Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.
Secure Your Network With

Cisco ASA Second Generation's OS 9.x
Baldev Singh Deshwal, CCIE No. 37094
Page 2 of 846
Secure Your Network With Cisco ASA Second Generation's OS 9.x

About the Authors
Baldev Singh Deshwal , CCIE No. 37094, is a Senior Network Security Engineer at Network Bulls.
His primary job responsibilities include configuring maintain & t-shoot NB network . As well as he
also provides corporate trainning & cisco certification Training.
Additional certifications include MCP, MCSA, MCTS, Certified.
Page 3 of 846

About the Technical Reviewers
Baldev Singh Deshwal CCIE Security Certified CCIE# 37094.
Page 4 of 846

Dedications
This book is dedicated to the only & only Almighty Lord Shiva. Who created such condition that I
could not stop myself to write this book.
Page 5 of 846

Special Thanks
My Special thanks to my students. Who helped me to write this book.
Sandeep Yadav, Vishwajeet Rathore, Ram Swaroop Yadav, & Aman Soni
Keshav Trivedi, Shivendra & Lab Administrator Chander Prakash.
Page 6 of 846

Contents At A Glance
Section I.
Firewall Overview
Chapter 1
Firewall Introduction
Chapter 2
ASA Introduction
Chapter 3
ASA Basics
Section II.
Routing on ASA
Chapter 4
Routing Introduction
Chapter 5
RIP
Chapter 6
EIGRP
Chapter 7
OSPF
Chapter 8
IPv6 Introduction
Chapter 9
SLA
Chapter 10
Multicasting
Section III.
Access-list & NAT
Chapter 11
Introduction of Access-list
Chapter 12
NAT on OS 8.0
Chapter 13
NAT on 9.2.2.4
Chapter 14
CTP
Section IV.
IPSec Introduction
Chapter 15
Overview of IPSec
Chapter 16
Site-Site VPN
Chapter 17
Remote Access VPN
Chapter 18
VPN Load balancing
Chapter 19
SSL VPN
Section V.
Advance Firewall Features
Chapter 20
Transparent Firewall
Chapter 21
Context
Page 7 of 846

Chapter 22
Failover
Chapter 23
MPF
Section VI.
OS 9.x Advance Features
Chapter 24
OSPFv3
Chapter 25
NAT on OS 9.2.x on IPv6
Chapter 26
Site-Site VPN on IPv6
Chapter 27
SSL VPN on IPv6
Chapter 28
BGP
Chapter 29
Dynamic Routing in Context
Chapter 30
Site-Site VPN in Context
Chapter 31
Clustering
Chapter 32
Management of ASA
Chapter 33
IPv6 Active-Standby FO
Chapter 34
IPv6 Active-Active FO
Page 8 of 846

Contents
Section I.
Chapter 1
Introduction of Firewall
Packet Filtering
Proxy Server
State Full Firewall
Chapter 2
Introduction of ASA
ASA Features
Proprietary Operating System (P)
State Full Firewall
User Based Authentication
Protocols & Application Inspection
Modular Policy Frame Work
Virtual Private Network
Virtual Firewall
Web Based Management
Statefull Failover (P)
IPv6
Clustering
VPN LoadBalancing (P)
Chapter 3
How to set Hostname
How to set enable password
How to assign IP address to interface
How to assign security-level
How to enable Telnet
How to enable SSH
How to enable HTTP
How to take Backup of ASA
How to Upgrade ASA
How to recover ASA password
Diagrams & Labs:Section II.
Chapter 4
Introduction of Routing
Routing Types
Static Routing
Default Routing
Dynamic Routing
Routing Protocols
Routed Protocols
IGP
EGP
AS
IGP Types
EGP Types
Distance Vector
Firewall Overview
ASA Introduction
ASA Basics
Routing on ASA
Routing Introduction
Page 9 of 846

Link State
Enhanced Distance Vector
Chapter 5
RIP
Introduction of RIP
RIP Versions
Difference between V1 & V2
RIP Timers
RIP Loop Avoidance Techniques
Route Poisoning
Poison Reverse
Split-Horizon
Diagrams & Labs:Chapter 6
EIGRP
Introduction of EIGRP
EIGRP Components
Protocol Dependent Module
Reliable Transport Protocols
Neighbour Discovery & Recovery
Diffusing Update Algorithm
EIGRP Messages
EIGRP Terminologies
Successor
Feasible Distance
Feasible Successor
Feasible Successor Requirements
Advertise Distance/Reported Distance
Input Event
Local Computation
Going Active
EIGRP Additional Features
Incremental Updates
Multicast Updates
Unequal Cost Load Balancing
EIGRP Tables
Neighbour Tables
Topology Table
Routing Table
EIGRP Neighbour ship Requirements
EIGRP Metric
EIGRP Modes
OSPF
Introduction of OSPF
Difference Between Distance vector & Link State
OSPF Tables
OSPF Messages
OSPF Hello Message Contents
OSPF Message Contents
OSPF States
OSPF Priority
DR & BDR
Page 10 of 846

OSPF Metric
OSPF Network Types
OSPF Router Types
OSPF LSA Types
OSPF Area Types
OSPF Virtual Links
OSPF Neighbours Requirements
Introduction of IPv6
IPv6 styles
Global Unicast
Unique Local
Link-local
Link-local Address
IPv6 Structure
IPv6 Routing Protocols
RIPng
IS-ISv6
OSPFv3
EIGRPv6
MP-BGP-4
Introduction of SLA
IP Addresses Style
Unicast
Broadcast
Multicast
Multicast Mac Structure
Multicast Address
IGMP
Version 1
Version 2
Version 3
IGMP Snooping
Multicast Routing Protocols
PIM
RPF
Distribution Tree
Source Tree
Shared Tree
PIM Modes
Dense Mode
Sparse Mode
Sparse-Dense-Mode
PIM versions
Diagrams & Labs:Section III.
IPv6 Introduction
SLA
Multicasting
Access-list & NAT
Page 11 of 846

Chapter 11
Introduction of Access-list & Types
Standards Access-list
Extended Access-list
Time Base Access-list
Object Group & Types
Network Object
Protocol Object
Service Object
ICMP Object
Practical of
Static NAT (8.0)
Dynamic NAT (8.0)
PAT (8.0)
Static PAT (8.0)
NAT Bypass (8.0)
Identity NAT (8.0)
NAT Exemption (8.0)
Policy NAT (8.0)
Practical of
Static NAT (8.4 & Later)
Dynamic NAT (8.4 & Later)
PAT (8.4 & Later)
Static PAT (8.4 & Later)
Identity NAT (8.4 & Later)
Twice NAT (8.4 & Later)
CTP Introduction
AAA
TACACS+
RADIUS
CTP Working
Diagrams & Labs:Section IV.
Chapter 15
IPSec Introduction
IPsec Features
Confidentiality
Integrity
Data Origin Authentication
Anti-Replay
IPSec Protocols
IKE
ESP
AH
IKE Mode
Introduction of Access-list
NAT on OS 8.0
NAT on OS 9.2.2.4
CTP
IPSec Introduction
Overview of IPSec
Page 12 of 846

Main Mode
Aggressive Mode
Quick Mode
IKE Phases
Phase 1
Phase 1.5
Phase 2
IPSec Mode
Transport Mode
Tunnel Mode
SA
SA Components
SAD
SPD
NAT-T
NAT-T Steps
NAT-T Support
NAT-T Detection
NAT-T Decision
ISAKMP
Chapter 16
Introduction
Working
Introduction
Modes
Client
Network Extension
Network Extension Plus
Introduction
Supported Protocols
Cluster
Master
Member
Load balancing
Virtual Cluster Agent
SSL Introduction
SSL Mode
Clientless
Thin-client
Thick-client
Requirements
Working
Diagrams & Labs:Section V.
Chapter 20
Site-Site VPN
Remote Access VPN
VPN Load balancing
SSL VPN
Advance Firewall Features

Page 13 of 846

Introduction of Transparent Firewall
ASA Mode Route & Transparent
Transparent Firewall Limitation
Context
Introduction of Context
System Area
Admin Context
Context Channing
Mac-Address Auto
Context Requirements
Context Limitations
Failover
Introduction of Failover
Failover Requirements
Failover Hardware Requirements
Failover Software Requirements
Failover Types
Stateless Failover
Hardware Failover
State Full Failover
Failover Implementation Types
Active-Standby
Active-Active
Failover Limitations
Information Don't replicate During Failover
Failover Monitoring
Failover Link
MPF
Introduction OF Modular Policy Framework
MPF Features
Inspection of Connection
Connection Restriction
Traffic Prioritization
Traffic Policing
MPF Components
Class-map
Policy-map
Service-policy
Default-inspected Protocols & applications
DCE
SUN RPC
ILS
NetBIOS
XDMCP
IPSec-Pass-Through
ICMP
FTP
SMTP
Page 14 of 846

DNS
TFTP
HTTP
RSH
SQL.NET
SIP
SCCP
CTIQBE
MGCP
Diagrams & Labs:Section VI.
Chapter 24
Diagrams & Labs:Static
Dynamic
PAT
Static PAT
Identity NAT
Twice NAT
Chapter 26
Diagrams & Labs:Clientless
Thin-client
Chapter 28
BGP Introduction
BGP Messages
iBGP
eBGP
BGP States
BGP Terminology
Next-hop-self
Route-reflector-client
BGP-redistribute internal
Summarization or Aggregation
Diagrams & Labs:EIGRP
OSPF
Chapter 30
Introduction of Clustering
Clustering Terminology
Master
Slaves
Interface Types
OS 9.x Advance Features

OSPFv3

SSL VPN on IPv6
BGP

Clustering
Page 15 of 846

Load balancing in Clustering
Cluster Monitoring
Limitation of Clustering
Supported Features of Clustering
ASA as DHCP
ASA as DHCP Relay-Agent
Fragmentation
uRPF
EC
Redundent Interface
Diagrams & Labs:-
Management of ASA
Active-Standby IPv6 FO
Active-Active IPv6 FO
Page 16 of 846
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
Practicals Covered in this book

ASA_BASIC
ASA_Static_&_Default
ASA_RIP
ASA_EIGRP
ASA_OSPF
ASA_SLA
ASA_CTP
ASA_Multicasting
ASA_ACL_&_Objects
ASA_ipv6_static_default
ASA_NAT_8.0
ASA_NAT_9.2
How_To_Configure_2003_As_CA
How_To_Configure_IOS_As_CA
ASA_s2s_pre_8.0
ASA_s2s_rsa_8.0
ASA_s2s_overlapping_subnet
ASA_s2s_pre_ikev1
ASA_s2s_rsa_ikev1_2003_ca
ASA_s2s_pre_ikev2
ASA_s2s_rsa_ikev2_ios_Ca
ASA_s2s_rsa_ikev2_2012_Ca
ASA_ra_pre_8.0
ASA_ra_rsa_8.0
ASA_ra_ikev1_pre
ASA_ra_ikev1_rsa
ASA_ssl_8.0
ASA_ssl_9.2
ASA_vpn_load_balancing
ASA_Transparent_firewall
ASA_context
ASA_Inter_context_routing
ASA_active_standby_fo
ASA_active_active_fo
ASA_mpf
ASA_EC_RE
ASA9.x_bgp
ASA9.x_clustering
ASA9.x_dynamic_routing
ASA9.x_ospfv3
ASA9.x_s2s_in_context
ASA9.x_ssl
ASA9.x_ipv6_s2s
ASA9.x_ipv6_ nat
ASA9.x_ipv6_active_standby_fo
ASA9.x_ipv6_active_active_fo
To Be Continue...................................................
Page 17 of 846

Chapter 1
Introducing Firewall &

Firewall Techniques
After Reading this chapter you would be able to describe
Firewall
Firewall techniques
Packet Filtering
Proxy Server
State full Firewall
Page 18 of 846
Firewall a system or group of system. That manage access between two or more network.
Firewall Techniques
1. Packet Filtering
2. Proxy Server
3. State-full Firewall
4. Transparent Firewall
Packet Filtering
In Packet filtering packets are filtered using access-list. On Cisco IOS we can use Standard or
Extended access-list, Named access-list,Time Based access-list, Dynamic access-list,Reflexive accesslist, TCP Establish access-list to filter the traffic .
Advantages
Easy to implement
Cost- effective
Disadvantages
Not-scalable
Complex access-list are hard to create & maintain
Proxy Server
It works as an intermediate system b/w inside & outside world
It will not allow inside user to go outside directly vice-versa
Limitations
Single point of failure
It introduce delay
Stateful Firewall
As name tells us that State-full .it maintain the state of connection when packet is travelling through
the appliance. It maintain the state of connection in state table. After adding information in state
table it forwards the packet to the destination. When it receive the reply-packet it match the
packet's information to state-table if match packet is accepted otherwise drop.
Page 19 of 846
State table contents

Source IP
Destination IP
Source Port
Destination Port
Additional Information ( syn , syn-ack , ack)
It works at layer 2, or it forwards the frames based on destination Mac. But still it has capabilities to
filter the traffic from layer 2 to layer 7.
Page 20 of 846

Chapter 2
Cisco ASA Introduction

Cisco ASA
Cisco ASA Features
Page 21 of 846
What is Cisco ASA

Cisco adaptive security appliance it is a combination of state full firewall & VPN concentrator .
ASA Features
Proprietary Operating system

State-Full Firewall
User Base Authentication (CTP)
Protocol and application inspection
MPF
VPN
Virtual Firewalls
Web Base management
State Full Failover
IPV6
Clustering
VPN LoadBalancing
Proprietary Operating System

It mean that both hardware & software belongs to Cisco. It is not just like another vender they use
one company OS and another company hardware.
State full Firewall

As name tells us that State-full .it maintain the state of connection when packet is travelling for the
appliance. It maintain the state of connection in state table. After adding information in state table
it forwards the packet to the destination. When it receive the reply-packet it match the packet
information to state-table if match packet is accepted otherwise drop.
User Base Authentication

Using this feature we can authenticate the inbound or outbound request
Of telnet , http, https, ftp using AAA server.
Page 22 of 846
Protocol & Application Inspection

A part of MPF(Modular Policy Framework ) using Protocol and application inspection we can enable
deeper inspection of application layer protocols like ftp, smtp, dns, tftp, http, NetBIOS etc.
Modular Policy Framework

A approach to gain following features
Inspection of connection
Connection restriction
Traffic prioritization
Traffic policing
VPN
Cisco ASA support IPSec, SSL PPTP protocols for VPN
IPSec (site-site, & remote-access)
SSL (Clientless, Thin, Thick)
L2TP
Virtual Firewall
We can divide an appliance into many virtual appliances these virtual appliances are call virtual
firewall or security context.
Web Base Management

If some engineer feel complexity to configure an appliance using CLI
ASA has an option to configure it using GUI via ASDM
State full Failover

A Cisco Proprietary feature of Cisco ASA it provides uninterrupted network access, using redundant
appliances
It support active-standby & active-active failover.
Page 23 of 846
IPv6
Cisco ASA also support ipv6 routing. Like static, Dynamic, Default.
Clustering
A feature introduce in OS Version 9.0 it enables us to group multiple appliances as a single appliance.
VPN Load Balancing

A Cisco Proprieatry Feature of cisco firewall . It enable multiple remote vpn servers to appear as a
single server.
Page 24 of 846

Chapter 3
ASA Basic
After Reading this chapter you would be able to configure & Describe
Cisco asa Modes

Hostname
Enable Password
IP Address on interface
Security-level
Telnet
SSH
HTTP
Backup
Upgrade
Password Recovery
Page 25 of 846
ASA Basic LAB
How to set hostname.

How to set enable password
How to set IP add on an interface
How to enable TELNET
How to enable SSH
How to enable HTTP
How to take backup
How to upgrade an appliance
How to recover password
Diagram:-
ASA Mode
ciscoasa> (User mode)
ciscoasa> enable
Password:
ciscoasa# conf t (enable mode)
ciscoasa(config)# ! hostname (config-mode)
ciscoasa(config)# hostname ASA1
How To set Enable Password
ASA1(config)#
ASA1(config)# enable password shiva
ASA1(config)# exit
Logoff
Type help or '?' for a list of available commands.
ASA1> enable
Password: shiva
ASA1# conf t
ASA1(config)# ! remove enable password
ASA1(config)# enable password (just enter)
Page 26 of 846

How to Check Configuration
ASA1(config)# ! show run
ASA1(config)# sh running-config
: Saved
:
ASA Version 9.0(3)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
How to Check Interface Status
ASA1(config)# sh int ip brief
Interface
IP-Address OK? Method Status
Protocol
GigabitEthernet0/0
unassigned YES unset administratively down down
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3
GigabitEthernet0/4
GigabitEthernet0/5
How to assign IP address & security-level to interface
ASA1(config)# ! set interface ip
ASA1(config)# int g0/0
ASA1(config-if)# no sh
ASA1(config-if)# ip add 192.168.101.1
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# int g0/1
ASA1(config-if)# no shu
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ! check
ASA1(config-if)# sh int ip br
ASA1(config-if)# sh int ip brief
Interface
GigabitEthernet0/0
192.168.101.1 YES manual up
GigabitEthernet0/1
PC2(config)#int fastEthernet 0/0
PC2(config-if)#no shutdown
PC2(config-if)#ip add 192.168.102.100 255.255.255.0
ASA1(config-if)# ping 192.168.101.1
Type escape sequence to abort.
Protocol
up
up
Page 27 of 846

Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
!!!!!
!!!!!
!!!!!
How to enable telnet
ASA1(config)# telnet 192.168.101.100 255.255.255.255 inside (for host)
ASA1(config)# telnet 192.168.101.0 255.255.255.0 inside (for n/w)
ASA1(config)# telnet 0.0.0.0 0.0.0.0 inside (wild card)
! default telnet pass is cisco till os 8.6
! but in os 9.0 & later default password removed
ASA1(config)# ! you have to set
ASA1(config)# sh ver
Cisco Adaptive Security Appliance Software Version 9.0(3)
ASA1(config)# passwd cisco
! verification on pc
Page 28 of 846

!How to enable SSH on Cisco ASA
ASA1(config)# domain-name cisco.com
ASA1(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA1(config)# ssh 0 0 inside
ASA1(config)# ssh 0 0 outside
ASA1(config)# username shiva password shiva privilege 15
ASA1(config)# aaa authentication ssh console LOCAL
! verification in pc
Page 29 of 846
! verification in pc2
PC2#ssh -l shiva 192.168.102.1
Password:
ASA1>
! you can't telnet to lowest security-level
ASA1(config)# telnet 0 0 outside
ASA1(config)# ssh 0 0 outside
PC2#telnet 192.168.102.1
Trying 192.168.102.1 ...
% Connection timed out; remote host not responding
PC2#ssh
PC2#ssh -l
PC2#ssh -l shiva 192.168.102.1
Page 30 of 846

