
WB

CCIE Security
By JasonBlack
Contents

1.1 Introduction .......................................................................................................................... 3


1.2 VPN Anyconnect IPSec IKEv2 ......................................................................................... 3
1.3 SSL-Clientless.................................................................................................................... 49
1.4 FMC-FTD Site-to-Site ........................................................................................................ 72
1.5 IOS FlexVPN ....................................................................................................................... 91
2.1 ASA1v/ASA11v – Failover Active/Standby ................................................................. 96
2.2 ASA2v/ASA22v – Failover Active/Standby ............................................................... 102
2.3 ASA1/ASA2 – Failover Active/Active Multi-Context ............................................... 107
2.4 ASA3/ASA4 – Cluster ..................................................................................................... 117
3.1 Cisco ISE 802.1x .............................................................................................................. 124
3.2 Cisco ISE MAB ................................................................................................................. 136
3.3 Dot1x SXP ......................................................................................................................... 150
3.4 Dynamic ARP Inspection (Troubleshooting R5/R12 and SW3 OSPF) ............ 174
3.5 Syslog ................................................................................................................................ 178
3.6 Connectivity issue .......................................................................................................... 180
4.1 FMC/NGIPS ....................................................................................................................... 181
4.2 WSA WCCP Redirect ...................................................................................................... 195
4.3 Cisco FireAMP Integration NGIPS .............................................................................. 215
4.4 DNAC / ISE Trustsec Integration ................................................................................. 229
4.5 ZBF - Engineering Server Denial-of-Service Attack ............................................... 255
4.6 Stealthwatch ..................................................................................................................... 258
4.7 Network AMP RTC........................................................................................................... 284
4.8 Endpoint AMP RTC ......................................................................................................... 285
4.9 NetFlow/Stealthwatch .................................................................................................... 286
4.10 ESA ................................................................................................................................... 286
1.1 Introduction

1.2 VPN Anyconnect IPSec IKEv2

You have been asked to configure a remote VPN solution in the Internet
Edge 1 layer of the network to support traffic from the Sales and Finance
organizations. The requirements are as follows:
• The last octet of the inside, outside, and management interface
address must be .1, .1, and .53 respectively.
• These interfaces must be named "inside", "outside", and "mgmt".
• Clients must be able to establish remote VPN sessions with the ASAs
using a Cisco AnyConnect IPsec IKEv2 tunnel with an idle timeout of
2 days.
• Cisco AnyConnect sessions from Sales and Finance PCs must be
authenticated by ISE using Active Directory as the external identity
source.
• If Active Directory is not available, then users must be authenticated
using the ISE internal database as a backup.
• Only traffic that is destined for the Sales server, NTP server, and the
172.16.1.0/24 network must be encrypted.
• For the Sales organization, the address must be assigned from the
block of 172.16.1.1 - 172.16.1.10/24.
• For the Finance organization, the address must be assigned from the
block of 172.16.1.11-172.16.1.20/24.
• Sales and Finance PCs must be synchronized with the HQ NTP server
using its FQDN.
Cisco Anyconnect sessions must be assigned dynamic ACLs that permit
traffic from any source to:
• Translated address of the Sales server at port 8080
• DNS server
• NTP server
• ICMP destined to the 172.16.1.0/24 network
Solution:

AD-DNS PC

route add 172.16.1.0 mask 255.255.255.0 150.1.7.249 -p   (may already be preconfigured)

ASA1v

route inside 150.1.7.200 255.255.255.255 5.2.8.9


route inside 150.1.7.231 255.255.255.255 5.2.8.9

dns domain-lookup inside


dns name-server 150.1.7.200
domain-name cisco.com
http server enable
http 150.1.7.0 255.255.255.0 mgmt

Upload the AnyConnect client PKG to ASA1v and ASA11v

NOTE: There are two methods to upload the PKG file, CLI and GUI. Sometimes
the PKG file has already been uploaded to ASA1v/ASA11v; check first.
The two methods are as follows:

CLI: ASA1v/ASA11v
!

File path: Management PC----C:\TFTP-Root


Open the SolarWinds TFTP Server and click File > Configure
Turn off the firewall of Management PC
ASDM: ASA1v/ASA11v
!
Log in to the ASDM launcher from the IE or Firefox browser on the Management PC.
After the download, install dm-launcher.
Log in to ASA1v and ASA11v.
ASA1v

crypto key generate rsa label cciekey modulus 1024


!
crypto ca trustpoint ccietrust
enrollment self
fqdn asa1.cisco.com
subject-name CN=asa1.cisco.com
keypair cciekey
!
crypto ca enroll ccietrust /*confirm the certificate at the prompts below*/
!
Would you like to continue with this enrollment? [yes/no]: yes
!
Include the device serial number in the subject name? [yes/no]: no
!
Generate Self-Signed Certificate? [yes/no]: yes
!
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.2.xxxxx.pkg
anyconnect enable
tunnel-group-list enable
!
access-list sales standard permit host 19.16.1.1
access-list sales standard permit host 150.1.7.231
access-list sales standard permit host 150.1.7.200
access-list sales standard permit 172.16.1.0 255.255.255.0
access-list salesacl extended permit tcp any host 19.16.1.1 eq 8080
access-list salesacl extended permit udp any host 150.1.7.231 eq ntp
access-list salesacl extended permit udp any host 150.1.7.200 eq domain
access-list salesacl extended permit icmp any 172.16.1.0 255.255.255.0
access-list salesacl extended permit icmp any host 19.16.1.1
access-list finance standard permit host 19.16.2.1
access-list finance standard permit host 150.1.7.231
access-list finance standard permit host 150.1.7.200
access-list finance standard permit 172.16.1.0 255.255.255.0
access-list financeacl extended permit tcp any host 19.16.2.1 eq 8080
access-list financeacl extended permit udp any host 150.1.7.231 eq ntp
access-list financeacl extended permit udp any host 150.1.7.200 eq domain
access-list financeacl extended permit icmp any 172.16.1.0 255.255.255.0
access-list financeacl extended permit icmp any host 19.16.2.1
!
ip local pool salespool 172.16.1.1-172.16.1.10 mask 255.255.255.0
ip local pool financepool 172.16.1.11-172.16.1.20 mask 255.255.255.0
!
group-policy sales internal
group-policy sales attributes
dns-server value 150.1.7.200
vpn-idle-timeout 2880
vpn-filter value salesacl
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sales
default-domain value cisco.com
split-dns value cisco.com
address-pools value salespool
webvpn
anyconnect keep-installer installed
always-on-vpn profile-setting
!
group-policy finance internal
group-policy finance attributes
dns-server value 150.1.7.200
vpn-idle-timeout 2880
vpn-filter value financeacl
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value finance
default-domain value cisco.com
split-dns value cisco.com
address-pools value financepool
webvpn
anyconnect keep-installer installed
always-on-vpn profile-setting
!
aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.111
key cisco
!
tunnel-group sales type remote-access
tunnel-group sales general-attributes
authentication-server-group ISE
default-group-policy sales
tunnel-group sales webvpn-attributes
group-alias sales enable
!
tunnel-group finance type remote-access
tunnel-group finance general-attributes
authentication-server-group ISE
default-group-policy finance
tunnel-group finance webvpn-attributes
group-alias finance enable

IKEv2

crypto ikev2 policy 10


encryption aes-256
integrity sha256
group 2
!
crypto ipsec ikev2 ipsec-proposal VPN
protocol esp encryption aes-256
protocol esp integrity sha-256
!
crypto dynamic-map DYN 10 set ikev2 ipsec-proposal VPN
crypto dynamic-map DYN 10 set reverse-route
crypto map MAP 65535 ipsec-isakmp dynamic DYN
crypto map MAP interface outside
!
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ccietrust
!
ssl trust-point ccietrust outside
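The sales and finance policies above combine three controls: a 2-day idle timeout (2880 minutes), a split-tunnel list that decides what is encrypted, and a vpn-filter ACL that decides what the connected client may reach. The two lists must agree, or the filter permits something that is never tunnelled (dead rule) or a tunnelled destination is left unfiltered. The following Python script, added here as an example and not part of the workbook, parses an ASA fragment and audits a group policy against those task rules. It uses the "sales" lines from this solution as its sample input; the function names, the finding messages and the allowed-port set are this example's own assumptions, and the parser understands only the ACL and group-policy syntax that appears on this page.

```python
import ipaddress

# Sample input: the "sales" configuration from the solution above, copied here
# so the script runs stand-alone (constructed for this example).
SAMPLE_CONFIG = """
access-list sales standard permit host 19.16.1.1
access-list sales standard permit host 150.1.7.231
access-list sales standard permit host 150.1.7.200
access-list sales standard permit 172.16.1.0 255.255.255.0
access-list salesacl extended permit tcp any host 19.16.1.1 eq 8080
access-list salesacl extended permit udp any host 150.1.7.231 eq ntp
access-list salesacl extended permit udp any host 150.1.7.200 eq domain
access-list salesacl extended permit icmp any 172.16.1.0 255.255.255.0
access-list salesacl extended permit icmp any host 19.16.1.1
group-policy sales internal
group-policy sales attributes
 vpn-idle-timeout 2880
 vpn-filter value salesacl
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sales
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_target(tokens):
    """Consume one ASA address term ('any', 'host A.B.C.D' or 'NET MASK');
    return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return (standard_acls, extended_acls, group_policies) from an ASA fragment.
    Only the syntax used in this task is handled (minimal, example-only parser)."""
    standard, extended, policies = {}, {}, {}
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and tokens[2] == "standard":
            net, _ = parse_target(tokens[4:])
            standard.setdefault(tokens[1], []).append(net)
        elif tokens[0] == "access-list" and tokens[2] == "extended":
            proto = tokens[4]
            src, rest = parse_target(tokens[5:])
            dst, rest = parse_target(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
            extended.setdefault(tokens[1], []).append((proto, src, dst, port))
        elif tokens[0] == "group-policy":
            # "group-policy NAME attributes" opens a block; "... internal" does not
            current = tokens[1] if tokens[-1] == "attributes" else None
            if current:
                policies.setdefault(current, {})
        elif current:
            # attribute lines, e.g. "vpn-filter value salesacl" -> {"vpn-filter": "salesacl"}
            policies[current][tokens[0]] = tokens[-1]
    return standard, extended, policies


def audit_policy(config_text, policy, idle_days, allowed_ports):
    """Return a list of findings; an empty list means the policy meets the task rules."""
    standard, extended, policies = parse_config(config_text)
    attrs = policies[policy]
    expected_idle = idle_days * 24 * 60          # ASA expresses vpn-idle-timeout in minutes
    findings = []
    if attrs.get("vpn-idle-timeout") != str(expected_idle):
        findings.append(f"{policy}: vpn-idle-timeout is {attrs.get('vpn-idle-timeout')}, "
                        f"expected {expected_idle} minutes")
    if attrs.get("split-tunnel-policy") != "tunnelspecified":
        findings.append(f"{policy}: split tunnelling is not restricted to a network list")
    if "vpn-filter" not in attrs:
        findings.append(f"{policy}: no vpn-filter applied; all tunnelled traffic is allowed")
    tunnelled = standard.get(attrs.get("split-tunnel-network-list"), [])
    for proto, src, dst, port in extended.get(attrs.get("vpn-filter"), []):
        # every filter destination must lie inside a split-tunnel network
        if not any(dst.subnet_of(net) for net in tunnelled):
            findings.append(f"{policy}: filter permits {proto} to {dst}, which is not tunnelled")
        # only the ports the task names may be opened
        if port is not None and port not in allowed_ports:
            findings.append(f"{policy}: filter permits {proto}/{port} to {dst}, outside the task's port list")
    return findings


if __name__ == "__main__":
    result = audit_policy(SAMPLE_CONFIG, "sales", 2, {"8080", "ntp", "domain"})
    for line in result or ["sales: OK"]:
        print(line)
```

Run it against the full running configuration (`show running-config access-list` plus `show running-config group-policy`) after each change; appending a stray `permit tcp any host 10.0.0.5 eq 22` to `salesacl` produces two findings, one for the untunnelled destination and one for the unexpected port.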

ASDM (Management PC): Create Anyconnect client profiles

ASA1v-First:
ASA11v-Second:

Step details:
ISE (Management PC):

GUI Login
Disable Profiling
Disable RADIUS Suppress Repeated

Disable Admin Access Authentication Password Policy


Disable User Authentication Password Policy

Join AD
Create Identity Source
Create Network Access Users "salesuser1" "financeusers1"
Create AAA Client/Network Devices
Create Authentication Policy
Create Authorization Profiles "salesprofile" "financeprofile"
Create Authorization Policy
Sales PC:
Connect with the IE browser the first time, and install the AnyConnect Secure
Mobility Client manually.
Finance PC: Proceed the same way.

ASA1v:
!
group-policy sales attributes
vpn-tunnel-protocol ikev2
group-policy finance attributes
vpn-tunnel-protocol ikev2
!
wr
!
vpn-sessiondb logoff all
Sales PC:
Finance PC:

ASA1v:
Sales PC:
HTTPS: If there is a DNS issue, open the CMD and try one or both of the following
methods:

ipconfig /flushdns

nslookup
Finance PC:
HTTPS: If there is a DNS issue, open the CMD and try one or both of the following
methods:

ipconfig /flushdns
nslookup

ASA1v:
!
same-security-traffic permit intra-interface
!
write memory
Finance PC-172.16.1.11 (Sales PC-172.16.1.1): Turn off the firewall on the PCs.

=============================================================
1.3 SSL-Clientless

You have been asked to deploy a remote VPN solution in the Internet Edge
2 layer of the network to support traffic that originates from a web browser.
The requirements are as follows:
• The last octet of the inside, outside, and management interface
address must be .1, .1, and .58 respectively.
• These interfaces must be named "inside", "outside", and
"management".
• Marketing and Engineering PCs must be able to establish remote VPN
sessions using clientless SSL VPN tunnel with an idle timeout of 2
days (2880).
• The VPN sessions must be authenticated by ISE using Active
Directory as the external identity source.
• If Active Directory is not available, those users must be authenticated
using the ISE internal database as a backup.
• Only marketing and engineering clients can access their respective
servers using their FQDN.
Solution:

R15
!
ip route 19.16.3.1 255.255.255.255 5.2.15.1
ip route 19.16.4.1 255.255.255.255 5.2.15.1

ASA2v
!
route inside 19.16.3.1 255.255.255.255 5.2.16.15
route inside 19.16.4.1 255.255.255.255 5.2.16.15
route inside 150.1.7.200 255.255.255.255 5.2.16.15
!
aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.111
key cisco
!
dns domain-lookup inside
dns name-server 150.1.7.200
!
domain-name cisco.com
!
http server enable
!
http 150.1.7.0 255.255.255.0 mgmt
!
webvpn
enable outside
tunnel-group-list enable
!
access-list marketing webtype permit url https://marketingserver.cisco.com/*
access-list engineering webtype permit url https://engineeringserver.cisco.com/*
!
group-policy engineering internal
group-policy engineering attributes
vpn-idle-timeout 2880
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value engineering
!
group-policy marketing internal
group-policy marketing attributes
vpn-idle-timeout 2880
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value marketing
!
tunnel-group engineering type remote-access
tunnel-group engineering general-attributes
authentication-server-group ISE
default-group-policy engineering
tunnel-group engineering webvpn-attributes
group-alias engineering enable
!
tunnel-group marketing type remote-access
tunnel-group marketing general-attributes
authentication-server-group ISE
default-group-policy marketing
tunnel-group marketing webvpn-attributes
group-alias marketing enable
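The webtype ACLs above are what hold the "only their respective servers" requirement: a clientless user is allowed a URL only if a permit entry matches it, and an applied webtype ACL ends in an implicit deny. The following Python script, added as an example and not part of the workbook, models that evaluation so the two lists can be checked offline before testing from the Marketing and Engineering PCs. It takes the two `access-list ... webtype` lines from this solution as sample input; the simplified matching model (a `*` wildcard, otherwise literal and case-insensitive, first match wins, deny when nothing matches) and the function names are this example's assumptions, not ASA code.

```python
import re

# Sample input: the two webtype ACLs from this solution (copied for the example).
SAMPLE_CONFIG = """
access-list marketing webtype permit url https://marketingserver.cisco.com/*
access-list engineering webtype permit url https://engineeringserver.cisco.com/*
"""


def parse_webtype_acls(text):
    """Return {acl_name: [(action, compiled_pattern), ...]} from
    'access-list NAME webtype ACTION url PATTERN' lines, in configured order."""
    acls = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) >= 6 and tokens[0] == "access-list" \
                and tokens[2] == "webtype" and tokens[4] == "url":
            # '*' is a wildcard; everything else matches literally (simplified model)
            regex = "^" + ".*".join(re.escape(part) for part in tokens[5].split("*")) + "$"
            acls.setdefault(tokens[1], []).append(
                (tokens[3], re.compile(regex, re.IGNORECASE)))
    return acls


def url_allowed(acls, acl_name, url):
    """First-match evaluation of URL against one ACL; implicit deny when no
    entry matches, as for a webtype ACL applied to a clientless session."""
    for action, pattern in acls.get(acl_name, []):
        if pattern.match(url):
            return action == "permit"
    return False


if __name__ == "__main__":
    acls = parse_webtype_acls(SAMPLE_CONFIG)
    for acl, url in [("marketing", "https://marketingserver.cisco.com/index.html"),
                     ("marketing", "https://engineeringserver.cisco.com/"),
                     ("engineering", "http://engineeringserver.cisco.com/")]:
        print(f"{acl:12} {url:50} {'permit' if url_allowed(acls, acl, url) else 'deny'}")
```

Note the third case: the pattern names the `https://` scheme, so a plain-HTTP bookmark to the same server is denied, which is the behaviour the task wants.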

Via ASDM (Management PC):

Create Bookmarks on ASA2v and ASA22v:


ASA2v and ASA22v:
!
show run group-policy
ISE (Management PC):

Create Network Access Users "engineeringuser1" and "marketinguser1"


Create new authentication policy

Create new authorization policy

Test of connectivity:
Engineering PC: Connect with the IE or Firefox browser.
HTTPS: If there is a DNS issue, open the CMD and try one or both of the following
methods:

ipconfig /flushdns
nslookup
Test of connectivity:

Marketing PC: Connect with the IE or Firefox browser.

HTTPS: If there is a DNS issue, open the CMD and try one or both of the following
methods:

ipconfig /flushdns
nslookup
ASA3: Check the hits

Cisco ISE: Check the Logs

=============================================================
1.4 FMC-FTD Site-to-Site

You have been asked to secure Richardson branch traffic for the
Engineering server SSL access situated in HQ DC 2:
• Also, the Branch PC must be synchronized with the HQ NTP server using
its FQDN.
• The secure communication must use the site-to-site IPsec VPN model
using Cisco Firepower Threat Defense.
• Your implementation must permit only specific protocols and ports to
allow connections from branch PCs to the Engineering and NTP servers.

NOTE: You must use predefined objects to achieve this task.


Solution:

FMC-FTD (Management PC):


Add Routes-FTD2
Add Routes-FTD1
!
Configure Site-to-site VPN
Configure Access Control Policy FTD2:
Test of connectivity:

Branch PC:
HTTPS: If there is a DNS issue, open the CMD and try one or both of the following
methods:

ipconfig /flushdns
nslookup
NTP for windows:
!
Logs FMC:

=============================================================
1.5 IOS FlexVPN

You have been asked to set up a secure link between the RTP branch and
HQ. The link will provide confidentiality and integrity for the traffic between
supplicants in 5.2.38.0/24 network and intranet address space in DC 3. The
requirements are as follows:
• FlexVPN VTI method must be used to establish security between R16
and R5.
• The secure tunnel must extend the 192.168.100.0/24 network between
SW7 and R4.

Technology:
https://www.cisco.com/c/pt_br/support/docs/security/flexvpn/116207-configure-l2tpv3-00.html
Solution:

FlexVPN Configuration

R16
!
crypto ikev2 keyring default
peer R5
address 10.10.100.5
pre-shared-key cisco
!
crypto ikev2 profile default
match identity remote address 10.10.100.5 255.255.255.255
identity local address 10.10.100.16
authentication remote pre-share
authentication local pre-share
keyring local default
!
interface tunnel100
ip address 172.16.100.16 255.255.255.0
tunnel source 10.10.100.16
tunnel destination 10.10.100.5
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
!
pseudowire-class L2TP
encapsulation l2tpv3
ip local interface tunnel100
!
interface GigabitEthernet3
no ip address
xconnect 172.16.100.5 1001 encapsulation l2tpv3 pw-class L2TP
!
write
!

R5
!
crypto ikev2 keyring default
peer R16
address 10.10.100.16
pre-shared-key cisco
!
crypto ikev2 profile default
match identity remote address 10.10.100.16 255.255.255.255
identity local address 10.10.100.5
authentication remote pre-share
authentication local pre-share
keyring local default
!
interface tunnel100
ip address 172.16.100.5 255.255.255.0
tunnel source 10.10.100.5
tunnel destination 10.10.100.16
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
pseudowire-class L2TP
encapsulation l2tpv3
ip local interface tunnel100
!
interface GigabitEthernet4
no ip address
xconnect 172.16.100.16 1001 encapsulation l2tpv3 pw-class L2TP
!
end
!
write

Test of connectivity:

R5

show crypto session
!
show crypto sockets
!
show crypto ikev2 sa
!
show xconnect all

Test of connectivity:

R16
show crypto session
!
show crypto sockets
!
show crypto ikev2 sa
!
show xconnect all

SW7

show ip interface brief
!
interface vlan 308
no shutdown
!
interface GigabitEthernet0/1
switchport host
switchport access vlan 308 /This command is only for testing here; it is removed later in task 3.3/
!
wr

Test of connectivity:
ping 172.10.1.1 source vlan 208
!

=============================================================
2.1 ASA1v/ASA11v – Failover Active/Standby

You have been asked to configure high availability for ASAs in the Internet
Edge 1 layer of the network. The requirements are as follows:
• The last octet of the active and standby management interface
addresses must be .53 and .54 respectively.
• The last octet of the active and standby non-management interface
address must be .1 and .2 respectively.
• The last octet of the failover link active and standby addresses must
be .1 and .2 respectively.

NOTE: ASA1v must be active in the pair when you have completed this task.

Solution:
ASA1v
!
configure terminal
!
interface GigabitEthernet0/2
no shutdown
!
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 5.2.9.1 255.255.255.0 standby 5.2.9.2
!

ASA11v
!
configure terminal
!
interface GigabitEthernet0/2
no shut
!
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 5.2.9.1 255.255.255.0 standby 5.2.9.2
ASA1v
!
ping 5.2.9.2
!

!
failover

ASA11v
!
failover

Test of connectivity:

ASA1v
!
show failover state
ASA1v
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 5.2.10.1 255.255.255.0 standby 5.2.10.2
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 5.2.8.1 255.255.255.0 standby 5.2.8.2
no shutdown
!
interface Management0/0
nameif mgmt
security-level 100
ip add 150.1.7.53 255.255.255.0 standby 150.1.7.54
no shut
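The active/standby pairs just configured are what failover keys on: each interface's standby address must sit in the same subnet as the active one, and this task fixes the last octets (.53/.54 for mgmt, .1/.2 elsewhere). An interface without a standby address is not monitored on the standby unit and a typo in one octet breaks that interface's health check. The following Python script, added as an example and not part of the workbook, parses ASA interface blocks and audits them against those rules; it uses the ASA1v interface lines from this solution as sample input, accepts the abbreviated `ip add` / `no shut` forms used above, and its function names, finding messages and the rule table are this example's own assumptions.

```python
import ipaddress

# Sample input: the ASA1v interface configuration from this task, copied so the
# script runs stand-alone (constructed for this example).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.2.10.1 255.255.255.0 standby 5.2.10.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 5.2.8.1 255.255.255.0 standby 5.2.8.2
 no shutdown
!
interface Management0/0
 nameif mgmt
 security-level 100
 ip add 150.1.7.53 255.255.255.0 standby 150.1.7.54
 no shut
"""

# Task rule for this section: management .53/.54, every other interface .1/.2.
# "*" is the default entry (assumed mapping; change it per task).
LAST_OCTET_RULES = {"mgmt": (53, 54), "*": (1, 2)}


def parse_interfaces(text):
    """Return {nameif: (active IPv4Interface, standby IPv4Address or None)}."""
    result, block = {}, {}
    for raw in text.splitlines() + ["interface END"]:   # sentinel flushes the last block
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "interface":
            if "nameif" in block and "active" in block:
                result[block["nameif"]] = (block["active"], block.get("standby"))
            block = {}
        elif tokens[0] == "nameif":
            block["nameif"] = tokens[1]
        elif tokens[0] == "ip" and tokens[1].startswith("add"):   # "ip address" or "ip add"
            block["active"] = ipaddress.ip_interface(f"{tokens[2]}/{tokens[3]}")
            if "standby" in tokens:
                block["standby"] = ipaddress.ip_address(tokens[tokens.index("standby") + 1])
    return result


def audit_addresses(config_text, rules=LAST_OCTET_RULES):
    """Check every interface's active/standby pair against the last-octet rules.
    Returns a list of findings; empty means the configuration complies."""
    findings = []
    for nameif, (active, standby) in parse_interfaces(config_text).items():
        want_active, want_standby = rules.get(nameif, rules["*"])
        if standby is None:
            findings.append(f"{nameif}: no standby address; the interface is not "
                            f"monitored on the standby unit")
            continue
        if standby not in active.network:
            findings.append(f"{nameif}: standby {standby} is outside {active.network}")
        got_active, got_standby = active.ip.packed[-1], standby.packed[-1]
        if (got_active, got_standby) != (want_active, want_standby):
            findings.append(f"{nameif}: last octets are .{got_active}/.{got_standby}, "
                            f"task requires .{want_active}/.{want_standby}")
    return findings


if __name__ == "__main__":
    for line in audit_addresses(SAMPLE_CONFIG) or ["all interfaces comply"]:
        print(line)
```

For section 2.2 the same script applies with `{"mgmt": (58, 59), "*": (1, 2)}`, and for the multi-context task in 2.3 with `{"management": (51, 52), "*": (1, 2)}` run once per context.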

Test of connectivity:
!
ping 5.2.8.2
ping 5.2.8.9
ping 5.2.10.2
ping 5.2.10.11
ping 150.1.7.111
!
!
ASA1v
!
show failover
ASA1v
!
route outside 5.2.11.0 255.255.255.0 5.2.10.11
route outside 5.2.12.0 255.255.255.0 5.2.10.11

Test of connectivity:
!
ping 5.2.11.2 (The Sales PC's firewall should be turned off)
ping 5.2.12.2 (The Finance PC's firewall should be turned off)
!
=============================================================
2.2 ASA2v/ASA22v – Failover Active/Standby

You have been asked to configure high availability for ASAs in the Internet
Edge 2 layer of the network. The requirements are as follows:
• The last octet of the active and standby management interface
address must be .58 and .59 respectively.
• The last octet of the active and standby non-management interface
address must be .1 and .2 respectively.
• The last octet of the failover link active and standby addresses must
be .1 and .2 respectively.

NOTE: ASA2v must be active in the pair when you have completed this task.
Solution:

ASA2v
!
configure terminal
!
interface GigabitEthernet0/2
no shutdown
!
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 5.2.17.1 255.255.255.0 standby 5.2.17.2

ASA22v
!
configure terminal
!
interface GigabitEthernet0/2
no shutdown
!
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 5.2.17.1 255.255.255.0 standby 5.2.17.2

ASA2v
!
ping 5.2.17.2

!
failover

ASA22v
!
failover

ASA2v
!
show failover state
ASA2v
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 5.2.18.1 255.255.255.0 standby 5.2.18.2
no shut
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 5.2.16.1 255.255.255.0 standby 5.2.16.2
no shutdown
!
interface Management0/0
nameif mgmt
security-level 100
ip address 150.1.7.58 255.255.255.0 standby 150.1.7.59
no shutdown
!
write

Test of connectivity:
!
ping 5.2.16.2
ping 5.2.16.15
ping 5.2.18.2
ping 5.2.18.3
ping 150.1.7.111
show failover state
!
ASA2v
!
route outside 5.2.19.0 255.255.255.0 5.2.18.3
route outside 5.2.20.0 255.255.255.0 5.2.18.3

Test of connectivity:
!
ping 5.2.19.2 (The Engineering PC's firewall should be turned off first)
ping 5.2.20.2 (The Marketing PC's firewall should be turned off first)

=============================================================
2.3 ASA1/ASA2 – Failover Active/Active Multi-Context

You have been asked to deploy high availability for ASAs in the Core-Distribution
layer of the network. The requirements are as follows:
• ASAs first, second, and third non-management interface must be in
the inside, DMZ, and outside zones respectively.
• The context "c1" and "c2" must route traffic for the Sales and Finance
organization respectively.
• The actual address of the Sales and Finance servers must be visible
to the clients as 19.16.1.1 and 19.16.2.1 respectively.
• The last octet of the active and standby management interface
address must be .51 and .52 respectively.
• The last octet of the active and standby non-management interface
addresses must be .1 and .2 respectively.
• The last octet of the active and standby LAN link interface addresses
must be .1 and .2 respectively.
• The last octet of the active and standby STATE link interface
addresses must be .1 and .2 respectively.
• The c1 context interface must be named "inside_c1","outside_c1",
and "dmz_c1".
• The c2 context interface must be named "inside_c2","outside_c2",
and "dmz_c2".

NOTE: ASA1-c1 and ASA2-c2 must be active in the pair for the Sales and
Finance traffic respectively. Verify established sessions on the Sales and
Finance servers from Sales and Finance PCs respectively.
Solution:

ASA1
!
ASA1(config)# show mode /--single mode is pre-config--/
security context mode: single
ASA1(config)# mode multiple

ASA2
!
ASA2(config)# show mode /--single mode is pre-config--/
security context mode: single
ASA2(config)# mode multiple

ASA1-system
!
delete *.cfg
!
delete filename [*.cfg]? enter
!
delete disk0:/admin.cfg? [confirm] enter
!
delete disk0:/c1.cfg? [confirm] enter
!
delete disk0:/c2.cfg? [confirm] enter
!
no cluster interface-mode
!
interface GigabitEthernet1/1
no shutdown
!
interface GigabitEthernet1/2
no shutdown
!
interface GigabitEthernet1/3
no shutdown
!
interface GigabitEthernet1/4
no shutdown
!
interface GigabitEthernet1/5
no shutdown
!
interface Management0/0
no shutdown
!
interface GigabitEthernet1/1.1
vlan 2
!
interface GigabitEthernet1/1.2
vlan 3
!
interface GigabitEthernet1/2.1
vlan 4
!
interface GigabitEthernet1/2.2
vlan 5
!
interface GigabitEthernet1/3.1
vlan 6
!
interface GigabitEthernet1/3.2
vlan 7
!
failover group 1
primary
preempt
!
failover group 2
secondary
preempt
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
config-url disk0:/c2.cfg
join-failover-group 2
!
failover lan unit primary
failover lan interface LAN GigabitEthernet1/4
failover link STATE GigabitEthernet1/5
failover interface ip LAN 5.2.201.1 255.255.255.0 standby 5.2.201.2
failover interface ip STATE 5.2.202.1 255.255.255.0 standby 5.2.202.2

ASA2-system:
!
delete *.cfg
!
delete filename [*.cfg]? enter
!
delete disk0:/admin.cfg? [confirm] enter
!
delete disk0:/c1.cfg? [confirm] enter
!
delete disk0:/c2.cfg? [confirm] enter
!
no cluster interface-mode
!
interface GigabitEthernet1/4
no shutdown
!
interface GigabitEthernet1/5
no shutdown
!
failover group 1
primary
preempt
!
failover group 2
secondary
preempt
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
config-url disk0:/c2.cfg
join-failover-group 2
!
failover lan unit secondary
failover lan interface LAN GigabitEthernet1/4
failover link STATE GigabitEthernet1/5
failover interface ip LAN 5.2.201.1 255.255.255.0 standby 5.2.201.2
failover interface ip STATE 5.2.202.1 255.255.255.0 standby 5.2.202.2

Test of connectivity:

ASA1:
!
ping 5.2.201.2
ping 5.2.202.2
!
failover

ASA2
!
failover

ASA1
!
show failover state

ASA1-system:
!
admin-context admin
context admin
allocate-interface Management0/0
!
context c1
allocate-interface GigabitEthernet1/1.1 inside_c1
allocate-interface GigabitEthernet1/2.1 dmz_c1
allocate-interface GigabitEthernet1/3.1 outside_c1
!
context c2
allocate-interface GigabitEthernet1/1.2 inside_c2
allocate-interface GigabitEthernet1/2.2 dmz_c2
allocate-interface GigabitEthernet1/3.2 outside_c2

ASA1-admin
!
changeto c admin
!
username cisco password cisco privilege 15
!
enable password cisco
!
http server enable
!
http 150.1.7.0 255.255.255.0 management
!
interface Management0/0
nameif management
security-level 100
ip address 150.1.7.51 255.255.255.0 standby 150.1.7.52
no shutdown
!

ASA1-c1
!
changeto c c1
!
interface inside_c1
nameif inside
security-level 100
ip address 5.2.2.1 255.255.255.0 standby 5.2.2.2
!
interface dmz_c1
nameif DMZ
security-level 50
ip address 5.2.4.1 255.255.255.0 standby 5.2.4.2
!
interface outside_c1
nameif outside
security-level 0
ip address 5.2.6.1 255.255.255.0 standby 5.2.6.2
!
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
!
show interface ip brief
!
Test of connectivity:
!
ping 5.2.2.6
ping 5.2.4.7
ping 5.2.6.9

object network sales_t


host 19.16.1.1
!
object network sales
host 192.168.1.1
nat (dmz,outside) static sales_t
!
access-list sales extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.1.1 eq 8080
access-list sales extended permit icmp 172.16.1.0 255.255.255.0 host 192.168.1.1 echo
access-group sales in interface outside
!
router eigrp 1
network 5.2.2.0 255.255.255.0
network 5.2.4.0 255.255.255.0
network 5.2.6.0 255.255.255.0
!

ASA1-c2
!
changeto c c2
!
interface inside_c2
nameif inside
security-level 100
ip address 5.2.3.1 255.255.255.0 standby 5.2.3.2
!
interface dmz_c2
nameif dmz
security-level 50
ip address 5.2.5.1 255.255.255.0 standby 5.2.5.2
!
interface outside_c2
nameif outside
security-level 0
ip address 5.2.7.1 255.255.255.0 standby 5.2.7.2
!
monitor-interface inside
monitor-interface dmz
monitor-interface outside
!

Test of connectivity:
!
show interface ip brief
!
show nameif
!
ping 5.2.3.6
ping 5.2.5.8
ping 5.2.7.9
object network finance_t
host 19.16.2.1
!
object network finance
host 192.168.2.1
nat (dmz,outside) static finance_t
!
access-list finance extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.2.1 eq 8080
access-list finance extended permit icmp 172.16.1.0 255.255.255.0 host 192.168.2.1 echo
access-group finance in interface outside
!
router eigrp 2
network 5.2.3.0 255.255.255.0
network 5.2.5.0 255.255.255.0
network 5.2.7.0 255.255.255.0
!
changeto system
!
write memory all

ASA1v
!
route inside 19.16.1.1 255.255.255.255 5.2.8.9
route inside 19.16.2.1 255.255.255.255 5.2.8.9
!
wr

R9
!
ip route 19.16.1.1 255.255.255.255 5.2.6.1
ip route 19.16.2.1 255.255.255.255 5.2.7.1
!
wr

=============================================================
2.4 ASA3/ASA4 – Cluster

You have been asked to deploy ASA3 and ASA4 as a single logical unit to
enhance traffic throughput. The requirements are as follows:
• The last octet of the management interface address must be .55 tied
with the address pool of 150.1.7.56 - 150.1.7.57/24.
• The management interface must be named "mgmt".
• The last octet of the non-management sub-interface addresses must
be .1.
• The non-management interfaces must be named "inside", "outside",
and "dmz".
• The actual addresses of the Marketing and Engineering servers must
be obscured for the remote VPN sessions and visible as 19.16.3.1 and
19.16.4.1 respectively.
• ASAs must be able to establish OSPF peering with the neighbors.
NOTE: ASA3 must be the master in the cluster. Verify established sessions
on the Engineering and Marketing servers from Engineering and Marketing
PCs respectively.
Solution:

ASA3:
!
interface GigabitEthernet1/3
no shutdown
!
interface management0/0
no shut
!
!
cluster interface-mode spanned force
!
cluster group ccie
local-unit ASA3
cluster-interface GigabitEthernet1/3 ip 5.2.203.1 255.255.255.0
priority 1
!
mtu cluster 9000
!
write
!
reload
!

ASA4
!
interface GigabitEthernet1/3
no shutdown
!
interface management0/0
no shut
!
cluster interface-mode spanned force
!
cluster group ccie
local-unit ASA4
cluster-interface GigabitEthernet1/3 ip 5.2.203.2 255.255.255.0
priority 2
!
mtu cluster 9000
!
write
!
reload
!
Enable Cluster
Test of connectivity:

ping 5.2.203.2
!

ASA3
!
cluster group ccie
enable

ASA4
!
cluster group ccie
enable as-slave

ASA3
!
interface port-channel 1
port-channel span-cluster
!
interface GigabitEthernet1/1
no shutdown
channel-group 1 mode active
!
interface GigabitEthernet1/2
no shutdown
channel-group 1 mode active

SW2
!
vlan 13-15
!
interface port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 13-15
!
interface range GigabitEthernet1/0/1-2, GigabitEthernet1/0/4-5
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 13-15
channel-group 1 mode active
no shutdown
ASA3
!
ip local pool mgmt-pool 150.1.7.56-150.1.7.57 mask 255.255.255.0
!
interface management0/0
nameif mgmt
security-level 100
ip address 150.1.7.55 255.255.255.0 cluster-pool mgmt-pool
!
interface port-channel1.13
vlan 13
nameif inside
security-level 100
ip address 5.2.13.1 255.255.255.0
ospf priority 255
!
interface port-channel1.14
vlan 14
nameif dmz
security-level 50
ip address 5.2.14.1 255.255.255.0
ospf priority 255
!
interface port-channel1.15
vlan 15
nameif outside
security-level 0
ip address 5.2.15.1 255.255.255.0
ospf priority 255
!

router ospf 1
router-id 5.2.15.1
network 5.2.13.0 255.255.255.0 area 1
network 5.2.14.0 255.255.255.0 area 2
network 5.2.15.0 255.255.255.0 area 0

("clear ip ospf process" on the related routers R13/R14/R15)

object network Engineering_t


host 19.16.4.1
!
object network Engineering
host 192.168.4.1
nat (inside,outside) static Engineering_t
!
object network Marketing_t
host 19.16.3.1
!
object network Marketing
host 192.168.3.1
nat (dmz,outside) static Marketing_t
!
access-list servers extended permit tcp host 5.2.16.1 host 192.168.3.1 eq https
access-list servers extended permit tcp host 5.2.16.1 host 192.168.4.1 eq https
!
access-group servers in interface outside
!

=============================================================
3.1 Cisco ISE 802.1x

You have been asked to configure SW1 and ISE for the on-boarding of the
TAC PC Windows machine using 802.1X. The requirements are as follows:
• SW1 must provide the IP address, next hop, and DNS server to the
Windows machine.
• The SW1 port to which a supplicant is connected must be moved
dynamically to the relevant VLAN.
• The session authentication must be performed by ISE with Active
Directory as the external identity source.
• The ISE internal database must serve as a backup in case Active
Directory is not available.
The session DACL must only permit access from any source to:
• IP connection to Cisco FireAMP Cloud, TCP connection to the
Engineering server, DNS server (protocol and port-specific).

Solution:

ISE:
Create AAA Client/Network Device

Create Network Access Users "tacuser1"

Create new Downloadable ACLs "SW1-802.1x-DACL"


permit ip any host 150.1.7.217
permit tcp any host 192.168.4.1 eq 443
permit udp any host 150.1.7.200 eq 53
Create new Authorization Profiles "SW1-802.1x-Profile"

Create new Authentication Policy


Create new Authorization Policy
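To check the DACL above against the task's requirements before uploading it to ISE, here is an added Python example (not from the workbook) that evaluates the three ACEs with IOS first-match semantics and the implicit deny; the TAC PC address 5.2.207.10 and the test flows are constructed assumptions.

```python
"""Evaluate an ISE downloadable ACL (DACL) against constructed flows.

Added example, not part of the workbook. It models IOS first-match ACL
semantics with the implicit deny at the end, so the DACL written for task 3.1
can be checked against the task's requirements before it is pushed to ISE.
"""
from dataclasses import dataclass
from typing import List, Optional

# Named ports IOS accepts in place of numbers (the workbook uses both forms).
PORT_NAMES = {"https": 443, "www": 80, "http": 80, "domain": 53}


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: Optional[str]          # None means "any"
    dst: Optional[str]
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any' or 'host A.B.C.D'; return (address or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_dacl(text: str) -> List[Ace]:
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.lower().split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            port = t[i + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _matches(ace: Ace, f: Flow) -> bool:
    return ((ace.proto == "ip" or ace.proto == f.proto)
            and (ace.src is None or ace.src == f.src)
            and (ace.dst is None or ace.dst == f.dst)
            and (ace.dport is None or ace.dport == f.dport))


def evaluate(aces: List[Ace], f: Flow) -> str:
    """First matching ACE wins; no match means the implicit deny."""
    for ace in aces:
        if _matches(ace, f):
            return ace.action
    return "deny"


# The DACL exactly as task 3.1 defines it.
SW1_DACL = """
permit ip any host 150.1.7.217
permit tcp any host 192.168.4.1 eq 443
permit udp any host 150.1.7.200 eq 53
"""


def check_task_31(dacl_text: str = SW1_DACL) -> dict:
    """Verdicts for constructed flows from the TAC PC (5.2.207.10 is an assumed address)."""
    aces = parse_dacl(dacl_text)
    pc = "5.2.207.10"
    return {
        "amp_cloud_icmp": evaluate(aces, Flow("icmp", pc, "150.1.7.217")),
        "engineering_https": evaluate(aces, Flow("tcp", pc, "192.168.4.1", 443)),
        "dns_udp": evaluate(aces, Flow("udp", pc, "150.1.7.200", 53)),
        "engineering_http": evaluate(aces, Flow("tcp", pc, "192.168.4.1", 80)),  # not permitted
        "dns_tcp": evaluate(aces, Flow("tcp", pc, "150.1.7.200", 53)),           # not permitted
    }
```

The same parser reads the SW4 and SW7 DACLs from tasks 3.2 and 3.3, so each task's "only permit" requirement can be checked the same way.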

SW1:
!
aaa new-model
!
aaa authentication login NO_AUTH none
!
line con 0
login authentication NO_AUTH
!
radius server ISE
address ipv4 150.1.7.111 auth-port 1812 acct-port 1813
key cisco
!
aaa group server radius ISE
server name ISE
!
aaa server radius dynamic-author
client 150.1.7.111 server-key cisco
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius-server vsa send authentication
radius-server vsa send accounting
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
ip radius source-interface GigabitEthernet0/0
!
ip dhcp pool VLAN207
network 5.2.207.0 255.255.255.0
default-router 5.2.207.1
dns-server 150.1.7.200
!
ip dhcp excluded-address 5.2.207.1
!
interface vlan207
no shutdown
!
dot1x system-auth-control
!
ip device tracking
!
interface GigabitEthernet0/1
switchport host
authentication port-control auto
authentication order dot1x
authentication priority dot1x
dot1x pae authenticator
shutdown
!

TAC PC:

Check the status of 802.1x


Edit Ethernet1 adapter
Click OK in all windows

Disable Ethernet1 adapter


SW1
!
interface GigabitEthernet0/1
no shutdown

Test of connectivity:

TAC PC:

Re-enable Ethernet1 adapter


SW1
show authentication sessions interface gigabitethernet0/1 details
!

TAC PC:

HTTPS. If there is a DNS issue, open CMD and try one or both of the following:

ipconfig /flushdns
nslookup

SourceFire – AMP
SW1
show ip access-list interface gigabitEthernet0/1
!

ISE
!
Live Logs

=============================================================
3.2 Cisco ISE MAB

You have been asked to configure SW4 and ISE for the on-boarding of the
Cisco Contractor PC Windows machine using MAB. The requirements are
as follows:
• SW4 must provide the IP address, next hop, and DNS server to the
Windows machine.
• The session authentication must be performed by ISE.
• The session switch port must be moved dynamically to the relevant
VLAN.
The session DACL must only permit access from any source to:
• Intranet server at the standard HTTP port
• DNS server (protocol and port-specific)
Solution:

ISE

Create AAA client/Network Devices

Add Endpoint (Ethernet1 Mac address of Contractor PC: 00-50-56-B1-44-0E)


Create new Downloadable ACLs "SW4 MAB DACL"
Permit tcp any host 172.10.1.1 eq 80
Permit udp any host 150.1.7.200 eq 53
Create new Authorization Profiles "SW4 MAB Profile"
Create new Authentication Policy

Create new Authorization Policy


SW4:
!
aaa new-model
!
aaa authentication login NO_AUTH none
!
line con 0
login authentication NO_AUTH
!
radius server ISE
address ipv4 150.1.7.111 auth-port 1645 acct-port 1646
key cisco
!
aaa group server radius ISE
server name ISE
!
aaa server radius dynamic-author
client 150.1.7.111 server-key cisco
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius-server vsa send authentication
radius-server vsa send accounting
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
ip radius source-interface GigabitEthernet0/0
!
ip dhcp pool VLAN305
network 5.2.35.0 255.255.255.0
default-router 5.2.35.1
dns-server 150.1.7.200
!
ip dhcp excluded-address 5.2.35.1
!
interface VLAN305
no shutdown
!
dot1x system-auth-control
!
ip device tracking
!
interface GigabitEthernet0/1
switchport host
authentication port-control auto
authentication order mab
authentication priority mab
mab
dot1x pae authenticator
shutdown

Contractor PC:

Disable Ethernet1 adapter

SW4
!
interface GigabitEthernet0/1
no shutdown
Test of connectivity:

Contractor PC
Re-enable Ethernet1 adapter; enable 802.1x first and then disable it, just to
trigger the session.
SW4
!
show authentication session interface gigabitethernet 0/1 details
Test of connectivity:

Contractor PC
HTTP. If there is a DNS issue, open CMD and try one or both of the following:

ipconfig /flushdns
nslookup
SW4
!
show ip access-list interface gigabitEthernet0/1
ISE
!
Live Logs

=============================================================
3.3 Dot1x SXP

You have been asked to configure SW7 and ISE for the on-boarding of the
QA PC Windows machine using 802.1x. The requirements are as follows:
• The Windows machine must validate the authentication server as part
of session authentication process.
• SW7 must provide the IP address, next hop, and DNS server to the
supplicant.
• SW7 must be able to establish SXP peering with ISE.
• The session authentication must be performed by ISE with Active
Directory as the external identity source.
• ISE internal database must serve as a backup in case Active
Directory is not available.
• The session switch port must be moved dynamically to the relevant
VLAN.
• The Intranet server must show an established session from the QA
PC.
The session DACL must only permit access from any source to:
• TCP protocol
• DNS server (protocol and port-specific)
Solution:

ISE:

Confirm function status of the services

Create AAA Client/Network Devices


Create Network Access Users "qauser1"
Create Downloadable ACLs "SW7_DACL"
permit tcp any any log
permit udp any host 150.1.7.200 eq 53 log

Create Authorization Profiles "SW7_802.1x_Profile"


Create Authentication Policy

Create Authorization Policy

SW7
!
!
aaa new-model
!
aaa authentication login NO_AUTH none
!
line console 0
login authentication NO_AUTH
!
radius server ISE
address ipv4 150.1.7.111 auth-port 1812 acct-port 1813
pac key cisco
!
aaa group server radius ISE
server name ISE
!
aaa server radius dynamic-author
client 150.1.7.111 server-key cisco
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network CTS group ISE
aaa accounting dot1x default start-stop group ISE
!
ip radius source-interface gigabitethernet0/0
!
cts authorization list CTS
cts role-based enforcement
cts role-based enforcement vlan-list 308
cts sxp default password cisco
cts sxp connection peer 150.1.7.111 source 150.1.7.37 password default mode peer speaker
!
dot1x system-auth-control
!
ip device tracking
!
ip dhcp excluded-address 5.2.38.1
!
ip dhcp pool VLAN308
network 5.2.38.0 255.255.255.0
default-router 5.2.38.1
dns-server 150.1.7.200
!
interface gig0/1
no switchport access vlan 308
switchport host
authentication order dot1x
authentication priority dot1x
authentication port-control auto
dot1x pae authenticator
shutdown
!
ISE:
Add SXP Devices
SW7:

clear cts credentials

cts credentials id SW7 password cisco

SW7

config t
!
cts sxp enable
!
cts refresh environment-data
!
show cts sxp connections brief
!
show cts environment-data

ISE:

Check the status of SXP Devices


QA PC:
Check the status of 802.1x
Install ISE certificate: Login ISE GUI from QA PC and download the ISE
certificate.
Edit "Ethernet1" adapter
Disable “Ethernet1” adapter
SW7:
!
interface GigabitEthernet0/1
no shutdown
!

QA PC:

Re-enable Ethernet1 adapter


SW7:
show authentication sessions interface gigabitethernet 0/1 details

QA PC:

HTTP. If there is a DNS issue, open CMD and try one or both of the following:

ipconfig /flushdns
nslookup
SW7:

show ip access-list interface gigabitethernet 0/1

ISE:
Live Logs

=============================================================
3.4 Dynamic ARP Inspection (Troubleshooting R5/R12 and SW3 OSPF)

It has been reported that R5 cannot reach a resource at 192.168.125.12. Find
and fix this issue.

NOTE: You are not allowed to use static routes or disable any security
features to resolve this issue.
Solution:

R12:

R5:

Ping 5.2.211.12

SW3:

R12:
R5:

SW3: DAI (Dynamic ARP Inspection) is preconfigured wrongly.

SW3:
!
config t
!
arp access-list r12
no permit ip host 5.2.211.5 mac host 0050.5601.0505
no permit ip host 5.2.211.12 mac host 0050.5602.1205
permit ip host 5.2.211.5 mac host 5000.0005.0004
permit ip host 5.2.211.12 mac host 5000.000c.0004
!
exit
!
interface range gigabitEthernet0/3, gigabitEthernet 1/0
shutdown
no shutdown
end
!
wr

R12:
R12# clear ip ospf process
!
Reset All OSPF processes? [no]: y
R5:

R5# clear ip ospf process

Reset ALL OSPF processes? [no]: y


!

!
ping 5.2.211.12
!
ping 192.168.125.12
!
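The fix above only works because DAI checks each ARP packet on an untrusted port against a known IP-to-MAC binding. As an added Python example (not from the workbook), the model below applies the SW3 "permit"/"no permit" lines to a reconstructed pre-existing ARP ACL and shows the DAI verdict for R5 and R12 ARP packets before and after; the preconfigured ACL is reconstructed from the entries the fix removes, and the ARP packets are constructed.

```python
"""Model Dynamic ARP Inspection (DAI) validation with a static ARP ACL.

Added example, not from the workbook. DAI on an untrusted port drops an ARP
packet whose sender IP/MAC pair is neither in the DHCP snooping binding table
nor in an ARP ACL applied to the VLAN. R5 and R12 use static addresses, so the
ARP ACL is the only source of truth; the "before" ACL is reconstructed from
the two entries that the SW3 fix removes.
"""
from typing import Dict


def normalize_mac(mac: str) -> str:
    """Accept 5000.0005.0004, 50:00:00:05:00:04 or 50-00-00-05-00-04; return IOS form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def apply_arp_acl_config(lines: str, acl: Dict[str, str]) -> Dict[str, str]:
    """Apply 'permit' / 'no permit' lines of an `arp access-list` to an ip -> mac map."""
    result = dict(acl)
    for raw in lines.splitlines():
        t = raw.strip().lower().split()
        if not t or t[0] in ("!", "arp", "exit"):
            continue
        negate = t[0] == "no"
        if negate:
            t = t[1:]
        # expected shape: permit ip host <ip> mac host <mac>
        if t[:3] != ["permit", "ip", "host"] or t[4:6] != ["mac", "host"]:
            raise ValueError(f"unsupported ARP ACE: {raw.strip()}")
        ip, mac = t[3], normalize_mac(t[6])
        if negate:
            if result.get(ip) == mac:
                del result[ip]
        else:
            result[ip] = mac
    return result


def dai_verdict(acl: Dict[str, str], sender_ip: str, sender_mac: str,
                port_trusted: bool = False) -> str:
    """DAI decision for an ARP packet seen on a port: 'forward' or 'drop'."""
    if port_trusted:
        return "forward"          # trusted ports bypass DAI entirely
    expected = acl.get(sender_ip)
    if expected is not None and expected == normalize_mac(sender_mac):
        return "forward"
    return "drop"                 # no binding, or binding mismatch


# Preconfigured (wrong) ACL on SW3, reconstructed from the 'no permit' lines of the fix.
PRECONFIGURED_R12_ACL = {
    "5.2.211.5": "0050.5601.0505",
    "5.2.211.12": "0050.5602.1205",
}

# The fix exactly as typed on SW3 in task 3.4.
SW3_FIX = """
arp access-list r12
no permit ip host 5.2.211.5 mac host 0050.5601.0505
no permit ip host 5.2.211.12 mac host 0050.5602.1205
permit ip host 5.2.211.5 mac host 5000.0005.0004
permit ip host 5.2.211.12 mac host 5000.000c.0004
"""

# Constructed ARP packets as R5 and R12 send them with their real MACs (per the fix).
R5_ARP = ("5.2.211.5", "50:00:00:05:00:04")
R12_ARP = ("5.2.211.12", "5000.000c.0004")


def before_and_after() -> dict:
    fixed = apply_arp_acl_config(SW3_FIX, PRECONFIGURED_R12_ACL)
    return {
        "r5_before": dai_verdict(PRECONFIGURED_R12_ACL, *R5_ARP),
        "r12_before": dai_verdict(PRECONFIGURED_R12_ACL, *R12_ARP),
        "r5_after": dai_verdict(fixed, *R5_ARP),
        "r12_after": dai_verdict(fixed, *R12_ARP),
        # a packet still claiming the old, wrong binding is dropped after the fix
        "stale_binding_after": dai_verdict(fixed, "5.2.211.12", "0050.5602.1205"),
    }
```

The "before" verdicts are why OSPF between R5 and R12 never came up: their ARP replies were dropped on the untrusted SW3 ports, so neither router could resolve the other's MAC.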

=============================================================
3.5 Syslog

It has been reported there is no trace of debug messages from R13 on the
syslog server for the recent debugging of the ZBFW configuration. Also, an
incorrect origin tag is seen from R13 for the received messages; it was
supposed to be tagged as "CCIE_Lab_R13". Find and fix the issues.

Solution:

Management PC: Turn off the firewall.


R13:

config terminal
!
no logging origin-id string Who_Am_I
!
logging on
logging origin-id string CCIE_Lab_R13
logging console 7
logging trap debugging
logging host 150.1.7.201
end
!
ping 150.1.7.201

Management PC: Verify after Task 4.1 & Task 4.5 are done.
=============================================================

3.6 Connectivity issue


One of the servers at 10.10.1.1 hosted in the Internet cloud has an issue
reaching the company campus subnet of 5.2.35.0/24. This issue implies that
on-boarded client from SW4 cannot access services hosted by 10.10.1.1.
What is the issue?

You may access lab devices to answer this question.

o A route filtering issue has occurred on SW4.


o A route filtering issue has occurred on R10
o R10 is missing the SXP peer configuration.
o R12 is missing the SXP peer configuration.
o The VLAN assignment for G0/1 port on SW4 is incorrect.
o An EIGRP peering issue has occurred between R5 and R12.
o An EIGRP peering issue has occurred between R10 and R12.
o An EIGRP peering issue has occurred between R10 and SW4.
o The CTS role-based assignment is disabled on SW4
o The CTS role-based assignment is disabled on R12.
o The DACL assigned to contractor MAB session on SW4 is incorrect.

=============================================================
4.1 FMC/NGIPS

You have been asked to provision NGIPS and define access policies for the
traffic that is sourced from Windows machines on-boarded by SW1. The
requirements are as follows:
• IPS zones must be present in the access policy.
• Traffic that originated from a Windows machine must allow only
HTTPS connection to the Engineering server from the 5.2.207.0/24
network.
• Cisco FMC must display events for the defined access policy only at
the beginning of the connection.

NOTE: Required licenses have been provided on the Management PC
desktop in the file "FMC_Licenses"
• Verify an established session on the Engineering server from the TAC
PC.
Solution:

Management PC: Registration


!
SSH NGIPS

configure manager add 150.1.7.251 cisco


!
show managers
!
FMC Login

License for practice


Add Device
Wait about 1 minute
Edit the interfaces
Add Rule
Save and deploy
NGIPS

NOTE: If it is not showing "Completed", use the command "configure manager
delete" to remove it and then re-add it.

TAC PC:

HTTPS
FMC/NGIPS

Logs/Events

=============================================================
4.2 WSA WCCP Redirect

You have been asked to implement policies for the traffic sourced from
Windows machines on-boarded by SW4. The requirements are as follows:
• WSA must be used as WCCP client.
• The traffic redirection point must be the campus devices adjacent to
SW4.
• Redirection must be only for the designed WCCP client.
• Only HTTP traffic at a standard port from windows machines network
to intranet address space should be redirected to implement policy.
• The redirection must be performed on the traffic ingress interface.
• As part of WSA policy, user with credentials "Username:
contractoruser1, Password: Cisc0123" must be authenticated by
Active Directory.
• The WSA policy must permit access only to the Intranet server page
that shows the history of the connections.
• The Intranet server must show an established redirection session.
Solution:

Management PC: Chrome browser

WSA Login
Add WCCP Service
Submit

Commit changes twice


Add Routes
Submit > Commit changes twice

R4

conf t
!
ip route 150.1.7.213 255.255.255.255 5.2.30.1
!
end
!
wr

R12:

conf t
!
ip route 150.1.7.213 255.255.255.255 5.2.33.10
!
end
!
wr

R10: WCCP

conf t
!
ip access-list standard WSA
permit 150.1.7.213
!
ip access-list extended RED
permit tcp 5.2.35.0 0.0.0.255 host 172.10.1.1 eq www
!
ip wccp web-cache redirect-list RED group-list WSA password cisco
!
interface gig4
ip wccp web-cache redirect in
!
wr

WSA Add Realm


Commit changes twice

Add URL Category


Commit changes twice
Add Identification Profile
Commit changes twice
Add Access Policies
Commit changes twice
Contractor PC:

HTTP
R4:

R10:

=============================================================
4.3 Cisco FireAMP Integration NGIPS

You have been asked to enable endpoint protection on the TAC PC by
integrating it with Cisco FireAMP Cloud.
Also you must make sure that Cisco FMC can receive any activity detected
by the AMP Connector on the TAC PC.
A Windows supplicant must be part of the "Protect" policy defined on Cisco
FireAMP Cloud.
Solution:

FireAMP-Admin:
Integration
FMC/NGIPS: Integration
FireAMP Console: Integration Allow
FMC/NGIPS: Integration Done

FireAMP Console:
Log in from the TAC PC with URL https://150.1.7.217, then Quick Start

Set Up FireAMP Windows connector


Install FireAMP
Run the “Scan Now”
Check the “Computers” in Management PC or TAC PC

============================================================
4.4 DNAC / ISE Trustsec Integration

The Trustsec policy on ISE must be centrally managed by DNA Center and
based on the traffic anomaly observed from the on-boarded clients, it has
been decided to allow only TCP traffic to the Intranet server from the QA PC
with SW7 as the policy enforcement point. The policy must be port specific
and be able to log packets on the console of SW7 when packets are
permitted or denied. Refer to the Lab Trustsec Components table.

Solution:

ISE:

Confirm the status of services

Fix the ISE certificate expiry issue (check and confirm this first, right after you reach
the second module in the exam; the "Renew" action takes about 30 minutes before ISE is
ready again)
Create AAA client/Network Devices

Delete the IP SGT static mapping pre-config


Delete the pre-config of Security Groups “intranet” & “qa”
DNAC: Integration

Add AAA/ISE Server


ISE:

Approve the client “dnac_dnac_ndp”


DNAC:

Confirm the AAA/ISE Server status


Start migration

Create Scalable Groups “ccie_qa” “ccie_intranet”


Deploy
ISE:

Update the “SW7 802.1x” Authorization Policy (related to Task 3.3)

SW7:
!
interface GigabitEthernet0/1
shutdown
!
QA PC:

Disable “Ethernet1” adapter


SW7:
!
interface GigabitEthernet0/1
no shutdown
!

QA PC:

re-enable “Ethernet1” adapter


SW7:
!
show authentication sessions interface gigabitEthernet 0/1 details
Create Access Contract
Deploy

Create Policies
Deploy

ISE:
!
Confirm the following objects
SW7:
!
cts refresh policy

show cts role-based permissions

ISE:
Add IP SGT static mapping
SW7:

cts refresh policy

cts refresh environment-data

show cts environment-data


show cts rbacl

show cts sxp sgt-map (brief)


conf t
!
logging console 7
!
logging on
!
end
!
write

QA PC:

HTTP
SW7:

Logs

============================================================
4.5 ZBF - Engineering Server Denial-of-Service Attack

To secure the Engineering server from any denial-of-service attack, you
have been asked to optimize IOS inspection of HTTPS sessions targeted to
the Engineering server on R13 so that at any given time the half-open TCP
sessions remain within the window of 1 - 5.

NOTE: You may simulate the attack on the Engineering server at TCP port
443 as follows:
1) Under the Management PC, open MPUTTY and click "Attack
Simulator".
2) At the prompt, run the hping3 192.168.4.1 -c 1000 -I eth1 -p 443 -S -a 5.2.207.10 command

Solution

R13
!
config t
!
zone security Outside
!
interface range gigabitEthernet 1 - 5
zone-member security Outside
!
parameter-map type inspect ZBFW
alert on
max-incomplete low 1
max-incomplete high 5
log dropped-packets
!
ip access-list extended ZBFW-Engineering
permit tcp any host 192.168.4.1 eq 443
!
class-map type inspect match-all ZBFW-Out-Self-ClassMap
match access-group name ZBFW-Engineering
match protocol https
!
policy-map type inspect ZBFW-Out-Self-PolicyMap
class type inspect ZBFW-Out-Self-ClassMap
inspect ZBFW
exit
!
class class-default
pass
!
policy-map type inspect ZBFW-Self-Out-PolicyMap
class class-default
pass
!
zone-pair security ZBFW-Out-Self-ZonePair source Outside destination self
service-policy type inspect ZBFW-Out-Self-PolicyMap
!
zone-pair security ZBFW-Self-Out-ZonePair source self destination Outside
service-policy type inspect ZBFW-Self-Out-PolicyMap
!
end
write

Attack Simulator (Management PC):


hping3 192.168.4.1 -c 1000 -I eth1 -p 443 -S -a 5.2.207.10
R13: show tcp brief
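What `max-incomplete low 1` / `max-incomplete high 5` actually does to the half-open count is easier to see on a trace. As an added Python example (not from the workbook), the model below replays a constructed stream of SYNs that never complete, followed by one legitimate connection, with and without the watermarks; the flow identifiers and the TAC PC naming are constructed.

```python
"""Model the ZBFW half-open (embryonic TCP) watermarks from task 4.5.

Added example, not from the workbook. With `max-incomplete low 1` and
`max-incomplete high 5` in the inspect parameter-map, IOS starts deleting
half-open sessions (oldest first) once the count reaches the high watermark,
and keeps deleting one per new SYN until the count falls below the low
watermark. The trace below is constructed to show the effect on inspected
HTTPS flows to the Engineering server.
"""
from collections import OrderedDict
from typing import List, Optional, Tuple

Event = Tuple[str, str]   # (kind, flow); kind is "syn", "complete" or "timeout"


class HalfOpenInspector:
    """Tracks embryonic TCP sessions the way the inspect parameter-map limits them."""

    def __init__(self, low: Optional[int] = None, high: Optional[int] = None) -> None:
        if (low is None) != (high is None) or (high is not None and not 0 < low <= high):
            raise ValueError("give both watermarks with 0 < low <= high, or neither")
        self.low, self.high = low, high
        self.half_open: "OrderedDict[str, None]" = OrderedDict()   # oldest first
        self.established: List[str] = []
        self.deleted: List[str] = []     # half-open sessions torn down by the firewall
        self.aggressive = False
        self.peak = 0

    def syn(self, flow: str) -> None:
        """New embryonic session; in aggressive mode the oldest one is deleted first."""
        if self.high is not None and len(self.half_open) >= self.high:
            self.aggressive = True
        if self.aggressive and self.half_open:
            oldest, _ = self.half_open.popitem(last=False)
            self.deleted.append(oldest)
        self.half_open[flow] = None
        self.peak = max(self.peak, len(self.half_open))

    def _forget(self, flow: str) -> bool:
        present = flow in self.half_open
        if present:
            del self.half_open[flow]
            if self.aggressive and len(self.half_open) < self.low:
                self.aggressive = False   # back below the low watermark
        return present

    def complete(self, flow: str) -> bool:
        """Three-way handshake finished: promote to established if still tracked."""
        if self._forget(flow):
            self.established.append(flow)
            return True
        return False    # already torn down by aggressive mode; the client must retry

    def timeout(self, flow: str) -> None:
        self._forget(flow)


def simulate(events: List[Event], low: Optional[int] = None,
             high: Optional[int] = None) -> dict:
    fw = HalfOpenInspector(low, high)
    for kind, flow in events:
        {"syn": fw.syn, "complete": fw.complete, "timeout": fw.timeout}[kind](flow)
    return {"peak_half_open": fw.peak, "half_open_now": len(fw.half_open),
            "established": fw.established, "deleted": fw.deleted}


# Constructed trace: eight SYNs that never complete (like the spoofed-source test in the
# task), then one legitimate HTTPS connection from the TAC PC that completes.
FLOOD = [("syn", f"flood-{i}->192.168.4.1:443") for i in range(8)]
LEGIT_FLOW = "tacpc:51000->192.168.4.1:443"
TRACE = FLOOD + [("syn", LEGIT_FLOW), ("complete", LEGIT_FLOW)]


def compare() -> dict:
    """The same trace without watermarks and with the task's low 1 / high 5."""
    return {"unprotected": simulate(TRACE), "protected": simulate(TRACE, low=1, high=5)}
```

With the watermarks the half-open count never goes above 5 and the legitimate connection still completes; without them every spoofed SYN stays in the table until it ages out.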

=============================================================
4.6 Stealthwatch

You have been asked to optimize the availability of the Sales server by
throttling the ICMP traffic generated from the Sales PC for 5 minutes if the
Concern Index (CI) points of the traffic exceed by 10 in 24 hours.
• The throttle point must still be in the Core-Distribution layer of the
network on a CSR1K but residing in the "Outside" zone of the ASAs.
• Netflow must be used on R9 to collect raw data so that Cisco SMC can
leverage it for the required throttling decision.
• Also, you must configure Netflow on the pertaining device for the
ICMP egress flow with respect to the traffic source.
Solution

R9
!
configure terminal
!
username cisco privilege 15 password cisco
!
enable password cisco
!
line vty 0 4
login local
transport input telnet
!
!
flow record RECORD
description NetFlow record format to send to FC
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface output
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect ipv4 ttl minimum
collect ipv4 ttl maximum
collect transport tcp flags
collect interface input
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
flow export EXPORTER
description Export NetFlow to FC
destination 161.1.7.23
source gigabitEthernet1
transport udp 2055
export-protocol ipfix
!
flow monitor MONITOR
export EXPORTER
record RECORD
cache timeout active 60
cache timeout inactive 60
!
interface GigabitEthernet2.1
ip flow monitor MONITOR output
!
interface GigabitEthernet1
shutdown
no shutdown
!
interface gigabitethernet2
shutdown
no shutdown
!
end
!
wr

FC (Management PC)
Check the registration status (the FC might not have registered to SMC yet)
NOTE: If not, add it with the following steps
Configuration > Management System Configuration

SMC (Management PC): Client Installation


Client configuration
Check FlowCollectors (if not showing there, add it with following steps)
Add Host Groups
Add Role Policy
Click apply.

Add Mitigation Configuration (probably preconfigured; if so, edit it the same as
below)
Sales PC:

SMC Client:

SMC:
R9:
=============================================================

4.7 Network AMP RTC


It has been requested to leverage existing networking components to
provide visibility and protection from a known suspicious file when it is
uploaded from the TAC PC to the FTP server in DC 2, and to quarantine the
machine until remediation is performed. Which four configuration
components contribute to the desired solution? (Choose four.)

You may access lab devices to answer this question.

o NGIPS configuration for the access policy tied up with the identity policy to
detect the file upload.
o NGIPS configuration for the access policy that is tied up with file policy to
detect and block the file.
o NGIPS configuration for the correlation policy to unquarantine if the user has
followed the remediation progress.
o Cisco FMC subscription for the ISE pxGrid services for ANC to trigger CoA
on SW1.
o Cisco FMC configuration for the correlation policy to trigger unquarantine
remediation if the TAC PC has followed the remediation progress.
o Cisco FMC configuration for the correlation policy to trigger quarantine
remediation if the TAC PC has tried to upload the file.
o Cisco FMC integration with ISE using pxGrid to trigger CoA on NGIPS for
the TAC PC to block the file transfer.
o Cisco FMC integration with ISE using the WMI protocol to trigger CoA for
the TAC PC.
o Cisco FMC integration with Cisco FireAMP Cloud to receive file events.
o Cisco Stealthwatch management console integration with Cisco FMC using
pxGrid for CoA on SW1 when the file is uploaded to the FTP server.
o Cisco Stealthwatch management console integration with Cisco FireAMP
Cloud to receive quarantine alerts from Cisco FMC for visibility.
o Cisco AMP for endpoint installation on SW1.
o Cisco AMP for endpoint installation on Active Directory for passive
authentication to facilitate the file disposition.
o Installation of remediation modules on ISE for “TAC PC” remediation.

=============================================================

4.8 Endpoint AMP RTC


It has been requested to use the existing network infrastructure to
implement the detection of a known malware transferred from the TAC PC to DC
2 and its mitigation when executed on the TAC PC.
The solution must use a management console to provide visibility of transfer and
mitigation events and to adjust the machine criticality level based on
the reported events. Which five configuration components contribute to the
desired solution? (Choose five.)

You may access lab devices to answer this question.

o NGIPS configuration for the access policy that is tied up with file policy to
detect the malware.
o NGIPS configuration for the access policy that is tied up with identity policy
to detect the malware.
o NGIPS configuration for the correlation policies to flag the TAC PC if
malware is executed and quarantined.
o Cisco FMC configuration for the correlation policy to set the TAC PC
criticality to Low if malware is quarantined and manually set the IOC to resolved.
o Cisco FMC configuration for the correlation policy to set the TAC PC
criticality to High if a malware file is transferred across NGIPS.
o Cisco FMC integration with Cisco FireAMP Cloud to receive malware
events.
o Cisco FMC integration with ISE using the WMI protocol to trigger CoA for
the port on which the TAC PC is connected when malware is executed.
o Cisco FMC integration with ISE using the WMI protocol to trigger CoA for
the port on which the TAC PC is connected when malware transferred
across NGIPS.
o Cisco AMP For endpoint installation on Active Directory by downloading
the connector from Cisco FireAMP Cloud for the authenticated user
reporting to Cisco FMC.
o Cisco AMP for endpoint installation on “TAC PC” by downloading the
connector from Cisco FireAMP cloud for malware quarantine.
o ISE subscription to Cisco FMC pxGrid services so that ISE can receive a
malware event to trigger CoA on SW1.
o Cisco Stealthwatch management console integration with Cisco FMC using
pxGrid to trigger manual CoA on SW1 port Gi0/1 when malware is executed
on the TAC PC.
o Cisco Stealthwatch management console integration with Cisco FireAMP
Cloud to receive quarantine alerts from the TAC PC so that it can perform
manual mitigation.
=============================================================

4.9 NetFlow/Stealthwatch

Which four configuration components contribute to the desired solution?
(Choose four.)

You may access lab devices to answer this question.

o The TAC PC configuration for CoA to dynamically download the quarantine
policy from ISE.
o NGIPS configuration for Active Directory realm to detect traffic anomaly on
the TAC PC for the authenticated user.
o NetFlow configuration on NGIPS to detect traffic deviation from baseline on
the TAC PC.
o NetFlow configuration on R13 that provide traffic data to Cisco SMC that
originated from the TAC PC.
o ISE configuration to receive the quarantine signal from Active Directory for
the authenticated user when the user generates malicious traffic.
o ISE configuration for ANC to trigger CoA on port Gi0/1 of SW1.
o ISE configuration for ANC to trigger CoA on port Gi0/2 of SW1.
o ISE configuration for pxGrid subscription with NGIPS to download traffic
pattern.
o ISE integration with Cisco AMP on the TAC PC to detect traffic anomaly.
o ISE subscription for Cisco FMC pxGrid services so that ISE can receive
malware event to trigger CoA on SW1.
o SW1 configuration for RADIUS CoA.
o Cisco SMC subscription for NGIPS pxGrid services to receive
authenticated session information for manual quarantine.
o Cisco SMC subscription for ISE pxGrid services to receive authenticated
session information for manual quarantine.

=============================================================

4.10 ESA
The CCIE Contractor PC is having an issue sending emails to the Cisco Contractor PC.
What is the root cause?
You may access lab devices to answer this question.

o DNS resolution is broken on the client side (Both NICs of CCIE Contractor
PC are missing DNS configuration)
