfg

ASA1-admin

Interface management0/0:
Address primary-standby: 150.1.7.57/24-150.1.7.58
Name: management
Security level : 100

ASA1-c1
Interface inside_c1:
Address primary-standby : 10.100.2.1/24-10.100.2.2
Name : inside

Interface dmz_c1:
Address primary-standby : 10.100.4.1/24-10.100.4.2
Name : dmz
Security level : 50

Interface outside_c1:
Address primary-standby : 10.100.6.1/24-10.100.6.2
Name : outside

Address Translation :
server5 should be accessible from outside using outside interface.
Network object used for the translation should be named server5_c1

Traffic Filtering:
Server5 should be accessible only from 192.168.10.0/24 network for the HTTP traffic at port
80 and ICMP Echo message.
ACL for the traffic filtering should be named server5_c1.
ACL Should be network and host specific.

static routes:
Server5 network accessible via next hop R7
192.168.10.0/24 network accessible via next hop R9

ASA1-c2

Interface inside_c2
Address primary-standby: 10.100.3.1/24-10.100.3.2
Name : inside

Interface dmz_c2
Address primary-standby:10.100.5.1/24-10.100.5.2
Name: dmz
Security level: 50

Interface outside_c2
Address primary-standby : 10.100.7.1/24-10.100.7.2
Name : outside

Address translation :
Server6 should be accessible from outside using outside interface
Network object used for the translation should be named server6_c2

Traffic filtering:
Server6 should be accessible only from 192.168.11.0/24 network for the HTTP at port 80 and
ICMP Echo messages.
ACL For the traffic filtering should be named server6_c2.
ACL should be network and host specific.

Static routes:
Server6 network accessible via next hop R8.
192.168.11.0/24 network accessible via next hop R9.
ASA2-system

Failover :

Unit secondary

Lan interface Gi0/3
Primary-standby:10.100.201.1/24-10.100.201.2
Name : LAN

Link interface : Gi0/4
Primary-standby: 10.100.202.1/24-10.100.202.2
Name : STATE

Note:
Make sure that all the interfaces are being monitored for this failover implementation.

Points : 5

Solution

=======================================================
ASA1/ASA2
ASA1(config)# show mode
Security context mode: multiple
ASA1(config)# show firewall
Firewall mode: Router
ASA1(config)#
---------------------------------------------------------------------
ASA1/ASA2
Mode multiple
Delete *.cfg
no firewall transparent
=======================================================
Interface initial
=======================================================
ASA1:
interface e0
no shutdown
interface e1
no shutdown
interface e2
no shutdown
interface e3
no shutdown
interface e4
no shutdown
interface e5 ---used instead of Management0/0 in the virtual lab
no shutdown

interface Ethernet0.1
vlan 2
!
interface Ethernet0.2
vlan 3
!
interface Ethernet1.1
vlan 4
!
interface Ethernet1.2
vlan 5
!
interface Ethernet2.1
vlan 6
!
interface Ethernet2.2
vlan 7
!

====================================================
Failover
====================================================

ASA1:

admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
config-url disk0:/c2.cfg
join-failover-group 2

failover lan unit primary


failover lan interface LAN Ethernet3
failover link STATE Ethernet4
failover interface ip LAN 10.100.201.1 255.255.255.0 standby 10.100.201.2
failover interface ip STATE 10.100.202.1 255.255.255.0 standby 10.100.202.2
failover group 1
preempt
failover group 2
secondary
preempt

----------------------------------------------------------------------
ASA2:

Interface e3
No shutdown
Exit
Interface e4
No shutdown
failover lan unit secondary
failover lan interface LAN Ethernet3
failover link STATE Ethernet4
failover interface ip LAN 10.100.201.1 255.255.255.0 standby 10.100.201.2
failover interface ip STATE 10.100.202.1 255.255.255.0 standby 10.100.202.2
failover group 1
secondary
preempt
failover group 2
primary
preempt

context c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
config-url disk0:/c2.cfg
join-failover-group 2

ASA1#ping 10.100.201.2
ASA1#ping 10.100.202.2
ASA1(config)# failover
ASA2(config)# failover

=======================================================
Verify
ASA1:

=======================================================
Creat context
========================================================

ASA1
admin-context admin
context admin
allocate-interface Ethernet5
config-url disk0:/admin.cfg
!
context c1
allocate-interface Ethernet0.1 inside_c1
allocate-interface Ethernet1.1 dmz_c1
allocate-interface Ethernet2.1 outside_c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
allocate-interface Ethernet0.2 inside_c2
allocate-interface Ethernet1.2 dmz_c2
allocate-interface Ethernet2.2 outside_c2
config-url disk0:/c2.cfg
join-failover-group 2
!

==================================================
Context c1
===================================================
ASA1-C1:
changeto context c1
interface inside_c1
nameif inside
security-level 100
ip address 10.100.2.1 255.255.255.0 standby 10.100.2.2
interface dmz_c1
nameif dmz
security-level 50
ip address 10.100.4.1 255.255.255.0 standby 10.100.4.2
interface outside_c1
nameif outside
security-level 0
ip address 10.100.6.1 255.255.255.0 standby 10.100.6.2

monitor-interface inside
monitor-interface dmz
monitor-interface outside

---------------------------------------------------------------------------
Verify:

===========================================================
Static Route
===========================================================

ASA1-C1:
route outside 192.168.10.0 255.255.255.0 10.100.6.9
route dmz 192.168.105.7 255.255.255.255 10.100.4.7

===========================================================
NAT
===========================================================
ASA1-C1 NAT:
object network server5_c1
host 192.168.105.7
nat (dmz,outside) static interface

-----------------------------------------------------------------------
Verify: After Task 3.4

=====================================================
Traffic filter
======================================================
R7:
ip http server

ASA1-C1:
access-list server5_c1 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.105.7 eq www
access-list server5_c1 extended permit icmp 192.168.10.0 255.255.255.0 host 192.168.105.7 echo
access-group server5_c1 in interface outside

================================================
Context C2
================================================

ASA1-C2:

changeto context c2
interface inside_c2
nameif inside
security-level 100
ip address 10.100.3.1 255.255.255.0 standby 10.100.3.2
interface dmz_c2
nameif dmz
security-level 50
ip address 10.100.5.1 255.255.255.0 standby 10.100.5.2
interface outside_c2
nameif outside
security-level 0
ip address 10.100.7.1 255.255.255.0 standby 10.100.7.2

monitor-interface inside
monitor-interface dmz
monitor-interface outside

-------------------------------------------------------------------------
Verify :

=======================================================
Static route
======================================================
ASA1-C2:
route outside 192.168.11.0 255.255.255.0 10.100.7.9
route dmz 192.168.106.8 255.255.255.255 10.100.5.8

=======================================================
NAT
========================================================
ASA1-C2:
object network server6_c2
host 192.168.106.8
nat (dmz,outside) static interface

-----------------------------------------------------------------
Verify: After Task 3.4

=====================================================
Traffic filter
=====================================================
R8:
ip http server

ASA1-C2:
access-list server6_c2 extended permit tcp 192.168.11.0 255.255.255.0 host 192.168.106.8 eq www
access-list server6_c2 extended permit icmp 192.168.11.0 255.255.255.0 host 192.168.106.8 echo
access-group server6_c2 in interface outside

=====================================================
Context admin
=====================================================
ASA1-admin:
interface e5 ---used instead of Management0/0 in the virtual lab
management-only
nameif management
security-level 100
ip address 150.1.7.57 255.255.255.0 standby 150.1.7.58

------------------------------------------------------------------------
Verify:
===========================================================
failover verification ! important !!!
===========================================================
Task 1.3 : configure ASA3 and ASA4 for Clustering

Your configuration should meet the following requirements:

ASA3-system

Interface mode:

Interface: port-channel1:
Subinterface:1.8
Vlan number: vlan 8

Subinterface:1.9
Vlan number: vlan 9

Subinterface:1.10
Vlan number: vlan 10

Interface : Gi0/0
Member of channel-group: 1

Interface : Gi0/1
Member of channel-group: 1

Group : ccie
Interface: Gi0/2
Address : 10.100.203.1/24
Name: ASA3
Master
ASA3-admin

Management pool:
mgmt-pool
150.1.7.60-150.1.7.61

Management interface :
mgmt
Address : 150.1.7.59/24

Interface port-channel1.8
Address 10.100.8.1/24
Name inside

Interface port-channel 1.9
Address 10.100.9.1/24
Name outside

Interface port-channel1.10
Address 10.100.10.1/24
name dmz
Security level 50

Address translation :

Server3 should be accessible from inside via 19.16.103.14
Network objects used for the translation should be named server3 and server3_t for the real and the
translated address respectively.

Server4 should be accessible from inside via 19.16.104.14
Network objects used for the translation should be named server4 and server4_t for the real and the
translated address respectively.

Traffic filtering:

Server3 192.168.103.14 should be accessible only from security-group name pc1 for the HTTP
traffic at port 80.
Server4 192.168.104.14 should be accessible only from security-group name pc2 for the HTTP
traffic at port 80.
ACL for the traffic filtering should be named server3-4
ACL should be host specific.
Static routes:
Server3 network accessible via next hop R14.
Server4 network accessible via next hop R14.

ASA4-system

Group ccie
Interface Gi0/2
Address 10.100.203.2/24
Name ASA4
Slave

Points : 4

Solution

==============================
ASA3(config)# show mode
Security context mode: multiple
ASA3(config)#
ASA4(config)# show mode
Security context mode: multiple
ASA4(config)#

======================================================
Cluster
======================================================

ASA3/ASA4:
cluster interface-mode spanned force
interface gigabitEthernet 2
no shutdown

------------------------------------------------------------

ASA3:
cluster group ccie
local-unit ASA3
cluster-interface GigabitEthernet2 ip 10.100.203.1 255.255.255.0
priority 1
enable (ASA 5512X only)
Would you like to remove these commands? [Y]es/[N]o:Y
--------------------------------------------------------------
ASA4:
cluster group ccie
local-unit ASA4
cluster-interface GigabitEthernet2 ip 10.100.203.2 255.255.255.0
priority 2
enable as-slave(ASA 5512X only)
Would you like to remove these commands? [Y]es/[N]o:Y

-------------------------------------------------------------------------
Verify: (ASA 5512X only)

==========================================================
SW1(physical)=SW1_P(virtual) SW2(physical)=SW2_P(virtual)=SW22_P(virtual)
===========================================================

SW1/SW1_P:

Vlan 8-10
Vlan 150
-----------------------------------------------------------------
SW2/SW2_P:

Vlan 8-10
Vlan 150

interface range E0/2 , E4/2
switchport host
switchport access vlan 150
exit

interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 8-10
switchport mode trunk
exit

interface range E0/0 - 1 , E4/0 - 1 (LACP active on the physical switch)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 8-10
switchport mode trunk
channel-group 1 mode on ---virtual
channel-protocol lacp ---physical, optional
channel-group 1 mode active ---physical

==============================================
Initial interface
===============================================

ASA3:

interface Port-channel1
port-channel span-cluster
!

interface gigabitEthernet 0
no shutdown
channel-group 1 mode on ---virtual
channel-group 1 mode active ---physical

interface gigabitEthernet 1
no shutdown
channel-group 1 mode on ---virtual
channel-group 1 mode active ---physical

interface gigabitEthernet 3 ---used instead of Management0/0 in the virtual lab
no shutdown

interface Port-channel1.8
vlan 8
!
interface Port-channel1.9
vlan 9
!
interface Port-channel1.10
vlan 10

admin-context admin
context admin
allocate-interface GigabitEthernet3
allocate-interface Port-channel1.8-Port-channel1.10
config-url disk0:/admin.cfg

=======================================
Context admin
=======================================

Changeto context admin

ip local pool mgmt-pool 150.1.7.60-150.1.7.61

interface GigabitEthernet3 ---used instead of Management0/0 in the virtual lab
management-only
nameif mgmt
security-level 100
ip address 150.1.7.59 255.255.255.0 cluster-pool mgmt-pool

interface Port-channel1.8
nameif inside
security-level 100
ip address 10.100.8.1 255.255.255.0
interface Port-channel1.9
nameif outside
security-level 0
ip address 10.100.9.1 255.255.255.0
interface Port-channel1.10
nameif dmz
security-level 50
ip address 10.100.10.1 255.255.255.0

=========================================
Static route
==========================================
route dmz 192.168.103.14 255.255.255.255 10.100.10.14
route dmz 192.168.104.14 255.255.255.255 10.100.10.14
-----------------------------------------------------------------
verify :

====================================================
NAT
====================================================

ASA3:
object network server3_t
host 19.16.103.14
object network server4_t
host 19.16.104.14

object network server3
host 192.168.103.14
nat (dmz,inside) static server3_t

object network server4
host 192.168.104.14
nat (dmz,inside) static server4_t

R14:
ip http server

------------------------------------------------------------
Verify:

Server3:
Server4:

Task 1.4 : configure Access Policy On NGIPS

Your configuration should meet the following requirements:

1.1: Permit EIGRP routing process between R1 and R2.

R1 Should be in the external Zone
R2 Should be in the internal Zone
Enable logging for the rules at the beginning of the connection.

Solution

========================================================
NGIPS initial
=========================================================
====================================================
FMC initial
===================================================
Registered successful:

===========================================================
Permit EIGRP traffic
==========================================================
OR
Permit the EIGRP application in the application table when the license is installed
-------------------------------------------------------------------------------
verify:

1.2: Allow HTTP traffic at port 8080 from 172.16.1.0/24 network to server1 and server2

172.16.1.0/24 Should be in the external zone.
Server1 And server2 should be in the internal zone.
Enable logging for the rules at the beginning of the connection.

solution

==========================================================
IPS
==========================================================
========================================================
R3 server
========================================================
ip http server
ip http port 8080

------------------------------------------------------------------------------
Verify : After Task 2.1 2.2 4.1

RDP client_pc1 :
FMC:

1.3: Allow HTTP traffic at port 8080 from 10.1.22.0/24 network to server1 and server2

10.1.22.1/24 Should be in the external zone
Server1 and server2 should be in the internal zone
Enable logging for the rules at the beginning of the connection.
Note :
Information not provided to implement this task can be assumed by the candidate.

Points : 5

=====================================================
IPS
=====================================================
--------------------------------------------------------------------
Verify: After Task 2.1 2.2 3.1
Task 2.1 configure WCCP Redirection On R2 For server1 and server2 HTTP

traffic originated From client_pc1

Your configuration should meet the following requirements:

Traffic should be redirected to WSA at 150.1.7.213
WCCP communication between R2 and WSA should be authenticated using password cisco
Any traffic filtering applied should be network and host specific for the HTTP port 8080

Note:
This task can only be verified after the successful implementation of Task 1.1a, Task 1.4 and
Task 4.1 (to be able to perform an end-to-end connectivity test).

Points : 5

=================================================
WSA initial:
===================================================
WCCP config:
R2:
ip access-list extended RED
permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq 8080
exit

ip access-list standard WSA
permit host 150.1.7.213

ip wccp 90 redirect-list RED group-list WSA password cisco

interface e0/2
ip wccp 90 redirect in
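Added example, not from the workbook: a small Python evaluator that walks a flow through the server5_c1 filter of Task 1.2 (ASA syntax, subnet masks) and the RED redirect-list above (IOS syntax, wildcard masks), so the "network and host specific" requirement can be checked against constructed flows. Only the keywords used in those ACLs are parsed; anything not matched falls to the implicit deny.

```python
"""Added example (not from the workbook): evaluate constructed flows against the
Task 1.2 ASA filter (server5_c1) and the Task 2.1 IOS redirect-list (RED).
Only the keyword subset that appears in those ACLs is handled."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

# ASA (8.3+) ACLs match the real address of server5, not its NAT address.
ASA_ACL = """\
access-list server5_c1 extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.105.7 eq www
access-list server5_c1 extended permit icmp 192.168.10.0 255.255.255.0 host 192.168.105.7 echo
"""

# IOS extended ACL used as the WCCP redirect-list: wildcard masks, not subnet masks.
IOS_ACL = """\
ip access-list extended RED
 permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
 permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq 8080
"""


def _take_addr(tokens, wildcard):
    """Pop one address spec ('any', 'host A' or 'A MASK') and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = int(ipaddress.ip_address(tokens.pop(0)))
    if wildcard:                       # IOS wildcard 0.0.0.255 is the inverse of 255.255.255.0
        mask ^= 0xFFFFFFFF
    return ipaddress.ip_network(f"{tok}/{ipaddress.ip_address(mask)}", strict=False)


def parse_acl(text, style):
    """Parse ASA ('asa') or IOS ('ios') extended ACL text into an ordered rule list."""
    wildcard = style == "ios"
    rules = []
    for raw in text.splitlines():
        t = raw.split()
        if style == "asa":
            if len(t) < 4 or t[0] != "access-list" or t[2] != "extended":
                continue
            t = t[3:]                  # -> [permit|deny, proto, src..., dst..., options]
        elif not t or t[0] not in ("permit", "deny"):
            continue                   # skips the 'ip access-list extended RED' header
        action, proto, rest = t[0], t[1], t[2:]
        src = _take_addr(rest, wildcard)
        dst = _take_addr(rest, wildcard)
        rule = {"action": action, "proto": proto, "src": src, "dst": dst,
                "dport": None, "icmp_type": None}
        if proto == "icmp" and rest:
            rule["icmp_type"] = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
        elif len(rest) >= 2 and rest[0] == "eq":
            rule["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append(rule)
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport=None, icmp_type=None):
    """First matching rule wins; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in (proto, "ip"):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != icmp_type:
            continue
        return r["action"]
    return "deny"
```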
verify:

Task 2.2 : configure HTTP traffic Access Policy On WSA

Your configuration should meet the following requirements:

HTTP traffic at port 8080 originating from the 172.16.1.0/24 network and directed to server1 and
server2 should be allowed if Firefox is used as the browser, but dropped if it originates from
Internet Explorer; all other traffic should be allowed.

identification profile 1:
Name: monitor profile
For source 172.16.1.0/24
For browser type-version Firefox-any

Identification profile 2:
Name: Block profile
Check For source 172.16.1.0/24
Check For browser type-version IE-Any

The URL category should be named CCIE Lab Rule, monitoring server1.cisco.com and
server2.cisco.com.
The corresponding access policies should be named monitor policy and block policy
respectively, and reference CCIE Lab Rule.
Note:
This task can only be verified after the successful implementation of Task 1.1a, Task 2.1 and
Task 4.2 (to be able to perform an end-to-end connectivity test).

Points : 4

Solution

=============================================

----------------------------------------------------------------
Change http port
identification profile 1:

identification profile 2:
-------------------------------------------------------------------------------
Verify after finishing Task 1.4 and Task 4.1
Task 2.3 : Install FireAMP connector on candidate PC and configure FireAMP

Cloud

Your configuration should meet the following requirements:

The PC should be part of a group called ccielab in the FireAMP cloud.
The group should have the description For Lab Windows.
The group should be part of the system protect policy.
Make sure the FireAMP connector on the candidate PC shows up as connected with the FireAMP
Cloud.

Points : 4

Solution

=================================================

=================================================
Task 3.1 : configure Clientless SSL VPN between ASA2_V and Client_PC2

Your configuration should meet the following requirements on ASA2_V:

VPN access credentials should be username: ccie password: ccie
Connection banner should be Enjoy The Lab!
Group alias should be named cciesecurity

The CA trustpoint should be configured as follows:
Name ccietrust
Enrollment self
RSA key cciekey
Session idle time 48 hours

The web ACL implementation should only allow the following URLs:
http://server1.cisco.com:8080
http://server2.cisco.com:8080

the bookmarks for the above servers should appear in the WebVPN portal as server1 and
server2 respectively.

Notes:
On client_pc2, a connection stub named ssl_vpn has been created in Firefox to test the
implementation.
The verification of this task depends on the successful implementation of Task 1.1b and Task 1.4.
The VPN session should be in the established state and you should be able to open sessions to server1
and server2 when you have ended your lab.
The VPN session should terminate on ASA2_v, being the Active ASA in the pair.
Make sure that closing the RDP connection to client_pc2 does not tear down the established VPN
session.
The DNS server is at 150.1.7.200.

Note:
Any information not provided for this task can be assumed by the candidate.

Points : 3

Solution

Note : vpn-sessiondb logoff all ---use this if the license restricts the number of VPN connections

===============================================
DNS !!!
===============================================

ASA2v
dns domain-lookup mgmt
dns name-server 150.1.7.200
domain-name cisco.com

=================================================
Enroll certificate
================================================

crypto key generate rsa label cciekey modulus 1024

crypto ca trustpoint ccietrust
enrollment self
keypair cciekey
fqdn asa2.cisco.com
subject-name CN=asa2.cisco.com

ASA2V(config)# crypto ca enroll ccietrust
% The fully-qualified domain name in the certificate will be: ASA2V
% Include the device serial number in the subject name? [yes/no]: no
Generate Self-Signed Certificate? [yes/no]: yes
=============================================
WEBVPN
=============================================

access-list WEB-ACL webtype permit url http://server1.cisco.com:8080
access-list WEB-ACL webtype permit url http://server2.cisco.com:8080

group-policy cciesecurity internal
group-policy cciesecurity attributes
banner value Enjoy The Lab!
vpn-session-timeout 2880
vpn-idle-timeout 2880
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value WebVPN
filter value WEB-ACL

tunnel-group cciesecurity type remote-access
tunnel-group cciesecurity general-attributes
default-group-policy cciesecurity

tunnel-group cciesecurity webvpn-attributes
group-alias cciesecurity enable

webvpn
enable outside
tunnel-group-list enable

ssl trust-point ccietrust outside

username ccie password ccie
username ccie attributes
vpn-group-policy cciesecurity
service-type remote-access

http server enable
http 150.1.7.0 255.255.255.0 mgmt

===========================================================
bookmark
===========================================================
Verify after finishing Task 1.4, Task 2.1 and Task 2.2
===================================================
Make ASA22v active and apply the bookmark again.
====================================================

ASA2v:
ASA2v(config)# no failover active
ASA2v(config)#
Switching to Standby
ASA2v(config)#

Task 3.2 : configure Site-To-Site certificate Based VPN between R15 R16 and

R17

Your configuration should meet the following requirements:


The VPN session should secure traffic between 192.168.15.0/24 and 192.168.16.0/24 networks.
Configure trustpoint by the name of ccier15 on R15 as follows:
Common Name as r15
Organization as cisco.com
Certificate should include R15 loopback0 interface.
Enroll using loopback0 as the source interface
Enroll with CA running at R17 using its loopback0 interface.
RSA key pair should be ccier15

Configure trustpoint by the name of ccier16 on R16 as follows:
Common name as r16
Organization as cisco.com
Certificate should include R16 loopback0 interface
Enroll using loopback0 as the source interface
Enroll with CA running at R17 using its loopback0 interface.
RSA key pair should be ccier16

Note:
Any information not provided for this task can be assumed by the candidate.
Points : 3

Solution

=============================================
NTP Task 5.3
================================================

================================================
R17 CA Server PRE-CONFIG
================================================

crypto key generate rsa label ccier17 modulus 1024 ---this key may already exist in the pre-config; verify before generating a new one.

ip http server
crypto pki server ccieca
database level complete
issuer-name CN=r17 O=cisco.com
grant auto
no shutdown
password : cisco123 ---entered at the 'no shutdown' prompt; after a shutdown / no shutdown cycle, verify that the server is enabled

-----------------------------------------------------
Verify:

================================================
R15 enroll certificate
====================================================

ip domain-name cisco.com
ip name-server 150.1.7.200
crypto key generate rsa label ccier15 modulus 1024

crypto pki trustpoint ccier15
enrollment url http://172.16.100.17:80
ip-address loopback 0
subject-name cn=r15 o=cisco.com
revocation-check crl
source interface Loopback0
rsakeypair ccier15

----------------------------------------------------------------

R15(config)#crypto pki authenticate ccier15


Certificate has the following attributes:
Fingerprint MD5: 3F132300 572BF9B9 214C1804 2CA56145
Fingerprint SHA1: 7BD034F8 A8AEE5A6 83E867CB 3F028BAF 3C98AD44
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R15(config)#crypto pki enroll ccier15


% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: enter
Re-enter password: enter

% The subject name in the certificate will include: cn=r15 o=cisco.com


% The subject name in the certificate will include: R15
% Include the router serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose ccier15' command will show the fingerprint.
Apr 24 04:24:04.932: CRYPTO_PKI: Certificate Request Fingerprint MD5: F7303D59
EA755119 3CCA65E6 191E7E23
Apr 24 04:24:04.932: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 39860FEC
F1AE881C 704752CB 4C4D8CEE 3C36C109
Apr 24 04:24:19.288: %PKI-6-CERTRET: Certificate received from Certificate Authority
R15(config)#

-----------------------------------------------------------------------------
Verify

====================================================
R16 enroll certificate
====================================================

ip domain-name cisco.com
ip name-server 150.1.7.200

crypto key generate rsa label ccier16 modulus 1024

crypto pki trustpoint ccier16
enrollment url http://172.16.100.17:80
ip-address loopback 0
subject-name CN=r16 O=cisco.com
source interface Loopback0
revocation-check crl
rsakeypair ccier16

R16(config)#crypto pki authenticate ccier16


Certificate has the following attributes:
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

R16(config)#crypto pki enroll ccier16

----------------------------------------------------
Verify:

*************************************************************************************
Note: if enrollment fails with a PKI error, delete the trustpoint and the key pair, then authenticate and enroll again.
***************************************************************************************
no crypto pki trustpoint ccier16
yes
crypto key zeroize rsa ccier16
yes

-------------------------------------------------------------------------
Verify :
=====================================================
R15
======================================================
crypto isakmp policy 10
authentication rsa-sig
exit
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
exit

ip access-list extended VPN
permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
exit
crypto map VPN 10 ipsec-isakmp
set peer 20.1.7.16
set transform-set TS
match address VPN
reverse-route static
exit

interface g1
crypto map VPN
exit

=================================================
R16
=================================================
crypto isakmp policy 10
authentication rsa-sig
exit

crypto ipsec transform-set TS esp-aes esp-sha-hmac
exit

ip access-list extended VPN
permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
exit

crypto map VPN 10 ipsec-isakmp
set peer 20.1.6.15
match address VPN
set transform-set TS
exit

interface g2
crypto map VPN
exit
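A frequent cause of a crypto-map tunnel failing in phase 2 (proxy identity mismatch) is that the two peers' crypto ACLs are not exact mirror images. The script below is an added example, not part of the lab document or of any Cisco tool: it parses 'permit ip' entries with IOS wildcard masks and checks that every entry on R15 has its source/destination-swapped twin on R16. The ACL text is copied from the R15 and R16 solution above; the second R16 variant is a constructed mistake (a /25 on one side) to show the failure case. Function names are my own.

```python
"""Check that the crypto ACLs on two IPsec peers are mirror images.

Added example, not part of the lab document. R15_VPN_ACL / R16_VPN_ACL are
taken from the solution above; R16_BAD_ACL is a constructed mismatch.
"""
import ipaddress
import re

# permit|deny ip <src> <src-wildcard> <dst> <dst-wildcard>
ACE_RE = re.compile(r"^\s*(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # wildcard bits must be contiguous from the right
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    prefix = 32 - w.bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_crypto_acl(text):
    """Return (action, src_net, dst_net) tuples for the 'ip' ACEs in an IOS ACL."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:  # 'ip access-list extended VPN' and 'exit' lines are skipped
            action, src, swc, dst, dwc = m.groups()
            aces.append((action.lower(),
                         wildcard_to_network(src, swc),
                         wildcard_to_network(dst, dwc)))
    return aces


def mismatches(local_acl, remote_acl):
    """Local ACEs that have no src/dst-swapped twin on the remote peer."""
    swapped_remote = {(a, d, s) for a, s, d in parse_crypto_acl(remote_acl)}
    return [ace for ace in parse_crypto_acl(local_acl) if ace not in swapped_remote]


def is_mirrored(local_acl, remote_acl):
    """True when both ACLs have the same number of ACEs and each is mirrored."""
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    return len(local) == len(remote) and not mismatches(local_acl, remote_acl)


# Constructed from the R15/R16 solution above.
R15_VPN_ACL = """
ip access-list extended VPN
 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
exit
"""
R16_VPN_ACL = """
ip access-list extended VPN
 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
exit
"""
# Constructed mistake: a /25 on the R16 side does not mirror R15's /24.
R16_BAD_ACL = """
ip access-list extended VPN
 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.127
exit
"""

if __name__ == "__main__":
    print("R15/R16 mirrored:", is_mirrored(R15_VPN_ACL, R16_VPN_ACL))
    print("R15 vs bad R16 mismatches:", mismatches(R15_VPN_ACL, R16_BAD_ACL))
```

Run it after pasting the two peers' ACLs in; the mismatch list names the exact entry that will not negotiate, which is quicker than reading debug crypto ipsec output on both routers.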

=================================================
certificate map --- Suggestion
=================================================
Binding a certificate map to an ISAKMP profile restricts the peer to the expected subject name. The profile must be attached to the crypto map that is actually applied to the interface (VPN above); set on an unused map it has no effect.

R15:
crypto pki certificate map CERTMAP 10
subject-name co cn=r16 o=cisco.com
crypto isakmp profile IKEV1PROFILE
ca trust-point ccier15
match certificate CERTMAP

crypto map VPN 10 ipsec-isakmp
set isakmp-profile IKEV1PROFILE

-------------------------------------------------------------------
R16:
crypto pki certificate map CERTMAP 10
subject-name co cn=r15 o=cisco.com

crypto isakmp profile IKEV1PROFILE
ca trust-point ccier16
match certificate CERTMAP

crypto map VPN 10 ipsec-isakmp
set isakmp-profile IKEV1PROFILE

Task 3.3 : configure VRF-Aware GETVPN between R3 R4 and R5

Your configuration should meet the following requirements:

VRF for site_a should be site_a
VRF for site_b should be site_b
Registration link should be in vrf mgmt.

Preshared key between the sites should be cisco

ISAKMP policy should have encryption 3des and DH Group 2

Identity number for site_a should be 100
Identity number for site_b should be 200

Rekeying authentication should use RSA key cciekey for both sites

The implementation should secure site_a traffic between the 192.168.4.0/24 and 192.168.5.0/24
networks.
The implementation should secure site_b traffic between the 192.168.4.0/24 and 192.168.5.0/24
networks.
EIGRP routing process for site_a and site_b should be authenticated using mode MD5 and
password ccie

Notes:
Refer to the topology for addressing, VLAN and EIGRP routing information.
SW1_V is preconfigured for this task.
Any information not provided for this task can be assumed by the candidate.

Points : 3

Solution

=======================================================
EIGRP ROUTE
========================================================

-----------------------------------------------------------------------
R4:

ip vrf mgmt
rd 20:20
!
ip vrf site_a
rd 100:100
!
ip vrf site_b
rd 200:200
!
key chain ccie
key 1
key-string ccie
!
interface Loopback100
ip vrf forwarding site_a
ip address 192.168.4.4 255.255.255.255
!
interface Loopback200
ip vrf forwarding site_b
ip address 192.168.4.4 255.255.255.255
!
!
interface Ethernet0/2.20
encapsulation dot1Q 20
ip vrf forwarding mgmt
ip address 10.1.20.4 255.255.255.0
!
interface Ethernet0/2.100
encapsulation dot1Q 100
ip vrf forwarding site_a
ip address 10.1.45.4 255.255.255.0
ip authentication mode eigrp 403 md5
ip authentication key-chain eigrp 403 ccie
!
interface Ethernet0/2.200
encapsulation dot1Q 200
ip vrf forwarding site_b
ip address 10.1.45.4 255.255.255.0
ip authentication mode eigrp 405 md5
ip authentication key-chain eigrp 405 ccie
!
router eigrp 45
!
address-family ipv4 vrf site_a autonomous-system 403
network 10.1.45.0 0.0.0.255
network 192.168.4.0
exit-address-family
!
address-family ipv4 vrf site_b autonomous-system 405
network 10.1.45.0 0.0.0.255
network 192.168.4.0
exit-address-family
!

----------------------------------------------------------------------

R5:

ip vrf mgmt
rd 20:20
!
ip vrf site_a
rd 100:100
!
ip vrf site_b
rd 200:200
!
key chain ccie
key 1
key-string ccie ---the task requires password ccie, not cisco
!
interface Loopback100
ip vrf forwarding site_a
ip address 192.168.5.5 255.255.255.255
!
interface Loopback200
ip vrf forwarding site_b
ip address 192.168.5.5 255.255.255.255
!
interface Ethernet0/2.20
encapsulation dot1Q 20
ip vrf forwarding mgmt
ip address 10.1.20.5 255.255.255.0
!
interface Ethernet0/2.100
encapsulation dot1Q 100
ip vrf forwarding site_a
ip address 10.1.45.5 255.255.255.0
ip authentication mode eigrp 403 md5
ip authentication key-chain eigrp 403 ccie
!
interface Ethernet0/2.200
encapsulation dot1Q 200
ip vrf forwarding site_b
ip address 10.1.45.5 255.255.255.0
ip authentication mode eigrp 405 md5
ip authentication key-chain eigrp 405 ccie
!
!
router eigrp 45
!
address-family ipv4 vrf site_a autonomous-system 403
network 10.1.45.0 0.0.0.255
network 192.168.5.0
exit-address-family
!
address-family ipv4 vrf site_b autonomous-system 405
network 10.1.45.0 0.0.0.255
network 192.168.5.0
exit-address-family
!

----------------------------------------------------------
Verify:
==================================================
KS Server R3
=================================================

crypto key generate rsa label cciekey modulus 2048

crypto isakmp policy 10


encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSPROFILE
set transform-set TS
!
crypto gdoi group site_a
identity number 100
server local
rekey algorithm aes 256
rekey authentication mypubkey rsa cciekey
rekey transport unicast
sa ipsec 1
profile IPSPROFILE
match address ipv4 site_a
address ipv4 10.1.20.3
!
crypto gdoi group site_b
identity number 200
server local
rekey algorithm aes 256
rekey authentication mypubkey rsa cciekey
rekey transport unicast
sa ipsec 1
profile IPSPROFILE
match address ipv4 site_b
address ipv4 10.1.20.3
!
interface Loopback1
ip address 192.168.101.3 255.255.255.255
!
interface Loopback2
ip address 192.168.102.3 255.255.255.255
!
ip http server
ip http port 8080
!
ip access-list extended site_a
permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended site_b
permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
!
=========================================================

R4/R5 Group member


========================================================

crypto keyring mgmt vrf mgmt


pre-shared-key address 10.1.20.3 key cisco
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto gdoi group site_a
identity number 100
server address ipv4 10.1.20.3
client registration interface Ethernet0/2.20
!
crypto gdoi group site_b
identity number 200
server address ipv4 10.1.20.3
client registration interface Ethernet0/2.20
!
crypto map site_a 10 gdoi
set group site_a
!
crypto map site_b 10 gdoi
set group site_b
!
interface Ethernet0/2.100
crypto map site_a
!
interface Ethernet0/2.200
crypto map site_b

===========================================================
verify
===========================================================

R4 site_a:

R4 site_b:
R5 site_a:
R5 site_b:
R3 ks:
-------------------------------------------------------------------------------
verify:
Task 3.4 : configure FLEXVPN between R9 R10 and R11

Your configuration should meet the following requirements:

Configure Hub-Spoke FLEXVPN setup between R9 HUB R10 R11 SPOKES.

Preshared key between R9 and R10 should be ccier10


Preshared key between R9 and R11 should be ccier11

IPsec protected Tunnel Tu34 should be established between R9 and R10.


IPsec protected Tunnel Tu35 should be established between R9 and R11.

Loopback1 interfaces on R9 R10 and R11 should be included in the EIGRP routing domain.

Tu34 should secure the traffic between 192.168.10.0/24 and host 10.100.6.1
Tu35 should secure the traffic between 192.168.11.0/24 and host 10.100.7.1

Notes:
The verification of this task depends on the successful implementation of Task 1.2
Refer to the topology for addressing and EIGRP routing information.
Any information not provided for this task can be assumed by the candidate
Points : 3

Solution

Note:

============================================
R9
============================================

crypto ikev2 proposal PROPOSAL ---optional; IOS supplies a default IKEv2 proposal and policy
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy POLICY ---optional, see above
match fvrf any
proposal PROPOSAL

crypto ikev2 keyring KEYRING


peer R10
address 20.1.4.10
pre-shared-key ccier10
!
peer R11
address 20.1.5.11
pre-shared-key ccier11
!
!
crypto ikev2 profile IKEV2PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local KEYRING

crypto ipsec transform-set TS esp-aes esp-sha-hmac


!
!
crypto ipsec profile IPSECPROFILE
set transform-set TS
set ikev2-profile IKEV2PROFILE
!
!
interface Tunnel34
ip address 172.16.2.9 255.255.255.0
no ip redirects
no ip split-horizon eigrp 34
ip nhrp map multicast dynamic
ip nhrp network-id 9
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 34 ---tunnel key must be a number (0-4294967295); 34 is chosen here and must match R10's Tunnel34
tunnel protection ipsec profile IPSECPROFILE shared
!
interface Tunnel35
ip address 172.16.3.9 255.255.255.0
no ip redirects
no ip split-horizon eigrp 35
ip nhrp map multicast dynamic
ip nhrp network-id 99
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 35 ---numeric; must match R11's Tunnel35
tunnel protection ipsec profile IPSECPROFILE shared
!
!
interface Ethernet0/1
ip address 20.1.3.9 255.255.255.0
!
interface Ethernet0/2.1
encapsulation dot1Q 6
ip address 10.100.6.9 255.255.255.0
!
interface Ethernet0/2.2
encapsulation dot1Q 7
ip address 10.100.7.9 255.255.255.0
!
router eigrp 34
network 10.100.6.0 0.0.0.255
network 172.16.2.0 0.0.0.255
network 192.168.9.0
passive-interface Ethernet0/2.1
no auto-summary
!
router eigrp 35
network 10.100.7.0 0.0.0.255
network 172.16.3.0 0.0.0.255
network 192.168.9.0
passive-interface Ethernet0/2.2
no auto-summary

======================================================
R10
======================================================
crypto ikev2 proposal PROPOSAL
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy POLICY
match fvrf any
proposal PROPOSAL
!
crypto ikev2 keyring KEYRING
peer R9
address 20.1.3.9
pre-shared-key ccier10
!
!
crypto ikev2 profile IKEV2PROFILE
match identity remote address 20.1.3.9 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSECPROFILE
set transform-set TS
set ikev2-profile IKEV2PROFILE
!
interface Tunnel34
ip address 172.16.2.10 255.255.255.0
ip nhrp network-id 10
ip nhrp nhs 172.16.2.9
tunnel source 20.1.4.10
tunnel destination 20.1.3.9
tunnel key 34 ---numeric; must match the hub's Tunnel34
tunnel protection ipsec profile IPSECPROFILE
!
!
router eigrp 34
network 172.16.2.0 0.0.0.255
network 192.168.10.0
!

=============================================
R11
=============================================
crypto ikev2 proposal PROPOSAL
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy POLICY
match fvrf any
proposal PROPOSAL
!
crypto ikev2 keyring KEYRING
peer R9
address 20.1.3.9
pre-shared-key ccier11
!
crypto ikev2 profile IKEV2PROFILE
match identity remote address 20.1.3.9 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSECPROFILE
set transform-set TS
set ikev2-profile IKEV2PROFILE
!
crypto ipsec profile IPSPROFILE
set transform-set TS
set ikev2-profile IKEV2PROFILE
!
interface Tunnel35
ip address 172.16.3.11 255.255.255.0
ip nhrp network-id 11
ip nhrp nhs 172.16.3.9
tunnel source 20.1.5.11
tunnel destination 20.1.3.9
tunnel key 35 ---numeric; must match the hub's Tunnel35
tunnel protection ipsec profile IPSPROFILE
!
router eigrp 35
network 172.16.3.0 0.0.0.255
network 192.168.11.0

================================================
Verify:

-----------------------------------------------
R10:
----------------------------------------------
R11:
Task 3.5 : configure SXP between SW2_P and ASA3

Your configuration should meet the following requirements:

The SXP session between SW2_P and ASA3 should be authenticated using password ccie
ASA3 should download the CTS environment data from ISE.

Note:
TFTP server is available on candidate_pc
SW2 will receive supplicant authentication/authorization request.
Any information not provided in this task can be assumed by the candidate.

Points : 3

===============================================

ISE:
AAA client:

Generate PAC:
Transfer PAC to ASA3:
---------------------------------------------------------------
ASA3:
aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.212
key cisco
cts server-group ISE

=======================================================
SXP
=======================================================
ASA3:
cts sxp enable
cts sxp default password ccie
cts sxp default source-ip 150.1.7.59
cts sxp connection peer 150.1.7.45 source 150.1.7.59 password default mode peer speaker

SW2/SW2P/SW22_P:
cts sxp enable
cts sxp default source-ip 150.1.7.45
cts sxp default password ccie
cts sxp connection peer 150.1.7.59 source 150.1.7.45 password default mode peer listener

-----------------------------------------------------------------------------
Verify:
===========================================================
traffic filtering
===========================================================

ASA3:

object-group security PC1


security-group name PC1
object-group security PC2
security-group name PC2

access-list server3-4 extended permit tcp object-group-security PC1 10.100.8.0 255.255.255.0 host 192.168.103.14 eq www
access-list server3-4 extended permit tcp object-group-security PC2 10.100.8.0 255.255.255.0 host 192.168.104.14 eq www

access-group server3-4 in interface inside

--------------------------------------------------------------------------
Verify:
mab_pc:
-----------------------------------------------------------------------
dot1x_pc:
Task 4.1 : configure anyconnect IKEv2 between ASA1_V and client_pc1

Your configuration should meet the following requirements on ASA1_V:

The tunnel should negotiate IKEv2 policy and IPsec proposal for AES-256 encryption.
The tunnel should only secure traffic for server1 and server2.
The client address pool should be 172.16.1.0-172.16.10.0/24.
The session tunnel should remain connected for 48 hours even without any activity.
The group alias for the session should be ccieprofile

The trustpoint for the implementation should be named ccietrust using RSA key pair cciekey.

ASA should authenticate the session using AAA with ISE at 150.1.7.212.
Credentials should be username cisco password Midhumo2
User cisco should be part of ISE internal database.
ISE should check for NAS IP address to authorize the session.

Notes:
The verification of this task depends on successful implementation of Task 1.1a, Task 1.2, Task
2.1 and Task 2.2.
Tunnel destination asa1.cisco.com resolves to the ASA1 outside address.
The VPN session should be terminated on ASA1_V, the active ASA in the pair.
The VPN session should be in the established state when you have ended the configuration module.
Use the Firefox browser to test your connectivity with server1 and server2.
Any information not provided for this task can be assumed by the candidate.

Points : 4

Solution

ASA1v DNS:
dns domain-lookup mgmt
dns name-server 150.1.7.200
domain-name cisco.com

http server enable


http 150.1.7.0 255.255.255.0 mgmt

=============================================
Upload anyconnect software on ASA1v/ASA11v
==========================================
asa1v /asa11v:
asa1v(config)#ping 150.1.7.201 (Candidate PC)

OR
============================================
Enroll certificate
==============================================
crypto key generate rsa label cciekey modulus 1024

ASA1v trustpoint:
crypto ca trustpoint ccietrust
enrollment self
id-usage ssl-ipsec
fqdn asa1.cisco.com
subject-name CN=asa1.cisco.com
keypair cciekey

asa1(config)# crypto ca enroll ccietrust


% The fully-qualified domain name in the certificate will be: asa1.cisco.com
% Include the device serial number in the subject name? [yes/no]: no
Generate Self-Signed Certificate? [yes/no]: yes

===============================================
WEBVPN
===============================================
ASA1v:
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.3.05017-k9.pkg
anyconnect enable
tunnel-group-list enable

ip local pool ccieprofile 172.16.1.0-172.16.10.0 mask 255.255.255.0 ---check the range carefully: it runs from 172.16.1.0 to 172.16.10.0, exactly as the task states


access-list servers standard permit host 192.168.101.3
access-list servers standard permit host 192.168.102.3

group-policy ccieprofile internal


group-policy ccieprofile attributes
vpn-idle-timeout 2880
vpn-tunnel-protocol ikev2 ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value servers
default-domain value cisco.com

tunnel-group ccieprofile type remote-access

tunnel-group ccieprofile general-attributes


address-pool ccieprofile
authentication-server-group ISE
default-group-policy ccieprofile

tunnel-group ccieprofile webvpn-attributes


group-alias ccieprofile enable

aaa-server ISE protocol radius


aaa-server ISE (mgmt) host 150.1.7.212
key cisco

crypto ikev2 enable outside client-services port 443


crypto ikev2 remote-access trustpoint ccietrust

crypto ikev2 policy 10


encryption aes-256

crypto ipsec ikev2 ipsec-proposal ccieprofile


protocol esp encryption aes-256
protocol esp integrity sha-1

crypto dynamic-map ccieprofile 10 set ikev2 ipsec-proposal ccieprofile


crypto dynamic-map ccieprofile 10 set reverse-route

crypto map ccieprofile 65535 ipsec-isakmp dynamic ccieprofile


crypto map ccieprofile interface outside
export profile on ASA11v
---------------------------------------------------------------------------
upload ccieprofile to ASA11v
-----------------------------------------------------------------------------
Verify
ASA1v/ASA11v:

--------------------------------------------------------------------------
AAA Client:
-------------------------------------------------------------------------------
Verify
-------------------------------------------------------------
switching active and testing on ASA11v
Task 4.2 : configure SW2_P Gig1/0/9 To Authentication Dot1x Session From dot1x_pc

Your configuration should meet the following requirements:

The Dot1x session should get a DHCP IP address from the SW2_P local pool in VLAN 8.
ISE should authenticate the Dot1x user ccie with password Ccie123; user ccie should
be part of the ISE internal database.
ISE should authorize the session based on the NAS IP address.
On successful authorization ISE should assign the session VLAN 8 and the SGT of PC2, and push a DACL
that permits IP traffic from any source to any destination.

From dot1x_pc you should be able to browse only server4 to verify the implementation.

Notes:
The verification of this task depends on the successful implementation of Task 1.3 and Task
3.5.
Make sure your implementation of AAA does not impact SW2_P console access.
The Dot1x session should be in the established state when you have ended your lab.
Any information not provided to implement this task can be assumed by the candidate.

Points : 3

Solution

=================================================
SW2=SW2_P=SW22_P
===================================================

------------------------------------------------------------------

!
interface GigabitEthernet1/0/10
switchport trunk encapsulation dot1q
switchport mode trunk
!

Vlan 8
Vlan 150
Vlan 215

ip routing

interface Vlan8
ip address 10.100.8.22 255.255.255.0
!
interface Vlan150
ip address 150.1.7.45 255.255.255.0
!
interface Vlan215
ip address 10.100.215.22 255.255.255.0
!

ip route 192.168.103.14 255.255.255.255 10.100.8.1
ip route 192.168.104.14 255.255.255.255 10.100.8.1

-----------------------------------------------------------------

ip dhcp pool VLAN8


network 10.100.8.0 255.255.255.0
default-router 10.100.8.1
!
ip dhcp pool VLAN215
network 10.100.215.0 255.255.255.0
default-router 10.100.215.22
option 150 ip 150.1.7.215

ip dhcp excluded-address 10.100.8.1


ip dhcp excluded-address 10.100.8.2
ip dhcp excluded-address 10.100.8.13
ip dhcp excluded-address 10.100.8.22
ip dhcp excluded-address 10.100.215.22

!
------------------------------------------------------------------
aaa new-model
!
aaa authentication login NOACS line none
line con 0
login authentication NOACS

!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
radius-server host 150.1.7.212 auth-port 1812 acct-port 1813 key cisco
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
!

ip device tracking

dot1x system-auth-control

!
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
permit icmp any any
deny ip any any log

interface GigabitEthernet1/0/9
switchport mode access
switchport voice vlan 215
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast

Note: authentication open is added because the pre-configured ACL-DEFAULT is applied to the port; with open mode the port forwards traffic before authorization, and ACL-DEFAULT limits that traffic to DHCP, DNS, TFTP and ICMP until ISE pushes the DACL.
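To see exactly what an open-mode port exposes before authorization, the following Python script is an added example (not from the lab document or from Cisco): a minimal evaluator for the 'any' / 'host' style entries used in ACL-DEFAULT above, run against constructed sample packets, with the ISE-pushed 'permit ip any any' DACL as the post-authorization comparison. The ACL text is copied from the switch configuration; packet values, DACL text and function names are my own assumptions.

```python
"""Evaluate the pre-authentication ACL-DEFAULT from the SW2_P solution.

Added example, not part of the lab document. ACL_DEFAULT is copied from the
configuration above; DACL_PERMIT_ALL stands in for the ISE-pushed dACL; the
sample packets are constructed.
"""
NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}

ACL_DEFAULT = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
permit icmp any any
deny ip any any log
"""

DACL_PERMIT_ALL = "permit ip any any"  # what ISE pushes after authorization


def _take_address(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (address or None for any, rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("only 'any' and 'host' addresses are supported here")


def _take_port(tokens):
    """Consume an optional 'eq <port>' clause; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (NAMED_PORTS[name] if name in NAMED_PORTS else int(name)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p] [log]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto, rest = t[0], t[1], t[2:]
        src, rest = _take_address(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_address(rest)
        dport, rest = _take_port(rest)
        aces.append({"action": action, "proto": proto, "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "log": "log" in rest})
    return aces


def _matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for key in ("src", "sport", "dst", "dport"):
        if ace[key] is not None and ace[key] != pkt.get(key):
            return False
    return True


def evaluate(aces, pkt):
    """(action, log) of the first matching ACE; IOS implicit deny otherwise."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace["action"], ace["log"]
    return "deny", False


def decisions(pkt):
    """(pre-authentication verdict, post-authorization verdict) for one packet."""
    return evaluate(parse_acl(ACL_DEFAULT), pkt), evaluate(parse_acl(DACL_PERMIT_ALL), pkt)


# Constructed sample flows from a host on the VLAN 8 port.
SAMPLE_PACKETS = {
    "dhcp_discover": {"proto": "udp", "src": "0.0.0.0", "sport": 68,
                      "dst": "255.255.255.255", "dport": 67},
    "dns_query": {"proto": "udp", "src": "10.100.8.50", "sport": 51000,
                  "dst": "150.1.7.200", "dport": 53},
    "tftp_read": {"proto": "udp", "src": "10.100.215.50", "sport": 51001,
                  "dst": "150.1.7.215", "dport": 69},
    "ping": {"proto": "icmp", "src": "10.100.8.50", "dst": "10.100.8.1"},
    "http_server4": {"proto": "tcp", "src": "10.100.8.50", "sport": 51002,
                     "dst": "192.168.104.14", "dport": 80},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        pre, post = decisions(pkt)
        print(f"{name:14s} pre-auth={pre} post-auth={post}")
```

The HTTP flow to server4 is denied and logged until authorization succeeds, while DHCP, DNS, TFTP and ICMP pass; that is the trade-off open mode makes, and the 'deny ip any any log' entry is what lets you spot a host probing the network from an unauthenticated port.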


Create mab_pc MAC address:
IP Phone MAC address:
dot1x_pc authorization profile: VLAN 8, DACL (permit any).

mab_pc authorization profile:
dot1x_pc SGT: SGT=PC2

mab_pc SGT: SGT=PC1

dot1x_pc authorization policy: match Wired 802.1X, user ccie, NAS IP=150.1.7.45

mab_pc authorization policy:

IP Phone authorization policy:


==================================================
Dot1x_pc
========================================================
==============================================
verify:

1. dot1x_pc:
2. mab_pc:

3. IP Phone:
4. ACL:

Task 4.3 : configure R1 For The SSH Authentication

Your configuration should meet the following requirements:

The authentication request should be forwarded to RADIUS server ISE.


ISE should check the SSH user in the Active Directory database. Active Directory is preconfigured
with SSH user credentials admin1/Cisc0123 (o Not Zero).
Make sure that user admin1 belongs to user group Lab_Admin in ISE.
To authorize the session ISE should check that the SSH user belongs to Lab_Admin and check the NAS IP
address.
The user admin1 should be assigned privilege level 15 on successful authorization.
The session should not time out for 48 hours even without any activity.

Notes:
You need to test SSH from the candidate PC, where an r1.cisco.com connection profile has been
created in the PuTTY client.
The SSH session should be in the established state when you have ended your configuration
module.
Use the account ccie/Cisc0123 to join ISE to AD.
Any information not provided to implement this task can be assumed by the candidate.

Points : 3

Solution

================================================
ISE join AD
=================================================

Note: ISE can join AD only when three conditions are met: 1. ISE time is synchronized, 2. DNS resolves the domain, 3. the domain name is set.

Time sync: ISE should synchronize with NTP server 150.1.7.200 (the AD/DNS server).
-----------------------------------------------------------------------
Remember this step; it may have been removed in the real examination.

=================================================
R1
=================================================

-------------------------------------------
Verify RSA key
ip domain name cisco.com
crypto key generate rsa modulus 1024

--------------------------------------------------

****************************************************************************
R1 PRE-CONFIG
*****************************************************************************

aaa new-model
R1(config)#no radius-server vsa send authentication
R1(config)#radius server ccie
R1(config-radius-server)#address ipv4 150.1.7.212 auth-port 1645 acct-port 1646
R1(config-radius-server)#key cisco

========================================================

aaa authentication login NOACS line none


line con 0
login authentication NOACS

line aux 0
login authentication NOACS

aaa group server radius ISE


server name ccie

aaa authentication login SSH group ISE


aaa authorization exec SSH group ISE

R1(config)#line vty 0 ?
<1-98> Last Line number
<cr>
R1(config)#line vty 0 98
R1(config-line)#login authentication SSH
R1(config-line)#authorization exec SSH
R1(config-line)#session-timeout 2880
R1(config-line)#exec-timeout 2880
R1(config-line)#

====================================================
Verify
Task 4.4 : configure SW2_P Gig1/0/9 To authentication And Authorize PC mab_pc And IP Phone

Your configuration should meet the following requirements:

The mab_pc should get a DHCP address from the SW2_P local pool in VLAN 8.
The IP Phone should get a DHCP address from the SW2_P local pool in VLAN 225 and be assigned TFTP
address 150.1.7.215.

ISE should authenticate and authorize mab_pc and the IP Phone.

ISE authorization for both supplicants should be based on the NAS IP address.

On successful authorization ISE should assign mab_pc VLAN 8 and the SGT of PC1, and push a DACL
that permits traffic from any source to any destination.
On successful authorization ISE should push a DACL that permits IP traffic from any source to
any destination for the IP Phone.

From mab_pc you should be able to browse only server3 to verify the implementation.
From SW2 you should be able to ping the IP Phone IP address and the CUCM IP address to verify
the implementation.

Notes:
The verification of this task depends on the successful implementation of Task 1.3 and Task 3.5.
Make sure your implementation of AAA does not impact SW2_P console access.
The MAB session should be in the established state when you have ended your lab.
Any information not provided to implement this task can be assumed by the candidate.

Points : 3

Solution

Finish at Task 4.2

Task 5.1 : configure syslog On R1 and R17

Your configuration should meet the following requirements:


R1 should send information level messages to syslog server setup at the candidate PC.
Messages seen from R1 on the syslog server are marked with R1 hostname.

R17 should send debug level messages to syslog server setup at candidate PC.
Messages seen from R17 on the syslog server are marked with the string CA.

Notes:
Candidate PC is preconfigured with kiwi syslog server for this task.

Points : 2

Solution

================================================
R1
================================================

logging on
logging origin-id hostname
logging host 150.1.7.201
logging trap informational

===================================================
R17
==================================================
logging on
logging trap debugging
logging origin-id string CA
logging host 150.1.7.201
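The origin-id setting is what lets the syslog server tell R1 from R17 without relying on the packet's source address, which NAT or a relay can change. The following Python script is an added example, not part of the lab document: it parses IOS-format syslog lines, decodes the PRI field into facility and severity, and reports messages that carry no origin-id, an unexpected origin-id, or a severity above the trap level configured for that origin (R1 informational, CA debugging). The sample lines are constructed in the format IOS emits with logging origin-id enabled; the leading per-host message counter and the origin are both optional in the parser, and the mnemonics used in the samples are ordinary IOS ones chosen for illustration.

```python
"""Parse IOS syslog messages and audit origin-id marking and trap levels.

Added example, not part of the lab document. SAMPLE_LINES are constructed;
TRAP_POLICY mirrors the R1 / R17 configuration above.
"""
import re

# <PRI>[counter: ][origin-id: ]timestamp: %FACILITY-SEVERITY-MNEMONIC: text
IOS_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"                       # per-destination message counter
    r"(?:(?P<origin>[\w.-]+): )?"                # origin-id hostname / string / ip
    r"(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<msev>\d)-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# logging trap level per origin-id: 6 = informational, 7 = debugging
TRAP_POLICY = {"R1": 6, "CA": 7}


def parse_ios_syslog(line):
    """Return a dict of fields for one IOS syslog line, or None if it does not parse."""
    m = IOS_SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,            # IOS default facility is local7 (23)
        "severity": pri % 8,             # 0 emergencies .. 7 debugging
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "origin": m.group("origin"),
        "timestamp": m.group("ts"),
        "mnemonic": f"%{m.group('fac')}-{m.group('msev')}-{m.group('mnem')}",
        "msg_severity": int(m.group("msev")),
        "text": m.group("text"),
    }


def audit(lines, trap_policy):
    """Flag lines that do not parse, lack an origin-id, carry an origin-id not in
    the policy, or exceed the trap level configured for their origin."""
    report = {"unparsed": [], "unmarked": [], "unknown_origin": [], "over_level": []}
    for line in lines:
        rec = parse_ios_syslog(line)
        if rec is None:
            report["unparsed"].append(line)
        elif rec["origin"] is None:
            report["unmarked"].append(rec["mnemonic"])
        elif rec["origin"] not in trap_policy:
            report["unknown_origin"].append(rec["origin"])
        elif rec["severity"] > trap_policy[rec["origin"]]:
            report["over_level"].append((rec["origin"], rec["mnemonic"]))
    return report


# Constructed sample messages as received by the syslog server on 150.1.7.201.
SAMPLE_LINES = [
    "<189>12: R1: *Jul 16 10:01:02.123: %SYS-5-CONFIG_I: Configured from console by vty0 (150.1.7.201)",
    "<190>13: R1: *Jul 16 10:01:05.456: %PKI-6-CERTRET: Certificate received from Certificate Authority",
    "<191>7: CA: *Jul 16 10:02:11.789: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: ccie): test",
    "<191>14: R1: *Jul 16 10:03:00.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: ccie): test",
    "<189>3: *Jul 16 10:04:00.000: %SYS-5-CONFIG_I: Configured from console by console",
    "<189>9: R9: *Jul 16 10:05:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LINES, TRAP_POLICY).items():
        print(f"{key}: {value}")
```

A debugging-level message marked R1 means R1's trap level is not informational as required, an unmarked message means a device is missing logging origin-id, and an unexpected origin-id is worth a look because the string is chosen by whoever controls the sending device.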

--------------------------------------------------------------------------
verify:
R1:
R17:
Task 5.2 : configure secure wireless deployment between WLC ISE SW2_P AP And wireless_client

Your configuration should meet the following requirements:

WLC:
Management interface should have address of 10.100.102.1
Configure WLAN1 with SSID podYY, where YY is your pod number as seen in your
commserver hostname.
Layer 2 security should be WPA with an ASCII-format PSK of Cisco123 (o Not Zero);
the encryption type should be AES.

SW2_P:
AP should be authenticated on port Gi1/0/7 using MAB with ISE as the RADIUS server.

ISE:
On successful authorization of AP ISE should push DACL to permit IP traffic from any source
to any destination.
ISE should authorize the session based on the NAS IP address.

AP:
Candidate may need to configure the following on AP if not pre-configured.
AP IP Address 10.100.102.33/24
AP Default Gateway 10.100.102.1
Primary controller name cciewlc
Primary controller IP 10.100.102.1

Wireless_Client:

Candidate needs to configure the following for the Wireless_Client wireless NIC.
IP Address 10.100.102.1YY/24 YY is your pod number that can be seen in your commserver
hostname
Default Gateway 10.100.102.33

Notes:
AP username/password/enable is Cisco/Cisco/Cisco and this should NOT be changed.
AP hostname ccieap should not be changed.
The Wireless_Client should associate with SSID podYY, where YY is your pod number as seen in your commserver hostname. !!! DO NOT associate with any other SSID !!!
As task verification, you should be able to ping 10.100.102.11 and 10.100.102.22 from Wireless_Client once it is connected to the podYY SSID.
Any information not provided for this task can be assumed by the candidate.

Points : 6

Solution

===================================================
Initial WLC: check the interface/network pre-config first
===================================================
Check the network pre-config:

(Cisco Controller) >config wlan disable all


(Cisco Controller) >config interface vlan management 102
(Cisco Controller) >config interface address management 10.100.102.1 255.255.255.0 10.100.102.22
(Cisco Controller) >config interface dhcp service-port disable
(Cisco Controller) >config interface address service-port 150.1.7.214 255.255.255.0
(Cisco Controller) >config network secureweb enable
(Cisco Controller) >config wlan enable all

---------------------------------------------------------------------------
Startup wizard transcript, practice only for an unconfigured WLC !!!
Would you like to terminate autoinstall? [yes]:enter
AUTO-INSTALL: starting now...
System Name [Cisco_b9:66:e0] (31 characters max): cciewlc
AUTO-INSTALL: process terminated -- no configuration loaded
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): Cisco123
Re-enter Administrative Password : Cisco123
Service Interface IP Address Configuration [static][DHCP]: static
Service Interface IP Address: 150.1.7.214
Service Interface Netmask: 255.255.255.0
Management Interface IP Address: 10.100.102.1
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.100.102.22
Management Interface VLAN Identifier (0 = untagged): 102
Management Interface Port Num [1 to 1]: 1
Management Interface DHCP Server IP Address: 10.100.102.22
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: cisco
Network Name (SSID): cisco
Configure DHCP Bridging Mode [yes][NO]: enter
Allow Static IP Addresses [YES][no]: enter
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]: us,cn
Enable Auto-RF [YES][no]: enter
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: no
Warning! No AP will come up unless the time is set.
Please see documentation for more details.
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Configuration saved!
Resetting system with new configuration...

================================================
AP initial
=================================================
CLI
ccieap#capwap ap hostname ccieap
ccieap#capwap ap ip address 10.100.102.33 255.255.255.0
ccieap#capwap ap controller ip address 10.100.102.1
ccieap#capwap ap primary-base cciewlc 10.100.102.1
ccieap#capwap ap ip default-gateway 10.100.102.1
GUI

WLC hostname
========================================================
WLC WLAN
========================================================
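The WLAN's Layer 2 security is WPA-Personal with an ASCII-format PSK. What the controller stores is not the passphrase but the 256-bit PMK derived from it, and the SSID is part of that derivation. The following is an added example (not the WLC's code and not part of the lab solution) that mirrors the WLC's "PSK format" choice: ASCII runs the IEEE 802.11 passphrase mapping (PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations), hex takes the 64-digit PMK as-is. Pod number 01 is assumed for illustration; the self-check uses the IEEE test vector.

```python
"""Added example (not part of the original lab solution): derive the PMK that
the WLC uses for WLAN1 from the ASCII PSK and the SSID, and show the hex PSK
format is the same value entered directly."""
import hashlib


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 passphrase-to-PSK mapping: 8..63 printable ASCII
    characters, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations,
    256-bit output."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)


def pmk_from_hex(hex_psk: str) -> bytes:
    """Hex PSK format: exactly 64 hex digits, i.e. the 32-byte PMK itself."""
    if len(hex_psk) != 64:
        raise ValueError("hex PSK must be 64 hex digits")
    return bytes.fromhex(hex_psk)


def wlc_psk(psk_format: str, value: str, ssid: str) -> bytes:
    """Mirror the WLC 'PSK format' selector (ascii | hex)."""
    if psk_format == "ascii":
        return pmk_from_passphrase(value, ssid)
    if psk_format == "hex":
        return pmk_from_hex(value)
    raise ValueError(f"unknown PSK format {psk_format!r}")


# IEEE 802.11 test vector for the passphrase-to-PSK mapping.
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def self_check() -> bool:
    """True when the derivation reproduces the IEEE test vector."""
    passphrase, ssid, expected = IEEE_VECTOR
    return pmk_from_passphrase(passphrase, ssid).hex() == expected


if __name__ == "__main__":
    ssid = "pod01"                                  # assumed pod number
    pmk = wlc_psk("ascii", "Cisco123", ssid)
    print(f"{ssid} PMK: {pmk.hex()}")
    # The same passphrase on a neighbouring pod's SSID gives an unrelated PMK.
    print("pod02 PMK:", wlc_psk("ascii", "Cisco123", "pod02").hex())
    # Entering the derived value as a hex PSK yields the identical key.
    print("hex form matches:", wlc_psk("hex", pmk.hex(), ssid) == pmk)
    print("IEEE vector OK:", self_check())
```

Because everything here is computable from the SSID alone, a captured four-way handshake lets an attacker test passphrase guesses offline; an 8-character value such as Cisco123 is acceptable in this lab only because the task prescribes it.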
========================================================
ISE
=========================================================
Note: the AP platform may be cisco-AIR-LAP-1602 on the real exam.

------------------------------------------------------------------------------
==================================================
PRE-CONFIG
SW1:
interface Vlan102
ip address 10.100.102.11 255.255.255.0
SW2:
interface Vlan102
ip address 10.100.102.22 255.255.255.0

----------------------------------------------------------------------
SW2:
interface GigabitEthernet1/0/7
switchport access vlan 102
switchport mode access
authentication order mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast

Note: this assumes the switch's AAA and RADIUS configuration pointing at ISE (including network authorization, which the downloadable ACL needs) is already present from the pre-config; without it MAB fails, the port stays unauthorized and the DACL is never applied.

=========================================================
Verify

===========================================================

Verify SSID
===========================================================
-------------------------------------------------------------------------------
Enabling the radio is for practice only !!! Keep the default local mode on the real exam.
Note: on a vWLC only FlexConnect mode can enable the radio.
-------------------------------------------------------------------------------
Task 5.3 : configure NTP Between R1 R2 R15 R16 and R17

Your configuration should meet the following requirements:

NTP server: R1 (reference clock).
R1, R2, R15, R16 and R17 clocks should be set up to show the PST time zone.

Points : 3

Solution

==========================================================
R1 NTP pre-config
==========================================================
clock timezone PST -8
ntp authentication-key 12 md5 13061E010803 7
ntp authenticate
ntp trusted-key 12
ntp source GigabitEthernet3
ntp master 1

=======================================================
NTP R2/R15/R16/R17
========================================================

Note: R1 is the NTP server; copy the key and the timezone (clock timezone PST -8) from R1. The trailing 7 marks the key as already type-7 encoded. The string below differs from R1's because every type-7 encoding uses its own seed, but it decodes to the same key, so pasting R1's line unchanged also works.

ntp authentication-key 12 md5 02050D480809 7


ntp authenticate
ntp trusted-key 12
ntp server 150.1.7.231 key 12

------------------------------------------------------------
Verify:
R2/R15/R16/R17
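Two things are worth seeing in working code here: what the "7" after the key actually hides, and what key 12 does on the wire. The following is an added example (not part of the lab solution) that decodes the two type-7 strings from the R1 and R2/R15/R16/R17 configs with the well-known Cisco XOR table, showing they carry the same key and that anyone who can read a running config recovers it, and then builds the NTP authenticator IOS appends under "ntp authenticate": key ID followed by MD5(key || 48-byte header) per RFC 1305/RFC 5905 symmetric-key MD5. The client packet is constructed for illustration and was not captured from the lab.

```python
"""Added example (not part of the original lab solution): decode Cisco type-7
strings and compute/verify the RFC 5905 symmetric-key MD5 NTP authenticator."""
import hashlib
import hmac
import struct

# Fixed XOR table used by the Cisco type-7 obfuscation.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

R1_KEY = "13061E010803"      # from the R1 config
PEER_KEY = "02050D480809"    # from the R2/R15/R16/R17 config


def decode_type7(encoded: str) -> str:
    """Type 7: two-digit seed, then one hex byte per plaintext character,
    each XORed with XLAT[(seed + i) % len(XLAT)]. Reversible by design."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def encode_type7(plain: str, seed: int) -> str:
    """Inverse of decode_type7; IOS picks the seed, here it is a parameter."""
    out = bytes(ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]) for i, c in enumerate(plain))
    return f"{seed:02d}" + out.hex().upper()


def ntp_client_packet() -> bytes:
    """Minimal 48-byte NTPv4 client header: LI=0, VN=4, Mode=3 (0x23),
    stratum/poll/precision/root delay/root dispersion/reference id zero,
    four 64-bit timestamps zero. Illustrative, not a captured packet."""
    return struct.pack(">BBBbIII", 0x23, 0, 0, 0, 0, 0, 0) + bytes(32)


def ntp_mac(key: bytes, packet: bytes, key_id: int) -> bytes:
    """Authenticator = key id (4 bytes) || MD5(key || packet), 20 bytes."""
    return struct.pack(">I", key_id) + hashlib.md5(key + packet).digest()


def ntp_verify(trusted_keys: dict, message: bytes) -> bool:
    """Receiver side of 'ntp authenticate' + 'ntp trusted-key': the key id
    in the MAC must be trusted and the digest must match."""
    if len(message) < 48 + 20:
        return False
    packet, mac = message[:-20], message[-20:]
    key_id = struct.unpack(">I", mac[:4])[0]
    if key_id not in trusted_keys:
        return False
    expected = hashlib.md5(trusted_keys[key_id] + packet).digest()
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    print("R1 key:", decode_type7(R1_KEY), " peer key:", decode_type7(PEER_KEY))
    key = decode_type7(R1_KEY).encode()
    pkt = ntp_client_packet()
    msg = pkt + ntp_mac(key, pkt, 12)
    print("authenticated request accepted:", ntp_verify({12: key}, msg))
    # Flip one bit inside the transmit timestamp: the MAC no longer matches.
    tampered = msg[:40] + bytes([msg[40] ^ 1]) + msg[41:]
    print("tampered request accepted:", ntp_verify({12: key}, tampered))
    print("untrusted key id accepted:", ntp_verify({11: key}, msg))
```

The practical caveat: type 7 protects nothing beyond shoulder-surfing, and MD5-keyed NTP only authenticates peers that share the key. Treat any config backup containing these lines as containing the key in clear.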