Password:
! How to enable http server
ASA1(config)# sh flash
--#-- --length-- -----date/time------ path
146 0
Aug 29 2014 13:00:14 nat_ident_migrate
147 1422
Sep 23 2014 17:29:26 admin.cfg
148 2331
Sep 23 2014 17:29:26 old_running.cfg
22 4096
Sep 27 2013 10:55:54 coredumpinfo
23 59
Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg
149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
11 4096
Aug 29 2014 12:48:00 log
21 4096
Aug 29 2014 12:48:40 crypto_archive
150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin
151 135168 Jan 01 1980 00:00:00 FSCK0000.REC
152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
153 4096
Aug 29 2014 13:29:32 sdesktop
165 2082
Aug 29 2014 13:29:30 sdesktop/data-bkp.xml
166 2009
Aug 29 2014 13:42:06 sdesktop/data.xml
154 6487517 Oct 16 2012 13:16:00 anyconnect-macosx-i386-2.5.2014-k9.pkg
155 6689498 Oct 16 2012 13:16:02 anyconnect-linux-2.5.2014-k9.pkg
156 4678691 Oct 16 2012 13:16:02 anyconnect-win-2.5.2014-k9.pkg
157 333
Aug 29 2014 13:28:04 Anyconnect_client_profile.xml
158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin
160 4096
Jan 01 1980 00:00:00 FSCK0001.REC
161 31522773 Sep 26 2013 12:44:30 anyconnect-win-3.1.03103-k9.pkg
4118732800 bytes total (3964596224 bytes free)
ASA1(config)# http server enable
ASA1(config)# http 0 0 inside
ASA1(config)# username shiva pass shiva pri 15
ASA1(config)# ! verification on client
Page 31 of 846
Note:if some wrong

please run these commands on asa
ASA1(config)# asdm image disk0:/asdm-66114.bin
initiate connection again.........................................
Page 32 of 846
Page 33 of 846
Page 34 of 846
Page 35 of 846
! ASA os Backup
ASA1(config)# sh fla
ASA1(config)# sh flash:
146 0
147 1422
Sep 23 2014 17:29:26 admin.cfg
148 2331
22 4096
23 59
149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
11 4096
Aug 29 2014 12:48:00 log
21 4096
150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin
151 135168 Jan 01 1980 00:00:00 FSCK0000.REC
152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
153 4096
Aug 29 2014 13:29:32 sdesktop
165 2082
166 2009
157 333
158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin
160 4096
Jan 01 1980 00:00:00 FSCK0001.REC
ASA1(config)# copy flash: tftp:
Source filename []? asa903-smp-k8.bin
Address or name of remote host []? 192.168.101.100
Destination filename [asa903-smp-k8.bin]?
Writing file tftp://192.168.101.100/asa903-smp-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
36993024 bytes copied in 130.870 secs (284561 bytes/sec)
Page 36 of 846
ASA1(config)# ! ASA os Upgrade

ASA1(config)# ! Latest os is no PC1 FTP
ASA1(config)# copy ftp://192.168.101.100/asa922-4-smp-k8.bin flash:

Address or name of remote host [192.168.101.100]? enter
Source filename [asa922-4-smp-k8.bin]? enter
Destination filename [asa922-4-smp-k8.bin]? enter
Accessing ftp://192.168.101.100/asa922-4-smpk8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa922-4-smp-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
52457472 bytes copied in 63.150 secs (832658 bytes/sec)
ASA1(config)# sh flash:
146 0
147 1422
Sep 23 2014 17:29:26 admin.cfg
148 2331
22 4096
23 59
149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
Page 37 of 846

11 4096
Aug 29 2014 12:48:00 log
21 4096
150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin
151 135168 Jan 01 1980 00:00:00 FSCK0000.REC
152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
153 4096
Aug 29 2014 13:29:32 sdesktop
165 2082
166 2009
157 333
158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin
168 52457472 Sep 28 2014 13:23:59 asa922-4-smp-k8.bin
160 4096
Jan 01 1980 00:00:00 FSCK0001.REC
! boot to latest os
ASA1(config)# boot system disk0:/asa922-4-smp-k8.bin
ASA1(config)# write
Building configuration...
Cryptochecksum: 23dfb1bc 85a02476 e2a94e9f 9626e623
2852 bytes copied in 0.750 secs
[OK]
ASA1(config)# sh running-config boot
boot system disk0:/asa922-4-smp-k8.bin
ASA1(config)# reload
Proceed with reload? [confirm]
ASA1(config)#
***
*** --- START GRACEFUL SHUTDOWN --***
*** --- SHUTDOWN NOW --Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa922-4-smp-k8.bin...
ASA1# sh version
Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 6.6(1)
Compiled on Tue 29-Jul-14 23:41 PDT by builders
System image file is "disk0:/asa922-4-smp-k8.bin"
Config file at boot was "startup-config"
ASA1 up 40 secs
Page 38 of 846

! password recovery
ASA1(config)# enable password asdasdwwqek89geuqbdqweqw
ASA1(config)# wr
ASA1(config)# write
ASA1# ex
Logoff
ASA1> reset manually...the appliance......
At the time of boot....................
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 9 seconds.
Press (Use BREAK or ESC to interrupt boot) on key borad.........
Use ? for help.
rommon #0> confreg 0x41
Update Config Register (0x41) in NVRAM...
rommon #1> reset
ciscoasa> en
ciscoasa> enable
Password:
ciscoasa# conf t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)#
ciscoasa(config)# copy startup-config running-config
Destination filename [running-config]?
.
Cryptochecksum (unchanged): 3968c06d 20751a6b 73f37918 d875d53d
ASA1(config)#
ASA1(config)# enable password enter
ASA1(config)# config-register 0x01
System config has been modified. Save? [Y]es/[N]o: y
Page 39 of 846

Cryptochecksum: 3f5ee47a 0fe39be7 24974ec3 28f97b3b
Proceed with reload? [confirm] enter
ASA1(config)#
***
*** --- START GRACEFUL SHUTDOWN --ASA1> en
ASA1> enable
Password: (now no password)
ASA1#
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# pin
ASA1(config)# ping 192.168.102.100
!!!!!
Page 40 of 846

Chapter 4
Routing on Cisco ASA
Routing
Routing rules
Types of routing
Static Routing
Routing Protocols
Routed Protocols
IGP
EGP
Distance Vector
Link State
Enhanced Distance Vector
Page 41 of 846
Routing
A process of transferring a packet from one network to another is called routing.
Routing Rules
1. If the destination is in the same subnet or network then a device directly forwards a packet to
destination.
Note:- ARP request is used to find out destination Mac-address.
2. If the destination is not in the same subnet or network then a device directly forwards a packet to
default gateway.
Note:- ARP request is used to find out default gateway Mac-address
Routing Types
Static
Default
Dynamic
Static Routing
In static routing we define route manually with appropriate next-hop.
In static routing we always define indirectly connected network.
Advantages
Easy to implement
Less CPU-overload
Less bandwidth consumption
Disadvantages
Not scale-able
Default Routing
It is used on stub router or network. A stub router has only one entry or exit point. It can be used to
reduce the size of routing table
Limitation
It can cause of loop in the network.
Page 42 of 846
Dynamic Routing
In dynamic routing we use routing protocol. They dynamically learn about route & do send route
information to the neighbours routers.
Routed Protocols
They are those protocol which have capabilities to send data from one device to another device.
Like IP,IPX, Apple Talk
Routing Protocols Types
IGP
EGP
Interior Gateway Protocol

They are those protocols which are designed to work within AS.
IGP Types
Distance Vector
Link State
Enhanced DV (Hybrid)
AS (Autonomous System)
A collection of router managed by single Organization.
Exterior Gateway Protocol

They are designed to work over AS. BGP is only EGP Protocol.
Note EGP was a protocol itself in past
Distance Vector
A Distance Vector routing protocol selects the route based on distance
That is called hop count.
Hop Count
When a packet across a router that is called one hop
Page 43 of 846

A Distance Vector routing protocol select that route which provides a network at least hop.
Examples:- RIP, IGRP.
Link State
As name tells us link state a link state routing protocol sends update based in the state of link. When
a link comes up & goes down it sends update.
It sends update with a sequence number. 0x80000001 goes till 0xFFFFFFFF.
Examples:- OSPF,IS-IS.
Enhance DV
EIGRP is an Enhanced DV routing protocol based in distance vector algorithm. & sends incremental
update like link state i.e. Some people called it hybrid . But Cisco called it Enhanced DV.
Diagram:-
Page 44 of 846

Initial-config
hostname R1
interface fastEthernet 0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
Page 45 of 846

int l6
ip add 172.30.6.1 255.255.255.0
R4
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
Routing
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.2
ASA1(config)# interface gigabitEthernet 0/0
ASA1(config-if)# interface g0/1
ASA1(config-if)# nameif dmz1
INFO: Security level for "dmz1" set to 0 by default.
ASA1(config-if)# security-level 60
ASA1(config-if)# interface gigabitEthernet 0/2
Interface
GigabitEthernet0/0
GigabitEthernet0/1
GigabitEthernet0/2
Protocol
up
up
up
Page 46 of 846

GigabitEthernet0/3
up
ASA1(config-if)# sh nameif
Interface
Name
Security
GigabitEthernet0/0
inside
100
GigabitEthernet0/1
dmz1
60
GigabitEthernet0/2
outside
0
GigabitEthernet0/3
dmz2
50
!!!!!
!!!!!
!!!!!
!!!!!
Static & Default Routing Commands on ASA
ASA1(config)# route inside 172.10.1.0 255.255.255.0 192.168.1.1
ASA1(config)# route dmz1 172.20.1.0 255.255.255.0 192.168.2.1
ASA1(config)# route outside 0 0 192.168.3.1 (Default Route)
ASA1(config)# ping 172.10.1.1
Page 47 of 846

!!!!!
!!!!!
!!!!!
!!!!!
!!!!!
!!!!!
!!!!!
!!!!!
ASA1(config)# sh route inside
S
172.10.1.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S
172.10.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S
172.10.3.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S
172.10.4.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S
172.10.5.0 255.255.255.0 [1/0] via 192.168.1.1, inside
S
172.10.6.0 255.255.255.0 [1/0] via 192.168.1.1, inside
ASA1(config)# sh route dmz1
S
172.20.1.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
S
172.20.2.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
S
172.20.3.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
S
172.20.4.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
S
172.20.5.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
Page 48 of 846

S
172.20.6.0 255.255.255.0 [1/0] via 192.168.2.1, dmz1
ASA1(config)# sh route outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
ASA1(config)# sh route dmz2
S
172.40.1.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S
172.40.2.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S
172.40.3.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S
172.40.4.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S
172.40.5.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
S
172.40.6.0 255.255.255.0 [1/0] via 192.168.4.1, dmz2
ASA allow higher-level to lower default of not working problem access-list

Only TCP & UDP is allowed
ASA deny lower-level to higher default if you want apply access-list
R1#telnet
*Sep 28 08:38:34.207: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 172.20.1.1
Trying 172.20.1.1 ... Open
Password required, but none set
[Connection to 172.20.1.1 closed by foreign host]
R1#telnet 172.30.1.1
Trying 172.30.1.1 ... Open
R1#telnet 172.40.1.1
Trying 172.40.1.1 ... Open
But.........................
R2#telnet 172.10.1.1
Trying 172.10.1.1 ...
% Connection timed out; remote host not responding
R2#telnet 172.30.1.1
Trying 172.30.1.1 ... Open
R2#telnet 172.40.1.1
Trying 172.40.1.1 ... Open
If you want
Apply Access-list on ASA................
ASA1(config)# access-list dmz1 permit ip 172.20.0.0 255.255.0.0 172.10.0.0 255.255.0.0
ASA1(config)# access-group dmz1 in interface dmz1
R2#ping 172.10.1.1 source loopback 1
Page 49 of 846

Packet sent with a source address of 172.20.1.1
!!!!!
R2#ping 172.10.6.1 source loopback 1
!!!!!
R2#telnet 172.30.1.1 /source-interface loopback 1
Trying 172.30.1.1 ...
% Connection refused by remote host
it is due to access-list...............
If you want in acl permit R3 lan & R4 lan
Page 50 of 846

Chapter 5
RIP
RIP
RIP Version
RIP Timers
RIP Loop avoidance Techniques
Route Poisoning
Poisoning Reverse
Split-Horizon
Page 51 of 846
Routing Information Protocol

It is an interior gateway distance vector routing protocol.
It use UDP Port no. 520. It has 2 version.
Version 1
Class-full
DV
AD 120
Metric Hop count
Max-hop 15
Broadcast Update
255.255.255.255
Default
Send v1
Receive v1&v2
No authentication
Class-full
Version 2
Class-less
DV
AD 120
Metric Hop count
Max-hop 15
Multicast Update
224.0.0.9
Manual
Send v2
Receive v2
Support authentication
Classless
Class Full Routing Protocols

A Class-full routing protocol doesn't send subnet mask information to neighbour router. Examples:RIPv1 & IGRP.
Class Less Routing Protocols

A Classless routing protocol do send subnet mask information to neighbour router
Examples:-Ripv2,EIGRP,OSPF,IS-IS,BGP.
Rip Loop Avoidance Techniques
Route Poisoning
Poison Reverse
Split-Horizon
Page 52 of 846
Route Poisoning
Rip separate the bad news with a special type of metric that is infinite-metric i.e.16. When rip
advertise a route with 16 metric that is called Route Poisoning.
Route Poisoning
Router1>>>>> 101.0=16>>>>>>>>>Router2
Poison Reverse
When a router receive Route Poisoning update it accept is and updates it routing table, and it sends
same update to the neighbour.
(Router1>>>>> 101.0=16>>>>>>>>>Router2 )
(Router1<<<<< 101.0=16<<<<<<<<<Router2) is Poison Reverse
Split Horizon
A rule in distance vector routing protocol. It doesn't allow a routing protocol to send an information
on an interface which was receive from same interface.
RIP Timers
Update
Invalid
Hold
Flush
30sec
180sec
180sec
240sec
Page 53 of 846

Diagram:-
Initial-config
hostname R1
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
Page 54 of 846

ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
Page 55 of 846

Interface
Protocol
GigabitEthernet0/0
up
GigabitEthernet0/1
up
GigabitEthernet0/2
up
GigabitEthernet0/3
up
Interface
Name
Security
GigabitEthernet0/0
inside
100
GigabitEthernet0/1
dmz1
60
GigabitEthernet0/2
outside
0
GigabitEthernet0/3
dmz2
50
!!!!!
!!!!!
!!!!!
!!!!!
R1
router rip
no au
ver 2
net 0.0.0.0
Page 56 of 846

R2
router rip
no au
ver 2
net 0.0.0.0
R3
router rip
no au
ver 2
net 0.0.0.0
R4
router rip
no au
ver 2
net 0.0.0.0
ASA1
router rip
no au
ver 2
net 0.0.0.0
ASA1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside

172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:26, inside
172.20.1.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
172.20.2.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
172.20.3.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
172.20.4.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
172.20.5.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
172.20.6.0 255.255.255.0 [120/1] via 192.168.2.1, 00:00:22, dmz1
172.30.1.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:17, outside
172.30.2.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:17, outside
172.30.3.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside
172.30.4.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside
172.30.5.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside
172.30.6.0 255.255.255.0 [120/1] via 192.168.3.1, 00:00:22, outside
172.40.1.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
Page 57 of 846

R
R
R
R
R
172.40.2.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2

172.40.3.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
172.40.4.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
172.40.5.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
172.40.6.0 255.255.255.0 [120/1] via 192.168.4.1, 00:00:25, dmz2
! Disabling Updates on a Particuler Interface

ASA1(config)# router rip
ASA1(config-router)# passive-interface default
ASA1(config-router)# no passive-interface inside
ASA1(config-router)# no passive-interface dmz1
ASA1(config-router)# no passive-interface outside
ASA1(config-router)# route outside 0 0 192.168.3.1
!Redistribution in RIP
ASA1(config-router)# router rip
ASA1(config-router)# !redistribute
ASA1(config-router)# redistribute static metric 1
! Verification on Routers
R1#sh ip route rip
R* 0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:24, FastEthernet0/0
R2#sh ip route rip
R4#sh ip route rip
ASA1(config-router)# no redistribute static metric 1
! Default route Orgination via default-information orginate command
ASA1(config-router)# default-information originate
ASA1(config)# sh running-config route
! Verification on Routers
R1#sh ip route rip on R2, R3, R4
ASA1# sh route inside
R
172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R
172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R
172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R
172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R
172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
R
172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:05, inside
C
192.168.1.0 255.255.255.0 is directly connected, inside
L
Page 58 of 846

! Route Filtering in RIP on ASA
ASA1(config)# access-list 10 permit 172.10.1.0 255.255.255.0
ASA1(config)# router rip
ASA1(config-router)# distribute-list 10 in interface inside
! Verification on ASA
ASA1(config-router)# sh route inside
R
172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside
R
172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside
R
172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:20, inside
R
172.10.4.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside
R
172.10.5.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside
R
172.10.6.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:13, inside
C
L
ASA1# clear route all
R
172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside
R
172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside
R
172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:00:01, inside
C
L
! Enabling RIP Authentication on ASA
ASA1(config-router)# interface gigabitEthernet 0/0
ASA1(config-if)# rip authentication mode md5
ASA1(config-if)# rip authentication key shiva key_id 100
! Verification & Effect on Authentication
R
R
R
C
L
172.10.1.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:07, inside

172.10.2.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:07, inside
172.10.3.0 255.255.255.0 [120/1] via 192.168.1.1, 00:01:07, inside
Page 59 of 846

! RIP Authentication on Router
R1(config)#key chain trust
R1(config-keychain)#key 100
R1(config-keychain-key)#key-string shiva
R1(config-keychain-key)#int f0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain trust
! Verification on Router
R1#sh ip route rip
172.20.0.0/24 is subnetted, 6 subnets
R
172.20.1.0 [120/2] via 192.168.1.2, 00:00:06, FastEthernet0/0
R
R
R
R
! RIP Version custmization on Router & ASA
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip rip receive version 2
R1(config-if)#ip rip send version 2
ASA1(config-if)# rip send version 2
ASA1(config-if)# rip receive version 2
Page 60 of 846

