1. ASA1 and ASA2 will be assigned the following interfaces. ASA1 should be the primary unit and ASA2 the secondary unit.
Route Table
Interface Network Next Hop
Inside 7.7.0.0/16 7.7.2.1
Inside 10.4.4.0/24 7.7.2.1
Inside 10.44.44.0/24 7.7.2.1
Inside 150.1.7.0/24 7.7.2.1
Dmz 19.19.6.0/24 19.19.3.1
Dmz 172.16.120.0/24 19.19.3.1
Dmz 172.16.110.0/24 19.19.3.1
Outside 19.19.7.0/24 19.19.4.2
Outside 19.19.19.0/24 19.19.4.2
Page | 1
LAB 6
ASA1
interface GigabitEthernet0
nameif inside
security-level 100
ip address 7.7.2.10 255.255.255.0 standby 7.7.2.11
!
interface GigabitEthernet1
nameif dmz
security-level 50
ip address 19.19.3.10 255.255.255.0 standby 19.19.3.11
!
interface GigabitEthernet2
nameif outside
security-level 0
ip address 19.19.4.10 255.255.255.0 standby 19.19.4.11
!
failover
failover lan unit primary
! the failover link uses the same slotless naming as the data interfaces above (GigabitEthernet3, as on ASA2)
failover lan interface fover GigabitEthernet3
failover key 12345
failover link fover GigabitEthernet3
failover interface ip fover 7.7.56.10 255.255.255.0 standby 7.7.56.11
!
route inside 7.7.0.0 255.255.0.0 7.7.2.1 1
route inside 10.4.4.0 255.255.255.0 7.7.2.1 1
route inside 10.44.44.0 255.255.255.0 7.7.2.1 1
route dmz 19.19.6.0 255.255.255.0 19.19.3.1 1
route outside 19.19.7.0 255.255.255.0 19.19.4.2 1
route outside 19.19.19.0 255.255.255.0 19.19.4.2 1
route inside 150.1.7.0 255.255.255.0 7.7.2.1 1
route dmz 172.16.110.0 255.255.255.0 19.19.3.1 1
route dmz 172.16.120.0 255.255.255.0 19.19.3.1 1
On ASA2
!
failover
failover lan unit secondary
failover lan interface fover GigabitEthernet3
! the failover key must match the one configured on the primary unit
failover key 12345
failover link fover GigabitEthernet3
failover interface ip fover 7.7.56.10 255.255.255.0 standby 7.7.56.11
For Verification:
ASA1#ping inside 7.7.2.1
ASA1#ping dmz 19.19.3.1
ASA1#ping outside 19.19.4.2
Initialize ASA3
ASA3 must be configured as a multi-context firewall. Use the following outputs to complete the initial configuration.
ASA3/C1
Interface   Network        Next Hop
inside      4.4.4.0/24     19.19.5.2   (configure a static route)
inside      19.19.4.0/24   19.19.5.2   (configure a static route)
outside     19.19.0.0/16   19.19.7.2
ASA3/C2
Interface   Network          Next Hop
inside      (configure a static route for)   19.19.6.2
outside     1.1.1.0/24       19.19.8.2
outside     106.10.6.0/24    19.19.8.2
outside     19.19.0.0/16     19.19.8.2
On ASA3
mode multiple
mac-address auto
! bring up the physical ports from the system execution space
interface GigabitEthernet0/0-4
no shutdown
! context names are case-sensitive, so the admin context is named consistently
admin-context admin
context admin
config-url disk0:/Admin.cfg
allocate-interface Management0/0
context C1
config-url disk0:/c1.cfg
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
context C2
config-url disk0:/c2.cfg
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
C1 Context
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 19.19.5.10 255.255.255.0
no shut
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 19.19.7.10 255.255.255.0
no shut
C2 Context
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 19.19.6.10 255.255.255.0
no shut
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 19.19.8.10 255.255.255.0
no shut
Configure ASA1 with network object NAT rules by completing the tasks outlined below.
ASA1 will translate the following IP addresses:
Inside Address   Outside Address
7.7.22.4         4.4.4.4
7.7.23.0/24      19.19.4.15 - 19.19.4.19
Inside Address   DMZ Address
7.7.2.1          1.1.1.1
150.1.7.4        150.1.7.4
NOTE: You may use the "packet-tracer input" command to check the translation rules.
On ASA1
object network obj7.7.22.4
host 7.7.22.4
nat (inside,outside) static 4.4.4.4
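The workbook shows only the first of the four translations in the table. The remaining three, written out here as an added example (not the workbook's own solution; the object names OUT-POOL, obj-7.7.23.0, obj-7.7.2.1 and obj-150.1.7.4 are assumed):

```cisco
! 7.7.23.0/24 -> dynamic NAT into the outside pool 19.19.4.15-19.19.4.19
object network OUT-POOL
 range 19.19.4.15 19.19.4.19
object network obj-7.7.23.0
 subnet 7.7.23.0 255.255.255.0
 nat (inside,outside) dynamic OUT-POOL
!
! 7.7.2.1 appears as 1.1.1.1 when seen from the DMZ
object network obj-7.7.2.1
 host 7.7.2.1
 nat (inside,dmz) static 1.1.1.1
!
! 150.1.7.4 keeps its own address towards the DMZ (identity NAT)
object network obj-150.1.7.4
 host 150.1.7.4
 nat (inside,dmz) static 150.1.7.4
!
! check the resulting rule order and hit counts
! show nat detail
```

A five-address dynamic pool is exhausted after five concurrent hosts; appending the keyword interface to the dynamic rule (nat (inside,outside) dynamic OUT-POOL interface) falls back to PAT on the outside address when that happens.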
VERIFICATIONS:
packet-tracer input inside tcp 7.7.22.4 23 19.19.4.2 80
packet-tracer input inside tcp 7.7.2.1 23 19.19.3.1 80
packet-tracer input inside tcp 150.1.7.4 23 19.19.6.1 80
packet-tracer input inside tcp 7.7.23.1 23 19.19.4.2 80
Configure ASA4 with a redundant interface between Gi0/1 and Gi0/3 using the name 'redundant1' and between Gi0/0 and Gi0/2 using the name 'redundant2'.
Interface    Nameif    Members
Redundant1   outside   Gi0/1, Gi0/3
Redundant2   inside    Gi0/0, Gi0/2
NOTE: ASA4 is preconfigured for transparent mode, which must not be changed during the implementation of this task.
Solution
On ASA4
! a physical port cannot join a redundant pair while it still carries a nameif,
! so the existing names are removed from Gi0/0 (inside) and Gi0/1 (outside) first
interface GigabitEthernet0/0
no nameif
!
interface GigabitEthernet0/1
no nameif
!
interface Redundant1
nameif outside
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/3
!
interface Redundant2
nameif inside
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/2
!
! select the active member of each pair (privileged EXEC command)
redundant-interface redundant 1 active-member gigabitethernet 0/1
redundant-interface redundant 2 active-member gigabitethernet 0/0
Ensure that ICMP and HTTP are inspected (allowed) from outside to inside and that ICMP and UDP are inspected (allowed) from inside to outside.
NOTE: Any traffic that is not inspected in this task should be dropped by the firewall, and information about the dropped traffic should be logged on the console.
Verify it using the following commands.
SW1# ping 150.1.7.20 source 7.7.23.4
SW1# ping 7.7.23.6 source 150.1.7.1
Solution:
On R4
class-map type inspect match-any OutIn
 match protocol icmp
 match protocol http
class-map type inspect match-any InOut
 match protocol icmp
 match protocol udp
!
policy-map type inspect InOut
 class type inspect InOut
  inspect
 class class-default
  drop log
policy-map type inspect OutIn
 class type inspect OutIn
  inspect
 class class-default
  drop log
!
zone security Inside
zone security Outside
! each policy must be bound to a zone pair, otherwise it never takes effect
! (the zone-pair names In-Out and Out-In are chosen here)
zone-pair security In-Out source Inside destination Outside
 service-policy type inspect InOut
zone-pair security Out-In source Outside destination Inside
 service-policy type inspect OutIn
! the R4 interfaces facing each side are not named in the task; each one needs
!  interface <interface>
!   zone-member security Inside   (or Outside)
You are unable to open an HTTP connection from Test-PC to a web server that runs on SW6 at port 19000. Fix the issue so that you are able to open an HTTP connection from Test-PC using the URL http://7.7.22.6:19000.
Username: ccie
Password: ccie
Solution:
On R4
On SW6:
ip http port 19000
On SW1
interface Fa1/0/3
 switchport access vlan 150
On ASA1
access-list dmz permit tcp host 19.19.3.55 host 7.7.2.6 eq 19000
access-group dmz in interface dmz
For Verification:
On Test-PC
http://7.7.22.6:19000
Note: sometimes the HTTP port on the switch is preconfigured with the wrong port number, so check it and set it to the correct port (19000).
Ensure that you are able to make a secure web (HTTPS) connection from Test-PC to the IPS.
IPS#ping 150.1.7.100
Solution:
On IPS
service host
! host-ip, host-name, telnet-option and the management access-list live under network-settings
network-settings
host-name IPS
host-ip 7.7.23.100/24,7.7.23.1
telnet-option enabled
access-list 150.1.7.1/32
access-list 150.1.7.100/32
access-list 7.7.0.0/16
exit
exit
service web-server
enable-tls true
exit
On SW1
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 4
 no shut
Task
Configure the Cisco IPS appliance inline interface pair using these guidelines:
Configure the Cisco IPS sensor appliance for the inline interface pair as shown in the Lab Topology diagram, as follows:
Parameters Value
Inline interfaces Gi0/0,Gi0/2
Inline Information Name IL
Associated Virtual Sensor VSIL
You are allowed to modify the switch parameters as appropriate to achieve this task. Refer to the lab diagram for the required information.
You may access the IPS Manager GUI (IME) either from your Test-PC or your local Candidate PC to help
with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing
configuration to ensure that this works.
R2# ping 19.19.7.10
Solution:
On IPS
service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
physical-interfaces GigabitEthernet0/2
admin-state enabled
exit
!
inline-interfaces IL
interface1 GigabitEthernet0/0
interface2 GigabitEthernet0/2
exit
exit
service analysis-engine
virtual-sensor VSIL
signature-definition sig0
logical-interface IL
exit
exit
Parameters Value
Associated Physical Interface Gi0/
Associated SubInterface 1
VLAN Pair 8,10
Associated Virtual Sensor VSIV
You are allowed to modify the switch parameters as appropriate to achieve this task. Refer to the lab diagram for the required information.
You may access the IPS Manager GUI (IME) either from your Test-PC or your local Candidate PC to help
with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing
configuration to ensure that this works.
R2# ping 19.19.6.10
Solution:
On IPS
service interface
physical-interfaces GigabitEthernet0/3
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
vlan1 8
vlan2 10
exit
exit
exit
service analysis-engine
virtual-sensor VSIV
physical-interface GigabitEthernet0/3 subinterface-number 1
Note: you can use any signature engine to complete this task that satisfies the question requirements.
Solution:
On IPS
service signature-definition sig0
signatures 62000 0
alert-severity high
engine atomic-ip
event-action produce-verbose-alert
specify-l4-protocol yes
l4-protocol tcp
specify-dst-port yes
dst-port 23
no tcp-flags
no tcp-mask
specify-ip-addr-option yes
ip-addr-options ip-addr
specify-dst-ip-addr yes
dst-ip-addr 106.10.6.6
specify-src-ip-addr yes
src-ip-addr 103.10.3.3
exit
sig-description
sig-name TELNET
Verification:
Solution:
On R2
! the blocking profile logs in as ccie, so a matching local user is needed
username ccie privilege 15 secret ccie
line vty 0 15
 login local
On R6
line vty 0 15
 login local
On IPS
service network-access
user-profiles R2PROF
username ccie
password            ! the sensor prompts for the password twice
ccie
ccie
exit
router-devices 19.19.7.2
block-interfaces GigabitEthernet0/0.2 out
profile-name R2PROF
communication telnet
response-capabilities block
exit
exit
For Verification
On R3
telnet 106.10.6.6 /source-interface loopback 103
Trying 106.10.6.6 …
% Connection timed out; remote host not responding
Parameter Settings
WCCP Router 7.7.32.1/24
Service password ccie
Service ID 91
HTTP Service Port 19000
Note: In task 1, you may find the WSA preconfigured with incorrect parameters that you need to change as part of initialization.
Solution
On SW1
interface Fa1/0/11
 switchport mode access
 switchport access vlan 32
On R1
username cisco privilege 15 password cisco
On WSA
WSA> interfaceconfig
ip address: 7.7.32.100
mask: 255.255.255.0
hostname: wsa.cisco.com
WSA> setgateway
7.7.32.1
Verification
SW1# show ip wccp 91 detail
WCCP Client information:
        WCCP Client ID:          7.7.32.100
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             L2
        Packet Return:           L2
        Packets Redirected:      0
        Connect Time:            2hrs
        Assignment:              MASK
For Verification
Solution:
On R1
username cisco privilege 15 password cisco
On Test-PC
Open http://7.7.2.11:19000
Note:
Any traffic permission on the firewall in the path should be specific to the task implementation.
On R4
access-list 101 permit ip 109.10.0.0 0.0.255.255 109.10.0.0 0.0.255.255
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 600
! wildcard pre-shared key: any peer presenting "ccie" is accepted, so this is lab-only
crypto isakmp key ccie address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
! the IPsec profile referenced by both groups below; it binds the transform-set to the GDOI SAs
crypto ipsec profile gdoi-p
 set transform-set myset
!
crypto gdoi group GET-GROUP1
 identity number 1
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 600
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa R4.ccie.com
  rekey transport unicast
  sa ipsec 1
   profile gdoi-p
   match address ipv4 101
   replay counter window-size 64
  address ipv4 150.1.7.4
!
crypto gdoi group GET-GROUP2
 identity number 2
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 600
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa R4.ccie.com
  rekey transport unicast
  sa ipsec 1
   profile gdoi-p
   ! the traffic ACL for group 2 is not given in the task
   match address ipv4 <group-2 ACL>
  ! key-server address, assumed to be the same as for group 1
  address ipv4 150.1.7.4
<Pre-configuration>
On R1
crypto keyring Site-1 vrf Site-1
 pre-shared-key address 150.1.7.4 key ccie
crypto keyring Site-2 vrf Site-2
 pre-shared-key address 150.1.7.4 key ccie
!
interface Gi0/1.1
 crypto map Site-1
!
interface Gi0/1.2
 crypto map Site-2
On ASA1
! the DMZ sites are /24 networks (see the DMZ route table), so "host 172.16.110.0" would match nothing
access-list dmz extended permit udp 172.16.110.0 255.255.255.0 host 150.1.7.4 eq 848
access-list dmz extended permit udp 172.16.120.0 255.255.255.0 host 150.1.7.4 eq 848
On R3
crypto keyring Site-1 vrf Site-1
 pre-shared-key address 150.1.7.4 key ccie
!
interface Gi0/0.1
 crypto map Site-1
interface Gi0/0.2
 crypto map Site-2
For Verification:
R1#show crypto gdoi group GET-GROUP1
R1#show crypto gdoi group GET-GROUP2
Implement a LAN-to-LAN VPN using IKEv2 between R6 and ASA1, using the information in the table:
Encryption – AES-256
Integrity – SHA-256
Note:
1) Any parameters not provided in the table for the task implementation can be chosen by the candidate
2) Any traffic permission on the firewall in the path should be specific to the task implementation
3) You should verify your implementation by switching ASA1 and ASA2 between Active and Standby
!!!!!
Solution:
On ASA1
access-list ikev2 extended permit ip 10.4.4.0 255.255.255.0 192.168.6.0 255.255.255.0
object network R6
 subnet 192.168.6.0 255.255.255.0
object network ASA
 subnet 10.4.4.0 255.255.255.0
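The workbook's ASA1 solution stops at the crypto ACL and the two objects. The IKEv2 policy, IPsec proposal, crypto map, tunnel group and NAT exemption that complete the tunnel, as an added example rather than the workbook's own solution (ASA 8.4 or later syntax; the peer address 19.19.19.6 is taken from the ASA3/C1 filtering rule for this task, while the pre-shared key ccie, DH group 14, the PRF and the names CMAP and IKEV2-AES256-SHA256 are assumed):

```cisco
! IKEv2 policy: AES-256 / SHA-256 as required by the table; group 14 and PRF are assumed
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! IPsec proposal with the same algorithms
crypto ipsec ikev2 ipsec-proposal IKEV2-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! crypto map tying the ACL "ikev2", the peer and the proposal together
crypto map CMAP 10 match address ikev2
crypto map CMAP 10 set peer 19.19.19.6
crypto map CMAP 10 set ikev2 ipsec-proposal IKEV2-AES256-SHA256
crypto map CMAP interface outside
!
! tunnel group keyed on the peer address; both directions use the pre-shared key "ccie" (assumed)
tunnel-group 19.19.19.6 type ipsec-l2l
tunnel-group 19.19.19.6 ipsec-attributes
 ikev2 local-authentication pre-shared-key ccie
 ikev2 remote-authentication pre-shared-key ccie
!
! keep the protected traffic out of the dynamic NAT rules (objects ASA and R6 defined above)
nat (inside,outside) source static ASA ASA destination static R6 R6 no-proxy-arp route-lookup
!
! verification, also after "failover active" on ASA2 (note 3): the tunnel should come back up
! show crypto ikev2 sa
! show crypto ipsec sa peer 19.19.19.6
```

The NAT exemption must sit before the object NAT rules configured earlier in this lab, which "source static ... destination static" (section 1 manual NAT) guarantees; without it the 10.4.4.0/24 traffic would be translated and never match the crypto ACL.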
On R6:
access-list ikev2 permit ip 192.168.6.0 255.255.255.0 10.4.4.0 255.255.255.0
interface Gi0/0.2
crypto map CMAP
On ASA3/C1:
access-list out extended permit udp host 19.19.19.6 eq isakmp host 19.19.4.10 eq isakmp
access-list out extended permit esp host 19.19.19.6 host 19.19.4.10
access-group out in interface outside
On R6
ip route 10.4.4.0 255.255.255.0 19.19.19.66
On ASA1
route outside 192.168.6.0 255.255.255.0 19.19.4.2 1
On SW1:
ip route 192.168.6.0 255.255.255.0 7.7.2.10
On ASA2
ASA2#failover active
ASA2#clear crypto session
On R6
R6#show crypto session
R6#clear crypto session
On ASA4
access-list in permit udp host R6 host 19.19.4.10 eq isakmp
access-list in permit esp host R6 host 19.19.4.10
access-list out permit udp host 19.19.4.10 host R6 eq isakmp
access-list out permit esp host 19.19.4.10 host R6
On ASA1
Use IKE version 1
Authentication – pre-shared key ccie
VPN client addresses – 192.168.1.1 – 192.168.1.10
Network allowed through the IPsec tunnel – 19.44.44.0/24
On Test-PC
Solution:
On ASA1
R6 and SW4 are unable to establish EIGRP neighborship. Find the issues and fix them so that R6 and
SW4 are able to exchange EIGRP routing updates.
Solution:
On R6
Check "ip authentication mode eigrp 19 md5" with show run interface Gi0/0.1
On ASA4
Check "show access-list"
access-list 901 extended permit ip host 19.19.15.4 host 19.19.15.6
access-list 109 extended permit ip any any
NOTE:
Any configuration on the firewall in the path to allow the traffic should be specific to that SSH session
R4# sh ssh
R6# ssh -l ccie -v 1 4.4.4.4
[Connection to 4.4.4.4 aborted : error status 0]
Solution:
R4:
ip domain-name cisco.com
crypto key generate rsa label R4.ccie.com modulus 1024
!
aaa new-model
aaa authentication login VTY local
! a local user and the VTY method list applied to the lines are needed for the SSH login to work
! (the password is not given in the task; ccie is the username used in the verification)
username ccie privilege 15 secret <password>
line vty 0 15
 login authentication VTY
 transport input ssh
On ASA3/C1:
access-list OUT extended permit tcp host 19.19.19.6 host 4.4.4.4 eq ssh
access-group OUT in interface outside
ASA1:
access-list OUT extended permit tcp host 19.19.19.6 host 7.7.22.4 eq ssh
access-group OUT in interface outside
For Verification:
R6#ssh -l ccie -v 2 4.4.4.4
R6#ssh -l ccie -v 1 4.4.4.4
R4#sh ssh
SW6#ssh -l ccie -v 2 7.7.22.4
This implementation is not working correctly; you must identify the configuration issues and fix them so that HTTP inspection tracks GET request packets related only to AAA configuration commands.
Note:
You must use the remote access VPN connection as implemented in Q3.3 to verify the implementation of this task from Test-PC, as shown in the verifications.
Global policy
service-policy : global_policy
packets 0
class router-http
Solution
On ASA1
Class-map type HTTP
Class HTTP
Log
Match ACL
Class CISCO
Class-map CISCO
Parameters
Class class-urlfilter1
Drop log
Policy-map url-packet-filter
Class class-urlfilter1
On SW1
ip route 192.168.1.0 255.255.255.0 7.7.2.10
For Verification
Global policy
Class-map inspection_default
Packets 0
Solution
On R3
ip dhcp excluded-address 19.19.192.1        ! input this command
On SW4
ip arp inspection vlan 192                  ! input this command
ip dhcp snooping
! DAI relies on the DHCP snooping binding table, which is only built for VLANs where snooping is enabled
ip dhcp snooping vlan 192
interface Fa0/3
 spanning-tree portfast
On SW1
SW1(config)# vlan 192                       ! create this VLAN
On R5
interface Fa0/1.2
 no shutdown
Note:
R3#ping 19.19.192.2
!!!!!
Solution
On SW4
ip source binding <MAC address> vlan 192.19.19.193 interface Fa1/0/3
R3#ping 19.19.192.2
On SW4
ip source binding <MAC address> vlan 192 19.19.192.1 interface Fa1/0/1
SW1:
TACACS server IP address is 150.1.7.30
Should source TACACS packets from VLAN 150
If the TACACS server is not available, authentication should fall back to the local database
Use the method list "Admin" to implement this task. Default methods are not allowed
ACS:
Device configuration
Network device "SW1" should be reached by ACS using address 150.1.7.1
Shared secret key between ACS and SW1 should be "cisco"
Network device "SW1" should be associated with location "Inside_Zone" and device type "Switches" under network device groups.
User Configuration:
Telnet session user details should be Username: ccie, Password: cisco
User "ccie" should be an internal user and belong to identity group Admin
Policies:
- User "ccie" should be assigned privilege 15 if authenticated
- User "ccie" should be allowed to execute only the following exact exec- and config-level commands if authenticated
Rules:
An access service by the name of "telnet" should be defined for the implementation of the task
Rule-1
Authentication requests should meet the following identification conditions:
Request should be from NDG location "Inside_Zone"
Request should be from NDG device type (SWITCHES)
Request should be received from device IP address 150.1.7.1. If these conditions are not matched then the result would be to perform a user lookup in internal users
Rule-2
If these conditions are matched then the session should be assigned the policy of privilege level and command authorization as defined in one of the previous steps
Note:
R3#telnet 1.1.1.1
Username : ccie
Password: cisco
SW1#show priv
Solution
On SW1
aaa new-model
tacacs-server directed-request
line vty 0 15
 password cisco
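The SW1 solution above leaves out the TACACS+ server definition and the "Admin" method lists that the task asks for. A configuration that meets all of the stated requirements (server 150.1.7.30, key cisco, sourced from VLAN 150, local fallback, named lists only), as an added example and not the workbook's own solution; the names ACS and ACS-GROUP are assumed:

```cisco
aaa new-model
!
! TACACS+ server 150.1.7.30 with shared secret "cisco", reached from VLAN 150 (150.1.7.1)
tacacs server ACS
 address ipv4 150.1.7.30
 key cisco
aaa group server tacacs+ ACS-GROUP
 server name ACS
 ip tacacs source-interface Vlan150
!
! named method lists only (no "default"); "local" is used when the server cannot be reached
aaa authentication login Admin group ACS-GROUP local
aaa authorization exec Admin group ACS-GROUP local
aaa authorization commands 15 Admin group ACS-GROUP local
! also send configuration-mode commands to the server for authorization
aaa authorization config-commands
!
line vty 0 15
 login authentication Admin
 authorization exec Admin
 authorization commands 15 Admin
!
! local fallback user (ACS side: ccie/cisco at privilege 15 with the command set listed in the task)
username ccie privilege 15 secret cisco
!
! verification from SW1: test the server path before relying on it
! SW1# test aaa group ACS-GROUP ccie cisco legacy
```

The local fallback only triggers when every server in the group is unreachable; a user that ACS explicitly rejects is not retried against the local database.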
On ASA1
access-list dmz permit tcp host 19.19.6.3 host 7.7.2.1 eq 23
On ASA4
access-list out permit tcp host 19.19.6.3 host 1.1.1.1 eq 23
On ACS
Click Network Resources -> Network Devices and AAA Clients
Click Create
Add the device information per the question: IP, TACACS+ key, location, device type (create the location and device type if necessary)
Click Submit
Policy Elements -> Authorization and Permissions -> Device Administration -> Command Sets -> Create, and permit:
show version
show running-config
show privilege
configure terminal
interface
shutdown
no shutdown
ISE is 150.1.7.30
You are not allowed to define the Test-PC MAC address statically for MAB
The authentication rule should provide default network access
The authorization rule should download the ACL "TEST-PC_Allow_Telnet" if SW6 is classified to the network device group type "Switch" and network device group location "Inside"
The downloadable ACL "TEST-PC_Allow_TELNET" should permit a Telnet session from any source to any destination, and all other traffic should be denied
SW6 should assign Test-PC an address from the address pool 99.99.99.0/24
Note:
1. Make sure Test-PC has only one default route, which points to 150.1.7.254
2. Any information not specified to implement this task can be assumed by the candidate
3. If you cannot log in to ISE due to a password expiration error then you need to reset the password to "Ccie123" using the CLI. You may SSH to ISE from Test-PC for CLI access using username "admin" and password "Cisc0123"
SW6#ping 99.99.99.1
!!!!!
Solution
On SW6
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! the RADIUS server (ISE, 150.1.7.30) that "group radius" refers to; the shared secret is not given in the task
radius server ISE
 address ipv4 150.1.7.30 auth-port 1812 acct-port 1813
 key <shared secret>
! MAB is part of the 802.1X framework and needs it enabled globally
dot1x system-auth-control
ip device tracking
interface Fa1/0/1
 mab
 authentication port-control auto
exit
Note:
The completion of this task depends upon the correct implementation of Q6.2
Verification
Solution
On SW6
aaa new-model
ip device tracking
dot1x system-auth-control
interface Gi1/0/1
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
interface Vlan99
 ip helper-address 150.1.7.20
exit
For ISE
Go to Administration > System > Deployment > ISE > General Settings
IP address: 150.1.7.20
Go to Administration > System > Deployment > ISE > Profiling Configuration
DHCP
Interface: GigabitEthernet0
Port: 67
Description: DHCP
Save