
CCIE SECURITY V5

TABLE OF CONTENTS

Lab Guidelines (p. 8)
Lab Instructions (p. 9)
Lab Restrictions (p. 9)
About the Trainer (p. 12)
Loading Initial Config (p. 12)
Hardware and Software List (p. 13)

Section 1 – ASA Firewall (p. 14)
  Goal of the lab (p. 14)

  Lab-1.1: Basics of ASA Configuration (p. 15)
    Lab-Setup (p. 15)
    Task-1 Configure the interfaces of the ASA (p. 17)
    Task-2 Configure Telnet and SSH on the ASA (p. 23)
    Task-3 Allow Ping and ICMP (p. 28)
    Task-4 Configure a Banner on the ASA firewall (p. 32)

  Lab-1.2: Dynamic Routing Protocols (p. 33)
    Task-1 Configure EIGRP between R1 and ASA1v (p. 33)
    Task-2 Configure OSPF between R2 and ASA1v (p. 37)
    Task-3 Configure Redistribution between Routing Protocols (p. 41)

  Lab-1.3: ASA System Management (p. 45)
    Task-1 Configure ASDM for the GUI of the ASA (p. 46)

  Lab-1.4: ASA Address Translation and ACL (p. 53)
    Lab-Setup (p. 54)
    Lab-Setup (p. 61)
    Task-1 Configure Static Auto NAT on ASA1 for Web-Server1 (p. 63)
    Task-2 Configure Static Auto PAT on ASA1 for Web-Server2 (p. 65)
    Task-3 Configure Static Manual NAT on ASA1 between Web-Server3 and Inside-PC (Identity NAT) (p. 66)
    Task-4 Configure Static Auto NAT on ASA1 between the DMZ network and the DB Server (p. 70)
    Task-5 Configure Static Manual NAT on ASA1 between Outside-PC1 and Web-Server1 (Twice NAT) (p. 73)

  Lab-1.5: Contexts on the ASA firewall (p. 76)


Nitiz Sharma
CCIE SEC/DC 48846

    Lab-Setup (p. 76)
    Task1 Configure ASAp1 in Multi-Context mode (p. 79)
    Task2 Configure the class for the context (p. 83)
    Task3 Make sure R7 can ping R5 and R8 can ping R6 (p. 88)

  Lab-1.6: Active/Standby failover (R3, R4, ASAv2 & ASAv3) (p. 97)
    Lab-Setup (p. 97)
    Task1 Configure ASA for Active/Standby (p. 100)

  Lab-1.7: Active/Active failover (R9, R10, R11, R12, ASAp2 & ASAp3) (p. 109)
    Lab-Setup (p. 110)
    Task1 Configure ASA for Active/Active failover (p. 115)
    Task2 Configure context on ASAp2 (p. 116)
    Task3 Address Translation (p. 118)
    Task4 Traffic Filtering (p. 118)
    Task4 Monitor Interface (p. 133)

  Lab-1.8: ASA Clustering (p. 140)
    Task1 Configure ASA-C1 and ASA-C2 for clustering (p. 140)

  Lab-1.9: ASA Firewall IP Services (p. 142)
    Task1 Configure NTP server and client on ASA1 and DC-Router (p. 142)
    Task2 Configure DNS on ASA1 (p. 145)
    Task3 Configure Logging on ASA1 (p. 146)

Section 2 – NGFW Firewall (p. 148)
  Goal of the LAB (p. 148)

  Lab-2.1: Setting Up the Lab Environment (p. 149)
    Task1 Download FMC and FTD from cisco.com (p. 149)
    Task2 Configure FMC, FTDv1, FTDv2 and NGIPS (p. 150)
    Task3 Cisco FMC Off-Box Management for the Sensor (p. 151)
    Task4 Smart Licensing (p. 152)
    Task5 FMC Database (p. 153)
    Task6 Whois and Geolocation Search (p. 153)
    Task7 Configure the Platform settings (p. 153)
    Task8 Integration with AD (p. 153)

  Lab-2.2: FTD1/FTD2 and NGIPS Firewall Basic Configuration (p. 154)
    Task1 Register FTD1, FTD2 and NGIPS with FMC (p. 154)


    Task2 Configure FTD HA (p. 154)
    Task3 Configure FTD Routing (p. 155)
    Task4 Configure the NGIPS Rule (p. 155)
    Task5 Deploy the configuration (p. 155)

  Lab-2.3: Connect the LAN user to the DMZ (p. 156)
    Task1 NAT policy (p. 156)
    Task2 Testing connectivity to Servers (p. 157)
    Task3 Configure the Access Policy with a pre-filter rule (p. 157)
    Task4 Configure the Access Policy with an Allow rule for ICMP (p. 157)
    Task5 Testing connectivity to Servers (p. 159)
    Task6 Configure the Access Policy with an Allow rule for HTTP (p. 159)
    Task7 Testing connectivity to Servers (p. 159)
    Task8 Configure the Access Policy with an Allow rule for FTP (p. 160)
    Task9 Testing connectivity to Servers (p. 160)
    Task10 Configure the Access Policy with a Block rule for the Geolocation of Germany (p. 160)
    Task11 Testing connectivity to Servers (p. 161)

  Lab-2.4: Configure File and Malware Policy (p. 161)
    Task1 Configure a new file policy named "PDF-Malware" to block PDF files (p. 162)
    Task2 Use the same "PDF-Malware" file policy to block any malware (p. 162)
    Task3 Call the policy in the access control policy (p. 162)

  Lab-2.5: Configure URL Filtering Policy (p. 162)
    Task1 Block Gambling Content (p. 163)
    Task2 Block Social Media Content (p. 163)
    Task3 Allow Facebook access for Client-PC (p. 164)

  Lab-2.6: Configure SSL Policy (p. 164)
    Task1 Self-Signed Certificate (p. 164)
    Task2 Create the SSL Policy (p. 165)
    Task3 Apply the SSL Policy to the ACP (p. 166)
    Task4 FMC Certificate (p. 166)

Section 3 – VPN (p. 166)
  Goal of the LAB (p. 166)

  Lab-3.1: Site to Site VPN (p. 167)
    Lab-Setup (p. 167)
Lab-Setup ...................................................................................................................................................................... 167

    Task1 Site to Site IPsec VPN (IOS-IOS) R51-R53 (p. 172)
    Task2 Site to Site IPsec VPN Aggressive Mode (IOS-IOS) R51-R53 (p. 201)
    Lab-Setup (p. 201)

  Lab-3.2: Certificate Authority with crypto route (p. 207)
    Lab-Setup (p. 208)
    Task1 Configure NTP (p. 214)
    Task2 IOS Certificate Authority (p. 217)
    Task3 Enroll with the CA - R53 and R54 (p. 219)
    Task4 Configure the IPsec tunnel between R53 and R54 (p. 224)

  Lab-3.3: GRE (p. 229)
    Task1 GRE Tunnel (p. 230)
    Task2 GRE Tunnel over IPsec (p. 236)

  Lab-3.4: DMVPN (p. 247)
    Lab-Setup (p. 249)
    Task1 DMVPN Phase 1 Basic Configuration (p. 254)
    Task2 DMVPN Phase 1 with EIGRP (p. 260)
    Task3 DMVPN Phase 1 Encrypt the Tunnel Using IPsec (p. 267)
    Task4 DMVPN Phase 2 with EIGRP (p. 267)
    Task5 DMVPN Phase 3 with EIGRP (p. 280)

  Lab-3.5: SSL Clientless VPN (p. 293)
    Task1 Perform SSL Clientless VPN (p. 293)

  Lab-3.6: Cisco AnyConnect with IKEv2 (p. 308)
    Task1 Perform AnyConnect Client-based VPN (p. 309)

  Lab-3.7: GETVPN with VRF Aware (p. 310)
    Task1 Perform GETVPN on Key Server and Group Member (p. 311)

  Lab-3.8: FlexVPN (p. 352)
    Task-1 Configure R14, R15 and R16 (p. 352)
    Task-2 Site to Site with PSK - FlexVPN – IKEv2 (p. 354)

Section 4 – ISE (p. 363)
  Goal of the lab (p. 364)

  Lab-4.1: ISE Installation (Optional) (p. 365)
    Task1 Access the Cisco ISE (p. 366)

    Task2 Check the application status (p. 367)
    Task3 Check the NTP status (p. 368)
    Task4 Check the DNS lookup (p. 369)
    Task5 Check the Application (p. 370)
    Task6 Check the ISE version, interface details and routing (p. 370)
    Task7 Check the timezone and clock (p. 373)
    Task8 Reset the Password for the GUI to Sanfran!1234 (p. 374)

  Lab-4.2: Administrative access to ISE (p. 375)
    Task1 Set up administrative access to ISE (p. 375)
    Task2 Set up Helpdesk user access to ISE (p. 382)

  Lab-4.3: Integration with Active Directory (p. 389)
    Task1 Set up ISE with Active Directory (p. 389)
    Task2 Set up ISE with Active Directory (p. 396)

  Lab-4.4: Configure the DC-Router for SSH Authentication (p. 399)
    Task Set up Authorization and Authentication on the router (p. 399)

  Lab-4.4: Cisco TrustSec (p. 423)
    Task Configure the CTS SXP relationship between TrustSec-ASA and SW_P (p. 423)

  Lab-4.5: Configure ISE for MAB (p. 438)
    Task Configure MAC Authentication Bypass on the Switch and use ISE as the Authentication Server (p. 438)

  Lab-4.6: Configure ISE for MAB VLAN Authorization (p. 454)
    Task Configure MAC Authentication Bypass on the Switch and use ISE as the Authorization Server (p. 454)

  Lab-4.7: Configure MAB-PC to Access Server 3 and Server 4 (p. 464)

  Lab-4.8: Configure ISE and ASA for TrustSec Classification and Enforcement (p. 469)
    Task1 Configure ISE SGT tag (p. 469)
    Task2 Configure ASA for ACL (p. 475)
    Task3 Configure ISE for TrustSec (p. 477)

  Lab-4.9: Configure ISE for Dot1x (p. 486)
    Task1 Configure Dot1x user for authentication (p. 486)
    Task2 Configure 802.1X VLAN assignment (p. 510)

  Lab-4.10: Configure WLC with AP (p. 531)
    Task1 Configure the Access Point with a static IP (p. 532)
    Task2 Configure the Switch for the AP (p. 533)

    Task3 Configure WLC (p. 535)
    Task3 Authenticate the AP with ISE using MAB (p. 541)

  Lab-4.11: Cisco AnyConnect with IKEv2 (p. 549)
    Task1 Perform AnyConnect Client-based VPN (p. 549)

Section 5 – WSA (p. 555)
  Goal of the LAB (p. 555)

  Lab-5.1: WSA Bootstrapping (p. 556)
    Task1 Perform WSA initial configuration via CLI (p. 556)
    Task2 Perform WSA initial configuration via GUI (p. 556)

  Lab-5.2: WSA Integration with AD (p. 557)
  Lab-5.3: WCCP configuration on the Router and WSA (p. 557)
  Lab-5.4: Creating a URL list for allowing and blocking traffic (p. 557)
  Lab-5.5: Create the Quota-based policies (p. 557)
  Lab-5.6: Creating the Identification profile for allowing Mozilla Firefox (p. 557)
  Lab-5.7: Creating the Identification profile for blocking Internet Explorer (p. 557)
  Lab-5.8: Access policies on WSA (p. 557)

Section 6 – StealthWatch (p. 558)
  Lab-6.1: Set up the StealthWatch appliance tool (p. 558)
  Lab-6.2: Set up the StealthWatch Management Console (p. 558)
  Lab-6.3: Set up the StealthWatch Flow Collector (p. 558)
  Lab-6.4: Adding the Flow Collector to the SMC (p. 558)
  Lab-6.5: Configuring NetFlow on Router, Switch and ASA (p. 558)
  Lab-6.6: Organizing hosts and host groups (p. 558)

  Lab-6.7: Analyzing the flows (p. 558)
  Lab-6.8: Creating custom policies (p. 559)
  Lab-6.9: Set up the StealthWatch Flow Collector (p. 559)
  Lab-6.10: Configuring backup (p. 559)

LAB GUIDELINES

The following scenarios are practice labs designed to test your readiness for the Cisco Systems CCIE Security Lab Exam. Remember, however, that these practice labs should be used as a learning tool. Instead of rushing through the labs to complete all the configuration steps, take the time to research the networking technology and gain a deeper understanding of the principles behind its operation. For each lab of the CCIE Security Practice Labs Workbook, follow these guidelines:

- Read the entire lab before starting the configuration, and correlate tasks within a section to get a complete overview of the lab objectives.
- There are dependencies between tasks of the same section and between tasks from different sections. Read carefully through the whole lab to identify them and make notes of them.
- The lab consists of seven sections that do not necessarily need to be completed in the presented order. However, some tasks must be completed before others (such as initialization of the ASA firewalls).
- Some tasks present a set of requirements for implementing a technology, and some tasks present outputs to be matched.
- Labs include both configuration and troubleshooting tasks; the number of faults relevant to each troubleshooting task may or may not be specified.


- Before starting, verify that all equipment is functional and powered up, and that you can access it at the console.
- Routers and switches are preconfigured; do not change their configuration unless specifically allowed by the task. On troubleshooting tickets, you may change any of the initial configurations.
- IPv4/IPv6 static and default routes are allowed to complete any task, but only if this is the only available option, and unless otherwise stated in the task.
- Make sure you do not lock yourself out of any device, because password recovery or device reset is not available in the lab.
- At the end of the lab, ensure that all devices are accessible at the console by using the preconfigured credentials or the ones given in specific task requirements.

LAB INSTRUCTIONS

Before you begin, make sure that the initial configuration scripts for each lab have been applied. If you have any questions related to the scenario solutions, send an email to our support team at techlabs@netmetric-solutions.com. Refer to the attached physical and logical diagrams of each lab for interface and protocol assignments. Upon lab completion, end-to-end IPv4 connectivity is not a requirement unless specifically asked for, but you are required to meet the task requirements and restrictions.

LAB RESTRICTIONS

Each lab scenario contains explicit general restrictions that you must conform to while configuring
the lab. These restrictions are defined in the introductory section for each scenario. Examples of
such restrictions include, but are not limited to, not adding additional IP addressing, not changing
the default authentication methods, etc. There may also be certain restrictions for particular tasks
within a lab scenario. Examples of these restrictions include, but are not limited to, not issuing a
particular configuration command, not using the legacy configuration for a technology, etc.


TIP

You may do whatever is necessary to complete a task unless the general requirements for the lab
scenario or the specific requirements for the task explicitly prohibit you from doing so. All routers
and switches are accessible at the console without requiring any authentication; do not change this.
To access other devices within the lab, use the following tables as a reference:

Device                       Username          Password       IP            Notes
Candidate-PC                 student username  Sanfran@1234   150.1.7.20
CA-Server                    administrator     Sanfran@1234   150.1.7.160
Esxi-Server                  root              Sanfran@1234   150.1.7.161
SW_P (3850)                  admin             Sanfran@1234   150.1.7.162   Enable password: Sanfran@1234
DC-Router                    admin             Sanfran@1234   150.1.7.163   Enable password: Sanfran@1234
AD-DNS                       administrator     Sanfran@1234   150.1.7.164
Client-PC                    administrator     Sanfran@1234   150.1.7.165
ASA1                         admin             Sanfran@1234   150.1.7.166
FTP-Server                   admin             Sanfran@1234   150.1.7.167
WLC                          admin             Sanfran1234    150.1.7.168
TrustSec-ASA                 admin             Sanfran@1234   150.1.7.169   (If needed)
WSA-PC                       admin             Sanfran@1234   150.1.7.170
MAB-PC                       mab               Sanfran@1234   150.1.7.171
DOT1x-PC                     Dot1x             Sanfran@1234   150.1.7.172
Eve-NG                       admin             Sanfran1234    150.1.7.174
FMC                          admin             Sanfran@1234   150.1.7.175
FTD1                         admin             Sanfran@1234   150.1.7.176
NGIPS                        admin             Sanfran@1234   150.1.7.177
ISE-P                        admin             Sanfran@1234   150.1.7.179
FTD2                         admin             Sanfran@1234   150.1.7.178
R100                         admin             Sanfran@1234   150.1.7.180
R200                         admin             Sanfran@1234   150.1.7.181
R300                         admin             Sanfran@1234   150.1.7.182
Guest-PC                     admin             Sanfran@1234   150.1.7.183
R51                          admin             Sanfran@1234   150.1.7.184
R52                          admin             Sanfran@1234   150.1.7.185
R53                          admin             Sanfran@1234   150.1.7.186
R54                          admin             Sanfran@1234   150.1.7.187
WSA                          admin             Sanfran@1234   150.1.7.188
ISE-S                        admin             Sanfran@1234   150.1.7.189
StealthWatch-SMC             admin             Sanfran@1234   150.1.7.195
StealthWatch-Flow Collector  admin             Sanfran@1234   150.1.7.196
Jumper-PC                    admin             Sanfran@1234   150.1.7.199

ABOUT THE TRAINER

Nitiz Sharma

Senior Technical Instructor. Cisco 2 x CCIE # (DC/Sec)

Over 13 years of experience in Cisco network technology, including more than 6 years of proficiency in Cisco Data Centre and Security network implementation, installation, configuration, support and maintenance. Strong hands-on experience with Cisco products such as ASA, NGFW Firepower, ISE, WSA, ESA, VPN, StealthWatch, Umbrella, SD-WAN, SDA, Cisco ACI, Nexus, UCS and Cloud Centre, as well as VMware 6.X.

LOADING INITIAL CONFIG

All the devices can be loaded with the initial script by logging into the ESXi server with the username and password listed in the reference sheet. Once logged in, revert the Base-config snapshot for every device (VM) present on the server. You should have received a video from techlabs@netmetric-solutions.com showing how to revert the snapshot; if not, contact support immediately before doing any experiment.

HARDWARE AND SOFTWARE LIST

• Virtual Machines
  • Security Appliances
    • Cisco Identity Services Engine (ISE): 2.4
    • Cisco Web Security Appliance (WSA): 10.1.0
    • Cisco Wireless Controller (WLC): 8.2.130.0
    • Cisco Firepower Management Center Virtual Appliance: 6.2.3
    • Cisco Firepower NGIPSv: 6.2.3
    • Cisco Firepower Threat Defense: 6.2.3
  • Core Devices
    • IOSv L2: 15.2
    • IOSv L3: 15.5(2)T
    • Cisco CSR 1000V Series Cloud Services Router: 3.16.02.S
    • Cisco Adaptive Security Virtual Appliance (ASAv): 9.8(3)
  • Others
    • Test PC: Microsoft Windows 7
    • Active Directory: Microsoft Windows Server 2012
    • AnyConnect 4.2
• Physical Devices
  • Cisco Catalyst Switch
    • WS-C3850-24U 03.07.04E
  • Cisco Adaptive Security Appliance
    • 5516-X: 9.8(2)4
  • Cisco Aironet
    • 3500 Series

Section 1 – ASA Firewall

GOAL OF THE LAB

The most common and effective way to implement a security domain is to place a firewall at the boundary between the trusted and untrusted parts of a network.

Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network.

In this section we will configure all the firewall-related labs and consolidate the concepts.

LAB-1.1: - BASIC OF ASA CONFIGURATION

LAB-SETUP

• Configure R1 and R2 with the IP addresses mentioned in the table
• Configure Telnet on the respective routers using password “cisco”

Device   Interface   IP
R1       Fa0/0       10.1.1.10/24
         Loopback0   1.1.1.1/24
R2       Fa0/0       20.1.1.10/24
         Loopback0   2.2.2.2/24

Configuration of Router

R1:

hostname R1
interface f0/0
no shutdown
ip address 10.1.1.10 255.255.255.0

interface loop0
ip address 1.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

line vty 0 4
password cisco
transport input all
login

enable secret cisco

R2:

hostname R2
interface f0/0
no shutdown
ip address 20.1.1.10 255.255.255.0

interface loop0
ip address 2.2.2.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.1.1

line vty 0 4
password cisco
transport input all
login

enable secret cisco

TASK-1 CONFIGURE THE INTERFACE OF ASA

• Configure ASAv1 with the following settings:
  o Hostname: ASAv1
  o Interface: gi0/0 – name - outside – ip 20.1.1.1/24 – sec-level 0
  o Interface: gi0/1 – name - inside – ip 10.1.1.1/24 – sec-level 100
  o Configure the ASA with a default route towards R2 and a static route towards R1
  o On R1 and R2, configure the default routes pointing to the ASA.
  o Configure Telnet on R1 and R2, use password “cisco”.
  o Use enable secret password “cisco”

Verification

• Check the ARP table on R1, R2 and ASAv-FW
• Ping 10.1.1.1 from R1
• Ping 20.1.1.1 from R2
• Check Telnet 20.1.1.10 from R1
• Check Telnet 2.2.2.2 /source lo0 from R1
• Ping 20.1.1.10 from R1
• Ping 10.1.1.10 from R2
• Telnet 10.1.1.10 from R2

Configuration of Firewall

ASAv1:

hostname ASAv1

interface g0/0
no shutdown
nameif outside
security-level 0
ip address 20.1.1.1 255.255.255.0

interface g0/1
no shutdown
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 20.1.1.10
route inside 1.1.1.0 255.255.255.0 10.1.1.10

Verifications:

R1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/39/64 ms

R2#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/51/72 ms

ASAv1# show arp
outside 20.1.1.10 c202.5608.0000 34
inside 10.1.1.10 c201.5757.0000 187

R1#telnet 20.1.1.10
Trying 20.1.1.10 ... Open
User Access Verification
Password:
R2>

ASAv1# show conn
1 in use, 1 most used
TCP outside 20.1.1.10:23 inside 10.1.1.10:15427, idle 0:00:52, bytes 102, flags UIO

R1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open
User Access Verification
Password:
R2>

ASAv1# show conn
1 in use, 1 most used
TCP outside 2.2.2.2:23 inside 10.1.1.10:55738, idle 0:00:03, bytes 106, flags UIO

R1#telnet 2.2.2.2 /source-interface loopback 0
Trying 2.2.2.2 ... Open
User Access Verification
Password:
R2>

ASAv1# show conn
1 in use, 1 most used
TCP outside 2.2.2.2:23 inside 1.1.1.1:17916, idle 0:00:21, bytes 102, flags UIO

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#ping 20.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#telnet 1.1.1.1
Trying 1.1.1.1 ...
% Connection timed out; remote host not responding

R2#telnet 10.1.1.10
Trying 10.1.1.10 ...
% Connection timed out; remote host not responding

Telnet from R1 succeeds because a TCP session initiated from the higher-security inside interface is recorded in the connection table (show conn) and its return traffic is permitted. The pings fail because ICMP is not inspected by default, so the echo replies arriving on outside have no matching connection and are dropped; sessions initiated from outside are denied by the security-level default until an access list permits them.

TASK-2 CONFIGURE THE TELNET AND SSH ON ASA

• Configure ASAv1 with the following settings:
  o Create the objects named R1-loop and R2-loop for 1.1.1.1 & 2.2.2.2
  o Create the object-group named TELNET-SSH for the telnet and ssh services
  o Create the ACL with name OUT-IN
  o We are allowed to add only one access-list line to allow telnet and ssh
  o Enable Telnet on the ASA inside and outside interfaces
  o Enable SSH on the ASA inside and outside interfaces
  o Make sure that SSH users are logged out after 10 minutes of inactivity
  o Create the username admin with password cisco and privilege 15, and create the RSA key with 1024 bits
  o Use domain-name cisco.com.

Verification

• Telnet 10.1.1.1 (inside interface of the ASA) from R1
• Telnet 20.1.1.1 (outside interface of the ASA) from R2
• SSH 10.1.1.1 (inside interface of the ASA) from R1
• SSH 20.1.1.1 (outside interface of the ASA) from R2
• Telnet 1.1.1.1 from R2 with source loopback 0

Configuration of ASA Firewall

ASAv1:

object network R1-loop
host 1.1.1.1
object network R2-loop
host 2.2.2.2

object-group service TELNET-SSH tcp
port-object eq telnet
port-object eq ssh

access-list OUT-IN extended permit tcp object R2-loop object R1-loop object-group TELNET-SSH
access-group OUT-IN in interface outside

telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
passwd cisco

domain-name cisco.com
crypto key generate rsa modulus 1024
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
username admin password cisco privilege 15
aaa authentication ssh console LOCAL

The ssh timeout 10 line implements the 10-minute idle logout required by the task; without it the ASA keeps its default SSH idle timeout of 5 minutes.

Verifications:

R1#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
User enable_1 logged in to ASAv1
Logins over the last 1 days: 2. Last login: 11:05:33 UTC Aug 28 2018 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ASAv1>

R1#ssh -l admin 10.1.1.1
Password:
User admin logged in to ASAv1
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ASAv1>

R2#telnet 20.1.1.1
Trying 20.1.1.1 ...
% Connection timed out; remote host not responding

“Telnet is not going to happen on the Outside interface of the ASA firewall”: the ASA does not accept Telnet sessions to itself on its lowest-security interface (here outside, security-level 0), so the connection times out.

R2#ssh -l admin 20.1.1.1
Password:
User admin logged in to ASAv1
Logins over the last 1 days: 2. Last login: 18:39:30 UTC Aug 28 2018 from 10.1.1.10
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ASAv1>

R2#telnet 1.1.1.1 /source-interface loopback 0
Trying 1.1.1.1 ... Open
User Access Verification
Password:
R1>

ASAv1# show conn
2 in use, 2 most used
TCP outside 2.2.2.2:11605 inside 1.1.1.1:23, idle 0:00:22, bytes 102, flags UIOB

TASK-3 ALLOW PING AND ICMP

• Configure ASAv1 with the following settings
  o Ping is allowed from Inside to Outside
  o Create the ACL with name i-o-icmp
  o Ping is allowed from Outside to Inside
  o Create the ACL with name o-i-icmp
  o The ACL should be host or network specific.

Configuration of ASA Firewall

Permit ICMP from R2 loopback to R1 loopback

R2#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)

ASAv1:

access-list OUT-IN extended permit icmp host 2.2.2.2 host 1.1.1.1 echo
access-group OUT-IN in interface outside

R2#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/12 ms

Permit ICMP from R1 loopback to R2 loopback

***NOTE: In the previous step, we allowed ICMP only from R2 to R1. If R1 sends ICMP to R2, the echo leaves through the outside interface (permitted by the security levels), but the echo-reply arriving on outside is not allowed by ASAv1, so the ping fails. ***

R1#ping 2.2.2.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)

ASAv1:

access-list OUT-IN extended permit icmp host 2.2.2.2 host 1.1.1.1 echo-reply
access-group OUT-IN in interface outside

R1#ping 2.2.2.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

ASAv1# show conn
2 in use, 2 most used
ICMP outside 2.2.2.2:0 inside 1.1.1.1:9, idle 0:00:00, bytes 19008, flags

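The verification results of Task-1 (Telnet from inside succeeds, pings and connections from outside fail), the single access-list line of Task-2 and the two ICMP entries of Task-3 all follow from the same few ASA rules: the security-level default, an inbound ACL replacing that default on the interface it is applied to, TCP return traffic accepted from the connection table, and ICMP not being tracked unless inspect icmp is enabled. The Python model below is an added example, not part of this workbook or of Cisco code; it replays the lab's verification steps with the addresses from the setup and also shows the to-the-box Telnet restriction on the lowest-security interface seen in Task-2. The Packet and Ace classes, the inspect_icmp switch and the source port numbers are constructed for the example.

```python
"""Model of the ASA default forwarding policy seen in Lab-1.1 Tasks 1-3 (constructed
example, not ASA code). Interfaces carry security levels; an inbound ACL on the ingress
interface replaces the level-based default; TCP return traffic is accepted from the
connection table; ICMP replies are tracked only when inspect icmp is enabled (it is not
in the lab, which is why Task-3 needs an explicit echo-reply entry)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'any' matches every host; empty ports/type match all."""
    proto: str
    src: str
    dst: str
    ports: frozenset = frozenset()
    icmp_type: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (not self.ports or p.dport in self.ports)
                and (not self.icmp_type or self.icmp_type == p.icmp_type))


class Asa:
    def __init__(self, levels: dict, inspect_icmp: bool = False):
        self.levels = levels              # e.g. {"inside": 100, "outside": 0}
        self.acls = {}                    # interface -> [Ace] applied "in"
        self.inspect_icmp = inspect_icmp
        self.conns = set()                # tracked flows, keyed in the forward direction

    def access_group(self, iface: str, aces: list) -> None:
        self.acls[iface] = list(aces)

    @staticmethod
    def _key(p: Packet, reverse: bool = False) -> tuple:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto, b, a) if reverse else (p.proto, a, b)

    def forward(self, ingress: str, egress: str, p: Packet) -> bool:
        """True if the packet is forwarded from ingress to egress, False if dropped."""
        # 1. Reply of a tracked flow: accepted regardless of ACL or security level.
        if (p.proto == "tcp" or self.inspect_icmp) and self._key(p, True) in self.conns:
            return True
        # 2. New flow: inbound ACL if one is applied, else higher -> lower security only.
        if ingress in self.acls:
            allowed = any(ace.matches(p) for ace in self.acls[ingress])
        else:
            allowed = self.levels[ingress] > self.levels[egress]
        # 3. Track TCP always; track ICMP echo only when inspect icmp is on.
        if allowed and (p.proto == "tcp" or (self.inspect_icmp and p.icmp_type == "echo")):
            self.conns.add(self._key(p))
        return allowed

    def to_box_allowed(self, proto: str, iface: str) -> bool:
        """Sessions to the ASA itself: Telnet is refused on the lowest-security interface."""
        return not (proto == "telnet" and self.levels[iface] == min(self.levels.values()))


def lab_1_1_scenarios() -> dict:
    """Replays the workbook's verification steps; returns {step: forwarded?}."""
    r1, r1_lo, r2, r2_lo = "10.1.1.10", "1.1.1.1", "20.1.1.10", "2.2.2.2"
    asa, out = Asa({"inside": 100, "outside": 0}), {}
    def i2o(p): return asa.forward("inside", "outside", p)
    def o2i(p): return asa.forward("outside", "inside", p)
    # Task-1: security levels only, no ACL.
    out["t1 telnet R1->R2"] = i2o(Packet(r1, r2, "tcp", 15427, 23))
    out["t1 telnet reply R2->R1"] = o2i(Packet(r2, r1, "tcp", 23, 15427))
    out["t1 telnet R2->R1"] = o2i(Packet(r2, r1, "tcp", 40000, 23))
    i2o(Packet(r1, r2, "icmp", icmp_type="echo"))
    out["t1 ping reply R2->R1"] = o2i(Packet(r2, r1, "icmp", icmp_type="echo-reply"))
    # Task-2: the one ACE built from the two objects and the TELNET-SSH group.
    asa.access_group("outside", [Ace("tcp", r2_lo, r1_lo, frozenset({22, 23}))])
    out["t2 telnet R2-loop->R1-loop"] = o2i(Packet(r2_lo, r1_lo, "tcp", 11605, 23))
    out["t2 telnet R2->R1 not in ACL"] = o2i(Packet(r2, r1, "tcp", 40001, 23))
    out["t2 telnet to ASA outside"] = asa.to_box_allowed("telnet", "outside")
    out["t2 ssh to ASA outside"] = asa.to_box_allowed("ssh", "outside")
    # Task-3: echo inbound for R2->R1 pings, echo-reply inbound for R1->R2 pings.
    asa.access_group("outside", asa.acls["outside"] + [Ace("icmp", r2_lo, r1_lo, icmp_type="echo")])
    out["t3 ping R2-loop->R1-loop"] = o2i(Packet(r2_lo, r1_lo, "icmp", icmp_type="echo"))
    i2o(Packet(r1_lo, r2_lo, "icmp", icmp_type="echo"))
    out["t3 reply before echo-reply ACE"] = o2i(Packet(r2_lo, r1_lo, "icmp", icmp_type="echo-reply"))
    asa.access_group("outside", asa.acls["outside"] + [Ace("icmp", r2_lo, r1_lo, icmp_type="echo-reply")])
    out["t3 reply after echo-reply ACE"] = o2i(Packet(r2_lo, r1_lo, "icmp", icmp_type="echo-reply"))
    # Not used by the workbook: with inspect icmp the echo is tracked and no ACE is needed.
    asa2 = Asa({"inside": 100, "outside": 0}, inspect_icmp=True)
    asa2.forward("inside", "outside", Packet(r1_lo, r2_lo, "icmp", icmp_type="echo"))
    out["inspect icmp: reply tracked"] = asa2.forward("outside", "inside", Packet(r2_lo, r1_lo, "icmp", icmp_type="echo-reply"))
    return out
```

Running lab_1_1_scenarios() returns True for the steps the workbook shows succeeding and False for the ones it shows timing out; the last entry shows the alternative of enabling inspect icmp, which makes the echo-reply entry unnecessary because the echo is then tracked like a TCP connection.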

TASK-4 CONFIGURE BANNER ON THE ASA FIREWALL

• Configure ASAv1 with the following settings:
  o Configure a banner message that is displayed on a successful remote connection via SSH.
  o The banner should include the following message:
    *
    Welcome to Netmetric-Solutions
    Only authorized users are allowed to connect.
    *

Configuration of ASA Firewall

ASAv1:

banner motd *
banner motd Welcome to Netmetric-Solutions
banner motd Only authorized users are allowed to connect
banner motd *

Verification:

ASA1(config)# show banner
motd:
Welcome to Netmetric-Solutions
Only authorized users are allowed to connect

LAB-1.2: - DYNAMIC ROUTING PROTOCOL

TASK-1 CONFIGURE EIGRP BETWEEN R1 AND ASA1V

• Remove the default route from R1 and the static route from ASA1v.
• Configure EIGRP AS 10 on R1 and ASA1v.
• Advertise the Loopback and 10.1.1.0 networks in the AS.
• EIGRP messages should be authenticated using MD5 with key “CCNP” and key-id 1 on ASAv1.
• Create the key chain and key string named “CCNP” along with key 1 on R1.

Verification

• Check the EIGRP neighbourship
• Check the routes on ASAv1 and R1

Configuration on Router

R1:

no ip route 0.0.0.0 0.0.0.0 10.1.1.1

R2:

no ip route 0.0.0.0 0.0.0.0 20.1.1.1

Configuration on ASA

ASAv1:

ASAv1(config)#show running-config route
route outside 0.0.0.0 0.0.0.0 20.1.1.10 1
route inside 1.1.1.0 255.255.255.0 10.1.1.10 1

ASAv1(config)# no route outside 0.0.0.0 0.0.0.0 20.1.1.10 1
ASAv1(config)# no route inside 1.1.1.0 255.255.255.0 10.1.1.10 1

R1-ASA: EIGRP

R1:

router eigrp 10
network 1.1.1.0 0.0.0.255
network 10.1.1.10 0.0.0.0
no auto-summary

key chain CCNP
key 1
key-string CCNP

interface FastEthernet0/0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 CCNP

ASAv1:

router eigrp 10
no auto-summary
network 10.1.1.1 255.255.255.255

interface GigabitEthernet0/1
authentication key eigrp 10 CCNP key-id 1
authentication mode eigrp 10 md5

Verification:

ASAv1#show eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
0 10.1.1.10 inside 13 00:01:12 21 200 0 3

ASAv1(config-if)# show route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

D 1.1.1.0 255.255.255.0 [90/130816] via 10.1.1.10, 00:01:02, inside

TASK-2 CONFIGURE OSPF BETWEEN R2 AND ASA1V

• Remove the Default route from R1 and static route from ASA1v.
• Configure OSPF Area 0 on the outside interface.
• Authenticate using interface authentication with the password “CCNP” and key ID 1.
• Use 20.20.20.20 as the OSPF Router ID on ASA1v.
• Use 2.2.2.2 as the Router ID on R2.

Verification

• Check the OSPF neighbourship
• Check the routes on ASAv1 and R2

Configuration on ASA

ASAv1:

router ospf 1
router-id 20.20.20.20
network 20.1.1.1 255.255.255.255 area 0

interface GigabitEthernet0/0
ospf authentication message-digest
ospf message-digest-key 1 md5 CCNP

Configuration on Router

R2:

router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 2.2.2.0 0.0.0.255 area 0
network 20.1.1.10 0.0.0.0 area 0

interface FastEthernet0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNP

Verifications:

ASAv1# show ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/BDR 0:00:31 20.1.1.10 outside

ASAv1# show route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

O 2.2.2.2 255.255.255.255 [110/11] via 20.1.1.10, 00:00:58, outside

R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
20.20.20.20 1 FULL/DR 00:00:37 20.1.1.1 FastEthernet0/0

TASK-3 CONFIGURE REDISTRIBUTION BETWEEN ROUTING PROTOCOLS

• Configure route redistribution between OSPF and EIGRP, so that the entire network gains full reachability.

Configuration on Firewall

Redistribute between OSPF and EIGRP on ASAv1

ASAv1:

router eigrp 10
redistribute ospf 1 metric 10000 100 255 1 1500

router ospf 1
redistribute eigrp 10 subnets

Verification:

R1:

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
D EX 2.2.2.2 [170/307200] via 10.1.1.1, 00:01:04, FastEthernet0/0
20.0.0.0/24 is subnetted, 1 subnets
D EX 20.1.1.0 [170/307200] via 10.1.1.1, 00:01:04, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0

R2:

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
O E2 1.1.1.0 [110/20] via 20.1.1.1, 00:02:32, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback0
20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.1.1.0 [110/20] via 20.1.1.1, 00:02:32, FastEthernet0/0

R2#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/44 ms

R2#telnet 1.1.1.1 /source-interface loopback 0
Trying 1.1.1.1 ...  Open
User Access Verification
Password:
R1>

R1#ping 2.2.2.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/19/32 ms

R1#telnet 2.2.2.2 /source-interface loopback 0
Trying 2.2.2.2 ... Open
User Access Verification
Password:
R2>

LAB-1.3: - ASA SYSTEM MANAGEMENT

TASK-1 CONFIGURE ASDM FOR THE GUI OF ASA

• Use ASA1 and the candidate-pc for this task.
• The ASDM image is present on the candidate-pc in the c:/TFTP-Root folder.
• Push the ASDM image to the ASA1 flash using the TFTP server.
• The TFTP server (SolarWinds) is present on the desktop.
• Use the Management interface for pushing the ASDM image to the ASA.
• Once the ASDM image is in the flash, configure it before the first use.

Device   Interface    IP            Nameif   Security-level
ASA1     management   150.1.7.166   mgmt     100

Configuration on Firewall

Start by checking the flash of ASA1

ASA1# show flash:
--#-- --length-- -----date/time------ path
12 4096 Aug 13 2018 13:08:52 smart-log
16 7937 Aug 18 2018 10:02:14 smart-log/agentlog
7 4096 Aug 13 2018 13:07:52 log
9 500 Aug 17 2018 11:43:22 log/asa-appagent.log
10 4096 Aug 13 2018 13:08:56 coredumpinfo
11 58 Aug 13 2018 13:08:56 coredumpinfo/coredump.cfg

The image asdm-782-151.bin is present in the TFTP-Root folder on the C: drive of the candidate PC.

Check that the IP address is configured on the ASA firewall:

ASA1# show int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset administratively down up
GigabitEthernet0/1 unassigned YES unset administratively down up
GigabitEthernet0/2 unassigned YES unset administratively down up
GigabitEthernet0/3 unassigned YES unset administratively down up
GigabitEthernet0/4 unassigned YES unset administratively down up
GigabitEthernet0/5 unassigned YES unset administratively down up
GigabitEthernet0/6 unassigned YES unset administratively down up
GigabitEthernet0/7 unassigned YES unset administratively down up
GigabitEthernet0/8 unassigned YES unset administratively down up
Management0/0 150.1.7.166 YES manual up up

ASA1# show nameif
Interface Name Security
Management0/0 mgmt 100

Check the connectivity between the candidate PC and the ASA1 firewall:

ASA1# ping 150.1.7.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.7.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Start copying the ASDM image through the TFTP server.

ASA1# copy tftp://150.1.7.20/asdm-782-151.bin flash:
Address or name of remote host [150.1.7.20]? Enter
Source filename [asdm-782-151.bin]? Enter
Destination filename [asdm-782-151.bin]? Enter
Accessing tftp://150.1.7.20/asdm-782-151.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-782-151.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-782-151.bin...
26975568 bytes copied in 66.690 secs (408720 bytes/sec)

Verification: -

ASA1# show flash:
--#-- --length-- -----date/time------ path
12 4096 Aug 13 2018 13:08:52 smart-log
16 7937 Aug 18 2018 10:02:14 smart-log/agentlog
7 4096 Aug 13 2018 13:07:52 log
9 500 Aug 17 2018 11:43:22 log/asa-appagent.log
10 4096 Aug 13 2018 13:08:56 coredumpinfo
11 58 Aug 13 2018 13:08:56 coredumpinfo/coredump.cfg
93 26975568 Aug 23 2018 16:42:19 asdm-782-151.bin

After copying the ASDM image to flash, enable the ASDM feature on the ASA firewall:

http server enable
http 150.1.7.0 255.255.255.0 mgmt
asdm image disk0:/asdm-782-151.bin

The asdm image command must point at the file that was just copied (disk0:/asdm-782-151.bin, as shown by show flash), and the http command restricts ASDM access to the 150.1.7.0/24 network on the mgmt interface only.

Once done, go to the desktop, double-click the ASDM icon and enter the IP address 150.1.7.166.

Once done, the ASDM GUI will open. You can explore the GUI for the moment.

LAB-1.4: - ASA ADDRESS TRANSLATION AND ACL

LAB-SETUP

• Configure R100, R200 and R300 as per the addressing scheme below.
• Configure Telnet on all the routers with the password “Sanfran@1234”.
• Configure the default route on all the routers, pointing towards the ASA.

Device   Interface    IP Address
R100     Gi5          10.1.1.10/24
         Loopback0    2.2.2.2/24
         Loopback1    12.12.12.12/24
         Loopback2    122.122.122.122/24
R200     Gi5          20.1.1.10/24
         Loopback0    8.8.8.8/24
         Loopback1    4.4.4.4/24
         Loopback2    45.45.45.45/24
         Loopback3    55.55.55.55/24
R300     Gi5          30.1.1.10/24
         Loopback0    3.3.3.3/24
         Loopback1    13.13.13.13/24
         Loopback2    133.133.133.133/24

Configuration on Router

R100:

int gi5
no sh
ip address 10.1.1.10 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.1.1.1

int lo0
ip address 2.2.2.2 255.255.255.0
description DB-Server
int lo1
ip address 12.12.12.12 255.255.255.0
description App-Server
int lo2
ip address 122.122.122.122 255.255.255.0
description Inside-PC

Verification: -

R100#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 unassigned YES TFTP up up
GigabitEthernet2 unassigned YES TFTP up up
GigabitEthernet3 150.1.7.180 YES manual up up
GigabitEthernet4 unassigned YES unset up up
GigabitEthernet5 10.1.1.10 YES manual up up
GigabitEthernet0 unassigned YES TFTP up up
Loopback0 2.2.2.2 YES manual up up
Loopback1 12.12.12.12 YES manual up up
Loopback2 122.122.122.122 YES manual up up

Configuration on Router

R200:

int gi5
no sh
ip address 20.1.1.10 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 20.1.1.1

int lo0
ip address 8.8.8.8 255.255.255.0
description google.com
int lo1
ip address 4.4.4.4 255.255.255.0
int lo2
ip address 45.45.45.45 255.255.255.0
description Outside-PC1
int lo3
ip address 55.55.55.55 255.255.255.0
description Outside-PC2

Verification

R200#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 unassigned YES NVRAM administratively down down
GigabitEthernet2 unassigned YES NVRAM administratively down down
GigabitEthernet3 150.1.7.181 YES manual up up
GigabitEthernet4 unassigned YES unset administratively down down
GigabitEthernet5 20.1.1.10 YES manual up up
GigabitEthernet0 unassigned YES NVRAM administratively down down
Loopback0 8.8.8.8 YES manual up up
Loopback1 4.4.4.4 YES manual up up
Loopback2 45.45.45.45 YES manual up up
Loopback3 55.55.55.55 YES manual up up

Configuration on Router

R300:

int gi5
ip address 30.1.1.10 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 30.1.1.1

int lo0
ip address 3.3.3.3 255.255.255.0
description Web-Server1
int lo1
ip address 13.13.13.13 255.255.255.0
description Web-Server2
int lo2
ip address 133.133.133.133 255.255.255.0
description Web-Server3

Verification

R300#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 unassigned YES NVRAM administratively down down
GigabitEthernet2 unassigned YES NVRAM administratively down down
GigabitEthernet3 150.1.7.182 YES manual up up
GigabitEthernet4 unassigned YES unset administratively down down
GigabitEthernet5 30.1.1.10 YES manual up up
Loopback0 3.3.3.3 YES manual up up
Loopback1 13.13.13.13 YES manual up up
Loopback2 133.133.133.133 YES manual up up

Configuration on R100, R200, R300

line vty 0 4
password Sanfran@1234
login

LAB-SETUP

• Configure ASA1 as per the addressing scheme below.

Device   Interface   IP         Nameif    Security-level
ASA1     Gi0/4       20.1.1.1   outside
ASA1     Gi0/5       10.1.1.1   inside
ASA1     Gi0/6       30.1.1.1   dmz       50

Note that the configuration below assigns inside to Gi0/4 and outside to Gi0/5, the reverse of the table; the interface names and addresses, not the port numbers, are what the later tasks depend on.

Configuration Firewall

ASA1

interface GigabitEthernet0/4
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
no shutdown

ASA1# ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/10 ms

interface GigabitEthernet0/5
nameif outside
security-level 0
ip address 20.1.1.1 255.255.255.0
no shutdown

ASA1# ping 20.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.10, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

interface GigabitEthernet0/6
nameif dmz
security-level 50
ip address 30.1.1.1 255.255.255.0
no shutdown

ASA1# ping 30.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.10, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

TASK-1 CONFIGURE THE STATIC AUTO NAT ON ASA1 FOR WEB-SERVER1

• Configure the ASA so that when someone from the outside (the network segment behind the ASA’s OUTSIDE interface) tries to connect to IP address 20.1.1.50, he/she is directed to Web-Server1.

Configuration on Firewall

ASA1:

object network Web-Server1
host 3.3.3.3
nat (dmz,outside) static 20.1.1.50

access-list OUT-IN extended permit ip any host 3.3.3.3
access-group OUT-IN in interface outside

route dmz 3.3.3.0 255.255.255.0 30.1.1.10

Note that the access list permits traffic to the real address 3.3.3.3, not to the mapped address 20.1.1.50: on ASA 8.3 and later, interface access lists are evaluated against the untranslated (real) addresses.

Verification

R200#telnet 20.1.1.50
Trying 20.1.1.50 ... Open
User Access Verification
Password:

R300>show users
Line User Host(s) Idle Location
2 vty 0 idle 00:09:07 150.1.7.20
* 3 vty 1 idle 00:00:00 20.1.1.10

ASA1# show nat
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static Web-Server1 20.1.1.50
translate_hits = 0, untranslate_hits = 1

ASA1# show conn
TCP outside 20.1.1.10:46594 dmz 3.3.3.3:23, idle 0:03:46, bytes 553, flags UIOB

TASK-2 CONFIGURE THE STATIC AUTO PAT ON ASA1 FOR WEB-SERVER2

• Configure the ASA so that when someone from the outside (the network segment behind the ASA’s OUTSIDE interface) tries to connect to IP address 20.1.1.51 using TELNET, he/she is directed to Web-Server2.

Configuration on Firewall

ASA1:

object network Web-Server2
host 13.13.13.13
nat (dmz,outside) static 20.1.1.51 service tcp 23 23

access-list OUT-IN extended permit tcp any host 13.13.13.13 eq 23
route dmz 13.13.13.0 255.255.255.0 30.1.1.10

Verification

R200#telnet 20.1.1.51
Trying 20.1.1.51 ... Open
User Access Verification
Password:

R300>show user
Line User Host(s) Idle Location
* 2 vty 0 idle 00:00:00 20.1.1.10

ASA1# show conn
2 in use, 15 most used
TCP outside 20.1.1.10:23554 dmz 13.13.13.13:23, idle 0:01:42, bytes 466, flags UIOB

TASK-3 CONFIGURE STATIC MANUAL NAT ON ASA1 BETWEEN WEB-SERVER3


AND INSIDE-PC (IDENTITY NAT)

 Configure ASA so that when Inside-PC from the inside network tries to connect to Web-Server3,
the Inside-PC ip should change to mapped interface, and Web-Server3 ip should remain same
and intact.
 The translation must be enforced only for traffic going between Inside-PC and Web-Server3 only.

66
CCIE SECURITY V5

Configuration on Firewall

ASA1:

object network Web-Server3

host 133.133.133.133

object network Inside-PC

host 122.122.122.122

nat (inside,dmz) source static Inside-PC interface destination static Web-Server3 Web-
Server3

route dmz 3.3.3.0 255.255.255.0 30.1.1.10 1


route inside 12.12.12.0 255.255.255.0 10.1.1.10 1
route dmz 13.13.13.0 255.255.255.0 30.1.1.10 1

route inside 122.122.122.0 255.255.255.0 10.1.1.10 1


route dmz 133.133.133.0 255.255.255.0 30.1.1.10 1

Verification:

R100#telnet 133.133.133.133

Trying 133.133.133.133 ... Open


User Access Verification
Password:

R300>show user

Line User Host(s) Idle Location


2 vty 0 idle 00:06:59 150.1.7.20

* 3 vty 1 idle 00:00:00 10.1.1.10

As we can see, the session is sourced from the interface IP of R100 (10.1.1.10) instead of 122.122.122.122, so the manual NAT rule is not matched and the source is left untranslated.

Verification:

ASA1# show nat

Manual NAT Policies (Section 1)


1 (inside) to (dmz) source static Inside-PC interface destination static Web-Server3 Web-Server3
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static Web-Server1 20.1.1.50


translate_hits = 0, untranslate_hits = 1
2 (dmz) to (outside) source static Web-Server2 20.1.1.51 service tcp telnet telnet

translate_hits = 0, untranslate_hits = 1

ASA1# show nat


Manual NAT Policies (Section 1)
1 (inside) to (dmz) source static Inside-PC interface destination static Web-Server3 Web-Server3
translate_hits = 1, untranslate_hits = 1

Auto NAT Policies (Section 2)


1 (dmz) to (outside) source static Web-Server1 20.1.1.50
translate_hits = 0, untranslate_hits = 0

2 (dmz) to (outside) source static Web-Server2 20.1.1.51 service tcp telnet telnet
translate_hits = 0, untranslate_hits = 0

ASA1# show xlate


4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from dmz:3.3.3.3 to outside:20.1.1.50
flags s idle 19:07:32 timeout 0:00:00
TCP PAT from dmz:13.13.13.13 23-23 to outside:20.1.1.51 23-23
flags sr idle 18:45:55 timeout 0:00:00
NAT from inside:122.122.122.122 to dmz:30.1.1.1
flags sT idle 0:01:41 timeout 0:00:00
NAT from dmz:133.133.133.133 to inside:133.133.133.133
flags sIT idle 0:01:41 timeout 0:00:00

ASA1# show conn


2 in use, 15 most used

TCP dmz 133.133.133.133:23 inside 122.122.122.122:47106, idle 0:02:14, bytes 540, flags UIO

R100#telnet 133.133.133.133 /source-interface lo2

Trying 133.133.133.133 ... Open

User Access Verification

Password:

R300>

R300>show users


Line User Host(s) Idle Location

* 2 vty 0 idle 00:00:00 30.1.1.1

TASK-4 CONFIGURE STATIC AUTO NAT ON ASA1 BETWEEN DMZ NETWORK AND
DB SERVER

 Configure ASA so that when someone from the DMZ network segment tries to connect to DB-
Server using port 2323, he/she will be redirected to DB-Server using port 23.

Configuration on Firewall

ASA1:

object network DB-Server

host 2.2.2.2

nat (inside,dmz) static interface service tcp telnet 2323

access-list DMZ-IN extended permit tcp any host 2.2.2.2 eq telnet

access-group DMZ-IN in interface dmz

route inside 2.2.2.0 255.255.255.0 10.1.1.10


R300#telnet 30.1.1.1 2323

Trying 30.1.1.1, 2323 ...

% Connection timed out; remote host not responding

R300#telnet 30.1.1.1 2323

Trying 30.1.1.1, 2323 ... Open

User Access Verification

Password:

R100>show users

Line User Host(s) Idle Location

* 3 vty 1 idle 00:00:00 30.1.1.10

ASA1# show nat

Manual NAT Policies (Section 1)

1 (inside) to (dmz) source static Inside-PC interface destination static Web-Server3 Web-Server3

translate_hits = 1, untranslate_hits = 1


Auto NAT Policies (Section 2)

1 (inside) to (dmz) source static DB-Server interface service tcp telnet 2323

translate_hits = 0, untranslate_hits = 5

2 (dmz) to (outside) source static Web-Server1 20.1.1.50

translate_hits = 0, untranslate_hits = 0

3 (dmz) to (outside) source static Web-Server2 20.1.1.51 service tcp telnet telnet

translate_hits = 0, untranslate_hits = 0

ASA1# show xlate

5 in use, 5 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

s - static, T - twice, N - net-to-net

TCP PAT from inside:2.2.2.2 23-23 to dmz:30.1.1.1 2323-2323

flags sr idle 0:00:44 timeout 0:00:00

NAT from dmz:3.3.3.3 to outside:20.1.1.50

flags s idle 19:32:14 timeout 0:00:00

TCP PAT from dmz:13.13.13.13 23-23 to outside:20.1.1.51 23-23

flags sr idle 19:10:38 timeout 0:00:00

NAT from inside:122.122.122.122 to dmz:30.1.1.1


flags sT idle 0:16:12 timeout 0:00:00

NAT from dmz:133.133.133.133 to inside:133.133.133.133

flags sIT idle 0:16:12 timeout 0:00:00

ASA1# show conn

2 in use, 15 most used

TCP dmz 30.1.1.10:57346 inside 2.2.2.2:23, idle 0:00:47, bytes 524, flags UIOB

TASK-5 CONFIGURE STATIC MANUAL NAT ON ASA1 BETWEEN OUTSIDE-PC1


AND WEB-SERVER1 (TWICE NAT)

 Configure ASA so that when Outside-PC1 telnets to the DMZ Web-Server1, the Outside-PC1 identity should change to 20.1.1.100 and the Web-Server1 identity should change to 30.1.1.100. (Twice NAT)

Configuration on Firewall

ASA1:


object network Web-Server1

host 3.3.3.3

object network Outside-PC1

host 45.45.45.45

object network Mapped-Web-Server1

host 30.1.1.100

object network Mapped-Outside-PC1

host 20.1.1.100

nat (dmz,outside) source static Web-Server1 Mapped-Web-Server1 destination static Mapped-Outside-PC1 Outside-PC1

route outside 0.0.0.0 0.0.0.0 20.1.1.10 1

access-list OUT-IN extended permit ip any host 3.3.3.3

access-group OUT-IN in interface outside

Verification:

ASA1# show nat

1 (dmz) to (outside) source static Web-Server1 Mapped-Web-Server1 destination static Mapped-Outside-PC1 Outside-PC1

translate_hits = 1, untranslate_hits = 1

ASA1# show conn

2 in use, 15 most used

TCP outside 20.1.1.100(45.45.45.45):30210 dmz 3.3.3.3:23, idle 0:02:14, bytes 484, flags UIOB

ASA1# show xlate

NAT from outside:45.45.45.45 to dmz:20.1.1.100

flags sT idle 0:02:35 timeout 0:00:00

R200#telnet 30.1.1.100 /source-interface lo2

Trying 30.1.1.100 ... Open

User Access Verification

Password:

R300>show users

Line User Host(s) Idle Location

* 2 vty 0 idle 00:00:00 20.1.1.100
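The NAT lookup order that Tasks 1 to 5 rely on, modelled as an added Python example (not code from the workbook): Section 1 manual rules are tried in configured order before any Section 2 auto NAT rule, and the first match wins. The rule table, ASA1's interface addresses and the sample packets come from the tasks above; ordering inside Section 2 is simplified to configuration order, an assumption that does not change the result for these packets.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = Tuple[str, str, int, str, int]   # (interface, src, sport, dst, dport)

# ASA1's interface addresses from the lab, used when a rule says "interface".
IF_ADDR = {"inside": "10.1.1.1", "dmz": "30.1.1.1", "outside": "20.1.1.1"}


@dataclass
class NatRule:
    """One ASA NAT line. section 1 = manual (twice) NAT, section 2 = auto NAT."""
    name: str
    section: int
    real_if: str
    mapped_if: str
    real_src: str
    mapped_src: str                     # "interface" = address of mapped_if
    real_dst: Optional[str] = None      # 'destination static <mapped> <real>';
    mapped_dst: Optional[str] = None    # equal values = identity NAT
    real_port: Optional[int] = None     # 'service tcp <real> <mapped>'
    mapped_port: Optional[int] = None
    translate_hits: int = 0
    untranslate_hits: int = 0

    def mapped_source(self) -> str:
        return IF_ADDR[self.mapped_if] if self.mapped_src == "interface" else self.mapped_src

    def apply(self, pkt: Packet) -> Optional[Packet]:
        """Translated packet (egress if, src, sport, dst, dport) if this rule
        matches, else None. Real->mapped rewrites the source (translate_hits);
        mapped->real rewrites the destination back to the real address
        (untranslate_hits), which is what the workbook's show nat counts."""
        in_if, src, sport, dst, dport = pkt
        if in_if == self.real_if:
            if src != self.real_src or (self.mapped_dst and dst != self.mapped_dst):
                return None
            if self.real_port is not None and sport != self.real_port:
                return None
            self.translate_hits += 1
            return (self.mapped_if, self.mapped_source(),
                    sport if self.mapped_port is None else self.mapped_port,
                    self.real_dst or dst, dport)
        if in_if == self.mapped_if:
            if dst != self.mapped_source() or (self.real_dst and src != self.real_dst):
                return None
            if self.mapped_port is not None and dport != self.mapped_port:
                return None
            self.untranslate_hits += 1
            return (self.real_if, self.mapped_dst or src, sport, self.real_src,
                    dport if self.real_port is None else self.real_port)
        return None


def asa1_rules() -> List[NatRule]:
    """ASA1's NAT table after Tasks 1-5, in lookup order. The real ASA sorts
    Section 2 by rule type and address; here it is simply configuration order."""
    return [
        NatRule("Inside-PC->Web-Server3 identity", 1, "inside", "dmz",
                "122.122.122.122", "interface", "133.133.133.133", "133.133.133.133"),
        NatRule("Web-Server1<->Outside-PC1 twice NAT", 1, "dmz", "outside",
                "3.3.3.3", "30.1.1.100", "45.45.45.45", "20.1.1.100"),
        NatRule("DB-Server port redirect", 2, "inside", "dmz",
                "2.2.2.2", "interface", real_port=23, mapped_port=2323),
        NatRule("Web-Server1 static", 2, "dmz", "outside", "3.3.3.3", "20.1.1.50"),
        NatRule("Web-Server2 static PAT", 2, "dmz", "outside",
                "13.13.13.13", "20.1.1.51", real_port=23, mapped_port=23),
    ]


def lookup(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], Packet]:
    """First match wins, and every Section 1 rule is tried before any Section 2
    rule. Returns (matching rule name or None, packet after translation)."""
    for section in (1, 2):
        for rule in (r for r in rules if r.section == section):
            out = rule.apply(pkt)
            if out is not None:
                return rule.name, out
    return None, pkt           # no NAT applies; the packet is forwarded as-is


def hit_counters(rules: List[NatRule]) -> dict:
    """Per-rule (translate_hits, untranslate_hits), as 'show nat' reports them."""
    return {r.name: (r.translate_hits, r.untranslate_hits) for r in rules}


if __name__ == "__main__":
    table = asa1_rules()
    # Constructed packets that reproduce the workbook's verification commands.
    for pkt in [("outside", "20.1.1.10", 46594, "20.1.1.50", 23),        # Task 1
                ("outside", "20.1.1.10", 23554, "20.1.1.51", 23),        # Task 2
                ("inside", "10.1.1.10", 40001, "133.133.133.133", 23),   # Task 3, R100 f0/0: no match
                ("inside", "122.122.122.122", 47106, "133.133.133.133", 23),  # Task 3, lo2
                ("dmz", "30.1.1.10", 57346, "30.1.1.1", 2323),           # Task 4
                ("outside", "45.45.45.45", 30210, "30.1.1.100", 23),     # Task 5
                ("dmz", "3.3.3.3", 23, "20.1.1.10", 5555)]:              # falls through to Section 2
        print(pkt, "->", lookup(table, pkt))
    print(hit_counters(table))
```

The last sample packet shows why the section order matters: 3.3.3.3 is the real host of both the Section 1 twice-NAT rule and the Section 2 auto rule, and only the destination decides which one it hits.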


LAB-1.5: - CONTEXT ON THE ASA FIREWALL

LAB-SETUP

 Configure R5, R6, R7 and R8 as per the below mentioned addressing scheme.
 Configure Telnet on all the routers, with the password “cisco”
 Configure the default route on all the routers, pointing towards ASA.


Device   Interface   IP Address
R5       Fa0/0       50.1.1.10/24
         Loopback0   5.5.5.5/24
R6       Fa0/0       60.1.1.10/24
         Loopback0   6.6.6.6/24
R7       Fa0/0       70.1.1.10/24
         Loopback0   7.7.7.7/24
R8       Fa0/0       80.1.1.10/24
         Loopback0   8.8.8.8/24

Note :- the context labelled c1 in the diagram is CNTX1 in this lab.

Configuration on Router

R5:

interface f0/0
no shut
ip address 50.1.1.10 255.255.255.0

interface loopback 0
ip address 5.5.5.5 255.255.255.0

ip route 0.0.0.0 0.0.0.0 50.1.1.1

R6:

interface f0/0
no shut
ip address 60.1.1.10 255.255.255.0

interface loopback 0
ip address 6.6.6.6 255.255.255.0

ip route 0.0.0.0 0.0.0.0 60.1.1.1

R7:

interface f0/0
no shut
ip address 70.1.1.10 255.255.255.0

interface loopback 0
ip address 7.7.7.7 255.255.255.0

ip route 0.0.0.0 0.0.0.0 70.1.1.1

R8:

interface f0/0
no shut
ip address 80.1.1.10 255.255.255.0

interface loopback 0
ip address 8.8.8.8 255.255.255.0

ip route 0.0.0.0 0.0.0.0 80.1.1.1

TASK1 CONFIGURE THE ASAP1 WITH MULTI-CONTEXT MODE

 Configure the ASAp1 with the following:
 o Use the hostname ASAp1
 o Change the mode of the firewall to multiple.
 o Create the contexts as per the table below

Context Name   Interface                    IP Address
CNTX1          Eth2 – outside – visible     50.1.1.1/24
               Eth0 – inside – invisible    70.1.1.1/24
               Url :- CNTX1
CNTX2          Eth2 – outside – visible     60.1.1.1/24
               Eth1 – inside – invisible    80.1.1.1/24
               Url :- CNTX2

 Context information should be stored in the flash memory.
 Assigned interfaces should be named as given in the table.


Configuration on Firewall

ASAp1:

hostname ASAp1

mode multiple

interface Ethernet0

no shutdown

interface Ethernet1

no shutdown

interface Ethernet2

no shutdown

context CNTX1

Creating context 'CNTX1'... Done. (2)

allocate-interface Ethernet0 inside invisible

allocate-interface Ethernet2 outside visible


config-url disk0:/CNTX1.cfg

context CNTX2

Creating context 'CNTX2'... Done. (2)

allocate-interface Ethernet1 inside invisible

allocate-interface Ethernet2 outside visible

config-url disk0:/CNTX2.cfg

Verification

ASAp1(config)# show context

Context Name Class Interfaces Mode URL

*admin default Routed disk0:/admin.cfg

CNTX1 default Ethernet0,Ethernet2 Routed disk0:/CNTX1.cfg

CNTX2 default Ethernet1,Ethernet2 Routed disk0:/CNTX2.cfg

ASAp1(config)# show context detail

Context "system", is a system resource


Config URL: startup-config

Real Interfaces:

Mapped Interfaces: Ethernet0, Ethernet1, Ethernet2, Ethernet3,

Virtual254

Class: default, Flags: 0x00000819, ID: 0

Context "admin", has been created

Config URL: disk0:/admin.cfg

Real Interfaces:

Mapped Interfaces:

Real IPS Sensors:

Mapped IPS Sensors:

Class: default, Flags: 0x00000813, ID: 1

Context "CNTX1", has been created

Config URL: disk0:/CNTX1.cfg

Real Interfaces: Ethernet0, Ethernet2

Mapped Interfaces: inside, outside

Real IPS Sensors:

Mapped IPS Sensors:

Class: default, Flags: 0x00000811, ID: 2


Context "CNTX2", has been created

Config URL: disk0:/CNTX2.cfg

Real Interfaces: Ethernet1, Ethernet2

Mapped Interfaces: inside, outside

Real IPS Sensors:

Mapped IPS Sensors:

Class: default, Flags: 0x00000811, ID: 3

Context "null", is a system resource

Config URL: ... null ...

Real Interfaces:

Mapped Interfaces:

Real IPS Sensors:

Mapped IPS Sensors:

Class: default, Flags: 0x00000809, ID: 257

TASK2 CONFIGURE THE CLASS FOR THE CONTEXT

 Configure the ASAp1 with the following resources


Context   Policy             Limit
CNTX1     ASDM Connections   2
          Connections        1500
          SSH Sessions       3
          Telnet Sessions    1
          Xlate Objects      200
CNTX2     ASDM Connections   4
          Connections        2000
          SSH Sessions       4
          Telnet Sessions    1
          Xlate Objects      300

Configuration on Firewall

ASAp1:

class CNTX1

limit-resource asdm 2

limit-resource conns 1500

limit-resource ssh 3

limit-resource telnet 1

limit-resource xlate 200


class CNTX2

limit-resource asdm 4

limit-resource conns 2000

limit-resource ssh 4

limit-resource telnet 1

limit-resource xlate 300

Verification: -

ASAp1# sh run all class

class default

limit-resource All 0

limit-resource Mac-addresses 65535

limit-resource ASDM 5

limit-resource SSH 5

limit-resource Telnet 5

class CNTX1

limit-resource ASDM 2

limit-resource Conns 1500

limit-resource SSH 3


limit-resource Telnet 1

limit-resource Xlates 200

class CNTX2

limit-resource ASDM 4

limit-resource Conns 2000

limit-resource SSH 4

limit-resource Telnet 1

limit-resource Xlates 300

ASAp1# show class default

Class Name Members ID Flags

default All 1 0001

ASAp1# show class CNTX1

Class Name Members ID Flags

CNTX1 0 2 0000

ASAp1# show class CNTX2

Class Name Members ID Flags

CNTX2 0 3 0000


ASAp1(config)# context CNTX1

ASAp1(config-ctx)# member CNTX1

ASAp1(config-ctx)# context CNTX2

ASAp1(config-ctx)# member CNTX2

ASAp1# show class CNTX1

Class Name Members ID Flags

CNTX1 1 2 0000

ASAp1# show class CNTX2

Class Name Members ID Flags

CNTX2 1 3 0000

ASAp1(config)# changeto context CNTX1

ASAp1#show int ip brief

Interface IP-Address OK? Method Status Protocol

outside unassigned YES unset up up


inside unassigned YES unset up up

Compare the two outputs with respect to the visible and invisible interface: the visible interface (outside) reports its system name, Ethernet2, while the invisible interface (inside) does not.

Verification:

ASAp1/CNTX1(config)# show interface outside

Interface outside "", is up, line protocol is up

System name Ethernet2

Available but not configured via nameif

ASAp1/CNTX1(config)# show interface inside

Interface inside "", is up, line protocol is up

Available but not configured via nameif

TASK3 MAKE SURE FROM R7 TO R5 AND R8 TO R6 PING


 Ensure that ping works from the higher security level to the lower security level, from R7 to R5 and from R8 to R6.
 We are not allowed to configure any type of access list or address translation to make this ping happen.

Configuration on ASA

ASAp1

interface inside

nameif inside

security-level 100

ip address 70.1.1.1 255.255.255.0

interface outside

nameif outside

security-level 0

ip address 50.1.1.1 255.255.255.0

Verification:

ASAp1/CNTX1# ping 70.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 70.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASAp1/CNTX1# ping 50.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 50.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASAp1/CNTX2# show nameif

Interface Name Security

inside inside 100

outside outside 0

ASAp1/CNTX2# show int ip b

Interface IP-Address OK? Method Status Protocol


inside 80.1.1.1 YES manual up up

outside 60.1.1.1 YES manual up up

ASAp1/CNTX2# ping 60.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 60.1.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

ASAp1/CNTX2# ping 80.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 80.1.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 m

Allow the ICMP inspection on the ASA firewall, in both contexts:

policy-map global_policy
class inspection_default
inspect icmp

changeto context CNTX2

policy-map global_policy
class inspection_default
inspect icmp

Verification:

R7#ping 50.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 50.1.1.10, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R8#ping 60.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 60.1.1.10, timeout is 2 seconds:

.....


Success rate is 0 percent (0/5)

ASAp1/CNTX1(config)# show interface outside

Interface outside "outside", is up, line protocol is up

System name Ethernet2

MAC address 5000.001a.0002, MTU 1500

IP address 50.1.1.1, subnet mask 255.255.255.0

Traffic Statistics for "outside":

4 packets input, 130 bytes

8 packets output, 584 bytes

0 packets dropped

ASAp1/CNTX1(config)# changeto context CNTX2

Verification:

ASAp1/CNTX2(config)# show interface outside

Interface outside "outside", is up, line protocol is up

System name Ethernet2

MAC address 5000.001a.0002, MTU 1500

IP address 60.1.1.1, subnet mask 255.255.255.0

Traffic Statistics for "outside":


9 packets input, 630 bytes

12 packets output, 1056 bytes

0 packets dropped

Because the outside interface is shared, both contexts show the same MAC address on it. To give each context its own MAC address on the shared interface we need to use either the auto or the manual option.

ASAp1/CNTX2(config)# changeto system

ASAp1(config)# mac-address auto

Verification:

ASAp1(config)# changeto context CNTX1

ASAp1/CNTX1(config)# show interface outside

Interface outside "outside", is up, line protocol is up

System name Ethernet2

MAC address a200.0000.0008, MTU 1500

IP address 50.1.1.1, subnet mask 255.255.255.0

Traffic Statistics for "outside":



22 packets input, 824 bytes

9 packets output, 612 bytes

16 packets dropped

ASAp1/CNTX1(config)# changeto context CNTX2

Verification:

ASAp1/CNTX2(config)# show interface outside

Interface outside "outside", is up, line protocol is up

System name Ethernet2

MAC address a200.0000.0006, MTU 1500

IP address 60.1.1.1, subnet mask 255.255.255.0

Traffic Statistics for "outside":

37 packets input, 2085 bytes

13 packets output, 1084 bytes

26 packets dropped

Verification:


R7#ping 50.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 50.1.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/103/436 ms

R8#ping 60.1.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 60.1.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

R7#telnet 50.1.1.10

Trying 50.1.1.10 ... Open

User Access Verification

Password:

R5>

R8#telnet 60.1.1.10


Trying 60.1.1.10 ... Open

User Access Verification

Password:

R6>

LAB-1.6: - ACTIVE/STANDBY FAILOVER (R3, R4, ASAV2 & ASAV3)

LAB-SETUP

 Configure R3 and R4 as per the below mentioned addressing scheme.
 Configure Telnet on all the routers, with the password “cisco”
 Configure the default route on all the routers, pointing towards ASA.

Device   Interface   IP Address
R3       Fa0/0       10.1.1.10/24
         Loopback0   3.3.3.3/24
R4       Fa0/0       20.1.1.10/24
         Loopback0   4.4.4.4/24

Configuration on Router

R3:

hostname R3

interface f 0/0

no shut

ip address 10.1.1.10 255.255.255.0

interface loopback 0


ip address 3.3.3.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

R4:

hostname R4

interface f 0/0

no shut

ip address 20.1.1.10 255.255.255.0

interface loopback 0

ip address 4.4.4.4 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.1.1


TASK1 CONFIGURE ASA FOR ACTIVE/STANDBY

 Configure hostname as ASAv2 and ASAv3


 Configure ASAv3 device to back up ASAv2 in the event of failure
 Configure gi0/2 as the failover link
 Configure gi0/3 as the Stateful link
 Authenticate the failover control messages using a key “cisco”

Physical Interface   Interface name   Security Level   IP Address
Gi0/0                Outside          0                Pri – 20.1.1.1/24
                                                       Sec – 20.1.1.2/24
Gi0/1                Inside           100              Pri – 10.1.1.1/24
                                                       Sec – 10.1.1.2/24
Gi0/2                FO                                Pri – 10.10.10.10/24
                                                       Sec – 10.10.10.11/24
Gi0/3                STATE                             Pri – 20.20.20.20/24
                                                       Sec – 20.20.20.21/24

Configuration on ASA

ASAv2

hostname ASAv2

interface g 0/0

no shut

nameif outside

ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2

interface g0/1

no shut

nameif inside

ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2


interface g 0/2

no shut

description failover link

interface g0/3

no shut

description stateful link

route outside 0.0.0.0 0.0.0.0 20.1.1.10

route inside 3.3.3.0 255.255.255.0 10.1.1.10

Configure the failover

failover lan unit primary

failover lan interface FO GigabitEthernet0/2

failover key cisco

failover link STATE GigabitEthernet0/3

failover interface ip FO 10.10.10.10 255.255.255.0 standby 10.10.10.11

failover interface ip STATE 20.20.20.20 255.255.255.0 standby 20.20.20.21


failover

ASAv3:

hostname ASAv3

interface g 0/2

no shut

interface g0/3

no shut

failover lan unit secondary

failover lan interface FO GigabitEthernet0/2

failover key cisco

failover link STATE GigabitEthernet0/3

failover interface ip FO 10.10.10.10 255.255.255.0 standby 10.10.10.11

failover interface ip STATE 20.20.20.20 255.255.255.0 standby 20.20.20.21

failover


Start the failover

ASAv2

ASAv2(config)# failover

ASAv3(config)# failover

No Active mate detected

Beginning configuration replication: Sending to mate.

End Configuration Replication to mate

ASAv2(config)# prompt hostname state

ASAv3(config)# .


Detected an Active mate

Beginning configuration replication from mate.

WARNING: Disabling auto import may affect Smart Licensing

WARNING: Local user database is empty and there are still 'aaa' commands for 'LOCAL'.

Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint CA certificate accepted.

WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.

End configuration replication from mate.

ASAv2/stby#

Verifications: -

ASAv2/act# show failover state

State Last Failure Reason Date/Time

This host - Primary

Active None

Other host - Secondary


Standby Ready None

====Configuration State===

Sync Done

====Communication State===

Mac set

====VM Properties Compatibility===

vCPUs - This host: 1

Other host: 1

Memory - This host: 2048 Mhz

Other host: 2048 Mhz

Interfaces - This host: 7

Other host: 7

ASAv2/act# show failover

Failover On

Failover unit Primary

Failover LAN Interface: FO GigabitEthernet0/2 (up)

Reconnect timeout 0:00:00

Unit Poll frequency 1 seconds, holdtime 15 seconds


Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 2 of 61 maximum

MAC Address Move Notification Interval not set

Version: Ours 9.8(1), Mate 9.8(1)

Serial Number: Ours 9AND6971AK0, Mate 9ASDWDV3DE6

Last Failover at: 00:02:07 UTC Sep 1 2018

This host: Primary - Active

Active time: 177 (sec)

slot 0: empty

Interface outside (20.1.1.1): Normal (Monitored)

Interface inside (10.1.1.1): Normal (Monitored)

Other host: Secondary - Standby Ready

Active time: 0 (sec)

Interface outside (20.1.1.2): Normal (Monitored)

Interface inside (10.1.1.2): Normal (Monitored)

Stateful Failover Logical Update Statistics

Link : STATE GigabitEthernet0/3 (up)

Stateful Obj xmit xerr rcv rerr

General 23 0 22 0


sys cmd 22 0 22 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 0 0 0 0

UDP conn 0 0 0 0

ARP tbl 0 0 0 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 0 0 0 0

VPN IKEv2 P2 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0

SIP Tx 0 0 0 0

SIP Pinhole 0 0 0 0

Route Session 0 0 0 0

Router ID 0 0 0 0

User-Identity 1 0 0 0


CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0

TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

STS Table 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 17 192

Xmit Q: 0 37 184

LAB-1.7: - ACTIVE/ACTIVE FAILOVER (R9, R10,R11,R12 ASAP2 & ASAP3)


LAB-SETUP

 Configure R9, R10, R11 and R12 as per the below mentioned addressing scheme.
 Configure Telnet on all the routers, with the password “cisco”
 Configure the default route on all the routers, pointing towards ASA.

Device   Interface   IP Address
R9       Fa0/0       10.1.1.10/24
R10      Fa0/0       30.1.1.10/24
R11      Fa0/0       20.1.1.10/24
R12      Fa0/0       40.1.1.10/24

Configuration on Router

R9:

in f0/0

no shut

ip address 10.1.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

R10:

in f0/0

no shut

ip address 30.1.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 30.1.1.1


R11:

in f0/0

no shut

ip address 20.1.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.1.1

R12:

in f0/0

no shut

ip address 40.1.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 40.1.1.1

R9-11:

line vty 0 4

password cisco

login


Configuration on the Switch

SW4

vlan 20

vlan 40

interface range GigabitEthernet0/0-1

switchport trunk encapsulation dot1q

switchport mode trunk

no sh

interface GigabitEthernet0/2

no sh

switchport access vlan 20

switchport mode access

interface GigabitEthernet0/3


switchport access vlan 40

switchport mode access

no sh

SW5

vlan 10

vlan 30

interface range GigabitEthernet0/2-3

switchport trunk encapsulation dot1q

switchport mode trunk

no sh

interface GigabitEthernet0/0

no sh

switchport access vlan 10

switchport mode access


interface GigabitEthernet0/1

switchport access vlan 30

switchport mode access

no sh

TASK1 CONFIGURE ASA FOR ACTIVE/ACTIVE FAILOVER

 Configure hostname as ASAp2 and ASAp3

 Your configuration should meet the following requirements:

 o ASAp2 - system
    Interface eth0.20, vlan: 20
    Interface eth0.40, vlan: 40
    Interface eth1.10, vlan: 10
    Interface eth1.30, vlan: 30
    Failover:
     o Unit: Primary
     o Lan Interface: eth2
     o Primary - Standby: 1.1.1.1 - 1.1.1.2/24
     o Name: LAN
     o Link Interface: eth3
     o Primary - Standby: 2.2.2.1 - 2.2.2.2
     o Name: STATE
    Failover Group1: Primary
    Failover Group2: Secondary

 o ASAp3 - system
    Failover:
     o Unit: Secondary
     o Lan Interface: eth2
     o Primary - Standby: 1.1.1.1 - 1.1.1.2/24
     o Name: LAN
     o Link Interface: eth3
     o Primary - Standby: 2.2.2.1 - 2.2.2.2
     o Name: STATE
    Failover Group1: Secondary
    Failover Group2: Primary

TASK2 CONFIGURE CONTEXT ON THE ASAP2

 Configure the Context on the ASAp2

 Name: c1
 o Allocate Interfaces: eth0.20, eth1.10 and provide Labels Respectively: outside_c1, inside_c1
 o Join Failover Group: 1
 o URL: c1.cfg
 o For Inside Interface - Make it visible
 o For Outside Interface - Make it invisible

 Name: c2
 o Allocate Interfaces: eth0.40, eth1.30 Labels Respectively: outside_c2, inside_c2
 o Join Failover Group: 2
 o URL: c2.cfg
 o For Inside Interface - Make it visible
 o For Outside Interface - Make it invisible

 ASA1 - c1
 o Interface inside_c1: Address Primary - Standby: 10.1.1.1 - 10.1.1.2, Name: inside
 o Interface outside_c1: Address Primary - Standby: 20.1.1.1 - 20.1.1.2, Name: outside

 ASA1 - c2
 o Interface inside_c2: Address Primary - Standby: 30.1.1.1 - 30.1.1.2, Name: inside
 o Interface outside_c2: Address Primary - Standby: 40.1.1.1 - 40.1.1.2, Name: outside

Context Name   Interface
C1             Eth1.10 – inside – visible
               Eth0.20 – outside – invisible
               Url :- c1.cfg
C2             Eth1.30 – inside – visible
               Eth0.40 – outside – invisible
               Url :- c2.cfg


TASK3 ADDRESS TRANSLATION

 For c1 context
 o R9 (10.1.1.10) should be accessible from outside using the outside interface with NAT IP 50.50.50.50. The network object used for the translation should be named "R9_c1". Use Auto NAT.
 For c2 context
 o R10 (30.1.1.10) should be accessible from outside using the outside interface with NAT IP 60.60.60.60. Use a network object for the translation; any name can be used. Use Manual NAT.

TASK4 TRAFFIC FILTERING

 For c1 context
 o R9 should be accessible only from the 20.1.1.10/24 network for telnet traffic on port 23 and ICMP Echo messages.
 o The ACL for the traffic filtering should be named "O-I".
 o The ACL should be network and host specific.
 For c2 context
 o R10 should be accessible only from the 40.1.1.10/24 network for telnet traffic on port 23 and ICMP Echo messages.
 o The ACL for the traffic filtering should be named "O-I".
 o The ACL should be network and host specific.

Configuration on the Firewall

ASAp2/ASAp3

Multiple-context mode must be enabled; if it is not, convert the firewall to multiple mode.

ASAp2 & ASAp3:

ASAp2# show mode

Security context mode: multiple

ASAp3# show mode

Security context mode: multiple

If not, enter the global command:

mode multiple

ASAp2

hostname ASAp2

interface Ethernet 0

no shut


interface Ethernet 1

no shut

interface Ethernet 2

no shut

interface Ethernet 3

no shut

interface Ethernet 0.20

vlan 20

interface Ethernet 0.40

vlan 40

interface Ethernet 1.10

vlan 10

interface Ethernet 1.30

vlan 30

Configuration on the Failover for ASAp2

failover lan unit primary

failover lan interface LAN e2


failover link STATE e3

failover interface ip LAN 1.1.1.1 255.255.255.0 standby 1.1.1.2

failover interface ip STATE 2.2.2.1 255.255.255.0 standby 2.2.2.2

failover group 1

preempt

primary

failover group 2

preempt

secondary

Creating the contexts on ASAp2

context c1

allocate-interface ethernet0.20 outside_c1

allocate-interface ethernet1.10 inside_c1 visible

config-url c1.cfg

join-failover-group 1


context c2

allocate-interface ethernet0.40 outside_c2

allocate-interface ethernet1.30 inside_c2 visible

config-url c2.cfg

join-failover-group 2

Configuration on the Context

changeto context c1

interface inside_c1

nameif inside

ip add 10.1.1.1 255.255.255.0 standby 10.1.1.2

no sh

interface outside_c1

nameif outside

ip add 20.1.1.1 255.255.255.0 standby 20.1.1.2

no sh


Configuration on the NAT

object network R9_c1

host 10.1.1.10

nat (inside,outside) static 50.50.50.50

Configuration on the Access-list

access-list O-I extended permit tcp 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 23

access-list O-I extended permit icmp 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0 echo

access-group O-I in interface outside

Configuration on the Context

changeto context c2


interface inside_c2

nameif inside

ip add 30.1.1.1 255.255.255.0 standby 30.1.1.2

no sh

interface outside_c2

nameif outside

ip add 40.1.1.1 255.255.255.0 standby 40.1.1.2

no sh

Configuration on the NAT

object network R10_c2

host 30.1.1.10

nat (inside,outside) static 60.60.60.60

Configuration on the Access-list

access-list O-I extended permit tcp 40.1.1.0 255.255.255.0 30.1.1.0 255.255.255.0 eq 23

access-list O-I extended permit icmp 40.1.1.0 255.255.255.0 30.1.1.0 255.255.255.0 echo

access-group O-I in interface outside

changeto system

Configuration on the Firewall

ASAp3:

interface e 2

no shut

interface e 3

no shut

Configuration on the Failover


failover lan unit secondary

failover lan interface LAN e2

failover link STATE e3

failover interface ip LAN 1.1.1.1 255.255.255.0 standby 1.1.1.2

failover interface ip STATE 2.2.2.1 255.255.255.0 standby 2.2.2.2

failover group 1

preempt

secondary

failover group 2

preempt

primary

ASAp2 & ASAp3:

Enabling the failover

failover


Verifications:

ASAp2# show context

Context Name Class Interfaces Mode URL

*admin default Routed disk0:/admin.cfg

c1 default Ethernet0.20, Routed disk0:/c1.cfg

Ethernet1.10

c2 default Ethernet0.40, Routed disk0:/c2.cfg

Ethernet1.30

Total active Security Contexts: 3

ASAp2# show failover state

State Last Failure Reason Date/Time

This host - Primary

Group 1 Active None

Group 2 Standby Ready None


Other host - Secondary

Group 1 Standby Ready None

Group 2 Active None

====Configuration State===

Sync Done

====Communication State===

Mac set

R9#telnet 20.1.1.10

Trying 20.1.1.10 ... Open

User Access Verification

Password:

R11>show user

R11>show users

Line User Host(s) Idle Location

* 98 vty 0 idle 00:00:00 50.50.50.50

Interface User Mode Idle Peer Address


prompt context hostname state

c1/ASAp2/act(config)# show conn

5 in use, 5 most used

TCP outside 20.1.1.10:23 inside 10.1.1.10:57020, idle 0:00:20, bytes 474, flags UIO

c1/ASAp2/stby(config)# show conn

5 in use, 5 most used

TCP outside 20.1.1.10:23 inside 10.1.1.10:57020, idle 0:00:13, bytes 474, flags U

c1/ASAp2/act(config)# show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static R9_c1 50.50.50.50

translate_hits = 1, untranslate_hits = 0

R10#telnet 40.1.1.10

Trying 40.1.1.10 ... Open

User Access Verification


Password:

R12>show user

Line User Host(s) Idle Location

* 98 vty 0 idle 00:00:00 60.60.60.60

Interface User Mode Idle Peer Addres

c2/ASAp2/act# show conn

5 in use, 5 most used

TCP outside 40.1.1.10:23 inside 30.1.1.10:25837, idle 0:00:26, bytes 340, flags UIO

c2/ASAp2/stby(config)# show conn

5 in use, 5 most used

TCP outside 40.1.1.10:23 inside 30.1.1.10:25837, idle 0:00:15, bytes 340, flags U

c2/ASAp2/act# show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static R10_c2 60.60.60.60

translate_hits = 1, untranslate_hits = 0


R11#ping 50.50.50.50

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 50.50.50.50, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/96/336 ms

R11#telnet 50.50.50.50

Trying 50.50.50.50 ... Open

User Access Verification

Password:

R9>show user

Line User Host(s) Idle Location

0 con 0 idle 00:01:36

* 98 vty 0 idle 00:00:00 20.1.1.10

Interface User Mode Idle Peer Address

c1/ASAp2/act(config)# show conn

5 in use, 6 most used

TCP outside 20.1.1.10:19973 inside 10.1.1.10:23, idle 0:00:30, bytes 396, flags UIOB


R12#ping 60.60.60.60

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 60.60.60.60, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/21/36 ms

R12#telnet 60.60.60.60

Trying 60.60.60.60 ... Open

User Access Verification

Password:

R10>show user

Line User Host(s) Idle Location

0 con 0 40.1.1.10 00:06:35

* 98 vty 0 idle 00:00:00 40.1.1.10

Interface User Mode Idle Peer Address

c2/ASAp2/act# show conn


5 in use, 8 most used

TCP outside 40.1.1.10:28941 inside 30.1.1.10:23, idle 0:00:41, bytes 395, flags UIOB

TASK4 MONITOR INTERFACE

 Make sure that all the interfaces are being monitored for this failover implementation in both contexts.

Go to the system context and issue the following command:

ASAp2/act(config)# show failover

Failover On

Failover unit Primary

Failover LAN Interface: LAN Ethernet2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 0 of 60 maximum

Version: Ours 9.1(5)16, Mate 9.1(5)16

Group 1 last failover at: 14:48:55 UTC Sep 17 2018

Group 2 last failover at: 14:49:02 UTC Sep 17 2018


This host: Primary

Group 1 State: Active

Active time: 1477 (sec)

Group 2 State: Standby Ready

Active time: 6 (sec)

c1 Interface inside (10.1.1.1): Normal (Not-Monitored)

c1 Interface outside (20.1.1.1): Normal (Not-Monitored)

c2 Interface inside (30.1.1.2): Normal (Not-Monitored)

c2 Interface outside (40.1.1.2): Normal (Not-Monitored)

Other host: Secondary

Group 1 State: Standby Ready

Active time: 0 (sec)

Group 2 State: Active

Active time: 1481 (sec)

c1 Interface inside (10.1.1.2): Normal (Not-Monitored)

c1 Interface outside (20.1.1.2): Normal (Not-Monitored)

c2 Interface inside (30.1.1.1): Normal (Not-Monitored)


c2 Interface outside (40.1.1.1): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics

Link : STATE Ethernet3 (up)

Stateful Obj xmit xerr rcv rerr

General 211 0 204 0

sys cmd 197 0 197 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 9 0 5 0

UDP conn 0 0 0 0

ARP tbl 2 0 2 0

Xlate_Timeout 0 0 0 0

IPv6 ND tbl 0 0 0 0

VPN IKEv1 SA 0 0 0 0

VPN IKEv1 P2 0 0 0 0

VPN IKEv2 SA 0 0 0 0

VPN IKEv2 P2 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

SIP Session 0 0 0 0


Route Session 0 0 0 0

User-Identity 3 0 0 0

CTS SGTNAME 0 0 0 0

CTS PAC 0 0 0 0

TrustSec-SXP 0 0 0 0

IPv6 Route 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 3 2502

Xmit Q: 0 3 2533

changeto context c1 on ASA2p

c1/ASAp2/act(config)# monitor-interface inside

c1/ASAp2/act(config)# monitor-interface outside

changeto context c2 on ASA3p

c2/ASAp2/act(config)# monitor-interface inside

c2/ASAp2/act(config)# monitor-interface outside


Verification

ASAp2/act# show failover

Failover On

Failover unit Primary

Failover LAN Interface: LAN Ethernet2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 4 of 60 maximum

Version: Ours 9.1(5)16, Mate 9.1(5)16

Group 1 last failover at: 14:48:55 UTC Sep 17 2018

Group 2 last failover at: 14:49:02 UTC Sep 17 2018

This host: Primary

Group 1 State: Active

Active time: 1508 (sec)

Group 2 State: Standby Ready

Active time: 6 (sec)


c1 Interface inside (10.1.1.1): Normal (Monitored)

c1 Interface outside (20.1.1.1): Normal (Monitored)

c2 Interface inside (30.1.1.2): Normal (Monitored)

c2 Interface outside (40.1.1.2): Normal (Monitored)

Other host: Secondary

Group 1 State: Standby Ready

Active time: 0 (sec)

Group 2 State: Active

Active time: 1512 (sec)

c1 Interface inside (10.1.1.2): Normal (Monitored)

c1 Interface outside (20.1.1.2): Normal (Monitored)

c2 Interface inside (30.1.1.1): Normal (Monitored)

c2 Interface outside (40.1.1.1): Normal (Monitored)

Stateful Failover Logical Update Statistics

Link : STATE Ethernet3 (up)


Stateful Obj xmit xerr rcv rerr

General 216 0 209 0


sys cmd 201 0 201 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 10 0 6 0
UDP conn 0 0 0 0
ARP tbl 2 0 2 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 3 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0


Logical Update Queue Information


Cur Max Total
Recv Q: 0 3 2555
Xmit Q: 0 3 2587
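As an added verification aid that is not part of the lab guide (my own script, not Cisco's), the following Python parses the show failover output above and reports every interface that is still Not-Monitored, every interface whose state is not Normal, a summary counter that disagrees with the per-interface lines, and any failover group that is not Active on exactly one unit. The two sample strings are trimmed copies of the lab output; the context prefix is optional so the same parser also handles single-context output.

```python
import re

# Trimmed excerpt of the "show failover" output shown in the lab before
# "monitor-interface" was issued in each context (constructed from that output).
BEFORE = """\
Failover On
Failover unit Primary
Interface Policy 1
Monitored Interfaces 0 of 60 maximum
This host: Primary
        Group 1 State: Active
        Group 2 State: Standby Ready
          c1 Interface inside (10.1.1.1): Normal (Not-Monitored)
          c1 Interface outside (20.1.1.1): Normal (Not-Monitored)
          c2 Interface inside (30.1.1.2): Normal (Not-Monitored)
          c2 Interface outside (40.1.1.2): Normal (Not-Monitored)
Other host: Secondary
        Group 1 State: Standby Ready
        Group 2 State: Active
          c1 Interface inside (10.1.1.2): Normal (Not-Monitored)
          c1 Interface outside (20.1.1.2): Normal (Not-Monitored)
          c2 Interface inside (30.1.1.1): Normal (Not-Monitored)
          c2 Interface outside (40.1.1.1): Normal (Not-Monitored)
"""
# The same output after the four monitor-interface commands: every interface
# flips to (Monitored) and the summary counter reads "4 of 60".
AFTER = BEFORE.replace("(Not-Monitored)", "(Monitored)").replace(
    "Monitored Interfaces 0 of", "Monitored Interfaces 4 of")

COUNT_RE = re.compile(r"^\s*Monitored Interfaces\s+(\d+)\s+of\s+(\d+)\s+maximum")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\S+)")
GROUP_RE = re.compile(r"^\s*Group\s+(\d+)\s+State:\s+(.+?)\s*$")
# The context name is absent in single-context mode, so it is optional here.
IFACE_RE = re.compile(
    r"^\s*(?:(?P<ctx>\S+)\s+)?Interface\s+(?P<name>\S+)\s+\((?P<ip>[^)]+)\):"
    r"\s+(?P<state>[^(]+?)\s*\((?P<mon>Not-Monitored|Monitored)\)\s*$")


def parse_failover(text):
    """Parse show failover into {"on", "monitored", "maximum", "hosts"}."""
    info = {"on": "Failover On" in text, "monitored": None, "maximum": None, "hosts": {}}
    host = None
    for line in text.splitlines():
        if (m := COUNT_RE.match(line)):
            info["monitored"], info["maximum"] = int(m[1]), int(m[2])
        elif (m := HOST_RE.match(line)):
            host = {"unit": m[2], "groups": {}, "interfaces": []}
            info["hosts"][m[1]] = host            # keyed "This" / "Other"
        elif host and (m := GROUP_RE.match(line)):
            host["groups"][int(m[1])] = m[2]      # e.g. {1: "Active", 2: "Standby Ready"}
        elif host and (m := IFACE_RE.match(line)):
            host["interfaces"].append({
                "context": m["ctx"] or "-", "name": m["name"], "ip": m["ip"],
                "state": m["state"].strip(), "monitored": m["mon"] == "Monitored"})
    return info


def unmonitored(text):
    """Names ("This/c1/inside") of every interface failover is not watching."""
    return [f"{role}/{i['context']}/{i['name']}"
            for role, h in parse_failover(text)["hosts"].items()
            for i in h["interfaces"] if not i["monitored"]]


def audit(text):
    """Return a list of findings; an empty list means the pair looks healthy."""
    info = parse_failover(text)
    findings = []
    if not info["on"]:
        findings.append("failover is not enabled")
    findings += [f"{name} is not monitored" for name in unmonitored(text)]
    this = info["hosts"].get("This")
    if this and info["monitored"] is not None:    # counter is for the local unit
        seen = sum(i["monitored"] for i in this["interfaces"])
        if seen != info["monitored"]:
            findings.append(f"summary says {info['monitored']} monitored, found {seen}")
    for role, h in info["hosts"].items():
        for i in h["interfaces"]:
            if i["state"] != "Normal":
                findings.append(f"{role}/{i['context']}/{i['name']} state is {i['state']}")
    # Every failover group should be Active on exactly one unit.
    groups = {g for h in info["hosts"].values() for g in h["groups"]}
    for g in sorted(groups):
        active = [r for r, h in info["hosts"].items() if h["groups"].get(g) == "Active"]
        if len(active) != 1:
            findings.append(f"group {g} is active on {len(active)} units")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample) or ["OK"])
```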

LAB-1.8: - ASA CLUSTERING

TASK1 CONFIGURE ASA-C1 AND ASA-C2 FOR CLUSTERING


 Configure ASA-C1 and ASA-C2 with the following requirements:
  o Interface Mode : Spanned
  o Interface Port-channel ID : 1
  o Sub-interface Po1.10 : VLAN 10
  o Sub-interface Po1.20 : VLAN 20
  o Interfaces for Po1 : eth1/eth2
  o Cluster Group Name : ccnp
  o CCL : eth3
  o CCL IP ASA-C1 : 5.5.5.5/24
  o CCL IP ASA-C2 : 5.5.5.6/24
  o Master Unit : ASA-C1
  o Management Pool : 150.1.7.159-150.1.7.160
  o Management Pool Name : mgmt-pool

 Configure the interfaces of the ASA with the following requirements:
  o Interface Po1.10
     Nameif : Inside
     IP Add : 10.100.10.1/24
  o Interface Po1.20
     Nameif : Outside
     IP Add : 10.100.20.1/24
  o Interface Mgmt
     Nameif : Management
     IP Add : 150.1.7.158
     Sec-Level : 100
     Type : Management-Only

 Configure the routers:
  o Router R31
     Interface : fa0/0
     IP add : 10.100.10.10/24
     Default Route : 10.100.10.1
  o Router R32
     Interface : fa0/0
     IP add : 10.100.20.20/24
     Default Route : 10.100.20.1

 Configure the switch:
  o Switch-C
     VLANs : 10, 20, 150
     Po : Po1 - Trunk
     Interfaces : eth0/1-1/0-0/3-1/2
     Interfaces : eth1/1 and eth1/3
     VLAN : 150 (Mgmt port towards ASA)
     SVI
       Vlan150 : 150.1.7.157/24
       Vlan 10 : 10.100.10.100/24
       Vlan 20 : 10.100.20.100/24

 Follow the topology for the link information.

LAB-1.9: - ASA FIREWALL IP SERVICES

TASK1 CONFIGURE NTP SERVER AND CLIENT ON ASA1 AND DC-ROUTER

 Configure DC-Router as NTP Server and ASA1 as the NTP client


 Both the devices should be in the same time zone of PST -8

 NTP should use MD5 authentication with key-id 1 and the password “cisco”.

Configuration on Router

DC-Router:

clock timezone PST -8

clock set hh:mm:ss <day 1-31> <month> <year> -> (privileged EXEC mode)


ntp authentication-key 1 md5 cisco

ntp authenticate

ntp trusted-key 1

ntp master

Configuration on Firewall

ASA1:

ntp authentication-key 1 md5 cisco

ntp authenticate

ntp trusted-key 1

ntp server 150.1.7.163 key 1 prefer

clock timezone PST -8

Verification:


ASA1# show ntp status

Clock is synchronized, stratum 9, reference is 150.1.7.163

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is df3b53d3.7e7ba2d9 (23:20:51.494 PST Wed Sep 5 2018)

clock offset is -0.2000 msec, root delay is 1.74 msec

root dispersion is 15893.17 msec, peer dispersion is 15890.63 msec

ASA1# show ntp associations

address ref clock st when poll reach delay offset disp

*~150.1.7.163 127.127.1.1 8 2 64 3 1.9 -0.06 7890.7

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

ASA1# show ntp associations detail

150.1.7.163 configured, authenticated, our_master, sane, valid, stratum 8

ref ID 127.127.1.1, time df3b5408.4f5c29d0 (23:21:44.310 PST Wed Sep 5 2018)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 2.33, reach 3, sync dist 7893.951

delay 1.86 msec, offset -0.0642 msec, dispersion 7890.69

precision 2**10, version 3

org time df3b5413.7e76ca10 (23:21:55.494 PST Wed Sep 5 2018)


rcv time df3b5413.7eb87874 (23:21:55.495 PST Wed Sep 5 2018)

xmt time df3b5413.7e3d85cb (23:21:55.493 PST Wed Sep 5 2018)

filtdelay = 1.86 1.74 0.00 0.00 0.00 0.00 0.00 0.00

filtoffset = -0.06 -0.20 0.00 0.00 0.00 0.00 0.00 0.00

filterror = 15.63 16.60 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
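As an added verification script that is not part of the lab guide (my own code), the following Python parses the two show ntp outputs above and checks that ASA1 is synchronized to the intended server, that the association carries the authenticated flag (the key-id 1 / MD5 requirement of this task), and that the peer is configured, sane and valid with a small offset. The sample strings are trimmed copies of the lab output.

```python
import re

# "show ntp status" and "show ntp associations detail" output from ASA1 in the
# lab, reproduced here as constructed input strings.
STATUS = """\
Clock is synchronized, stratum 9, reference is 150.1.7.163
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
clock offset is -0.2000 msec, root delay is 1.74 msec
root dispersion is 15893.17 msec, peer dispersion is 15890.63 msec
"""
DETAIL = """\
150.1.7.163 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.1.1, time df3b5408.4f5c29d0 (23:21:44.310 PST Wed Sep 5 2018)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 2.33, reach 3, sync dist 7893.951
delay 1.86 msec, offset -0.0642 msec, dispersion 7890.69
precision 2**10, version 3
"""

STATUS_RE = re.compile(r"Clock is (?P<sync>\w+), stratum (?P<stratum>\d+), reference is (?P<ref>\S+)")
PEER_RE = re.compile(r"^(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<rest>.+)$")  # first line of an association
OFFSET_RE = re.compile(r"\boffset (?P<ms>-?[\d.]+) msec")


def parse_status(text):
    """Return {"synchronized", "stratum", "reference"} from show ntp status."""
    m = STATUS_RE.search(text)
    if not m:   # "Clock is unsynchronized, stratum 16, no reference clock" has no reference
        return {"synchronized": False, "stratum": 16, "reference": None}
    return {"synchronized": m["sync"] == "synchronized",
            "stratum": int(m["stratum"]), "reference": m["ref"]}


def parse_peers(text):
    """Map each association's address to its flag set, stratum and measured offset."""
    peers, cur = {}, None
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            parts = [p.strip() for p in m["rest"].split(",")]
            stratum = next((int(p.split()[1]) for p in parts if p.startswith("stratum")), None)
            cur = peers[m["addr"]] = {"flags": {p for p in parts if not p.startswith("stratum")},
                                      "stratum": stratum, "offset_ms": None}
        elif cur and (m := OFFSET_RE.search(line)):
            cur["offset_ms"] = float(m["ms"])
    return peers


def audit_ntp(status, detail, server, max_offset_ms=100.0):
    """Findings for ASA1 as an authenticated NTP client; [] means all checks passed."""
    findings = []
    st = parse_status(status)
    if not st["synchronized"]:
        findings.append("clock is not synchronized")
    elif st["reference"] != server:
        findings.append(f"synchronized to {st['reference']}, expected {server}")
    peer = parse_peers(detail).get(server)
    if peer is None:
        return findings + [f"{server} has no NTP association"]
    # The "authenticated" flag means the server's packets verified against a trusted key.
    if "authenticated" not in peer["flags"]:
        findings.append(f"{server} is not authenticated (check ntp authenticate / trusted-key)")
    for needed in ("configured", "sane", "valid"):
        if needed not in peer["flags"]:
            findings.append(f"{server} is not {needed}")
    if peer["offset_ms"] is not None and abs(peer["offset_ms"]) > max_offset_ms:
        findings.append(f"offset {peer['offset_ms']} ms exceeds {max_offset_ms} ms")
    return findings


if __name__ == "__main__":
    print(audit_ntp(STATUS, DETAIL, "150.1.7.163") or ["OK"])
```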

TASK2 CONFIGURE DNS ON ASA1

 Configure ASA1 to perform DNS lookups.

 The DNS server IP is 150.1.7.164.

 The domain name is cisco.com; use the MGMT interface.

Configuration on Firewall

ASA1:

dns domain-lookup mgmt

dns name-server 150.1.7.164

domain-name cisco.com


Verification:

ASA1# ping ISE-P.cisco.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.7.169, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1# show dns-hosts

Host Flags Age Type Address(es)

ISE-P.cisco.com (temp, OK) 0 IP 150.1.7.169

TASK3 CONFIGURE LOGGING ON ASA1

 Create a log filter list to send all IKE, IPSec, and VPN client warning messages to a syslog server at 10.1.1.101.

 Send only critical EIGRP and RIP messages to the buffer and change the buffer size to 32768. Messages
should be saved to the flash when the buffer gets full.

 Send debug messages to the ASDM. The ASA should buffer 300 messages. 


Configuration on Firewall

ASA1:

logging enable

“Create logging Lists”

logging list IPSEC level warnings class vpn

logging list IPSEC level warnings class vpnc

logging list FAILOVER level errors class ha

Send the logs to the syslog server

logging host dmzserver 150.1.7.164


logging trap IPSEC

Send logs to the buffer and change the buffer logging parameters

logging class rip buffered critical


logging class eigrp buffered critical
logging buffer-size 32768


logging flash-bufferwrap

Section 2 – NGFW Firewall

GOAL OF THE LAB

The goal of this hands-on lab is to give a deployment engineer the skills necessary to successfully install and configure Cisco’s latest version of Next Generation Firewall (NGFW). You will deploy Firepower Management Center (FMC) and Firepower Threat Defense (FTD) devices in a realistic network topology. Once the devices have a basic configuration you will learn how to use some of the new features and benefits of the integrated Firewall (FW) and Intrusion Prevention System (IPS). Though this lab is geared to teach the basics of FTD, throughout this lab there are questions and roadblocks to help you learn what should/shouldn’t (or can/can’t) be done. When approaching this lab, come with your thinking caps on and engaged.


LAB-2.1: - SETTING UP THE LAB ENVIRONMENT

TASK1 DOWNLOAD FMC AND FTD FROM CISCO.COM

 Download the FMC, NGIPS and FTD from cisco.com with valid credentials.
 Once downloaded, install the OVF template on the VMware ESXi server.
 Allocate the logical resources to the FMC, NGIPS and FTD.
 Power on all the devices.

“The Firepower Threat Defense (FTD) devices are not configurable via their CLI beyond setting up their Management Interfaces. In order to configure the data plane, you must either use the Firepower Device Manager (a new feature in Firepower version 6.1) or the Firepower Management Center (FMC).”

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK2 CONFIGURE FMC/FTDV1/FTDV2 AND NGIPS


 Configure all the devices:
  o Log in to the NGFW with the username/password admin/Admin123
  o After logging in, change the password to Sanfran@1234
  o Manage locally
  o Use the IP scheme given in the IP reference sheet:

Interface        Name          IP
Default Gateway  MGMT gateway  150.1.7.1/24
Mgmt.            FMC           150.1.7.175/24
Mgmt.            FTDv1         150.1.7.176/24
Mgmt.            NGIPSv        150.1.7.177/24
Mgmt.            FTDv2         150.1.7.178/24
Domain-name      cisco.com     150.1.7.164

 For the detailed solution, please refer to the “avi” file uploaded on the resource portal


TASK3 CISCO FMC- OFF BOX MANAGEMENT FOR THE SENSOR

 Give the FMC the management IP 150.1.7.175/24
 Connect to the FMC for the first time and open the Administration page:
  o Change the password to Sanfran@1234
  o Change the Time Zone to Asia/Kolkata
  o Primary DNS 8.8.8.8
  o Secondary DNS 8.8.4.4
  o Tertiary DNS 150.1.7.164
 Initial Task Setup
  o Check the Access-list
  o Enable the VMware Tools
  o Process
  o Login Banner
     Change it to “Welcome to the Netmetric NGFW Lab”
  o HTTPS Certificate
  o Management Interface
  o Time Synchronization
     NTP Server :- 150.1.7.164
     Time Zone :- Asia/Kolkata
  o Email Notification
  o Check and create new users
     Bob : Network Access : Password – Sanfran@1234

 For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK4 SMART LICENSING

 Activate the Evaluation Mode Licensing on the FMC

Notes: -

Here is a brief description of the licenses:

Base: A perpetual license that is automatically included. This license covers anything that isn’t considered an “optional term license”; in other words, it covers everything except what is covered by the following term-based licenses.

Threat: A term-based license that analyzes network traffic for intrusions and exploits. It also has the ability to identify the file type of files being sent through the FTD device, such as documents, executables, PDFs, etc.

Malware: A term-based license that allows file policies to check for malware. This license is required if the use of Advanced Malware Protection (AMP) or AMP Threat Grid is desired.

URL: A term-based license that allows the use of category- and/or reputation-based URL filtering, such as gambling, social media, or using a “5 star” reputation system to filter URLs.

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK5 FMC DATABASE

 Product Update

 Rule Update
 Geolocation Update

TASK6 WHO IS AND GEOLOCATION SEARCH

 Look up each of the following IP addresses: check who owns it and which part of the world it comes from.
  o 1.1.1.1
  o 2.2.2.2
  o 5.5.5.5
  o 64.1.1.1

TASK7 CONFIGURE THE PLATFORM SETTINGS


 Create a new policy for “Threat Defense Settings” with the name “Test Platform”
  o Add Banner : Welcome to Netmetric NGFW
  o Secure Shell : Management interface

TASK8 INTEGRATION WITH AD

 Configure FMC so that it is integrated with Active Directory.
 The username and password are mentioned below:
  o Username : administrator
  o Password : Sanfran@1234


LAB-2.2: - FTD1/FTD2 AND NGIPS FIREWALL BASIC CONFIGURATION

TASK1 REGISTER THE FTD1, FTD2 AND NGIPS WITH FMC

 FTD1, FTD2 and NGIPS should be managed from the FMC.
 The shared secret key used for the registration between FTD1, FTD2, NGIPS and the FMC should be cisco123
 Add a group named HA for FTD1 and FTD2, and DMZ_NGIPS for the NGIPS
 The names of the policies should be “HA_Base-Policy” and “NGIPS_Base-Policy”
 The default action should be “Block all traffic”
 Enable all the license options.

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK2 CONFIGURE THE FTD HA

 Configure the interfaces as per the table below

Interface  Name        Zone     IP
Gi0/0      ISP_Out     Outside  150.1.7.190/24 – Secondary IP : 150.1.7.191
Gi0/1      LAN_Inside  Inside   100.1.1.100/24 – Secondary IP : 100.1.1.101
Gi0/2      DMZ_Server  DMZ      200.1.1.200/24 – Secondary IP : 200.1.1.101
Gi0/3      FO                   10.10.10.10 – Secondary IP : 10.10.10.10

For the detailed solution, please refer to the “avi” file uploaded on the resource portal


TASK3 CONFIGURE THE FTD ROUTING

 Configure OSPF on the Inside and DMZ zones of the HA FTD.
 The OSPF area should be 0 (ABR); use the topology to advertise the required networks.
 R100 and R200 are already configured for the same.

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK4 CONFIGURE THE NGIPS RULE

 Bring the EIGRP routing process up between R200 and R300 through the NGIPS.
 R300 should be in the Internal Zone of the NGIPS and R200 should be in the External Zone of the NGIPS.
 Enable logging at the beginning of the connection.
 Allow HTTP, ICMP and FTP traffic from the Client-PC to the respective servers.

TASK5 DEPLOY THE CONFIGURATION

 Deploy and push all the configuration to the FTD.
 Verify whether all the configuration has been pushed.
 Check reachability to all the devices.
 Verify & test the configuration

For the detailed solution, please refer to the “avi” file uploaded on the resource portal


LAB-2.3: - CONNECT THE LAN USER TO DMZ

TASK1 NAT POLICY

 Configure Static NAT with the DMZ as the “destination” interface; the implementation should be Auto NAT, going from the Inside zone to the DMZ zone.
 Web Server1 (1.1.1.1) should be accessible through the IP 50.50.50.50.
 Web Server2 (2.2.2.2) should be accessible through the IP 60.60.60.60.
 FTP Server1 (3.3.3.3) should be accessible through the IP 70.70.70.70.

A Note about Auto NAT and Manual NAT

Cisco recommends you use Auto NAT unless you need the extra features of Manual NAT. It is easier to configure and might be more stable for services such as VoIP.

Comparing Auto NAT and Manual NAT, the main differences between these two NAT types are:

How you define the real addresses:

Auto NAT – The NAT rule becomes a parameter for a network object. The network object IP address serves as the original (real) address.

Manual NAT – You identify a network object, or network group, for both the real and mapped addresses. In this case NAT is not a parameter of the network object; the network object (or network group) is a parameter of the NAT configuration. The ability to use a network object group for the real address means that manual NAT is more scalable.

How source and destination NAT is implemented:

Auto NAT – Each rule can apply to either the source or destination of the packet. So two rules might be used; one for the source IP address and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK2 TESTING CONNECTIVITY TO SERVERS


 Check the connectivity from the Client-PC.
 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

Although your routing and interfaces are correct, the Access Control Policy assigned to this FTD (currently the Base Policy) has no rules, so the Default Action rule applies, which is Block All Traffic.

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK3 CONFIGURE THE ACCESS POLICY WITH PRE-FILTER RULE


 Pre-Filter Rule
 Create a new rule in the Pre-Filter Policy
  o Name :- Fastpath_Policy
  o Action :- Fastpath
  o Apply :- Base Policy of FTD
 Check the connectivity now and ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK4 CONFIGURE THE ACCESS POLICY WITH ALLOW RULE FOR ICMP


 Remove the previously created Pre-filter policy and continue with the task.
 Create a new rule in the Mandatory category of the ACP base policy.
  o Name :- ICMP
  o Insert :- Into Mandatory
  o Action :- Allow
  o Source Zone :- Inside
  o Destination Zone :- DMZ
  o Source Network :- Lan_Subnet :- 6.6.6.0/24
  o Destination Network :- WebServer1 :- 1.1.1.1
  o Destination Network :- FTPServer :- 3.3.3.3
  o Port :- icmp
  o Logging :- Beginning of the Connection

Notes :-

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

When you click the dropdown menu button, notice all the options you have to choose from. A whole lab could be created around implementing and testing all these combinations of options. In short, use the following list to get an idea of what each is for:

Allow: Permit through the Firewall but check it against the SNORT rules.

Trust: Check it against the Firewall rules but don’t check it against the SNORT rules.

Monitor: Send the traffic to SNORT for analysis and then determine whether to process it through the Firewall rules.

Block: Don’t allow through the Firewall (and thus don’t send to SNORT either) and don’t send any sort of acknowledgement back to the source that you are blocking.

Block with Reset: Don’t allow through the Firewall and let the source know its connection has been terminated.

Interactive Block: Notify the user that the action that triggered this rule is recommended to be blocked, but that the user can choose to continue with this action should they feel it is okay to proceed.

Interactive Block with Reset: The same as the Interactive Block, but this time, if the user chooses not to proceed with their action, send a reset to the source.

TASK5 TESTING CONNECTIVITY TO SERVERS


 Check the connectivity from the Client-PC.
 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK6 CONFIGURE THE ACCESS POLICY WITH ALLOW RULE FOR HTTP

 Create a new rule in the Mandatory category of the ACP base policy.
  o Name :- HTTP
  o Insert :- Into Mandatory
  o Action :- Allow
  o Source Zone :- Inside
  o Destination Zone :- DMZ
  o Source Network :- Lan_Subnet :- 6.6.6.0/24
  o Destination Network :- WebServer1 :- 1.1.1.1
  o Destination Network :- WebServer2 :- 2.2.2.2
  o Port :- http 80
  o Logging :- Beginning of the Connection

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK7 TESTING CONNECTIVITY TO SERVERS


 Check the connectivity from the Client-PC.
 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For the detailed solution, please refer to the “avi” file uploaded on the resource portal


TASK8 CONFIGURE THE ACCESS POLICY WITH ALLOW RULE FOR FTP

 Create a new rule in the Mandatory category of the ACP base policy.
  o Name :- FTP
  o Insert :- Into Mandatory
  o Action :- Allow
  o Source Zone :- Inside
  o Destination Zone :- DMZ
  o Source Network :- Lan_Subnet :- 6.6.6.0/24
  o Destination Network :- FTPServer :- 3.3.3.3
  o Port :- http 21
  o Logging :- Beginning of the Connection

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK9 TESTING CONNECTIVITY TO SERVERS


 Check the connectivity from the Client-PC.
 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK10 CONFIGURE THE ACCESS POLICY WITH BLOCK RULE FOR GEOLOCATION OF GERMANY

 Create a new rule in the Mandatory category of the ACP base policy.
  o Name :- Block Germany
  o Insert :- Into Mandatory
  o Action :- Block
  o Source Zone :- Inside
  o Destination Zone :- DMZ
  o Source Network :- Lan_Subnet :- 6.6.6.0/24
  o Destination Network :- Germany :- Europe Continent
  o Logging :- Beginning of the Connection

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK11 TESTING CONNECTIVITY TO SERVERS


 Check the connectivity from the Client-PC.
 Ping 50.50.50.50, 60.60.60.60, 70.70.70.70

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

Here is a quick reference list of the different actions and some of their extended options:

Detect = checks the first 1460 bytes, determines the type of file and generates a log

Block = blocks the file based on the first 1460 bytes

Malware Cloud Lookup = sends the SHA-256 hash of a file to the cloud for analysis and, depending on the answer, generates a log if the file is bad. Optionally, msexe files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis.

Block Malware = sends the SHA-256 hash of a file to the cloud for analysis and, depending on the answer, blocks it if the file is bad. Optionally, msexe files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis.

Spero analysis = checks, apart from the SHA-256, some other parameters as well (e.g. the DLLs that are called)

Dynamic analysis = sends the file to the cloud for analysis. This can take 20-30 minutes

LAB-2.4: - CONFIGURE FILE AND MALWARE POLICY


TASK1 CONFIGURE A NEW FILE POLICY WITH NAME “PDF-MALWARE” TO BLOCK PDF FILES

 Create and add a new rule
  o Application Protocol :- Any
  o Direction of Transfer :- Download
  o Action :- Block Files
  o File Type Categories :- PDF
  o File Type :- All types in selected Categories

TASK2 USE THE SAME FILE POLICY WITH NAME “PDF-MALWARE” TO BLOCK ANY MALWARE

 Create and add a new rule
  o Application Protocol :- Any
  o Direction of Transfer :- Download
  o Action :- Block Malware
  o Options :- Spero Analysis for MSEXE, Local Malware Analysis
  o File Type Categories :- All
  o File Type :- All types in selected Categories

TASK3 CALL THE POLICY IN ACCESS CONTROL POLICY

 Add the “PDF-Malware” policy created above into the access control policy that we created in TASK 8.

LAB-2.5: - CONFIGURE URL FILTERING POLICY


TASK1 BLOCK GAMBLING CONTENT

 Create a general block rule so that the user cannot open Gambling sites.
 Create the rule
  o Name :- No Gambling For You!!
  o Insert :- Into Gambling
  o Action :- Block
  o Source Zone :- Inside
  o Destination Zone :- Outside
  o Source Network :- Lan_Subnet :- 10.1.1.0/24
  o URL :- Gambling
  o Logging :- Beginning of the Connection
 The HTTP Response should use the System Provided Block Response Page.
 Verify and test URL filtering

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK2 BLOCK SOCIAL MEDIA CONTENT

 Create a general block rule so that the user cannot open Social Media sites.
 Create the rule
  o Name :- Block Social Media
  o Insert :- Into Social Media
  o Action :- Block
  o Source Zone :- Inside
  o Destination Zone :- Outside
  o Source Network :- Lan_Subnet :- 10.1.1.0/24
  o URL :- Social Network
  o Logging :- Beginning of the Connection
 Verify and test URL filtering

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK3 ALLOW FACEBOOK ACCESS FOR CLIENT-PC


 Create a general allow rule so that the user can open the Facebook site.
 Create the rule
  o Name :- Permit Facebook
  o Insert :- Into Social Media
  o Action :- Allow
  o Source Zone :- Inside
  o Destination Zone :- Outside
  o Source Network :- Lan_Subnet :- 10.1.1.0/24
  o URL :- www.facebook.com
  o Logging :- Beginning of the Connection
 Verify and test URL filtering

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

LAB-2.6: - CONFIGURE SSL POLICY

TASK1 SELF SIGNED CERTIFICATE



 Generate the Self Signed Certificate:
  o Name :- FMC_CA
  o Country :- IN
  o State :- KR
  o City :- Bangalore
  o Org :- Netmetric
  o Dep :- Training
  o Common Name :- FMC as CA
 Download the certificate to the Client-PC and use the password Sanfran1234.
 Associate the SSL Policy with the ACP and deploy the configuration

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK2 CREATE THE SSL POLICY

 Generate the Self Signed Certificate:
  o Name :- SSL MITM Policy
  o Default Action :- Do not decrypt
 Add a rule as follows
  o Name :- MITM
  o Action :- Decrypt-Resign
  o With :- FMC_CA
  o Zone :- Source – Inside
  o Zone :- Destination – Outside
  o Network :- Source – Lab_Subnet
  o Logging :- At the beginning of the connection


For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK3 APPLY SSL POLICY TO ACP

 Attach the SSL Policy to the ACP, save the configuration, then Deploy.

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

TASK4 FMC CERTIFICATE

 Install the FMC CA certificate on the Client-PC
 Trust the FMC as a Certificate Authority (CA) within your browser
 Verify the end-to-end connectivity

For the detailed solution, please refer to the “avi” file uploaded on the resource portal

Section 3 – VPN

GOAL OF THE LAB


This Virtual Private Networks section is intended to help you master the VPN technologies that are available on IOS and the ASA. You will be configuring Site-to-Site, Remote Access, DMVPN, GetVPN, CA and Flex VPNs along with some advanced features related to these technologies.

It is recommended that you create your own diagram at the beginning of each lab so that any information you find useful during your preparation can be reflected on this drawing, making it much easier when you step into the real lab.

Multiple topology drawings are available for this chapter.

General Rules: - This lab will focus strictly on Virtual Private Networks. You will need to pre-configure the network with the base configuration files.

LAB-3.1: - SITE TO SITE VPN

LAB-SETUP

 Configure R51, R53 & R52(ISP) with the IP mentioned in the table


 Configure telnet on the respective routers using the password “cisco”
 For Internet access, configure default routes on R51 and R53 with the next hop being the corresponding interface IP of R52.

Device  Interface  IP
R51     Gi1        20.1.14.1/24
        Loopback0  14.14.14.14/24
R53     Gi1        20.1.15.1/24
        Loopback0  15.15.15.15/24
R52     Gi1        20.1.14.2/24
        Gi3        20.1.15.2/24

Configuration on Router: -

R51:

hostname R51

interface gi1

no shut

ip address 20.1.14.1 255.255.255.0



interface loop 0

ip address 14.14.14.14 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.14.2

R53:

hostname R53

interface gi1

no shut

ip address 20.1.15.1 255.255.255.0

interface loop 0

ip address 15.15.15.15 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.15.2

R52:

hostname R52


interface gi1

no shut

ip address 20.1.14.2 255.255.255.0

interface gi3

no shut

ip address 20.1.15.2 255.255.255.0

Verifications:

R51#show ip int br

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1 20.1.14.1 YES manual up up

GigabitEthernet4 150.1.7.184 YES manual up up

Loopback0 14.14.14.14 YES manual up up

R51#show ip route static


S* 0.0.0.0/0 [1/0] via 20.1.14.2

R53#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 20.1.15.1 YES manual up up

Loopback0 15.15.15.15 YES manual up up

R53#show ip route static

S* 0.0.0.0/0 [1/0] via 20.1.15.2

R52#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 20.1.14.2 YES manual up up

FastEthernet0/1 20.1.15.2 YES manual up up


R51#ping 20.1.15.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.15.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

R53#ping 20.1.14.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.14.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/32 ms

TASK1 SITE TO SITE IPSEC VPN (IOS-IOS) R51-R53

 Configure a basic Site to Site IPSec VPN in Main Mode to protect traffic between IP addresses 14.14.14.14 and 15.15.15.15 using the following policy:

ISAKMP Policy              IPSec Policy
Authentication: Pre-share  Encryption: esp-aes
Encryption: AES            Hash: SHA
Hash: SHA
DH Group: 5
Lifetime: 1800

Configuration on Router: -

R51:

crypto isakmp policy 10

encryption aes

authentication pre-share

hash sha

group 5

lifetime 1800

crypto isakmp key cisco address 20.1.15.1

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN


permit ip 14.14.14.0 0.0.0.255 15.15.15.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp

set transform-set TS

set peer 20.1.15.1

match address VPN

interface gi1

crypto map CMAP

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

ISAKMP is enabled and working. The router will now process IKE packets (UDP port 500) to establish the ISAKMP
“auxiliary” tunnel, which is used to securely negotiate the parameters of the IPSec tunnel.

R53:

crypto isakmp policy 10

encryption aes

authentication pre-share

hash sha

group 5


lifetime 1800

crypto isakmp key cisco address 20.1.14.1

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN

permit ip 15.15.15.0 0.0.0.255 14.14.14.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp

set transform-set TS

set peer 20.1.14.1

match address VPN

interface gi1

crypto map CMAP

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

ISAKMP is enabled and working. The router will now process IKE packets (UDP port 500) to establish the ISAKMP
“auxiliary” tunnel, which is used to securely negotiate the parameters of the IPSec tunnel.


R51#debug crypto isakmp

Crypto ISAKMP debugging is on

R51#ping 15.15.15.15 source loop 0

“The first ICMP packet triggers the ISAKMP process, as this is our interesting traffic matching the ACL. Before it actually
starts sending IKE packets to the peer, the router first checks whether there is any local SA (Security Association) matching
that traffic. Note that this check is against the IPSec SA, not the IKE SA.
OK, no SA means an IKE packet must be sent out.”

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 15.15.15.15, timeout is 2 seconds:

Packet sent with a source address of 14.14.14.14

*Mar 1 00:19:47.067: ISAKMP:(0): SA request profile is (NULL)

“The router has tried to find an IPSec SA matching the outgoing connection, but no valid SA has been found in the Security
Association Database (SAD) on the router.”

*Mar 1 00:19:47.067: ISAKMP: Created a peer struct for 20.1.15.1, peer port 500

*Mar 1 00:19:47.071: ISAKMP: New peer created peer = 0x66B340CC peer_handle = 0x80000002

*Mar 1 00:19:47.071: ISAKMP: Locking peer struct 0x66B340CC, refcount 1 for isakmp_initiator

*Mar 1 00:19:47.071: ISAKMP: local port 500, remote port 500

*Mar 1 00:19:47.071: ISAKMP: set new node 0 to QM_IDLE

*Mar 1 00:19:47.087: insert sa successfully sa = 666BB04C

*Mar 1 00:19:47.087: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

“The router has started IKE Main Mode (it is the default).”

*Mar 1 00:19:47.087: ISAKMP:(0):found peer pre-shared key matching 20.1.15.1

“Pre-shared key for remote peer has been found. ISAKMP will use it to authenticate the peer during one of the last stages
of IKE Phase 1. “

*Mar 1 00:19:47.091: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar 1 00:19:47.091: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar 1 00:19:47.091: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar 1 00:19:47.095: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar 1 00:19:47.095: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar 1 00:19:47.095: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 00:19:47.095: ISAKMP:(0): beginning Main Mode exchange

*Mar 1 00:19:47.099: ISAKMP:(0): sending packet to 20.1.15.1 my_port 500 peer_port 500 (I) MM_NO_STATE

“The router initiating the IKE exchange is called “the initiator”; the router responding to the IKE request is called “the
responder”. The initiator (R1) has sent its ISAKMP policy along with vendor-specific IDs, which are part of the IKE packet
payload. MM_NO_STATE indicates that the ISAKMP SA has been created, but nothing else has happened yet.”

*Mar 1 00:19:47.099: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 00:19:47.503: ISAKMP (0:0): received packet from 20.1.15.1 dport 500 sport 500 Global (I) MM_NO_STATE

“The responder (R2) has replied with an IKE packet that contains the negotiated ISAKMP policy along with its vendor-specific
IDs. Note that the IKE Main Mode state is still MM_NO_STATE.”

*Mar 1 00:19:47.515: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:19:47.515: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*Mar 1 00:19:47.523: ISAKMP:(0): processing SA payload. message ID = 0.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 20/46/84 ms

R14#

*Mar 1 00:19:47.523: ISAKMP:(0): processing vendor id payload

*Mar 1 00:19:47.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:19:47.523: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:19:47.527: ISAKMP:(0):found peer pre-shared key matching 20.1.15.1

*Mar 1 00:19:47.527: ISAKMP:(0): local preshared key found

*Mar 1 00:19:47.527: ISAKMP : Scanning profiles for xauth ...

*Mar 1 00:19:47.527: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy



*Mar 1 00:19:47.531: ISAKMP: encryption AES-CBC

*Mar 1 00:19:47.531: ISAKMP: keylength of 128

*Mar 1 00:19:47.531: ISAKMP: hash SHA

*Mar 1 00:19:47.531: ISAKMP: default group 5

*Mar 1 00:19:47.531: ISAKMP: auth pre-share

*Mar 1 00:19:47.531: ISAKMP: life type in seconds

*Mar 1 00:19:47.535: ISAKMP: life duration (basic) of 1800

*Mar 1 00:19:47.535: ISAKMP:(0):atts are acceptable. Next payload is 0

“The router is processing the ISAKMP parameters that have been sent as the reply. Vendor IDs are processed to determine
whether the peer supports e.g. NAT-Traversal or the Dead Peer Detection feature. The ISAKMP policy is checked against the
policies defined locally.

“atts are acceptable” indicates that the ISAKMP policy matches the remote peer's. Remember that the policy obtained from
the remote peer is compared with the locally defined policies starting from the lowest index (number) of policy defined in
the running config.”

*Mar 1 00:19:47.535: ISAKMP:(0):Acceptable atts:actual life: 0

*Mar 1 00:19:47.535: ISAKMP:(0):Acceptable atts:life: 0

*Mar 1 00:19:47.535: ISAKMP:(0):Basic life_in_seconds:1800

*Mar 1 00:19:47.539: ISAKMP:(0):Returning Actual lifetime: 1800

*Mar 1 00:19:47.539: ISAKMP:(0)::Started lifetime timer: 1800.

“The lifetime timer has been started. Note that default value of “lifetime” is used (86400 seconds). This is the lifetime for the
ISAKMP SA. Note that IPSec SAs have their own lifetime parameters, which may be defined as a number of seconds or
kilobytes of transmitted traffic.”

*Mar 1 00:19:47.539: ISAKMP:(0): processing vendor id payload

*Mar 1 00:19:47.539: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:19:47.543: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:19:47.543: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:19:47.543: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

“IKE Phase 1 (Main Mode) message 3: the third message is sent out containing KE (Key Exchange) information for the DH
(Diffie-Hellman) secure key exchange process.”

*Mar 1 00:19:47.587: ISAKMP:(0): sending packet to 20.1.15.1 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Mar 1 00:19:47.587: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 00:19:47.591: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:19:47.591: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

“The 4th message has been received from the peer. It contains the KE payload, and based on that information both peers can
generate a common session key to be used in securing further communication. The pre-shared key configured locally for the
peer is used in this calculation. After receiving this message, the peers are also able to determine whether there is a NAT
along the path.”

*Mar 1 00:19:48.043: ISAKMP (0:0): received packet from 20.1.15.1 dport 500 sport 500 Global (I) MM_SA_SETUP

*Mar 1 00:19:48.043: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH



*Mar 1 00:19:48.047: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

“MM_SA_SETUP” indicates that the peers have agreed on the parameters for the ISAKMP SA.

*Mar 1 00:19:48.051: ISAKMP:(0): processing KE payload. message ID = 0

*Mar 1 00:19:48.399: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar 1 00:19:48.399: ISAKMP:(0):found peer pre-shared key matching 20.1.15.1

*Mar 1 00:19:48.403: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:19:48.407: ISAKMP:(1001): vendor ID is Unity

*Mar 1 00:19:48.407: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:19:48.407: ISAKMP:(1001): vendor ID is DPD

*Mar 1 00:19:48.407: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:19:48.411: ISAKMP:(1001): speaking to another IOS box!

*Mar 1 00:19:48.411: ISAKMP:received payload type 20

*Mar 1 00:19:48.411: ISAKMP:received payload type 20

*Mar 1 00:19:48.411: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:19:48.415: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM4

“IKE Phase 1 (Main Mode) message 5: the fifth message is used to send authentication information to the peer. This
information is transmitted under the protection of the common shared secret.”

*Mar 1 00:19:48.419: ISAKMP:(1001):Send initial contact

*Mar 1 00:19:48.423: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 1 00:19:48.423: ISAKMP (0:1001): ID payload

next-payload : 8

type :1

address : 20.1.14.1

protocol : 17

port : 500

length : 12

*Mar 1 00:19:48.423: ISAKMP:(1001):Total payload length: 12

*Mar 1 00:19:48.427: ISAKMP:(1001): sending packet to 20.1.15.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

“MM_KEY_EXCH” indicates that the peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The
ISAKMP SA remains unauthenticated. Note that the process of authentication has just started.

*Mar 1 00:19:48.427: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:19:48.431: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:19:48.431: ISAKMP:(1001):Old State = IKE_I_MM4 New State = IKE_I_MM5


“IKE Phase 1 (Main Mode) message 6: the peer identity is verified by the local router and the SA is established. This message
finishes ISAKMP Main Mode (Phase I) and the status changes to IKE_P1_COMPLETE.”

*Mar 1 00:19:48.467: ISAKMP (0:1001): received packet from 20.1.15.1 dport 500 sport 500 Global (I) MM_KEY_EXCH

“Note that the process of peer authentication is still in progress (MM_KEY_EXCH). Remember that there is also one IKE Main
Mode state which is not visible in the debug output: “MM_KEY_AUTH”, which indicates that the ISAKMP SA has been
authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and a Quick Mode
exchange begins.”

*Mar 1 00:19:48.471: ISAKMP:(1001): processing ID payload. message ID = 0

*Mar 1 00:19:48.471: ISAKMP (0:1001): ID payload

next-payload : 8

type :1

address : 20.1.15.1

protocol : 17

port : 500

length : 12

*Mar 1 00:19:48.471: ISAKMP:(0):: peer matches *none* of the profiles

*Mar 1 00:19:48.475: ISAKMP:(1001): processing HASH payload. message ID = 0

*Mar 1 00:19:48.475: ISAKMP:(1001):SA authentication status:

authenticated

*Mar 1 00:19:48.479: ISAKMP:(1001):SA has been authenticated with 20.1.15.1

*Mar 1 00:19:48.479: ISAKMP: Trying to insert a peer 20.1.14.1/20.1.15.1/500/, and inserted successfully 66B340CC.

“The peer has been authenticated now. Note that an SA number has been generated and inserted into the SADB along with the
peer-related information agreed during IKE Main Mode.”

*Mar 1 00:19:48.479: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:19:48.483: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6

*Mar 1 00:19:48.487: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:19:48.487: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Mar 1 00:19:48.495: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:19:48.495: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

*Mar 1 00:19:48.499: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of -1496356104

*Mar 1 00:19:48.503: ISAKMP:(1001):QM Initiator gets spi

*Mar 1 00:19:48.507: ISAKMP:(1001): sending packet to 20.1.15.1 my_port 500 peer_port 500 (I) QM_IDLE

*Mar 1 00:19:48.507: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:19:48.507: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Mar 1 00:19:48.511: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

*Mar 1 00:19:48.511: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar 1 00:19:48.511: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

“IKE Phase 2 (Quick Mode) message 2: the second QM message is the response from the peer. It contains the IPSec policy
chosen by the peer and the peer's proxy ID. This is the next place where something can go wrong, if the Proxy IDs differ on the
two sides of the tunnel: the router cross-checks that its Proxy ID is a mirror of the peer's Proxy ID.”

*Mar 1 00:19:48.559: ISAKMP (0:1001): received packet from 20.1.15.1 dport 500 sport 500 Global (I) QM_IDLE

“The state of IKE is “QM_IDLE”. This indicates that the ISAKMP SA is idle. It remains authenticated with its peer and may
be used for subsequent quick mode exchanges. It is in a quiescent state. “

*Mar 1 00:19:48.563: ISAKMP:(1001): processing HASH payload. message ID = -1496356104

*Mar 1 00:19:48.567: ISAKMP:(1001): processing SA payload. message ID = -1496356104

*Mar 1 00:19:48.567: ISAKMP:(1001):Checking IPSec proposal 1

*Mar 1 00:19:48.567: ISAKMP: transform 1, ESP_AES


*Mar 1 00:19:48.567: ISAKMP: attributes in transform:

*Mar 1 00:19:48.567: ISAKMP: encaps is 1 (Tunnel)

*Mar 1 00:19:48.571: ISAKMP: SA life type in seconds

*Mar 1 00:19:48.571: ISAKMP: SA life duration (basic) of 3600

*Mar 1 00:19:48.571: ISAKMP: SA life type in kilobytes

*Mar 1 00:19:48.571: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Mar 1 00:19:48.575: ISAKMP: authenticator is HMAC-SHA

*Mar 1 00:19:48.575: ISAKMP: key length is 128

*Mar 1 00:19:48.575: ISAKMP:(1001):atts are acceptable.

“The routers are negotiating the parameters for the IPSec tunnel which will be used for traffic transmission. These parameters
are defined by the “crypto ipsec transform-set” command. Note that the lifetime values of the IPSec SA are visible at this
moment; they can be set either globally or in the crypto map entry. “atts are acceptable” indicates that the IPSec parameters
defined in the IPSec transform-set match on both sides.”

*Mar 1 00:19:48.579: ISAKMP:(1001): processing NONCE payload. message ID = -1496356104

*Mar 1 00:19:48.579: ISAKMP:(1001): processing ID payload. message ID = -1496356104

*Mar 1 00:19:48.579: ISAKMP:(1001): processing ID payload. message ID = -1496356104

*Mar 1 00:19:48.587: ISAKMP:(1001): Creating IPSec SAs

*Mar 1 00:19:48.587: inbound SA from 20.1.15.1 to 20.1.14.1 (f/i) 0/ 0

(proxy 15.15.15.0 to 14.14.14.0)

*Mar 1 00:19:48.591: has spi 0x56923AE3 and conn_id 0



*Mar 1 00:19:48.591: lifetime of 3600 seconds

*Mar 1 00:19:48.591: lifetime of 4608000 kilobytes

*Mar 1 00:19:48.591: outbound SA from 20.1.14.1 to 20.1.15.1 (f/i) 0/0

(proxy 14.14.14.0 to 15.15.15.0)

*Mar 1 00:19:48.591: has spi 0x1BCBC824 and conn_id 0

*Mar 1 00:19:48.595: lifetime of 3600 seconds

*Mar 1 00:19:48.595: lifetime of 4608000 kilobytes

The IPSec SAs have been created and inserted in the router's security associations database (SADB). SAs are distinguished
by SPI values, which are also used to differentiate the many tunnels terminated on the same router. Note that two SPI values
are generated for one tunnel: one SPI for the inbound SA and one SPI for the outbound SA. The SPI value is inserted in the ESP
header of the packet leaving the router. At the other side of the tunnel, the SPI value carried in the ESP header lets the router
look up the parameters and keys that were dynamically agreed during IKE negotiation, or during session key refresh when the
lifetime expires. The SPI value is an index into the entries of the router's SADB.

*Mar 1 00:19:48.595: ISAKMP:(1001): sending packet to 20.1.15.1 my_port 500 peer_port 500 (I) QM_IDLE

*Mar 1 00:19:48.599: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:19:48.599: ISAKMP:(1001):deleting node -1496356104 error FALSE reason "No Error"

*Mar 1 00:19:48.599: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 1 00:19:48.603: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE

All the negotiations have been completed. The tunnel is up and ready to pass the traffic.


R53#debug crypto isakmp

Crypto ISAKMP debugging is on

*Mar 1 00:16:09.371: ISAKMP (0:0): received packet from 20.1.14.1 dport 500 sport 500 Global (N) NEW SA

*Mar 1 00:16:09.375: ISAKMP: Created a peer struct for 20.1.14.1, peer port 500

*Mar 1 00:16:09.375: ISAKMP: New peer created peer = 0x66EBF3DC peer_handle = 0x80000002

*Mar 1 00:16:09.375: ISAKMP: Locking peer struct 0x66EBF3DC, refcount 1 for crypto_isakmp_process_block

*Mar 1 00:16:09.375: ISAKMP: local port 500, remote port 500

*Mar 1 00:16:09.379: insert sa successfully sa = 661E8044

*Mar 1 00:16:09.391: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:16:09.391: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Mar 1 00:16:09.395: ISAKMP:(0): processing SA payload. message ID = 0

*Mar 1 00:16:09.399: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.399: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:16:09.399: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:16:09.399: ISAKMP:(0): processing vendor id payload


*Mar 1 00:16:09.403: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar 1 00:16:09.403: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar 1 00:16:09.403: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.403: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 1 00:16:09.407: ISAKMP:(0): vendor ID is NAT-T v3

*Mar 1 00:16:09.407: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.407: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 1 00:16:09.407: ISAKMP:(0): vendor ID is NAT-T v2

*Mar 1 00:16:09.411: ISAKMP:(0):found peer pre-shared key matching 20.1.14.1

*Mar 1 00:16:09.411: ISAKMP:(0): local preshared key found

*Mar 1 00:16:09.411: ISAKMP : Scanning profiles for xauth ...

*Mar 1 00:16:09.411: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar 1 00:16:09.411: ISAKMP: encryption AES-CBC

*Mar 1 00:16:09.415: ISAKMP: keylength of 128

*Mar 1 00:16:09.415: ISAKMP: hash SHA

*Mar 1 00:16:09.415: ISAKMP: default group 5

*Mar 1 00:16:09.415: ISAKMP: auth pre-share

*Mar 1 00:16:09.415: ISAKMP: life type in seconds

*Mar 1 00:16:09.415: ISAKMP: life duration (basic) of 1800

*Mar 1 00:16:09.419: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar 1 00:16:09.419: ISAKMP:(0):Acceptable atts:actual life: 0


*Mar 1 00:16:09.419: ISAKMP:(0):Acceptable atts:life: 0

*Mar 1 00:16:09.419: ISAKMP:(0):Basic life_in_seconds:1800

*Mar 1 00:16:09.423: ISAKMP:(0):Returning Actual lifetime: 1800

*Mar 1 00:16:09.423: ISAKMP:(0)::Started lifetime timer: 1800.

*Mar 1 00:16:09.423: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.423: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 1 00:16:09.427: ISAKMP (0:0): vendor ID is NAT-T RFC 3947

*Mar 1 00:16:09.427: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.427: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar 1 00:16:09.427: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar 1 00:16:09.431: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.431: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 1 00:16:09.431: ISAKMP:(0): vendor ID is NAT-T v3

*Mar 1 00:16:09.431: ISAKMP:(0): processing vendor id payload

*Mar 1 00:16:09.435: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 1 00:16:09.435: ISAKMP:(0): vendor ID is NAT-T v2

*Mar 1 00:16:09.435: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:16:09.439: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Mar 1 00:16:09.447: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID


*Mar 1 00:16:09.447: ISAKMP:(0): sending packet to 20.1.14.1 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Mar 1 00:16:09.447: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 1 00:16:09.451: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:16:09.451: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Mar 1 00:16:09.751: ISAKMP (0:0): received packet from 20.1.14.1 dport 500 sport 500 Global (R) MM_SA_SETUP

*Mar 1 00:16:09.755: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:16:09.755: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Mar 1 00:16:09.759: ISAKMP:(0): processing KE payload. message ID = 0

*Mar 1 00:16:10.127: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar 1 00:16:10.127: ISAKMP:(0):found peer pre-shared key matching 20.1.14.1

*Mar 1 00:16:10.135: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:16:10.135: ISAKMP:(1001): vendor ID is Unity

*Mar 1 00:16:10.135: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:16:10.135: ISAKMP:(1001): vendor ID is DPD

*Mar 1 00:16:10.139: ISAKMP:(1001): processing vendor id payload

*Mar 1 00:16:10.139: ISAKMP:(1001): speaking to another IOS box!

*Mar 1 00:16:10.139: ISAKMP:received payload type 20

*Mar 1 00:16:10.139: ISAKMP:received payload type 20

*Mar 1 00:16:10.143: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:16:10.143: ISAKMP:(1001):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Mar 1 00:16:10.151: ISAKMP:(1001): sending packet to 20.1.14.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar 1 00:16:10.155: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:16:10.155: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:16:10.155: ISAKMP:(1001):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Mar 1 00:16:10.563: ISAKMP (0:1001): received packet from 20.1.14.1 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Mar 1 00:16:10.563: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:16:10.563: ISAKMP:(1001):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Mar 1 00:16:10.567: ISAKMP:(1001): processing ID payload. message ID = 0

*Mar 1 00:16:10.567: ISAKMP (0:1001): ID payload

next-payload : 8

type :1

address : 20.1.14.1

protocol : 17

port : 500

length : 12

*Mar 1 00:16:10.567: ISAKMP:(0):: peer matches *none* of the profiles

*Mar 1 00:16:10.567: ISAKMP:(1001): processing HASH payload. message ID = 0

*Mar 1 00:16:10.567: ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1

spi 0, message ID = 0, sa = 661E8044

*Mar 1 00:16:10.567: ISAKMP:(1001):SA authentication status:

authenticated

*Mar 1 00:16:10.567: ISAKMP:(1001):SA has been authenticated with 20.1.14.1

*Mar 1 00:16:10.571: ISAKMP:(1001):SA authentication status:

authenticated

*Mar 1 00:16:10.571: ISAKMP:(1001): Process initial contact,

bring down existing phase 1 and 2 SA's with local 20.1.15.1 remote 20.1.14.1 remote port 500

*Mar 1 00:16:10.571: ISAKMP: Trying to insert a peer 20.1.15.1/20.1.14.1/500/, and inserted successfully 66EBF3DC.

*Mar 1 00:16:10.571: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:16:10.571: ISAKMP:(1001):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Mar 1 00:16:10.575: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 1 00:16:10.575: ISAKMP (0:1001): ID payload

next-payload : 8

type :1

address : 20.1.15.1

protocol : 17

port : 500

length : 12

*Mar 1 00:16:10.575: ISAKMP:(1001):Total payload length: 12

*Mar 1 00:16:10.575: ISAKMP:(1001): sending packet to 20.1.14.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar 1 00:16:10.575: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:16:10.575: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:16:10.575: ISAKMP:(1001):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Mar 1 00:16:10.579: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar 1 00:16:10.583: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 1 00:16:10.655: ISAKMP (0:1001): received packet from 20.1.14.1 dport 500 sport 500 Global (R) QM_IDLE

*Mar 1 00:16:10.655: ISAKMP: set new node -1496356104 to QM_IDLE

*Mar 1 00:16:10.659: ISAKMP:(1001): processing HASH payload. message ID = -1496356104


*Mar 1 00:16:10.659: ISAKMP:(1001): processing SA payload. message ID = -1496356104

*Mar 1 00:16:10.659: ISAKMP:(1001):Checking IPSec proposal 1

*Mar 1 00:16:10.659: ISAKMP: transform 1, ESP_AES

*Mar 1 00:16:10.663: ISAKMP: attributes in transform:

*Mar 1 00:16:10.663: ISAKMP: encaps is 1 (Tunnel)

*Mar 1 00:16:10.663: ISAKMP: SA life type in seconds

*Mar 1 00:16:10.663: ISAKMP: SA life duration (basic) of 3600

*Mar 1 00:16:10.663: ISAKMP: SA life type in kilobytes

*Mar 1 00:16:10.663: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Mar 1 00:16:10.667: ISAKMP: authenticator is HMAC-SHA

*Mar 1 00:16:10.667: ISAKMP: key length is 128

*Mar 1 00:16:10.667: ISAKMP:(1001):atts are acceptable.

*Mar 1 00:16:10.667: ISAKMP:(1001): processing NONCE payload. message ID = -1496356104

*Mar 1 00:16:10.667: ISAKMP:(1001): processing ID payload. message ID = -1496356104

*Mar 1 00:16:10.671: ISAKMP:(1001): processing ID payload. message ID = -1496356104

*Mar 1 00:16:10.675: ISAKMP:(1001):QM Responder gets spi

*Mar 1 00:16:10.675: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 1 00:16:10.675: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE

*Mar 1 00:16:10.683: ISAKMP:(1001): Creating IPSec SAs


*Mar 1 00:16:10.683: inbound SA from 20.1.14.1 to 20.1.15.1 (f/i) 0/ 0

(proxy 14.14.14.0 to 15.15.15.0)

*Mar 1 00:16:10.683: has spi 0x1BCBC824 and conn_id 0

*Mar 1 00:16:10.683: lifetime of 3600 seconds

*Mar 1 00:16:10.683: lifetime of 4608000 kilobytes

*Mar 1 00:16:10.683: outbound SA from 20.1.15.1 to 20.1.14.1 (f/i) 0/0

(proxy 15.15.15.0 to 14.14.14.0)

*Mar 1 00:16:10.683: has spi 0x56923AE3 and conn_id 0

*Mar 1 00:16:10.683: lifetime of 3600 seconds

*Mar 1 00:16:10.683: lifetime of 4608000 kilobytes

*Mar 1 00:16:10.683: ISAKMP:(1001): sending packet to 20.1.14.1 my_port 500 peer_port 500 (R) QM_IDLE

*Mar 1 00:16:10.683: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Mar 1 00:16:10.687: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

*Mar 1 00:16:10.687: ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2

*Mar 1 00:16:10.703: ISAKMP (0:1001): received packet from 20.1.14.1 dport 500 sport 500 Global (R) QM_IDLE

*Mar 1 00:16:10.707: ISAKMP:(1001):deleting node -1496356104 error FALSE reason "QM done (await)"

*Mar 1 00:16:10.707: ISAKMP:(1001):Node -1496356104, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

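
As an added example (not code from the lab guide), this Python script reads the R51 and R53 "debug crypto isakmp" traces above into the state transitions, authentication result and IPSec SA/SPI pairs that the commentary walks through, and checks that the SPIs mirror between the two peers. The R51_DEBUG and R53_DEBUG samples are constructed, abridged copies of the traces shown above; the regular expressions assume that classic IKEv1 debug format.

```python
"""Summarise Cisco IOS 'debug crypto isakmp' output (IKEv1 Main Mode + Quick Mode).

Added example, not code from the lab guide. R51_DEBUG and R53_DEBUG are constructed,
abridged copies of the initiator and responder traces shown above.
"""
import re
from textwrap import dedent
from typing import Dict, List, Tuple

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
SA_HDR_RE = re.compile(r"\b(inbound|outbound) SA from (\S+) to (\S+)")
PROXY_RE = re.compile(r"\(proxy (\S+) to (\S+)\)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"lifetime of (\d+) (seconds|kilobytes)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")

R51_DEBUG = dedent("""\
    *Mar 1 00:19:47.095: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
    *Mar 1 00:19:48.479: ISAKMP:(1001):SA has been authenticated with 20.1.15.1
    *Mar 1 00:19:48.495: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
    *Mar 1 00:19:48.511: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
    *Mar 1 00:19:48.587: inbound SA from 20.1.15.1 to 20.1.14.1 (f/i) 0/ 0
    (proxy 15.15.15.0 to 14.14.14.0)
    *Mar 1 00:19:48.591: has spi 0x56923AE3 and conn_id 0
    *Mar 1 00:19:48.591: lifetime of 3600 seconds
    *Mar 1 00:19:48.591: lifetime of 4608000 kilobytes
    *Mar 1 00:19:48.591: outbound SA from 20.1.14.1 to 20.1.15.1 (f/i) 0/0
    (proxy 14.14.14.0 to 15.15.15.0)
    *Mar 1 00:19:48.591: has spi 0x1BCBC824 and conn_id 0
    *Mar 1 00:19:48.595: lifetime of 3600 seconds
    *Mar 1 00:19:48.595: lifetime of 4608000 kilobytes
    *Mar 1 00:19:48.603: ISAKMP:(1001):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
    """)

R53_DEBUG = dedent("""\
    *Mar 1 00:16:09.391: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    *Mar 1 00:16:10.567: ISAKMP:(1001):SA has been authenticated with 20.1.14.1
    *Mar 1 00:16:10.575: ISAKMP:(1001):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
    *Mar 1 00:16:10.683: inbound SA from 20.1.14.1 to 20.1.15.1 (f/i) 0/ 0
    (proxy 14.14.14.0 to 15.15.15.0)
    *Mar 1 00:16:10.683: has spi 0x1BCBC824 and conn_id 0
    *Mar 1 00:16:10.683: lifetime of 3600 seconds
    *Mar 1 00:16:10.683: outbound SA from 20.1.15.1 to 20.1.14.1 (f/i) 0/0
    (proxy 15.15.15.0 to 14.14.14.0)
    *Mar 1 00:16:10.683: has spi 0x56923AE3 and conn_id 0
    *Mar 1 00:16:10.683: lifetime of 3600 seconds
    *Mar 1 00:16:10.687: ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
    """)


def parse_transitions(text: str) -> List[Tuple[str, str]]:
    """Every (old, new) ISAKMP state pair, in logged order."""
    return [m.groups() for m in STATE_RE.finditer(text)]


def parse_ipsec_sas(text: str) -> List[Dict]:
    """One dict per inbound/outbound SA block: endpoints, proxy IDs, SPI, lifetimes."""
    sas: List[Dict] = []
    cur: Dict = {}
    for line in text.splitlines():
        if (m := SA_HDR_RE.search(line)):
            cur = {"dir": m.group(1), "src": m.group(2), "dst": m.group(3)}
            sas.append(cur)
        elif (m := PROXY_RE.search(line)) and cur:
            cur["proxy"] = (m.group(1), m.group(2))
        elif (m := SPI_RE.search(line)) and cur:
            cur["spi"] = int(m.group(1), 16)
        elif (m := LIFE_RE.search(line)) and cur:
            cur["life_" + m.group(2)] = int(m.group(1))
    return sas


def summarize(text: str) -> Dict:
    """What a troubleshooter checks first: role, phase 1 done, peer authenticated, SAs installed."""
    new_states = [new for _, new in parse_transitions(text)]
    # IKE_I_* states are only logged by the initiator, IKE_R_* only by the responder.
    role = next((r for prefix, r in (("IKE_I_", "initiator"), ("IKE_R_", "responder"))
                 if any(s.startswith(prefix) for s in new_states)), "unknown")
    auth = AUTH_RE.search(text)
    sas = parse_ipsec_sas(text)
    return {
        "role": role,
        "phase1_complete": "IKE_P1_COMPLETE" in new_states,
        "authenticated_peer": auth.group(1) if auth else None,
        # Quick Mode produced a usable tunnel only when both directions received an SPI.
        "phase2_sas_installed": {s["dir"] for s in sas if "spi" in s} == {"inbound", "outbound"},
        "final_state": new_states[-1] if new_states else None,
        "ipsec_sas": sas,
    }


def spis_mirror(a_sas: List[Dict], b_sas: List[Dict]) -> bool:
    """Each peer's inbound SPIs must be the other peer's outbound SPIs (one SPI pair per tunnel)."""
    def spis(sas: List[Dict], direction: str) -> set:
        return {s.get("spi") for s in sas if s["dir"] == direction}
    return (spis(a_sas, "inbound") == spis(b_sas, "outbound")
            and spis(a_sas, "outbound") == spis(b_sas, "inbound"))
```

Feed a full trace captured from a real router into summarize() to get the same fields; a missing inbound or outbound SPI, or a final state that never reaches Quick Mode, points at where in the exchange to look.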

Verification:

R51#show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
20.1.15.1 20.1.14.1 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

This is the normal state of established IKE tunnel.

R51#show crypto isakmp sa detail


Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 20.1.14.1 20.1.15.1 ACTIVE aes sha psk 5 00:27:45


Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA


The negotiated ISAKMP policy is visible. This command is useful for figuring out which policy has been used to establish the
IKE tunnel when several policies match on both sides.

R51#show crypto ipsec sa

interface: FastEthernet0/0

This command shows information regarding the interfaces and defined crypto.

Crypto map tag: CMAP, local addr 20.1.14.1

protected vrf: (none)


local ident (addr/mask/prot/port): (14.14.14.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
current_peer 20.1.15.1 port 500

The proxies (source and destination of the interesting traffic) are displayed. “0/0” after the IP address and netmask indicates
that the whole IP protocol (any protocol, any port) is transported in the tunnel.

PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

Very important output, useful for IPSec debugging and troubleshooting. The first line indicates that outgoing packets are
encapsulated by ESP, encrypted and digested (a hash has been computed to detect any alteration). The second line
indicates that incoming packets are decapsulated (the IPSec header has been removed), decrypted, and their hash/digest
has been verified.

#pkts compressed: 0, #pkts decompressed: 0


#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 20.1.14.1, remote crypto endpt.: 20.1.15.1


path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x1BCBC824(466339876)

inbound esp sas:


spi: 0x56923AE3(1452423907)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: CMAP


sa timing: remaining key lifetime (k/sec): (4496797/3459)


IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

This output contains useful information about the unidirectional SA: the IPSec protocol used (ESP), the SPI value, the
transform-set used (encryption algorithm along with the hash function), the ESP mode (tunnel or transport), the connection
ID, the crypto map, and the lifetime values in seconds and kilobytes remaining until session key refresh (the tunnel is
terminated instead of rekeyed if no packets need to be transported via the tunnel when the SA expires).

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x1BCBC824(466339876)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4496797/3459)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R51#show crypto ipsec sa address


fvrf/address: (none)/20.1.14.1
protocol: ESP
spi: 0x56923AE3(1452423907)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }

conn id: 1, flow_id: SW:1, crypto map: CMAP


sa timing: remaining key lifetime (k/sec): (4496797/3399)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

fvrf/address: (none)/20.1.15.1
protocol: ESP
spi: 0x1BCBC824(466339876)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4496797/3399)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

R51#show crypto engine connections active


Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address


1 Fa0/0 IPsec AES+SHA 0 4 20.1.14.1
2 Fa0/0 IPsec AES+SHA 4 0 20.1.14.1
1001 Fa0/0 IKE SHA+AES 0 0 20.1.14.1

R51#show crypto engine connections dh


Number of DH's pregenerated = 2
DH lifetime = 86400 seconds

Software Crypto Engine:


Conn Status Group Time left
1 Used Group 5 1544

2 Pregen Group 5 --
The Diffie-Hellman group and the time that remains to next DH key generation.

Verification performed on the responder.

Refer to the same on R51 also.
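
As an added example (not code from the lab guide), a Python parser for the "show crypto ipsec sa" output discussed above: it extracts the proxy identities, encaps/decaps counters, SPIs and remaining lifetime, then classifies the tunnel as bidirectional or one-way in the way the commentary on the packet counters suggests. SAMPLE is constructed and abridged from the R51 output above; the patterns assume the IOS format shown there.

```python
"""Read 'show crypto ipsec sa' and classify the tunnel from its counters.

Added example, not code from the lab guide. SAMPLE is constructed and abridged
from the R51 output above; the patterns assume the IOS format shown there.
"""
import re
from textwrap import dedent
from typing import Dict, List

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
SPI_RE = re.compile(r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")

SAMPLE = dedent("""\
    interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 20.1.14.1
    local ident (addr/mask/prot/port): (14.14.14.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
    current_peer 20.1.15.1 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
    inbound esp sas:
    spi: 0x56923AE3(1452423907)
    sa timing: remaining key lifetime (k/sec): (4496797/3459)
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    spi: 0x1BCBC824(466339876)
    sa timing: remaining key lifetime (k/sec): (4496797/3459)
    """)


def parse_ipsec_sa(text: str) -> Dict:
    """Pull the fields the lab commentary walks through: proxies, counters, SPIs, lifetimes."""
    err = ERR_RE.search(text)
    return {
        "idents": {side: f"{addr}/{mask}/{prot}/{port}"
                   for side, addr, mask, prot, port in IDENT_RE.findall(text)},
        "counters": {name: int(val) for name, val in COUNTER_RE.findall(text)},
        "send_errors": int(err.group(1)) if err else 0,
        "recv_errors": int(err.group(2)) if err else 0,
        "spis": {direction: int(spi, 16) for direction, spi in SPI_RE.findall(text)},
        # Seconds left before rekey, across all listed SAs (None when no SA is up).
        "remaining_sec": min((int(sec) for _, sec in LIFE_RE.findall(text)), default=None),
    }


def diagnose(parsed: Dict) -> Dict:
    """Classify flow from encaps/decaps and flag the counter/SA inconsistencies worth a look."""
    c = parsed["counters"]
    notes: List[str] = []
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if enc == 0 and dec == 0:
        flow = "no-traffic"          # nothing matched the crypto ACL, or the map is not applied
    elif dec == 0:
        flow = "no-return-traffic"   # we encapsulate, nothing comes back: check the peer side
    elif enc == 0:
        flow = "no-outbound-traffic"
    else:
        flow = "bidirectional"
    if not (enc == c.get("encrypt") == c.get("digest")):
        notes.append("outbound counters disagree (encaps/encrypt/digest)")
    if not (dec == c.get("decrypt") == c.get("verify")):
        notes.append("inbound counters disagree (decaps/decrypt/verify)")
    if parsed["send_errors"]:
        # In the lab the first ping was dropped while IKE was still negotiating.
        notes.append(f"{parsed['send_errors']} send error(s)")
    if set(parsed["spis"]) != {"inbound", "outbound"}:
        notes.append("ESP SA missing in one direction")
    return {"flow": flow, "notes": notes}
```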

TASK2 SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) R51-R53

LAB-SETUP

 Configure R51, R54 and R52 (ISP) with the IP addresses in the table below.
 Configure Telnet on the respective routers using the password "cisco".
 For Internet reachability, configure default routes on R51 and R54 with the next hop set to the corresponding
interface IP of R52.

Device   Interface   IP
R51      Gi2         20.1.144.1/24
         Loopback0   14.14.14.14/24
R54      Gi1         20.1.16.1/24
         Loopback0   16.16.16.16/24
R52      Gi2         20.1.144.2/24
         Gi5         20.1.16.2/24

 Configure a basic site-to-site IPsec VPN in aggressive mode to protect traffic between 14.14.14.14 and 16.16.16.16,
using the following policy:

ISAKMP Policy
o Policy : 20
o Authentication : Pre-share (cisco)
o Encryption : 3des
o Hash : md5
o DH Group : 2
o Lifetime : 1800

IPSec Policy
o Transform-set : TSET
o Encryption : esp-aes
o Hash : SHA

Note: aggressive mode completes IKEv1 phase 1 in three messages instead of six, and the peer identities and the
responder's PSK-derived hash travel in the clear before the channel is encrypted. Anyone capturing that exchange can run
an offline dictionary attack against the pre-shared key, so use aggressive mode only when a peer's address is dynamic and
the key is long and random. 3DES, MD5 and DH group 2 are lab values; current deployments use AES, SHA-2 and DH group 14
or higher.

Configuration on Router: -

R51:

hostname R51

interface gi2

no shut

ip address 20.1.144.1 255.255.255.0

interface loop 0

ip address 14.14.14.14 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.144.2

R54:

hostname R54

interface gi1

no shut

ip address 20.1.16.1 255.255.255.0

interface loop 0

ip address 16.16.16.16 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.1.16.2

R52:

hostname R52

interface gi2

no shut

ip address 20.1.144.2 255.255.255.0

interface gi5

no shut

ip address 20.1.16.2 255.255.255.0

Verification

R51#ping 20.1.16.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.16.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/10 ms

Configuration on Routers:

R51:

crypto isakmp policy 20

encr 3des

hash md5

authentication pre-share

group 2

lifetime 1800

crypto isakmp peer address 20.1.16.1

set aggressive-mode password cisco

set aggressive-mode client-endpoint ipv4-address 20.1.16.1

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN2

permit ip 14.14.14.0 0.0.0.255 16.16.16.0 0.0.0.255

crypto map MAP 10 ipsec-isakmp

set peer 20.1.16.1

set transform-set TSET

match address VPN2

interface gi2

crypto map MAP

R54:

crypto isakmp policy 20

encr 3des

hash md5

authentication pre-share

group 2

lifetime 1800

crypto isakmp peer address 20.1.144.1

set aggressive-mode password cisco

set aggressive-mode client-endpoint ipv4-address 20.1.144.1

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN2

permit ip 16.16.16.0 0.0.0.255 14.14.14.0 0.0.0.255

crypto map MAP 10 ipsec-isakmp

set peer 20.1.144.1

set transform-set TSET

match address VPN2

interface gi1

crypto map MAP
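Before bringing a tunnel like this up it is worth checking both configurations for two things: a phase 1 proposal that actually matches on both sides (a mismatch is the most common reason an ISAKMP SA never leaves MM_NO_STATE or AG_INIT_EXCH), and settings that a security review would flag. The script below is an added example, not part of the lab guide. It parses only the plain IOS syntax used in this task (crypto isakmp policy, crypto ipsec transform-set, crypto isakmp peer address with set aggressive-mode ...); the sample configurations are constructed from the R51 and R54 configuration above, and R54_MISMATCH is a hypothetical variant in which R54 hashes with SHA-1 while R51 only offers MD5.

```python
"""Audit IOS IKEv1/IPsec configuration text for weak settings and peer policy mismatches.

Added example, not part of the lab guide. Understands only the plain IOS syntax the lab uses.
"""
import re

# Settings a production review flags; the lab uses several of them deliberately.
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
SMALL_DH = {"1", "2", "5"}          # MODP groups below 2048 bits
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# IOS defaults for an ISAKMP policy whose sub-commands are omitted.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1", "lifetime": 86400}
KEYMAP = {"encryption": "encr", "authentication": "auth"}


def parse_isakmp_policies(config):
    """Return {policy_number: {encr, hash, auth, group, lifetime}} with IOS defaults filled in.

    A policy block ends at the first line that is not one of its sub-commands; blank lines
    (the guide prints one between every command) are skipped, not treated as the end.
    """
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = dict(ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        m = re.match(r"(encryption|encr|hash|authentication|group|lifetime)\s+(\S+)$", line)
        if m and current is not None:
            key = KEYMAP.get(m.group(1), m.group(1))
            current[key] = int(m.group(2)) if key == "lifetime" else m.group(2)
        else:
            current = None
    return policies


def parse_transform_sets(config):
    """Return {name: [transforms]} from `crypto ipsec transform-set NAME t1 t2 ...` lines."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^\s*crypto ipsec transform-set (\S+)\s+(.+?)\s*$", config, re.M)}


def aggressive_mode_peers(config):
    """Peer addresses for which this router will initiate IKEv1 aggressive mode."""
    peers, current = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto isakmp peer address (\S+)$", line):
            current = m.group(1)
        elif line.startswith("set aggressive-mode password") and current:
            peers.add(current)
        elif not line.startswith("set "):
            current = None              # left the `crypto isakmp peer` block
    return sorted(peers)


def audit(config):
    """Return human-readable findings for one router's configuration."""
    findings = []
    for num, p in sorted(parse_isakmp_policies(config).items()):
        if p["encr"] in WEAK_ENCR:
            findings.append(f"isakmp policy {num}: weak encryption {p['encr']}")
        if p["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {p['hash']}")
        if p["group"] in SMALL_DH:
            findings.append(f"isakmp policy {num}: DH group {p['group']} is below 2048 bits")
    for name, transforms in parse_transform_sets(config).items():
        findings += [f"transform-set {name}: weak transform {t}" for t in transforms if t in WEAK_ESP]
        if not any(t.endswith("-hmac") or "gcm" in t for t in transforms):
            findings.append(f"transform-set {name}: no ESP integrity protection")
    findings += [f"peer {p}: IKEv1 aggressive mode with PSK (identity hash sent before encryption)"
                 for p in aggressive_mode_peers(config)]
    return findings


def matching_policies(config_a, config_b):
    """(policy_a, policy_b) pairs whose encr/hash/auth/group agree, i.e. proposals phase 1 can accept.

    Lifetime is deliberately not compared: IOS accepts the peer's shorter lifetime.
    """
    pa, pb = parse_isakmp_policies(config_a), parse_isakmp_policies(config_b)
    keys = ("encr", "hash", "auth", "group")
    return [(na, nb) for na, a in sorted(pa.items()) for nb, b in sorted(pb.items())
            if all(a[k] == b[k] for k in keys)]


# Constructed from the R51 / R54 configuration in Task 2.
R51_CONFIG = """
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp peer address 20.1.16.1
 set aggressive-mode password cisco
 set aggressive-mode client-endpoint ipv4-address 20.1.16.1
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode tunnel
crypto map MAP 10 ipsec-isakmp
 set peer 20.1.16.1
 set transform-set TSET
"""
R54_CONFIG = R51_CONFIG.replace("20.1.16.1", "20.1.144.1")
R54_MISMATCH = R54_CONFIG.replace("hash md5", "hash sha")   # hypothetical misconfiguration

if __name__ == "__main__":
    for f in audit(R51_CONFIG):
        print("R51:", f)
    print("matching policies R51/R54:", matching_policies(R51_CONFIG, R54_CONFIG))
    print("matching policies R51/R54 (mismatch):", matching_policies(R51_CONFIG, R54_MISMATCH))
```

Run against the two real configurations the audit reports the weak 3DES/MD5/group-2 policy and the aggressive-mode peer, and matching_policies returns [(20, 20)]; against the mismatched variant it returns an empty list, which is exactly the case where show crypto isakmp sa would never reach QM_IDLE.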

LAB-3.2: - CERTIFICATE AUTHORITY WITH CRYPTO ROUTE

LAB-SETUP
 Configure R51[CA], R53, R54, R52[ISP] with the IP mentioned in the table
 Configure the telnet on the respective routers using password “cisco”
 For Internet reachability, configure BGP as follows:
o R51 is in BGP AS 3
o R53 is in BGP AS 4
o R54 is in BGP AS 5
o R52 is in BGP AS 345
o Peer every site with the ISP using BGP
o Authenticate each BGP session with the password "cisco" (without quotes) using MD5

Device   Interface   IP
R51      Gi1         20.13.13.1/24
         Loopback0   192.168.13.1/24
R53      Gi1         20.14.14.1/24
         Loopback1   192.168.14.1/24
R54      Gi1         20.15.15.1/24
         Loopback1   192.168.15.1/24
R52      Gi3         20.14.14.2/24
         Gi5         20.15.15.2/24
         Gi1         20.13.13.2/24

Configuration on Routers:

R51(CA):

interface gi1

no shut

ip address 20.13.13.1 255.255.255.0

interface loop 0

ip address 192.168.13.1 255.255.255.0

router bgp 3

bgp router-id 3.3.3.3

nei 20.13.13.2 remote-as 345

nei 20.13.13.2 password cisco

network 192.168.13.0 mask 255.255.255.0

network 20.13.13.0 mask 255.255.255.0

R53:

interface gi1

no shut

ip address 20.14.14.1 255.255.255.0

interface loop 1

ip address 192.168.14.1 255.255.255.0

router bgp 4

bgp router-id 4.4.4.4

nei 20.14.14.2 remote-as 345

nei 20.14.14.2 password cisco

network 192.168.14.0

network 20.14.14.0 mask 255.255.255.0

R54:

interface gi1

no shut

ip address 20.15.15.1 255.255.255.0

interface loop 1

ip address 192.168.15.1 255.255.255.0

router bgp 5

bgp router-id 5.5.5.5

nei 20.15.15.2 remote-as 345

nei 20.15.15.2 password cisco

network 192.168.15.0

network 20.15.15.0 mask 255.255.255.0

R52(ISP):

interface gi3

no shut

ip address 20.14.14.2 255.255.255.0

interface gi5

no shut

ip address 20.15.15.2 255.255.255.0

interface gi1

no shut

ip address 20.13.13.2 255.255.255.0

interface loop0

ip address 192.168.16.1 255.255.255.0

router bgp 345

bgp router-id 17.17.17.17

nei 20.14.14.1 remote-as 4

nei 20.14.14.1 password cisco

nei 20.15.15.1 remote-as 5

nei 20.15.15.1 password cisco

nei 20.13.13.1 remote-as 3

nei 20.13.13.1 password cisco

network 192.168.16.0 mask 255.255.255.0

Verification:

R51#ping 20.15.15.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.15.15.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/12 ms

R51#ping 20.14.14.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.14.14.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/7 ms

R51#ping 20.13.13.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.13.13.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

R52#show ip bgp summary

BGP router identifier 17.17.17.17, local AS number 345

BGP table version is 9, main routing table version 9

4 network entries using 992 bytes of memory

5 path entries using 600 bytes of memory

4/4 BGP path/bestpath attribute entries using 1024 bytes of memory

3 BGP AS-PATH entries using 72 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 2688 total bytes of memory

BGP activity 4/0 prefixes, 7/2 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

20.13.13.1 4 3 18 21 9 0 0 00:11:54 2

20.14.14.1 4 4 17 21 9 0 0 00:11:57 1

20.15.15.1 4 5 10 15 9 0 0 00:04:58 1

TASK1 CONFIGURE NTP

 To ensure all devices in the network share the same time, configure R51 as the NTP server.
 The server must authenticate its clients with the password "cisco".
 Configure the remaining devices as NTP clients of R51.
 Set the time zone on every device to PST, using the zone name ccnp.

Configuration on Router

R51:

ntp authentication-key 1 md5 cisco

ntp authenticate

ntp trusted-key 1

ntp source GigabitEthernet4

ntp master 1
clock timezone ccnp -8

clock set 14:15:00 9 Sep 2018   (exec-mode command; substitute the current date and time)

R53 & 54:

ntp server 150.1.7.184 key 1

ntp authentication-key 1 md5 cisco

ntp authenticate

ntp trusted-key 1

clock timezone ccnp -8

Verification

R51#show ntp status

Clock is synchronized, stratum 1, reference is .LOCL.

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10

ntp uptime is 93000 (1/100 of seconds), resolution is 4000

reference time is DF401A24.218937A8 (14:16:04.131 ccnp Sun Sep 9 2018)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 439.67 msec, peer dispersion is 438.64 msec

loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s

system poll interval is 16, last update was 4 sec ago.

R51#show ntp associations

address ref clock st when poll reach delay offset disp

*~127.127.1.1 .LOCL. 0 15 16 377 0.000 0.000 1.204

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R54#show ntp associations

address ref clock st when poll reach delay offset disp

*~150.1.7.184 .LOCL. 1 53 64 1 3.000 4.500 7938.4

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R53#show ntp associations

address ref clock st when poll reach delay offset disp

*~150.1.7.184 .LOCL. 1 46 64 1 3.000 3.500 7938.4

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

TASK2 IOS CERTIFICATE AUTHORITY

 Configure IOS Certificate Authority server on R51

o RSA key :- R51


o PKI Server :- caserver

 The server must have a self-signed certificate with a lifetime of 5 years and grant client certificates with a
lifetime of 3 years.
 The server should service all certificate requests automatically (grant auto). Note that automatic granting issues a
certificate to anyone who can reach the enrollment URL; in production, grant requests manually or restrict who can
enroll.
 The CA server uses the RSA key pair whose label matches the server name; if none exists, it generates one when the
server is brought up, which is what the prompt below shows. Generate that key pair as exportable if the CA must ever be
backed up, because non-exportable keys cannot be copied off the router. 1024 bits is the lab minimum; 2048 bits or more
is the current recommendation.

Configuration on Router

R51:

crypto key generate rsa label R51 modulus 1024

ip http server

crypto pki server caserver

database level complete

grant auto

issuer-name CN=r51, O=cisco.com

lifetime certificate 1095

lifetime ca-certificate 1825

no shutdown

%Some server settings cannot be changed after CA certificate generation.

% Please enter a passphrase to protect the private key

% or type Return to exit

Password: Sanfran@1234

Re-enter password: Sanfran@1234

% Generating 1024 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 1 seconds)

Verification

R51#show crypto pki server

Certificate Server caserver:

Status: enabled

State: enabled

Server's configuration is locked (enter "shut" to unlock it)

Issuer name: CN=netmetric, O=cisco.com

CA cert fingerprint: E25DD56A 609047F7 05EF50A8 72EEB2B4

Granting mode is: auto

Last certificate issued serial number (hex): 1

CA certificate expiration timer: 14:26:48 ccnp Sep 8 2023

CRL NextUpdate timer: 20:26:51 ccnp Sep 9 2018

Current primary storage dir: nvram:

Database Level: Complete - all issued certs written as <serialnum>.cer

TASK3 ENROLL WITH THE CA - R53 AND R54

 On both devices, enroll for a certificate to be used for IPsec peer authentication.
 The key pair used for the certificate must be at least 1024 bits, labelled r53 and r54 respectively.
 Configure trustpoints named trustr53 and trustr54.
 Configure the domain name cisco.com and the name server 150.1.7.164 (AD/DNS).
 When "crypto pki authenticate" prints the CA certificate fingerprint, compare it out of band with the value shown
by "show crypto pki server" on R51 before answering yes; accepting an unverified CA certificate means trusting whoever
answered the enrollment URL.

Configuration on Router

R53:
ip http server

ip domain-name cisco.com

ip name-server 150.1.7.164

crypto key generate rsa label r53 modulus 1024

crypto pki trustpoint trustr53

enrollment url http://192.168.13.1:80

revocation-check none

rsakeypair r53

crypto pki authenticate trustr53

Certificate has the following attributes:

Fingerprint MD5: ED8C3F90 A4D0AB86 DD12AFA0 92EA3C55

Fingerprint SHA1: 61A9CC05 C7C4CD74 A07723DB 4AA0943E B6A951A0

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

crypto pki enroll trustr53

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: R53.cisco.com

% Include the router serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 91H57NEE1UA

% Include an IP address in the subject name? [no]: yes

Enter Interface name or IP Address[]:

% Skipping IP address

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose trustr53' command will show the fingerprint.

R54:

ip http server

ip domain-name cisco.com

ip name-server 150.1.7.164

crypto key generate rsa label r54 modulus 1024

crypto pki trustpoint trustr54

enrollment url http://192.168.13.1:80

revocation-check none

rsakeypair r54

crypto pki authenticate trustr54

Certificate has the following attributes:


Fingerprint MD5: ED8C3F90 A4D0AB86 DD12AFA0 92EA3C55

Fingerprint SHA1: 61A9CC05 C7C4CD74 A07723DB 4AA0943E B6A951A0

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

crypto pki enroll trustr54

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: R54.cisco.com

% Include the router serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 9EO5P38C3QA

% Include an IP address in the subject name? [no]:

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose trustr54' command will show the fingerprint.

TASK4 CONFIGURE THE IPSEC TUNNEL BETWEEN R53 AND R54

 On both devices, secure the traffic between 192.168.14.1 and 192.168.15.1.
 Authenticate the ISAKMP peers with the certificates enrolled in Task 3 (authentication rsa-sig), not with a
pre-shared key; the configuration below does exactly that.

Configuration on Route

R53

crypto isakmp policy 10

encr aes

authentication rsa-sig

group 2

crypto ipsec transform-set ts esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN

permit ip 192.168.14.0 0.0.0.255 192.168.15.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp

set peer 20.15.15.1

set transform-set ts

match address VPN

reverse-route static

int gi1

crypto map CMAP

R54:

crypto isakmp policy 10

encr aes

authentication rsa-sig

group 2

crypto ipsec transform-set ts esp-aes esp-sha-hmac

mode tunnel

ip access-list extended VPN

permit ip 192.168.15.0 0.0.0.255 192.168.14.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp

set peer 20.14.14.1

set transform-set ts

match address VPN

reverse-route static

int gi1

crypto map CMAP

Verification

R53#ping 192.168.15.1 source 192.168.14.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.15.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.14.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 3/10/25 ms

R53#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

20.15.15.1 20.14.14.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R53#show crypto ipsec sa

interface: GigabitEthernet1

Crypto map tag: CMAP, local addr 20.14.14.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)

current_peer 20.15.15.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.14.14.1, remote crypto endpt.: 20.15.15.1

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1

current outbound spi: 0xB76F1473(3077510259)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0x23EFC520(602916128)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004048, crypto map: CMAP

sa timing: remaining key lifetime (k/sec): (4607999/3538)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xB76F1473(3077510259)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004048, crypto map: CMAP

sa timing: remaining key lifetime (k/sec): (4607999/3538)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

LAB-3.3: - GRE

TASK1 GRE TUNNEL

 Configure a point-to-point GRE tunnel between R18 and R19.
 The tunnel should carry EIGRP AS 100, including its multicast hello and update packets, so that the Loopback0
networks are exchanged over it.
 Use 192.168.189.x/24 as the tunnel IP addresses.
 R21 is the ISP.
 Point simple default routes from R18 and R19 towards R21.
 Configure the devices as per the table below:

Device   Interface   IP
R18      Fa0/0       20.18.18.1/24
         Loopback0   192.168.18.18/24
         Tunnel0     192.168.189.18/24
R19      Fa0/0       20.19.19.1/24
         Loopback0   192.168.19.19/24
         Tunnel0     192.168.189.19/24
R21      Fa0/0       20.18.18.2/24
         Fa0/1       20.19.19.2/24

Configuration on Routers

R18:

hostname R18

interface f 0/0

no shut

ip address 20.18.18.1 255.255.255.0

interface loop 0

ip address 192.168.18.18 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.18.18.2

interface tunnel 0

tunnel source f0/0

tunnel destination 20.19.19.1

ip address 192.168.189.18 255.255.255.0

router eigrp 100

no auto-summary

network 192.168.189.0

network 192.168.18.0

R19:

hostname R19

interface f 0/0

no shut

ip address 20.19.19.1 255.255.255.0

interface loop 0

ip address 192.168.19.19 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.19.19.2

interface tunnel 0

tunnel source f0/0

tunnel destination 20.18.18.1

ip address 192.168.189.19 255.255.255.0

router eigrp 100

no auto-summary

network 192.168.189.0

network 192.168.19.0

R21:

hostname R21

interface f 0/0

no shut

ip address 20.18.18.2 255.255.255.0

interface f 0/1

no shut

ip address 20.19.19.2 255.255.255.0

Verifications:

R18#ping 20.19.19.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.19.19.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/28 ms

R19#ping 20.18.18.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.18.18.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/36 ms

R18#show ip interface brief | exclude unassigned

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 20.18.18.1 YES manual up up

Loopback0 192.168.18.18 YES manual up up

Tunnel0 192.168.189.18 YES manual up up

-------------------------------------------------------------------------------------------------------------------------

R19#show ip interface brief | exclude unassigned

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 20.19.19.1 YES manual up up

Loopback0 192.168.19.19 YES manual up up

Tunnel0 192.168.189.19 YES manual up up

R18#ping 192.168.189.19

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.189.19, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/33/80 ms

R19#ping 192.168.189.18

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.189.18, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/40 ms

-------------------------------------------------------------------------------------------------------------------------

R18#show ip eigrp neighbors

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 192.168.189.19 Tu0 11 00:00:35 1049 5000 0 3

R19#show ip eigrp neighbors

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 192.168.189.18 Tu0 13 00:01:07 163 5000 0 5

TASK2 GRE TUNNEL OVER IPSEC

 Protect the tunnel configured in the previous task so that all traffic crossing it is encrypted. Use the following
IPsec parameters:
 ISAKMP parameters
o Authentication : Pre-shared
o Group : 5
o Encryption : AES
o Hash : SHA
o Lifetime : 1800
o Key : Netmetric
 IPsec parameters
o Encryption : ESP-AES
o Authentication : ESP-SHA-HMAC
o Lifetime : 1800

Configuration on Routers

R18:

crypto isakmp policy 10

encryption aes

authentication pre-share

hash sha

group 5
lifetime 1800

crypto isakmp key Netmetric address 20.19.19.1

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode transport

crypto ipsec security-association lifetime seconds 1800

crypto ipsec profile GRE

set transform-set TS

interface tunnel 0

tunnel protection ipsec profile GRE

R19:

crypto isakmp policy 10

encryption aes

authentication pre-share

hash sha

group 5

lifetime 1800

crypto isakmp key Netmetric address 20.18.18.1

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode transport

crypto ipsec security-association lifetime seconds 1800

crypto ipsec profile GRE

set transform-set TS

interface tunnel 0

tunnel protection ipsec profile GRE

Verifications:

R18#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

20.19.19.1 20.18.18.1 QM_IDLE 1002 0 ACTIVE

R18#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal

X - IKE Extended Authentication

psk - Preshared key, rsig - RSA signature

renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1002 20.18.18.1 20.19.19.1 ACTIVE aes sha psk 5 00:28:41

Engine-id:Conn-id = SW:2

1001 20.18.18.1 20.19.19.1 ACTIVE aes sha psk 5 00:28:41

Engine-id:Conn-id = SW:1

IPv6 Crypto ISAKMP SA

R18#ping 192.168.19.19 source loopback 0 repeat 100

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 192.168.19.19, timeout is 2 seconds:

Packet sent with a source address of 192.168.18.18

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 12/24/44 ms

R18#show crypto ipsec sa

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 20.18.18.1

protected vrf: (none)

local ident (addr/mask/prot/port): (20.18.18.1/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (20.19.19.1/255.255.255.255/47/0)

current_peer 20.19.19.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137

#pkts decaps: 136, #pkts decrypt: 136, #pkts verify: 136

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 14, #recv errors 0

local crypto endpt.: 20.18.18.1, remote crypto endpt.: 20.19.19.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x93BAD181(2478494081)

inbound esp sas:

spi: 0x9C392EFD(2620993277)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 3, flow_id: SW:3, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4566192/1642)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x93BAD181(2478494081)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 4, flow_id: SW:4, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4566192/1642)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R19#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

20.18.18.1 20.19.19.1 QM_IDLE 1001 0 ACTIVE

R19#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal

X - IKE Extended Authentication

psk - Preshared key, rsig - RSA signature

renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 20.19.19.1 20.18.18.1 ACTIVE aes sha psk 5 00:28:11

Engine-id:Conn-id = SW:1

1002 20.19.19.1 20.18.18.1 ACTIVE aes sha psk 5 00:28:12

Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

R19#ping 192.168.18.18 source loopback 0 repeat 100

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 192.168.18.18, timeout is 2 seconds:

Packet sent with a source address of 192.168.19.19

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 12/25/40 ms

R19#show crypto ipsec sa

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 20.19.19.1

protected vrf: (none)

local ident (addr/mask/prot/port): (20.19.19.1/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (20.18.18.1/255.255.255.255/47/0)

current_peer 20.18.18.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 247, #pkts encrypt: 247, #pkts digest: 247

#pkts decaps: 248, #pkts decrypt: 248, #pkts verify: 248

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 20.19.19.1, remote crypto endpt.: 20.18.18.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x9C392EFD(2620993277)

inbound esp sas:

spi: 0x93BAD181(2478494081)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 3, flow_id: SW:3, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4471468/1604)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x9C392EFD(2620993277)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 4, flow_id: SW:4, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4471469/1604)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:
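The two show crypto ipsec sa captures above are only meaningful when read together: R18's outbound SPI 0x93BAD181 must be R19's inbound SPI and vice versa, both peers must agree on transform and mode, and the encaps/decaps counters must be moving in both directions (a tunnel that only encapsulates is usually a routing or ACL problem on the far side). The following script is an added example, not part of the lab guide; it parses that output format and performs the cross-check. The two sample outputs are constructed from the R18 and R19 captures in this task, trimmed to the lines the parser reads.

```python
"""Cross-check `show crypto ipsec sa` from both ends of a tunnel (added example, not from the lab guide)."""
import re


def parse_ipsec_sa(text):
    """Parse one interface block of `show crypto ipsec sa` into a plain dict (ESP SAs only)."""
    sa = {"local": None, "remote": None, "encaps": 0, "decaps": 0, "send_errors": 0,
          "inbound": [], "outbound": []}
    section = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)", line):
            sa["local"], sa["remote"] = m.groups()
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            sa[m.group(1)] = int(m.group(2))
        elif m := re.match(r"#send errors (\d+)", line):
            sa["send_errors"] = int(m.group(1))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = m.group(1) if m.group(2) == "esp" else None   # AH/PCP headers close an ESP section
            current = None
        elif section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            current = {"spi": m.group(1).lower(), "transform": None, "mode": None,
                       "remaining_kb": None, "remaining_sec": None, "status": None}
            sa[section].append(current)
        elif current is None:
            continue                                                 # e.g. `current outbound spi:`
        elif m := re.match(r"transform: (.+?)\s*,?$", line):
            current["transform"] = m.group(1)
        elif m := re.match(r"in use settings =\{(\w+)", line):
            current["mode"] = m.group(1)
        elif m := re.match(r"sa timing:.*\((\d+)/(\d+)\)$", line):
            current["remaining_kb"], current["remaining_sec"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"Status: (\w+)", line):
            current["status"] = m.group(1)
    return sa


def check_pair(a, b):
    """Compare two peers' views of one tunnel; returns a list of problems, [] when healthy."""
    spis = lambda sas: {s["spi"] for s in sas}
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("crypto endpoints are not mirrored")
    if spis(a["outbound"]) != spis(b["inbound"]):
        problems.append(f"A outbound SPI {spis(a['outbound'])} != B inbound SPI {spis(b['inbound'])}")
    if spis(b["outbound"]) != spis(a["inbound"]):
        problems.append(f"B outbound SPI {spis(b['outbound'])} != A inbound SPI {spis(a['inbound'])}")
    every = a["inbound"] + a["outbound"] + b["inbound"] + b["outbound"]
    if len({(s["transform"], s["mode"]) for s in every}) != 1:
        problems.append("transform or mode differs between SAs")
    for name, side in (("A", a), ("B", b)):
        if not side["encaps"] or not side["decaps"]:
            problems.append(f"{name}: traffic in one direction only (encaps={side['encaps']}, decaps={side['decaps']})")
        for s in side["inbound"] + side["outbound"]:
            if s["status"] != "ACTIVE" or not s["remaining_sec"]:
                problems.append(f"{name}: SA {s['spi']} is {s['status']} with {s['remaining_sec']}s left")
    return problems


# Constructed from the R18 and R19 captures in Task 2 (trimmed).
R18_OUTPUT = """
    #pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
    #pkts decaps: 136, #pkts decrypt: 136, #pkts verify: 136
    #send errors 14, #recv errors 0
     local crypto endpt.: 20.18.18.1, remote crypto endpt.: 20.19.19.1
     current outbound spi: 0x93BAD181(2478494081)
     inbound esp sas:
      spi: 0x9C392EFD(2620993277)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        sa timing: remaining key lifetime (k/sec): (4566192/1642)
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x93BAD181(2478494081)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        sa timing: remaining key lifetime (k/sec): (4566192/1642)
        Status: ACTIVE
     outbound ah sas:
"""
R19_OUTPUT = """
    #pkts encaps: 247, #pkts encrypt: 247, #pkts digest: 247
    #pkts decaps: 248, #pkts decrypt: 248, #pkts verify: 248
    #send errors 1, #recv errors 0
     local crypto endpt.: 20.19.19.1, remote crypto endpt.: 20.18.18.1
     current outbound spi: 0x9C392EFD(2620993277)
     inbound esp sas:
      spi: 0x93BAD181(2478494081)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        sa timing: remaining key lifetime (k/sec): (4471468/1604)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x9C392EFD(2620993277)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        sa timing: remaining key lifetime (k/sec): (4471469/1604)
        Status: ACTIVE
"""

if __name__ == "__main__":
    print("problems:", check_pair(parse_ipsec_sa(R18_OUTPUT), parse_ipsec_sa(R19_OUTPUT)) or "none")
```

The "#send errors 14" on R18 is not flagged: those are the packets dropped while the SAs were still being negotiated, which is normal right after the tunnel comes up. A send-error counter that keeps climbing while encaps stays flat is the case to investigate.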

LAB-3.4: - DMVPN

Dynamic Multipoint VPN (DMVPN) was introduced by Cisco in the early 2000s to build VPN tunnels automatically when the
spokes use dynamic IP addresses.
In GRE over IPsec (previous lab) both ends of the tunnel need a static, known IP address, because each point-to-point
tunnel names its peer with "tunnel destination". A company can still build many such site-to-site tunnels from its
branches to headquarters; the result is a pure hub-and-spoke topology in which branches reach each other only through
the hub.
In DMVPN the spokes may have dynamic IP addresses, but the hub must have a static one. An additional protocol, NHRP
(Next Hop Resolution Protocol), lets the hub learn which public (NBMA) address each spoke is currently using: every spoke
registers its tunnel IP address together with its NBMA address, and the hub keeps these in a dynamic mapping table, much
as ARP maps a layer-3 address to a layer-2 address. With that table the hub knows its IPsec peers and can bring up
tunnels to them.
Since the hub talks to many spokes at once, configuring one tunnel interface per spoke would not scale. The answer is a
multipoint GRE (mGRE) tunnel interface, which has no fixed "tunnel destination"; NHRP supplies the destination for each
packet.
DMVPN comes in three variants, called phases:

Phase 1: plain hub-and-spoke; spokes may use dynamic IP addresses and all spoke-to-spoke traffic transits the hub.

Phase 2: hub-and-spoke with direct spoke-to-spoke tunnels, resolved on demand through NHRP.

Phase 3: hub-and-spoke with direct spoke-to-spoke tunnels and better scalability, using NHRP redirect and shortcut
messages so that spokes can keep summarised routes pointing at the hub.

All three phases are described in more detail in the following labs.

LAB-SETUP
 Configure R18 (HUB), R19 (Spoke1), R20 (Spoke2) and R21 (ISP) with the IP addresses in the table below.
 For Internet reachability, configure BGP as follows:
o R18 is in BGP AS 3
o R19 is in BGP AS 4
o R20 is in BGP AS 5
o R21 is in BGP AS 345
o Peer every site with the ISP using BGP
o Authenticate each BGP session with the password "cisco" (without quotes) using MD5

Device   Interface   IP
R18      gi0/0       18.18.18.18/24
         Loopback0   192.168.18.1/24
R19      gi0/0       19.19.19.19/24
         Loopback1   192.168.19.1/24
R20      gi0/0       20.20.20.20/24
         Loopback1   192.168.20.1/24
R21      gi0/0       18.18.18.21/24
         gi0/1       19.19.19.21/24
         gi0/2       20.20.20.21/24

Note: Erase the configuration of Basic GRE from R18 & R19

Configuration on Router

R18:

hostname HUB

interface gi0/0

no shut

ip address 18.18.18.18 255.255.255.0

interface loop 0

ip address 192.168.18.1 255.255.255.0

router bgp 3

neighbor 18.18.18.21 remote-as 345

neighbor 18.18.18.21 password cisco

network 18.18.18.0 mask 255.255.255.0

R19:

hostname Spoke1

interface gi0/0

no shut

ip address 19.19.19.19 255.255.255.0


interface loop 0

ip address 192.168.19.1 255.255.255.0

router bgp 4

neighbor 19.19.19.21 remote-as 345

neighbor 19.19.19.21 password cisco

network 19.19.19.0 mask 255.255.255.0

R20:

hostname Spoke2

interface gi0/0

no shut

ip address 20.20.20.20 255.255.255.0

interface loop 0

ip address 192.168.20.1 255.255.255.0

router bgp 5

neighbor 20.20.20.21 remote-as 345

neighbor 20.20.20.21 password cisco

network 20.20.20.0 mask 255.255.255.0

R21(ISP):

hostname ISP

interface gi0/0

no shut

ip address 18.18.18.21 255.255.255.0

interface gi0/1

no shut

ip address 19.19.19.21 255.255.255.0

interface gi0/2

no shut

ip address 20.20.20.21 255.255.255.0

router bgp 345

nei 18.18.18.18 remote-as 3

nei 18.18.18.18 password cisco

nei 19.19.19.19 remote-as 4

nei 19.19.19.19 password cisco

nei 20.20.20.20 remote-as 5

nei 20.20.20.20 password cisco

Verification

ISP#show ip bgp summary

BGP router identifier 20.20.20.21, local AS number 345

BGP table version is 7, main routing table version 7

3 network entries using 360 bytes of memory

3 path entries using 156 bytes of memory

4/3 BGP path/bestpath attribute entries using 496 bytes of memory

3 BGP AS-PATH entries using 72 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory

BGP using 1116 total bytes of memory

BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

18.18.18.18 4 3 5 7 7 0 0 00:00:12 1

19.19.19.19 4 4 4 6 7 0 0 00:00:31 1

20.20.20.20 4 5 4 6 7 0 0 00:00:40 1

TASK1 DMVPN PHASE 1 BASIC CONFIGURATION

 Configure hub-and-spoke GRE tunnels between R18, R19 and R20, with R18 acting as the hub.
 Traffic originated from every spoke's loopback interface should reach the other spokes via the hub (IPsec
protection of the mGRE tunnel is not part of this task).
 Use the following settings when configuring the tunnels:
o Tunnel parameters:
 IP address : 1.1.1.0/24
 IP MTU : 1400
 Tunnel key (GRE key field) : 12345
o NHRP parameters:
 NHRP network ID : 12345
 NHRP authentication key : DMVPN
 NHRP hub (NHS) : R18
 NHRP holdtime : 5 minutes
Configuration on Routers:-

R18 (HUB):

interface tunnel 1

ip address 1.1.1.1 255.255.255.0

tunnel source gi0/0

tunnel mode gre multipoint

ip nhrp map multicast dynamic

ip nhrp network-id 12345

ip nhrp authentication DMVPN

tunnel key 12345

ip nhrp holdtime 300

ip mtu 1400

R19 (Spoke1):

interface tunnel 1

ip address 1.1.1.2 255.255.255.0

ip nhrp authentication DMVPN

ip nhrp map 1.1.1.1 18.18.18.18

ip nhrp map multicast 18.18.18.18

ip nhrp network-id 12345

ip nhrp nhs 1.1.1.1

tunnel source gi0/0

tunnel destination 18.18.18.18

tunnel key 12345

ip nhrp holdtime 300

ip mtu 1400

R20 (Spoke2):

interface tunnel 1

ip address 1.1.1.3 255.255.255.0

ip nhrp authentication DMVPN

ip nhrp map 1.1.1.1 18.18.18.18

ip nhrp map multicast 18.18.18.18

ip nhrp network-id 12345

ip nhrp nhs 1.1.1.1

tunnel source gi0/0

tunnel destination 18.18.18.18

tunnel key 12345

ip mtu 1400

ip nhrp holdtime 300

Verification:

HUB#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 19.19.19.19         1.1.1.2    UP 00:00:33     D
     1 20.20.20.20         1.1.1.3    UP 00:00:06     D

Spoke1#traceroute ip 1.1.1.3 source 1.1.1.2
Type escape sequence to abort.
Tracing the route to 1.1.1.3
  1 1.1.1.1 16 msec 36 msec 20 msec
  2 1.1.1.3 52 msec 36 msec *

HUB#show ip nhrp
1.1.1.2/32 via 1.1.1.2
   Tunnel1 created 00:01:01, expire 00:03:58
   Type: dynamic, Flags: unique registered nhop
   NBMA address: 19.19.19.19
1.1.1.3/32 via 1.1.1.3
   Tunnel1 created 00:00:34, expire 00:04:25
   Type: dynamic, Flags: unique registered nhop
   NBMA address: 20.20.20.20

HUB#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

-------------- Interface Tunnel1 info: --------------
Intf. is up, Line Protocol is up, Addr. is 1.1.1.1
   Source addr: 18.18.18.18, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "",
  Tunnel VRF "", ip vrf forwarding ""
NHRP Details:
Type:Hub, NBMA Peers:2

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     1 19.19.19.19         1.1.1.2    UP 00:16:21     D         1.1.1.2/32

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     1 20.20.20.20         1.1.1.3    UP 00:06:56     D         1.1.1.3/32

Pending DMVPN Sessions:

TASK2 DMVPN PHASE 1 WITH EIGRP

- Routing Protocol Parameters:
  o EIGRP 1
  o Use split horizon rule

Configuration on the Routers

R18 (HUB):

router eigrp 1
 network 1.1.1.0 0.0.0.255
 network 192.168.18.0
 no auto-summary

R19:

router eigrp 1
 network 1.1.1.0 0.0.0.255
 network 192.168.19.0
 no auto-summary

R20:

router eigrp 1
 network 1.1.1.0 0.0.0.255
 network 192.168.20.0
 no auto-summary

Verification:

HUB#show ip route eigrp
D     192.168.20.0/24 [90/297372416] via 1.1.1.3, 00:00:29, Tunnel1
D     192.168.19.0/24 [90/297372416] via 1.1.1.2, 00:01:30, Tunnel1

HUB#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel1
L        1.1.1.1/32 is directly connected, Tunnel1
      18.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        18.18.18.0/24 is directly connected, GigabitEthernet0/0
L        18.18.18.18/32 is directly connected, GigabitEthernet0/0
      19.0.0.0/24 is subnetted, 1 subnets
B        19.19.19.0 [20/0] via 18.18.18.21, 00:04:09
      20.0.0.0/24 is subnetted, 1 subnets
B        20.20.20.0 [20/0] via 18.18.18.21, 00:04:09
      192.168.18.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.18.0/24 is directly connected, Loopback0
L        192.168.18.1/32 is directly connected, Loopback0
D     192.168.19.0/24 [90/27008000] via 1.1.1.2, 00:01:14, Tunnel1
D     192.168.20.0/24 [90/27008000] via 1.1.1.3, 00:01:08, Tunnel1

Spoke1#show ip route eigrp
D     192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:03:07, Tunnel1

Spoke2#show ip route eigrp
D     192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:02:33, Tunnel1

EIGRP is a distance vector routing protocol, so we run into the split horizon rule here: the Hub learns both spoke networks on Tunnel1 and will not advertise them back out of the same interface, so the spoke routers do not see each other's networks. Let's fix this for now:

int tunnel1
 no ip split-horizon eigrp 1

Since we use EIGRP between the Hub and the Spokes, we need to disable Split Horizon for that protocol on the Hub's tunnel interface so that routes learned from one Spoke can be sent on to the other Spoke. The Split Horizon rule says: "routing information is never sent back in the direction from which it was received". This is a basic loop-prevention rule.

Spoke1#show ip route eigrp
D     192.168.20.0/24 [90/310172416] via 1.1.1.1, 00:00:10, Tunnel1
D     192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:04:44, Tunnel

Spoke1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel1
L        1.1.1.2/32 is directly connected, Tunnel1
      18.0.0.0/24 is subnetted, 1 subnets
B        18.18.18.0 [20/0] via 19.19.19.21, 00:06:33
      19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        19.19.19.0/24 is directly connected, GigabitEthernet0/0
L        19.19.19.19/32 is directly connected, GigabitEthernet0/0
      20.0.0.0/24 is subnetted, 1 subnets
B        20.20.20.0 [20/0] via 19.19.19.21, 00:06:33
      192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.19.0/24 is directly connected, Loopback0
L        192.168.19.1/32 is directly connected, Loopback0

Spoke2#show ip route eigrp
D     192.168.19.0/24 [90/310172416] via 1.1.1.1, 00:00:30, Tunnel1
D     192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:04:04, Tunnel1

Spoke1#ping 192.168.20.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.19.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/52 ms

Spoke1#show ip cef 192.168.20.1
192.168.20.0/24
  nexthop 1.1.1.1 Tunnel1


The CEF entry for the Spoke2 loopback network shows the next-hop IP address that has to be used to reach 192.168.20.0/24. In Phase 1 this is the Hub's tunnel address 1.1.1.1, so spoke-to-spoke traffic always goes through the Hub.

Spoke1#show ip nhrp
1.1.1.1/32 via 1.1.1.1
   Tunnel1 created 00:06:50, never expire
   Type: static, Flags:
   NBMA address: 18.18.18.18

Spoke1#traceroute 192.168.20.1 source loopback 0
Type escape sequence to abort.
Tracing the route to 192.168.20.1
  1 1.1.1.1 36 msec 24 msec 20 msec
  2 1.1.1.3 20 msec 28 msec *

TASK3 DMVPN PHASE 1 ENCRYPT THE TUNNEL USING IPSEC

- Use the following settings when configuring tunnels:
  o ISAKMP Parameters:
    - Authentication : Pre-Shared
    - Encryption : 3DES
    - Hashing : SHA
    - DH Group : 2
    - Pre-Shared Key : cisco
  o IPSec Parameters:
    - Encryption : ESP-aes
    - Authentication : ESP-SHA-HMAC
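The task above only lists the parameters; the following is an added example (not the lab guide's own solution) showing how they map onto an IOS ISAKMP policy, a transform set and an IPsec profile that is attached to Tunnel1 with tunnel protection. The policy number and the names DMVPN_TS and DMVPN_PROF are assumed; the same crypto configuration goes on R18, R19 and R20 on top of the Task 1 tunnel configuration.

```ios
! Added example: IKEv1/IPsec protection for the Phase 1 DMVPN cloud.
! Apply on R18, R19 and R20; only the last block touches the Tunnel1
! interface that was already configured in Task 1.
! Policy number 10 and the names DMVPN_TS / DMVPN_PROF are assumed.
!
! ISAKMP (IKEv1) policy exactly as the task specifies. 3DES and DH
! group 2 are deprecated; use AES and group 14 or higher wherever a task
! does not fix the values.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
!
! Wildcard pre-shared key: the Hub cannot list the spoke NBMA addresses
! in advance, and the spokes will later (Phase 2/3) build SAs directly
! to each other. Any peer holding the key can negotiate an ISAKMP SA,
! so per-peer keys or certificates are preferable outside the lab.
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
! Transform set: ESP with AES encryption and SHA-1 HMAC, as required.
! Transport mode is used because the GRE header already carries the
! tunnel endpoints; this saves a second outer IP header on every packet
! on top of the 1400-byte ip mtu set in Task 1.
crypto ipsec transform-set DMVPN_TS esp-aes esp-sha-hmac
 mode transport
!
! IPsec profile ties the transform set to the tunnel interface.
crypto ipsec profile DMVPN_PROF
 set transform-set DMVPN_TS
!
! Protect the existing mGRE (Hub) or GRE (Spoke) tunnel interface.
interface Tunnel1
 tunnel protection ipsec profile DMVPN_PROF
```

Once the profile is attached on all three routers, the Protect field in show dmvpn detail (shown empty as Protect "" in the Task 1 output) should name DMVPN_PROF, and show crypto ipsec sa on the Hub should list an inbound and an outbound ESP SA for each registered spoke.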

TASK4 DMVPN PHASE 2 WITH EIGRP

- Configure Hub-and-Spoke GRE tunnels between R18, R19 and R20, where R18 is acting as a Hub.
- Traffic originated from every Spoke's loopback interface should be transmitted securely directly to the other spokes.
- You must use EIGRP dynamic routing protocol to let other spokes know about protected networks.
- Use the following settings when configuring tunnels:
  o Tunnel Parameters:
    - IP address : 1.1.1.0/24
    - IP MTU : 1400
    - Tunnel Authentication Key : 12345
  o NHRP Parameters:
    - NHRP ID : 12345
    - NHRP Authentication key : DMVPN
    - NHRP Hub : R18
    - NHRP Holdtime : 5 Minutes

The difference is in routing protocol behaviour. DMVPN Phase 2 allows direct Spoke-to-Spoke communication, so a spoke must forward traffic to the other spoke based on its own routing table. In DMVPN Phase 1 the spoke sends all traffic up to the Hub and relies on the Hub for Spoke-to-Spoke communication; in DMVPN Phase 2 the spoke's route must point at the other spoke directly.

This is achieved by changing the routing protocol behaviour. By default EIGRP rewrites the next hop in the routing updates it passes on, so the Hub sets the next hop to itself when it sends the spoke routes back down to the other Spokes. This behaviour is changed with the command "no ip next-hop-self eigrp AS" on the Hub's tunnel interface.

Configuration on Routers: -

R18 (HUB):

Same configuration as in Phase 1, with a few changes:

interface Tunnel1
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 ip nhrp holdtime 300
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
end

EIGRP rewrites the next hop in the routing updates it passes on, so the Hub sets the next hop to itself when it sends routing updates down to the Spokes. This behaviour is changed with the command "no ip next-hop-self eigrp AS"; together with "no ip split-horizon eigrp 1" the Hub now advertises each spoke's network to the other spoke with the originating spoke's tunnel address as the next hop.

R19 (Spoke1):

show run int tun 1

interface tunnel 1
 ip address 1.1.1.2 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp map 1.1.1.1 18.18.18.18
 ip nhrp map multicast 18.18.18.18
 ip nhrp network-id 12345
 ip nhrp nhs 1.1.1.1
 tunnel source f0/0
 tunnel destination 18.18.18.18
 ip mtu 1400
 tunnel key 12345
 ip nhrp holdtime 300

Remove the tunnel destination command and switch the tunnel to multipoint GRE:

int tunnel 1
 no tunnel destination 18.18.18.18
 tunnel mode gre multipoint

R20 (Spoke2):

show run int tunnel 1

interface tunnel 1
 ip address 1.1.1.3 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp map 1.1.1.1 18.18.18.18
 ip nhrp map multicast 18.18.18.18
 ip nhrp network-id 12345
 ip nhrp nhs 1.1.1.1
 tunnel source f0/0
 tunnel destination 18.18.18.18
 ip mtu 1400
 tunnel key 12345
 ip nhrp holdtime 300

Remove the tunnel destination command and switch the tunnel to multipoint GRE:

int tunnel 1
 no tunnel destination 18.18.18.18
 tunnel mode gre multipoint

Verification

HUB# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Tunnel1
     19.0.0.0/24 is subnetted, 1 subnets
B       19.19.19.0 [20/0] via 18.18.18.21, 01:43:04
     18.0.0.0/24 is subnetted, 1 subnets
C       18.18.18.0 is directly connected, FastEthernet0/0
     20.0.0.0/24 is subnetted, 1 subnets
B       20.20.20.0 [20/0] via 18.18.18.21, 01:43:04
D    192.168.20.0/24 [90/297372416] via 1.1.1.3, 00:13:39, Tunnel1
D    192.168.19.0/24 [90/297372416] via 1.1.1.2, 00:13:55, Tunnel1
C    192.168.18.0/24 is directly connected, Loopback0

HUB#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 19.19.19.19         1.1.1.2    UP    never     D
     1 20.20.20.20         1.1.1.3    UP    never     D

HUB#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/32 ms

HUB#ping 1.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/32 ms

HUB#show ip nhrp
1.1.1.2/32 via 1.1.1.2, Tunnel1 created 00:14:22, expire 00:03:57
  Type: dynamic, Flags: unique registered
  NBMA address: 19.19.19.19
1.1.1.3/32 via 1.1.1.3, Tunnel1 created 00:14:06, expire 00:04:13
  Type: dynamic, Flags: unique registered
  NBMA address: 20.20.20.20

HUB#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
1   1.1.1.3         Tu1           10 00:14:35  137  5000  0  14
0   1.1.1.2         Tu1           12 00:14:53   92  5000  0  18

Spoke1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Tunnel1
     19.0.0.0/24 is subnetted, 1 subnets
C       19.19.19.0 is directly connected, FastEthernet0/0
     18.0.0.0/24 is subnetted, 1 subnets
B       18.18.18.0 [20/0] via 19.19.19.21, 01:44:24
     20.0.0.0/24 is subnetted, 1 subnets
B       20.20.20.0 [20/0] via 19.19.19.21, 01:44:24
D    192.168.20.0/24 [90/310172416] via 1.1.1.3, 00:14:58, Tunnel1
C    192.168.19.0/24 is directly connected, Loopback0
D    192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:15:16, Tunnel1

Spoke1#show ip route 192.168.20.1
Routing entry for 192.168.20.0/24
  Known via "eigrp 1", distance 90, metric 310172416, type internal
  Redistributing via eigrp 1
  Last update from 1.1.1.3 on Tunnel1, 00:16:01 ago
  Routing Descriptor Blocks:
  * 1.1.1.3, from 1.1.1.1, 00:16:01 ago, via Tunnel1
      Route metric is 310172416, traffic share count is 1
      Total delay is 1005000 microseconds, minimum bandwidth is 9 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2

Spoke1#show ip cef 192.168.20.1
192.168.20.0/24
  nexthop 1.1.1.3 Tunnel1

Spoke1#show ip cef 1.1.1.3
1.1.1.0/24
  attached to Tunnel1

Spoke1#show ip cef 20.20.20.20
20.20.20.0/24
  nexthop 19.19.19.21 GigabitEthernet0/0

Spoke1#show ip nhrp
1.1.1.1/32 via 1.1.1.1
   Tunnel1 created 00:03:42, never expire
   Type: static, Flags: used
   NBMA address: 18.18.18.18
1.1.1.2/32 via 1.1.1.2
   Tunnel1 created 00:00:02, expire 00:04:57
   Type: dynamic, Flags: router unique local
   NBMA address: 19.19.19.19
    (no-socket)
1.1.1.3/32 via 1.1.1.3
   Tunnel1 created 00:00:02, expire 00:04:56
   Type: dynamic, Flags: router used nhop
   NBMA address: 20.20.20.20

Spoke1#show adjacency tunnel 1 detail
Protocol Interface                 Address
IP       Tunnel1                   1.1.1.1(11)
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 28
                                   4500000000000000FF2F718513131313
                                   121212122000080000003039
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of GigabitEthernet0/0, addr 19.19.19.21
IP       Tunnel1                   1.1.1.3(11)
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 28
                                   4500000000000000FF2F6D8113131313
                                   141414142000080000003039
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of GigabitEthernet0/0, addr 19.19.19.21

Spoke1#traceroute 192.168.20.1 source loopback 0
Type escape sequence to abort.
Tracing the route to 192.168.20.1
  1.1.1.3 16 msec 48 msec *

TASK5 DMVPN PHASE 3 WITH EIGRP

- Configure Hub-and-Spoke GRE tunnels between R18, R19 and R20, where R18 is acting as a Hub.
- Traffic originated from every Spoke's loopback interface should be transmitted securely directly to the other spokes.
- You must use EIGRP dynamic routing protocol to let other spokes know about protected networks.
- You must ensure that all traffic is CEF switched.
- Use the following settings when configuring tunnels:
  o Tunnel Parameters:
    - IP address : 1.1.1.0/24
    - IP MTU : 1400
    - Tunnel Authentication Key : 12345
  o NHRP Parameters:
    - NHRP ID : 12345
    - NHRP Authentication key : DMVPN
    - NHRP Hub : R18
    - NHRP Holdtime : 5 Minutes

DMVPN Phase 3 is the latest method of configuration. It was introduced by Cisco to fix some disadvantages of Phase 2, like:

- Scalability: Phase 2 allows Hub daisy-chaining and a single OSPF area only, with a limited number of hubs due to the OSPF DR/BDR election.
- Scalability: Phase 2 does not allow route summarization on the Hub; all prefixes must be distributed to all spokes to be able to set up direct spoke-to-spoke tunnels.
- Performance: Phase 2 sends the first packets through the Hub using process switching (not CEF), causing CPU spikes.

DMVPN Phase 3 uses two NHRP "hacks" to make it happen:

- NHRP Redirect (Hub): a new message sent from the Hub to the Spoke to let the Spoke know that there is a better path to the other spoke than through the Hub.
- NHRP Shortcut (Spoke): a new way of changing (overwriting) the CEF information on the Spoke.

In DMVPN Phase 3 all Spokes point to the Hub for the networks behind the other spokes (just like in Phase 1). The direct spoke-to-spoke path is then built as follows:

- A packet is sent from Spoke1's (R19) network to Spoke2's (R20) network via the Hub (according to the routing table).
- The Hub routes the packet to Spoke2 but in parallel sends an NHRP Redirect message back to Spoke1, telling it that the path to Spoke2 is suboptimal and giving the tunnel IP of Spoke2.
- Spoke1 then issues an NHRP Resolution Request for Spoke2's NBMA IP address, with the destination IP of Spoke2's tunnel address, to the NHS. This request is forwarded towards Spoke2 via the NHS (according to the routing table); it is the normal hop-by-hop NHRP forwarding process.
- Spoke2, after receiving the Resolution Request (which includes Spoke1's NBMA IP), sends the NHRP Resolution Reply directly to Spoke1. The reply does not traverse the Hub!
- Spoke1, after receiving the correct NBMA IP of Spoke2, rewrites the CEF entry for the destination prefix. This procedure is called NHRP Shortcut.
- Spokes do not trigger NHRP through glean adjacencies; instead the NHRP replies update the CEF table.

Configuration on Routers: -

R18 (HUB):

Same configuration as in Phase 2 on the HUB, with the additional command ip nhrp redirect:

interface Tunnel1
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 ip nhrp holdtime 300
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 ip nhrp redirect

NHRP Redirect is a special NHRP message sent by the Hub to a spoke to tell it that there is a better path to the remote spoke than through the Hub. All it does is force the spoke to trigger an NHRP Resolution Request for the IP destination.

The "ip nhrp redirect" command should be configured on the Hub only!

R19 (Spoke1):

interface Tunnel1
 ip address 1.1.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp map 1.1.1.1 18.18.18.18
 ip nhrp map multicast 18.18.18.18
 ip nhrp network-id 12345
 ip nhrp holdtime 300
 ip nhrp nhs 1.1.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 ip nhrp shortcut
end

The only difference on the spoke is that it now has NHRP Shortcut configured. This works together with NHRP Redirect on the Hub: the redirect makes the spoke send a new NHRP Resolution Request, and the shortcut lets the reply overwrite the CEF entry so that the direct spoke-to-spoke tunnel is used instead of the Hub. The "ip nhrp shortcut" command should be configured on the spokes only.

R20 (Spoke2):

interface Tunnel1
 ip address 1.1.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp map 1.1.1.1 18.18.18.18
 ip nhrp map multicast 18.18.18.18
 ip nhrp network-id 12345
 ip nhrp holdtime 300
 ip nhrp nhs 1.1.1.1
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
end

Verification:

HUB#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
1   1.1.1.3         Tu1           13 00:00:20   50  5000  0  23
0   1.1.1.2         Tu1           14 00:00:27  837  5000  0  28

HUB#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel1
L        1.1.1.1/32 is directly connected, Tunnel1
      18.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        18.18.18.0/24 is directly connected, GigabitEthernet0/0
L        18.18.18.18/32 is directly connected, GigabitEthernet0/0
      19.0.0.0/24 is subnetted, 1 subnets
B        19.19.19.0 [20/0] via 18.18.18.21, 00:20:52
      20.0.0.0/24 is subnetted, 1 subnets
B        20.20.20.0 [20/0] via 18.18.18.21, 00:20:52
      192.168.18.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.18.0/24 is directly connected, Loopback0
L        192.168.18.1/32 is directly connected, Loopback0
D     192.168.19.0/24 [90/27008000] via 1.1.1.2, 00:01:05, Tunnel1
D     192.168.20.0/24 [90/27008000] via 1.1.1.3, 00:01:03, Tunnel1

HUB#show ip nhrp
1.1.1.2/32 via 1.1.1.2, Tunnel1 created 00:00:57, expire 00:04:02
  Type: dynamic, Flags: unique registered
  NBMA address: 19.19.19.19
1.1.1.3/32 via 1.1.1.3, Tunnel1 created 00:00:48, expire 00:04:11
  Type: dynamic, Flags: unique registered
  NBMA address: 20.20.20.20

Before PING

Spoke1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel1
L        1.1.1.2/32 is directly connected, Tunnel1
      18.0.0.0/24 is subnetted, 1 subnets
B        18.18.18.0 [20/0] via 19.19.19.21, 00:21:49
      19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        19.19.19.0/24 is directly connected, GigabitEthernet0/0
L        19.19.19.19/32 is directly connected, GigabitEthernet0/0
      20.0.0.0/24 is subnetted, 1 subnets
B        20.20.20.0 [20/0] via 19.19.19.21, 00:21:49
D     192.168.18.0/24 [90/27008000] via 1.1.1.1, 00:02:01, Tunnel1
      192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.19.0/24 is directly connected, Loopback0
L        192.168.19.1/32 is directly connected, Loopback0
D     192.168.20.0/24 [90/28288000] via 1.1.1.3, 00:01:56, Tunnel1

Spoke1#show ip cef 192.168.20.1
192.168.20.0/24
  nexthop 1.1.1.3 Tunnel1

Before PING

Spoke1#show ip nhrp
1.1.1.1/32 via 1.1.1.1
   Tunnel1 created 00:03:17, never expire
   Type: static, Flags: used
   NBMA address: 18.18.18.18

Spoke1#ping 192.168.20.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.19.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/68 ms

After PING

Spoke1#show ip cef 192.168.20.0
192.168.20.0/24
  nexthop 1.1.1.3 Tunnel1

Spoke1#show ip nhrp
1.1.1.1/32 via 1.1.1.1
   Tunnel1 created 00:09:10, never expire
   Type: static, Flags: used
   NBMA address: 18.18.18.18
1.1.1.2/32 via 1.1.1.2
   Tunnel1 created 00:00:01, expire 00:04:58
   Type: dynamic, Flags: router unique local
   NBMA address: 19.19.19.19
    (no-socket)
1.1.1.3/32 via 1.1.1.3
   Tunnel1 created 00:00:01, expire 00:04:57
   Type: dynamic, Flags: router nhop rib
   NBMA address: 20.20.20.20
192.168.19.0/24 via 1.1.1.2
   Tunnel1 created 00:00:01, expire 00:04:58
   Type: dynamic, Flags: router unique local
   NBMA address: 19.19.19.19
    (no-socket)
192.168.20.0/24 via 1.1.1.3
   Tunnel1 created 00:00:01, expire 00:04:57
   Type: dynamic, Flags: router used rib nho
   NBMA address: 20.20.20.20

The NHRP database now shows new dynamic entries for the remote spoke (1.1.1.3/32 and 192.168.20.0/24 with NBMA address 20.20.20.20) and the "local" entries for this spoke, which are created when it sends an NHRP Resolution Reply.

Spoke1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel1
L        1.1.1.2/32 is directly connected, Tunnel1
H        1.1.1.3/32 is directly connected, 00:01:21, Tunnel1
      18.0.0.0/24 is subnetted, 1 subnets
B        18.18.18.0 [20/0] via 19.19.19.21, 00:30:13
      19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        19.19.19.0/24 is directly connected, GigabitEthernet0/0
L        19.19.19.19/32 is directly connected, GigabitEthernet0/0
      20.0.0.0/24 is subnetted, 1 subnets
B        20.20.20.0 [20/0] via 19.19.19.21, 00:30:13
D     192.168.18.0/24 [90/27008000] via 1.1.1.1, 00:10:25, Tunnel1
      192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.19.0/24 is directly connected, Loopback0
L        192.168.19.1/32 is directly connected, Loopback0
D   % 192.168.20.0/24 [90/28288000] via 1.1.1.3, 00:10:20, Tunnel1

Spoke1#show ip route next-hop-override
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Tunnel1
L        1.1.1.2/32 is directly connected, Tunnel1
H        1.1.1.3/32 is directly connected, 00:00:02, Tunnel1
      18.0.0.0/24 is subnetted, 1 subnets
B        18.18.18.0 [20/0] via 19.19.19.21, 00:37:29
      19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        19.19.19.0/24 is directly connected, GigabitEthernet0/0
L        19.19.19.19/32 is directly connected, GigabitEthernet0/0
      20.0.0.0/24 is subnetted, 1 subnets
B        20.20.20.0 [20/0] via 19.19.19.21, 00:37:29
D     192.168.18.0/24 [90/27008000] via 1.1.1.1, 00:17:41, Tunnel1
      192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.19.0/24 is directly connected, Loopback0
L        192.168.19.1/32 is directly connected, Loopback0
D   % 192.168.20.0/24 [90/28288000] via 1.1.1.3, 00:17:36, Tunnel1
         [NHO][90/255] via 1.1.1.3, 00:00:02, Tunnel1

LAB-3.5: - SSL CLIENTLESS VPN

TASK1 PERFORM SSL CLIENTLESS VPN

- Your configuration should meet the following requirements on ASA1:
  o VPN access credentials should be username: cisco password: cisco.
  o Connection banner should be Welcome to Netmetric.
  o Group alias should be named ccnp.
  o The CA trustpoint should be configured as follows:
    - Name : trust
    - Enrollment : self
    - RSA key : ccnp
  o Session idle time 24 hours
  o Idle Time out 24 hours
  o The web ACL implementation should only allow the following URLs:
    - http://server1.cisco.com:8080
    - http://server2.cisco.com:8080
  o The bookmarks for the above servers should appear in the server portal as server1 and server2 respectively.
  o Make sure that closing the RDP connection to client_pc does not tear down the established VPN session.
  o The DNS server is at 150.1.7.164
  o Note: Any information not provided for this task can be assumed by the candidate.

Configuration on ASA

ASA1v

int gi0/0
 nameif outside
 ip address 20.1.1.1 255.255.255.0
 no sh
int gi0/1
 nameif inside
 ip add 10.1.10.1 255.255.255.0
 no sh

router eigrp 1
 network 10.1.10.0 255.255.255.0

ASA1# show int ip br
Interface            IP-Address   OK? Method Status Protocol
GigabitEthernet0/0   20.1.1.1     YES manual up     up
GigabitEthernet0/1   10.1.10.1    YES manual up     up

ASA1# show nameif
Interface            Name     Security
GigabitEthernet0/0   outside    0
GigabitEthernet0/1   inside   100

ASA1# show eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address      Interface   Hold Uptime   SRTT   RTO  Q  Seq
                             (sec)         (ms)       Cnt Num
0   10.1.10.10   inside        14 00:00:14   10   200  0  6

ASA1# show route
D    1.1.1.0 255.255.255.0 [90/130816] via 10.1.10.10, 00:01:25, inside
D    2.2.2.0 255.255.255.0 [90/130816] via 10.1.10.10, 00:01:25, inside
C    10.1.10.0 255.255.255.0 is directly connected, inside
L    10.1.10.1 255.255.255.255 is directly connected, inside
C    20.1.1.0 255.255.255.0 is directly connected, outside
L    20.1.1.1 255.255.255.255 is directly connected, outside

dns domain-lookup mgmt
dns name-server 150.1.7.164
domain-name cisco.com

crypto key generate rsa label ccnp modulus 1024

crypto ca trustpoint trust
 enrollment self
 keypair ccnp
 subject-name CN=asa1.cisco.com

ASA1(config)# crypto ca enroll trust
% The fully-qualified domain name in the certificate will be: ASA1.cisco.com
% Include the device serial number in the subject name? [yes/no]: yes
Generate Self-Signed Certificate? [yes/no]: yes

access-list webacl webtype permit url http://server1.cisco.com:8080
access-list webacl webtype permit url http://server2.cisco.com:8080

group-policy ccnp internal
group-policy ccnp attributes
 banner value Welcome to Netmetric
 vpn-idle-timeout 1440
 vpn-session-timeout 1440
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value webacl
 exit

tunnel-group ccnp type remote-access
tunnel-group ccnp general-attributes
 default-group-policy ccnp
tunnel-group ccnp webvpn-attributes
 group-alias ccnp enable

webvpn
 enable outside
 tunnel-group-list enable

username admin password cisco privilege 15

ssl trust-point trust outside

Repeat Task 1.3 to load the ASDM image, because the bookmarks cannot be created from the CLI:

copy tftp://150.1.7.20/asdm-782-151.bin flash:
http server enable
http 150.1.7.0 255.255.255.0 mgmt
asdm image boot:/asdm-79150.bin

Click on the Assign

From the client-pc open Internet Explorer and browse to https://20.1.1.1

Username and password: admin/cisco

ASA1# show vpn-sessiondb webvpn

Session Type: WebVPN

Username     : admin                  Index        : 3
Public IP    : 20.1.1.6
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)AES256  Hashing      : Clientless: (1)SHA1
Bytes Tx     : 314701                 Bytes Rx     : 40457
Group Policy : ccnp                   Tunnel Group : ccnp
Login Time   : 14:39:56 UTC Sat Aug 18 2018
Duration     : 0h:02m:18s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 960107a6000030005b782fbc
Security Grp : none

LAB-3.6: - CISCO ANYCONNECT WITH IKEV2

TASK1 PERFORM ANYCONNECT CLIENT-BASED VPN

 Configure ASA1 with the IP addresses and nameifs shown in the diagram above.
 Use EIGRP as the routing protocol between ASA1 and DC-Router and advertise the 10.1.10.0/24 network in AS 1.
 Your configuration should meet the following requirements on ASA1:
 The tunnel should negotiate an IKEv2 policy and an IPsec proposal using AES-256 encryption.
 The tunnel should only secure traffic for server1 and server2.
 The client address pool should be 100.10.1.1-100.10.1.10/24.
 The session tunnel should remain connected for 24 hours even without any activity.
 The connection profile name should be “ConnectionP”.
 The group alias for the session should be “ccnpprofile”.
 The trustpoint for the implementation should be named “trust” and use the RSA key pair “ccnp”.
 The ASA should authenticate the session locally with the credentials username cisco, password cisco.
 Use the Firefox browser to test your connectivity to server1 and server2.
Any information not provided for this task can be assumed by the candidate.

 For the detailed solution, refer to the “avi” file uploaded on the resource portal.

Configuration on ASA1: -

LAB-3.7: - GETVPN WITH VRF AWARE

GET VPN (Group Encrypted Transport VPN) is a technology used to encrypt traffic that crosses untrusted networks. It uses the IPsec protocol suite to provide integrity and confidentiality of the data. A typical GET VPN deployment consists of one router acting as the Key Server (KS) and several routers acting as Group Members (GMs). The KS creates, maintains and distributes a “policy” to the GMs. The policy tells each GM which traffic must be encrypted and which encryption algorithms must be used. The most important function of the KS is the generation of the encryption keys. Two keys are used:

TEK – Traffic Encryption Key – used by the GMs to encrypt the data
KEK – Key Encryption Key – used to protect the rekey messages sent from the KS to the GMs

A very important aspect of GET VPN is that it does not set up any IPsec tunnels between GMs; it is NOT like DMVPN. Every GM holds the policy (what to encrypt, which encryption algorithm to use and which key that algorithm uses) and simply encrypts every packet that matches the policy, sending it out using ESP (Encapsulating Security Payload). Note that the original IP header is kept on the encrypted packet (the IP Header Preservation mechanism), so the packet is routed toward any other router in the network exactly as the clear-text packet would be, as long as the routing table has the route.

TASK1 PERFORM GETVPN ON KEY SERVER AND GROUP MEMBER

 The VRF for SITE_A should be site_a.
 The VRF for SITE_B should be site_b.
 The registration link between the KS and the GMs should be in VRF mgmt.
 The pre-shared key between the sites should be “cisco”.
 The ISAKMP policy should use encryption aes and DH group 5.
 The identity number for site_a should be 10.
 The identity number for site_b should be 20.
 Rekey authentication should use the RSA key “ccnpkey” for both groups.
 The rekey algorithm should be aes and the rekey transport unicast.
 The implementation should secure site_a traffic between the 192.168.29.0/24 and 192.168.30.0/24 networks.
 The implementation should secure site_b traffic between the 192.168.29.0/24 and 192.168.30.0/24 networks.
 The EIGRP routing process for site_a and site_b should be authenticated using MD5 with the password ccnp.

 Notes:
Refer to the topology for addressing, VLAN and EIGRP routing information. SW_GET is preconfigured for this task.


Configuration on Routers: -

NOTE: - Use Gi0/0 instead of Fa0/0 on R29 and R30

R27(KS):

ip vrf mgmt
 rd 20:20

interface fa0/0
 ip vrf forwarding mgmt
 ip address 20.1.20.3 255.255.255.0
 no shutdown


First we need RSA keys for the KS to use in the rekey process. The KS must send out a new TEK (and, when needed, a new KEK) before the current TEK expires (the default TEK lifetime is 3600 seconds); it does this in the so-called rekey phase. GM registration is protected by an ISAKMP SA established between the KS and each GM; GDOI (think of it as a variant of IKE) runs over UDP/848 instead of the UDP/500 used by IKE. The rekey messages themselves are signed with the KS's RSA private key, which is how the GMs authenticate that a rekey really came from the KS.
Remember that to generate RSA keys the router must already have a hostname and a domain name configured, so the domain name is set first:

ip domain-name cisco.com
crypto key generate rsa label ccnp modulus 2048

Next come the ISAKMP parameters, just as in a regular IPsec configuration. The pre-shared key must be configured on both the KS and the GMs so that they can authenticate each other; it is used to establish the ISAKMP SA that protects the GDOI registration. Because the registration link sits in VRF mgmt, the keyring is bound to that VRF.

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 group 5
 exit

crypto keyring mgmt vrf mgmt
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco

The IPsec parameters are also configured on the KS. The KS does not use them itself; they become part of the policy that is sent down to the GMs, and the IPsec profile tells the GMs which transform (encryption and integrity algorithms) to use.

crypto ipsec transform-set TS esp-aes esp-sha-hmac

crypto ipsec profile IPSPROFILE
 set transform-set TS

Now configure the KS itself. This is done per group: one KS may serve many groups, and each group may carry a different security policy.

crypto gdoi group site_a
 identity number 10
 server local
Here we specify the rekey parameters. The rekey can be delivered in two ways:

- Unicast rekey – used when the infrastructure has no multicast support (for example, an ISP IP VPN cloud that does not carry multicast). The KS sends a separate rekey packet to every GM it knows of and expects an acknowledgement from each one.

- Multicast rekey – used when the infrastructure is multicast-capable. The KS generates a single packet and sends it to all GMs at once.

rekey algorithm aes 256
rekey authentication mypubkey rsa ccnp
rekey transport unicast


Now the policy for the GMs. The encryption policy comes from the IPsec profile configured earlier. To tell the GMs which packets they must encrypt we need another ACL, an extended one this time, named site_a. The last important parameter is the KS's own IP address; it is sent down to the GMs as well, because the KS may be reachable on a different address (a loopback, for example) than the one the GMs registered to.

sa ipsec 1
 profile IPSPROFILE
 match address ipv4 site_a
address ipv4 20.1.20.3

The same for site_b:


crypto gdoi group site_b

identity number 20
server local

rekey algorithm aes 256



rekey authentication mypubkey rsa ccnp

rekey transport unicast


sa ipsec 1

profile IPSPROFILE
match address ipv4 site_b
address ipv4 20.1.20.3

ip access-list extended site_a



permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

ip access-list extended site_b


permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255


permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255
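The KS ACL is the encryption policy every GM installs, so the two things that go wrong with it are not GM-side mismatches but ACL design: an entry permitted in one direction without its mirror (traffic then flows encrypted one way and in cleartext the other way while you believe it is protected), and an over-broad permit ip any any that pulls routing and management traffic into the group SA unless explicit deny entries precede it, which is what Cisco's GETVPN design guidance recommends. The following Python checker is an added example and not part of the workbook; it parses IOS extended ACLs in the form above, and its sample input is the site_a ACL plus two constructed entries (a deny for EIGRP and an unmirrored permit) that exist only to show what gets reported.

```python
import ipaddress
import re

# Constructed sample, not from the lab: the site_a ACL from the key server above,
# plus a deny for EIGRP and one deliberately unmirrored permit (10.10.10.0/24).
SAMPLE_ACL = """
ip access-list extended site_a
 deny   eigrp any any
 permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.+?)\s*$")


def _wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _consume_address(tokens):
    """Read one address spec (any | host A.B.C.D | A.B.C.D W.W.W.W); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return a list of (action, protocol, src_net, dst_net) from an IOS extended ACL."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:  # the 'ip access-list extended' header, blank lines, remarks
            continue
        action, proto, rest = m.groups()
        src, rest = _consume_address(rest.split())
        dst, _ports = _consume_address(rest)  # port qualifiers are ignored here
        entries.append((action, proto.lower(), src, dst))
    return entries


def check_getvpn_acl(text):
    """Report permits without a mirror entry and over-broad any/any permits."""
    entries = parse_acl(text)
    permits = [e for e in entries if e[0] == "permit"]
    # A permit is mirrored when another permit for the same protocol swaps src and dst.
    reverse = {(proto, dst, src) for _, proto, src, dst in permits}

    def fmt(e):
        return f"{e[0]} {e[1]} {e[2]} -> {e[3]}"

    return {
        "permits": len(permits),
        "unmirrored": [fmt(e) for e in permits if (e[1], e[2], e[3]) not in reverse],
        "any_any": [fmt(e) for e in permits
                    if e[2].prefixlen == 0 and e[3].prefixlen == 0],
        "denies": [fmt(e) for e in entries if e[0] == "deny"],
    }


if __name__ == "__main__":
    for key, value in check_getvpn_acl(SAMPLE_ACL).items():
        print(f"{key}: {value}")
```

Run it against the output of show crypto gdoi ks acl (or the running configuration) after every policy change; a non-empty unmirrored list is a one-way encryption policy, and an any_any entry without deny lines above it is the case where control-plane traffic ends up inside the group SA.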

R29(GM):

hostname R29

int gi0/0
 no sh

ip vrf mgmt
rd 20:20
ip vrf site_a
rd 100:100
ip vrf site_b
rd 200:200

key chain ccnp


key 1
key-string ccnp

interface Loopback100
ip vrf forwarding site_a
ip address 192.168.29.29 255.255.255.255

interface Loopback200


ip vrf forwarding site_b

ip address 192.168.29.29 255.255.255.255

interface gi0/0.20
encapsulation dot1Q 20

ip vrf forwarding mgmt


ip address 20.1.20.29 255.255.255.0

interface gi0/0.100
encapsulation dot1Q 100

ip vrf forwarding site_a


ip address 20.1.45.29 255.255.255.0



ip authentication mode eigrp 505 md5

ip authentication key-chain eigrp 505 ccnp

interface gi0/0.200
encapsulation dot1Q 200

ip vrf forwarding site_b

ip address 20.1.45.29 255.255.255.0



ip authentication mode eigrp 505 md5

ip authentication key-chain eigrp 505 ccnp

router eigrp 55
address-family ipv4 vrf site_a autonomous-system 505

network 20.1.45.0 0.0.0.255


network 192.168.29.0
exit-address-family


address-family ipv4 vrf site_b autonomous-system 505


network 20.1.45.0 0.0.0.255


network 192.168.29.0
exit-address-family

R30(GM):

hostname R30

int gi0/0
 no sh

ip vrf mgmt
rd 20:20

ip vrf site_a
rd 100:100

ip vrf site_b
rd 200:200

key chain ccnp

key 1
key-string ccnp

interface Loopback100
ip vrf forwarding site_a
ip address 192.168.30.30 255.255.255.255

interface Loopback200


ip vrf forwarding site_b



ip address 192.168.30.30 255.255.255.255

interface gi0/0.20

encapsulation dot1Q 20

ip vrf forwarding mgmt


ip address 20.1.20.30 255.255.255.0

interface gi0/0.100
encapsulation dot1Q 100

ip vrf forwarding site_a


ip address 20.1.45.30 255.255.255.0



ip authentication mode eigrp 505 md5


ip authentication key-chain eigrp 505 ccnp

interface gi0/0.200
encapsulation dot1Q 200

ip vrf forwarding site_b

ip address 20.1.45.30 255.255.255.0



ip authentication mode eigrp 505 md5


ip authentication key-chain eigrp 505 ccnp

router eigrp 55

address-family ipv4 vrf site_a autonomous-system 505


network 20.1.45.0 0.0.0.255
network 192.168.30.0
exit-address-family


address-family ipv4 vrf site_b autonomous-system 505


network 20.1.45.0 0.0.0.255


network 192.168.30.0
exit-address-family

Verification:

R29#show ip route vrf site_a eigrp

Routing Table: site_a


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP


D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2


i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP


a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

192.168.30.0/32 is subnetted, 1 subnets


D 192.168.30.30
[90/130816] via 20.1.45.30, 00:00:23, GigabitEthernet0/0.100

R29#show ip route vrf site_b eigrp

Routing Table: site_b


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2


E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route


o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

192.168.30.0/32 is subnetted, 1 subnets


D 192.168.30.30

[90/130816] via 20.1.45.30, 00:01:16, GigabitEthernet0/0.200

R29# ping vrf site_a 192.168.30.30 source loopback 100

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
Packet sent with a source address of 192.168.29.29
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/27/48 ms

R29#ping vrf site_b 192.168.30.30 source loopback 200

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
Packet sent with a source address of 192.168.29.29


!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 22/27/36 ms

R29#ping vrf mgmt 20.1.20.3 source gi0/0.20


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.20.3, timeout is 2 seconds:

Packet sent with a source address of 20.1.20.29


!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/19/35 ms

Now configure the GMs to download the policy from the KS.

Configuration on R29: -

R29 is our first GM. The following must be configured on every GM:

- ISAKMP policy and pre-shared key (when PSK authentication is used)
- the group the GM registers to
- (optional) a local ACL to exclude some traffic from encryption
- a crypto map of type GDOI, applied to the interfaces that carry the protected traffic

crypto isakmp policy 10

authentication pre-share

encryption aes

group 5

exit

crypto keyring mgmt vrf mgmt


pre-shared-key address 20.1.20.3 key cisco

crypto gdoi group site_a


identity number 10

server address ipv4 20.1.20.3


client registration interface gi0/0.20

crypto gdoi group site_b


identity number 20

server address ipv4 20.1.20.3

client registration interface gi0/0.20

crypto map site_a 10 gdoi


set group site_a


crypto map site_b 10 gdoi
set group site_b

int gi0/0.100
crypto map site_a

int gi0/0.200

crypto map site_b

Configuration on R30:

crypto isakmp policy 10

authentication pre-share

encryption aes

group 5

exit

crypto keyring mgmt vrf mgmt


pre-shared-key address 20.1.20.3 key cisco

crypto gdoi group site_a


identity number 10

server address ipv4 20.1.20.3


client registration interface gi0/0.20

crypto gdoi group site_b


identity number 20

server address ipv4 20.1.20.3

client registration interface gi0/0.20

crypto map site_a 10 gdoi


set group site_a
crypto map site_b 10 gdoi
set group site_b

int gi0/0.100
crypto map site_a

int gi0/0.200
crypto map site_b

KS#show crypto gdoi group site_a

Group Name : site_a (Unicast)

Group Identity : 10
Group Members :2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86224 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts :2
Group Retransmit
Remaining Lifetime : 0 secs

IPSec SA Number :1
IPSec SA Rekey Lifetime : 3600 secs
Profile Name : IPSPROFILE
Replay method : Count Based
Replay Window Size : 64
SA Rekey

Remaining Lifetime : 3425 secs


ACL Configured : access-list site_a

Group Server list : Local

KS#show crypto gdoi group site_b

Group Name : site_b (Unicast)

Group Identity : 20
Group Members :2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86195 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts :2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number :1

IPSec SA Rekey Lifetime : 3600 secs


Profile Name : IPSPROFILE
Replay method : Count Based

Replay Window Size : 64

SA Rekey
Remaining Lifetime : 3396 secs
ACL Configured : access-list site_b

Group Server list : Local


KS#show crypto gdoi ks policy

Key Server Policy:

For group site_a (handle: 2147483650) server 20.1.20.3 (handle: 2147483650):

# of teks : 1 Seq num : 0

KEK POLICY (transport type : Unicast)

spi : 0x26778C2AF4A83B1747C42DAC7CEA8D6

management alg : disabled encrypt alg : AES

crypto iv length : 16 key size : 32

orig life(sec) : 86400 remaining life(sec) : 86165

sig hash algorithm : enabled sig key length : 294

sig size : 256

sig key name : ccnp

TEK POLICY (encaps : ENCAPS_TUNNEL)

spi : 0xD17F4FD5 access-list : site_a


# of transforms :0 transform : ESP_AES

hmac alg : HMAC_AUTH_SHA

alg key size : 16 sig key size : 20

orig life(sec) : 3600 remaining life(sec) : 3366

tek life(sec) : 3600 elapsed time(sec) : 234

antireplay window size : 64

Key Server Policy:

For group site_b (handle: 2147483651) server 20.1.20.3 (handle: 2147483651):

# of teks :1 Seq num : 0

KEK POLICY (transport type : Unicast)

spi : 0x91BA0BFE365FEBEB1CF752BBD5C726ED

management alg : disabled encrypt alg : AES

crypto iv length : 16 key size : 32

orig life(sec) : 86400 remaining life(sec) : 86167

sig hash algorithm : enabled sig key length : 294

sig size : 256

sig key name : ccnp

TEK POLICY (encaps : ENCAPS_TUNNEL)

spi : 0xD4615608 access-list : site_b

# of transforms :0 transform : ESP_AES

hmac alg : HMAC_AUTH_SHA

alg key size : 16 sig key size : 20

orig life(sec) : 3600 remaining life(sec) : 3368

tek life(sec) : 3600 elapsed time(sec) : 232

antireplay window size: 64

Both keys are visible: TEK and KEK.
KEK – used for rekey encryption; default lifetime 24 hours, default encryption algorithm 3DES (here AES-256 from rekey algorithm aes 256, shown as key size 32 bytes).
TEK – used for traffic encryption between GMs; default lifetime 1 hour, encryption algorithm taken from the configured IPsec profile (no default; here ESP_AES with a 16-byte key, i.e. AES-128, from esp-aes).
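The KS policy is the single source of truth for what every GM encrypts with, so it is the output worth checking programmatically after a change. Two fields are easy to misread: both key sizes are reported in bytes (32 = AES-256 for the KEK, 16 = AES-128 for the TEK), and sig key length : 294 is the length of the DER-encoded RSA public key, which is what a 2048-bit key produces, consistent with the modulus 2048 keypair generated earlier (that mapping is an inference from the sizes, not a documented meaning of the field). One caveat the output does not state: the KS reports Replay method : Count Based, and the GM SAs below show replay detection support: N. Counter-based anti-replay is effective only in a group of two members, because every sender shares the same SA and sequence-number space; for larger groups Cisco's GETVPN guidance is time-based anti-replay (replay time window-size under sa ipsec). The following Python parser and audit are an added example, not part of the workbook; the sample is the site_a section of the output above, reproduced as constructed input.

```python
import re

# Constructed sample, not captured from a device: the site_a section of the
# 'show crypto gdoi ks policy' output above, one 'name : value' pair or two per line.
SAMPLE_KS_POLICY = """
Key Server Policy:
For group site_a (handle: 2147483650) server 20.1.20.3 (handle: 2147483650):
# of teks : 1 Seq num : 0
KEK POLICY (transport type : Unicast)
spi : 0x26778C2AF4A83B1747C42DAC7CEA8D6
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 32
orig life(sec) : 86400 remaining life(sec) : 86165
sig hash algorithm : enabled sig key length : 294
sig size : 256
sig key name : ccnp
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0xD17F4FD5 access-list : site_a
# of transforms :0 transform : ESP_AES
hmac alg : HMAC_AUTH_SHA
alg key size : 16 sig key size : 20
orig life(sec) : 3600 remaining life(sec) : 3366
tek life(sec) : 3600 elapsed time(sec) : 234
antireplay window size : 64
"""

GROUP_RE = re.compile(r"For group (\S+) \(handle: \d+\) server (\S+)")
KV_RE = re.compile(r"([^:]+?)\s*:\s*(\S+)")  # one or more 'name : value' pairs per line

# DER-encoded RSA SubjectPublicKeyInfo lengths in bytes, used to recover the modulus
# size from 'sig key length' (an inference from the sizes, not a documented field).
RSA_SPKI_BYTES = {162: 1024, 294: 2048, 422: 3072, 550: 4096}


def parse_ks_policy(text):
    """Return {group: {'name', 'server', 'kek': {...}, 'teks': [{...}, ...], ...}}."""
    policies, group, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Key Server Policy"):
            continue
        m = GROUP_RE.match(line)
        if m:
            group = {"name": m.group(1), "server": m.group(2), "kek": {}, "teks": []}
            policies[group["name"]] = group
            section = None
            continue
        if group is None:
            continue
        if line.startswith("KEK POLICY"):
            section = group["kek"]
            section["transport"] = re.search(r"transport type\s*:\s*(\w+)", line).group(1)
            continue
        if line.startswith("TEK POLICY"):
            section = {"encaps": re.search(r"encaps\s*:\s*(\w+)", line).group(1)}
            group["teks"].append(section)
            continue
        target = section if section is not None else group
        target.update({k.strip().lower(): v for k, v in KV_RE.findall(line)})
    return policies


def audit_ks_policy(policy):
    """Summarise key strengths and lifetimes for one group and flag weak choices."""
    kek = policy["kek"]
    report = {
        "group": policy["name"],
        "rekey_transport": kek["transport"],
        "kek_cipher": f"{kek['encrypt alg']}-{int(kek['key size']) * 8}",  # bytes -> bits
        "kek_lifetime": int(kek["orig life(sec)"]),
        "rekey_rsa_bits": RSA_SPKI_BYTES.get(int(kek["sig key length"])),
        "teks": [],
        "findings": [],
    }
    for tek in policy["teks"]:
        entry = {
            "spi": tek["spi"],
            "acl": tek["access-list"],
            "cipher": f"{tek['transform']}-{int(tek['alg key size']) * 8}",
            "integrity": tek["hmac alg"],
            "lifetime": int(tek["tek life(sec)"]),
            "remaining": int(tek["remaining life(sec)"]),
        }
        report["teks"].append(entry)
        if entry["lifetime"] >= report["kek_lifetime"]:
            report["findings"].append(
                f"TEK {entry['spi']} lifetime is not shorter than the KEK lifetime")
        if entry["integrity"] == "HMAC_AUTH_SHA":  # esp-sha-hmac is HMAC-SHA-1
            report["findings"].append(
                f"TEK {entry['spi']} integrity is HMAC-SHA-1; prefer esp-sha256-hmac in the transform set")
    if report["rekey_rsa_bits"] is not None and report["rekey_rsa_bits"] < 2048:
        report["findings"].append("rekey signing key is shorter than 2048 bits")
    return report


if __name__ == "__main__":
    for name, policy in parse_ks_policy(SAMPLE_KS_POLICY).items():
        print(name, audit_ks_policy(policy))
```

The only finding on this lab's policy is the HMAC-SHA-1 integrity transform, which comes from esp-sha-hmac in transform set TS; swapping it for esp-sha256-hmac on the KS changes what every GM downloads at its next registration or rekey without touching the GMs.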

KS# show crypto gdoi ks acl

Group Name: site_a

Configured ACL:

access-list site_a permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list site_a permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

Group Name: site_b

Configured ACL:

access-list site_b permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list site_b permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

KS#show crypto gdoi ks members

Group Member Information:

Number of rekeys sent for group site_a :0

Group Member ID : 20.1.20.29

Group ID : 10

Group Name : site_a

Key Server ID : 20.1.20.3

Rekeys sent :0

Rekeys retries :0

Rekey Acks Rcvd :0

Rekey Acks missed :0

Sent seq num : 0 0 0 0

Rcvd seq num : 0 0 0 0

Group Member ID : 20.1.20.30

Group ID : 10

Group Name : site_a

Key Server ID : 20.1.20.3

Rekeys sent :0

Rekeys retries :0

Rekey Acks Rcvd :0

Rekey Acks missed :0

Sent seq num : 0 0 0 0

Rcvd seq num : 0 0 0 0

Number of rekeys sent for group site_b :0

Group Member ID : 20.1.20.29

Group ID : 20

Group Name : site_b

Key Server ID : 20.1.20.3

Rekeys sent :0

Rekeys retries :0

Rekey Acks Rcvd :0

Rekey Acks missed :0

Sent seq num : 0 0 0 0

Rcvd seq num : 0 0 0 0

Group Member ID : 20.1.20.30

Group ID : 20

Group Name : site_b

Key Server ID : 20.1.20.3

Rekeys sent :0

Rekeys retries :0

Rekey Acks Rcvd :0

Rekey Acks missed :0

Sent seq num : 0 0 0 0

Rcvd seq num : 0 0 0 0

KS# show crypto gdoi ks rekey


Group site_a (Unicast)

Number of Rekeys sent :0

Number of Rekeys retransmitted :0

KEK rekey lifetime (sec) : 86400

Remaining lifetime (sec) : 85978

Retransmit period : 10

Number of retransmissions :2

IPSec SA 1 lifetime (sec) : 3600

Remaining lifetime (sec) : 3179

Group site_b (Unicast)

Number of Rekeys sent :0

Number of Rekeys retransmitted :0

KEK rekey lifetime (sec) : 86400

Remaining lifetime (sec) : 85981

Retransmit period : 10

Number of retransmissions :2

IPSec SA 1 lifetime (sec) : 3600

Remaining lifetime (sec) : 3182

These counters reflect the rekey configuration. It is important for unicast rekey that the KS retransmits the rekey message when it does not receive an ACK from a GM (here every 10 seconds, up to 2 retransmissions).

KS#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

20.1.20.3 20.1.20.29 GDOI_IDLE 1001 0 ACTIVE

20.1.20.3 20.1.20.30 GDOI_IDLE 1002 0 ACTIVE

Note that the ISAKMP SA is established only between the KS and each GM. There is no ISAKMP SA between GMs.

KS#show crypto ipsec sa

No SAs found

There are no IPsec SAs between the KS and the GMs. Everything between them runs over the ISAKMP SA: after IKE Phase 1 establishes it, GDOI uses it for GM registration, and the rekeys that follow are protected with the KEK downloaded during that registration.

The corresponding show commands on the GMs:

On R29

R29#show crypto gdoi gm

Group Member Information For Group site_a:

IPSec SA Direction : Both

ACL Received From KS : gdoi_group_site_a_temp_acl

Group member : 20.1.20.29 vrf: mgmt

Local addr/port : 20.1.20.29/848

Remote addr/port : 20.1.20.3/848

fvrf/ivrf : mgmt/mgmt

Version : 1.0.17

Registration status : Registered

Registered with : 20.1.20.3

Re-registers in : 2845 sec

Succeeded registration :1

Attempted registration :1

Last rekey from : 0.0.0.0

Last rekey seq num :0

Unicast rekey received :0

Rekey ACKs sent :0

Rekey Received : never

DP Error Monitoring : OFF

IPSEC init reg executed :0

IPSEC init reg postponed :0

Active TEK Number :1

SA Track (OID/status) : disabled

Group Member Information For Group site_b:

IPSec SA Direction : Both

ACL Received From KS : gdoi_group_site_b_temp_acl

Group member : 20.1.20.29 vrf: mgmt

Local addr/port : 20.1.20.29/848

Remote addr/port : 20.1.20.3/848

fvrf/ivrf : mgmt/mgmt

Version : 1.0.17

Registration status : Registered

Registered with : 20.1.20.3

Re-registers in : 2874 sec

Succeeded registration :1

Attempted registration :1

Last rekey from : 0.0.0.0

Last rekey seq num :0

Unicast rekey received :0

Rekey ACKs sent :0

Rekey Received : never

DP Error Monitoring : OFF

IPSEC init reg executed :0

IPSEC init reg postponed :0

Active TEK Number :1

SA Track (OID/status) : disabled

R29#show crypto gdoi gm acl

Group Name: site_a

ACL Downloaded From KS 20.1.20.3:

access-list permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

ACL Configured Locally:

ACL of default bypass policy for group-key management traffic:

GigabitEthernet0/0.100: None (registration/rekey occurs via vrf mgmt)

Group Name: site_b

ACL Downloaded From KS 20.1.20.3:

access-list permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255


access-list permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255

ACL Configured Locally:

ACL of default bypass policy for group-key management traffic:

GigabitEthernet0/0.200: None (registration/rekey occurs via vrf mgmt)

R29#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

20.1.20.3 20.1.20.29 GDOI_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R29#show crypto ipsec sa

interface: GigabitEthernet0/0.100

Crypto map tag: site_a, local addr 20.1.45.29

protected vrf: site_a

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

Group: site_a

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.1.45.29, remote crypto endpt.: 0.0.0.0

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.100

current outbound spi: 0xD17F4FD5(3514781653)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xD17F4FD5(3514781653)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: site_a

sa timing: remaining key lifetime (sec): 2722

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD17F4FD5(3514781653)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: site_a

sa timing: remaining key lifetime (sec): 2722

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: site_a

local ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

Group: site_a

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.1.45.29, remote crypto endpt.: 0.0.0.0

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.100

current outbound spi: 0xD17F4FD5(3514781653)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xD17F4FD5(3514781653)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: site_a

sa timing: remaining key lifetime (sec): 2722

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD17F4FD5(3514781653)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: site_a

sa timing: remaining key lifetime (sec): 2722

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

interface: GigabitEthernet0/0.200

Crypto map tag: site_b, local addr 20.1.45.29

protected vrf: site_b

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

Group: site_b

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.1.45.29, remote crypto endpt.: 0.0.0.0

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.200

current outbound spi: 0xD4615608(3563148808)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xD4615608(3563148808)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: site_b

sa timing: remaining key lifetime (sec): 2723

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD4615608(3563148808)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: site_b

sa timing: remaining key lifetime (sec): 2723

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: site_b

local ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

Group: site_b

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.1.45.29, remote crypto endpt.: 0.0.0.0

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.200

current outbound spi: 0xD4615608(3563148808)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xD4615608(3563148808)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: site_b

sa timing: remaining key lifetime (sec): 2723

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD4615608(3563148808)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: site_b

sa timing: remaining key lifetime (sec): 2723

Kilobyte Volume Rekey has been disabled

IV size: 16 bytes

replay detection support: N

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

R29#ping vrf site_a 192.168.30.30 source loopback 100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:

Packet sent with a source address of 192.168.29.29

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/52 ms

R29#show crypto ipsec sa

interface: GigabitEthernet0/0.100

Crypto map tag: site_a, local addr 20.1.45.29

protected vrf: site_a

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

Group: site_a

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

R29#ping vrf site_b 192.168.30.30 source loopback 200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:

Packet sent with a source address of 192.168.29.29

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 13/25/42 ms

R29#show crypto ipsec sa

interface: GigabitEthernet0/0.200

Crypto map tag: site_b, local addr 20.1.45.29

protected vrf: site_b

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.29.0/255.255.255.0/0/0)

Group: site_b

current_peer 0.0.0.0 port 848

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

LAB-3.8: - FLEX VPN

TASK-1 CONFIGURE THE R14, R15 AND R16

 Configure the routes according to the topology

Configuration of Routers: -

Note: use GigabitEthernet instead of FastEthernet on all routers.

R14:

hostname R14
interface gi0/0
ip address 1.1.1.1 255.255.255.0


no sh

interface Loopback1
ip address 192.168.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 1.1.1.10

R15:

hostname R15

interface GigabitEthernet0/0

ip address 2.2.2.2 255.255.255.0


no sh

interface Loopback1

ip address 192.168.2.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 2.2.2.10

R16:
interface GigabitEthernet0/0
ip address 1.1.1.10 255.255.255.0

no sh

interface GigabitEthernet0/1

ip address 2.2.2.10 255.255.255.0


no sh

TASK-2 SITE TO SITE WITH PSK - FLEX VPN – IKEV2

 Configure the IKEv2 proposal, policy, profile and keyring to secure communication between 192.168.1.1 on R14 and 192.168.2.2 on R15.

Configuration of Routers

R14: -

crypto ikev2 proposal ccnp-pro


encryption aes-cbc-128

integrity md5
group 2

crypto ikev2 policy ccnp-policy


proposal ccnp-pro

crypto ikev2 keyring ccnp-key


peer r15
address 2.2.2.2
pre-shared-key cisco

crypto ikev2 profile ccnp-profile


match identity remote address 2.2.2.2 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local ccnp-key

crypto ipsec transform-set TS esp-aes esp-sha-hmac


mode tunnel

ip access-list extended VPN


permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp


set peer 2.2.2.2
set transform-set TS

set ikev2-profile ccnp-profile


match address VPN
reverse-route static

int gi0/0

crypto map CMAP

R15: -
crypto ikev2 proposal ccnp-pro
encryption aes-cbc-128
integrity md5

group 2

crypto ikev2 policy ccnp-policy

proposal ccnp-pro

crypto ikev2 keyring ccnp-key


peer r14
address 1.1.1.1

pre-shared-key cisco

ip access-list extended VPN

permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto ikev2 profile ccnp-profile


match identity remote address 1.1.1.1 255.255.255.255
authentication local pre-share
authentication remote pre-share

keyring local ccnp-key

crypto ipsec transform-set TS esp-aes esp-sha-hmac


mode tunnel

crypto map CMAP 10 ipsec-isakmp

set peer 1.1.1.1


set transform-set TS
set ikev2-profile ccnp-profile

match address VPN


reverse-route static
357
CCIE SECURITY V5

int gi0/0
crypto map CMAP

R14#ping 192.168.2.2 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!

The first echo is lost while the IKEv2 and IPsec SAs are being negotiated; the remaining four succeed. If every echo fails, look at "show crypto ikev2 sa" first (no SA means the peers never agreed on the proposal or the pre-shared key), then at the crypto ACLs on both ends.

R14#show crypto ikev2 proposal

IKEv2 proposal : ccnp-pro
 Encryption : AES-CBC-128
 Integrity  : MD596
 PRF        : MD5
 DH Group   : DH_GROUP_1024_MODP/Group 2
IKEv2 proposal : default
 Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
 Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
 PRF        : SHA512 SHA384 SHA256 SHA1 MD5
 DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

R14#show crypto ikev2 policy

IKEv2 policy : ccnp-policy
 Match fvrf          : global
 Match address local : any
 Proposal            : ccnp-pro

IKEv2 policy : default
 Match fvrf          : any
 Match address local : any
 Proposal            : default

R14#show crypto ikev2 profile

IKEv2 profile : ccnp-profile
 Ref Count : 2
 Match criteria:
  Fvrf : global
  Local address/interface : none
  Identities : address 2.2.2.2 255.255.255.255
  Certificate maps : none
 Local identity : none
 Remote identity : none
 Local authentication method : pre-share
 Remote authentication method(s) : pre-share
 EAP options : none
 Keyring : ccnp-key
 Trustpoint(s) : none
 Lifetime : 86400 seconds
 DPD : disabled
 NAT-keepalive : disabled
 Ivrf : none
 Virtual-template : none
 mode auto : none
 AAA AnyConnect EAP authentication mlist : none
 AAA EAP authentication mlist : none
 AAA Accounting : none
 AAA group authorization : none
 AAA user authorization : none

R14#show crypto ikev2 sa

IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.1.1/500           2.2.2.2/500           none/none            READY
      Encr: AES-CBC, keysize: 128, PRF: MD5, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/523 sec

IPv6 Crypto IKEv2 SA

R14#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x2BDF8145(736067909)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF0070CCE(4026993870)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4162318/3067)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2BDF8145(736067909)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4162318/3067)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

The encaps/decaps counters (4/4) match the four echoes that succeeded in the ping above; an encaps counter that rises while decaps stays at zero points at the return path (the peer's crypto ACL or its route back to 192.168.1.0/24).
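The show output above is read by eye in the lab; across many tunnels the same review should be automated. The following is an added example, not part of the lab guide, that parses the text of "show crypto ikev2 sa" and "show crypto ipsec sa" and reports the weak choices made in this task (MD5 integrity/PRF, DH group 2, no PFS, SHA-1 ESP integrity). The two sample strings are constructed copies of R14's output above; the acceptance thresholds (SHA-2 only, DH group 14 or higher, PFS on) are this example's own policy, not a Cisco default.

```python
"""Audit negotiated IKEv2/IPsec SA parameters from IOS 'show' output.

Added example (not part of the lab): parses the text of 'show crypto ikev2 sa'
and 'show crypto ipsec sa' and reports parameters that should not be accepted
in production. The thresholds below are this example's own policy.
"""
import re

# Constructed copies of the R14 output shown in the lab.
IKEV2_SA_SAMPLE = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         1.1.1.1/500           2.2.2.2/500           none/none            READY
      Encr: AES-CBC, keysize: 128, PRF: MD5, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/523 sec

IPv6 Crypto IKEv2 SA
"""

IPSEC_SA_SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 1.1.1.1
     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     current outbound spi: 0x2BDF8145(736067909)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xF0070CCE(4026993870)
        transform: esp-aes esp-sha-hmac ,
     outbound esp sas:
      spi: 0x2BDF8145(736067909)
        transform: esp-aes esp-sha-hmac ,
"""

WEAK_HASHES = {"MD5", "MD596", "SHA1", "SHA96"}          # MD5 and SHA-1 family for IKE
WEAK_ESP = {"esp-md5-hmac", "esp-des", "esp-3des", "esp-null"}
LEGACY_ESP = {"esp-sha-hmac"}                            # HMAC-SHA1-96: allowed, but SHA-2 is current
MIN_DH_GROUP = 14                                        # 2048-bit MODP; ECDH 19/20 also pass


def parse_ikev2_sa(text):
    """Return one dict per IKEv2 SA, with the key/value line IOS prints under it."""
    lines = text.splitlines()
    sas = []
    for i, line in enumerate(lines):
        m = re.match(r"\s*(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)\s+(\S+)\s*$", line)
        if not m:
            continue
        sa = {"tunnel": int(m.group(1)), "local": m.group(2),
              "remote": m.group(4), "status": m.group(7)}
        params = lines[i + 1] if i + 1 < len(lines) else ""
        for key, val in re.findall(r"([A-Za-z ]+?):\s*([^,]+)", params):
            sa[key.strip()] = val.strip()   # e.g. "DH Grp" -> "2", "Hash" -> "MD596"
        sas.append(sa)
    return sas


def audit_ikev2(sa):
    """Findings for one parsed IKEv2 SA."""
    findings = []
    tag = "IKEv2 SA %s<->%s" % (sa["local"], sa["remote"])
    for field in ("Hash", "PRF"):
        if sa.get(field) in WEAK_HASHES:
            findings.append("%s: %s %s is weak, use SHA-256 or better" % (tag, field, sa[field]))
    grp = int(sa.get("DH Grp", "0"))
    if grp < MIN_DH_GROUP:
        findings.append("%s: DH group %d is below 2048-bit strength, use group 14 or higher" % (tag, grp))
    if sa.get("Auth sign") == "PSK":
        findings.append("%s: pre-shared-key authentication; acceptable only with a long random key per peer" % tag)
    return findings


def audit_ipsec(text):
    """Findings from 'show crypto ipsec sa': PFS setting and ESP transforms."""
    findings = []
    pfs = re.search(r"PFS \(Y/N\): ([YN])", text)
    if pfs and pfs.group(1) == "N":
        findings.append("IPsec: PFS disabled, add 'set pfs group14' to the crypto map")
    for transform in sorted(set(t.strip() for t in re.findall(r"transform: ([^,]+)", text))):
        parts = set(transform.split())
        bad = sorted(parts & WEAK_ESP)
        if bad:
            findings.append("IPsec: transform '%s' uses %s, which is broken or deprecated" % (transform, " ".join(bad)))
        if parts & LEGACY_ESP:
            findings.append("IPsec: transform '%s' uses SHA-1 integrity; prefer esp-sha256-hmac or an AES-GCM transform" % transform)
    return findings


def audit(ikev2_text, ipsec_text):
    """All findings for a router, IKEv2 first, then IPsec."""
    findings = []
    for sa in parse_ikev2_sa(ikev2_text):
        findings.extend(audit_ikev2(sa))
    findings.extend(audit_ipsec(ipsec_text))
    return findings


if __name__ == "__main__":
    for finding in audit(IKEV2_SA_SAMPLE, IPSEC_SA_SAMPLE):
        print("FINDING:", finding)
```

Run against the lab output it prints five findings (MD5 hash, MD5 PRF, DH group 2, PSK, no PFS) plus the SHA-1 ESP note; a tunnel negotiated with AES-GCM, SHA-256 PRF, group 19 and PFS produces none. Feeding it the output of "show crypto ikev2 sa" on every hub router once a day is a cheap way to catch a peer that was re-keyed with a downgraded proposal.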

Section 4 – ISE

GOAL OF THE LAB

This section follows the outline of the Implementing and Configuring Cisco Identity Services Engine (SISE) course. Cisco ISE v2.4 is an identity and access control policy platform that provides a single policy plane across the entire organization, combining multiple services into one context-aware, identity-based platform. You will configure and administer many of its services, including authentication, authorization and accounting (AAA), posture, profiling and guest management, and you will enforce security posture compliance for wired and wireless endpoints to strengthen infrastructure security with Cisco ISE. After completing this section you should be able to:

- Describe Cisco ISE architecture, installation and distributed deployment options
- Configure Network Access Devices (NADs), policy components, and basic authentication and authorization policies in Cisco ISE
- Implement Cisco ISE web authentication and guest services
- Deploy Cisco ISE profiling, posture and client provisioning services
- Describe administration, monitoring, troubleshooting and TrustSec SGA security

LAB-4.1: - ISE INSTALLATION (OPTIONAL)

- Verify the Cisco ISE with the following IP addresses and setup using the CLI

Device      Interface   IP
ISE-P       MGMT NIC    150.1.7.179
ISE-S       MGMT NIC    150.1.7.189
ASAv        MGMT        150.1.7.166
R1          MGMT        150.1.7.163
AD-DNS      MGMT        150.1.7.164
CA-Server   MGMT        150.1.7.160

Activity Procedure

Complete these steps. The commands below can take some time to return their output; be patient.

TASK1 ACCESS THE CISCO ISE

Step 1: - Access the Cisco ISE console according to the lab access procedure provided by your instructor.

Step 2: - At the login prompt, enter the username admin and the password Sanfran@1234.

Step 3: - You should see the following prompt:

Netmetric-ISE/admin#

TASK2 CHECK THE APPLICATION STATUS

Step 1: - Enter the following command and observe the state of each service:

Netmetric-ISE/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          19567
Database Server                        running          53 PROCESSES
Application Server                     running          24839
Profiler Database                      running          22668
ISE Indexing Engine                    running          25304
AD Connector                           running          26091
M&T Session Database                   running          22576
M&T Log Collector                      running          25872
M&T Log Processor                      running          25775
Certificate Authority Service          running          25610
EST Service                            running          25732
SXP Engine Service                     disabled
TC-NAC Docker Service                  disabled
TC-NAC MongoDB Container               disabled
TC-NAC RabbitMQ Container              disabled
TC-NAC Core Engine Container           disabled
VA Database                            disabled
VA Service                             disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled

"disabled" is normal for services that are not enabled on this node (SXP, TC-NAC, VA, pxGrid). Any core service in a state other than "running" means something is wrong with that ISE subsystem. To recover, restart the application with "application stop ise" followed by "application start ise"; be patient, a restart takes several minutes.

TASK3 CHECK THE NTP STATUS

Step 1: - Verify NTP synchronization. At the command prompt, type the following command:

ISE-P/admin# show ntp

Configured NTP Servers:
  time.nist.gov
  150.1.7.164

synchronised to NTP server (150.1.7.164) at stratum 3
   time correct to within 156 ms
   polling server every 1024 s

     remote           refid            st t when poll reach   delay   offset  jitter
====================================================================================
 127.127.1.0      .LOCL.           10 l   96h   64    0    0.000    0.000   0.000
*150.1.7.164      133.243.238.163   2 u   130 1024  377    1.120  -14.943  18.948

* Current time source, + Candidate, x False ticker

Warning: Output results may conflict during periods of changing synchronization.

Step 2: - Observe the output, paying attention to the * at the beginning of the 150.1.7.164 line and to the text above it that reads "synchronised to NTP server ...". The * marks the peer the system clock actually follows. A server that is listed without a * (or an "unsynchronised" line) means ISE is free-running on its local clock; the AD join, certificate validation and log correlation will all suffer.

TASK4 CHECK THE DNS LOOKUP

Step 1: - Verify DNS name resolution. At the command prompt enter the following command:

ISE-P/admin# nslookup ISE-P.cisco.com

Trying "ISE-P.cisco.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62683
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ISE-P.cisco.com.               IN      ANY

;; ANSWER SECTION:
ISE-P.cisco.com.        3600    IN      A       150.1.7.179

Received 49 bytes from 150.1.7.164#53 in 1 ms

The answer must come from the configured name server (150.1.7.164) and return the node's own management address. Both forward and reverse resolution of the ISE FQDN are required later for the AD join and for certificate subject checks.

TASK5 CHECK THE APPLICATION

Step 1: - Verify that the Netmetric-ISE application is properly installed.

Cisco ISE is an application installed on an underlying operating system, Cisco ADE-OS. Once connected to the ADE-OS shell, check which applications are installed; the name shown here ("ise") is the one used in all "application ..." and "show application ..." commands.

Netmetric-ISE/admin# show application

<name>    <Description>
ise       Cisco Identity Services Engine

TASK6 CHECK THE ISE VERSION, INTERFACE DETAILS AND ROUTING

Step 1: - Check the ISE version.

ISE-P/admin# show application version ise

Cisco Identity Services Engine
---------------------------------------------
Version      : 2.4.0.357
Build Date   : Wed May 25 04:34:43 2016
Install Date : Mon Dec  3 12:27:05 2018

The version is 2.4.0 and 357 is the build number of that release; installed patches are not part of this string and are listed separately by "show version". By default ISE runs in a 90-day evaluation mode, so no license file is needed for these labs; a production license can be installed later.

Step 2: - Check the interface configuration.

ISE-P/admin# show interface

GigabitEthernet 0
        flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 150.1.7.179  netmask 255.255.255.0  broadcast 150.1.7.255
        inet6 fe80::20c:29ff:fe11:61bf  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:11:61:bf  txqueuelen 1000  (Ethernet)
        RX packets 736959  bytes 69764199 (66.5 MiB)
        RX errors 0  dropped 763  overruns 0  frame 0
        TX packets 393432  bytes 523838004 (499.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

GigabitEthernet 1
        flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:0c:29:11:61:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

GigabitEthernet 2
        flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:0c:29:11:61:d3  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

GigabitEthernet 3
        flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:0c:29:11:61:dd  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 7783302  bytes 2956650886 (2.7 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7783302  bytes 2956650886 (2.7 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Check that GigabitEthernet 0 carries the UP and RUNNING flags with the expected address, that the RX and TX packet counters increase, and that the error counters do not. Missing UP/RUNNING flags on GigabitEthernet 0 mean the management interface is down, which is the first thing to look at when the GUI or RADIUS is unreachable. More interfaces may appear depending on the installation; some of them may be dedicated to profiling services and stay down otherwise.

Step 3: - Check the routing table and the default gateway.

ISE-P/admin# show ip route

Destination      Gateway      Interface
-----------      -------      ---------
default          150.1.7.1    eth0
150.1.7.0/24     0.0.0.0      eth0

Step 4: - Check the name-server and domain configuration, then verify that DNS resolves the FQDN of the node (Netmetric-ISE.cisco.com) as in TASK4.

ISE-P/admin# show running-config | inc name

hostname Netmetric-ISE
--
ip domain-name cisco.com
--
ip name-server 150.1.7.164
--
username admin password hash $5$JRiHrdLV$EryTJHf3UBEhVNIb.SWSTvmaGApOkXNJc.0B6HUQQm0 role admin

TASK7 CHECK THE TIMEZONE AND CLOCK

Step 1: - Check the time zone and the clock.

ISE-P/admin# show clock
Tue Dec 11 07:52:00 UTC 2018

ISE-P/admin# show timezone
UTC

Keep all ISE nodes, the NADs and the AD domain controllers on one NTP-disciplined time base: RADIUS accounting, live-log correlation and the Kerberos exchange used for the AD join all break when clocks drift.

Activity Verification

You have completed this task when you obtain the following results:

- Successfully observed the Cisco ISE services status
- Successfully observed NTP synchronization
- Successfully performed an nslookup to verify proper name resolution
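The three checks above are exactly what an operator should run on every node after an install or a patch, so they are worth scripting. The following is an added example, not part of the lab guide, that parses the text of "show application status ise" and "show ntp" (as captured over SSH or pasted from the console) and returns the problems to act on. The two sample strings are constructed copies of the output shown in this lab; the list of services treated as mandatory and the 1000 ms offset threshold are this example's own choices.

```python
"""Check ISE node health from the CLI output collected in Lab-4.1.

Added example (not part of the lab): parses 'show application status ise' and
'show ntp' text and returns the problems an operator should act on.
MANDATORY and the offset threshold are this example's own choices.
"""
import re

# Constructed copy of the 'show application status ise' output shown above (shortened).
STATUS_SAMPLE = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          19567
Database Server                        running          53 PROCESSES
Application Server                     running          24839
Profiler Database                      running          22668
ISE Indexing Engine                    running          25304
AD Connector                           running          26091
M&T Session Database                   running          22576
M&T Log Collector                      running          25872
M&T Log Processor                      running          25775
Certificate Authority Service          running          25610
EST Service                            running          25732
SXP Engine Service                     disabled
TC-NAC Docker Service                  disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
"""

# Constructed copy of the 'show ntp' output shown above.
NTP_SAMPLE = """\
Configured NTP Servers:
  time.nist.gov
  150.1.7.164

synchronised to NTP server (150.1.7.164) at stratum 3
   time correct to within 156 ms
   polling server every 1024 s

     remote           refid            st t when poll reach   delay   offset  jitter
====================================================================================
 127.127.1.0      .LOCL.           10 l   96h   64    0    0.000    0.000   0.000
*150.1.7.164      133.243.238.163   2 u   130 1024  377    1.120  -14.943  18.948
"""

# Services that must be running on a PAN/PSN for AAA, AD lookups and logging to work.
MANDATORY = (
    "Database Listener", "Database Server", "Application Server", "AD Connector",
    "M&T Session Database", "M&T Log Collector", "M&T Log Processor",
)
STATES = ("not running", "running", "disabled", "initializing")   # "not running" before "running"
_LINE = re.compile(r"^(?P<name>.+?)\s+(?P<state>" + "|".join(STATES) + r")(?:\s+(?P<pid>.*))?$")


def parse_application_status(text):
    """Map process name -> state; header and separator lines do not match and are skipped."""
    status = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            status[m.group("name").strip()] = m.group("state")
    return status


def parse_ntp(text):
    """Return (synchronised, server, stratum, offset_ms) from 'show ntp'."""
    sync = re.search(r"^synchronised to NTP server \(([\d.]+)\) at stratum (\d+)", text, re.M)
    # The '*' row is the selected peer: remote refid st t when poll reach delay offset jitter
    peer = re.search(r"^\*(\S+)\s+\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+\d+\s+[\d.]+\s+(-?[\d.]+)", text, re.M)
    if not sync or not peer:
        return (False, None, None, None)
    return (True, sync.group(1), int(sync.group(2)), float(peer.group(2)))


def check_node(status_text, ntp_text, max_offset_ms=1000.0):
    """List of human-readable problems; an empty list means the node looks healthy."""
    problems = []
    status = parse_application_status(status_text)
    for svc in MANDATORY:
        state = status.get(svc, "missing")
        if state != "running":
            problems.append("service '%s' is %s (restart with 'application stop ise' / 'application start ise')"
                            % (svc, state))
    synced, server, stratum, offset = parse_ntp(ntp_text)
    if not synced:
        problems.append("NTP is not synchronised; AD join, certificate checks and log correlation will suffer")
    elif abs(offset) > max_offset_ms:
        problems.append("NTP offset %.1f ms to %s (stratum %d) exceeds %.0f ms" % (offset, server, stratum, max_offset_ms))
    return problems


if __name__ == "__main__":
    for line in check_node(STATUS_SAMPLE, NTP_SAMPLE) or ["node healthy"]:
        print(line)
```

On the output of this lab the script reports nothing, because every mandatory service is running and the node follows 150.1.7.164 with a 15 ms offset; the "disabled" pxGrid, SXP and TC-NAC services are deliberately not in the mandatory list, since they are off unless enabled for a node. Run the same script after a patch or a reboot, when "Application Server" sits in "initializing" for several minutes, to avoid opening the GUI too early.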


Step 2: - Connect through the GUI and check the license. Open a web browser (IE or FF) and enter the URL https://150.1.7.189 or https://netmetric-ise.cisco.com (the device table lists ISE-P as 150.1.7.179 and ISE-S as 150.1.7.189; use the node you intend to administer).

- Authenticate as admin/Sanfran@1234
- Log in to the GUI

- For the detailed solution please refer to the "avi" file uploaded on the resource portal.

TASK8 RESET THE PASSWORD FOR THE GUI TO SANFRAN!1234

Step 1: - From the CLI:

ISE-P/admin# application reset-passwd ise admin

Enter the new password when prompted. This command resets the GUI (web) admin account, not the CLI admin user, which is why it is run from the CLI shell; the application name is lower-case "ise", as shown by "show application" in TASK5.

LAB-4.2: - ADMINISTRATIVE ACCESS TO ISE

TASK1 SETUP ADMINISTRATIVE ACCESS TO ISE

- Configure the following settings for administrative access to ISE:
  o Access is allowed from the Candidate-PC (150.1.7.20) only.
  o The idle session timeout is 30 minutes.
  o The admin account must not be disabled automatically.
  o The login banner is "Welcome to Netmetric Lab".

Activity Procedure

Complete these steps:

Open the GUI at https://150.1.7.179 from the Candidate-PC.
Also open https://150.1.7.179 from AD-DNS, so that later in the task you can check that the GUI is reachable from the Candidate-PC only.

Double-check the address before saving the IP access restriction: if the allowed list does not contain the address you are administering from, you lock yourself out of the GUI.

From the menu bar:
  o Administration > System > Admin Access

From Admin Access:
  o Settings > Access > IP Access: allow access from 150.1.7.20 only
  o Settings > Access > Sessions: change the banner to "Welcome to Netmetric Lab"
  o Settings > Sessions > Session Timeout: set 30 minutes
  o Authentication > Account Disable Policy: make sure the automatic disabling of inactive administrator accounts is off, so that the admin account is never disabled automatically

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Verification
Go back to AD-DNS and reload the ISE GUI: the connection must now be refused, while the Candidate-PC still has access.

TASK2 SETUP A HELPDESK USER ACCESS TO ISE

- Create the helpdesk administrative user "Help_User" with the password Help123, member of the "Helpdesk" admin group, with access to the Operations menu only. You can use the pre-configured group settings.
- Set the following password policy for all the accounts created on the ISE:
  o Minimum password length is 6 characters.
  o The password must not contain the admin name nor words like "cisco" or "test".
  o The password must contain at least one lowercase alphabetic character and one numeric character.

Activity Procedure

Complete these steps:

From Admin Access:
  o Authentication > Password Policy: set the minimum length to 6, enable "must not contain the username", add the dictionary words "cisco" and "test" to reject, and require at least one lowercase and one numeric character

From Admin Access:
  o Administrators > Admin Users > Add > Create an Admin User

From the new user form:
  o Name: Help_User
  o Password: Help123
  o Admin Group: Helpdesk
  o A description is optional

Check the user: log in as Help_User and confirm that only the Operations menu is visible; explore the menus to see which fields the Helpdesk role can reach.

Note: the policy above is deliberately lax so that the lab value Help123 (7 characters) passes; in production use a longer minimum length and require upper-case and special characters as well.

LAB-4.3: - INTEGRATION WITH ACTIVE DIRECTORY

TASK1 SETUP ISE WITH ACTIVE DIRECTORY

- Configure ISE to join the Active Directory domain cisco.com. Use the AD credentials administrator/Sanfran@1234 to join the domain.
  o Use "ad-ccnp" as the join point name, with the domain cisco.com.
  o Check the user bob with the password Sanfran@1234 on ISE, and retrieve the AD group called Lab_Netmetric.

Activity Procedure

Complete these steps:

From Administration > Identity Management > External Identity Sources:
  o Active Directory > Add: Join Point Name ad-ccnp, Active Directory Domain cisco.com
  o Join, with the credentials
    - Username: administrator
    - Password: Sanfran@1234

Join Operation Status:
  o The status must show Completed, and the node must be listed as Operational.

Test the user:
  o Click Test User
    - Username: bob
    - Password: Sanfran@1234 (as given in the task)
  o The result must be Successful; the retrieved groups should include Lab_Netmetric.

Add AD to the default identity source sequence:
  o Go to Identity Source Sequences > All_User_ID_Stores
  o Move ad-ccnp to the Selected list
  o Save

The join creates a machine account for the ISE node in AD; the administrator credential is used once for the join and is not stored on ISE. Make sure DNS (TASK4 of Lab-4.1) and NTP are healthy first: the join fails on clock skew or when the domain controllers cannot be resolved.

TASK2 SETUP ISE WITH ACTIVE DIRECTORY

- Configure a new Identity Source Sequence named "ccnp_iss" and add the newly joined Active Directory to this sequence.

Activity Procedure

Complete these steps:

Go to Administration > Identity Management:
  o Identity Source Sequences > Add

Identity Source Sequence:
  o Name: ccnp_iss (use the exact name from the task; the sequence is referenced by name from the authentication rules later)
  o Move ad-ccnp to the Selected list
  o Add a description if you want

Verification

LAB-4.4: - CONFIGURE THE DC-ROUTER FOR SSH AUTHENTICATION

TASK SETUP AUTHENTICATION AND AUTHORIZATION ON THE ROUTER

- The authentication request must be forwarded to the RADIUS server ISE.
- ISE must check the SSH user in the Active Directory database.
- Active Directory is preconfigured and was integrated in the previous task.
- SSH user credentials: bob/Sanfran@1234.
- Make sure that user "bob" belongs to the user group Lab_Netmetric in ISE.
- To authorize the session, ISE must check that the SSH user belongs to Lab_Netmetric and that the NAS IP address is that of DC-Router.
- The user bob must be assigned privilege level 15 on successful authorization.
- The session must not time out for 24 hours, even without any activity.
- Test the SSH from the Candidate-PC, where a dc-router.cisco.com connection profile has been created in the PuTTY client.

Configuration on Router

DC-Router

hostname DC-Router
ip domain name cisco.com
crypto key generate rsa modulus 1024

aaa new-model
aaa authentication login NOISE line none
line con 0
 login authentication NOISE

radius server ccnp
 address ipv4 150.1.7.189 auth-port 1812 acct-port 1813
 key cisco

aaa group server radius ISE
 server name ccnp

aaa authentication login SSH group ISE
aaa authorization exec SSH group ISE

line vty 0 98
 transport input ssh
 login authentication SSH
 authorization exec SSH
 session-timeout 1440
 exec-timeout 1440

Notes:
- The NOISE method list ("line none") keeps the console usable whatever happens to ISE: it tries the line password first and then falls back to no authentication at all. That is acceptable in the lab (the task requires the console not to be affected) but not in production, where the fallback should be a local user ("local") rather than "none".
- A 1024-bit RSA host key is the lab value; generate at least a 2048-bit key for SSH in production ("crypto key generate rsa modulus 2048").
- session-timeout and exec-timeout are in minutes, so 1440 is 24 hours on the router side; the matching RADIUS Idle-Timeout pushed by ISE later in this task is in seconds (86400).
- The vty method lists (SSH) have no fallback: if ISE is unreachable, SSH logins fail. Append "local" to both lists if you want a break-glass account.

Configuration on ISE

Add the NAD device:
  o Administration > Network Resources > Network Devices > Add
  o Name: DC-Router
  o IP Address: 150.1.7.163
  o RADIUS Authentication Settings > Shared Secret: cisco (must match the "key" on the router)

Add the group:
  o Administration > Identity Management > Groups > User Identity Groups > Add
  o Name: Lab_Netmetric
  o Add a description as you prefer

Add the identity:
  o Administration > Identity Management > Identities > Users > Add
  o Name: bob
  o Password Type: ad-ccnp (the password is not stored in ISE; it is validated against AD at login time)
  o User Groups: Lab_Netmetric
  o Add a description as you prefer, then check the user

Create the authentication policy:
  o Policy > Authentication > Edit > Insert new row above
  o Condition: Select Existing Condition from Library > Select Attribute > Radius:NAS-Port-Type {61} Equals Virtual
    (IOS sets NAS-Port-Type to Virtual for vty/SSH logins, which is what lets ISE tell this request apart from 802.1X or MAB)
  o Allowed Protocols: Network Access > Default Network Access
  o Identity store: All_User_ID_Stores (ad-ccnp was added to it in Lab-4.3)
  o Check the policy and save it

Create the authorization profile:
  o Policy > Policy Elements > Results > Authorization > Authorization Profiles > Add
  o Name: SSH
  o Common Tasks: tick Web Authentication (Local Web Auth). This common task makes ISE send cisco-av-pair = priv-lvl=15, which is what gives bob privilege level 15 on the router (adding Cisco:cisco-av-pair = shell:priv-lvl=15 under Advanced Attributes Settings achieves the same)
  o Advanced Attributes Settings: Radius:Idle-Timeout {28} = 86400
  o Description: Will be used for Task 4.3 for SSH
  o Save; the profile now appears under Standard Authorization Profiles

Create the authorization policy:
  o Policy > Authorization > Edit > Insert New Rule Above or Below
  o Rule Name: SSH
  o Identity Groups: User Identity Groups > Lab_Netmetric
  o Condition > Create New Condition: Radius:NAS-IP-Address Equals 150.1.7.163
  o Permissions: SSH (the authorization profile created above)
  o Save

From the Candidate-PC:
- Ping dc-router.cisco.com
- Open dc-router.cisco.com from the PuTTY profile on the desktop
- Username: bob, password: Sanfran@1234
- After login, "show privilege" on DC-Router should report level 15

ISE Live Logs from the Operations tab:
  o Operations > RADIUS > Live Logs: open the detailed report for bob's session and confirm the matched authentication and authorization rules and the SSH profile; explore it for more understanding.

LAB-4.4: - CISCO TRUSTSEC

TASK CONFIGURE CTS SXP RELATIONSHIP BETWEEN TRUSTSEC-ASA AND SW_P

- Enable the SXP service between the ASA firewall and the switch.
- The session must be authenticated with the password ccnp.
- Download the CTS PAC on the ASA for environment data from ISE:
  o Download the environment data every 1 hour
  o Re-authenticate every 4 hours
  o Device-ID password ccnpccnp
  o Encryption key ccnpccnp
  o PAC time-to-live 1 day
- The switch will receive the authentication and authorization requests.
- Configure TrustSec-ASA with the following settings:
  o Hostname: TrustSec-ASA
  o Interface mg0/0 - name mgmt - ip 150.1.7.169/24 - security-level 100
  o Interface gi0/1 - name dmz - ip 10.100.10.100/24 - security-level 50
  o Interface gi0/0 - name inside - ip 10.100.8.100/24 - security-level 100
- Configure SW_P with the following settings:
  o VLAN id (Data) - 80
  o VLAN id (Mgmt) - 1
  o Interface VLAN 80 - 10.100.8.80/24
  o Use interface Gi1/0/2

Configuration on SW_P: -

vlan 80

interface Vlan80
 ip address 10.100.8.80 255.255.255.0
 no shutdown

interface GigabitEthernet1/0/2
 switchport mode trunk
 no shutdown

cts sxp enable
cts sxp default source-ip 10.100.8.80
cts sxp default password ccnp
cts sxp connection peer 10.100.8.100 source 10.100.8.80 password default mode peer listener

Configuration on TrustSec-ASA: -

hostname TrustSec-ASA

interface Management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 150.1.7.169 255.255.255.0
 no shutdown

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.100.8.100 255.255.255.0
 no shutdown

interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.100.10.100 255.255.255.0
 no shutdown

cts sxp enable
cts sxp default source-ip 10.100.8.100
cts sxp default password ccnp
cts sxp connection peer 10.100.8.80 source 10.100.8.100 password default mode peer speaker

Note on the roles: "mode peer speaker" on the ASA declares the peer (the switch) as the speaker, so the ASA is the listener; "mode peer listener" on the switch declares the ASA as the listener. The switch therefore pushes its IP-to-SGT bindings to the firewall, which is the usual direction (the ASA only consumes bindings). SXP protects the TCP session with the MD5 signature option (RFC 2385) keyed with the password; "ccnp" is a lab value, use a long random key in production. The environment-data refresh interval and the re-authentication timer requested in the task are not ASA commands: they are set per NAD in ISE under Advanced TrustSec Settings, together with the PAC lifetime.

Verification:-

TrustSec-ASA# ping 150.1.7.189
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.7.189, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

TrustSec-ASA# ping 10.100.8.80
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.8.80, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms

TrustSec-ASA# show cts sxp connections brief

 SXP                                   : Enabled
 Highest version                       : 3
 Default password                      : Set
 Default local IP                      : 10.100.8.100
 Reconcile period                      : 120 secs
 Retry open period                     : 120 secs
 Retry open timer                      : Running
 Total number of SXP connections       : 1
 Total number of SXP connections shown : 1
---------------------------------------------------------------------------------------
Peer IP          Local IP         Conn Status    Duration (dd:hr:mm:sec)
---------------------------------------------------------------------------------------
10.100.8.80      10.100.8.100     On             0:00:00:19

"Conn Status: On" is the proof that the TCP/MD5 session came up with the shared password; with a password mismatch the connection never reaches On and the retry open timer keeps running.

Add the NAD in Cisco ISE and generate the PAC file. Once done, download the PAC file to TrustSec-ASA.

Add the NAD device:
  o Go to Administration > Network Resources > Network Devices
  o Click on Add
  o Name: TrustSec-ASA
  o IP: 150.1.7.169
  o RADIUS Authentication Settings > Shared Secret: ccnpccnp

Step 3 :- Tick Advanced TrustSec Settings and enter the Device ID (TrustSec-ASA) and the password ccnpccnp; in the same section set the environment data download to 1 hour and re-authentication to 4 hours, as required by the task.

Step 4 :- Generate the PAC with the encryption key ccnpccnp.

Step 5 :- Fill in the required fields (identity TrustSec-ASA, PAC time-to-live 1 day).

Step 6 :- The PAC file is saved by your browser.

Step 7 :- Make sure you Submit the NAD device, otherwise the TrustSec settings are not stored.

Step 8 :- Once the PAC is downloaded, put it into the C:\TFTP-Root folder on the Candidate-PC. Delete any previous PAC file there first, then copy in the new one downloaded from the browser.

Step 9 :- Make sure the TFTP server is running and, before importing the PAC, check connectivity with a ping from the Candidate-PC to 150.1.7.169.

Step 11 :- Configure the firewall with the RADIUS commands

aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.189
 key cisco
cts server-group ISE

Check: the "key" here is the RADIUS shared secret and must be identical to the Shared Secret entered for TrustSec-ASA in ISE. This page shows ccnpccnp on the ISE side and cisco on the ASA side; pick one value and use it on both ends, otherwise ISE discards the ASA's requests and the environment-data download fails. The Device-ID password (ccnpccnp) is a separate credential used for PAC provisioning.

Step 12 :- Import the PAC file on the ASA

TrustSec-ASA# copy tftp://150.1.7.20/TrustSec-ASA.pac flash:
Address or name of remote host [150.1.7.20]?
Source filename [TrustSec-ASA.pac]?
Destination filename [TrustSec-ASA.pac]?
Accessing tftp://150.1.7.20/TrustSec-ASA.pac...!!!
Writing file disk0:/TrustSec-ASA.pac...
!
360 bytes copied in 0.170 secs

The copied file still has to be decrypted into the configuration with the encryption key chosen in Step 4:

TrustSec-ASA# cts import-pac disk0:/TrustSec-ASA.pac password ccnpccnp

TrustSec-ASA# show cts pac

PAC-Info:
  Valid until: May 27 2019 19:37:12
  AID: 7e556b3865dc073012f8d9ce8e29514c
  I-ID: TrustSec-ASA
  A-ID-Info: ISE
  PAC-type: Cisco Trustsec
PAC-Opaque:
  000200b800030001000400107e556b3865dc073012f8d9ce8e29514c0006009c00030
  100410404a4c36b74fead87b867cfa77d38000000135ce2a26f00093a80e5b06361d8d
  f9613bf15b1d1b526cdb2df15c8ea18a6cc3eee42fc1df762054e15925fcb31319e3694
  eb10bf0db93e772f225e884b74412afd550e6d74c39cb0a8ad6b10137d08aa1df33594
  b0903958f7450a937a77fc5286eb0005ef613be81ce01d459766939922b07e469af0dd
  06b104d754e13d3a2244fd1508

WARNING: The PAC will expire in less than 7 days

TrustSec-ASA# show cts environment-data

CTS Environment Data
=====================================================
Status                    : Active
Last download attempt     : Successful
Environment Data Lifetime : 86400 secs
Last update time          : 15:53:51 UTC May 27 2019
Env-data expires in       : 0:23:59:50 (dd:hr:mm:sec)
Env-data refreshes in     : 0:23:49:50 (dd:hr:mm:sec)

The expiry warning is expected, because the task asked for a one-day PAC lifetime. "Last download attempt: Successful" is the line that matters: it confirms that both the PAC and the RADIUS shared secret are accepted by ISE.

Step 13 :- If the import does not work from the CLI, use ASDM to import the PAC:
  o Go to Configuration (top left)
  o Click Firewall (bottom left)
  o Click Identity by TrustSec
  o Import PAC

LAB-4.5: - CONFIGURE ISE FOR MAB

TASK CONFIGURE MAC AUTHENTICATION BYPASS ON SWITCH AND USE ISE AS AUTHENTICATION SERVER

- Authenticate the MAB-PC (Windows 7 host) by its MAC address on SW_P port Gi2/0/47, in the endpoint group "NetMetric-Workstation".
- Configure SW_P to authenticate the MAB-PC on its MAC address.
- Enable RADIUS authentication, authorization and accounting.
- Use ISE ports UDP 1812/1813 with the secret key "cisco"; name the RADIUS server "ccnp" and the server group "ISE".
- Source the RADIUS packets from the VLAN 1 interface.
- Add SW_P as a NAD device in ISE.
- Create the authentication policy for "wired_mab" and allow only the PEAP protocol.
- After authentication, the MAB-PC must get an IP address from the DHCP pool named "DATA" on SW_P, in the VLAN 80 network.
- Make sure your AAA implementation does not affect the console of SW_P.

Caveat on the "PEAP only" requirement: MAB is not an EAP method. The switch sends the MAC address as User-Name and User-Password in a plain RADIUS Access-Request (Service-Type Call-Check), so the allowed-protocols set used by the MAB rule must have "Process Host Lookup" enabled and PAP/ASCII allowed; PEAP only matters for 802.1X supplicants. The walkthrough below therefore uses the Default Network Access set, which has both.

Configuration on SW_P: -

Step 1 :- Configure SW_P for the AAA commands and the dot1x/MAB configuration

vlan 80

interface Vlan80
 ip address 10.100.8.80 255.255.255.0
 no shutdown

ip dhcp excluded-address 10.100.8.100
ip dhcp excluded-address 10.100.8.80
ip dhcp pool DATA
 network 10.100.8.0 255.255.255.0
 default-router 10.100.8.100

aaa new-model
aaa authentication login NOISE line none
line console 0
 login authentication NOISE

radius server ccnp
 address ipv4 150.1.7.189 auth-port 1812 acct-port 1813
 key cisco

aaa group server radius ISE
 server name ccnp

ip radius source-interface Vlan1

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication

ip routing
ip device tracking
dot1x system-auth-control

interface GigabitEthernet2/0/47
 switchport access vlan 80
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 no shutdown

Notes:
- The pool is named DATA: IOS pool names are case-sensitive and the task asks for "DATA".
- The source-interface command is "ip radius source-interface Vlan1"; the NAD entry for SW_P in ISE must use the VLAN 1 address of the switch as the device IP, otherwise ISE does not recognise the requests. The same address is used for the NAS-IP-Address condition in the next lab.
- "aaa authorization network default group ISE" is what lets the switch apply the VLAN and dACL that ISE pushes in Lab-4.6; without it the Access-Accept attributes are ignored.
- The console keeps the NOISE method list (line password, then none), so the console is unaffected even if ISE is unreachable.
- "ip device tracking" is required so that the switch learns the client's IP address and can apply the downloadable ACL to it.

---------------------------------------------------------------------------------------------------------------

MAB-PC – Check the MAC address of the MAB-PC: 00-50-56-AF-47-0E (ipconfig /all on the Windows host)

---------------------------------------------------------------------------------------------------------------

Configuration on ISE

Add the endpoint and its group:
  o Administration > Identity Management > Groups > Endpoint Identity Groups > Add: NetMetric-Workstation
  o Administration > Identity Management > Identities > Endpoints > Add: MAC address 00:50:56:AF:47:0E, Identity Group Assignment NetMetric-Workstation
  o Click on the MAC address and Edit if you need to change the group afterwards

Add the NAD device:
  o Administration > Network Resources > Network Devices > Add: Name SW_P, IP address of the switch's VLAN 1 interface, RADIUS Shared Secret cisco

Create the authentication policy:
  o Policy > Authentication > Edit > Insert new row
  o Condition: Select Existing Condition from Library > Compound Condition > Wired_MAB (this matches Radius:Service-Type Equals Call Check AND Radius:NAS-Port-Type Equals Ethernet, which is exactly what the switch sends for MAB)
  o Allowed Protocols: Network Access > Default Network Access
  o Identity store: Internal Endpoints
  o Save

On the MAB-PC, disable and re-enable the NIC adapter so that the switch starts a new MAB session.

Then go to ISE > Operations > RADIUS > Live Logs and open the detailed report for the session: the endpoint must show as authenticated against Internal Endpoints by the Wired_MAB rule.

SW2_P#show authentication sessions
Interface    MAC Address      Method   Domain   Status   Fg   Session ID
Gi2/0/47     0050.56af.470e   mab      DATA     Auth          960107A200000FB967A7ABAE

Session count = 1

Key to Session Events Blocked Status Flags:
  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

SW2_P#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type        State     Interface
                Hardware address/
                User name
10.100.8.1      0100.5056.af47.0e       May 22 2019 06:09 AM    Automatic   Active    Vlan80

SW2_P#show ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------------------------------
  IP Address    MAC Address     Vlan  Interface              Probe-Timeout  State    Source
-----------------------------------------------------------------------------------------------
  10.100.8.1    0050.56af.470e  80    GigabitEthernet2/0/47  30             ACTIVE   ARP

Total number interfaces enabled: 1
Enabled interfaces:
  Gi2/0/47
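Lab-4.4 and Lab-4.5 both hinge on which attributes the NAD puts into its RADIUS Access-Request, because those attributes are all that the ISE conditions (Radius:NAS-Port-Type {61} Equals Virtual for the SSH rule, the Wired_MAB compound condition for MAB) can see. The following is an added example, not part of the lab guide, that builds both requests offline, exactly as DC-Router and SW_P send them, decodes them the way ISE evaluates its rules, and shows what a shared-secret mismatch does to the Message-Authenticator check. User-Password hiding follows RFC 2865 section 5.2 and Message-Authenticator follows RFC 2869; nothing is sent on the network. The SW_P address 150.1.7.180 used in the usage below is an assumption, since the lab does not give the switch's VLAN 1 address; the user, password, MAC and router address are the lab's.

```python
"""RADIUS Access-Requests as DC-Router (SSH, Lab-4.4) and SW_P (MAB, Lab-4.5) send them to ISE.

Added example, not part of the lab. Builds both requests offline and decodes them the way
ISE evaluates its conditions. User-Password hiding is RFC 2865 5.2, Message-Authenticator is
RFC 2869 (HMAC-MD5). Nothing is sent on the network. The SW_P address 150.1.7.180 is an
assumption: the lab does not give the switch's VLAN 1 address.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
# Attribute type codes (RFC 2865/2869); the numbers in braces in the ISE condition editor.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 31, 61, 80
SERVICE_LOGIN, SERVICE_CALL_CHECK = 1, 10   # Service-Type values
PORT_VIRTUAL, PORT_ETHERNET = 5, 15         # NAS-Port-Type values


def _hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of _hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, authenticator, attrs):
    """Serialise; Message-Authenticator is the last AVP, computed over the packet with it zeroed."""
    body = b"".join(_avp(t, v) for t, v in attrs) + _avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    return header + body[:-16] + hmac.new(secret, header + body, hashlib.md5).digest()


def parse_packet(packet):
    """Return (code, id, request-authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            break   # malformed AVP; a real server discards the packet
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs


def verify_message_authenticator(packet, secret):
    """Recompute HMAC-MD5 with the attribute zeroed; False if absent or the secret differs."""
    pos, length = 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(attr_len, 2)
    return False


def ssh_login_request(secret, username, password, nas_ip, ident=1, authenticator=None):
    """What DC-Router sends for 'login authentication SSH' on a vty line."""
    ra = authenticator or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, _hide_password(password.encode(), secret, ra)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             (SERVICE_TYPE, struct.pack("!I", SERVICE_LOGIN)),
             (NAS_PORT_TYPE, struct.pack("!I", PORT_VIRTUAL))]   # vty -> Virtual (5)
    return build_access_request(secret, ident, ra, attrs)


def mab_request(secret, mac, nas_ip, ident=2, authenticator=None):
    """What SW_P sends for MAB: the MAC address is both User-Name and User-Password."""
    ra = authenticator or os.urandom(16)
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    dashed = "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))  # 00-50-56-AF-47-0E, as in 'show authentication sessions ... details'
    attrs = [(USER_NAME, dashed.encode()),
             (USER_PASSWORD, _hide_password(dashed.encode(), secret, ra)),
             (CALLING_STATION_ID, dashed.encode()),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             (SERVICE_TYPE, struct.pack("!I", SERVICE_CALL_CHECK)),   # Call-Check (10)
             (NAS_PORT_TYPE, struct.pack("!I", PORT_ETHERNET))]       # Ethernet (15)
    return build_access_request(secret, ident, ra, attrs)


def classify(packet, secret):
    """Mirror the two ISE authentication rules of these labs."""
    if not verify_message_authenticator(packet, secret):
        return "drop: bad Message-Authenticator (shared secret mismatch?)"
    attrs = dict(parse_packet(packet)[3])

    def as_int(attr_type):
        return struct.unpack("!I", attrs[attr_type])[0] if attr_type in attrs else None

    if as_int(NAS_PORT_TYPE) == PORT_VIRTUAL:
        return "SSH"           # Radius:NAS-Port-Type {61} Equals Virtual
    if as_int(SERVICE_TYPE) == SERVICE_CALL_CHECK and as_int(NAS_PORT_TYPE) == PORT_ETHERNET:
        return "Wired_MAB"     # compound condition: Call Check AND Ethernet
    return "no rule matched"


if __name__ == "__main__":
    secret = b"cisco"
    ssh = ssh_login_request(secret, "bob", "Sanfran@1234", "150.1.7.163")
    mab = mab_request(secret, "00:50:56:af:47:0e", "150.1.7.180")   # 150.1.7.180 is assumed
    print(classify(ssh, secret), classify(mab, secret), classify(mab, b"wrong-key"))
```

classify() returns "SSH" for the router's request and "Wired_MAB" for the switch's. Decode the MAB packet and you will see why "PEAP only" cannot work for it: the credential is a 17-byte User-Password, hidden with the shared secret, not an EAP-Message. Change the secret on one side, as happens when the NAD key and the ISE shared secret differ, and the Message-Authenticator check fails: ISE then drops the request instead of answering it, which is why a key mismatch shows up on the NAD as a RADIUS timeout rather than an Access-Reject.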

LAB-4.6: - CONFIGURE ISE FOR MAB VLAN AUTHORIZATION

TASK CONFIGURE MAC AUTHENTICATION BYPASS ON SWITCH AND USE ISE AS AUTHORIZATION SERVER

- Once the MAB-PC is authenticated as in the previous lab, create an authorization profile "MAB" that places it in VLAN 80.
- ISE must authorize on the basis of the NAS-IP-Address of the switch and the proper internal endpoint group (NetMetric-Workstation).
- ISE must push a dACL permitting IP traffic from any source to any destination.

Configuration on ISE:
  o Policy > Policy Elements > Results > Authorization > Downloadable ACLs: use PERMIT_ALL_TRAFFIC ("permit ip any any"; ISE ships it by default, and its name is the one the switch reports later as xACSACLx-IP-PERMIT_ALL_TRAFFIC-...)
  o Policy > Policy Elements > Results > Authorization > Authorization Profiles > Add: Name MAB; Common Tasks: DACL Name PERMIT_ALL_TRAFFIC, VLAN ID/Name 80
  o Policy > Authorization > Insert New Rule: Rule Name MAB; Identity Groups: Endpoint Identity Groups > NetMetric-Workstation; Condition: Radius:NAS-IP-Address Equals the VLAN 1 address of SW_P; Permissions: MAB

454
CCIE SECURITY V5

455
CCIE SECURITY V5

456
CCIE SECURITY V5

457
CCIE SECURITY V5

458
CCIE SECURITY V5

459
CCIE SECURITY V5

Go to SW_P and remove the vlan and put the port in shut status

460
CCIE SECURITY V5

int gi2/0/47

no switchport access vlan 80

sh

no sh


SW2_P#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A200000FBD67C1BD8C

Session count = 1

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)

D - Awaiting Deletion

F - Final Removal in progress

I - Awaiting IIF ID allocation

N - Waiting for AAA to come up

P - Pushed Session

R - Removing User Profile (multi-line status for details)

U - Applying User Profile (multi-line status for details)

X - Unknown Blocker

SW2_P#show authentication sessions interface gigabitEthernet 2/0/47 details

Interface : GigabitEthernet2/0/47

IIF-ID : 0x1070D8000000093

MAC Address : 0050.56af.470e

IPv6 Address : Unknown

IPv4 Address : 10.100.8.1

User-Name : 00-50-56-AF-47-0E

Status : Authorized

Domain : DATA

Oper host mode : multi-auth

Oper control dir : both

Session timeout : N/A

Restart timeout : N/A

Common Session ID: 960107A200000FBD67C1BD8C

Acct Session ID : 0x00000FA3

Handle : 0x0200000D

Current Policy : POLICY_Gi2/0/47

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Security Policy : Should Secure

Security Status : Link Unsecure

Server Policies:

Vlan Group : Vlan: 80

ACS ACL : xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

Method status list:

Method State

mab Authc Success

LAB-4.7: - CONFIGURE MAB-PC TO ACCESS SERVER 3 AND SERVER 4

• Create the ISE-Router with HTTP services to access Server 3 and Server 4, and create the user/password “cisco/cisco” with privilege 15.


• Give the static route towards the next hop.

• Create Loopback 100 for Server 3 and Loopback 200 for Server 4, with IPs 192.168.1.1 and 192.168.2.2 respectively.

• Configure fa0/0 with 10.100.10.200/24.

• Configure the ASA with static routes to reach Server 3 and Server 4.

Configuration on ISE-Router

hostname ISE-Router

interface FastEthernet0/0

ip address 10.100.10.200 255.255.255.0

no sh

interface Loopback100

ip address 192.168.1.1 255.255.255.0

interface Loopback200

ip address 192.168.2.2 255.255.255.0

ip http server

ip http authentication local

ip http secure-server

username cisco privilege 15 password cisco

ip route 10.100.8.0 255.255.255.0 10.100.10.100


Configuration on TrustSec-ASA

route dmz 192.168.1.1 255.255.255.255 10.100.10.200

route dmz 192.168.2.2 255.255.255.255 10.100.10.200

Open the MAB-PC and browse to http://192.168.1.1 and http://192.168.2.2


Click on 15 under “Monitor the router”.


Repeat the same for Server 4


LAB-4.8: - CONFIGURE ISE AND ASA FOR TRUSTSEC CLASSIFICATION AND ENFORCEMENT

TASK1 CONFIGURE ISE SGT TAG

• Create the Security Group Name for the MAB-PC with the name “MAB_CCNP”.

• Assign the static Security Group Tag of 16/0016.

470
CCIE SECURITY V5


Trustsec-ASA# show cts environment-data sg-table

Security Group Table:

Valid until: 15:53:51 UTC May 28 2019

Showing 18 of 18 entries

SG Name SG Tag Type

------- ------ -------------



ANY 65535 unicast

Auditors 9 unicast

BYOD 15 unicast

Contractors 5 unicast

Developers 8 unicast

Development_Servers 12 unicast

Employees 4 unicast

Guests 6 unicast

MAB_CCNP 16 unicast

Network_Services 3 unicast

PCI_Servers 14 unicast

Point_of_Sale_Systems 10 unicast

Production_Servers 11 unicast

Production_Users 7 unicast

Quarantined_Systems 255 unicast

Test_Servers 13 unicast

TrustSec_Devices 2 unicast

Unknown 0 unicast

If the tag does not appear, refresh the environment data with this command:

Trustsec-ASA# cts refresh environment-data

TASK2 CONFIGURE ASA FOR ACL

• Create the SGFW ACL for the MAB-PC.

• Server3 192.168.1.1 should be accessible only from the security-group name MAB_CCNP for HTTP traffic on port 80.

• Create the object-group with the name MAB_CCNP.

• The name of the access-list should be server1-2.

object-group security MAB_CCNP

security-group name MAB_CCNP

access-list server3-4 extended permit tcp object-group-security MAB_CCNP 10.100.8.0 255.255.255.0 host 192.168.1.1 eq www

access-group server3-4 in interface inside

Trustsec-ASA(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list server3-4; 1 elements; name hash: 0x672bf53c

access-list server3-4 line 1 extended permit tcp object-group-security MAB_CCNP 10.100.8.0 255.255.255.0 host 192.168.1.1 eq www (hitcnt=0) 0xe5300721

access-list server3-4 line 1 extended permit tcp security-group name MAB_CCNP(tag=16) 10.100.8.0 255.255.255.0 host 192.168.1.1 eq www (hitcnt=0) 0x99daeb4c
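As an added example (not from the lab workbook), the following Python model shows how the security-group ACE above is evaluated on the ASA: a packet must match the IP and port conditions, and its source IP must also have an IP-SGT binding whose group is in the MAB_CCNP object-group; otherwise the implicit deny applies. The binding table and the unbound host are constructed from this lab's addresses, and the model generalizes to any ACE list with optional source security-group conditions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed IP-SGT binding table in the shape of "show cts sgt-map detail" on the
# Trustsec-ASA: the SXP-learned binding 10.100.8.1 -> 16:MAB_CCNP. An assumption for
# this example, not a capture from the lab.
SGT_MAP: Dict[str, Tuple[int, str]] = {"10.100.8.1": (16, "MAB_CCNP")}

# "object-group security MAB_CCNP" containing "security-group name MAB_CCNP"
OBJECT_GROUPS: Dict[str, set] = {"MAB_CCNP": {"MAB_CCNP"}}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip"
    src_sg_group: Optional[str]    # object-group-security name; None = no SGT condition
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]        # None = any destination port


# access-list server3-4 extended permit tcp object-group-security MAB_CCNP
#     10.100.8.0 255.255.255.0 host 192.168.1.1 eq www
SERVER3_4 = [
    Ace("permit", "tcp", "MAB_CCNP",
        ipaddress.ip_network("10.100.8.0/24"),
        ipaddress.ip_network("192.168.1.1/32"), 80),
]


def source_group_matches(ace: Ace, src_ip: str) -> bool:
    """A security-group ACE matches only when the source IP has an SGT binding
    whose group name is a member of the referenced object-group."""
    if ace.src_sg_group is None:
        return True
    binding = SGT_MAP.get(src_ip)
    if binding is None:
        return False               # no binding: SGT unknown, cannot match MAB_CCNP
    _tag, group_name = binding
    return group_name in OBJECT_GROUPS[ace.src_sg_group]


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """First-match evaluation with the ASA's implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in (proto, "ip"):
            continue
        if src not in ace.src_net or dst not in ace.dst_net:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        if not source_group_matches(ace, src_ip):
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    # MAB-PC (tagged 16) to Server 3 on port 80: permitted
    print(evaluate(SERVER3_4, "10.100.8.1", "192.168.1.1", "tcp", 80))
    # Same host to Server 4: no matching ACE, implicit deny
    print(evaluate(SERVER3_4, "10.100.8.1", "192.168.2.2", "tcp", 80))
    # Host in 10.100.8.0/24 without an SGT binding (constructed 10.100.8.9): deny
    print(evaluate(SERVER3_4, "10.100.8.9", "192.168.1.1", "tcp", 80))
```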

Check

Trustsec-ASA# show cts sgt-map detail

Trustsec-ASA# show cts sgt-map brief



TASK3 CONFIGURE ISE FOR TRUSTSEC


• Call the Security Group Tag created in ISE in the authorization profile of the MAB.


SW2_P#clear authentication sessions


Be patient here; the session can take approximately 2-3 minutes to come up.

SW2_P#show authentication sessions

Interface MAC Address Method Domain Status Session ID

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A200000FC2878B25CC

SW2_P#show authentication sessions interface gi2/0/47 details

----------------------------------------

Interface : GigabitEthernet2/0/47

IIF-ID: 0x104F38000000097

MAC Address: 0050.56af.470e

IPv6 Address: Unknown

IPv4 Address: 10.100.8.1

User-Name: 00-50-56-AF-47-0E

Status: Authorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Common Session ID: 960107A200000FC2878B25CC

Acct Session ID: 0x00000FA5

Handle: 0xCA000011

Current Policy: POLICY_Gi2/0/47

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Security Policy: Should Secure

Security Status: Link Unsecure


Server Policies:

Vlan Group: Vlan: 80

ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

SGT Value: 16

Method status list:

Method State

mab Authc Success

Trustsec-ASA# show cts sgt-map brief

IP-SGT Active Bindings Summary

============================================

Total number of SXP bindings = 1

Total number of active bindings = 1

Total number of shown bindings = 1

Trustsec-ASA# show cts sgt-map detail

Active IP-SGT Bindings Information


IP Address Security Group Source

================================================================

10.100.8.1 16:MAB_CCNP SXP

IP-SGT Active Bindings Summary

============================================

Total number of SXP bindings = 1

Total number of active bindings = 1

Total number of shown bindings = 1


Trustsec-ASA# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list server1-2; 1 elements; name hash: 0x672bf53c

access-list server1-2 line 1 extended permit tcp object-group-security MAB_CCNP 10.100.8.0 255.255.255.0 host 192.168.1.1 eq www (hitcnt=8) 0xe5300721

access-list server1-2 line 1 extended permit tcp security-group name MAB_CCNP(tag=16) 10.100.8.0 255.255.255.0 host 192.168.1.1 eq www (hitcnt=8) 0x99daeb4c

Check the hit counts on the access-list.

LAB-4.9: - CONFIGURE ISE FOR DOT1X

TASK1 CONFIGURE DOT1X USER FOR AUTHENTICATION


• Authenticate the Windows Dot1x PC connected to gi2/0/47, the same port as the MAB PC.

• Configure the Dot1x PC to use the native supplicant with PEAP/MS-CHAPv2 only.

• The user name should be “dot1x_ccnp” with password Cisco123, belonging to the group “Dot1x” present in the Internal Database.

• Upon successful authentication the user and machine should get full access to the network.

• Enable 802.1x low-impact mode on the port and allow only DHCP, DNS, TFTP and ICMP traffic.

• Ensure the following order:

o 802.1x

o MAB

• The switch should time out the 802.1x authentication method after 15 seconds.

Configuration on SW_P

ip access-list extended DEFAULT

remark DHCP

permit udp any eq bootpc any eq bootps

remark DNS

permit udp any any eq domain

remark TFTP

permit udp any any eq tftp



remark PING

permit icmp any any

Check the existing configuration on port gi2/0/47:

interface GigabitEthernet2/0/47

switchport mode access

authentication host-mode multi-auth

authentication port-control auto

mab

end

Now make the necessary changes:

int gi2/0/47

ip access-group DEFAULT in

authentication open

authentication order dot1x mab

dot1x timeout tx-period 15

dot1x pae authenticator

spanning-tree portfast


Final commands on gi2/0/47

interface GigabitEthernet2/0/47

switchport mode access

ip access-group DEFAULT in

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 15

spanning-tree portfast

end


SW2_P#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A2000010158AF8B288

Gi2/0/47 0050.56af.5649 dot1x DATA Auth 960107A2000010148AF8B288

TASK2 CONFIGURE 802.1X VLAN ASSIGNMENT


• Configure ISE so that it authorizes user dot1x_ccnp into VLAN 80.

• The NAS-IP-Address should be that of the switch to which the PC is wired.

• Make sure that after the connection is established you can browse to “server2.cisco.com” but not “server1.cisco.com” from “dot1x_pc”.

• Re-authentication should happen every 6 minutes.

Current configuration on SW_P

SW2_P#show run int gi2/0/47

Building configuration...

Current configuration : 297 bytes

interface GigabitEthernet2/0/47

switchport mode access

ip access-group DEFAULT in

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 15

spanning-tree portfast

end

Add these commands on the interface:

int gi2/0/47

authentication periodic

authentication timer reauthenticate server


SW2_P(config)#int gi2/0/47

SW2_P(config-if)#shut

SW2_P#clear authentication sessions

SW2_P#clear ip dhcp binding *

SW2_P#clear ip device tracking all


interface GigabitEthernet2/0/47

switchport mode access

ip access-group DEFAULT in

shutdown

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

dot1x pae authenticator

dot1x timeout tx-period 15

spanning-tree portfast

end

SW2_P(config)#int gi2/0/47

SW2_P(config-if)#no sh


SW2_P#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi2/0/47 0000.0000.0003 N/A UNKNOWN Unauth 960107A2000010228BAAF858

Gi2/0/47 0050.56af.5649 dot1x DATA Auth 960107A2000010258BAAFF1A

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A2000010238BAAF858


SW2_P#show authentication sessions int gigabitEthernet 2/0/47 details

Interface: GigabitEthernet2/0/47

IIF-ID: 0x1035FC0000000FA

MAC Address: 0050.56af.5649

IPv6 Address: Unknown

IPv4 Address: 10.100.8.9

User-Name: dot1x_ccnp

Status: Authorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Session timeout: 360s (server), Remaining: 201s

Timeout action: Reauthenticate

Restart timeout: N/A

Common Session ID: 960107A2000010258BAAFF1A

Acct Session ID: 0x00000FCC

Handle: 0x41000074

Current Policy: POLICY_Gi2/0/47



Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Security Policy: Should Secure

Security Status: Link Unsecure

Server Policies:

Vlan Group: Vlan: 80

ACS ACL: xACSACLx-IP-Dot1x_ACL-5ced14f0

Method status list:

Method State

dot1x Authc Success
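As an added example (not part of the lab workbook) serving both the MAB session details in Lab 4.8 Task 3 and the dot1x session details above, this Python script parses the details output and checks that the policy ISE pushed (VLAN, dACL, SGT, 6-minute re-authentication timer) is what the task asked for. The two sample outputs are constructed from this lab's values and trimmed to the fields the check uses.

```python
import re
from typing import Dict, List, Optional

# Constructed samples in the shape of "show authentication sessions interface ... details"
# from this lab (dot1x_ccnp and MAB-PC sessions on Gi2/0/47), trimmed to the fields used
# and showing both spacing styles IOS prints. Assumptions for this example, not captures.
DOT1X_SAMPLE = """\
IPv4 Address: 10.100.8.9
User-Name: dot1x_ccnp
Status: Authorized
Session timeout: 360s (server), Remaining: 201s
Timeout action: Reauthenticate
Server Policies:
Vlan Group: Vlan: 80
ACS ACL: xACSACLx-IP-Dot1x_ACL-5ced14f0
Method State
dot1x Authc Success
"""

MAB_SAMPLE = """\
User-Name : 00-50-56-AF-47-0E
Status : Authorized
Session timeout : N/A
Server Policies:
Vlan Group : Vlan: 80
ACS ACL : xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910
SGT Value : 16
mab Authc Success
"""


def parse_session(text: str) -> Dict[str, str]:
    """Split each 'key : value' line at its first colon; skip table rows without one."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def session_timeout_seconds(fields: Dict[str, str]) -> Optional[int]:
    """'360s (server), Remaining: 201s' -> 360; 'N/A' -> None."""
    m = re.match(r"(\d+)s", fields.get("Session timeout", ""))
    return int(m.group(1)) if m else None


def check_authorization(fields: Dict[str, str], expected_vlan: int,
                        expected_sgt: Optional[int] = None,
                        reauth_minutes: Optional[int] = None) -> List[str]:
    """Return findings where the pushed policy differs from what ISE should have sent."""
    findings: List[str] = []
    if fields.get("Status") != "Authorized":
        findings.append("session not authorized")
    # "Vlan Group: Vlan: 80" parses to value "Vlan: 80"; keep only the number
    vlan = fields.get("Vlan Group", "").replace("Vlan:", "").strip()
    if vlan != str(expected_vlan):
        findings.append(f"vlan {vlan or 'none'} != {expected_vlan}")
    if expected_sgt is not None and fields.get("SGT Value") != str(expected_sgt):
        findings.append(f"sgt {fields.get('SGT Value', 'none')} != {expected_sgt}")
    if "ACS ACL" not in fields:
        findings.append("no dACL pushed")
    if reauth_minutes is not None:
        timeout = session_timeout_seconds(fields)
        if timeout != reauth_minutes * 60:
            findings.append(f"reauth timer {timeout} != {reauth_minutes * 60}s")
    return findings


if __name__ == "__main__":
    print(check_authorization(parse_session(DOT1X_SAMPLE), 80, reauth_minutes=6))  # []
    print(check_authorization(parse_session(MAB_SAMPLE), 80, expected_sgt=16))     # []
```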

On the Trustsec-ASA, make sure there is also an ACL entry permitting the web traffic (TCP port 80 from any source to any destination), since the dot1x PC has no security-group binding and so does not match the MAB_CCNP entry:

Trustsec-ASA(config)# access-list server1-2 extended permit tcp any any eq www

Trustsec-ASA# show run access-list

access-list server1-2 extended permit tcp object-group-security MAB_CCNP 10.100.8.0 255.255.255.0 host 192.168.1.1 eq www

access-list server1-2 extended permit tcp any any eq www


Trustsec-ASA# show run access-group

access-group server1-2 in interface inside

From the Dot1x PC


LAB-4.10: - CONFIGURE WLC WITH AP


TASK1 CONFIGURE ACCESS POINT WITH THE STATIC IP

• Configure the Cisco Access Point with the CAPWAP protocol:

o Hostname : ccnpap
o IP : 10.100.202.100
o Default Gateway : 10.100.202.1
o Primary Controller : ccnp_wlc
o Controller IP : 10.100.202.1
o Username : cisco
o Password : Cisco
o Enable Password : Cisco

capwap ap controller ip address 10.100.202.1

capwap ap hostname ccnpap

capwap ap ip address 10.100.202.100 255.255.255.0

capwap ap ip default-gateway 10.100.202.1

capwap ap primary-base ccnp_wlc 10.100.202.1

ccnpap#show capwap ip config

LWAPP Static IP Configuration

IP Address 10.100.202.100

IP netmask 255.255.255.0

Default Gateway 10.100.202.1

Primary Controller 10.100.202.1

TASK2 CONFIGURE SWITCH FOR AP



• Configure the switch for the AP on port gi2/0/7:

o Vlan : 202
o Interface : gi2/0/7
o Mode : Access
o Int vlan : 10.100.202.11/24

Create the Vlan

vlan 202

!Create the SVI

int vlan 202

ip add 10.100.202.11 255.255.255.0

no sh

Configure Port 2/0/7

int gi2/0/7

sw mode access

sw access vlan 202

no sh

SW2_P#show ip int br

Interface IP-Address OK? Method Status Protocol

Vlan1 150.1.7.162 YES manual up up

Vlan80 10.100.8.80 YES manual up up

Vlan202 10.100.202.22 YES manual up up



SW2_P#ping 10.100.202.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.100.202.100, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

If the ping does not work, go back to the AP and check that it is up and running, not still in the boot phase.

TASK3 CONFIGURE WLC


• Re-initialize the WLC if required by using the Recover-Config command from the CLI.

Initialize the WLC based on the following parameters:

o Hostname : WLC
o Admin Username : admin
o Admin Password : Sanfran@1234
o Service Interface IP Address : 150.1.7.168
o Subnet Mask : 255.255.255.0
o Management Interface IP Address : 10.100.202.1
o Default Gateway : 10.100.202.22
o Management VLAN : 202
o Management DHCP Server : 10.100.202.22
o Virtual-IP : 1.1.1.1
o Mobility Group : Netmetric_Group
o Network Name (SSID) : ccnp
o DHCP Bridging Mode : No
o Allow Static IP : Yes
o Radius Server : No
o Country : US
o Radio : Enable all Radio
o Auto RF : Yes
o NTP Server : Yes - 150.1.7.164
o Polling interval : 3600


Open the WLCv console from the vSphere client.

Log in to the WLC with the username and password mentioned in the reference sheet.

Reset the controller with the command reset, hit Enter and then type system. Alternatively, the single command reset system can be given.

Once done, the system will reboot; once the WLCv is up, give the username as Recover-Config.

Once the system comes up again after the reboot, start giving the details from the task.

Ignore the messages coming in between. Give the system name as WLC.


Provide the username and password

Give the service interface detail

Give the management interface detail

Configure the remaining options as per the task

Configure the Radio related stuff and NTP


Save the configuration at the end and skip the IPv6 configuration.

Configure the WLC so that we can access the GUI of the WLC:

(Cisco Controller) >config network webmode enable

(Cisco Controller) >config network secureweb enable


Restart the WLC after giving these commands.


Click on Advanced, in the right corner.



We will see the main login page of the WLC controller.


TASK3 AUTHENTICATE THE AP WITH ISE WITH MAB


• Authenticate the AP with ISE and have ISE assign access VLAN 202.
• Use the MAC address of the AP for MAB authentication.
• Enable Cisco AP profiling in ISE.

Check the mac address of the AP from the switch

SW_P#show mac address-table dynamic interface gi2/0/7

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports


---- --------------------- ---------- -----

202 c89c.1d1b.0bba DYNAMIC Gi2/0/7

Total Mac Addresses for this criterion: 1


interface GigabitEthernet2/0/7

switchport access vlan 202

switchport mode access

end

Remove the access VLAN 202 and add the MAB commands on the interface:

interface GigabitEthernet2/0/7

switchport mode access


authentication port-control auto

mab

end

After giving the commands on the switch, be patient; the AP takes a while to come up.

Go to ISE again.


Once done, go back to the switch and bounce the interface gi2/0/7. Then check the authentication sessions:

SW_P#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi2/0/7 c89c.1d1b.0bba mab DATA Auth 960107A200000FEE3DDA0FE2

Gi2/0/47 0050.56af.5649 dot1x DATA Auth 960107A200000FEA3D01EFC2

Gi2/0/47 0050.56af.470e mab DATA Auth 960107A200000FEB3D021ABA



SW_P#show authentication sessions interface gigabitEthernet 2/0/7 details

Interface: GigabitEthernet2/0/7

IIF-ID: 0x1041B00000000C1

MAC Address: c89c.1d1b.0bba

IPv6 Address: Unknown

IPv4 Address: 10.100.202.100

User-Name: C8-9C-1D-1B-0B-BA

Status: Authorized

Domain: DATA

Oper host mode: single-host

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Common Session ID: 960107A200000FEF3DE2AB66

Acct Session ID: 0x00000FC5

Handle: 0xD2000036

Current Policy: POLICY_Gi2/0/7

Local Policies:

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Security Policy: Should Secure



Security Status: Link Unsecure

Server Policies:

Vlan Group: Vlan: 202

ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

Method status list:

Method State

mab Authc Success

LAB-4.11: - CISCO ANYCONNECT WITH IKEV2

TASK1 PERFORM ANYCONNECT CLIENTBASED VPN

• Configure ASA1 with the IP addresses and nameif values mentioned in the above diagram.

• Use EIGRP as the routing protocol between ASA1 and DC-Router and advertise the 10.1.10.0/24 network with AS 1.

• Your configuration should meet the following requirements on ASA1V:

• The tunnel should only secure traffic for server1 and server2.

• The client address pool should be 172.16.1.1-172.16.1.20/24.

• The session tunnel should remain connected for 24 hours even without any activity.

• The connection profile name should be “CP”.

• The group alias for the session should be “CP”.

• The trustpoint for the implementation should be named “trust”, using the RSA key pair “ccnp”.

• The ASA should authenticate the session against the RADIUS server ISE (150.1.7.189) with the credentials username bob, password Sanfran@1234.

• Use the Firefox browser to test your connectivity with server1 and server2. Any information not provided for this task can be assumed by the candidate.

• For the detailed solution please refer to the “avi” file uploaded on the resource portal.


Section 5 – WSA

GOAL OF THE LAB

The Web Security Appliance is a robust, secure, efficient device that protects corporate networks against web-based malware and spyware programs that can compromise corporate security and expose intellectual property. The Web Security Appliance includes protection for standard communication protocols, such as HTTP, HTTPS, and FTP.

LAB-5.1: - WSA BOOTSTRAPPING

TASK1 PERFORM WSA INITIAL CONFIGURATION CLI

• Configure the WSA installation and bootstrapping. Provide the following information during the installation process.
o Username/Password :- Admin/ironport
o Hostname :- WSA.cisco.com
o Interface :- M1
o IP :- 150.1.7.188/24
o Management Access :- HTTP/8081, HTTPS/8443, SSH/22, FTP/21
o Gateway :- 150.1.7.1

• For the detailed solution please refer to the “avi” file uploaded on the resource portal.

TASK2 PERFORM WSA INITIAL CONFIGURATION GUI


• Configure the WSA initial setup wizard from the GUI. Provide the following information during the installation process.
o DNS :- 150.1.7.164
o NTP server :- 150.1.7.164
o Upstream Proxy :- Not available
o Network interface :- M1 (already configured)
o Default Gateway :- Already configured (150.1.7.1)
o Transparent Setting :- Leave blank; will be done in a later task
o Administrator Password :- Sanfran@1234
o Email Alert :- admin@cisco.com
o Security Settings :- Leave all options at default

• For the detailed solution please refer to the “avi” file uploaded on the resource portal.

LAB-5.2: - WSA INTEGRATION WITH AD


• Create an NTLMSSP type of connection between the WSA and AD. Use the domain controller IP 150.1.7.164 and the user credentials “administrator/Sanfran@1234”.

• Make sure the FQDNs of all the hosts in cisco.com are resolved using the DNS server 150.1.7.164.

• For the detailed solution please refer to the “avi” file uploaded on the resource portal.

LAB-5.3: - WCCP CONFIGURATION ON THE ROUTER AND WSA

LAB-5.4: - CREATING URL LIST FOR ALLOWING AND BLOCKING TRAFFIC

LAB-5.5: - CREATE THE QUOTA BASED POLICIES

LAB-5.6: - CREATING THE IDENTIFICATION PROFILE FOR ALLOWING MOZILLA FIREFOX

LAB-5.7: - CREATING THE IDENTIFICATION PROFILE FOR BLOCKING INTERNET EXPLORER

LAB-5.8: - ACCESS POLICIES ON WSA


Section 6 – StealthWatch

LAB-6.1: - SETUP THE STEALTHWATCH APPLIANCE TOOL

LAB-6.2: - SETUP STEALTHWATCH MANAGEMENT CONSOLE

LAB-6.3: - SETUP STEALTHWATCH FLOW COLLECTOR

LAB-6.4: - ADDING FLOW COLLECTOR TO SMC

LAB-6.5: - CONFIGURING NETFLOW ON ROUTER, SWITCH, ASA

LAB-6.6: - ORGANIZING HOST AND HOST GROUPS

LAB-6.7: - ANALYZING THE FLOWS


LAB-6.8: - CREATING CUSTOM POLICIES

LAB-6.9: - SETUP STEALTHWATCH FLOW COLLECTOR

LAB-6.10: - CONFIGURING BACKUP