Chapter 6
EIGRP
EIGRP
EIGRP Components
EIGRP Messages
EIGRP Terminology
EIGRP Tables Types
EIGRP Modes
EIGRP Neighbours Requirements
Page 61 of 846
Enhanced Interior Gateway Routing Protocol

It is an interior gateway class-less enhanced Distance vector routing protocol. It use IP protocol no
88. It sends multicast hello at 224.0.0.10.
Enhanced Components
PDM (Protocol Dependent Module)

RTP(Reliable Transport Protocol)
NDR(Neighbour Discovery and Recovery)
DUAL(Diffusing Update Algorithm)
PDM
It is used to support different type of routed protocol
Like IP, IPX, Apple Talk.
RTP
It is used to send some EIGRP messages
EIGRP messages:1. Hello
2. Update via RTP
3. Acknowledgement
4.Query via RTP
5.Reply via RTP
Multicast
Multicast
Unicast
Multicast
Unicast
NDR
It is used to maintain neighbour ship. Function
First it determines that how many neighbours are exist.
Second how many hello or Acknowledgement will be expected
If continue 3 hello missed neighbour is removed from neighbour table.
Page 62 of 846
DUAL
A modification in distance vector algorithm is called DUAL
It provides a loop free failover path.
EIGRP Terminology
Successor
Feasible Distance
Feasible Successor
Feasible Successor Requirement
AD/RD
Input Event
Local Computation
Going Active
Successor
A best route to reach a subnet or network.
Feasible Distance
Calculated metric of successor is called Feasible Distance.
Feasible Successor
An another best route it provides backup to successor.
Feasible Successor Requirements

A route whose AD is less then FD of current successor.
Page 63 of 846
AD/RD
A Router's FD is called AD/RD for its neighbours.
Input Event
An information which has capabilities to change the data base.
Local Computation
A term it has two function
If successor goes down it use FS
If FS is not available then it become active for that route
Going Active
It means that a router is sending query to its neighbour for a route.
EIGRP Additional Features
Incremental Updates
When there is a change in topology EIGRP will send updates.
Multicast Update
Updates at 224.0.0.10
Un-Equal Cost Load Balancing
In Un-Equal Cost Load Balancing best FD is multiply by multiplier and we get a product if
another routes are lower than that product they are eligible for load balancing.
EIGRP Tables
Neighbour Table
Topology Table
Routing Table
Page 64 of 846
Neighbour Tables
First of all EIGRP built neighbour table. It contain following information.
IP add of neighbour
Interface
Up time
Hold time
Sequence no of last packet
Packet in queue
SRTT
RTO
Topology Tables
After neighbour table EIGRP maintain topology table
It contain successor & feasible successor.
Routing Tables
It contain three types of route
Internal
External
Summary
EIGRP Metric
EIGRP metric is called composite metric. It contain 5 elements, these elements are called K-values.
Bandwidth
Delay
Load
Reliability
MTU
Only Bandwidth & delay is used for metric calculation.
EIGRP Neighbour Requirement
AS No.
K-values
Authentication
Page 65 of 846
Static neighbour ship
EIGRP Modes
Passive mode
When a successor goes down and router has FS , it is called Passive mode.
Active mode
When a successor goes down and router has no FS , it is called Passive mode.
EIGRP support only MD5 auth
EIGRP AD 5/90/170(summary /internal/external)
EIGRP default hop 100 , max 255
EIGRP default variance 1, max 128
EIGRP default max-path 4, max 16
EIGRP default hello 5/60 (LAN/FR)
EIGRP default hold 15/180 (LAN/FR)
Diagram:-
Initial-config
hostname R1
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
Page 66 of 846

int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
Page 67 of 846

int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
Interface
Protocol
GigabitEthernet0/0
up
GigabitEthernet0/1
up
GigabitEthernet0/2
up
GigabitEthernet0/3
up
Interface
Name
Security
GigabitEthernet0/0
inside
100
GigabitEthernet0/1
dmz1
60
GigabitEthernet0/2
outside
0
GigabitEthernet0/3
dmz2
50
!!!!!
!!!!!
Page 68 of 846

!!!!!
!!!!!
R1
router ei 100
no aut
net 0.0.0.0
R2
router ei 100
no aut
net 0.0.0.0
R3
router ei 100
no aut
net 0.0.0.0
R4
router ei 100
no aut
net 0.0.0.0
ASA1
router ei 100
no aut
net 0.0.0.0
! EIGRP Neighbour Verification
ASA1# sh eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address
Interface
Hold Uptime SRTT RTO
(sec)
(ms)
Cnt Num
3 192.168.4.1
dmz2
12 00:00:12 1 200 0
2 192.168.3.1
outside
14 00:00:14 1 200 0
1 192.168.2.1
dmz1
12 00:00:16 1 200 0
0 192.168.1.1
inside
10 00:00:17 1 200 0
Q Seq
3
3
3
3
! EIGRP Topology Verification

ASA1# sh eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.4.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.20.5.0 255.255.255.0, 1 successors, FD is 130816
via 192.168.2.1 (130816/128256), dmz1
Page 69 of 846

via Connected, dmz2
via 192.168.3.1 (130816/128256), outside
via Connected, inside
via 192.168.2.1 (130816/128256), dmz1
via 192.168.4.1 (130816/128256), dmz2
via 192.168.1.1 (130816/128256), inside
via 192.168.2.1 (130816/128256), dmz1
via 192.168.1.1 (130816/128256), inside
via Connected, dmz1
via 192.168.3.1 (130816/128256), outside
via 192.168.1.1 (130816/128256), inside
via 192.168.4.1 (130816/128256), dmz2
via 192.168.2.1 (130816/128256), dmz1
via 192.168.2.1 (130816/128256), dmz1
via 192.168.4.1 (130816/128256), dmz2
via Connected, outside
via 192.168.4.1 (130816/128256), dmz2
via 192.168.4.1 (130816/128256), dmz2
via 192.168.1.1 (130816/128256), inside
via 192.168.4.1 (130816/128256), dmz2
via 192.168.3.1 (130816/128256), outside
via 192.168.3.1 (130816/128256), outside
via 192.168.2.1 (130816/128256), dmz1
via 192.168.1.1 (130816/128256), inside
via 192.168.3.1 (130816/128256), outside
via 192.168.1.1 (130816/128256), inside
Page 70 of 846

via 192.168.3.1 (130816/128256), outside
! Routing Table verification on ASA
ASA1# sh route
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
172.10.1.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
172.10.3.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
172.10.4.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
172.10.5.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
172.10.6.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:04:40, inside
172.20.1.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1
172.20.2.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:38, dmz1
172.20.3.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
172.20.4.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
172.20.5.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
172.20.6.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:04:40, dmz1
172.30.1.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
172.30.2.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
172.30.3.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
172.30.4.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
172.30.5.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
172.30.6.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:04:38, outside
172.40.1.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
172.40.2.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
172.40.3.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
172.40.4.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
172.40.5.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
Page 71 of 846

D
172.40.6.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:04:34, dmz2
C
L
C
192.168.2.0 255.255.255.0 is directly connected, dmz1
L
C
192.168.3.0 255.255.255.0 is directly connected, outside
L
C
L
ASA1# ping 172.10.1.1
!!!!!
ASA1# ping 172.20.1.1
!!!!!
ASA1# ping 172.30.1.1
!!!!!
ASA1# ping 172.40.1.1
!!!!!
ASA1# ping 172.10.6.1
!!!!!
ASA1# ping 172.20.6.1
!!!!!
ASA1# ping 172.30.6.1
!!!!!
ASA1# ping 172.40.6.1
!!!!!
Page 72 of 846

! Disabling Unwanted Updates or neighbourship in EIGRP
ASA1(config)# router eigrp 100
ASA1(config-router)# passive-interface default
ASA1(config-router)# no passive-interface inside
ASA1(config-router)# no passive-interface outside
ASA1(config-router)# route outside 0 0 192.168.3.1
! Redistribution in EIGRP
ASA1(config-router)# redistribute static metric 1 1 1 1 1
! Redistribution verification on Routers
R1#sh ip route eigrp on R2, R3, R4
D*EX 0.0.0.0/0 [170/2560002816] via 192.168.1.2, 00:00:35, FastEthernet0/0
ASA1(config-router)# no redistribute static metric 1 1 1 1 1
ASA1(config-router)# default-metric 1 1 1 1 1
ASA1(config-router)# redistribute static
R1#sh ip route eigrp on R2, R3, R4
D*EX 0.0.0.0/0 [170/2560002816] via 192.168.1.2, 00:00:35, FastEthernet0/0
ASA1(config-router)# no redistribute static
! Static Neighbourship on ASA
ASA1(config-router)# neighbor 192.168.1.1 interface inside
! Debug Command review
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Sep 28 09:29:35.271: EIGRP: Sending HELLO on Loopback2
*Sep 28 09:29:35.271: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Sep 28 09:29:35.271: EIGRP: Received HELLO on Loopback2 nbr 172.10.2.1
*Sep 28 09:29:35.271: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
*Sep 28 09:29:35.271: EIGRP: Packet from ourselves ignored
R1#
*Sep 28 09:29:36.947: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.1.2
*Sep 28 09:29:36.947: EIGRP: Ignore unicast Hello from FastEthernet0/0 192.168.1.2
Page 73 of 846

R1#
! Static Neighbourship on Router
R1(config)#router ei 100
R1(config-router)#neighbor 192.168.1.2 fastEthernet 0/0
! Verification of Static neighbourship
D
172.10.1.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
D
172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
D
172.10.3.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
D
172.10.4.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
D
172.10.5.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
D
172.10.6.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:00:51, inside
! Route Filtering in EIGRP
ASA1
access-list 10 standard permit 172.10.1.0 255.255.255.0
! Verification
ASA1(config-router)# router eigrp 100
D
172.10.1.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:02:10, inside
D
172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:02:10, inside
D
172.10.3.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:02:10, inside
C
L
ASA1(config)# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
D
172.10.1.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:03:02, inside
D
172.10.2.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:03:02, inside
D
172.10.3.0 255.255.255.0
[90/130816] via 192.168.1.1, 00:03:02, inside
Page 74 of 846

D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
172.20.1.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1

172.20.2.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
172.20.3.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
172.20.4.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
172.20.5.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
172.20.6.0 255.255.255.0 [90/130816] via 192.168.2.1, 00:10:37, dmz1
172.30.1.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:28, outside
172.30.2.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:30, outside
172.30.3.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:30, outside
172.30.4.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:30, outside
172.30.5.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:30, outside
172.30.6.0 255.255.255.0
[90/130816] via 192.168.3.1, 00:10:30, outside
172.40.1.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
172.40.2.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
172.40.3.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
172.40.4.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
172.40.5.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
172.40.6.0 255.255.255.0 [90/130816] via 192.168.4.1, 00:10:38, dmz2
! EIGRP AD Changing
ASA1(config-router)# distance eigrp 111 222
D
172.10.1.0 255.255.255.0
[111/130816] via 192.168.1.1, 00:00:06, inside
D
172.10.2.0 255.255.255.0
[111/130816] via 192.168.1.1, 00:00:06, inside
D
172.10.3.0 255.255.255.0
[111/130816] via 192.168.1.1, 00:00:06, inside
C
L
(Only One EIGRP AS IS ALLOWED)
Too many IP routing processes for this routing protocol
ERROR: Unable to create router process
! Authenticaton in EIGRP on ASA
ASA1(config-if)# authentication mode eigrp 100 md5
ASA1(config-if)# authentication key eigrp 100 shiva key-id 100
Page 75 of 846

! Verification of authentication on Router
R1(config-router)#
*Sep 28 09:39:11.267: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.2
(FastEthernet0/0) is down: Auth failure
! Authenticaton in EIGRP on Router
R1(config)#key chain trust
R1(config-keychain)#key 100
R1(config-keychain-key)#key-string shiva
R1(config-keychain-key)#int f0/0
R1(config-if)#ip authentication mode eigrp 100 md5
R1(config-if)#ip authentication key-chain eigrp 100 trust
*Sep 28 09:40:06.495: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.2
(FastEthernet0/0) is up: new adjacency
! Summrization in EIGRP
ASA1(config-if)# summary-address eigrp 100 0 0
! Verification on Router1
R1#sh ip route eigrp
D* 0.0.0.0/0 [90/28416] via 192.168.1.2, 00:00:30, FastEthernet0/0
R2# sh ip route eigrp
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D
D 192.168.4.0/24 [90/28416] via 192.168.2.2, 00:06:43, FastEthernet0/0
ASA1(config-if)# summary-address eigrp 100 172.10.0.0 255.255.248.0
R2# sh ip route eigrp
Page 76 of 846
D
D
D
D
D
D

192.168.4.0/24 [90/28416] via 192.168.2.2, 00:07:57, FastEthernet0/0
! EIGRP Hello & Hold Changing

ASA1(config-if)# hello-interval eigrp 100 2
ASA1(config-if)# hold-time eigrp 100 4
R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address
Interface
Hold Uptime SRTT RTO Q Seq
(sec)
(ms)
Cnt Num
0 192.168.1.2
Fa0/0
3 00:04:15 3 200 0 133
Page 77 of 846

Chapter 7
OSPF
OSPF
Difference between link State & Distance Vector
OSPF Tables
OSPF Messages & Contents
OSPF States
DR & BDR
DR & BDR Requirements
OSPF Area Structure
OSPF Network Types
OSPF Router Types
OSPF LSA Types
OSPF Area Types
OSPF Neighbour Ship Requirement
OSPF Authentication Types
OSPF Summarization Types
OSPF Virtual Link
Page 78 of 846
Open Shortest Path First

It is an interior gateway classless , link-state routing protocol. it use IP Protocol No. 89. it sends
multicast addresses 224.0.0.5, 224.0.0.6.
Difference Between DV & LS

Distance Vector
A Distance Vector routing protocol selects the route based on distance
That is called hop count.
Link State
As name tells us link state a link state routing protocol sends update based in the state of link. When
a link comes up & goes down it sends update.
It sends update with a sequence number. 0x80000001 goes till
0xFFFFFFFF.
Open Shortest Path First Tables
Neighbours Table
Database Table
Routing Table
Open Shortest Path First Messages
Hello
DBP(Database Descriptor)
LS Request
LS Update
LS Acknowledgement
OSPF Hello Contents
Router ID
Hello & Dead Interval
Network ID
Area
Page 79 of 846
Priority
DR & BDR information
Authentication
Stub information
OSPF Messages Contents
Version
Type
Packet length
Router ID
Area
Checksum
Authentication
Authentication data
Data
OSPF States
Down
Attempt
Initialization
2 way
Ex-start
Exchange
Loading
Full
OSPF Down State

it means that no hello exchange
OSPF Attempt State

This state is valid for NBMA network in this state a router sends Unicast hello to neighbour.
Because OSPF has no capabilities to establish neighbour ship automatically on NBMA network.
Page 80 of 846
OSPF Initialization State

when a router receives a hello that is called Initialization.
OSPF 2-Way State

when hello is exchanged between two OSPF routers that is called 2 way.
DR & BDR is elected here.
OSPF Ex-Start State

In this state they elect master & slave. Master a router who sends DBD first.
Master requirement higher priority or higher router ID.
OSPF Exchange State

In this state only DBD is exchanged between OSPF routers.
OSPF Loading State

In this state actual database is exchanged or we can say that LS-Request,
LS-Update ,LS Acknowledgement are also exchanged.
OSPF Full State

It means that the OSPF database is synchronized among OSPF router, and each router has a
complete database.
Page 81 of 846
OSPF Area
The logical grouping of OSPF routers is called OSPF Area
OSPF Area Structure

Here OSPF Area has two types
Backbone Area
Regular Area
OSPF Backbone Area

Area zero is called backbone area. it only has the capabilities to transfer route from one area to
another are i.e. it is also called Transit Area.
OSPF Regular Area

Apart from area zero all other areas are called regular area.
they must be connected to backbone area.
OSPF Priority
OSPF Hello message has 8 bits priority field. default value 1 , maximum 255.
if priority is zero then router will not participate in DR & BDR election.
Designated Router
Router when OSPF router are connected to a multi-access network. Then there is a responsibility of
one router who is responsible for making adjacencies with other router that is called DR.
Page 82 of 846
Backup Designated Router

Backup Designated Router it provides backup to DR.
Note:DR & BDR concept is only used to minimise the adjacencies count
Adjacencies count without DR & BDR
n(n-1)/2
Adjacencies count with DR & BDR
n*2-3
Adjacencies count with DR
n-1
DR Requirements
1. Higher Priority
2. Higher Router ID
DR is elected on every Broadcast & NB Segment.
Router ID Requirements
1. Highest Loopback
2. if no loopback then highest up physical interface ip
3. We can configure manual .
OSPF Metric
Is called Cost formula= 100 Mbps /bandwidth.
OSPF Network Types
RFC
Cisco
NBMA
P2MP
RFC
Cisco
Broadcast
P2P
P2MPNB
Broadcast & NB are for full mesh topology.

