CCIE Security
By JasonBlack
Contents
You have been asked to configure a remote VPN solution in the Internet
Edge 1 layer of the network to support traffic from the Sales and Finance
organizations. The requirements are as follows:
• The last octet of the inside, outside, and management interface
address must be .1, .1, and .53 respectively.
• These interfaces must be named "inside", "outside", and "mgmt".
• Client must be able to establish remote VPN sessions with ASAs
using a Cisco Anyconnect IPsec IKEv2 tunnel with an idle timeout of
2 days.
• Cisco Anyconnect sessions from Sales and Finance PCs must be
authenticated by ISE using Active Directory as the external identity
source.
• If Active Directory is not available, then users must be authenticated
using the ISE internal database as a backup.
• Only traffic that is destined for the Sales server, NTP server, and the
172.16.1.0/24 network must be encrypted.
• For the Sales organization, the address must be assigned from the
block of 172.16.1.1 - 172.16.1.10/24.
• For the Finance organization, the address must be assigned from the
block of 172.16.1.11-172.16.1.20/24.
• Sales and Finance PCs must be synchronized with the HQ NTP server
using its FQDN.
Cisco Anyconnect sessions must be assigned dynamic ACLs that permit
traffic from any source to:
• Translated address of the Sales server at port 8080
• DNS server
• NTP server
• ICMP destined to the 172.16.1.0/24 network
Solution:
AD-DNS PC
ASA1v
NOTE: There are two methods to upload the PKG file, CLI and GUI. Sometimes
ASA1v/ASA11v has already uploaded the PKG file; just check it.
The two methods are as follows:
CLI: ASA1v/ASA11v
!
IKEv2
ASA1v-First:
ASA11v-Second:
Step details:
ISE (Management PC):
GUI Login
Disable Profiling
Disable RADIUS Suppress Repeated
Join AD
Create Identity Source
Create Network Access Users "salesuser1" "financeusers1"
Create AAA Client/Network Devices
Create Authentication Policy
Create Authorization Profiles "salesprofile" "financeprofile"
Create Authorization Policy
Sales PC:
Connect with the IE browser the first time, and install the AnyConnect Secure
Mobility Client manually.
Finance PC: proceed the same way.
ASA1v:
!
group-policy sales attributes
vpn-tunnel-protocol ikev2
group-policy finance attributes
vpn-tunnel-protocol ikev2
!
wr
!
vpn-sessiondb logoff all
Sales PC:
Finance PC:
ASA1v:
Sales PC:
HTTPS: If there is a DNS issue, open CMD and try one or both of the following
methods:
ipconfig /flushdns
nslookup
Finance PC:
HTTPS: If there is a DNS issue, open CMD and try one or both of the following
methods:
ipconfig /flushdns
nslookup
ASA1v:
!
same-security-traffic permit intra-interface
!
write memory
Finance PC-172.16.1.11 (Sales PC-172.16.1.1): turn off the firewall on the PCs.
=============================================================
1.3 SSL-Clientless
You have been asked to deploy a remote VPN solution in the Internet Edge
2 layer of the network to support traffic that originates from a web browser.
The requirements are as follows:
• The last octet of the inside, outside, and management interface
address must be .1, .1, and .58 respectively.
• These interfaces must be named "inside", "outside", and
"management".
• Marketing and Engineering PCs must be able to establish remote VPN
sessions using clientless SSL VPN tunnel with an idle timeout of 2
days (2880).
• The VPN sessions must be authenticated by ISE using Active
Directory as the external identity source.
• If Active Directory is not available, those users must be authenticated
using the ISE internal database as a backup.
• Only marketing and engineering clients can access their respective
servers using their FQDN.
Solution:
R15
!
ip route 19.16.3.1 255.255.255.255 5.2.15.1
ip route 19.16.4.1 255.255.255.255 5.2.15.1
ASA2v
!
route inside 19.16.3.1 255.255.255.255 5.2.16.15
route inside 19.16.4.1 255.255.255.255 5.2.16.15
route inside 150.1.7.200 255.255.255.255 5.2.16.15
!
aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.111
key cisco
!
dns domain-lookup inside
dns name-server 150.1.7.200
!
domain-name cisco.com
!
http server enable
!
http 150.1.7.0 255.255.255.0 mgmt
!
webvpn
enable outside
tunnel-group-list enable
!
access-list marketing webtype permit url https://marketingserver.cisco.com/*
access-list engineering webtype permit url https://engineeringserver.cisco.com/*
!
group-policy engineering internal
group-policy engineering attributes
vpn-idle-timeout 2880
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value engineering
!
group-policy marketing internal
group-policy marketing attributes
vpn-idle-timeout 2880
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value marketing
!
tunnel-group engineering type remote-access
tunnel-group engineering general-attributes
authentication-server-group ISE
default-group-policy engineering
tunnel-group engineering webvpn-attributes
group-alias engineering enable
!
tunnel-group marketing type remote-access
tunnel-group marketing general-attributes
authentication-server-group ISE
default-group-policy marketing
tunnel-group marketing webvpn-attributes
group-alias marketing enable
Test of connectivity:
Engineering PC: Connect with IE or Firefox Browser.
HTTPS: If there is a DNS issue, open CMD and try one or both of the following
methods:
ipconfig /flushdns
nslookup
Test of connectivity:
ipconfig /flushdns
nslookup
ASA3: Check the hits
=============================================================
1.4 FMC-FTD Site-to-Site
You have been asked to secure Richardson branch traffic for the
Engineering server SSL access situated in HQ DC 2:
• Also, Branch PC must be synchronized with the HQ NTP server using
its FQDN.
• The secure communication must use the site-to-site IPsec VPN model
using Cisco Firepower Threat Defense.
• Your implementation must permit only specific protocols and ports to
allow connection from branch PCs to Engineering and NTP servers.
Branch PC:
HTTPS: If there is a DNS issue, open CMD and try one or both of the following
methods:
ipconfig /flushdns
nslookup
NTP for windows:
!
Logs FMC:
=============================================================
1.5 IOS FlexVPN
You have been asked to set up a secure link between the RTP branch and
HQ. The link will provide confidentiality and integrity for the traffic between
supplicants in 5.2.38.0/24 network and intranet address space in DC 3. The
requirements are as follows:
• FlexVPN VTI method must be used to establish security between R16
and R5.
• The secure tunnel must extend the 192.168.100.0/24 network between
SW7 and R4.
Technology:
https://www.cisco.com/c/pt_br/support/docs/security/flexvpn/116207-configure-l2tpv3-00.html
Solution:
FlexVPN Configuration
R16
!
crypto ikev2 keyring default
peer R5
address 10.10.100.5
pre-shared-key cisco
!
crypto ikev2 profile default
match identity remote address 10.10.100.5 255.255.255.255
identity local address 10.10.100.16
authentication remote pre-share
authentication local pre-share
keyring local default
!
interface tunnel100
ip address 172.16.100.16 255.255.255.0
tunnel source 10.10.100.16
tunnel destination 10.10.100.5
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
!
pseudowire-class L2TP
encapsulation l2tpv3
ip local interface tunnel100
!
interface GigabitEthernet3
no ip address
xconnect 172.16.100.5 1001 encapsulation l2tpv3 pw-class L2TP
!
write
!
R5
!
crypto ikev2 keyring default
peer R16
address 10.10.100.16
pre-shared-key cisco
!
crypto ikev2 profile default
match identity remote address 10.10.100.16 255.255.255.255
identity local address 10.10.100.5
authentication remote pre-share
authentication local pre-share
keyring local default
!
interface tunnel100
ip address 172.16.100.5 255.255.255.0
tunnel source 10.10.100.5
tunnel destination 10.10.100.16
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
pseudowire-class L2TP
encapsulation l2tpv3
ip local interface tunnel100
!
interface GigabitEthernet4
no ip address
xconnect 172.16.100.16 1001 encapsulation l2tpv3 pw-class L2TP
!
end
!
write
Test of connectivity:
R5
Test of connectivity:
R16
show crypto session
!
SW7
Test of connectivity:
ping 172.10.1.1 source vlan 208
!
=============================================================
2.1 ASA1v/ASA11v – Failover Active/Standby
You have been asked to configure high availability for ASAs in the Internet
Edge 1 layer of the network. The requirements are as follows:
• The last octet of the active and standby management interface
addresses must be .53 and .54 respectively.
• The last octet of the active and standby non-management interface
address must be .1 and .2 respectively.
• The last octet of the failover link active and standby addresses must
be .1 and .2 respectively.
NOTE: ASA1v must be active in the pair when you have completed this task.
Solution:
ASA1v
!
configure terminal
!
interface GigabitEthernet0/2
no shutdown
!
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 5.2.9.1 255.255.255.0 standby 5.2.9.2
!
ASA11v
!
configure terminal
!
interface GigabitEthernet0/2
no shut
!
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 5.2.9.1 255.255.255.0 standby 5.2.9.2
ASA1v
!
ping 5.2.9.2
!
!
failover
ASA11v
!
failover
Test of connectivity:
ASA1v
!
show failover state
ASA1v
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 5.2.10.1 255.255.255.0 standby 5.2.10.2
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 5.2.8.1 255.255.255.0 standby 5.2.8.2
no shutdown
!
interface Management0/0
nameif mgmt
security-level 100
ip add 150.1.7.53 255.255.255.0 standby 150.1.7.54
no shut
Test of connectivity:
!
ping 5.2.8.2
ping 5.2.8.9
ping 5.2.10.2
ping 5.2.10.11
ping 150.1.7.111
!
!
ASA1v
!
show failover
ASA1v
!
route outside 5.2.11.0 255.255.255.0 5.2.10.11
route outside 5.2.12.0 255.255.255.0 5.2.10.11
Test of connectivity:
!
ping 5.2.11.2 (The Sales PC's firewall should be turned off)
ping 5.2.12.2 (The Finance PC's firewall should be turned off)
!
=============================================================
2.2 ASA2v/ASA22v – Failover Active/Standby
You have been asked to configure high availability for ASAs in the Internet
Edge 2 layer of the network. The requirements are as follows:
• The last octet of the active and standby management interface
address must be .58 and .59 respectively.
• The last octet of the active and standby non-management interface
address must be .1 and .2 respectively.
• The last octet of the failover link active and standby addresses must
be .1 and .2 respectively.
NOTE: ASA2v must be active in the pair when you have completed this task.
Solution:
ASA2v
!
configure terminal
!
interface GigabitEthernet0/2
no shutdown
!
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 5.2.17.1 255.255.255.0 standby 5.2.17.2
ASA22v
!
configure terminal
!
interface GigabitEthernet0/2
no shutdown
!
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 5.2.17.1 255.255.255.0 standby 5.2.17.2
ASA2v
!
ping 5.2.17.2
!
failover
ASA22v
!
failover
ASA2v
!
show failover state
ASA2v
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 5.2.18.1 255.255.255.0 standby 5.2.18.2
no shut
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 5.2.16.1 255.255.255.0 standby 5.2.16.2
no shutdown
!
interface Management0/0
nameif mgmt
security-level 100
ip address 150.1.7.58 255.255.255.0 standby 150.1.7.59
no shutdown
!
write
Test of connectivity:
!
ping 5.2.16.2
ping 5.2.16.15
ping 5.2.18.2
ping 5.2.18.3
ping 150.1.7.111
show failover state
!
ASA2v
!
route outside 5.2.19.0 255.255.255.0 5.2.18.3
route outside 5.2.20.0 255.255.255.0 5.2.18.3
Test of connectivity:
!
ping 5.2.19.2 (The Engineering PC's firewall should be turned off first)
ping 5.2.20.2 (The Marketing PC's firewall should be turned off first)
=============================================================
2.3 ASA1/ASA2 – Failover Active/Active Multi-Context
You have been asked to deploy high availability for ASAs in the Core-
Distribution layer of the network. The requirements are as follows:
• ASAs first, second, and third non-management interface must be in
the inside, DMZ, and outside zones respectively.
• The context "c1" and "c2" must route traffic for the Sales and Finance
organization respectively.
• The actual address of the Sales and Finance servers must be visible
to the clients as 19.16.1.1 and 19.16.2.1 respectively.
• The last octet of the active and standby management interface
address must be .51 and .52 respectively.
• The last octet of the active and standby non-management interface
addresses must be .1 and .2 respectively.
• The last octet of the active and standby LAN link interface addresses
must be .1 and .2 respectively.
• The last octet of the active and standby STATE link interface
addresses must be .1 and .2 respectively.
• The c1 context interface must be named "inside_c1","outside_c1",
and "dmz_c1".
• The c2 context interface must be named "inside_c2","outside_c2",
and "dmz_c2".
NOTE: ASA1-c1 and ASA2-c2 must be active in the pair for the Sales and
Finance traffic respectively. Verify established sessions on the Sales and
Finance servers from Sales and Finance PCs respectively.
Solution:
ASA1
!
ASA1(config)# show mode /--single mode is pre-config--/
security context mode: single
ASA1(config)# mode multiple
ASA2
!
ASA2(config)# show mode /--single mode is pre-config--/
security context mode: single
ASA2(config)# mode multiple
ASA1-system
!
delete *.cfg
!
delete filename [*.cfg]? enter
!
delete disk0:/admin.cfg? [confirm] enter
!
delete disk0:/c1.cfg? [confirm] enter
!
delete disk0:/c2.cfg? [confirm] enter
!
no cluster interface-mode
!
interface GigabitEthernet1/1
no shutdown
!
interface GigabitEthernet1/2
no shutdown
!
interface GigabitEthernet1/3
no shutdown
!
interface GigabitEthernet1/4
no shutdown
!
interface GigabitEthernet1/5
no shutdown
!
interface Management0/0
no shutdown
!
interface GigabitEthernet1/1.1
vlan 2
!
interface GigabitEthernet1/1.2
vlan 3
!
interface GigabitEthernet1/2.1
vlan 4
!
interface GigabitEthernet1/2.2
vlan 5
!
interface GigabitEthernet1/3.1
vlan 6
!
interface GigabitEthernet1/3.2
vlan 7
!
failover group 1
primary
preempt
!
failover group 2
secondary
preempt
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
config-url disk0:/c2.cfg
join-failover-group 2
!
failover lan unit primary
failover lan interface LAN GigabitEthernet1/4
failover link STATE GigabitEthernet1/5
failover interface ip LAN 5.2.201.1 255.255.255.0 standby 5.2.201.2
failover interface ip STATE 5.2.202.1 255.255.255.0 standby 5.2.202.2
ASA2-system:
!
delete *.cfg
!
delete filename [*.cfg]? enter
!
delete disk0:/admin.cfg? [confirm] enter
!
delete disk0:/c1.cfg? [confirm] enter
!
delete disk0:/c2.cfg? [confirm] enter
!
no cluster interface-mode
!
interface GigabitEthernet1/4
no shutdown
!
interface GigabitEthernet1/5
no shutdown
!
failover group 1
primary
preempt
!
failover group 2
secondary
preempt
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
config-url disk0:/c2.cfg
join-failover-group 2
!
failover lan unit secondary
failover lan interface LAN GigabitEthernet1/4
failover link STATE GigabitEthernet1/5
failover interface ip LAN 5.2.201.1 255.255.255.0 standby 5.2.201.2
failover interface ip STATE 5.2.202.1 255.255.255.0 standby 5.2.202.2
Test of connectivity:
ASA1:
!
ping 5.2.201.2
ping 5.2.202.2
!
failover
ASA2
!
failover
ASA1
!
show failover state
ASA1-system:
!
admin-context admin
context admin
allocate-interface Management0/0
!
context c1
allocate-interface GigabitEthernet1/1.1 inside_c1
allocate-interface GigabitEthernet1/2.1 dmz_c1
allocate-interface GigabitEthernet1/3.1 outside_c1
!
context c2
allocate-interface GigabitEthernet1/1.2 inside_c2
allocate-interface GigabitEthernet1/2.2 dmz_c2
allocate-interface GigabitEthernet1/3.2 outside_c2
ASA1-admin
!
changeto c admin
!
username cisco password cisco privilege 15
!
enable password cisco
!
http server enable
!
http 150.1.7.0 255.255.255.0 management
!
interface Management0/0
nameif management
security-level 100
ip address 150.1.7.51 255.255.255.0 standby 150.1.7.52
no shutdown
!
ASA1-c1
!
changeto c c1
!
interface inside_c1
nameif inside
security-level 100
ip address 5.2.2.1 255.255.255.0 standby 5.2.2.2
!
interface dmz_c1
nameif DMZ
security-level 50
ip address 5.2.4.1 255.255.255.0 standby 5.2.4.2
!
interface outside_c1
nameif outside
security-level 0
ip address 5.2.6.1 255.255.255.0 standby 5.2.6.2
!
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
!
show interface ip brief
!
Test of connectivity:
!
ping 5.2.2.6
ping 5.2.4.7
ping 5.2.6.9
ASA1-c2
!
changeto c c2
!
interface inside_c2
nameif inside
security-level 100
ip address 5.2.3.1 255.255.255.0 standby 5.2.3.2
!
interface dmz_c2
nameif dmz
security-level 50
ip address 5.2.5.1 255.255.255.0 standby 5.2.5.2
!
interface outside_c2
nameif outside
security-level 0
ip address 5.2.7.1 255.255.255.0 standby 5.2.7.2
!
monitor-interface inside
monitor-interface dmz
monitor-interface outside
!
Test of connectivity:
!
show interface ip brief
!
show nameif
!
ping 5.2.3.6
ping 5.2.5.8
ping 5.2.7.9
object network finance_t
host 19.16.2.1
!
object network finance
host 192.168.2.1
nat (dmz,outside) static finance_t
!
access-list finance extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.2.1 eq 8080
access-list finance extended permit icmp 172.16.1.0 255.255.255.0 host 192.168.2.1 echo
access-group finance in interface outside
!
router eigrp 2
network 5.2.3.0 255.255.255.0
network 5.2.5.0 255.255.255.0
network 5.2.7.0 255.255.255.0
!
changeto system
!
write memory all
ASA1v
!
route inside 19.16.1.1 255.255.255.255 5.2.8.9
route inside 19.16.2.1 255.255.255.255 5.2.8.9
!
wr
R9
!
ip route 19.16.1.1 255.255.255.255 5.2.6.1
ip route 19.16.2.1 255.255.255.255 5.2.7.1
!
wr
=============================================================
2.4 ASA3/ASA4 – Cluster
You have been asked to deploy ASA3 and ASA4 as a single logical unit to
enhance traffic throughput. The requirements are as follows:
• The last octet of the management interface address must be .55 tied
with the address pool of 150.1.7.56 - 150.1.7.57/24.
• The management interface must be named "mgmt".
• The last octet of the non-management sub-interface addresses must
be .1.
• The non-management interfaces must be named "inside", "outside",
and "dmz".
• The actual addresses of the Marketing and Engineering servers must
be obscured for the remote VPN sessions and visible as 19.16.3.1 and
19.16.4.1 respectively.
• ASAs must be able to establish OSPF peering with the neighbors.
NOTE: ASA3 must be the master in the cluster. Verify established sessions
on the Engineering and Marketing servers from Engineering and Marketing
PCs respectively.
Solution:
ASA3:
!
interface GigabitEthernet1/3
no shutdown
!
interface mana0/0
no shut
!
!
cluster interface-mode spanned force
!
cluster group ccie
local-unit ASA3
cluster-interface GigabitEthernet1/3 ip 5.2.203.1 255.255.255.0
priority 1
!
mtu cluster 9000
!
write
!
reload
!
ASA4
!
interface GigabitEthernet1/3
no shutdown
!
interface mana0/0
no shut
!
cluster interface-mode spanned force
!
cluster group ccie
local-unit ASA4
cluster-interface GigabitEthernet1/3 ip 5.2.203.2 255.255.255.0
priority 2
!
mtu cluster 9000
!
write
!
reload
!
Enable Cluster:
Test of connectivity:
ping 5.2.203.2
!
ASA3
!
cluster group ccie
enable
ASA4
!
cluster group ccie
enable as-slave
ASA3
ASA4
ASA3
!
interface port-channel 1
port-channel span-cluster
!
interface GigabitEthernet1/1
no shutdown
channel-group 1 mode active
!
interface GigabitEthernet1/2
no shutdown
channel-group 1 mode active
SW2
!
vlan 13-15
!
interface port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allow vlan 13-15
!
interface range GigabitEthernet1/0/1-2, GigabitEthernet1/0/4-5
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allow vlan 13-15
channel-group 1 mode active
no shutdown
ASA3
!
ip local pool mgmt-pool 150.1.7.56-150.1.7.57 mask 255.255.255.0
!
interface management0/0
nameif mgmt
security-level 100
ip address 150.1.7.55 255.255.255.0 cluster-pool mgmt-pool
!
interface port-channel1.13
vlan 13
nameif inside
security-level 100
ip address 5.2.13.1 255.255.255.0
ospf priority 255
!
interface port-channel1.14
vlan 14
nameif dmz
security-level 50
ip address 5.2.14.1 255.255.255.0
ospf priority 255
!
interface port-channel1.15
vlan 15
nameif outside
security-level 0
ip address 5.2.15.1 255.255.255.0
ospf priority 255
!
router ospf 1
router-id 5.2.15.1
network 5.2.13.0 255.255.255.0 area 1
network 5.2.14.0 255.255.255.0 area 2
network 5.2.15.0 255.255.255.0 area 0
=============================================================
3.1 Cisco ISE 802.1x
You have been asked to configure SW1 and ISE for the on-boarding of the
TAC PC Windows machine using 802.1X. The requirements are as follows:
• SW1 must provide the IP address, next hop, and DNS server to the
Windows machine.
• The SW1 port to which a supplicant is connected must be moved
dynamically to the relevant VLAN.
• The session authentication must be performed by ISE with Active
Directory as the external identity source.
• ISE internal database must serve as a backup in case Active
Directory is not available.
The session DACL must only permit access from any source to:
• IP connection to Cisco FireAMP Cloud, TCP connection to the
Engineering server, DNS server (protocol and port-specific).
Solution:
ISE:
Create AAA Client/Network Device
SW1:
!
aaa new-model
!
aaa authentication login NO_AUTH none
!
line con 0
login authentication NO_AUTH
!
radius server ISE
address ipv4 150.1.7.111 auth-port 1812 acct-port 1813
key cisco
!
aaa group server radius ISE
server name ISE
!
aaa server radius dynamic-author
client 150.1.7.111 server-key cisco
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius-server vsa send authentication
radius-server vsa send accounting
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
ip radius source-interface GigabitEthernet0/0
!
ip dhcp pool VLAN207
network 5.2.207.0 255.255.255.0
default-router 5.2.207.1
dns-server 150.1.7.200
!
ip dhcp excluded-address 5.2.207.1
!
interface vlan207
no shutdown
!
dot1x system-auth-control
!
ip device tracking
!
interface GigabitEthernet0/1
switchport host
authentication port-control auto
authentication order dot1x
authentication priority dot1x
dot1x pae authenticator
shutdown
!
TAC PC:
Test of connectivity:
TAC PC:
TAC PC:
HTTPS: If there is a DNS issue, open CMD and try one or both of the following
methods:
ipconfig /flushdns
nslookup
SourceFire – AMP
SW1
Show ip access-list interface gigabitEthernet0/1
!
ISE
!
Live Logs
=============================================================
3.2 Cisco ISE MAB
You have been asked to configure SW4 and ISE for the on-boarding of the
Cisco Contractor PC Windows machine using MAB. The requirements are
as follows:
• SW4 must provide the IP address, next hop, and DNS server to the
windows machine.
• The session authentication must be performed by ISE.
• The session switch port must be moved dynamically to the relevant
VLAN.
The session DACL must only permit access from any source to:
• Intranet server at the standard HTTP port
• DNS server (protocol and port-specific)
Solution:
ISE
Contractor PC:
SW4
!
interface GigabitEthernet0/1
no shutdown
Test of connectivity:
Contractor PC
Re-enable the Ethernet1 adapter; enable 802.1X first and then disable it, just to
trigger authentication.
SW4
!
show authentication session interface gigabitethernet 0/1 details
Test of connectivity:
Contractor PC
HTTP: If there is a DNS issue, open CMD and try one or both of the following
methods:
ipconfig /flushdns
nslookup
SW4
!
show ip access-list interface gigabitEthernet0/1
ISE
!
Live Logs
=============================================================
3.3 Dot1x SXP
You have been asked to configure SW7 and ISE for the on-boarding of the
QA PC Windows machine using 802.1x. The requirements are as follows:
• The Windows machine must validate the authentication server as part
of session authentication process.
• SW7 must provide the IP address, next hop, and DNS server to the
supplicant.
• SW7 must be able to establish SXP peering with ISE.
• The session authentication must be performed by ISE with Active
Directory as the external identity source.
• ISE internal database must serve as a backup in case Active
Directory is not available.
• The session switch port must be moved dynamically to the relevant
VLAN.
• The Intranet server must show an established session from the QA
PC.
The session DACL must only permit access from any source to:
• TCP protocol
• DNS server (protocol and port-specific)
Solution:
ISE:
SW7
!
!
aaa new-model
!
aaa authentication login NO_AUTH none
!
line console 0
login authentication NO_AUTH
!
radius server ISE
address ipv4 150.1.7.111 auth-port 1812 acct-port 1813
pac key cisco
!
aaa group server radius ISE
server name ISE
!
aaa server radius dynamic-author
client 150.1.7.111 server-key cisco
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network CTS group ISE
aaa accounting dot1x default start-stop group ISE
!
ip radius source-interface gigabitethernet0/0
!
cts authorization list CTS
cts role-based enforcement
cts role-based enforcement vlan-list 308
cts sxp default password cisco
cts sxp connection peer 150.1.7.111 source 150.1.7.37 password default mode peer speaker
!
dot1x system-auth-control
!
ip device tracking
!
ip dhcp excluded-address 5.2.38.1
!
ip dhcp pool VLAN308
network 5.2.38.0 255.255.255.0
default-router 5.2.38.1
dns-server 150.1.7.200
!
interface gig0/1
no switchport access vlan 308
switchport host
authentication order dot1x
authentication priority dot1x
authentication port-control auto
dot1x pae authenticator
shutdown
!
ISE:
Add SXP Devices
SW7:
SW7
config t
!
cts sxp enable
!
cts refresh environment-data
!
show cts sxp connections brief
!
show cts environment-data
ISE:
QA PC:
QA PC:
HTTP: If there is a DNS issue, open CMD and try one or both of the following
methods:
ipconfig /flushdns
nslookup
SW7:
ISE:
Live Logs
=============================================================
3.4 Dynamic ARP Inspection (Troubleshooting R5/R12 and SW3 OSPF)
NOTE: You are not allowed to use static routes or disable any security
features to resolve this issue.
Solution:
R12:
R5:
Ping 5.2.211.12
SW3:
R12:
R5:
SW3:
!
config t
!
arp access-list r12
no permit ip host 5.2.211.5 mac host 0050.5601.0505
no permit ip host 5.2.211.12 mac host 0050.5602.1205
permit ip host 5.2.211.5 mac host 5000.0005.0004
permit ip host 5.2.211.12 mac host 5000.000c.0004
!
exit
!
interface range gigabitEthernet0/3, gigabitEthernet 1/0
shutdown
no shutdown
end
!
wr
R12:
R12# clear ip ospf process
!
Reset All OSPF processes? [no]: y
R5:
!
ping 5.2.211.12
!
ping 192.168.125.12
!
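The SW3 fix above replaces the IP-to-MAC entries in the ARP ACL that DAI checks on the untrusted router-facing ports. The following Python model is an added example, not workbook or switch code; it shows why the stale entries caused the ARP packets of R5 and R12 to be dropped (breaking the OSPF adjacency) and why the corrected entries permit them. It assumes that the MACs in the corrected ACL are the routers' real interface MACs and that the 5.2.211.0/24 segment is VLAN 211.

```python
"""Model of Dynamic ARP Inspection (DAI) checks against an ARP ACL, added
to illustrate the SW3 fix (not switch code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpAclEntry:
    ip: str
    mac: str              # Cisco dotted form, e.g. 5000.0005.0004
    action: str = "permit"


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    sender_ip: str
    sender_mac: str


def normalize_mac(mac: str) -> str:
    """Accept 5000.0005.0004, 50:00:00:05:00:04 or 50-00-00-05-00-04 and
    return the Cisco dotted form so ACL entries and packets compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def dai_verdict(pkt: ArpPacket, acl: List[ArpAclEntry],
                bindings: Dict[Tuple[int, str], str],
                static: bool = False) -> Tuple[str, str]:
    """Decide whether DAI forwards an ARP packet received on an untrusted port.

    The ARP ACL is consulted first. A packet matching no entry falls back to
    the DHCP snooping binding table (keyed by (vlan, ip)), unless the filter
    was applied with the 'static' keyword, in which case the implicit deny
    is final.
    """
    mac = normalize_mac(pkt.sender_mac)
    for entry in acl:
        if entry.ip == pkt.sender_ip and normalize_mac(entry.mac) == mac:
            return entry.action, f"ARP ACL: {entry.action} ip host {entry.ip} mac host {entry.mac}"
    if static:
        return "deny", "no ARP ACL match; implicit deny (filter applied with 'static')"
    if bindings.get((pkt.vlan, pkt.sender_ip)) == mac:
        return "permit", "matched DHCP snooping binding"
    return "deny", "no ARP ACL match and no DHCP snooping binding"


# Entries removed by the fix (the 'no permit ...' lines on SW3).
OLD_ACL = [ArpAclEntry("5.2.211.5", "0050.5601.0505"),
           ArpAclEntry("5.2.211.12", "0050.5602.1205")]
# Entries added by the fix.
FIXED_ACL = [ArpAclEntry("5.2.211.5", "5000.0005.0004"),
             ArpAclEntry("5.2.211.12", "5000.000c.0004")]

# Constructed sample: the ARP packets R5 and R12 actually send. Assumption:
# the corrected ACL holds the routers' real MACs, and the segment is VLAN 211.
R5_ARP = ArpPacket(211, "5.2.211.5", "50:00:00:05:00:04")
R12_ARP = ArpPacket(211, "5.2.211.12", "50:00:00:0c:00:04")


def check_ospf_peers(acl: List[ArpAclEntry]) -> Dict[str, str]:
    """Verdict for each router's ARP under the given ACL. The routers are
    statically addressed, so there is no DHCP snooping binding to fall back on."""
    return {"R5": dai_verdict(R5_ARP, acl, {})[0],
            "R12": dai_verdict(R12_ARP, acl, {})[0]}


if __name__ == "__main__":
    for label, acl in (("before fix", OLD_ACL), ("after fix", FIXED_ACL)):
        print(label, check_ospf_peers(acl))
```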
=============================================================
3.5 Syslog
It has been reported there is no trace of debug messages from R13 on the
syslog server for the recent debugging of the ZBFW configuration. Also, an
incorrect origin tag is seen from R13 for the received messages; it was
supposed to be tagged as "CCIE_Lab_R13". Find and fix the issues.
Solution:
R13
config terminal
!
no logging origin-id string Who_Am_I
!
logging on
logging origin-id string CCIE_Lab_R13
logging console 7
logging trap debugging
logging host 150.1.7.201
end
!
ping 150.1.7.201
Management PC: Verify after Task 4.1 & Task 4.5 are done.
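To confirm the R13 fix from the syslog server side, here is an added Python check (not part of the workbook) that parses IOS syslog lines as received over UDP, derives the severity from the <PRI> field and the origin-id prefix, and reports whether messages from R13 carry the CCIE_Lab_R13 tag and whether debug-level (severity 7) messages are arriving at all; the sample lines are constructed, not captured from the lab.

```python
"""Syslog-side check for the R13 logging fix: confirm the origin-id tag and
that debug-level messages reach the collector (added example, not workbook code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors", "warnings",
                  "notifications", "informational", "debugging"]
# IOS timestamp as produced by 'service timestamps log datetime msec',
# e.g. "*Jan  5 10:01:02.123" or "Jan  5 10:01:02.123 UTC".
TS_RE = re.compile(r"^\*?[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d(\.\d+)?( [A-Z]+)?$")
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


@dataclass
class SyslogMsg:
    facility: int
    severity: int
    origin: Optional[str]
    timestamp: Optional[str]
    body: str


def parse_ios_syslog(line: str) -> SyslogMsg:
    """Parse '<PRI>[seq: ][origin: ][timestamp: ]body'. IOS separates the
    prefix fields with ': '; the timestamp's own colons are never followed by
    a space, so splitting on ': ' is safe."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> field: {line!r}")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"invalid PRI {pri}")
    facility, severity = divmod(pri, 8)      # IOS default facility is local7 (23)
    tokens = m.group(2).split(": ")
    i = 0
    if tokens[i].isdigit():                  # optional 'service sequence-numbers'
        i += 1
    origin = timestamp = None
    cur = tokens[i] if i < len(tokens) else ""
    nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
    # An origin-id ('logging origin-id string X') sits before the timestamp,
    # or directly before the %FAC-SEV-MNEMONIC body when timestamps are off.
    if cur and not TS_RE.match(cur) and (TS_RE.match(nxt) or nxt.startswith("%")):
        origin, i = cur, i + 1
    if i < len(tokens) and TS_RE.match(tokens[i]):
        timestamp, i = tokens[i], i + 1
    return SyslogMsg(facility, severity, origin, timestamp, ": ".join(tokens[i:]))


def audit(lines: List[str], expected_origin: str = "CCIE_Lab_R13") -> Dict[str, object]:
    """Summarise what the collector sees: origin tags other than the expected
    one, and whether any debug-level message from the expected origin has
    arrived (which requires 'logging trap debugging' on the router)."""
    msgs = [parse_ios_syslog(ln) for ln in lines]
    wrong = sorted({m.origin or "<none>" for m in msgs if m.origin != expected_origin})
    debug_seen = any(m.severity == 7 and m.origin == expected_origin for m in msgs)
    highest = max((m.severity for m in msgs if m.origin == expected_origin), default=None)
    return {"total": len(msgs), "wrong_origins": wrong, "debug_from_expected": debug_seen,
            "max_severity_from_expected": None if highest is None else SEVERITY_NAMES[highest]}


# Constructed sample lines (not captured from the lab).
# PRI 189 = local7/notifications, PRI 191 = local7/debugging.
SAMPLE_BEFORE_FIX = [
    "<189>Who_Am_I: *Jan  5 10:01:02.123: %SYS-5-CONFIG_I: Configured from console by console",
    "<189>Who_Am_I: *Jan  5 10:01:30.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up",
]
SAMPLE_AFTER_FIX = [
    "<189>CCIE_Lab_R13: *Jan  5 10:05:00.001: %SYS-5-CONFIG_I: Configured from console by console",
    "<191>CCIE_Lab_R13: *Jan  5 10:05:10.002: FIREWALL* sis 7F5C3A1B0C20: (constructed debug line) TCP 5.2.207.10:40001 => 192.168.4.1:443 SYN",
]

if __name__ == "__main__":
    print("before fix:", audit(SAMPLE_BEFORE_FIX))
    print("after fix: ", audit(SAMPLE_AFTER_FIX))
```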
=============================================================
4.1 FMC/NGIPS
You have been asked to provision NGIPS and define access policies for the
traffic that is sourced from Windows machines on-boarded by SW1. The
requirements are as follows:
• IPS zones must be present in the access policy.
• Traffic that originated from a Windows machine must allow only
HTTPS connection to the Engineering server from the 5.2.207.0/24
network.
• Cisco FMC must display events for the defined access policy only at
the beginning of the connection.
TAC PC:
HTTPS
FMC/NGIPS
Logs/Events
=============================================================
4.2 WSA WCCP Redirect
You have been asked to implement policies for the traffic sourced from
Windows machines on-boarded by SW4. The requirements are as follows:
• WSA must be used as WCCP client.
• The traffic redirection point must be the campus devices adjacent to
SW4.
• Redirection must be only for the designated WCCP client.
• Only HTTP traffic at the standard port from the Windows machines' network
to the intranet address space should be redirected to implement the policy.
• The redirection must be performed on the traffic ingress interface.
• As part of WSA policy, user with credentials "Username:
contractoruser1, Password: Cisc0123" must be authenticated by
Active Directory.
• The WSA policy must permit access only to the Intranet server page
that shows the history of the connections.
• The Intranet server must show an established redirection session.
Solution:
WSA Login
Add WCCP Service
Submit
R4
conf t
!
ip route 150.1.7.213 255.255.255.255 5.2.30.1
!
end
!
wr
R12:
conf t
!
ip route 150.1.7.213 255.255.255.255 5.2.33.10
!
end
!
wr
R10: WCCP
conf t
!
ip access-list standard WSA
permit 150.1.7.213
!
ip access-list extended RED
permit tcp 5.2.35.0 0.0.0.255 host 172.10.1.1 eq www
!
ip wccp web-cache redirect-list RED group-list WSA password cisco
!
interface gig4
ip wccp web-cache redirect in
!
wr
HTTP
R4:
R10:
=============================================================
4.3 Cisco FireAMP Integration NGIPS
FireAMP-Admin:
Integration
FMC/NGIPS: Integration
FireAMP Console: Integration Allow
FMC/NGIPS: Integration Done
FireAMP Console:
Log in on the TAC PC with the URL https://150.1.7.217 (Quick Start)
============================================================
4.4 DNAC / ISE Trustsec Integration
The Trustsec policy on ISE must be centrally managed by DNA Center and
based on the traffic anomaly observed from the on-boarded clients, it has
been decided to allow only TCP traffic to the Intranet server from the QA PC
with SW7 as the policy enforcement point. The policy must be port specific
and be able to log packets on the console of SW7 when packets are
permitted or denied. Refer to the Lab Trustsec Components table.
Solution:
ISE:
Fix the ISE certificate expiry issue (check and confirm this first, right after you get to the
second module in the exam; the "Renew" action will take about 30 minutes before it is ready
again)
Create AAA client/Network Devices
SW7:
!
interface GigabitEthernet0/1
shutdown
!
QA PC:
QA PC:
Create Policies
Deploy
ISE:
!
Confirm the following objects
SW7:
!
cts refresh policy
ISE:
Add IP SGT static mapping
SW7:
QA PC:
HTTP
SW7:
Logs
============================================================
4.5 ZBF - Engineering Server Denial-of-Service Attack
NOTE: You may simulate the attack on the Engineering server at TCP port
443 as follows:
1) On the Management PC, open MPUTTY and click "Attack Simulator".
2) At the prompt, run the command:
hping3 192.168.4.1 -c 1000 -I eth1 -p 443 -S -a 5.2.207.10
Solution
R13
!
config t
!
zone security Outside
!
interface range gigabitEthernet 1 - 5
zone-member security Outside
!
parameter-map type inspect ZBFW
alert on
max-incomplete low 1
max-incomplete high 5
log dropped-packets
!
ip access-list extended ZBFW-Engineering
permit tcp any host 192.168.4.1 eq 443
!
class-map type inspect match-all ZBFW-Out-Self-ClassMap
match access-group name ZBFW-Engineering
match protocol https
!
policy-map type inspect ZBFW-Out-Self-PolicyMap
class type inspect ZBFW-Out-Self-ClassMap
inspect ZBFW
exit
!
class class-default
pass
!
policy-map type inspect ZBFW-Self-Out-PolicyMap
class class-default
pass
!
zone-pair security ZBFW-Out-Self-ZonePair source Outside destination self
service-policy type inspect ZBFW-Out-Self-PolicyMap
!
zone-pair security ZBFW-Self-Out-ZonePair source self destination Outside
service-policy type inspect ZBFW-Self-Out-PolicyMap
!
end
write
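Added example, not the workbook's own: a Python model of what `max-incomplete low 1` / `max-incomplete high 5` in parameter-map ZBFW do to the SYN flood from the hping3 command above. Half-open sessions (SYN seen, handshake not completed) are kept in arrival order; once their count exceeds the high watermark the firewall enters aggressive aging and deletes the oldest half-open sessions until the count is back at the low watermark. The eviction logic is a simplified model of IOS aggressive aging (the workbook does not describe the IOS-internal algorithm); the flood parameters mirror the note (1000 SYNs, spoofed source 5.2.207.10, target 192.168.4.1:443), and the legitimate client address in the usage is constructed.

```python
"""Simplified model of ZBFW half-open session limiting (max-incomplete low/high).
Added example, not workbook or Cisco code."""
from collections import OrderedDict
from typing import List, Set, Tuple

Session = Tuple[str, int, str, int]  # (src, sport, dst, dport)


class HalfOpenTable:
    def __init__(self, low: int = 1, high: int = 5):
        assert 0 < low <= high, "low watermark must not exceed high"
        self.low, self.high = low, high
        self.half_open: "OrderedDict[Session, float]" = OrderedDict()  # insertion order = age
        self.established: Set[Session] = set()
        self.aged_out = 0                 # entries deleted by aggressive aging
        self.log: List[str] = []          # what 'alert on' would report on the console

    def syn(self, sess: Session, now: float) -> None:
        """A SYN permitted by the Outside->self policy creates a half-open entry."""
        if sess in self.half_open or sess in self.established:
            return                        # retransmit, not a new session
        self.half_open[sess] = now
        if len(self.half_open) > self.high:
            self.log.append(f"{now:.3f} ALERT_ON: {len(self.half_open)} half-open > high {self.high}")
            self._aggressive_age(now)

    def _aggressive_age(self, now: float) -> None:
        """Delete oldest half-open entries until the count is back at the low watermark."""
        while len(self.half_open) > self.low:
            victim, t0 = self.half_open.popitem(last=False)   # oldest first
            self.aged_out += 1
        self.log.append(f"{now:.3f} ALERT_OFF: {len(self.half_open)} half-open <= low {self.low}")

    def ack(self, sess: Session) -> bool:
        """Third packet of the handshake: promote to established (no longer counted)."""
        if sess in self.half_open:
            del self.half_open[sess]
            self.established.add(sess)
            return True
        return False                      # already aged out; the client must retry its SYN


def simulate_hping_flood(count: int = 1000, low: int = 1, high: int = 5) -> Tuple[int, int]:
    """Replay 'hping3 192.168.4.1 -c 1000 -p 443 -S -a 5.2.207.10' against the model.
    hping3 uses a fresh source port per packet, so every SYN is a new session.
    Returns (half-open entries left in the table, entries removed by aggressive aging)."""
    table = HalfOpenTable(low, high)
    for i in range(count):
        table.syn(("5.2.207.10", 1024 + i, "192.168.4.1", 443), now=i * 0.001)
    return len(table.half_open), table.aged_out
```

With these watermarks the table never holds more than five half-open entries, so the 1000 spoofed SYNs leave 5 entries and remove 995; a client that completes its handshake is moved out of the half-open count and is not touched by aging. `alert on` is what reports the transitions into and out of aggressive mode on the console.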
=============================================================
4.6 Stealthwatch
You have been asked to optimize the availability of the Sales server by
throttling the ICMP traffic generated from the Sales PC for 5 minutes if the
Concern Index (CI) points of the traffic exceed 10 within 24 hours.
• The throttle point must still be in the Core-Distribution layer of the
network on a CSR1K but residing in the "Outside" zone of the ASAs.
• Netflow must be used on R9 to collect raw data so that Cisco SMC can
leverage it for the required throttling decision.
• Also, you must configure Netflow on the pertaining device for the
ICMP egress flow with respect to the traffic source.
Solution
R9
!
configure terminal
!
username cisco privilege 15 password cisco
!
enable password cisco
!
line vty 0 4
login local
transport input telnet
!
!
flow record RECORD
description NetFlow record format to send to FC
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect ipv4 ttl minimum
collect ipv4 ttl maximum
collect transport tcp flags
collect interface input
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow exporter EXPORTER
description Export NetFlow to FC
destination 161.1.7.23
source gigabitEthernet1
transport udp 2055
export-protocol ipfix
!
flow monitor MONITOR
export EXPORTER
record RECORD
cache timeout active 60
cache timeout inactive 60
!
interface GigabitEthernet2.1
ip flow monitor MONITOR output
!
interface GigabitEthernet1
shutdown
no shutdown
!
interface gigabitethernet2
shutdown
no shutdown
!
end
!
wr
FC (Management PC)
Check the registration status (the FC might not have registered with the SMC yet)
NOTE: If not, add it with the following steps
Configuration > Management System Configuration
SMC Client:
SMC:
R9:
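Added example (not from the workbook): a small Python model of the Flexible NetFlow cache that R9 builds with `flow monitor MONITOR` (record RECORD, active and inactive timeouts of 60 s). Packets are aggregated into flows on the record's key (`match`) fields, the `collect` fields are accumulated, and a flow is exported when its active or inactive timer fires. This is what the Flow Collector receives and what the SMC scores for the Concern Index. Sample packets, interface names and addresses (192.0.2.0/24, a documentation range) are constructed for illustration, not taken from the lab.

```python
"""Model of the R9 Flexible NetFlow cache (record RECORD / monitor MONITOR).
Added example, not workbook or Cisco code; sample traffic is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACTIVE_TIMEOUT = 60     # cache timeout active 60
INACTIVE_TIMEOUT = 60   # cache timeout inactive 60

# Key fields ('match ...' lines in flow record RECORD). 'flow direction' is
# always output here because the monitor is applied 'ip flow monitor ... output'.
FlowKey = Tuple[int, int, str, str, int, int, str, str]


@dataclass
class FlowEntry:
    """Non-key ('collect ...') fields accumulated per flow."""
    first: float
    last: float
    in_if: str
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0      # OR of all TCP flags seen on the flow
    ttl_min: int = 255
    ttl_max: int = 0


def flow_key(pkt: dict) -> FlowKey:
    return (pkt["tos"], pkt["proto"], pkt["src"], pkt["dst"],
            pkt.get("sport", 0), pkt.get("dport", 0), pkt["out_if"], "output")


class FlowCache:
    def __init__(self, active: int = ACTIVE_TIMEOUT, inactive: int = INACTIVE_TIMEOUT):
        self.active, self.inactive = active, inactive
        self.flows: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[dict] = []

    def observe(self, pkt: dict) -> FlowKey:
        """Account one packet leaving the monitored interface."""
        key = flow_key(pkt)
        e = self.flows.get(key)
        if e is None:
            e = self.flows[key] = FlowEntry(first=pkt["ts"], last=pkt["ts"], in_if=pkt["in_if"])
        e.last = pkt["ts"]
        e.packets += 1
        e.bytes += pkt["len"]
        e.tcp_flags |= pkt.get("tcp_flags", 0)
        e.ttl_min = min(e.ttl_min, pkt["ttl"])
        e.ttl_max = max(e.ttl_max, pkt["ttl"])
        return key

    def expire(self, now: float) -> List[dict]:
        """Export flows whose inactive or active timer has fired; remove them from the cache."""
        out = []
        for key, e in list(self.flows.items()):
            if now - e.last >= self.inactive:
                reason = "inactive"          # idle flow: nothing seen for 60 s
            elif now - e.first >= self.active:
                reason = "active"            # long-lived flow: report every 60 s
            else:
                continue
            out.append({"key": key, "reason": reason, "in_if": e.in_if,
                        "packets": e.packets, "bytes": e.bytes, "tcp_flags": e.tcp_flags,
                        "ttl_min": e.ttl_min, "ttl_max": e.ttl_max,
                        "first": e.first, "last": e.last})
            del self.flows[key]
        self.exported.extend(out)
        return out


def icmp_ping_demo() -> dict:
    """Constructed scenario: a PC pings a server once per second for 10 s, then stops."""
    cache = FlowCache()
    for t in range(10):
        cache.observe({"ts": t, "tos": 0, "proto": 1, "src": "192.0.2.10", "dst": "192.0.2.50",
                       "in_if": "Gi1", "out_if": "Gi2.1", "len": 84, "ttl": 63})
    cached = len(cache.flows)          # ten echo requests collapse into one flow
    early = cache.expire(now=30)       # 21 s idle, 30 s old: neither timer has fired
    late = cache.expire(now=70)        # 61 s since the last packet: inactive timeout
    return {"cached_after_pings": cached, "exported_at_30": len(early), "exported_at_70": late}
```

Because all echo requests share the key fields, a ping flood shows up as one flow with a high packet count rather than as many records, which is exactly the shape the SMC needs to raise the Concern Index on the source and decide to throttle it. The `username`/`line vty` lines on R9 are presumably there so the SMC can log in to R9 to apply the throttle; Telnet with a static password is acceptable only inside the lab.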
=============================================================
o NGIPS configuration for the access policy tied up with the identity policy to
detect the file upload.
o NGIPS configuration for the access policy that is tied up with file policy to
detect and block the file.
o NGIPS configuration for the correlation policy to unquarantine if the user has
followed the remediation process.
o Cisco FMC subscription for the ISE pxGrid services for ANC to trigger CoA
on SW1.
o Cisco FMC configuration for the correlation policy to trigger unquarantine
remediation if the TAC PC has followed the remediation process.
o Cisco FMC configuration for the correlation policy to trigger quarantine
remediation if the TAC PC has tried to upload the file.
o Cisco FMC integration with ISE using pxGrid to trigger CoA on NGIPS for
the TAC PC to block the file transfer.
o Cisco FMC integration with ISE using the WMI protocol to trigger CoA for
the TAC PC.
o Cisco FMC integration with Cisco FireAMP Cloud to receive file events.
o Cisco Stealthwatch management console integration with Cisco FMC using
pxGrid for CoA on SW1 when the file is uploaded to the FTP server.
o Cisco Stealthwatch management console integration with Cisco FireAMP
Cloud to receive quarantine alerts from Cisco FMC for visibility.
o Cisco AMP for endpoint installation on SW1.
o Cisco AMP for endpoint installation on Active Directory for passive
authentication to facilitate the file disposition.
o Installation of remediation modules on ISE for “TAC PC” remediation.
=============================================================
o NGIPS configuration for the access policy that is tied up with file policy to
detect the malware.
o NGIPS configuration for the access policy that is tied up with identity policy
to detect the malware.
o NGIPS configuration for the correlation policies to flag the TAC PC if
malware is executed and quarantined.
o Cisco FMC configuration for the correlation policy to set the TAC PC
criticality to Low if malware is quarantined and manually set the IOC to resolved.
o Cisco FMC configuration for the correlation policy to set the TAC PC
criticality to High if a malware file is transferred across NGIPS.
o Cisco FMC integration with Cisco FireAMP Cloud to receive malware
events.
o Cisco FMC integration with ISE using the WMI protocol to trigger CoA for
the port on which the TAC PC is connected when malware is executed.
o Cisco FMC integration with ISE using the WMI protocol to trigger CoA for
the port on which the TAC PC is connected when malware is transferred
across NGIPS.
o Cisco AMP For endpoint installation on Active Directory by downloading
the connector from Cisco FireAMP Cloud for the authenticated user
reporting to Cisco FMC.
o Cisco AMP for endpoint installation on “TAC PC” by downloading the
connector from Cisco FireAMP cloud for malware quarantine.
o ISE subscription to Cisco FMC pxGrid services so that ISE can receive a
malware event to trigger CoA on SW1.
o Cisco Stealthwatch management console integration with Cisco FMC using
pxGrid to trigger manual CoA on SW1 port Gi0/1 when malware is executed
on the TAC PC.
o Cisco Stealthwatch management console integration with Cisco FireAMP
Cloud to receive quarantine alerts from the TAC PC so that it can perform
manual mitigation.
=============================================================
4.9 NetFlow/Stealthwatch
=============================================================
4.10 ESA
The CCIE Contractor PC has an issue sending emails to the Cisco Contractor PC.
What is the root cause?
You may access lab devices to answer this question.
o DNS resolution is broken on the client side (Both NICs of CCIE Contractor
PC are missing DNS configuration)