IMPORTANT! This content is community developed and is not subject to standard dCloud verification or support. Please contact
dCloud Support for more information.
• Requirements
• Scenario Dependencies
• Topology
• Get Started
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required: Laptop
Optional: Cisco AnyConnect®
Other new features, such as configuration backup and restore, can be performed, but were left out of the lab for practical purposes.
The lab pods provide an FTD (NGFW3) that is not used in the scenarios, so students may try configuring and testing features not
covered in the lab without fear of interfering with the lab Scenarios.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 23
Cisco dCloud
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active dCloud session and
in the scenario steps that require their use.
NOTE: For simplicity, not all IP addresses and VLANs are shown.
Credentials
Login credentials are provided in line in the guide steps as needed. However, for your convenience, the following table lists the
credentials used in these scenarios.
VM Login Password
There are also several users that have been created for purposes of passive authentication and RBAC.
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
Follow the steps to schedule a session of the content and configure your presentation environment.
2. It is assumed in this guide that you are connecting to all devices from the Jumpbox RDP session, using the provided details.
NOTE: You can also connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on your
laptop [Show Me How]
Jumpbox: 198.18.133.50, Username: administrator, Password: C1sco12345
In addition to these enhancements, the student is invited to examine the improved How-To functionality.
NOTE: Chrome loads pages faster than Firefox (particularly for the FMC). However, Chrome will generate more security warnings
and will not cache credentials for NGFW2 and NGFW3. Either or both browsers can be used.
In Chrome, the bookmarks were imported from Firefox, so they are in a subfolder on the bookmark bar, as shown below.
1. On the Jumpbox, open Firefox. The homepage is the FMC UI and the credentials (login admin, password C1sco12345) will
auto-populate.
2. In the FMC, in the upper right corner, navigate to admin > User Preferences.
4. When presented with the Switch to Light Theme dialog box, select Use Light theme.
5. You will use the Light UI theme as you work through the remaining scenarios.
NOTE: If you find the new theme hard to use, you can, at any time, switch back to the classic theme. Just click admin in the upper
right of the FMC UI and select Switch to Classic Theme.
However, the instructions and screenshots in this guide are based on the Light Theme.
1. In the FMC, navigate to Policies > Access Control > Access Control. Edit the Base_Policy.
NOTE: Wild cards and name-value pairs are supported. Example: src:198.18.1*9.0
4. Note the filter icon in the search box, added in 6.5. It converts a search into a filter. Click this icon.
5. Note that only two rules are now visible. You can click the icon again to go from filter back to search.
6. While you are in the policy edit page, you can observe one more added feature. The FMC can hide columns in the rules, if you
wish. Click the cog at the upper-right of the page, and deselect the columns you wish to hide.
In the 6.3 release, a custom FMC CLI was introduced, similar to the FTD CLI. However, the default CLI if you connected by SSH
to the FMC was a Linux BASH shell. The FMC CLI needed to be enabled manually (FMC UI: System > Configuration> Console
Configuration > Enable CLI access). For this reason, familiarity with the FMC CLI was limited. In 6.5, the FMC CLI has become
the default CLI for the FMC.
2. Log in as admin, password C1sco12345. Note that you are presented with a > prompt. In 6.4 you have a shell prompt $.
3. Type ?. Note that, like the FTD, a BASH shell is available by typing expert.
a. configure ?. Note that you can change the Linux BASH shell password, the user agent password and the maximum
number of concurrent logins to the FMC.
b. show ?. Version and maximum number of concurrent logins to the FMC can be displayed
c. system ?. You can shut down or reboot the device, generate troubleshooting files, or lock down (disable)
Linux BASH shell access. Shell access is potentially dangerous and should only be used in conjunction with Cisco
support. Be aware that re-enabling the BASH shell after a lockdown requires contacting Cisco support.
As a result, customers must migrate to ISE or ISE-PIC. For customers that only require passive authentication, ISE-PIC is
sufficient. However, ISE is required for the SXP service used for the Scenario 3 Destination SGTs. From the FMC configuration
perspective, ISE and ISE-PIC integration are identical.
ISE has many mechanisms to create IP-to-user mappings. In the pods, ISE is configured to receive IP-to-user mappings from two
sources.
• 802.1x
Because it is more time consuming to work with domain members, 802.1x is used in this scenario. ISE thinks that the Jumpbox is
a switch because a RADIUS simulator is run on the Jumpbox to send 802.1x login and logoff messages to ISE.
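The simulator stands in for a switch: from ISE's point of view a user session begins and ends when RADIUS Accounting-Request packets (RFC 2866, Acct-Status-Type Start or Stop) arrive carrying User-Name and Framed-IP-Address, and that pair is the IP-to-user mapping ISE later hands to the FMC. The Python below is an added example, not the dCloud simulator's own code: it builds such packets with the RFC 2866 request authenticator, parses and verifies them the way a receiver would, and rejects packets whose shared secret or attributes do not match. The shared secret, NAS address, MAC address and session identifiers are assumptions chosen for the example.

```python
"""Build and verify RADIUS Accounting-Request packets (RFC 2866) of the kind an
802.1X switch, or the lab's RADIUS simulator, sends to ISE for Start/Stop events.
Added example; not the dCloud simulator's own code."""
import hashlib
import hmac
import os
import socket
import struct

ACCT_REQUEST = 4
# Attribute type codes from RFC 2865/2866.
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
ACCT_START, ACCT_STOP = 1, 2


def _avp(code, value):
    """One attribute-value pair: type, length (including the 2-byte header), value."""
    assert len(value) <= 253, "RADIUS attribute values are limited to 253 bytes"
    return struct.pack("!BB", code, len(value) + 2) + value


def build_acct_request(secret, identifier, user, ip, status, session_id,
                       nas_ip="198.18.133.50", mac="00-11-22-33-44-55"):
    """Assemble an Accounting-Request. nas_ip (the Jumpbox) and mac are assumptions."""
    attrs = b"".join([
        _avp(USER_NAME, user.encode()),
        _avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        _avp(FRAMED_IP_ADDRESS, socket.inet_aton(ip)),
        _avp(CALLING_STATION_ID, mac.encode()),
        _avp(ACCT_STATUS_TYPE, struct.pack("!I", status)),
        _avp(ACCT_SESSION_ID, session_id.encode()),
    ])
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    # MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header; last occurrence of a type wins."""
    attrs, pos = {}, 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[code] = bytes(packet[pos + 2:pos + length])
        pos += length
    return attrs


def verify_acct_request(packet, secret):
    """Recompute the authenticator: a wrong shared secret or a tampered attribute fails."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(bytes(packet[:4]) + bytes(16) + bytes(packet[20:]) + secret).digest()
    return hmac.compare_digest(expected, bytes(packet[4:20]))


def session_event(packet, secret):
    """Return (user, ip, 'Start'|'Stop'|'Other') if the packet authenticates, else None.
    This tuple is the IP-to-user mapping ISE learns from accounting and passes to the FMC."""
    if not verify_acct_request(packet, secret):
        return None
    a = parse_attrs(packet)
    status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
    return (a[USER_NAME].decode(), socket.inet_ntoa(a[FRAMED_IP_ADDRESS]),
            {ACCT_START: "Start", ACCT_STOP: "Stop"}.get(status, "Other"))


def send_session(sock, ise_addr, secret, user, ip, session_id):
    """Emit a Start followed by a Stop, as the StartSessions/TerminateSessions scripts do.
    ise_addr is (host, 1813); 1813/udp is the standard RADIUS accounting port."""
    for status in (ACCT_START, ACCT_STOP):
        pkt = build_acct_request(secret, os.urandom(1)[0], user, ip, status, session_id)
        sock.sendto(pkt, ise_addr)


if __name__ == "__main__":
    secret = b"C1sco12345"  # assumption: example shared secret, not a value from the guide
    pkt = build_acct_request(secret, 7, "dilbert", "198.19.10.201", ACCT_START, "sess-0001")
    print(session_event(pkt, secret))
```

To drive a real PSN, open a UDP socket and call send_session() against the ISE address on port 1813 with the shared secret configured for the network device entry in ISE; the login and logoff rows the FMC shows under Analysis > Users > User Activity correspond to the (user, ip, Start/Stop) tuples session_event() returns. Note that the authenticator is an MD5 construction keyed only by the shared secret, which is why RADIUS accounting should run on an isolated management network or inside RadSec/IPsec rather than across untrusted segments.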
Perform migration
1. In the FMC UI, click on the cog in the upper right and, under Configuration, select Integration.
2. Select Identity Sources. Observe that the identity source is now the Cisco Firepower User Agent. Also, notice the warning
about deprecation of this agent.
3. Select the Identity Services Engine tab. There is no need to delete the user agent configuration.
b. For pxGrid Server CA, click the plus (+). Enter the name dCloud-CA. Click Browse. Navigate to the Certificates
folder on the Jumpbox desktop. Open the certificate called dCloud-CA. Click Save.
d. For FMC Server Certificate, click the plus (+). Enter the name FMC-pxGrid. For Certificate Data click Browse.
Open the certificate called FMC-pxGrid. For Key Data click Browse. Open the key called FMC-pxGrid.key. Click
Save.
e. Under Subscribe To:, leave the setting as is. You will enable the SXP topic in the next lab.
4. Click Test. In the Status pop-up, open Additional Logs. Quickly review the output.
1. On the Jumpbox desktop, open the folder RADIUS Simulator. Click StartSessions, TerminateSessions and then
StartSessions again. This will generate 802.1x log in and log out events to ISE. ISE will pass the information to the FMC.
2. In the FMC UI, navigate to Analysis > Users > User Activity. You should see login and logoff activity for dilbert, rita, ira
and harry.
3. On the Jumpbox desktop, open the folder Remote Desktop. Click on the icon named Wkst1.
4. There is an access control policy rule to block members of the HR group from using SSH. You will now test that rule.
a. On the Wkst1 desktop, open the folder Users. Open the folder called NGFW1 is your gateway. The scripts change
the IP of the primary NIC on Wkst1. This allows you to simulate different users.
b. Double-click Dilbert (Engineering). Dilbert should be allowed to use SSH. Confirm this by opening PuTTY and
clicking on any of the predefined outside sessions; the FTD will detect SSH on any port. You do not need to log in,
but you can as root, password C1sco12345, if you wish.
c. Double-click Harry (HR). Harry should not be allowed to use SSH. Confirm this by opening PuTTY and clicking on
any of the predefined outside sessions. The FTD will detect SSH on any port. The connection should be reset.
Since ISE is now critical, you should enable ISE status monitoring on the FMC. This module is disabled by default.
1. In the FMC UI, click on the cog in the upper right and, under Health, select Policy.
3. For ISE Connection Status Monitor, change Enabled from Off to On. Click Save Policy and Exit.
1. On the Jumpbox, open the predefined PuTTY session to the ISE. Log in as admin, password C1sco12345. Type show
application status ise. Confirm that the SXP Engine Service is disabled.
NOTE: This is a useful command to monitor and troubleshoot the SXP service on ISE. By the end of this exercise, it should be
running.
2. Open a new tab in Firefox. Click the ISE bookmark from the bookmarks bar. The credentials (admin/C1sco12345) will be
prepopulated. Log into ISE.
3. Navigate to Work Centers > TrustSec > Components and select IP SGT Static Mapping. The IP address 198.18.133.201
will be used in this scenario as the destination; 198.19.10.201 will be used as a source. You can add more tags and static
mappings, if you wish.
4. Navigate to Work Centers > TrustSec > SXP and select All SXP Mapping. Note that the static mappings have not been
published via SXP.
5. Navigate to Work Centers > TrustSec > Settings. Select SXP Settings. Check the Publish SXP bindings on PxGrid
checkbox. Click Save.
6. When warned about the SXP service restarting, click Yes. You can monitor the restart on the ISE CLI if you wish.
7. One requirement for publishing with SXP is the existence of an SXP device. But such a device requires a PSN that is running
an SXP service. This is a stand-alone ISE deployment, so ISE is the PSN.
d. Click Save.
8. Now you will create an SXP device. The device does not exist, but at least one SXP device must be configured.
NOTE: The need for an SXP device configuration to publish IP-to-SXP mappings is a known ISE defect CSCvg26624.
a. Navigate to Work Centers > TrustSec > SXP and select SXP Devices.
b. Click + Add.
c. For name enter Dummy. For IP enter 1.1.1.1. For Connected PSNs, select ise. Set Password Type to NONE.
d. Click Save.
9. If the status of the SXP device is UNKNOWN, wait until it changes to OFF.
NOTE: This is usually fast, but can occasionally take a few minutes. If you are concerned about time, jump ahead and perform
Scenario 4 SLA Monitor for FDM. Then return and complete this scenario.
10. Navigate to All SXP Mapping. Note that the static mappings have been published via SXP.
1. In the FMC UI, click on the cog in the upper right and select Integration. Select Identity Sources.
2. Under Subscribe To:, check the SXP Topic checkbox.
3. Click Test. In the Status pop-up, open Additional Logs. Observe that the bulk download of IP-to-SGT mapping succeeded.
3. Add a rule named Block Contractors, above the first rule, to block with reset any traffic from IP addresses with SGT
Contractors to IP addresses with SGT Development_Servers. Enable logging for this rule.
2. On the Jumpbox, if it is not already open, open the predefined PuTTY session to the Inside Linux Server. Log in as root,
password C1sco12345. We will use Wget to make HTTP requests. It is similar to cURL. Run the following 3 Wget commands.
You should use the up-arrow to avoid retyping anything but the last character.
wget --bind-address=198.19.10.201 198.18.133.200
wget --bind-address=198.19.10.201 198.18.133.201
wget --bind-address=198.19.10.201 198.18.133.202
The first and last commands should succeed, but second command should fail.
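The three wget calls above are a one-off check. The following Python is an added example, not part of the lab guide, that turns the same test into a repeatable matrix: it binds to the source address (the equivalent of --bind-address), attempts an HTTP request to each destination, and classifies the outcome as allowed, reset (what a block-with-reset rule produces, seen by the client as a refused or reset connection) or timeout (a silent drop), then compares each result with the expectation from the scenario. The loopback test server at the bottom exists only so the probe logic can be exercised offline; the expectation table is built from the addresses and SGT assignments in this scenario.

```python
"""Probe the Block Contractors rule from the Inside Linux Server: open an HTTP
connection from a chosen source address to each destination and classify the
result. Added example, not part of the dCloud guide."""
import socket
import struct
import threading

# From the scenario: source 198.19.10.201 is tagged Contractors and 198.18.133.201
# is tagged Development_Servers, so only that pair should be reset by NGFW1.
EXPECTATIONS = {
    ("198.19.10.201", "198.18.133.200"): "allowed",
    ("198.19.10.201", "198.18.133.201"): "reset",
    ("198.19.10.201", "198.18.133.202"): "allowed",
}


def probe(dst_ip, dst_port=80, src_ip=None, timeout=3.0):
    """Return 'allowed', 'reset' or 'timeout'. src_ip mirrors wget --bind-address.
    A block-with-reset rule answers the SYN (or the first data) with a TCP RST, which
    surfaces here as ConnectionRefusedError/ConnectionResetError; a silent drop times out."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if src_ip:
            s.bind((src_ip, 0))
        s.connect((dst_ip, dst_port))
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + dst_ip.encode() + b"\r\n\r\n")
        data = s.recv(1024)
        return "allowed" if data else "reset"
    except ConnectionError:
        return "reset"
    except socket.timeout:
        return "timeout"
    finally:
        s.close()


def run_matrix(expectations, port=80, prober=probe):
    """Probe every (src, dst) pair; return {pair: (expected, actual, matched)}."""
    results = {}
    for (src, dst), expected in expectations.items():
        actual = prober(dst, port, src)
        results[(src, dst)] = (expected, actual, actual == expected)
    return results


def all_matched(results):
    return all(matched for _, _, matched in results.values())


def local_server(behaviour):
    """Loopback stand-in for a web server ('allowed') or a resetting firewall ('reset'),
    used only to exercise probe() offline. Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            if behaviour == "reset":
                # SO_LINGER with a zero timeout makes close() send RST instead of FIN.
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
                conn.close()
            else:
                try:
                    conn.recv(1024)
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
                finally:
                    conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for (src, dst), (expected, actual, matched) in run_matrix(EXPECTATIONS).items():
        print("%s -> %s expected %-7s got %-7s %s" % (src, dst, expected, actual,
                                                      "PASS" if matched else "FAIL"))
```

Run it as root on the Inside Linux Server (binding to 198.19.10.201 requires that address to be configured there, as it is for the wget commands). Re-running the matrix after each SXP mapping change is a quicker way to confirm the bulk download reached NGFW1 than reading the connection events, and a "timeout" where you expected "reset" tells you the rule is blocking but not resetting.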
3. You will now add a new IP SGT static mapping on ISE. It should immediately propagate to the FMC and take effect on
NGFW1.
a. Navigate to Work Centers > TrustSec > Components and select IP SGT Static Mapping. Click Add.
5. Navigate to Work Centers > TrustSec > SXP and select All SXP Mapping. Confirm that the new static mapping has been
published via SXP.
7. In the FMC, navigate to Analysis > Connections > Events. Click on Table View of Connection Events. Scroll to the right.
Observe that source and destination SGTs are included in the default view.
The objective of this scenario is to configure route tracking with the FDM.
1. On the Jumpbox, if it is not already open, open the predefined PuTTY session to the Inside Linux Server. Log in as root,
password C1sco12345.
a. Type the command netstat -rn. Note that traffic to the 1.2.3.0/24 network is directed to NGFW2 (192.19.10.2).
2. On the Jumpbox open the predefined PuTTY session to the CSR. Log in as admin, password C1sco12345.
a. Type the following commands.
config t
int g1
shut
Observe that the pings from the Inside Linux server to 1.2.3.4 stop. Wait a few seconds, the ping does not resume.
b. On the CSR, type the command no shut. Observe that the pings from the Inside Linux server to 1.2.3.4 resume.
3. On the Jumpbox, open a new tab in Firefox, and click the NGFW2 (FDM) bookmark from the bookmarks bar. The credentials
(admin/C1sco12345) will be prepopulated. Log into NGFW2.
a. Under Routing, click View Configuration. Note that there are two routes to the 1.2.3.0/24 network. The lower cost
route uses 198.18.133.111 (GW123_1) as the next hop. This is the CSR.
b. Open the FDM console, and type show route. Observe that only this lower cost route has been inserted into the
RIB. Type show track. Observe that no route tracking is configured.
1. In the FDM, navigate to Objects > SLA Monitors. Click CREATE SLA MONITOR.
f. Click OK.
c. Click OK.
a. Type show route. Observe that the route to 1.2.3.0/24 is still 198.18.133.111.
3. On the CSR, type the command shut. Observe that the pings from the Inside Linux server to 1.2.3.4 are interrupted for a few
seconds, but then resume.
a. Type show route. Observe that the route to 1.2.3.0/24 is now via 198.18.133.200.
6. Wait a few seconds. In the FDM console, run the following commands.
a. Type show route. Observe that the route to 1.2.3.0/24 is now via 198.18.133.111.
• Create an LDAP attribute map to give members of the IT group unlimited access to the Corporate LAN. All other AnyConnect
users will be restricted to the corporate webservers.
• Confirm that group policy assignment depends on the AD group of the AnyConnect user.
1. In the Remote Desktops folder on the Jumpbox desktop, click on the Wkst2 (Outside PC) link. This will connect you via
RDP to a Windows server outside the NGFW2 firewall.
2. Open the AnyConnect client on the bottom right of the desktop. Connect to NGFW2. Log in as harry, password
C1sco12345. Harry is not a member of the IT group.
3. You will be presented with a banner that says you now have access to the corporate webservers. Click Accept.
4. Open Firefox. Using the three bookmarks on the bookmark tab, confirm that you can browse the three corporate webservers.
6. In the FDM console, run the command show vpn-sessiondb anyconnect. Confirm that Harry has been assigned the group
policy WebserverGP.
7. On Wkst2, disconnect AnyConnect. Reconnect to NGFW2. Log in as rita, password C1sco12345. Rita is a member of the
IT group.
8. You will again be presented with a banner that says you now have access to the corporate webservers. Click Accept. Your
goal in this exercise is to give Rita unlimited access to the corporate network.
9. In the FDM console, run the command show vpn-sessiondb anyconnect again. Confirm that Rita has also been assigned
the group policy WebserverGP. The goal of this exercise is to give Rita a different group policy.
10. In the FDM console, run the command show running-config all aaa-server. Note that the second to the last line of output
indicates that there is no associated LDAP attribute map.
b. Confirm that the group policy associated to this connection profile is WebserverGP.
5. Edit ITaccessGP and WebserverGP. Observe that the only difference is that WebserverGP has a traffic filter.
1. In Firefox, open a new tab. Click on the NGFW2 (API Explorer) bookmark.
3. On the Jumpbox desktop, open the file LDAPattributeMap.txt. Above the dashed line is the LDAP attribute map. Inspect the
JSON. You should see that it will assign the group policy ITaccessGP to any user whose memberOf attribute contains the IT
group. Below the dashed line is a snippet of JSON that will be added to the realm configuration.
4. Copy the text above the dashed line and paste it into the body text field in the Parameters section.
3. Copy the response body and paste it into the text file you have open. Save this to help with the next task.
a. Copy the object ID ("id") value near the bottom of the modified JSON and paste it into the objId field in the
Parameters section.
b. Copy the modified JSON for the realm and paste it into the body field in the Parameters section.
3. Reconnect to NGFW2. Log in as rita, password C1sco12345. Rita is a member of the IT group.
4. You will be presented with a banner that says you now have unlimited access to the corporate LAN. Click Accept.
5. Ping the AD server at 198.19.10.100. It should succeed. You should be able to ping any corporate IP.
6. In the FDM console, run the command show vpn-sessiondb anyconnect. Confirm that Rita has been assigned the group
policy ITaccessGP.
8. You will be presented with a banner that says you now have access to the corporate webservers. Click Accept.
10. In the FDM console, run the command show vpn-sessiondb anyconnect. Confirm that Harry has been assigned the group
policy WebserverGP.
11. In the FDM console, run the command show running-config all aaa-server. Note that the second to the last line of output
indicates that the associated LDAP attribute map is ITaccessAM.
NOTE: You cannot use the JSON you retrieved from your previous ActiveDirectoryRealm GET. The version number is different.
3. Copy the response body and paste it into the text file you have open. Save this to help with the next task.
a. Copy the "id" near the bottom of the modified JSON and paste it into the objId field in the Parameters section.
b. Copy the modified JSON for the realm and paste it into the body field in the Parameters section.
5. Near the bottom of response body, copy the object ID (“id”) value.
7. Paste the object ID value into the objId text field in the parameters section.