P2P, P2MP, P2MPNB for hub & spoke.
Page 83 of 846

Network
type
Broadcast
P2P
P2MP
P2MPNB
NB
Hellointerval
10
10
30
30
30
Deadinterval
40
40
120
120
120
Autoneighbour
YES
YES
YES
NO
NO
Manualneighbour
NO
NO
NO
YES
YES
DR or
BDR
YES
NO
NO
NO
YES
OSPF Router Types
Internal Router
Back Bone Router
ABR
ASBR
Internal Router
A router consist it's all interfaces in regular area, i.e. called Internal router.
Backbone Router
A router consist it's all interfaces in area 0 Backbone area, i.e. called Internal router.
Area Border Router

Area Border Router a router which connect Backbone area to regular area is called ABR.
ASBR
A router which connects OSPF routing domain to another routing domain is called ASBR.
Page 84 of 846

Note:- OSPF sends incremental updates these updates are called LSA
Link state advertisement.
LSA Types
Router LSA
Network LSA
Summary LSA
AS LSA
External LSA
Group member ship LSA
NSSA LSA
Router LSA
It contain router ID of a router . it is sent within area.
Network LSA
It contain DR router ID sent by DR. is sent within area.
Summary LSA
When the routes of one area go to another area , they go as summary LSA.
it is sent by ABR.
AS ASBR LSA
It contain ASBR router ID . it is generated by ABR when an ABR receives External LSA form ASBR.
External LSA
It contain external routes it is sent by ASBR.
Page 85 of 846
Group Member LSA

It is used in Multicast OSPF
NSSA LSA
It contain external route . it is used in NSSA area , it allow an ASBR to send external route through
stub area to back bone.
Why because STUB/NSSA area LSA 5 in not allowed they are filtered so do hide LSA 5 they are
encapsulated as LSA 7 and LSA 7 is only recognized by NSSA area.
OSPF Area Types
Standard Area
Stub Area
Totally Stub Area
NSSA
Totally NSSA
Standard Area
It contain entire OSPF domain itself.
if you are using standard area then you can't reduce the size of routing table
to reduce the size of routing table we use another area types.
Stub Area
It filter the external routes and place them as default route.
Totally Stub Area

It filter the external routes, inter-area routes and place them as default route.
Page 86 of 846
NSSA
It allow an ASBR to send external route through stub area to backbone area using LSA 7 (NSSA LSA).
Notes:but it filter the external route coming from ABR
it doesn't generate default-route.
Totally NSSA
It allow an ASBR to send external route through stub area to backbone area using LSA 7 (NSSA LSA).
Notes:but it filter the external route & inter-area route coming from ABR
It does generate default-route.
OSPF Virtual Link

OSPF designing says that all regular area must be connected to Backbone area. if it not possible then
we have to use virtual-link.
OSPF Authentication Types
1. Null
2. Plain text
3. MD5
Type 0
Type 1
Type 2
OSPF Summarization Types
External Summarization at ASBR

Inter-Area Summarization at ABR
Page 87 of 846
OSPF Routes Types
OSPF intra-area
O IA
OSPF inter-area
O E2
OSPF External Metric-type 2
O E1
OSPF External Metric-type 1
O N2
OSPF External Metric-type 2 in NSSA Area
O N1
OSPF External Metric-type 1 in NSSA Area
In Metric-type 2 internal cost is not added when route are propagated in OSPF domain.
In Metric-type 1 internal cost is do added when route are propagated in OSPF domain.
If you want that best path should be used for External router you have to use metric-type 1.
Seed Metric
when routes are redistributed in routing Protocol that wants a starting point
that starting point is called seed metric
OSPF seed metric is 20 . if you want to change it you can change it at the time of redistribution.
Important Note
Area 0 can't be stub

virtual link are not allowed in stub area
All router must be agree that we are a part of stub area.
OSPF NeighbourShip Requirement
1.Subet/mask
2. Hello interval
3. Dead interval
4. Authentication
5. Stub information
6. Area
7. MTU
Page 88 of 846
OSPF AD 110
Default max-path 4 , maximum 16
224.0.0.6 is used by NON-DR to DR only for update & acknowledgement
224.0.0.5 is used for Hello NON-DR or DR to NON-DR
224.0.0.5 is used for Update DR to NON-DR
Diagram:-
Initial-config
hostname R1
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int l1
ip add 172.10.1.1 255.255.255.0
int l2
ip add 172.10.2.1 255.255.255.0
int l3
ip add 172.10.3.1 255.255.255.0
int l4
ip add 172.10.4.1 255.255.255.0
int l5
ip add 172.10.5.1 255.255.255.0
int l6
ip add 172.10.6.1 255.255.255.0
R2
no shutdown
ip add 192.168.2.1 255.255.255.0
Page 89 of 846

no shutdown
int l1
ip add 172.20.1.1 255.255.255.0
int l2
ip add 172.20.2.1 255.255.255.0
int l3
ip add 172.20.3.1 255.255.255.0
int l4
ip add 172.20.4.1 255.255.255.0
int l5
ip add 172.20.5.1 255.255.255.0
int l6
ip add 172.20.6.1 255.255.255.0
R3
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int l1
ip add 172.30.1.1 255.255.255.0
int l2
ip add 172.30.2.1 255.255.255.0
int l3
ip add 172.30.3.1 255.255.255.0
int l4
ip add 172.30.4.1 255.255.255.0
int l5
ip add 172.30.5.1 255.255.255.0
int l6
ip add 172.30.6.1 255.255.255.0
R4
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int l1
ip add 172.40.1.1 255.255.255.0
int l2
ip add 172.40.2.1 255.255.255.0
int l3
ip add 172.40.3.1 255.255.255.0
int l4
ip add 172.40.4.1 255.255.255.0
int l5
ip add 172.40.5.1 255.255.255.0
int l6
ip add 172.40.6.1 255.255.255.0
Page 90 of 846

Interface
Protocol
GigabitEthernet0/0
up
GigabitEthernet0/1
up
GigabitEthernet0/2
up
GigabitEthernet0/3
up
Interface
Name
Security
GigabitEthernet0/0
inside
100
GigabitEthernet0/1
dmz1
60
GigabitEthernet0/2
outside
0
GigabitEthernet0/3
dmz2
50
!!!!!
!!!!!
!!!!!
!!!!!
R1
Page 91 of 846

R1(config)#router os 100
R1(config-router)#net 192.168.1.0 0.0.0.255 area 1
R2
R2(config-router)#router ei 100
R2(config-router)#no au
R2(config-router)#net 172.20.0.0 0.0.7.255
R3
R4
R4(config-router)#router ei 200
R4(config-router)#no au
R4(config-router)#net 172.40.0.0 0.0.7.255
ASA1(config)# router os 100
ASA1(config-router)# net 192.168.1.0 255.255.255.0 area 1
! OSPF Neighbour Table Verification
ASA1(config)# sh ospf neighbor
Neighbor ID
172.20.6.1
172.10.6.1
172.30.6.1
172.40.6.1
Pri State
1 FULL/DR
1 FULL/DR
1 FULL/DR
1 FULL/DR
Dead Time Address

0:00:32 192.168.2.1
0:00:39 192.168.1.1
0:00:37 192.168.3.1
0:00:32 192.168.4.1
Interface
dmz1
inside
outside
dmz2
! OSPF Topology Verification

ASA1(config)# sh ospf database
OSPF Router with ID (192.168.4.2) (Process ID 100)

Router Link States (Area 0)
Link ID
ADV Router Age
172.20.6.1 172.20.6.1 265
192.168.4.2 192.168.4.2 232
Seq#
Checksum Link count
0x80000002 0x 4c5 1
0x80000001 0x78f7 1
Net Link States (Area 0)

Link ID
ADV Router Age
192.168.2.1 172.20.6.1 265
Seq#
Checksum
0x80000001 0x 5c9
Page 92 of 846
Summary Net Link States (Area 0)

Link ID
ADV Router Age
172.30.1.1 192.168.4.2 212
172.30.2.1 192.168.4.2 212
172.30.3.1 192.168.4.2 212
172.30.4.1 192.168.4.2 212
172.30.5.1 192.168.4.2 212
172.30.6.1 192.168.4.2 212
192.168.1.0 192.168.4.2 222
192.168.3.0 192.168.4.2 212
192.168.4.0 192.168.4.2 213
Seq#
Checksum
0x80000001 0x8075
0x80000001 0x757f
0x80000001 0x6a89
0x80000001 0x5f93
0x80000001 0x549d
0x80000001 0x49a7
0x80000002 0xfa5d
0x80000001 0xe670
0x80000001 0xdb7a

Link ID
ADV Router Age
172.10.6.1 172.10.6.1 271
192.168.4.2 192.168.4.2 231
Seq#
Checksum Link count
0x80000002 0xb629 1
0x80000002 0x6011 1

Link ID
ADV Router Age
192.168.1.1 172.10.6.1 271
Seq#
Checksum
0x80000001 0x10d3

Link ID
ADV Router Age
172.30.1.1 192.168.4.2 213
172.30.2.1 192.168.4.2 213
172.30.3.1 192.168.4.2 213
172.30.4.1 192.168.4.2 213
172.30.5.1 192.168.4.2 213
172.30.6.1 192.168.4.2 213
192.168.2.0 192.168.4.2 223
192.168.3.0 192.168.4.2 213
192.168.4.0 192.168.4.2 214
Seq#
Checksum
0x80000001 0x8075
0x80000001 0x757f
0x80000001 0x6a89
0x80000001 0x5f93
0x80000001 0x549d
0x80000001 0x49a7
0x80000001 0xf166
0x80000001 0xe670
0x80000001 0xdb7a

Link ID
ADV Router Age
172.30.6.1 172.30.6.1 229
192.168.4.2 192.168.4.2 229
Seq#
Checksum Link count
0x80000003 0x9dd2 7
0x80000001 0x8edf 1

Link ID
ADV Router Age
192.168.3.1 172.30.6.1 229
Seq#
Checksum
0x80000001 0xf9bf

Page 93 of 846

Link ID
ADV Router Age
192.168.1.0 192.168.4.2 224
192.168.2.0 192.168.4.2 224
192.168.4.0 192.168.4.2 214
Seq#
Checksum
0x80000001 0xfc5c
0x80000001 0xf166
0x80000001 0xdb7a

Link ID
ADV Router Age
172.40.6.1 172.40.6.1 224
192.168.4.2 192.168.4.2 223
Seq#
Checksum Link count
0x80000002 0x9efe 1
0x80000001 0xa4c7 1

Link ID
ADV Router Age
192.168.4.1 172.40.6.1 224
Seq#
Checksum
0x80000001 0xeeb5

Link ID
ADV Router Age
172.30.1.1 192.168.4.2 215
172.30.2.1 192.168.4.2 215
172.30.3.1 192.168.4.2 215
172.30.4.1 192.168.4.2 215
172.30.5.1 192.168.4.2 215
172.30.6.1 192.168.4.2 215
192.168.1.0 192.168.4.2 215
192.168.2.0 192.168.4.2 215
192.168.3.0 192.168.4.2 215
Seq#
Checksum
0x80000001 0x8075
0x80000001 0x757f
0x80000001 0x6a89
0x80000001 0x5f93
0x80000001 0x549d
0x80000001 0x49a7
0x80000001 0xfc5c
0x80000001 0xf166
0x80000001 0xe670
! OSPF Routing Table Verification

ASA1# sh route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O
172.30.1.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
O
172.30.2.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
O
172.30.3.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
O
172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
Page 94 of 846

O
O
C
L
C
L
C
L
C
L
172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:04:18, outside
NO AREA 4 routes
! Virtual Link in OSPF
ASA1(config-router)# router ospf 100
ASA1(config-router)# area 1 virtual-link 172.10.6.1
R1(config-router)#router os 100
R1(config-router)#area 1 virtual-link 192.168.4.2
R1(config-router)#
*Sep 28 10:02:01.999: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on OSPF_VL0 from LOADING
to FULL, Loading Done
! Verification of routes Learn via Virtual Link
ASA1# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O IA 172.10.1.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.2.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.3.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.4.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.5.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O IA 172.10.6.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:23, inside
O
172.30.1.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:35, outside
O
172.30.2.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:35, outside
O
172.30.3.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:35, outside
Page 95 of 846

O
O
O
C
L
C
L
C
L
C
L
172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:35, outside
172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:41, outside
172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:02:41, outside
! Redistribution in OSPF on Router

R2(config)#router ospf 100
R2(config-router)#redistribute eigrp 100
% Only classful networks will be redistributed
R1#sh ip route ospf
O IA 172.30.3.1 [110/12] via 192.168.1.2, 00:02:54, FastEthernet0/0
O IA 192.168.4.0/24 [110/11] via 192.168.1.2, 00:02:54, FastEthernet0/0
O 192.168.2.0/24 [110/11] via 192.168.1.2, 00:02:54, FastEthernet0/0
NO routes of eigrp 100
R2(config-router)#router ospf 100
R2(config-router)#redistribute eigrp 100 subnets metric-type 1
! Redistributed Route Verification
R1#sh ip route ospf
O E1 172.20.1.0 [110/31] via 192.168.1.2, 00:00:19, FastEthernet0/0
Page 96 of 846

! OSPF External Summrization
R2(config-router)#summary-address 172.20.0.0 255.255.248.0
! OSPF External Summrization Verification
R1#sh ip route ospf
! Disabling OSPF External Summrization
R2(config-router)#no summary-address 172.20.0.0 255.255.248.0
R1#sh ip route ospf
! OSPF Inter-area summrization
ASA1(config)# router os 100
ASA1(config-router)# area 2 range 172.30.0.0 255.255.248.0
! OSPF Inter-area summrization Verification
R1#sh ip route ospf
Page 97 of 846

! Disabling Inter-area summrization

ASA1(config-router)# router os 100
ASA1(config-router)# no area 2 range 172.30.0.0 255.255.248.0
R1#sh ip route ospf
! OSPF Authentication on ASA
ASA1(config-router)# interface gigabitEthernet 0/0
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 100 md5 shiva
R1#
*Sep 28 10:13:20.491: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on FastEthernet0/0 from
FULL to DOWN, Neighbor Down: Dead timer expired
R1#debug ip ospf events
OSPF events debugging is on
*Sep 28 10:20:40.255: OSPF: Rcv pkt from 192.168.1.2, FastEthernet0/0 : Mismatch Authentication
type. Input packet specified type 2, we use type 0
Page 98 of 846

! OSPF Authentication on Router
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 100 md5 shiva
! OSPF Authentication Verification
R1(config-if)#
LOADING to FULL, Loading Done
! OSPF Hello & Dead Interval Verification
ASA1(config-if)# sh ospf interface inside
inside is up, line protocol is up
Internet Address 192.168.1.2 mask 255.255.255.0, Area 1
Process ID 100, Router ID 192.168.4.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.4.2, Interface address 192.168.1.2
Backup Designated router (ID) 172.10.6.1, Interface address 192.168.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
! OSPF Hello & Dead Interval Modification on ASA
ASA1(config-if)# ospf hello-interval 5
Backup Designated router (ID) 172.10.6.1, Interface address 192.168.1.1
ASA1(config-if)# ospf dead-interval 15
No backup designated router on this network
! Effect of Timer Chainging
R1#
FULL to DOWN, Neighbor Down: Dead timer expired
R1#
*Sep 28 10:16:26.727: %OSPF-5-ADJCHG: Process 100, Nbr 192.168.4.2 on OSPF_VL0 from FULL to
DOWN, Neighbor Down: Interface down or detached
Page 99 of 846

! OSPF Debug Command Analyzation
R1#debug ip ospf events
OSPF events debugging is on
*Sep 28 10:18:03.567: OSPF: Send with youngest Key 100
*Sep 28 10:18:03.567: OSPF: Send hello to 224.0.0.5 area 1 on FastEthernet0/0 from 192.168.1.1
R1#
*Sep 28 10:18:05.223: OSPF: Rcv hello from 192.168.4.2 area 1 from FastEthernet0/0 192.168.1.2
*Sep 28 10:18:05.223: OSPF: Mismatched hello parameters from 192.168.1.2
*Sep 28 10:18:05.223: OSPF: Dead R 15 C 40, Hello R 5 C 10 Mask R 255.255.255.0 C 255.255.255.0
! OSPF Timer Chainging on Router
R1(config-if)#ip ospf hello-interval 5
R1(config-if)#ip ospf dead-interval 15
R3#sh ip route ospf
! Stub Area commands
ASA1(config)# router ospf 100
ASA1(config-router)# area 2 stub
R3(config)# router ospf 100
R3(config-router)# area 2 stub
R3(config-router)#
FULL to DOWN, Neighbor Down: Adjacency forced to reset
R3(config-router)#
! Stub Area verification
R3#sh ip route ospf
Page 100 of 846

O*IA 0.0.0.0/0 [110/2] via 192.168.3.2, 00:00:49, FastEthernet0/0
! Totally Stub Commands
ASA1(config-router)# area 2 stub no-summary
! Totally Stub Area Verification
R3#sh ip route ospf
R4#sh ip route ospf
! Area 3 Stub Commands

ASA1(config-router)# area 3 stub
R4(config-router)# area 3 stub
Page 101 of 846

R4(config-router)#
INIT to DOWN, Neighbor Down: Adjacency forced to reset
R4(config-router)#
! Stub Verification
R4#sh ip route ospf
ASA1(config-router)# area 3 stub no-summary
! Verification of Totally Stub Area

R4#sh ip route ospf
! Redistribute EIGRP 200 Route in OSPF
R4(config-router)#redistribute eigrp 200 subnets metric-type 1
R4(config-router)#
*Sep 28 11:13:14.383: %OSPF-4-ASBR_WITHOUT_VALID_AREA: Router is currently an ASBR while
having only one area which is a stub area.
! Not allowed Please Remove Stub commands Then configure as NSSA
R4(config-router)#router os 100
R4(config-router)#no area 3 stub
R4(config-router)#area 3 nssa
ASA1(config-router)# no area 3 stub
Page 102 of 846

ASA1(config-router)# area 3 nssa
! NSSA Verification on ASA
ASA1(config-router)# sh route dmz2
O N1 172.40.1.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.2.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.3.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.4.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.5.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
O N1 172.40.6.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:08, dmz2
C
L
R4#sh ip route ospf
No eigrp routes
ASA1(config-router)# area 3 nssa no-summary default-information-originate
Page 103 of 846


! verification of Totally NSSA
R4#sh ip route ospf
O IA
O IA
O IA
O IA
O IA
O IA
172.10.1.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside

172.10.2.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
172.10.3.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
172.10.4.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
172.10.5.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
172.10.6.1 255.255.255.255 [110/11] via 192.168.1.1, 00:01:07, inside
! By Default OSPF Treat loopback as single host if you want that it should be treat as network
please do the following
R1(config)#interface loopback 1
R1(config-if)#ip ospf network point-to-point
R1(config-if)#interface loopback 2
O IA
O IA
O IA
172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:01:04, inside

172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
Page 104 of 846

O IA 172.10.4.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
O IA 172.10.5.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
O IA 172.10.6.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:54, inside
C
L
! OSPF Route filtering

ASA1
! OSPF Route filtering verification
O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:05, inside
O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:05, inside
O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:05, inside
C
L
ASA1(config-router)# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside
O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside
O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:10, inside
O E1 172.20.1.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
Page 105 of 846

O E1 172.20.2.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O E1 172.20.3.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O E1 172.20.4.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O E1 172.20.5.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O E1 172.20.6.0 255.255.255.0 [110/30] via 192.168.2.1, 00:00:10, dmz1
O
172.30.1.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:10, outside
O
172.30.2.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:10, outside
O
172.30.3.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:14, outside
O
172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:14, outside
O
172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:14, outside
O
172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:14, outside
O N1 172.40.1.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.2.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.3.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.4.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.5.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
O N1 172.40.6.0 255.255.255.0 [110/30] via 192.168.4.1, 00:00:14, dmz2
! OSPF AD Changing
ASA1(config-router)#distance ospf inter-area 110 intra-area 110 external 180
ASA1(config-router)# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, outside
O IA 172.10.1.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:27, inside
O IA 172.10.2.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:27, inside
O IA 172.10.3.0 255.255.255.0 [110/11] via 192.168.1.1, 00:00:27, inside
O E1 172.20.1.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.2.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.3.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.4.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.5.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O E1 172.20.6.0 255.255.255.0 [180/30] via 192.168.2.1, 00:00:27, dmz1
O
172.30.1.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:27, outside
Page 106 of 846

