
LAB 6

SECTION I – PERIMETER SECURITY

1.1 ASA Active-Standby Failover on ASA1 and ASA2


Task
Configure ASA1 and ASA2 as an Active/Standby failover pair by completing the tasks outlined below.

1. ASA1 and ASA2 will be assigned the following interfaces. ASA1 should be the primary unit and ASA2 the secondary.

Interface   Nameif    Sec Level   IP Address       Standby IP Address
G0/0        inside    100         7.7.2.10/24      7.7.2.11/24
G0/1        dmz       50          19.19.3.10/24    19.19.3.11/24
G0/2        outside   0           19.19.4.10/24    19.19.4.11/24

2. Interface for failover and stateful communication

Name                 Failover interface
Interface            G0/3
Primary IP Address   7.7.56.10/24
Standby IP Address   7.7.56.11/24

3. Verify your solution by pinging from ASA1 as follows:

ASA1#ping inside 7.7.2.1
ASA1#ping dmz 19.19.3.1
ASA1#ping outside 19.19.4.2

Route Table
Interface   Network           Next Hop
inside      7.7.0.0/16        7.7.2.1
inside      10.4.4.0/24       7.7.2.1
inside      10.44.44.0/24     7.7.2.1
inside      150.1.7.0/24      7.7.2.1
dmz         19.19.6.0/24      19.19.3.1
dmz         172.16.120.0/24   19.19.3.1
dmz         172.16.110.0/24   19.19.3.1
outside     19.19.7.0/24      19.19.4.2
outside     19.19.19.0/24     19.19.4.2


ASA1
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 7.7.2.10 255.255.255.0 standby 7.7.2.11
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 19.19.3.10 255.255.255.0 standby 19.19.3.11
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 19.19.4.10 255.255.255.0 standby 19.19.4.11
!
failover lan unit primary
failover lan interface fover GigabitEthernet0/3
failover key 12345
failover link fover Gigabit Ethernet0/3
failover interface ip fover 7.7.56.10 255.255.255.0 standby 7.7.56.11
failover
!
route inside 7.7.0.0 255.255.0.0 7.7.2.1 1
route inside 10.4.4.0 255.255.255.0 7.7.2.1 1
route inside 10.44.44.0 255.255.255.0 7.7.2.1 1
route inside 150.1.7.0 255.255.255.0 7.7.2.1 1
route dmz 19.19.6.0 255.255.255.0 19.19.3.1 1
route dmz 172.16.110.0 255.255.255.0 19.19.3.1 1
route dmz 172.16.120.0 255.255.255.0 19.19.3.1 1
route outside 19.19.7.0 255.255.255.0 19.19.4.2 1
route outside 19.19.19.0 255.255.255.0 19.19.4.2 1

On ASA2
! the failover key and the failover/link interface must match the primary unit
failover lan unit secondary
failover lan interface fover GigabitEthernet0/3
failover key 12345
failover link fover GigabitEthernet0/3
failover interface ip fover 7.7.56.10 255.255.255.0 standby 7.7.56.11
failover


For Verification:
ASA1#ping inside 7.7.2.1
ASA1#ping dmz 19.19.3.1
ASA1#ping outside 19.19.4.2

1.2 Configure ASA3 in Multi-Context Firewall Mode

Initialize ASA3
ASA3 must be configured as a multi-context firewall. Use the following outputs to complete the initial configuration.

Name    Interfaces    Config URL
c1      G0/0, G0/1    c1.cfg
c2      G0/2, G0/3    c2.cfg
admin   Mgmt0         admin.cfg

- Ensure that the config-URL files are saved on disk0:.
- You can permit Internet Control Message Protocol (ICMP) traffic from any to any in both contexts.
- You can modify the Catalyst switch configuration to complete this task.
- When the task is completed, ensure that you are able to ping all major subnets within your network, including ISE1 (150.1.7.20).
Use the exact names and numbers shown in the table.

- Context "c1" initialization details:

ASA3/c1 interface   Nameif    Sec-level   IP Address
Gi0/0               inside    100         19.19.5.10/24
Gi0/1               outside   0           19.19.7.10/24

- Context "c1" routing configuration details:

ASA3/c1
Interface   Network          Next Hop
inside      4.4.4.0/24       19.19.5.2
inside      19.19.4.0/24     19.19.5.2
outside     19.19.0.0/16     19.19.7.2

- Context "c2" initialization details:

ASA3/c2 interface   Nameif    Sec-level   IP Address
Gi0/2               inside    100         19.19.6.10/24
Gi0/3               outside   0           19.19.8.10/24

- Context "c2" routing configuration details:

ASA3/c2
Interface   Network                          Next Hop
inside      Configure a static route for     19.19.6.2
outside     1.1.1.0/24                       19.19.8.2
outside     106.10.6.0/24                    19.19.8.2
outside     19.19.0.0/16                     19.19.8.2

- Verify your solution by pinging from ASA3 as follows:

ASA3/c1#ping inside 19.19.5.2
ASA3/c1#ping outside 19.19.7.2
ASA3/c2#ping inside 19.19.6.3
ASA3/c2#ping outside 19.19.8.2


On ASA3 (system execution space)
mode multiple
mac-address auto
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
interface Management0/0
 no shutdown
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context c1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/c1.cfg
!
context c2
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/c2.cfg

Context c1
changeto context c1
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 19.19.5.10 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 19.19.7.10 255.255.255.0
 no shutdown
!
route inside 4.4.4.0 255.255.255.0 19.19.5.2 1
route inside 19.19.4.0 255.255.255.0 19.19.5.2 1
route outside 19.19.0.0 255.255.0.0 19.19.7.2 1

Context c2
changeto context c2
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 19.19.6.10 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 19.19.8.10 255.255.255.0
 no shutdown
!
route inside 103.10.3.0 255.255.255.0 19.19.6.3 1
route outside 1.1.1.0 255.255.255.0 19.19.8.2 1
route outside 106.10.6.0 255.255.255.0 19.19.8.2 1
route outside 19.19.0.0 255.255.0.0 19.19.8.2 1
!
access-list OUT extended permit icmp any any
access-group OUT in interface outside

1.3 Configure NAT on ASA1

Task

Configure ASA1 with network object NAT rules by completing the tasks outlined below.
ASA1 will be assigned the following address translations:

Inside Address   Outside Address
7.7.22.4         4.4.4.4
7.7.23.0/24      19.19.4.15 - 19.19.4.19

Inside Address   DMZ Address
7.7.2.1          1.1.1.1
150.1.7.4        150.1.7.4

NOTE: You may use the "packet-tracer input" command to check the translation rules.

On ASA1
object network obj7.7.22.4
 host 7.7.22.4
 nat (inside,outside) static 4.4.4.4
!
object network obj7.7.2.1
 host 7.7.2.1
 nat (inside,dmz) static 1.1.1.1
!
object network obj150.1.7.4
 host 150.1.7.4
 nat (inside,dmz) static 150.1.7.4
!
object network dot23out
 range 19.19.4.15 19.19.4.19
!
object network dot23
 subnet 7.7.23.0 255.255.255.0
 nat (inside,outside) dynamic dot23out

VERIFICATIONS:
packet-tracer input inside tcp 7.7.22.4 23 19.19.4.2 80
packet-tracer input inside tcp 7.7.2.1 23 19.19.3.1 80
packet-tracer input inside tcp 150.1.7.4 23 19.19.6.1 80
packet-tracer input inside tcp 7.7.23.1 23 19.19.4.2 80
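The translation decisions those packet-tracer commands report, modelled in Python as an added example (not the page's or Cisco's code); it also walks the dynamic pool past its fifth address, which the four commands above do not exercise:

```python
"""Mini model of the 1.3 ASA object NAT rules, constructed for this lab write-up.

This is not Cisco code: it reproduces only the translation decision that
'packet-tracer input inside ...' reports for a source address, including what
happens when the five-address dynamic pool for 7.7.23.0/24 runs out.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed transcription of the object NAT configuration from task 1.3.
ASA1_NAT_CONFIG = """
object network obj7.7.22.4
 host 7.7.22.4
 nat (inside,outside) static 4.4.4.4
object network obj7.7.2.1
 host 7.7.2.1
 nat (inside,dmz) static 1.1.1.1
object network obj150.1.7.4
 host 150.1.7.4
 nat (inside,dmz) static 150.1.7.4
object network dot23out
 range 19.19.4.15 19.19.4.19
object network dot23
 subnet 7.7.23.0 255.255.255.0
 nat (inside,outside) dynamic dot23out
"""


class ObjectNat:
    """Parses 'object network' blocks and resolves the mapped source address."""

    def __init__(self, config: str) -> None:
        # every object is kept as a list of networks (a host is a /32, a range is summarised)
        self.objects: Dict[str, List[ipaddress.IPv4Network]] = {}
        # (object, real interface, mapped interface, static|dynamic, mapped address or object)
        self.rules: List[Tuple[str, str, str, str, str]] = []
        # dynamic NAT leases: (rule index, real address) -> mapped address
        self.leases: Dict[Tuple[int, ipaddress.IPv4Address], ipaddress.IPv4Address] = {}
        self._parse(config)

    def _parse(self, config: str) -> None:
        name = ""
        for raw in config.splitlines():
            line = raw.strip()
            if m := re.match(r"object network (\S+)$", line):
                name = m.group(1)
            elif m := re.match(r"host (\S+)$", line):
                self.objects[name] = [ipaddress.IPv4Network(m.group(1))]
            elif m := re.match(r"subnet (\S+) (\S+)$", line):
                self.objects[name] = [ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")]
            elif m := re.match(r"range (\S+) (\S+)$", line):
                lo, hi = (ipaddress.IPv4Address(x) for x in m.groups())
                self.objects[name] = list(ipaddress.summarize_address_range(lo, hi))
            elif m := re.match(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)$", line):
                self.rules.append((name, m.group(1), m.group(2), m.group(3), m.group(4)))

    def _member(self, obj: str, addr: ipaddress.IPv4Address) -> bool:
        return any(addr in net for net in self.objects[obj])

    def translate(self, src: str, ingress: str, egress: str) -> Optional[str]:
        """Mapped source for a packet entering 'ingress' and leaving 'egress'.

        Returns the original address when no rule applies (the packet is routed
        untranslated) and None when the dynamic pool is exhausted, which the ASA
        reports as a drop because no interface PAT fallback is configured here.
        """
        addr = ipaddress.IPv4Address(src)
        for idx, (obj, real_if, mapped_if, kind, mapped) in enumerate(self.rules):
            if (real_if, mapped_if) != (ingress, egress) or not self._member(obj, addr):
                continue
            if kind == "static":
                return mapped  # 1.3 uses only static host rules, a one-to-one mapping
            key = (idx, addr)
            if key in self.leases:
                return str(self.leases[key])  # an existing lease is reused
            in_use = {m for (i, _), m in self.leases.items() if i == idx}
            for net in self.objects[mapped]:
                for candidate in net:  # first free address of the pool, in order
                    if candidate not in in_use:
                        self.leases[key] = candidate
                        return str(candidate)
            return None
        return src


if __name__ == "__main__":
    nat = ObjectNat(ASA1_NAT_CONFIG)
    for src, a, b in [("7.7.22.4", "inside", "outside"), ("7.7.2.1", "inside", "dmz"),
                      ("150.1.7.4", "inside", "dmz"), ("7.7.23.1", "inside", "outside")]:
        print(f"{src} ({a}->{b}) -> {nat.translate(src, a, b)}")
```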

1.4 Configure Interface Redundancy on ASA4

Configure ASA4 with a redundant interface between Gi0/1 and Gi0/3 named 'redundant1' and between Gi0/0 and Gi0/2 named 'redundant2'.

Interface    Nameif    Members
Redundant1   outside   Gi0/1, Gi0/3
Redundant2   inside    Gi0/0, Gi0/2

NOTE: ASA4 is preconfigured for transparent mode, which must not be changed during the implementation of this task.

Solution
On ASA4

interface GigabitEthernet0/0
 no nameif
!
interface GigabitEthernet0/1
 no nameif
!
interface Redundant1
 nameif outside
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/3
!
interface Redundant2
 nameif inside
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/2
!
redundant-interface redundant 1 active-member GigabitEthernet0/1
redundant-interface redundant 2 active-member GigabitEthernet0/0

1.5 Configure ZBF (Zone Based Firewall)

Configure R4 for Zone Based Firewall using the information given below.

Security Zone   Member Interface
Inside          Fa0/1.1
Outside         Fa0/1.2

Ensure that ICMP and HTTP are allowed from outside to inside, and that ICMP and UDP are allowed from inside to outside.
NOTE: Any traffic that is not inspected in this task should be dropped by the firewall, and the dropped traffic should be logged to the console.
Verify it using the following commands:
SW1#ping 150.1.7.20 source 7.7.23.4
SW1#ping 7.7.23.6 source 150.1.7.1

Solution:
On R4
class-map type inspect match-any OutIn
 match protocol icmp
 match protocol http
class-map type inspect match-any InOut
 match protocol icmp
 match protocol udp
!
policy-map type inspect InOut
 class type inspect InOut
  inspect
 class class-default
  drop log
policy-map type inspect OutIn
 class type inspect OutIn
  inspect
 class class-default
  drop log
!
zone security Inside
zone security Outside
!
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InOut
zone-pair security OutsideToInside source Outside destination Inside
 service-policy type inspect OutIn
!
interface FastEthernet0/1.1
 zone-member security Inside
!
interface FastEthernet0/1.2
 zone-member security Outside

SW1#ping 150.1.7.20 source 7.7.23.4
SW1#ping 7.7.23.6 source 150.1.7.1
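A stateful model of the R4 policy above, added as an example and not part of the lab or IOS; it assumes 7.7.23.x sits behind Fa0/1.1 and 150.1.7.x behind Fa0/1.2, replays the two verification pings, and shows the class-default drop and the zone-to-non-zone drop:

```python
"""Stateful model of the R4 zone-based firewall policy from task 1.5, constructed
for this write-up (not IOS code). It decides each flow's fate the way the
zone-pairs do, lets the return traffic of an inspected session back through,
and records the class-default 'drop log' entries the console would show.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed from the R4 solution: match-any class-maps, policy-map actions,
# zone-pairs, and interface zone membership.
CLASS_MAPS = {"OutIn": {"icmp", "http"}, "InOut": {"icmp", "udp"}}
POLICY_MAPS = {
    "InOut": [("InOut", "inspect"), ("class-default", "drop log")],
    "OutIn": [("OutIn", "inspect"), ("class-default", "drop log")],
}
ZONE_PAIRS = {("Inside", "Outside"): "InOut", ("Outside", "Inside"): "OutIn"}
INTERFACE_ZONES = {"FastEthernet0/1.1": "Inside", "FastEthernet0/1.2": "Outside"}


@dataclass(frozen=True)
class Flow:
    in_iface: str   # interface the packet arrives on
    out_iface: str  # interface it would leave on, from the routing table
    src: str
    dst: str
    proto: str      # application protocol as the inspect engine classifies it


@dataclass
class ZoneFirewall:
    # inspected sessions keyed by (src zone, dst zone, src, dst, proto)
    sessions: Set[Tuple[str, str, str, str, str]] = field(default_factory=set)
    console: List[str] = field(default_factory=list)

    def evaluate(self, flow: Flow) -> str:
        src_zone = INTERFACE_ZONES.get(flow.in_iface)
        dst_zone = INTERFACE_ZONES.get(flow.out_iface)
        # Replies to an inspected session pass without another zone-pair lookup.
        if (dst_zone, src_zone, flow.dst, flow.src, flow.proto) in self.sessions:
            return "pass (return traffic of inspected session)"
        if src_zone is None and dst_zone is None:
            return "pass (no zone involved)"
        if src_zone == dst_zone:
            return "pass (intra-zone)"
        if src_zone is None or dst_zone is None:
            # A zone member may not talk to an interface that is in no zone.
            return "drop (zone to non-zone interface)"
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            return "drop (no zone-pair)"  # inter-zone traffic is denied unless a pair permits it
        action = self._classify(policy, flow.proto)
        if action == "inspect":
            self.sessions.add((src_zone, dst_zone, flow.src, flow.dst, flow.proto))
        elif action.endswith("log"):
            # Constructed summary line; the real IOS %FW-6-DROP_PKT message carries more fields.
            self.console.append(
                f"DROP {flow.proto} {flow.src} -> {flow.dst} on zone-pair "
                f"{src_zone}->{dst_zone} class class-default"
            )
        return action

    @staticmethod
    def _classify(policy: str, proto: str) -> str:
        for class_name, action in POLICY_MAPS[policy]:
            if class_name == "class-default" or proto in CLASS_MAPS[class_name]:
                return action
        return "drop"  # unreachable with an explicit class-default, kept for completeness


def verify_pings() -> List[str]:
    """Replays the two verification pings from the task (addresses as given there),
    assuming 7.7.23.x sits behind Fa0/1.1 and 150.1.7.x behind Fa0/1.2."""
    fw = ZoneFirewall()
    results = []
    # SW1#ping 150.1.7.20 source 7.7.23.4: inside->outside echo, outside->inside reply
    results.append(fw.evaluate(Flow("FastEthernet0/1.1", "FastEthernet0/1.2", "7.7.23.4", "150.1.7.20", "icmp")))
    results.append(fw.evaluate(Flow("FastEthernet0/1.2", "FastEthernet0/1.1", "150.1.7.20", "7.7.23.4", "icmp")))
    # SW1#ping 7.7.23.6 source 150.1.7.1: the outside->inside echo is itself inspected
    results.append(fw.evaluate(Flow("FastEthernet0/1.2", "FastEthernet0/1.1", "150.1.7.1", "7.7.23.6", "icmp")))
    return results


if __name__ == "__main__":
    print(verify_pings())
```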

1.6 Web Connection Troubleshooting

You are unable to open an HTTP connection from Test-PC to a web server that runs on SW6 on port 19000. Fix the issue so that you are able to open an HTTP connection from Test-PC using the URL http://7.7.22.6:19000.

HTTP login credentials:

Username: ccie

Password: ccie

Solution:
On R4
access-list 1 permit 7.7.22.6
ip port-map http port tcp 19000 list 1

On SW6:
ip http port 19000

On SW1
interface FastEthernet1/0/3
 switchport access vlan 150

On ASA1
access-list dmz extended permit tcp host 19.19.3.55 host 7.7.2.6 eq 19000
access-group dmz in interface dmz

For Verification:

On Test-PC
http://7.7.22.6:19000

Note: sometimes the HTTP port on the switch is set to the wrong port number, so check it and fix it with the correct port number (19000).

SECTION II – Intrusion Prevention and Content Security

2.1 Initialize the Cisco IPS Sensor Appliance


Initialize the Cisco IPS Sensor appliance as follows:

Parameter                Value
Hostname                 IPS
Management               Configure the command and control Management0/0 interface in VLAN 4
Sensor IP address        7.7.23.100
Default gateway          7.7.23.1
Telnet                   Enable Telnet management
Secure Web (SSL)         Enabled
Allowed Hosts/Networks   150.1.7.100, 150.1.7.1, 7.7.0.0/16

Verify the Cisco IPS sensor configuration using the following:

- The username and password for the Cisco IPS console are cisco and 123cisco123. Do NOT change them. Use the console to initialize the Cisco IPS sensor appliance using the details in this table.
- Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology diagram).
- Ensure that the Cisco IPS sensor is able to ping the default gateway and Test-PC.
- Ensure that you are able to Telnet to the IPS from SW1 and Test-PC.
- Ensure that you are able to make a Secure Web (SSL) connection from Test-PC to the IPS.
IPS#ping 150.1.7.100

Solution:
On IPS
service host
 network-settings
  host-name IPS
  host-ip 7.7.23.100/24,7.7.23.1
  telnet-option enabled
  access-list 150.1.7.1/32
  access-list 150.1.7.100/32
  access-list 7.7.0.0/16
  exit
 exit
service web-server
 enable-tls true
 exit

On SW1
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 4
 no shutdown

2.2 Deploy the Cisco IPS Sensor Using an In-Line Interface Pair

Task

Configure the Cisco IPS appliance inline interface pair using these guidelines:
- Configure the Cisco IPS sensor appliance for the inline interface pair as shown in the Lab Topology diagram, as follows:

Parameter                   Value
Inline interfaces           Gi0/0, Gi0/2
Inline interface pair name  IL
Associated virtual sensor   VSIL

- You are allowed to modify the switch parameters as appropriate to achieve this task. Refer to the lab diagram for the required information.
- You may access the IPS Manager GUI (IME) either from your Test-PC or your local Candidate PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing configuration to ensure that this works.
R2#ping 19.19.7.10

Solution:
On IPS
service interface
 physical-interfaces GigabitEthernet0/0
  admin-state enabled
  exit
 physical-interfaces GigabitEthernet0/2
  admin-state enabled
  exit
 inline-interfaces IL
  interface1 GigabitEthernet0/0
  interface2 GigabitEthernet0/2
  exit
 exit
service analysis-engine
 virtual-sensor VSIL
  signature-definition sig0
  logical-interface IL
  exit
 exit

2.3 Deploy the Cisco IPS Sensor Using an In-Line VLAN Pair

Configure the Cisco IPS Sensor appliance for an inline VLAN pair using these guidelines:
- Configure the Cisco IPS sensor appliance for the inline VLAN pair as shown in the Lab Topology diagram, as follows:

Parameter                       Value
Associated physical interface   Gi0/
Associated subinterface         1
VLAN pair                       8, 10
Associated virtual sensor       VSIV

- You are allowed to modify the switch parameters as appropriate to achieve this task. Refer to the lab diagram for the required information.
- You may access the IPS Manager GUI (IME) either from your Test-PC or your local Candidate PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing configuration to ensure that this works.
R2#ping 19.19.6.10


Solution:
On IPS

service interface
 physical-interfaces GigabitEthernet0/3
  admin-state enabled
  subinterface-type inline-vlan-pair
   subinterface 1
    vlan1 8
    vlan2 10
    exit
   exit
  exit
 exit
service analysis-engine
 virtual-sensor VSIV
  physical-interface GigabitEthernet0/3 subinterface-number 1
  exit
 exit

2.4 Implement a Custom Signature on the Cisco IPS Sensor

A custom signature 62000 is required on the Cisco IPS sensor, as follows:
- Trigger – create a signature for a Telnet session when the traffic comes from 103.10.3.3/24 as the source to 106.10.6.6 as the destination address.
- Event Action – Produce Verbose Alert
- Alert severity – high
- Destination port – 23

Note: you can use any signature engine that satisfies the question requirements to complete this task.

R3#telnet 106.10.6.6 /source-interface lo101

User Access Verification

Username: ccie
Password: cisco

IPS#show event alert high

Solution:
On IPS
service signature-definition sig0
 signatures 62000 0
  alert-severity high
  engine atomic-ip
   event-action produce-verbose-alert
   specify-l4-protocol yes
    l4-protocol tcp
     specify-dst-port yes
      dst-port 23
     no tcp-flags
     no tcp-mask
   specify-ip-addr-option yes
    ip-addr-options ip-addr
     specify-dst-ip-addr yes
      dst-ip-addr 106.10.6.6
     specify-src-ip-addr yes
      src-ip-addr 103.10.3.3
   exit
  sig-description
   sig-name TELNET

Verification:

R3#telnet 106.10.6.6 /source-interface lo101

User Access Verification
Username: ccie
Password: cisco
IPS#show event alert high

2.5 Implement IPS Device Blocking

Modify the IPS signature defined in Q2.4 to block the Telnet session from 102.10.3.3 to 106.10.6.6 using R2 as the blocking device. To implement this task, use the information in the table.

- Event Actions – Produce Verbose Alert and Block Connection
- Blocking Device – R2
- Blocking Interface – G0/0.3
- Blocking device communication method – Telnet
- Blocking device login credentials – Username: ccie, password: ccie

To verify, use the following command:

R3#telnet 106.10.6.6 /source-interface lo103
Trying 106.10.6.6 ...


Solution:
On R2
username ccie privilege 15 password ccie
line vty 0 15
 login local
!
ip access-list extended blocktelnet
 deny tcp host 102.10.3.3 host 106.10.6.6 eq telnet

On R6
line vty 0 15
 login local

On IPS
service network-access
 user-profiles R2PROF
  username ccie
  password          // the sensor prompts for the password twice
  ccie
  ccie
  exit
 router-devices 19.19.7.2
  block-interface GigabitEthernet0/0.2 out
  profile-name R2PROF
  communication telnet
  response-capabilities block
  exit
 exit

service signature-definition sig0
 signatures 62000 0
  engine atomic-ip
   event-action produce-verbose-alert|request-block-connection

For Verification

On R3
telnet 106.10.6.6 /source-interface loopback 103
Trying 106.10.6.6 ...
% Connection timed out; remote host not responding
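The 2.4 signature match and the 2.5 connection block, modelled in Python as an added example (not the lab's or Cisco IPS code); the packets are constructed, and the ACE text follows the host-to-host, single-service form of a connection block as opposed to a host block:

```python
"""Model of the task 2.4 custom signature (62000/0, atomic-ip) and the task 2.5
request-block-connection action, constructed for this write-up; not Cisco IPS
code. It shows which packets the signature fires on (only fields set with
'specify-... yes' constrain the match) and the ACE the sensor pushes to the
blocking router for a connection block.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the 2.4/2.5 signature definition. Absent keys correspond to
# 'specify-<field> no', i.e. the field does not constrain the match.
SIG_62000: Dict[str, object] = {
    "sig_id": 62000, "subsig": 0, "sig_name": "TELNET", "engine": "atomic-ip",
    "alert_severity": "high",
    "event_actions": ["produce-verbose-alert", "request-block-connection"],
    "l4_protocol": "tcp", "dst_port": 23,
    "src_ip": "103.10.3.3", "dst_ip": "106.10.6.6",
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def matches(sig: Dict[str, object], pkt: Packet) -> bool:
    """atomic-ip inspects each packet on its own: every specified field must match."""
    field_of = {"l4_protocol": pkt.proto, "src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip,
                "src_port": pkt.src_port, "dst_port": pkt.dst_port}
    return all(sig[key] == value for key, value in field_of.items() if key in sig)


def evaluate(sig: Dict[str, object], pkt: Packet) -> Optional[Dict[str, object]]:
    """Returns the verbose-alert summary the sensor would raise, or None."""
    if not matches(sig, pkt):
        return None
    return {
        "signature": f"{sig['sig_id']}/{sig['subsig']}",
        "name": sig["sig_name"],
        "severity": sig["alert_severity"],
        "attacker": f"{pkt.src_ip}:{pkt.src_port}",
        "victim": f"{pkt.dst_ip}:{pkt.dst_port}",
        "actions": list(sig["event_actions"]),
    }


def block_ace(sig: Dict[str, object], pkt: Packet) -> Optional[str]:
    """ACE for request-block-connection: a connection block denies exactly the
    attacker/victim pair and service, unlike request-block-host, which would deny
    the whole attacker. The sensor installs it in the ACL it manages on the
    blocking interface (R2 in task 2.5)."""
    if evaluate(sig, pkt) is None or "request-block-connection" not in sig["event_actions"]:
        return None
    return f"deny {pkt.proto} host {pkt.src_ip} host {pkt.dst_ip} eq {pkt.dst_port}"


def without(sig: Dict[str, object], *fields: str) -> Dict[str, object]:
    """Copy of a signature with some 'specify-... yes' fields turned off."""
    return {k: v for k, v in sig.items() if k not in fields}


if __name__ == "__main__":
    session = Packet("103.10.3.3", "106.10.6.6", "tcp", 40001, 23)  # constructed
    print(evaluate(SIG_62000, session))
    print(block_ace(SIG_62000, session))
```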


2.6 Initialize the Cisco WSA and Enable Transparent Redirection

The Cisco WSA has been initialized with an IP address of 7.7.32.100 and connected via SW1. Using the Test-PC or Candidate PC, connect to the WSA and complete the following tasks:

Connection information: http://7.7.32.100:8080, username: admin, password: ironport


Parameter               Settings
Hostname                wsa.cisco.com
Interface               Management (M1) to be used for data and management
IP address              7.7.32.100/24
Default gateway         7.7.32.1
System information      Username: admin, password: ironport, email: foobar@cisco.com, timezone: America/United States/Los Angeles
NTP server              7.7.32.1
DNS                     150.1.7.10
L4 Traffic Monitoring   Duplex TAP: T1 (In/Out)

Configure the WSA for transparent redirection using the information in this table:

Parameter           Settings
WCCP router         7.7.32.1/24
Service password    ccie
Service ID          91
HTTP service port   19000

Note: In task 1, you may find the WSA preconfigured with incorrect parameters that you need to change as part of initialization.

To verify, use the following commands:

SW1#show ip wccp 91 detail
SW1#sh run | include wccp | permit |list

WCCP client information:
WCCP Client ID       : 7.7.32.100
Protocol Version     : 2.0
State                : Usable
Redirection          : L2
Packet Return        : L2
Packets Redirected   : 0
Connect Time         : 2hrs
Assignment           : MASK

Solution

On SW1
interface FastEthernet1/0/11
 switchport mode access
 switchport access vlan 32
!
interface Vlan150
 ip wccp 91 redirect in
!
access-list 1 permit host 7.7.32.100
! ACL 1 identifies the WSA (group-list); the ACL named "redirect" (redirect-list) selects the client traffic to redirect
ip wccp 91 redirect-list redirect group-list 1 password ccie
!
sdm prefer routing
reload

On R1
username cisco privilege 15 password cisco

On WSA
WSA> interfaceconfig
ip address: 7.7.32.100
mask: 255.255.255.0
hostname: wsa.cisco.com

WSA> setgateway
7.7.32.1

Next, go to Test-PC and access http://7.7.4.100

Run the system setup wizard:
DNS 150.1.7.10
NTP 7.7.32.1
WCCP router-id 150.1.7.1
service password 123456
!
After you run the setup wizard, go to Transparent Redirection, add the default web-cache router and set the WCCP router ID.
Now on SW1 configure the WCCP web-cache service.

Verification
SW1#show ip wccp 91 detail
WCCP Client information:
WCCP Client ID       : 7.7.32.100
Protocol Version     : 2.0
State                : Usable
Redirection          : L2
Packet Return        : L2
Packets Redirected   : 0
Connect Time         : 2hrs
Assignment           : MASK


2.6 Troubleshoot HTTP Redirection


After the implementation of Q2.6, you will observe that redirection is not working when you initiate an HTTP request from Test-PC using the URL http://7.7.2.11:19000. Find the issues and fix them so that SW1 redirects HTTP requests for port 19000 to the WSA.
Notes:
1. SW1 (7.7.32.1), the WCCP router, is preconfigured for the redirection service.
2. When resolving any issue, do not remove the configuration but fix it.
3. R1 (7.7.2.11) is preconfigured to listen on HTTP port 19000.
4. HTTP authentication credentials: username: cisco, password: cisco

For Verification

Access R1 from Test-PC using the URL http://7.7.2.11:19000

On R1 use the following command to verify that redirection is working:

R1#show ip http server history
HTTP server history:
7.7.2.11:19000 7.7.32.100:32764

Solution:
On R1
username cisco privilege 15 password cisco

On Test-PC
Open http://7.7.2.11:19000

SECTION III – Secure Access



3.1 Implement GETVPN

Implement GET VPN to protect the traffic between the VPN sites "Site-1" and "Site-2" using the following information:

Use ISAKMP Policy
Encryption – AES-256
Authentication Pre-shared Key – ccie
Group Number – 2
Life Time – 600
Use Data Protection Policy
Data Encryption – ESP-AES-256
Data Authentication – ESP-SHA-HMAC
Life Time – 600

See the table below for each VPN site's configuration.

VPN Site-1:
Group Name                  GET-GROUP1
Identity Number             1
Rekey Encryption            AES 256
Rekey Life time             600
Rekey Transport             Unicast
Protected Traffic Between   109.10.0.0/16 109.10.0.0/1
Key server                  150.1.7.4
Rekey authentication        RSA key R4.ccie.com

VPN Site-2:
Group Name                  GET-GROUP2
Identity Number             2
Rekey Encryption            AES 256
Rekey Life time             600
Rekey Transport             Unicast
Protected Traffic Between   109.10.0.0/16 109.10.0.0/16
Key server                  150.1.7.4
Rekey authentication        RSA key R4.ccie.com

Note:

1) R1 and R3 are preconfigured for VRF-aware VPN.
2) R1 and R3 should perform GDOI registration using 172.16.x.x/29 onwards.
Any parameters not provided in the table for the task implementation can be issued by the candidate.
Any traffic permission on the firewall in the path should be specific to the task implementation.

To verify, use the following commands:

ping vrf Site-1 109.10.2.5 source 109.10.1.1
!!!!!
ping vrf Site-2 109.10.3.3 source 109.10.1.1
!!!!!

On R4
crypto key generate rsa modulus 1024 label R4.ccie.com
!
access-list 101 permit ip 109.10.0.0 0.0.255.255 109.10.0.0 0.0.255.255
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key ccie address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto ipsec profile gdoi-p
 set transform-set myset
 set security-association lifetime seconds 600
!
crypto gdoi group GET-GROUP1
 identity number 1
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 600
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa R4.ccie.com
  rekey transport unicast
  sa ipsec 1
   profile gdoi-p
   match address ipv4 101
   replay counter window-size 64
  address ipv4 150.1.7.4
!
crypto gdoi group GET-GROUP2
 identity number 2
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 600
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa R4.ccie.com
  rekey transport unicast
  sa ipsec 1
   profile gdoi-p
   match address ipv4 101
   replay counter window-size 64
  address ipv4 150.1.7.4

<Pre-configuration>
On R1
crypto keyring Site-1 vrf Site-1
 pre-shared-key address 150.1.7.4 key ccie
crypto keyring Site-2 vrf Site-2
 pre-shared-key address 150.1.7.4 key ccie
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key ccie address 0.0.0.0
!
crypto isakmp profile Site-1
 vrf Site-1
 keyring Site-1
 match identity address 150.1.7.4 255.255.255.255 Site-1
crypto isakmp profile Site-2
 vrf Site-2
 keyring Site-2
 match identity address 150.1.7.4 255.255.255.255 Site-2
!
crypto gdoi group GET-GROUP1
 identity number 1
 server address ipv4 150.1.7.4
crypto gdoi group GET-GROUP2
 identity number 2
 server address ipv4 150.1.7.4
!
crypto map Site-1 isakmp-profile Site-1
crypto map Site-1 10 gdoi
 set group GET-GROUP1
crypto map Site-2 isakmp-profile Site-2
crypto map Site-2 10 gdoi
 set group GET-GROUP2
!
interface GigabitEthernet0/1.1
 crypto map Site-1
!
interface GigabitEthernet0/1.2
 crypto map Site-2

On ASA1
access-list dmz extended permit udp 172.16.110.0 255.255.255.0 host 150.1.7.4 eq 848
access-list dmz extended permit udp 172.16.120.0 255.255.255.0 host 150.1.7.4 eq 848

On R3
crypto keyring Site-1 vrf Site-1
 pre-shared-key address 150.1.7.4 key ccie
crypto keyring Site-2 vrf Site-2
 pre-shared-key address 150.1.7.4 key ccie
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp profile Site-1
 vrf Site-1
 keyring Site-1
 match identity address 150.1.7.4 255.255.255.255 Site-1
crypto isakmp profile Site-2
 vrf Site-2
 keyring Site-2
 match identity address 150.1.7.4 255.255.255.255 Site-2
!
crypto gdoi group GET-GROUP1
 identity number 1
 server address ipv4 150.1.7.4
crypto gdoi group GET-GROUP2
 identity number 2
 server address ipv4 150.1.7.4
!
crypto map Site-1 isakmp-profile Site-1
crypto map Site-1 10 gdoi
 set group GET-GROUP1
crypto map Site-2 isakmp-profile Site-2
crypto map Site-2 10 gdoi
 set group GET-GROUP2
!
interface GigabitEthernet0/0.1
 crypto map Site-1
!
interface GigabitEthernet0/0.2
 crypto map Site-2

For Verification:
R1#show crypto gdoi group GET-GROUP1
R1#show crypto gdoi group GET-GROUP2
R3#show crypto gdoi group GET-GROUP1
R3#show crypto gdoi group GET-GROUP2

3.2 Implement LAN-TO-LAN IKEV2

Implement a LAN-to-LAN VPN using IKEv2 between R6 and ASA1, using the information in the table.

Encryption – AES-256
Integrity – SHA-256
Authentication Pre-Shared Key – ccie

Use IPsec Policy
Data encryption – ESP-AES-256
Data Authentication – ESP-SHA-HMAC
Protected Traffic Between – 192.168.6.0/24 and 10.4.4.0/24

Note:
1) Any parameters not provided in the table for the task implementation can be used by the candidate.
2) Any traffic permission on the firewall in the path should be specific to the task implementation.
3) You should verify your implementation by switching ASA1 and ASA2 between Active and Standby.

To verify, use the following command:

R6#ping 10.4.4.4 source 192.168.6.6
!!!!!

Solution:

On ASA1
access-list ikev2 extended permit ip 10.4.4.0 255.255.255.0 192.168.6.0 255.255.255.0
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha
 lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal IKEV2
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map MAP 10 match address ikev2
crypto map MAP 10 set ikev2 ipsec-proposal IKEV2
crypto map MAP 10 set peer 19.19.19.6
crypto map MAP 10 set reverse-route
crypto map MAP interface outside
!
tunnel-group 19.19.19.6 type ipsec-l2l
tunnel-group 19.19.19.6 ipsec-attributes
 ikev2 local-authentication pre-shared-key ccie
 ikev2 remote-authentication pre-shared-key ccie
!
object network R6
 subnet 192.168.6.0 255.255.255.0
object network ASA
 subnet 10.4.4.0 255.255.255.0
!
nat (inside,outside) source static ASA ASA destination static R6 R6

On R6:
ip access-list extended ikev2
 permit ip 192.168.6.0 0.0.0.255 10.4.4.0 0.0.0.255
!
crypto ikev2 proposal ASA1
 encryption aes-cbc-256
 integrity sha256
 group 5
crypto ikev2 policy ASA1
 proposal ASA1
!
crypto ikev2 keyring ASA1
 peer ASA1
  address 19.19.4.10
  pre-shared-key local ccie
  pre-shared-key remote ccie
!
crypto ikev2 profile ASA1
 match identity remote address 19.19.4.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ASA1
!
crypto ipsec transform-set ASA1 esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 19.19.4.10
 set transform-set ASA1
 set ikev2-profile ASA1
 match address ikev2
!
interface GigabitEthernet0/0.2
 crypto map CMAP


On ASA3/c1:
access-list out extended permit udp host 19.19.19.6 eq isakmp host 19.19.4.10 eq isakmp
access-list out extended permit esp host 19.19.19.6 host 19.19.4.10
access-group out in interface outside

On R6
ip route 10.4.4.0 255.255.255.0 19.19.19.66

On ASA1
route outside 192.168.6.0 255.255.255.0 19.19.4.2 1

On SW1:
ip route 192.168.6.0 255.255.255.0 7.7.2.10

On ASA2
ASA2#failover active
ASA2#clear crypto session

On R6
R6#show crypto session
R6#clear crypto session

R6#ping 10.4.4.4 source 192.168.6.6

On ASA4
access-list in extended permit udp host R6 host 19.19.4.10 eq isakmp
access-list in extended permit esp host R6 host 19.19.4.10
access-list out extended permit udp host 19.19.4.10 host R6 eq isakmp
access-list out extended permit esp host 19.19.4.10 host R6
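A consistency checker for the ASA1/R6 pair above, added here and not part of the lab or either vendor's code; R6's local address 19.19.19.6 is taken from the ACLs on ASA3/c1, and the variants constructed in use show what a DH-group or crypto-ACL mismatch looks like:

```python
"""Consistency check for the task 3.2 IKEv2 LAN-to-LAN pair (ASA1 <-> R6),
constructed for this write-up; it is not vendor code. Both peers' parameters are
transcribed by hand into PeerConfig objects, the ASA and IOS spellings of the
same algorithms are normalised, and every mismatch that would keep the SA from
coming up is reported.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

# ASA and IOS name the same algorithms differently; map both to one canonical form.
CANON = {
    "aes-256": "aes256", "aes-cbc-256": "aes256", "esp-aes 256": "aes256",
    "sha256": "sha256", "sha-256": "sha256",
    "sha-1": "sha1", "sha": "sha1", "esp-sha-hmac": "sha1",
}


def canon(name: str) -> str:
    key = name.strip().lower()
    return CANON.get(key, key)


@dataclass(frozen=True)
class PeerConfig:
    name: str
    local_addr: str
    peer_addr: str
    ike_encr: str
    ike_integ: str
    dh_group: int
    psk_local: str
    psk_remote: str
    esp_encr: str
    esp_integ: str
    crypto_acl: Tuple[Tuple[str, str], ...]  # (local network, remote network) pairs


# Transcribed from the 3.2 solution; R6's local address is assumed from the ASA3 ACLs.
ASA1 = PeerConfig("ASA1", "19.19.4.10", "19.19.19.6", "aes-256", "sha256", 5,
                  "ccie", "ccie", "aes-256", "sha-1", (("10.4.4.0/24", "192.168.6.0/24"),))
R6 = PeerConfig("R6", "19.19.19.6", "19.19.4.10", "aes-cbc-256", "sha256", 5,
                "ccie", "ccie", "esp-aes 256", "esp-sha-hmac", (("192.168.6.0/24", "10.4.4.0/24"),))


def variant(peer: PeerConfig, **changes) -> PeerConfig:
    """Copy of a peer with some fields changed, for what-if checks."""
    return replace(peer, **changes)


def check_pair(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Returns human-readable mismatches; an empty list means the pair is consistent."""
    problems: List[str] = []
    if a.peer_addr != b.local_addr or b.peer_addr != a.local_addr:
        problems.append(f"peer addresses: {a.name} -> {a.peer_addr}, {b.name} -> {b.peer_addr}")
    for label, fa, fb in (("IKE encryption", a.ike_encr, b.ike_encr),
                          ("IKE integrity", a.ike_integ, b.ike_integ),
                          ("ESP encryption", a.esp_encr, b.esp_encr),
                          ("ESP integrity", a.esp_integ, b.esp_integ)):
        if canon(fa) != canon(fb):
            problems.append(f"{label}: {a.name} {fa} vs {b.name} {fb}")
    if a.dh_group != b.dh_group:
        problems.append(f"DH group: {a.name} {a.dh_group} vs {b.name} {b.dh_group}")
    # With pre-shared keys, each side's local key must equal the other side's remote key.
    if a.psk_local != b.psk_remote or b.psk_local != a.psk_remote:
        problems.append("pre-shared keys are not crossed consistently")
    # Crypto ACLs must be mirror images, or the traffic selectors will not agree.
    if set(a.crypto_acl) != {(remote, local) for local, remote in b.crypto_acl}:
        problems.append(f"crypto ACL of {a.name} is not the mirror of {b.name}")
    return problems


if __name__ == "__main__":
    print("as configured:", check_pair(ASA1, R6))
    print("R6 offering group 2:", check_pair(ASA1, variant(R6, dh_group=2)))
```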

3.3 Implement Remote Access VPN

Configure ASA1 for Remote Access VPN using the information in the table. You will verify the task implementation from Test-PC using the Cisco VPN Client.

On ASA1
Use IKE version 1
Authentication pre-shared key – ccie
VPN Client Address – 192.168.1.1 – 192.168.1.10
Network allowed through IPsec tunnel – 19.44.44.0/24

On Test-PC
NIC-2 IP address – 19.19.3.100/24
VPN Client details – Username: cisco, Password: cisco

Note:
1) Any parameters not provided in the table for the task implementation can be used by the candidate.
2) Any traffic permission on the firewall in the path should be specific to the task implementation.
3) Your implementation should break TEST-PC accordingly in management NIC1

Solution:
On ASA1

ip local pool POOL 192.168.1.1-192.168.1.10
!
access-list split standard permit 10.44.44.0 255.255.255.0
!
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
!
crypto dynamic-map map 1 set ikev1 transform-set set1
crypto dynamic-map map 1 set reverse-route
crypto map mymap 100 ipsec-isakmp dynamic map
crypto map mymap interface dmz
!
crypto ikev1 enable dmz
!
crypto ikev1 policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
group-policy remote internal
group-policy remote attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
!
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool POOL
 default-group-policy remote
tunnel-group remote ipsec-attributes
 ikev1 pre-shared-key ccie


SECTION IV – System Hardening and Availability

4.1 Troubleshoot EIGRP routing on R6

R6 and SW4 are unable to establish an EIGRP neighborship. Find the issues and fix them so that R6 and SW4 are able to exchange EIGRP routing updates.

After troubleshooting, verify the output using the following command:

R6#show ip eigrp neighbors
H   Address       Interface
0   19.19.15.4    Gi0/0.1
1   19.19.20.5    Gi0/2.1

Solution:
On R6
Check for "ip authentication mode eigrp 19 md5" with "show run interface GigabitEthernet0/0.1".

On ASA4
Check "show access-list":
access-list 901 extended permit ip host 19.19.15.4 host 19.19.15.6
access-list 109 extended permit ip any any

You should add the following commands on ASA4:

access-list 901 extended permit eigrp host 19.19.15.4 host 224.0.0.10
access-group 109 in interface inside
access-group 901 in interface outside

4.2 Configure SSH on R4

Configure SSH on R4 with the following requirements:
- Only accept SSH version 2 connections
- Connections should be allowed only from host 19.19.19.6
- The SSH key name should be R4.ccie.com
- R4 should locally authenticate SSH connections for privilege level 15 using these credentials: username: ccie, password: cisco

NOTE:
Any configuration on the firewall in the path to allow the traffic should be specific to that SSH session.

To verify, use the following commands:

R6#ssh -l ccie -v 2 4.4.4.4
Password: cisco

R4#show ssh
R6#ssh -l ccie -v 1 4.4.4.4
[Connection to 4.4.4.4 aborted : error status 0]

Solution:

R4:
ip domain-name cisco.com
crypto key generate rsa label R4.ccie.com modulus 1024
!
aaa new-model
aaa authentication login VTY local
aaa authorization exec VTY local
!
username ccie privilege 15 password cisco
access-list 15 permit host 19.19.19.6
!
ip ssh version 2
ip ssh rsa keypair-name R4.ccie.com
!
line vty 0 15
 access-class 15 in
 login authentication VTY
 authorization exec VTY
 transport input ssh

On ASA3/c1:
access-list OUT extended permit tcp host 19.19.19.6 host 4.4.4.4 eq ssh
access-group OUT in interface outside

ASA1:
access-list OUT extended permit tcp host 19.19.19.6 host 7.7.22.4 eq ssh
access-group OUT in interface outside

For Verification:
R6#ssh -l ccie -v 2 4.4.4.4
R6#ssh -l ccie -v 1 4.4.4.4
R4#show ssh
SW6#ssh -l ccie -v 2 7.7.22.4

Section V – Threat Identification and Mitigation

5.1 Troubleshoot HTTP Inspect on ASA1 and ASA2

HTTP inspection for GET requests has been implemented on ASA1 so that it matches and logs a packet if it is related to any AAA configuration command.

This implementation is not working correctly, and you must identify the configuration issues and fix them so that HTTP inspection tracks only the GET request packets related to AAA configuration commands.

Note:

You must use the remote access VPN connection implemented in Q3.3 to verify the implementation of this task from Test-PC, as shown in the verification.

To verify, use the following command:

http://10.44.44.44 (on Test-PC)

ASA1#show service-policy inspect http
Global policy
 Service-policy: global_policy
  Class-map: inspection_default
   Inspection: http http_policy, packets 10, fail 1, drop 1 protocol violations
    packets 0
   Class router-http
    log, packets 1 (counter should be > 0)

Solution
On ASA1
Outline of the required MPF structure:
class-map type inspect http (match request method get)
policy-map type inspect http (class -> log)
class-map CISCO (match access-list)
policy-map PMAP (class CISCO -> inspect http <http policy-map>)
service-policy PMAP interface outside
access-list testlist extended permit tcp x.x.x.x any

Configuration:
access-list testlist extended permit tcp x.x.x.x any
class-map type inspect http match-all class-urlfilter1
 match request method get
class-map CISCO
 match access-list testlist
policy-map type inspect http policy-urlfilter1
 parameters
 class class-urlfilter1
  drop log
policy-map url-packet-filter
 class CISCO  // the layer-3/4 policy-map must reference the layer-3/4 class-map CISCO, not the HTTP inspect class-map
  inspect http policy-urlfilter1
service-policy url-packet-filter interface outside

On SW1
ip route 192.168.1.0 255.255.255.0 7.7.2.10

Check the result with the following commands:

ASA1#show run regex
ASA1#show run class-map
ASA1#show run policy-map

Then open http://10.44.44.44 on Test-PC.


For Verification

ASA1#show service-policy inspect http
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspection: http http_policy, packets 10, fail 1, drop 1
        protocol violations packets 0
        class router-http
          log, packets 1 (counter should be > 0)

5.2 Troubleshoot DHCP on R5


R5 is unable to obtain a DHCP address on interface f0/1.2 from R3, which acts as the DHCP server. Find the breaks and fix the issue so that R5 is able to obtain an IP address from R3 via DHCP. SW4 should also have binding information for the assigned IP address as part of its DHCP snooping implementation.

To verify, use the following commands:

SW4# show ip dhcp snooping binding
R5# show ip interface brief | include f0/1.2

Solution
On R3
ip dhcp excluded-address 19.19.192.1  // input this command

On SW4
ip arp inspection vlan 192  // input this command
ip dhcp snooping vlan 192
no ip dhcp snooping information option
no ip dhcp snooping verify mac-address
ip dhcp snooping
interface Fa0/3
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 24
 ip dhcp snooping trust  // input this command
 ip arp inspection trust  // input this command
arp access-list Filter
 permit ip host 192.168.192.3 mac host
ip arp inspection filter Filter vlan 192

On SW1
SW1#vlan 192  // input this VLAN

On R5
interface Fa0/1.2
 no shutdown

Then check the DHCP binding status:

R5#show ip interface brief
R5#sh ip interface brief | include f0/1.2
SW4#show ip dhcp snooping binding

5.3 Troubleshoot Link Connectivity between R3 and R5


After the correct implementation of Q5.2, you will be unable to ping the IP address that R5's F0/1.2 interface obtained via DHCP. Find and fix the issue so that R3 is able to ping R5's F0/1.2 interface.

Note:

Your implementation should not break Q5.2.

To verify, use the following command:

R3#ping 19.19.192.2
!!!!!

Solution
On SW4
ip source binding <MAC Address> vlan 192 19.19.192.3 interface Fa1/0/3

Then check it with the commands below.

R3#ping 19.19.192.2
SW4#show run | include arp

Other Fault Patterns

On SW4
ip source binding <MAC Address> vlan 192 19.19.192.1 interface Fa1/0/1

- It should be changed to the command below.

ip source binding <MAC Address> vlan 192 19.19.192.3 interface Fa1/0/3
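The following is an added illustration of why the static binding in Q5.3 is needed; it is not part of the lab. It models SW4's DHCP snooping binding table and the IP Source Guard check that consults it, with constructed MAC addresses and an assumed port (Fa1/0/2) for R5; R3's static 19.19.192.3 on Fa1/0/3 is dropped until the correct `ip source binding` entry exists, and the wrong binding from the fault pattern does not help.

```python
# Added illustration (not part of the lab): a model of SW4's DHCP-snooping
# binding table and the IP Source Guard (IPSG) check that consults it. All
# MACs, addresses and port names below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str        # IOS dotted format, e.g. "0011.2233.4455"
    vlan: int
    ip: str
    interface: str  # access port the host is attached to


class SnoopingSwitch:
    """Binding table as listed by 'show ip dhcp snooping binding'."""

    def __init__(self, ipsg_ports):
        self.bindings = set()
        self.ipsg_ports = set(ipsg_ports)  # ports with 'ip verify source'

    def learn_dhcp_ack(self, mac, vlan, ip, interface):
        """Dynamic entry: snooping records the lease the server acknowledged."""
        self.bindings.add(Binding(mac.lower(), vlan, ip, interface))

    def add_static_binding(self, mac, vlan, ip, interface):
        """Static entry: 'ip source binding <mac> vlan <vlan> <ip> interface <if>'.
        Needed for hosts that never use DHCP, such as the DHCP server R3 itself."""
        self.bindings.add(Binding(mac.lower(), vlan, ip, interface))

    def ipsg_permits(self, vlan, src_ip, interface):
        """IPSG (IP-only mode) forwards a packet on a guarded port only if a
        binding exists for that source IP on that VLAN and that exact port.
        DHCP-snooping trust on the port does not bypass this check."""
        if interface not in self.ipsg_ports:
            return True  # no 'ip verify source' here: nothing is filtered
        return any(b.vlan == vlan and b.ip == src_ip and b.interface == interface
                   for b in self.bindings)


def lab_scenario(static_binding=None):
    """Task 5.3 as modelled here: R5 leases .2 on Fa1/0/2 (assumed port), R3 has
    static .3 on Fa1/0/3; optionally apply a (mac, vlan, ip, interface) static
    binding. Returns (r5_permitted, r3_permitted)."""
    sw4 = SnoopingSwitch(ipsg_ports={"Fa1/0/2", "Fa1/0/3"})
    sw4.learn_dhcp_ack("0011.2233.4455", 192, "19.19.192.2", "Fa1/0/2")
    if static_binding:
        sw4.add_static_binding(*static_binding)
    return (sw4.ipsg_permits(192, "19.19.192.2", "Fa1/0/2"),
            sw4.ipsg_permits(192, "19.19.192.3", "Fa1/0/3"))
```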

SECTION VI – Identity Management

6.1 Configure Authentication and Authorization Using ACS

Configure ACS and SW1 for Telnet session authentication and authorization
using TACACS+. This implementation should meet these requirements.

SW1:
- TACACS server IP address is 150.1.7.30
- Should source TACACS packets from VLAN 150
- If the TACACS server is not available, authentication should fall back to the local database
- Use method list “Admin” to implement this task. Default methods are not allowed

ACS:
Device configuration
- Network device “SW1” should be reached by ACS using address 150.1.7.1
- Shared secret key between ACS and SW1 should be “cisco”
- Network device “SW1” should be associated with location “Inside_Zone” and device type “Switches” under network device group.


User Configuration:
- Telnet session user details should be username: ccie, password: cisco
- User “ccie” should be an internal user and belong to identity group “Admin”

Policies:
- User “ccie” should be assigned privilege 15 if authenticated
- User “ccie” should be allowed to execute only the following exec and config level commands if authenticated

Below are the allowed exec commands

- show version
- show running-config
- show ip int br
- show priv

Below are the allowed config commands

- config terminal
- interface
- shut
- no shut

Rules:
An access service by the name of “telnet” should be defined for implementation of the task

Rule-1
Authentication requests should meet the following identification conditions
- Request should be from NDG location “Inside_Zone”
- Request should be from NDG device type “Switches”
- Request should be received from device IP address 150.1.7.1. If these conditions are not matched, the result should be a user lookup in the internal users store

Rule-2

The request should meet the following authorization conditions

- Communication protocol should be “TACACS”
- User should be part of identity group “Admin”

If these conditions are matched, the session should be assigned the privilege level and command authorization policy defined in one of the previous steps

Note:

1) User is pre-defined on SW1 for local database fallback
2) The Telnet session needs to be initiated from R3.
3) Any configuration on the firewalls in the path to allow the traffic should be specific to the Telnet session

To verify, use the following commands:

R3#telnet 1.1.1.1
Username: ccie
Password: cisco
SW1#show priv

Solution
On SW1
aaa new-model
aaa authentication login Admin group tacacs+ local
aaa authorization exec Admin group tacacs+ local
aaa authorization config-commands
aaa authorization commands 1 Admin group tacacs+ local
aaa authorization commands 15 Admin group tacacs+ local
tacacs-server host 150.1.7.30 key cisco
tacacs-server directed-request
privilege configure level 15 interface
privilege configure level 15 no shutdown
privilege configure level 15 shutdown
privilege configure level 15 show version
privilege configure level 15 show privilege
privilege configure level 15 show ip int br
privilege configure level 15 configure terminal
privilege configure level 15 show running-config
ip tacacs source-interface vlan 150
line vty 0 15
 password cisco
 authorization commands 1 Admin
 authorization commands 15 Admin
 authorization exec Admin
 login authentication Admin
 transport input telnet

On ASA1
access-list dmz extended permit tcp host 19.19.6.3 host 7.7.2.1 eq 23
access-group dmz in interface dmz

On ASA4
access-list out extended permit tcp host 19.19.6.3 host 1.1.1.1 eq 23

On ACS
Click Network Resources -> Network Devices and AAA Clients
Click Create
Add the device information per the question: IP, TACACS+ key, location, device type (create the location and device type if necessary)
Click Submit
Click Users and Identity Stores -> Identity Groups
Create identity group “Admin”
Policy Elements -> Authorization and Permissions -> Device Administration -> Command Sets -> Create, and permit the following commands:
show version
show running-config
show ip interface brief
show privilege
configure terminal
interface
shutdown
no shutdown
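As an added illustration (not the lab's or ACS's own code), the model below shows how a permit-only TACACS+ command set like the one built above decides a command authorization request: IOS sends the fully expanded command (`show ip interface brief`, not `show ip int br`), so the set must list expanded forms. The regex matching of the argument column is an assumption made for the example.

```python
# Added illustration (not ACS's or the lab's code): how a permit-only TACACS+
# command set like the one built in task 6.1 decides an authorization request.
# Regex matching of the argument column is an assumption of this model.
import re

# Command set from task 6.1: (command, regex the remaining arguments must match).
ADMIN_COMMAND_SET = [
    ("show", r"^version$"),
    ("show", r"^running-config$"),
    ("show", r"^ip interface brief$"),
    ("show", r"^privilege$"),
    ("configure", r"^terminal$"),
    ("interface", r"^\S+$"),   # any single interface name, e.g. Vlan150
    ("shutdown", r"^$"),
    ("no", r"^shutdown$"),
]


def split_tacacs_request(cmd_line):
    """IOS sends cmd=<first token> and one cmd-arg=<token> per remaining word."""
    tokens = cmd_line.split()
    if not tokens:
        raise ValueError("empty command")
    return tokens[0], " ".join(tokens[1:])


def authorize(cmd_line, command_set=ADMIN_COMMAND_SET, permit_unmatched=False):
    """Return True if the command set permits the command.
    permit_unmatched models the 'permit any command not in the table' option,
    which must stay off for task 6.1 so that only the listed commands pass."""
    cmd, args = split_tacacs_request(cmd_line)
    for set_cmd, arg_pattern in command_set:
        if cmd == set_cmd and re.search(arg_pattern, args):
            return True
    return permit_unmatched
```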

6.2 Implement MAB for TEST-PC Using ISE

Configure MAB on SW6 to authorize TEST-PC on port Gi1/0/1 using ISE.

Use the information below to accomplish this task

- ISE is 150.1.7.30
- You are not allowed to define the TEST-PC MAC address statically for MAB
- Authentication rule should provide default network access
- Authorization rule should download ACL “TEST-PC_Allow_Telnet” if SW6 is classified in Network Device Group Type “Switch” and Network Device Group Location “Inside”
- Downloadable ACL “TEST-PC_Allow_TELNET” should permit a Telnet session from any source to any destination, and all other traffic should be denied
- SW6 should assign TEST-PC an address from the 99.99.99.0/24 address pool

Note:
1. Make sure Test-PC has only one default route, which points to 150.1.7.254
2. Any information not specified to implement this task can be assumed by the candidate
3. If you cannot log in to ISE due to a password expiration error, reset the password to “Ccie123” using the CLI. You may SSH to ISE from TEST-PC for CLI access using username “admin” and password “Cisc0123”

To verify, use the following commands:

SW6#ping 99.99.99.1
!!!!!

Solution
On SW6
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key cisco
ip radius source-interface vlan 22
radius-server vsa send authentication
ip device tracking
ip dhcp pool POOL
 network 99.99.99.0 255.255.255.0
 exit
interface Fa1/0/1
 switchport mode access
 switchport access vlan 99
 mab
 authentication host-mode multi-auth
 authentication port-control auto
 exit

Then ping 150.1.7.20

6.3 Implement Profiling Using ISE

Enable automatic profiling for TEST-PC so that the TEST-PC MAC address is profiled as a “MICROSOFT-WORKSTATION” endpoint. Also make sure that the TEST-PC MAC address appears under “MICROSOFT-WORKSTATION” in the Endpoint Identity Groups.

Note:

The completion of this task depends upon the correct implementation of Q6.2.

Verification

Solution
On SW6
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 150.1.7.20 server-key cisco
ip device tracking
dot1x system-auth-control
ip radius source-interface vlan 7
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key cisco
interface gi1/0/1
 switchport access vlan 99
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
interface vlan 99
 ip helper-address 150.1.7.20
 exit

For ISE

Go to Administration > System > Deployment > ISE > General Settings
IP address: 150.1.7.20
Node Type: ISE

Go to Administration > System > Deployment > ISE > Profiling Configuration
DHCP
Interface: GigabitEthernet0
Port: 67
Description: DHCP

Go to Administration > System > Settings
CoA Type: Reauth
Save