O
O
O
O
O
O N1
O N1
O N1
O N1
O N1
O N1
172.30.2.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:27, outside
172.30.3.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
172.30.4.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
172.30.5.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
172.30.6.1 255.255.255.255
[110/11] via 192.168.3.1, 00:00:28, outside
172.40.1.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.2.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.3.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.4.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.5.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
172.40.6.0 255.255.255.0 [180/30] via 192.168.4.1, 00:00:28, dmz2
R1#sh ip route ospf

! OSPF Defaurt route Orgination

ASA1(config-router)# default-information originate always
Page 107 of 846


! OSPF Defaurt route Orgination verification
R1#sh ip route ospf
O*E2 0.0.0.0/0 [110/10] via 192.168.1.2, 00:00:54, FastEthernet0/0

ASA1(config-router)# no default-information originate always
! Mannual Router ID
ASA1(config-router)# router-id 123.123.123.123
R1#sh ip ospf neighbor
Neighbor ID Pri State
Dead Time Address
Interface
123.123.123.123 1 FULL/BDR
00:00:13 192.168.1.2 FastEthernet0/0
but virtual-link will down due to router-id mismatch.
Page 108 of 846


Chapter 8
IPv6 Introduction
IPv6
IPv6 Styles
IPv6 Routing Protocols
RIPng
OSPFv3
EIGRPv6
Page 109 of 846

IPv6
Before IPv6 we have to understand IP
IP Address
IP Addresses Styles
A logical address it enable a machine to communicate with other machine of network.
1. Unicast
2. Broadcast
IP Part
3. Multicast
1. Network ID
2. Host ID
Unicast
They goes one-to-one if we are sending a data to a group it require retransmission. it will eat
Network ID
upitour
bandwidth.
enable
us to determine that what is the network location in a class
Broadcast
Host ID
In it
we send
to all . it that
is useful
unknown
. it is used by DHCP, ARP,
It enable
usdata
to determine
whatwhen
is the destination
location of a is
host
in a network
RIPv1. Each NIC receive the broadcast and does process with it doesn't matter that, it is for
him or not. But they are not forwarded by router or appliance.
IP Address Classes
Multicast
in it source generate a stream & that is distributed among the clients.
or
A (1-126)/8
when a host
join a multicast group their NIC is again re-programmed. & it start capturing
B (128-191)/16
data for
group.
joined
C (192-223)/24
D (224-239)
Multicast
EMac
(240-255)
it is a 48 bits address. the first half address (24 bits) pre-define 0100.5e. 25th bit is always
zero. and last 23 bits obtain from multicast IP address
For examples
224.0.0.1#0100.5e00.0001
224.0.0.10#0100.5e00.000a
IP Address Types
Public
Multicast
Addresses
Private
1. Link Local
224.0.0.0/24
2. Source
Specific
232.0.0.0/8
Public
3. GLOP
They are accessible via internet , unique in the world 233.0.0.0/8
4. Administratively Scoped
239.0.0.0/8
Private Scoped
5. Globally
224.0.1.0-231.255.255.255
They are not accessible via internet. they can be used 234.0.0.0-238.255.255.255
by private organization.
Link Local
they send will TTL value one
Source Specific
Page 110 of 846
In Source Specific a host receive a multicast traffic form a single server.
GLOP
it allocate 256 multicast address to each AS. middle 16 bits are obtain from AS number.

Brief
32 bits address
Decimal format
separated by ( . )
20 bytes header
IPv6
128 bits address

Hexadecimal format
separated by( : )
40 bytes header
IPv6 Style
Unicast
Multicast
Anycast
Unicast Types
Unicast Types
Global Unicast
Unique Local
Link Local
Global Unicast
They are the public address routable over internet like ipv4 public addresses.
Start with 2000::/3
Unique Local
They are the private address not routable over internet like ipv4 private addresses. Start with
FD00::/8
Link Local
They are automatically created by device they are used by routing protocols to communicate
each other
Start with FE80::/10
Link Local address contain 64 interface ID
Interface ID contain 48 Bits MAC & 16 Bits EUI
EUI is FFFE
Procedure of Link Local
for example
MAC is 0000.0c07.ac01
MAC address 1st bytes 7th bit is replaced with zero to 1
Page 111 of 846

do
MAC now 100.0c07.ac01
Add EUI
100.0cFF.FE07.ac01
ADD Link Local Prefix
FE80:: 100.0cFF.FE07.ac01/10
Multicast
They are just like IPv4 multicast addresses
FF02::1 for all host
FF02::2 for all router
FF02::5 for OSPF
FF02::6 for OSPF
FF02::9 for RIPng
FF02::A for EIGRP
FF02::D for PIM
IPV6 Format
1234:1234:1234:1234:1234:1234:1234:1234 (right)
2000:0000:0000:1111:0000:0000:0000:0001 (right)
2000:0:0:1111:0:0:0:1 (right)
2000::1111:0:0:0:1 (right) {8-6=2 dual :: is representing 2 block 0}
2000:0:0:1111::1 (right) {8-5=3 dual :: is representing 3 block 0}
2000::1111::1 (wrong) {8-3=5, 3+2 or 2+3 }
:: Only Once
IPV6 Routing Protocols
RIPng
IS-ISv6
OSPFv3
EIGRPv6
MP-BGP
Page 112 of 846


RIPng
Routing Information Protocol next generation
It is based on RIPv2
It use UDP port 521
Multicast update FF02::9
No authentication support
We can run multiple RIPng process now.
Max-Path 16
IS-ISv6
It use same concept of IS-IS. it use IP protocol no. 131 (0x83).
It works at OSI layer 3
It PDU is directly encapsulated in frame.
EIGRPv6
Cisco Proprietary
IP protocol no. 88
Same concept like EIGRP
Max-Path 16
Default Shutdown
It require Router ID
Multicast at FF02::A
MD5 authentication
OSPFv3
Still Open Standard
IP protocol no. 89
Use IPSec Authentication
It ADD 16 bytes Header while OSPF ADD 24 bytes
Note
Cisco ASA OS version 8.6 support only static & default IPv6 routing
Cisco ASA OS version 9.2.2.4 support only static & default & OSPFv3 IPv6 routing.
Page 113 of 846


Diagram:-
Initial-config
R1
ipv6 unicast-routing
no shutdown
ipv6 add 192:168:1::1/48
int lo1
ipv6 add 192:168:101::1/48
ipv6 route ::/0 192:168:1::2
R2
no shutdown
ipv6 add 192:168:2::1/48
int l1
ipv6 add 192:168:102::1/48
ipv6 route ::/0 192:168:2::2
R3
no shutdown
ipv6 add 192:168:3::1/48
int l1
ipv6 add 192:168:103::1/48
ipv6 route ::/0 192:168:3::2
Page 114 of 846

R4
no shutdown
ipv6 add 192:168:4::1/48
int lo1
ipv6 add 192:168:104::1/48
ipv6 route ::/0 192:168:4::2
ASA1
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:2::2/48
!
nameif outside
security-level 0
no ip address
ipv6 address 192:168:3::2/48
!
nameif dmz2
security-level 50
no ip address
ipv6 address 192:168:4::2/48
!
ASA1(config)# sh ipv6 int brief
inside [up/up]
fe80::6e20:56ff:febd:ea87
192:168:1::2
dmz1 [up/up]
192:168:2::2
outside [up/up]
192:168:3::2
dmz2 [up/up]
192:168:4::2
GigabitEthernet0/4 [administratively down/down]
unassigned
GigabitEthernet0/5 [administratively down/down]
unassigned
Management0/0 [administratively down/down]
Page 115 of 846

unassigned
ASA1(config)# ping 192:168:1::1
Sending 5, 100-byte ICMP Echos to 192:168:1::1, timeout is 2 seconds:
!!!!!
!!!!!
!!!!!
!!!!!
! ipv6 static & default
ipv6 route inside 192:168:101::/48 192:168:1::1
ipv6 route dmz1 192:168:102::/48 192:168:2::1
ipv6 route outside ::/0 192:168:3::1
ipv6 route dmz2 192:168:104::/48 192:168:4::1
ASA1(config)# ping 192:168:101::1
!!!!!
ASA1(config)# ping 192:168:102::1
!!!!!
ASA1(config)# ping 192:168:103::1
!!!!!
ASA1(config)# ping 192:168:104::1
!!!!!
ASA will Allow Higher to lower
R1#telnet 192:168:102::1
Page 116 of 846

Trying 192:168:102::1 ... Open

[Connection to 192:168:102::1 closed by foreign host]
R1#telnet 192:168:103::1
Trying 192:168:103::1 ... Open

R1#telnet 192:168:104::1
Trying 192:168:104::1 ... Open

R1#
! if you want lower to higher apply acl
ASA1
access-list dmz1 permit ip 192:168:102::/48 192:168:101::/48
access-group dmz1 in interface dmz1
access-list out permit ip 192:168:103::/48 192:168:101::/48
access-group out in interface outside
access-group dmz2 in interface dmz2
R1
R1#ping 192:168:102::1 source loopback 1
Packet sent with a source address of 192:168:101::1
!!!!!
!!!!!
Page 117 of 846

!!!!!
R2
!!!!!
!!!!!
!!!!!
R3
!!!!!
!!!!!
!!!!!
Page 118 of 846

R4
!!!!!
!!!!!
!!!!!
Page 119 of 846


Chapter 9
Service Level Agreement (SLA)

SLA
Page 120 of 846

SLA Service Level Agreement
Assume that we have a appliance and it is connected to 2 ISP (ISP1,ISP2).

ISP1 is primary using AD 1, ISP2 is secondary using AD 2.
if over primary link will goes down then appliance will use secondary.
But here condition is this , there is no problem in our access-link , but ISP networks has
problem means that ISP1 is not able to give us connectivity.
in this situation, appliance will not use ISP2 link. Because ISP1 link is up
to solve this problem we have SLA (Service Level Agreement).
In SLA we check reach ability from over end to public server. using ICMP Echo-request.
that is called in Track, Track is associated with static route example ISP1
if reach ability is available , track will remain up , track is up route will remain in routing
table.
if no reach ability track will go down , track down appliance will remote primary link form
table then secondary will use.
Diagram:-
Initial-config
PC1
PC1(config)#interface fastEthernet 0/0
PC1(config-if)#ip add 192.168.101.100 255.255.255.0
PC1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.101.1
ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#no shutdown
ISP(config-if)#ip add 101.1.1.1 255.255.255.0
ISP(config-if)#int f0/1
ISP(config-if)#no shutdown
ISP(config-if)#int l1
ISP(config-if)#ip add 1
Page 121 of 846
ASA1
ASA1(config)# hostname ASA1
ASA1(config-if)# ip add 192.168.101.1 255.255.255.0
ASA1(config-if)# nameif outside1
INFO: Security level for "outside1" set to 0 by default.
ASA1(config-if)# nameif outside2
INFO: Security level for "outside2" set to 0 by default.
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# pin
!!!!!
ASA1(config)# pin
!!!!!
! SLA on ASA
sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.1 interface outside1
timeout 1000
frequency 1
exit
sla monitor schedule 1 start-time now life forever
track 11 rtr 1 reachability
route outside1 0 0 101.1.1.1 track 11
route outside2 0 0 102.1.1.1 2
Page 122 of 846


ASA1# sh track
Track 11
Response Time Reporter 1 reachability
Reachability is Up
2 changes, last change 00:00:17
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside1
C
101.1.1.0 255.255.255.0 is directly connected, outside1
L
C
L
C
L
ISP(config-if)#shutdown
ASA1# sh track
Track 11
Reachability is Down
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
Page 123 of 846
S* 0.0.0.0 0.0.0.0 [2/0] via 102.1.1.1, outside2

C
L
C
L
C
L
ISP(config-if)#no sh
ASA1# sh track
Track 11
Reachability is Up
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA1# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside1
C
L
C
L
C
L
! Optional commands
ASA1(config)# nat (inside,outside1) source dynamic any interface
ASA1(config)# nat (inside,outside2) source dynamic any interface
ASA1(config)# class-map shiva
ASA1(config-cmap)# match default-inspection-traffic
ASA1(config-cmap)# policy-map shiva
ASA1(config-pmap)# class shiva
ASA1(config-pmap-c)# inspect icmp
ASA1(config-pmap-c)# service-policy shiva interface inside
this section will cover in nat & MPF........
Page 124 of 846

Chapter 10
Multicasting
IP addresses styles
Multicast Mac
Multicast addresses
IGMP (internet group management protocol)
IGMP snooping
Multicast routing protocols
RPF (Reverse path forwarding)
Distribution tree
PIM (protocol independent multicast )
PIM version
Page 125 of 846

IP Addresses Styles
1. Unicast
2. Broadcast
3. Multicast
Unicast
They goes one-to-one if we are sending a data to a group it require retransmission. it will eat up our
bandwidth.
Broadcast
In it we send data to all . it is useful when destination is unknown . it is used by DHCP, ARP, RIPv1.
Each NIC receive the broadcast and does process with it doesn't matter that, it is for him or not. But
they are not forwarded by router or appliance.
Multicast
in it source generate a stream & that is distributed among the clients.
or
when a host join a multicast group their NIC is again re-programmed. & it start capturing data for
joined group.
Multicast Mac
It is a 48 bits address. the first half address (24 bits) pre-define 0100.5e. 25th bit is always zero. and
last 23 bits obtain from multicast IP address
For examples
224.0.0.1#0100.5e00.0001
224.0.0.10#0100.5e00.000a
Multicast Addresses
1. Link Local
2. Source Specific
3. GLOP
4. Administratively Scoped
5. Globally Scoped
224.0.0.0/24
232.0.0.0/8
233.0.0.0/8
239.0.0.0/8
224.0.1.0-231.255.255.255
234.0.0.0-238.255.255.255
Link Local
they send will TTL value one
Source Specific
In Source Specific a host receive a multicast traffic form a single server.
Page 126 of 846
GLOP
it allocate 256 multicast address to each AS. middle 16 bits are obtain from AS number.
Administratively Scoped
they just like IPv4 Private addresses they can be used by private organization.
239.192.0.0 organization local
239.252.0.0 site local
Globally Scoped
they are fully routable over internet.
IGMP (Internet Group Management Protocol)

It is used by router and host to join or leave multicast group
Versions: Version 1
Version 2
Version 3
Version 1
Router sends query after every 60 seconds.
No group leaving mechanism.
Query age out time 3 minutes.
No information that which group is active at interface.
Version 2
Router sends query after every 60 seconds on 224.0.0.1
Host can leave group using 224.0.0.2.
Query interval response time.
Group specific Queries.
Querier election
Version 3
use SSM Source specific multicast
IGMP Snooping
It enable switches to determine which port is requesting for which multicast.
Page 127 of 846

Multicast Routing Protocols
DVMRP
Multicast OSPF
Centre Base Tree
Core Base Tree
PIM
RPF (Reverse Path Forwarding)

It is performed with every multicast packet, to determine that multicast is going root to leaves or
not.
Distribution Tree
Multicast routing path is called distribution tree
types
Source Tree
Shared Tree
Source Tree
in it they take the shortest path from source to destination. used in PIM
they pre-calculated path Because of dense-mode.
Shared Tree
in it they use a common set of links . First packet pass through RP after receiving packet the select
the shortest path.
PIM (Protocol Independent Multicast)
Modes
Dense Mode
Sparse Mode
Sparse Dense Mode
Dense Mode
it assume that multicast recipient is in every subnet.
in it stream is flooded to each router if no receiver then they send prune message to stop un
wanted flooding.
Page 128 of 846

Sparse Mode
Multicast tree is not built until some will not make request.
Sparse Dense Mode
it works in differ approach if there is any RP for a group Sparse mode will work otherwise Dense
mode will work.
PIM Versions
Version 1
Version 2
Version1
it provides auto or manual RP process.
RP announce at 224.0.1.39
RP discovery at 224.0.1.40
we must define candidate of each router
Version 2
It use BSR boot Strap Router.
Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.101.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
Page 129 of 846

no shutdown
ip add 192.168.101.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R3
no shutdown
ip add 192.168.101.30 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
Server1
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
interface gig 0/0
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface gig 0/1
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
ASA1# ping 192.168.101.10
!!!!!
ASA1# ping 192.168.101.20
!!!!!
ASA1# ping 192.168.101.30
!!!!!
ASA1# ping 192.168.102.100
!!!!!
! Enabling Multicasting & Forwading IGMP Query
ASA1(config)# multicast-routing
ASA1(config)# int gig 0/0
ASA1(config-if)# igmp forward interface outside
Page 130 of 846
! Verification of Muticast Routes

ASA1# sh mroute
No mroute entries found.
! Join Multicast Group on Clients
PC1(config-if)#ip igmp join-group 239.1.1.1
PC2(config-if)# ip igmp join-group 239.1.1.2
PC3(config-if)# ip igmp join-group 239.1.1.3
! Verification of Muticast Routes
ASA1# sh mroute
Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
C - Connected, L - Local, I - Received Source Specific Host Report,
P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
J - Join SPT
Timers: Uptime/Expires
Interface state: Interface, State
(*, 239.1.1.1), 00:01:02/never, RP 0.0.0.0, flags: DC
Incoming interface: Null
RPF nbr: 0.0.0.0
Outgoing interface list:
inside, Forward, 00:01:02/never
(*, 239.1.1.2), 00:00:32/never, RP 0.0.0.0, flags: DC
RPF nbr: 0.0.0.0
(*, 239.1.1.3), 00:00:26/never, RP 0.0.0.0, flags: DC
RPF nbr: 0.0.0.0
! Multcast host can access multicast Stream Because of UDP or TCP

! This ACL is only When Server is Generating ICMP Stream
ASA1(config)# access-list out permit icmp any 239.1.1.0 255.255.255.0
ASA1(config)# access-group out in interface outside
Page 131 of 846
PC1#debug ip icmp
ICMP packet debugging is on
PC2#debug ip icmp
PC3#debug ip icmp
Server1#debug ip icmp
Server1#ping 239.1.1.1 repeat 5
*Mar 1 00:10:19.647: ICMP: echo reply rcvd, src 192.168.101.10, dst 192.168.102.100
Reply to request 0 from 192.168.101.10, 60 ms
Server1#
Server1#
Page 132 of 846

PC1#debug ip icmp
PC1#
*Mar 1 00:09:49.379: ICMP: echo reply sent, src 192.168.101.10, dst 192.168.102.100
PC1#
PC1#
PC1#
PC1#
PC1#
PC2#debug ip icmp
PC2#
PC2#
PC2#
PC2#
PC2#
PC3#debug ip icmp
PC3#
*Mar 1 00:08:39.027: %SYS-5-CONFIG_I: Configured from console by console
PC3#
PC3#
PC3#
Page 133 of 846

PC3#
PC3#
Page 134 of 846


Chapter 11
Access-list & Object Group

Access-list
Object Group
Object Group Types
Page 135 of 846

Access-list
A list of condition it is used to categorized packets.
Types:
Named Base Access-list
It is used to allow or deny entire ip packet. mostly used for route filtering
(range 1-99,100-1999)
It is used to allow or deny Layer 3 , Layer 4 & upper layer protocols. Mostly used for traffic filtering.
(100-199,2000-2699)
Named Base Access-list
In this access-list we can give name to access-list instead of number.
it can be standard or extended
it is time oriented in it we can give time in weekdays weekend etc.
Object Group
A feature of Cisco ASA it simplify access-list management.
Types
1. Network Object Group
2. Protocol Object Group
3. Service Object Group
4. ICMP Object Group
Network Object Group
In it we can define network, subnet, range, single IP address.
Protocol Object Group
In it we can define protocols like TCP, UDP etc.
Service Object Group
In it we can define services related to TCP & UDP.
ICMP Object Group
In it we can define only ICMP messages.
Page 136 of 846


Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
passive-interface fastEthernet 0/1
TSS1
no shutdown
ip add 192.168.10.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip domain-name cisco.com
crypto key generate rsa
1024
line vty 0 90
transport input ssh telnet
Page 137 of 846

login local
exit
username shiva privilege 15 secret shiva
TSS2
no shutdown
ip add 192.168.10.20 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
TSS3
no shutdown
ip add 192.168.10.30 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
WEB1
interface f0/0
no shutdown
ip add 192.168.20.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ip http secure-server
ip http authentication local
WEB2
no shutdown
ip add 192.168.20.20 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
Page 138 of 846

WEB3
no shutdown
ip add 192.168.20.30 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ISP
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
ASA1
interface GigabitEthernet 0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
no auto-summary
network 192.168.1.0 255.255.255.0
Page 139 of 846

redistribute static metric 1 1 1 1 1
!
ASA1# ping 192.168.101.1
!!!!!
ASA1# ping 192.168.10.10
!!!!!
ASA1# ping 192.168.10.20
!!!!!
ASA1# ping 192.168.10.30
!!!!!
ASA1# ping 192.168.20.10
!!!!!
ASA1# ping 192.168.20.20
!!!!!
ASA1# ping 192.168.20.30
!!!!!
ASA1# ping 192.168.102.1
!!!!!
! Network Object
ASA1
object network inside
subnet 192.168.1.0 255.255.255.0
object network inside-lan
subnet 192.168.101.0 255.255.255.0
object network TSS1
host 192.168.10.10
Page 140 of 846

object network TSS2
host 192.168.10.20
object network TSS3
host 192.168.10.30
object network WEB1
host 192.168.20.10
object network WEB2
host 192.168.20.20
object network WEB3
host 192.168.20.30
object network PUB-TSS1
host 101.1.1.101
host 101.1.1.102
host 101.1.1.103
object network PUB-WEB1
host 101.1.1.104
host 101.1.1.105
host 101.1.1.106
nat (dmz1,outside) source static TSS1 PUB-TSS1
nat (dmz2,outside) source static WEB1 PUB-WEB1
nat (inside,outside) source dynamic inside interface
nat (inside,outside) source dynamic inside-lan interface
ASA1(config)# object-group ?
configure mode commands/options:
icmp-type Specifies a group of ICMP types, such as echo
network Specifies a group of host or subnet IP addresses
protocol Specifies a group of protocols, such as TCP, etc
service Specifies a group of TCP/UDP ports/services
user
Specifies single user, local or import user group
object-group network ALL-TSS-SERVERS
network-object host 192.168.10.10
object-group network ALL-WEB-SERVERS
Page 141 of 846
! Service Object
object-group service TELNET tcp
port-object eq telnet
object-group service SSH tcp
port-object eq ssh
object-group service HTTP tcp
port-object eq www
object-group service HTTPS tcp
port-object eq https
! ICMP Object
object-group icmp-type MY-ICMP-OBJECT
icmp-object echo-reply
access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group TELNET
access-list out extended permit tcp any object-group ALL-TSS-SERVERS object-group SSH
access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTP
access-list out extended permit tcp any object-group ALL-WEB-SERVERS object-group HTTPS
access-list out extended permit icmp any object inside object-group MY-ICMP-OBJECT
access-list out extended permit icmp any object inside-lan object-group MY-ICMP-OBJECT
R1#ping 101.1.1.1
!!!!!
R1#ping 101.1.1.1 so
R1#ping 101.1.1.1 source f
R1#ping 101.1.1.1 source fastEthernet 0/1
!!!!!
ASA1(config)# sh xlate
8 in use, 8 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz1:192.168.10.10 to outside:101.1.1.101
flags s idle 0:12:26 timeout 0:00:00
Page 142 of 846

ICMP PAT from inside:192.168.101.1/1 to outside:101.1.1.100/8269 flags ri idle 0:00:03 timeout
0:00:30
0:00:30
! config Verification on Clinet Side
Page 143 of 846

Page 144 of 846

Page 145 of 846

Page 146 of 846

Page 147 of 846

Page 148 of 846

Page 149 of 846

Page 150 of 846

Page 151 of 846


Chapter 12
NAT on OS 8.0
Static Nat
Dynamic NAT
PAT
Static PAT
NAT Bypass
Identity NAT
NAT Exemption
Policy NAT
Page 152 of 846

NAT
A services it enable internal users to access internet.
Or
Using NAT we map one IP address to another.
Types
1. Static
2. Dynamic
3. PAT
4. Static PAT
5. NAT Bypass
a. Identity NAT
b. NAT exemption
6. Policy NAT
Static NAT
In static NAT we create one to one mapping of IP addresses
It is Bi-directional.
Dynamic NAT
In dynamic NAT we map multiple IP addresses to some.
PAT
In PAT we map multiple IP addresses to one
Using PAT we can map about 65k IP address to a single IP
Uni-directional.
Static PAT
In static PAT we map the port of one IP address with another IP address port
Uni-directional.
Page 153 of 846
NAT Bypass
When we enable NAT-control in OS 8.0 then natting is must. If you want to avoid NAT rule then we
use NAT Bypass.
Types of NAT Bypass

1. Identity NAT
2. NAT Exemption
Identity NAT
In it an IP address is translated into itself, used for those application which don't support NAT like
GDOI.
NAT Exemption
It is used for VPN traffic to exclude it for NAT rule in 8.0.
Policy NAT
In policy NAT we can define condition for natting
It could be port based or IP based.
Page 154 of 846


Diagram:
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
Server2
Page 155 of 846

no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ISP
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
ASA1
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
route inside 192.168.101.0 255.255.255.0 192.168.1.1 1
!!!!!
ASA1(config)# pin
ASA1(config)# ping 192.168.10.100
Page 156 of 846

!!!!!
ASA1(config)# pin
ASA1(config)# ping 192.168.20.100
!!!!!
ASA1(config)# pin
!!!!!
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# ping 192.168.102.100
?!!!!
ASA1(config)#
! static nat
nat-control
static (inside,outside) interface 192.168.1.1
static (inside,outside) 101.1.1.101 192.168.101.1
static (inside,outside) 101.1.1.102 192.168.101.100
Global 101.1.1.100 Local 192.168.1.1
Global 101.1.1.101 Local 192.168.101.1
Global 101.1.1.102 Local 192.168.101.100
! TCP & UDP will Work for ICMP ACL
access-list out permit icmp any interface outside
access-list out permit icmp any host 101.1.1.101
! in OS 8.0 we open access-list for natted ip
ISP#debug ip icmp
R1#ping 101.1.1.1
!!!!!
Page 157 of 846

R1#ping 101.1.1.1 so
R1#ping 101.1.1.1 source f0
R1#ping 101.1.1.1 source f0/1
.!!!!
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
! static nat is bi-directional
! private will map with public
! public will map with private
Global 101.1.1.100 Local 192.168.1.1
Global 101.1.1.101 Local 192.168.101.1
Page 158 of 846

Global 101.1.1.102 Local 192.168.101.100
! Static nat is bi-directional
! to check Open ACL
ASA1
access-list out permit tcp any host 101.1.1.102
PC1 #
PC2 can access FTP server using Public IP Address
Page 159 of 846

ASA1
clear configure nat
clear configure access-list
clear configure static
! dynamic nat
nat-control
nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 101.1.1.101-101.1.1.106
! TCP & UDP will Work for ICMP ACL
Page 160 of 846


! in dynamic many ip addresses map with some
! in this pool we have 6 ip address
! so 6 host can access internet
R1#ping 101.1.1.1
!!!!!
.!!!!
Server1#ping 101.1.1.1
.!!!!
Server1#
.!!!!
Server2#
Global 101.1.1.105 Local 192.168.20.100
Global 101.1.1.104 Local 192.168.10.100
Global 101.1.1.103 Local 192.168.101.1
Global 101.1.1.106 Local 192.168.101.100
Page 161 of 846

Global 101.1.1.102 Local 192.168.1.1
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
! PAT
ASA1
nat-control
nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 interface
! TCP & UDP will Work FOR ICMP ACL
Page 162 of 846

R1#ping 101.1.1.1
!!!!!
!!!!!
!!!!!
Server1#
!!!!!
Server2#
PAT Global 101.1.1.100(1) Local 192.168.102.100(138)
PAT Global 101.1.1.100(5) Local 192.168.101.100 ICMP id 1
ISP#
Page 163 of 846

*Mar
ISP#
*Mar
*Mar
*Mar
*Mar
*Mar
ISP#
*Mar
*Mar
*Mar
*Mar
*Mar
ISP#
*Mar
*Mar
ISP#
*Mar
*Mar
1 00:42:11.911: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.100

!ASA1
! static PAT
! now we have 5 servers telnet,ssh,http,https,ftp
! telnet , ssh in dmz1
! http , https in dmz2
! ftp in inside
static (inside,outside) tcp interface 21 192.168.101.100 21
static (dmz1,outside) tcp interface 22 192.168.10.100 22
! traffic will orginate form lower to higher apply access-list
access-list out permit tcp any interface outside eq 21
Page 164 of 846

Page 165 of 846

Page 166 of 846

Page 167 of 846

R1#telnet 192.168.10.100
Trying 192.168.10.100 ...
Page 168 of 846

R1#telnet 192.168.20.100
Trying 192.168.20.100 ...
! you cann't access inside to dmz1 or dmz2 bcoz of nat-control
! here we will use nat bypass
! 1 identity
! 2 nat exemption
Identity NAT
static (inside,dmz1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz1) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
Nat Exemption
access-list nat-exemption permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nat-exemption permit ip 192.168.101.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nat-exemption
R1#telnet 192.168.10.100
Trying 192.168.10.100 ... Open
User Access Verification

Username: shiva
Password:
Server1#
Server1#ex
Server1#exit
R1#telnet 192.168.20.100
Trying 192.168.20.100 ... Open

clear configure nat
clear configure global
clear configure access-list
clear configure static
ASA1 Policy NAT Based on Port
access-list icmp-traffic permit icmp any any
access-list ssh-traffic permit tcp any any eq 22
access-list telnet-traffic permit tcp any any eq 23
access-list http-traffic permit tcp any any eq 80
access-list https-traffic permit tcp any any eq 443
Page 169 of 846


nat (inside) 111 access-list icmp-traffic
nat (inside) 22 access-list ssh-traffic
nat (inside) 23 access-list telnet-traffic
nat (inside) 80 access-list http-traffic
nat (inside) 81 access-list https-traffic
nat (inside) 1 0 0
global (outside) 111 101.1.1.111
sh hist
ISP
1024
line vty 0 90
login local
exit
R1#telnet 101.1.1.1
Trying 101.1.1.1 ... Open

Username: shiva
Password:
ISP#
PAT Global 101.1.1.23(1024) Local 192.168.1.1(11440)
R1#ssh -l shiva 101.1.1.1
Password:
ISP#
PAT Global 101.1.1.22(1024) Local 192.168.1.1(15918)
R1#ping 101.1.1.1
.!!!!
Page 170 of 846

R1#
PAT Global 101.1.1.111(1) Local 192.168.1.1 ICMP id 8
so no................................................................................................................
Note:Please open access-list for natted ip address or service in os till 8.0, 8.1, 8.2.
Please use the same topology & configuration for CTP lab.............................................Thanks
Page 171 of 846


Chapter 13
NAT on OS 9.2.2.4
Static Nat
Dynamic NAT
PAT
Static PAT
Identity NAT
Twice NAT
Page 172 of 846

NAT
A services it enable internal users to access internet.
Or
Using NAT we map one IP address to another.
Types
1. Static
2. Dynamic
3. PAT
4. Static PAT
5. Identity NAT
6. Twice NAT
Static NAT
In static NAT we create one to one mapping of IP addresses
It is Bi-directional.
Dynamic NAT
In dynamic NAT we map multiple IP addresses to some.
PAT
In PAT we map multiple IP addresses to one
Using PAT we can map about 65k IP address to a single IP
Uni-directional.
Page 173 of 846

Static PAT
In static PAT we map the port of one IP address with another IP address port
Uni-directional.
Identity NAT
In it an IP address is translated into itself, used for those application which don't support NAT like
GDOI or VPN traffic in OS Version 8.4 & later.
Twice NAT
In Twice NAT we can define condition for natting that.
If source is A destination is B translate into X.
If source is A destination is C translate into Y.
Page 174 of 846


Diagram:-
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
Page 175 of 846

Server2
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ISP
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
1024
line vty 0 90
login local
exit
ip http server
ASA1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
Page 176 of 846

ASA1(config-if)# sh int ip brief
Interface
Protocol
GigabitEthernet0/0
up
GigabitEthernet0/1
up
GigabitEthernet0/2
up
GigabitEthernet0/3
up
GigabitEthernet0/4
GigabitEthernet0/5
Internal-Control0/0
127.0.1.1
YES unset up
up
Internal-Data0/0
unassigned YES unset down
down
Internal-Data0/1
down
Internal-Data0/2
unassigned YES unset up
up
Management0/0
ASA1(config-if)# sh namei
Interface
Name
Security
GigabitEthernet0/0
inside
100
GigabitEthernet0/1
dmz1
60
GigabitEthernet0/2
outside
0
GigabitEthernet0/3
dmz2
50
ASA1(config)# sh running-config route
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
route inside 192.168.101.0 255.255.255.0 192.168.1.1 1
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# ping 192.168.10.100
!!!!!
ASA1(config)# ping 192.168.20.100
!!!!!
ASA1(config)# ping 192.168.102.100
?!!!!
ASA1(config)# ! Object Defination
object network r1
host 192.168.1.1
object network r1-lan
host 192.168.101.1
Page 177 of 846

object network pc1
host 192.168.101.100
object network server1
host 192.168.10.100
host 192.168.20.100
object network ip1
host 101.1.1.101
object network ip2
host 101.1.1.102
object network ip3
host 101.1.1.103
object network ip4
host 101.1.1.104
object network ip5
host 101.1.1.105
! Static nat
object network r1
nat (inside,outside) static ip1
object network r1-lan
object network pc1
nat (dmz1,outside) static ip4
nat (dmz2,outside) static ip5
! ASA will Allow only TCP & UDP
! for ICMP Open ACL
access-list out permit icmp any object r1
access-list out permit icmp any object r1-lan
access-list out permit icmp any object pc1
access-list out permit icmp any object server1
access-list out permit icmp any object server2
ISP#debug ip icmp
R1#ping 101.1.1.1
!!!!!
R1#ping 101.1.1.1 so
Page 178 of 846

!!!!!
.!!!!
.!!!!
ASA1# sh xlate
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.1.1 to outside:101.1.1.101
Page 179 of 846

ISP#
*Sep 29 04:36:56.823: ICMP: echo reply sent, src 101.1.1.1, dst 101.1.1.101
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
Static is bi-directional
ASA1
access-list out permit tcp any object pc1
access-list out permit tcp any object server1
access-list out permit tcp any object server2
Page 180 of 846

Client Side Verification
Page 181 of 846

Page 182 of 846


ASA1(config)# ! Dynamic
object network all_network
subnet 192.168.0.0 255.255.0.0
object network dpool
range 101.1.1.101 101.1.1.104
object network all_network
nat (inside,outside) dynamic dpool
! ASA will allow tcp & udp
! for ICMP Acl
access-list out permit icmp any object all_network
R1#ping 101.1.1.1
!!!!!
R1#ping 101.1.1.1 so
!!!!!
ASA1# sh xlate
Page 183 of 846

NAT from inside:192.168.101.1 to outside:101.1.1.102 flags i idle 0:00:37 timeout 3:00:00
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
ASA(config) ! PAT
! PAT
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic interface
! ASA will allow tcp & udp
! for icmp acl
access-list out permit icmp any object inside
R1#ping 101.1.1.1
!!!!!
!!!!!
Page 184 of 846
0:00:30
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
Page 185 of 846


!ASA1(config)# ! static pat
! static pat
object network pc1
host 192.168.101.100
nat (inside,outside) static interface service tcp 21 21
sh hist
! open acl
access-list out permit tcp any object pc1 eq 21
! static pat
object network pc1
host 192.168.101.100
nat (inside,outside) static interface service tcp 21 2121
! open acl
access-list out permit tcp any object pc1 eq 21
Page 186 of 846

ASA1(config)# !!!!!! twice nat based on ports

object service telnet
service tcp destination eq 23
object service ssh
object service http
object service https
object service ftp
exit
object network ip_23
host 101.1.1.23
host 101.1.1.22
host 101.1.1.80
host 101.1.1.81
host 101.1.1.21
ASA1(config)# sh running-config nat
nat (inside,outside) source dynamic any ip_23 service telnet telnet
nat (inside,outside) source dynamic any ip_22 service ssh ssh
nat (inside,outside) source dynamic any ip_21 service ftp ftp
Page 187 of 846

nat (inside,outside) source dynamic any ip_80 service http http
nat (inside,outside) source dynamic any ip_81 service https https
R1#telnet 101.1.1.1
Trying 101.1.1.1 ... Open

Username: shiva
Password:
ISP#
TCP PAT from outside:0.0.0.0/0 23-23 to inside:0.0.0.0/0 23-23
flags srIT idle 0:00:28 timeout 0:00:00
TCP PAT from inside:192.168.101.100/49237 to outside:101.1.1.23/49237 flags ri idle 0:00:28
timeout 0:00:30
TCP PAT from inside:192.168.1.1/45171 to outside:101.1.1.23/45171 flags ri idle 0:00:44 timeout
0:00:30
% Connection reset by user
Password:
ISP#
Page 188 of 846
TCP PAT from inside:192.168.101.100/49248 to outside:101.1.1.81/49248 flags ri idle 0:00:03
timeout 0:00:30
!ASA
! twice nat using ip
subnet 192.168.0.0 255.255.0.0
object network internet
subnet 101.1.1.0 255.255.255.0
object network internet-lan
subnet 192.168.102.0 255.255.255.0
object network ip
object network ip1
host 101.1.1.111
object network ip2
host 101.1.1.222
Page 189 of 846

exit
nat (inside,outside) source dynamic inside ip1 destination static internet internet
nat (inside,outside) source dynamic inside ip2 destination static internet-lan internet-lan
ISP#debug ip icmp
R1#ping 101.1.1.1
!!!!!
R1#ping 192.168.102.1
!!!!!
R1#
ISP#debug ip icmp
ISP#
ISP#
ISP#
! ASA1(config)# ! identity nat
subnet 192.168.0.0 255.255.0.0
object network s2s-traffic
subnet 192.168.102.0 255.255.255.0
ex
nat (inside,outside) source static inside inside destination static s2s-traffic s2s-traffic
nat (inside,outside) source dynamic any interface
Page 190 of 846

R1#ping 101.1.1.1
!!!!!
R1#ping 101.1.1.1 so
!!!!!
R1#
R1#pin
R1#ping 192.168.102.1
.....
Success rate is 0 percent (0/5)
R1#ping 192.168.102.1 so
.....
ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
Page 191 of 846

ISP#
ISP#
ISP#
ISP#
ISP#
ISP#
Page 192 of 846


Chapter 14
CTP (Cut-Through-Proxy)
AAA(Authentication Authorization Accounting)

AAA Products
Radius
Tacacs+
Cisco AAA products
ACS
ISE
Page 193 of 846

CTP (Cut-Through-Proxy)
A feature in Cisco ASA using It we can authenticate the request of following protocols like TELNET,
HTTP, HTTPS, FTP for inbound or outbound connection.
But either inbound or outbound. Not both at a time.
Working
1. Client will initiate a request for a destination
2. ASA will prompt for username & password
3. Client will provide username & password
4. ASA will redirect credential to AAA server
5. AAA will authenticate user credential
6. If User is authenticated by AAA server ASA will add connection and forward the request to actual
destination.
7. Otherwise request will be drop
AAA Authentication Authorization &

Accounting
Authentication
It means validating a user access when he or she wants to access network resource.
Authorization
It means what a user can perform in the network.
Accounting
It means that what has been done by user.
Page 194 of 846
AAA Protocols
1. Radius(Remote authentication dial in user service)

2.Tacacs+ (Terminal Access Controller Access Control Server)
Radius
It was developed by Livingston Corporation.

Now it is open standard
It use UDP 1645, 1646 or 1812, 1813
It encrypt only password
First connection for Authentication & Authorization (1645, 1812)
Second connection for accounting (1646, 1813)
Tacacs+
Tacacs was invented by DOD Department of Defence of U.S.A

But Tacacs+ was introduced by Cisco
It use TCP port 49
It encrypt entire packet
Single connection for AAA
Cisco AAA Products
ACS (Access Control Server)

ISE (Identity Service Engine)
ACS (Access Control Server)
Versions
4.x
5.x
5.5 Latest
ISE (Identity Service Engine)
Versions
1.0
1.2.0
1.2.1 Latest
Page 195 of 846

Diagram:-
Initial-config
R1
interface f0/0
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Server1
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
Server2
Page 196 of 846

no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ISP
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
ASA1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
route inside 192.168.101.0 255.255.255.0 192.168.1.1 1
!!!!!
ASA1(config)# pin
ASA1(config)# ping 192.168.10.100
Page 197 of 846

!!!!!
ASA1(config)# pin
ASA1(config)# ping 192.168.20.100
!!!!!
ASA1(config)# pin
!!!!!
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# ping 192.168.102.100
?!!!!
ASA1(config)#
BEFORE CTP YOU HAVE TO CONFIGURE POLICY NAT
access-list icmp-traffic permit icmp any any
access-list ssh-traffic permit tcp any any eq 22
access-list telnet-traffic permit tcp any any eq 23
access-list http-traffic permit tcp any any eq 80
access-list https-traffic permit tcp any any eq 443
nat (inside) 111 access-list icmp-traffic
nat (inside) 22 access-list ssh-traffic
nat (inside) 23 access-list telnet-traffic
nat (inside) 80 access-list http-traffic
nat (inside) 81 access-list https-traffic
nat (inside) 1 0 0
sh hist
ISP
Page 198 of 846

1024
line vty 0 90
login local
exit
ip http server
Page 199 of 846

Page 200 of 846

Page 201 of 846

Please install Access control System on PC 192.168.101.100

Please Follow the instructions..............................
Page 202 of 846

Page 203 of 846

Page 204 of 846

Page 205 of 846

Page 206 of 846

Page 207 of 846

Page 208 of 846

Page 209 of 846

Page 210 of 846

Page 211 of 846

Page 212 of 846

Page 213 of 846

Page 214 of 846

Page 215 of 846

ASA1(config)# ping 192.168.101.100

!!!!!
ASA1(config)# ! AAA config on ASA
aaa-server myacs protocol tacacs+
aaa-server myacs (inside) host 192.168.101.100
timeout 10
key shiva
exit
! CTP Config on ASA
aaa authentication include telnet inside 0 0 0 0 myacs
aaa authentication include http inside 0 0 0 0 myacs
aaa authentication include https inside 0 0 0 0 myacs
aaa authentication include ftp inside 0 0 0 0 myacs
auth-prompt prompt AAA_4.2_Please_authenticate_yourself
auth-prompt accept Enjoy_internet_service
auth-prompt reject Hummmm............try_again
Page 216 of 846

! AAA communication on ASA
test aaa-server authentication myacs host 192.168.101.100 username shiva password shiva
ASA1# test aaa-server authentication myacs host 192.168.101.100 username shiva$
INFO: Attempting Authentication test to IP address <192.168.101.100> (timeout: 12 seconds)
INFO: Authentication Successful
Please Initiate HTTP, HTTPS , FTP & TELNET Request on Client
ASA1# sh uauth
Current Most Seen
Authenticated Users
1
1
Authen In Progress
0
1
user 'shiva' at 192.168.101.100, authenticated (idle for 0:00:10)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
ASA1# clear uauth
Page 217 of 846

Page 218 of 846

If ask username & password again click cancel Tab & Refresh the ftp Page
Page 219 of 846

Page 220 of 846


Chapter 15
IPsec Introduction
IPsec VPN
IPsec VPN Features
Encryption Algorithms
Pre-shared Key
Public Key Infrastructure
ESP
AH
IKE
ISAKMP
NAT-T
Security Association
Page 221 of 846

IPsec VPN
IPsec VPN Provides secure IP communication over insecure network.
IPsec VPN Features
Confidentiality
Integrity
Anti-Replay
Confidentiality
It mean your data will keep as secret using encryption algorithm
Like DES, 3DES, AES.
Encryption Algorithms
Encryption is simply a mathematical algorithm, a key applied to data to make the contents
unreadable to everyone except those who have the ability to decrypt it
Types of Encryption Algorithms
Symmetric Encryption
Asymmetric Encryption
Symmetric Encryption
Symmetric encryption algorithms are also called secret key cryptography. As the name implies, there
is a single, secret key that is used to both encrypt and decrypt the data.
Page 222 of 846

Examples of Symmetric Algorithms
DES
3DES
AES
DES
56-bit key, has been broken in less than 24 hours using modern computers.
3DES
Three different 56-bit keys (DES encrypt, DES decrypt, DES encrypt) to create
The cipher text. It has not yet been broken, but has theoretical aws.
AES
It is considered the symmetric encryption choice today. 128 Bits to 256 bits
Integrity
It insure that your data is altered during transmission or not. Using hash algorithm like MD5, SHA.

It means that both devices will authenticate to each other before data exchange. Using Pre-Shared
or Certificate (PKI).
Pre-Shared
A single key is applied on both peers.
Page 223 of 846

Public Key Infrastructure

PKI provides framework for managing the security attributes between peer who are engaged in
secure communication over insecure network.
The PKI consists of a number of elements, which are also network entities
PeersDevices and people who securely communicate across a network. Also known as end
hosts.
Certication authority (CA)Grants and maintains digital Certicates. Also known as a trusted
entity or a trust point.
Digital certicateContains information to uniquely identify a peer, a signed copy of the public
encryption key used for secure communications, certicate validity data, and the signature of the CA
that issued the certicate. X.509v3 is the current version of digital certicate.
Distribution mechanismA means to distribute certicate revocation lists (CRLs) across the
network. LDAP and HTTP are examples.
The PKI Message Exchange Process
Host will generate RSA signature & request for public key of CA.
CA sends it public keys.
Host generate a certificate request and send to CA.
CA will sign the certificate request with its private key, and send certificate to host
Host will save it
Certificate will use for secure communication.
Anti-Replay
It means that of your data will arrive late it will consider as alter & it will be
drop. Anti-Replay can be define in kilobytes or seconds.
IPsec Protocols
ESP
AH
IKE
Page 224 of 846

ESP (Encapsulating Security Payload)
It provides all IPsec features

It use IP protocol no 50.
It works with NAT
It use NAT-T
It doesn't include external IP for ICV.
AH (Authentication Header)
It doesn't provides confidentiality, because it doesn't use encryption

It use IP protocol no 51.
It doesn't works with NAT
It doesn't use NAT-T
It does include external IP for ICV.
It doesn't include TTL value for ICV
IKE (Internet Key Exchange)

It provides a framework to exchange the security parameter & policies between two IPsec peers.
IKE Modes
Main Mode
Aggressive Mode
Quick Mode
Main Mode
In main mode 6 attributes or messages in three steps.
1. Initiator will send own proposal to responder, and responder will send own proposal to initiator.
2. Initiator will send own key to responder, and responder will send own key to initiator.
3. At the end they will authenticate the session.
OR
Page 225 of 846


Step1
Step2
Step3
Message 1-initiator will send own proposal to responder

Message 2-responder will send own proposal to initiator
Message 3-initiator will send own key to responder
Message 4-responder will send own key to initiator
Message 5-initiator will authenticate the session
Message 6-responder will authenticate the session
Aggressive Mode
In aggressive mode 6 attributes are in three steps.
1. Initiator will send own proposal &key to responder.
2. Responder will authenticate initiator's proposal & sends own proposal &key to initiator.
3. Initiator will authenticate the session.
Note: - Either main mode or aggressive mode will work not both
Quick Mode
In quick mode they will recheck their attributes using SPI (Security Parameter Index). SPI is sent with
every packet by peers.
IKE Phases
1. Phase1
2. Phase1.5 (optional)
3. Phase2
Phase 1
In Phase1 they create single IKE bi-direction tunnel. Single key is used to authenticate the session. In
phase1 main mode or aggressive mode will work.
If main mode will work, aggressive mode will not work

If aggressive mode will work, main mode will not work
It dependence on IPsec VPN
Page 226 of 846
Site-Site
Main mode
Remote Access Aggressive mode
DMVPN
Main mode
GETVPN
Main mode
Phase 1.5
It is an optional IKE phase. Phase 1.5 provides an additional layer of Authentication, called Xauth, or
Extended Authentication. Xauth forces the user to authenticate before use Of the IPsec connection
is granted.
Phase 2
When phase1 is successfully completed Phase2 is started.
If phase1 is not successfully completed Phase2 will not start.
In phase2 they create multiple IPsec tunnels. Two tunnels per protocol
ESP or AH.
ISAKMP
IKE is a management protocol actually is use isakmp for key exchange.
Internet security association key management protocol. it use UDP Port 500.
IKE Versions
IKE Version1
6 messages
Use isakmp
NAT-T support
Fire & Forget
No VOIP support
No cryptography mechanism for key exchange
IKE Version2
4-6 messages
Use isakmp
NAT-T support
Check peer existence via cookies
VOIP support
Use suit B cryptography
IKE Version 2
Steps
IKE_SA_INIT_ (Two Messages)

IKE_AUTH+CREATE_CHID_SA (Two Messages)
IKE_ CREATE_SECOND_CHID_SA (Optional)/ (Two Messages)
Page 227 of 846
IKE_SA_INIT: Message 1
The Initiator Proposes Basic SA Attribute Along with
Authentication Material
Equivalent to messages 1 and 3 in IKEv1
IKE_SA_INIT: Message 2
The responder sends back a set of attributes acceptable
Under SA, along with authentication material
Equivalent to messages 2 and 4 in IKEv1
IKE_AUTH: Message 3
Authentication Material Along with CHILD_SA Info Sent
Equivalent to message 5 Main Mode
And part of the Quick Mode in IKEv1
IKE_AUTH: Message 4
Authentication Material Along with CHILD_SA Info Sent
Equivalent to message 6 Main Mode
And part of the Quick Mode in IKEv1
Note:VTI and GRE/ IPsec Complete after this Message
Optional
CREATE_CHILD_SA: Message 1
The Initiator Sends Its Authentication Material and ID
Additional child exchange equivalent to Quick Mode in IKEv1
CREATE_CHILD_SA: Message 2
The Responder Sends Its Authentication Material and ID
Additional child exchange equivalent to Quick Mode in IKEv1
IPsec Modes
1. Transport mode
2. Tunnel mode
Transport Mode
It protect layer4 & upper layer data. Used in DMVPN.
Tunnel Mode
Page 228 of 846

It protect layer3 & upper layer data. Used in Site-Site, Remote-Access, GETVPN.
NAT Transversal
A feature it enable us to establish VPN session through NAT device.
In NAT-T VPN devices add UDP header before ESP header, so that NAT device can perform NAT with
packet.
Why NAT-Traversal
AH doesn't work with nat. Because it include external IP address for ICV.
It include data, key, external-IP for integrity check value. If AH packet will pass through Nat device,
Nat device will translate external IP. When peer will receive AH packet it will verify packet ICV, due
to Nat peer will found ICV mismatch. So Packet will drop.
Note: - AH doesn't include TTL value for ICV. Because TTL is changed at every hop.
ESP doesn't include external IP for ICV. But it encrypt the data. A Nat device require layer 4
information but it is encrypted by esp. no layer 4 information so no Nat will perform.
To resolve this issue we use NAT-T, in NAT-T devices add UDP header before ESP header for Nat
device. That header is UDP 4500.
NAT Transversal Steps
NAT-T Support
NAT-T Detection
NAT-T Decision
NAT-T Support
In IKE Phase1, two peers exchange their vender id and IOS version information to each other to
determine that which features are supported.
NAT-T Detection
In IKE Phase1, they create a payload of external IP addresses. They hash it after hashing payload &
hash product is exchanged between peers. They verify hash if hash match, no Nat exist in the VPN
peer path otherwise Nat exist.
Page 229 of 846

NAT-T Decision
In IKE Phase2, if they found Nat in the VPN peer path. UDP 4500 header in inserted before ESP
header.
A group of security parameters & policies which is agreed between two IPsec peers.
A group of security parameters and policies which is agreed between two IPsec peers.
Parts
Security Association
SAD
SPD
SAD (Security Association Database)

It contain
Peer IP
SPI
IPsec Protocols information like ESP/AH?
Security Policy Database

It contain
Encryption algorithm (DES, 3DES, or AES)
Hash algorithm (MD5 or SHA-1)
IPsec mode (tunnel or transport)
Key lifetime (seconds or kilobytes)
Diffie-Hellman Key Exchange

DH allows two parties to share a secret key over an insecure channel. Because this key forms the
basis of the rest of the VPN, it is essential that the key be kept secret.
Security Parameter Index

Both Devices create a hash of Security Policy Database
That hash is call SPI.
Page 230 of 846

How to create Windows 2003 as CA
first install 2003 server in virtual box or real machine

second assign ip add 192.168.105.100 or differ
don't remove 2003 CD from CD-ROM
download cepsetup.exe from google
follow
start
run
appwiz.cpl
Page 231 of 846

Page 232 of 846

Page 233 of 846

Page 234 of 846

Page 235 of 846

Page 236 of 846

Page 237 of 846

Page 238 of 846

Page 239 of 846

Page 240 of 846

Page 241 of 846

Page 242 of 846

Page 243 of 846

Page 244 of 846

Page 245 of 846

Page 246 of 846

Page 247 of 846

Page 248 of 846

Page 249 of 846

Page 250 of 846

Page 251 of 846

stop the ca
start the ca
Page 252 of 846

password is shiva
Start>run>type
http://192.168.105.100/certsrv/mscep/mscep.dll
this url will use to obtain one time password for vpn
Page 253 of 846

Page 254 of 846

if this ca is in virual box you can use it for real network or gns topology
if it is for gns set following things
connect gns topology with host only interface

For Real network bridge with real interface
Page 255 of 846
you can connect to gig or wireless

thanks
Page 256 of 846


How to install Windows 2008 as CA
first install 2008 server data Centre edition

assign ip add 192.168.108.100 or any
Page 257 of 846

Page 258 of 846

Page 259 of 846

Page 260 of 846

Page 261 of 846

Page 262 of 846

Page 263 of 846

Page 264 of 846

Page 265 of 846

Page 266 of 846

Page 267 of 846

Page 268 of 846

Page 269 of 846

Page 270 of 846

Page 271 of 846

Page 272 of 846

Page 273 of 846

Page 274 of 846

Page 275 of 846

Page 276 of 846

Page 277 of 846

Page 278 of 846

Page 279 of 846

Page 280 of 846

Page 281 of 846

Page 282 of 846

Page 283 of 846

Page 284 of 846

Page 285 of 846

Turn off Firewall......

Page 286 of 846
in run type http://192.168.108.100/certsrv/mscep/mscep.dll

press OK...
Page 287 of 846

Page 288 of 846

click new url
Page 289 of 846

user= administrator
pass= admin password
press OK..........
Page 290 of 846

your new OTP for certificate Enrollment....
Page 291 of 846


How to configure windows 2012 as CA
First install 2012 server

assign ip add 192.168.112.100 or differ
follow
Page 292 of 846

Page 293 of 846

Page 294 of 846

Page 295 of 846

Page 296 of 846

Page 297 of 846

Page 298 of 846

Page 299 of 846

Page 300 of 846

Page 301 of 846

Page 302 of 846

Page 303 of 846

Page 304 of 846

Page 305 of 846

Page 306 of 846

Page 307 of 846

Page 308 of 846

Page 309 of 846

Page 310 of 846

Page 311 of 846

Page 312 of 846

Page 313 of 846

Page 314 of 846

Page 315 of 846

Page 316 of 846

Page 317 of 846

Page 318 of 846

Page 319 of 846

Page 320 of 846

Page 321 of 846

Page 322 of 846

Page 323 of 846

http://192.168.112.100/certsrv
Page 324 of 846

Page 325 of 846

Page 326 of 846

Page 327 of 846

Page 328 of 846

Page 329 of 846

Page 330 of 846

Page 331 of 846

Page 332 of 846


How to configure IOS CA
! first set clock
clock set 12:53:00 6 oct 2014
conf t
ip add 101.1.1.1 255.255.255.0
exit
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
crypto key generate rsa general-keys exportable label shiva modulus 1024
crypto key export rsa shiva pem url nvram: 3des cisco1234
ip http server
crypto pki server cisco
database level minimum
database url nvram:
issuer-name cn=lab.nb.com l=gr c=in
lifetime certificate 365
grant auto
no shutdown
give 9 alphabet password
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
R1#sh crypto pki server
Certificate Server cisco:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=lab.nb.com l=gr c=in
CA cert fingerprint: 3EE215BD E41454DF 0DB85E8C 41588E7F
Granting mode is: auto
Last certificate issued serial number: 0x1
CA certificate expiration timer: 12:53:00 UTC Oct 5 2017
CRL NextUpdate timer: 18:53:00 UTC Oct 6 2014
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
R1#dir nvram:
Directory of nvram:/
54 -rw55 ---1 ---2 -rw3 -rw4 -rw5 -rw6 -rw7 -rw-
233
0
15
4
272
963
32
230
1595
<no date> startup-config

<no date> private-config
<no date> persistent-data
<no date> rf_cold_starts
<no date> shiva.pub
<no date> shiva.prv
<no date> cisco.ser
<no date> cisco.crl
<no date> cisco_00001.p12

Page 333 of 846

Chapter 16
Site-Site VPN

Site-Site VPN
Working
Page 334 of 846

Site-Site VPN
It enables two sites to communicate with each other in a secure way over insecure network.
Working
192.168.101.0/24
192.168.102.0/24
Remote client wants to communicate with central office

It will generate a packet with 101.0 source & 102.0 destination that packet will deliver to
gateway.
Gateway will check its destination ip and packet will be forward to exit interface. When
packet will arrive a exit interface there is a crypto map. Router will intercept the packet that
if you match with crypto map access-list, it is encrypted & hashed.
then router will check sa with peer , if no sa found it will send proposal to peer using isakmp
udp port 500
IKE phase1 & Phase2 will come in picture. Phase 2 complete protected data will delivered to
peer.
Page 335 of 846


Diagram:-
Site-Site-pre-8.0
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface ethernet 0/0
no shu
nameif inside
ip add 192.168.101.1
interface e0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
route outside 0 0 101.1.1.1
Page 336 of 846

R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
no shu
nameif inside
ip add 192.168.102.1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# pin
?!!!!
ASA2
ASA2(config)# ping 192.168.102.100
!!!!!
ASA2(config)# pin
!!!!!
Page 337 of 846
ASA1
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key shiva add 102.1.1.100
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map test 10 set transform-set t-set
crypto map test 10 set peer 102.1.1.100
crypto map test 10 match address 101
crypto map test interface outside
crypto isakmp enable outside
ASA2
encryption aes
hash sha
group 5
lifetime 1800
R1#ping 192.168.102.100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ASA1# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Page 338 of 846

Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
ASA1# sh crypto ipsec sa
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101.1.1.100
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 102.1.1.100
#pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
#pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
#pkts compressed: 0, #pkts decompressed: 0
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
ASA2# sh cry
ASA2# sh crypto ip
interface: outside
Page 339 of 846


ASA_s2s_pre_8.0_overlapping_subnet
Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
no shu
nameif inside
ip add 192.168.101.1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
Page 340 of 846

R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
no shu
nameif inside
ip add 192.168.101.1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
R2
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# pin
!!!!!
ASA2
ASA2(config)# ping 192.168.101.100
!!!!!
ASA2(config)# pin
!!!!!
Page 341 of 846

ASA1(config)# static (inside,outside) 192.168.10.0 192.168.101.0
ASA2(config)# static (inside,outside) 192.168.20.0 192.168.101.0
ASA1
encryption a
hash sha
group 5
lifetime 1800
ASA2
encryption a
hash sha
group 5
lifetime 1800
R1#ping 192.168.20.100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192.168.10.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Page 342 of 846

interface: outside
#pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 4C0DCAEF
inbound esp sas:
spi: 0xA35E7858 (2740877400)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, }
ASA1# sh cry
ASA1# sh crypto is
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
interface: outside
Page 343 of 846

local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: A35E7858
inbound esp sas:
spi: 0x4C0DCAEF (1275972335)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, }
ASA2# sh cry
ASA2# sh crypto is
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
Page 344 of 846


ASA_s2s_rsa_8.0
Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
no shu
nameif inside
ip add 192.168.101.1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
Page 345 of 846

R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
int f1/0
no shutdown
ip add 192.168.105.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
no shu
nameif inside
ip add 192.168.102.1 255.255.255.0
no shu
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# ping 192.168.105.100
?!!!!
ASA1(config)# pin
?!!!!
ASA2(config)# ping 192.168.102.100
Page 346 of 846

!!!!!
ASA2(config)# pin
!!!!!
ASA2(config)# pin
ASA2(config)# ping 192.168.105.100
!!!!!
Configure R3 AS NTP SERVER

R3#clock set 22:07:00 29 sep 2014
R3#conf t
R3(config)#ntp master
Configure ASA1 & ASA2 AS NTP CLIENT

ASA1(config)# ntp server 101.1.1.1
ASA1# sh clock
22:08:49.224 UTC Mon Sep 29 2014
ASA2# sh clock
22:10:22.070 UTC Mon Sep 29 2014
ASA1
domain-name cisco.com
crypto ca trustpoint ttt
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
ex
crypto ca authenticate ttt
yes
crypto ca enroll ttt
%% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ****************(this password will obtain from ca)
Re-enter password: ****************
Page 347 of 846
% The fully-qualified domain name in the certificate will be: ASA1.cisco.com

% Include the device serial number in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA1(config)# The certificate has been granted by CA!
go to ca in run type http://192.168.105.100/certsrv/mscep/mscep.dll
Page 348 of 846

copy one time password paste to asa1 or asa2
Page 349 of 846

To obtain new OTP please go to CA & refresh the page copy & Paste
ASA2
exit
yes
ASA2(config)# crypto ca enroll ttt
%
% Start certificate enrollment ..
Password: ****************

% Include the device serial number in the subject name? [yes/no]: no
Page 350 of 846

ASA1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102.1.1.100 type ipsec-l2l
tunnel-group 102.1.1.100 ipsec-attributes
trust-point ttt
crypto map test 10 set trustpoint ttt
ASA2
encryption aes
hash sha
group 5
lifetime 1800
trust-point ttt
cry isakmp enable outside
R1#ping 192.168.102.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Page 351 of 846

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192.168.101.100 re
R2#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
interface: outside
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
ASA1#
ASA2
interface: outside
Active SA: 1
Total IKE SA: 1
Page 352 of 846

1 IKE Peer: 101.1.1.100
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
Page 353 of 846


ASA_s2s_pre_ikev1
Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
interface gigabitEthernet 0/0
no shu
nameif inside
ip add 192.168.101.1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no sh
R3
Page 354 of 846

int f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
no shu
nameif inside
ip add 192.168.102.1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
ASA1# ping 192.168.101.100
!!!!!
ASA1# pin
ASA1# ping 102.1.1.100
?!!!!
ASA2
ASA2# ping 192.168.102.100
!!!!!
ASA2# pin
ASA2# ping 101.1.1.100
!!!!!
Page 355 of 846

ASA1
crypto ikev1 policy 1
encryption aes
hash sha
group 5
lifetime 1800
ikev1 pre-shared-key shiva
crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac
crypto map test 10 set ikev1 transform-set t-set
crypto ikev1 enable outside
ASA2
encryption aes
hash sha
group 5
lifetime 1800
R1
R1#ping 192.168.102.100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Page 356 of 846

ASA1# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
interface: outside
access-list 101 extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0

#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
local crypto endpt.: 101.1.1.100/0, remote crypto endpt.: 102.1.1.100/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5F93D48A
current inbound spi : 30046549
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
ASA2# sh cry
Page 357 of 846

ASA2# sh crypto ip
interface: outside

current outbound spi: 30046549
current inbound spi : 5F93D48A
Page 358 of 846


ASA_s2s_pre_ikev2
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ASA1
hostname ASA1
no shu
nameif inside
ip add 192.168.101.1
interface g0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
R3
int f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA2
hostname ASA2
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1(config)# ping 192.168.101.100
Page 359 of 846

!!!!!
ASA1(config)# pin
!!!!!
ASA2(config)# ping 192.168.102.100
!!!!!
ASA2(config)# pin
!!!!!
ASA1
encryption aes
integrity sha
group 5
lifetime seconds 1800
ikev2 local-authentication pre-shared-key shiva
ikev2 remote-authentication pre-shared-key shiva
crypto ipsec ikev2 ipsec-proposal ppp
protocol esp encryption aes
protocol esp integrity sha-1
crypto map test 10 set ikev2 ipsec-proposal ppp
ASA2
encryption aes
integrity sha
group 5
ikev2 local-authentication pre-shared-key shiva
ikev2 remote-authentication pre-shared-key shiva
Page 360 of 846

R1#ping 192.168.102.100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#
R2#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id
Local
Remote Status
Role
4946947
101.1.1.100/500
102.1.1.100/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 1800/35 sec
Child sa: local selector 192.168.101.0/0 - 192.168.101.255/65535
remote selector 192.168.102.0/0 - 192.168.102.255/65535
ESP spi in/out: 0xbe7654ee/0x820c8ee1
ASA1# sh cry
ASA1# sh crypto ip
interface: outside
Page 361 of 846

current outbound spi: 820C8EE1
current inbound spi : BE7654EE
ASA1#
ASA2(config)# sh crypto ikev2 sa
IKEv2 SAs:
Tunnel-id
Local
Remote Status
Role
6108915
102.1.1.100/500
101.1.1.100/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
remote selector 192.168.101.0/0 - 192.168.101.255/65535
ESP spi in/out: 0x820c8ee1/0xbe7654ee
ASA2(config)# sh cry
ASA2(config)# sh crypto ip
ASA2(config)# sh crypto ipsec sa
interface: outside

Page 362 of 846

current outbound spi: BE7654EE
current inbound spi : 820C8EE1
Page 363 of 846


ASA_s2s_rsa_ikev1
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
ip add 102.1.1.1 255.255.255.0 secondary
int f0/1
no shutdown
ip add 192.168.108.1 255.255.255.0
no shutdown
ASA1
no shu
nameif inside
ip add 192.168.101.1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
ASA2
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
ASA1(config)# ping 192.168.101.100
Page 364 of 846

!!!!!
ASA1(config)# ping 192.168.108.100
!!!!!
!!!!!
ASA2(config)# ping 192.168.102.100
!!!!!
ASA2(config)# ping 192.168.108.100
!!!!!
!!!!!
R3
R3#clock set 12:17:45 1 oct 2014
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ASA1
ex
yes
ERROR: Signature public key not found - Abort.
%
Page 365 of 846

Password: **************** (this password will obtain from 2008 ca)

!!!!! if ca does not give cert please remove ca & install again ca on 2008!!!!!!
ASA2
exit
yes
ERROR: Signature public key not found - Abort.
Page 366 of 846

%
Password: ****************

ASA1
encryption a
hash sha
group 5
lifetime 1800
ikev1 trust-point ttt
ASA2
encryption aes
hash sha
group 5
lifetime 1800
ikev1 trust-point
Page 367 of 846

R1#ping 192.168.102.100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
interface: outside

Page 368 of 846

current outbound spi: 34159C71
current inbound spi : F446BD48
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
ASA2# sh cry
ASA2# sh crypto ip
interface: outside

current outbound spi: F446BD48
current inbound spi : 34159C71
Page 369 of 846

ASA_s2s_rsa_ikev1_ios_ca
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
int f0/0
ip add 101.1.1.1 255.255.255.0
no sh
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
no shu
nameif inside
ip add 192.168.101.1 255.255.255.0
no shu
int g0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
ASA1# ping 192.168.101.100
!!!!!
ASA1# pin
ASA1# ping 102.1.1.1
!!!!!
ASA2
no shu
nameif inside
Page 370 of 846

ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
ASA2(config)# ping 192.168.102.100
!!!!!
ASA2(config)# pin
!!!!!
R3
R3#clock set 13:52:30 7 oct 2014
R3#conf t
R3
configure R3 AS CA
crypto key generate rsa general-keys exportable label shiva modulus 1024
crypto key export rsa shiva pem url nvram: 3des cisco123
yes
ip http server
crypto pki server cisco
database level minimum
database url nvram:
issuer-name cn=cisco1.cisco.com l=gurgaon c=in
lifetime certificate 365
grant auto
no shutdown
(give password 999999999)
ASA1
ASA1(config)# crypto ca trustpoint ttt
ASA1(config-ca-trustpoint)# enrollment url http://101.1.1.1
ASA1(config-ca-trustpoint)# ex
ASA1(config)# crypto ca authenticate ttt
INFO: Certificate has the following attributes:
Fingerprint: 06fb1021 06e41a7a fa64dc4b fa73efa3
Page 371 of 846

Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ASA1(config)# crypto ca en ttt
%
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: ASA1
ASA2
ASA2(config-ca-trustpoint)# enrollment url http://101.1.1.1
Fingerprint: 06fb1021 06e41a7a fa64dc4b fa73efa3
%
Password:
Re-enter password:

Page 372 of 846
ASA1
encryption aes
hash sha
group 5
lifetime 1800
ASA2
encryption aes
hash sha
group 5
lifetime 1800
R1#ping 192.168.102.100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192.168.101.100 repeat 100
Page 373 of 846

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ASA1
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
interface: outside

current outbound spi: 02BB4488
current inbound spi : 64AD6A6D
inbound esp sas:
spi: 0x64AD6A6D (1689086573)
transform: esp-aes esp-sha-hmac no compression
Page 374 of 846

in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: test
sa timing: remaining key lifetime (kB/sec): (3914980/1766)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x02BB4488 (45827208)
IV size: 16 bytes
Anti replay bitmap:
0x00000000 0x00000001
ASA2
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
ASA2# sh cry
ASA2# sh crypto ip
interface: outside

Page 375 of 846

current outbound spi: 64AD6A6D
current inbound spi : 02BB4488
inbound esp sas:
spi: 0x02BB4488 (45827208)
IV size: 16 bytes
Anti replay bitmap:
outbound esp sas:
spi: 0x64AD6A6D (1689086573)
IV size: 16 bytes
Anti replay bitmap:
0x00000000 0x00000001
Page 376 of 846


ASA_s2s_rsa_ikev2
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
ip add 102.1.1.1 255.255.255.0 secondary
int f0/1
no shutdown
ip add 192.168.108.1 255.255.255.0
no shutdown
ASA1
no shu
nameif inside
ip add 192.168.101.1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
ASA2
no shu
nameif inside
ip add 192.168.102.1
interface g0/1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
ASA1(config)# ping 192.168.101.100
Page 377 of 846

!!!!!
ASA1(config)# ping 192.168.108.100
!!!!!
!!!!!
ASA2(config)# ping 192.168.102.100
!!!!!
ASA2(config)# ping 192.168.108.100
!!!!!
!!!!!
R3
R3#clock set 12:17:45 1 oct 2014
R3#conf t
Page 378 of 846

ASA1
exit
ASA1(config)# crypto ca en ttt
%
Password: ****************

ASA2
Page 379 of 846

exit
Obtain New Password From 2008 Ca

%
Password: ****************

Page 380 of 846

ASA1
encryption aes
integrity sha
group 5
ikev2 local-authentication certificate ttt
ikev2 remote-authentication certificate
ASA2
encryption aes
integrity sha
group 5
R1#ping 192.168.102.100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Page 381 of 846

R1#
R2#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IKEv2 SAs:
Tunnel-id
Local
Remote Status
Role
5119715
101.1.1.100/500
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
remote selector 192.168.102.0/0 - 192.168.102.255/65535
ESP spi in/out: 0x9f01e33f/0x14ff9428
interface: outside

current outbound spi: 14FF9428
current inbound spi : 9F01E33F
Page 382 of 846
IKEv2 SAs:
Tunnel-id
Local
Remote Status
Role
4933683
102.1.1.100/500
remote selector 192.168.101.0/0 - 192.168.101.255/65535
ESP spi in/out: 0x14ff9428/0x9f01e33f
ASA2# sh cry
ASA2# sh crypto ip
interface: outside

current outbound spi: 9F01E33F
current inbound spi : 14FF9428
ASA1
subnet 192.168.101.0 255.255.255.0
object network s2s
subnet 192.168.102.0 255.255.255.0
ex
nat (inside,outside) source static inside inside destination static s2s s2s
Page 383 of 846

R1#ping 101.1.1.1
!!!!!
R1#ping 192.168.102.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Page 384 of 846


Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
interface f0/0
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
int f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
ip add 102.1.1.1 255.255.255.0 secondary
int f0/1
no shutdown
ip add 192.168.112.1 255.255.255.0
ASA1
int g0/0
no shu
nameif inside
ip add 192.168.101.1
interface g0/1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
ASA1# ping 192.168.101.100
!!!!!
ASA1# pin
ASA1# ping 102.1.1.1
!!!!!
ASA1# pin
ASA1# ping 192.168.112.1
Page 385 of 846

!!!!!
ASA1# ping 192.168.112.100
!!!!!
ASA2
no shu
nameif inside
ip add 192.168.102.1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
ASA2# ping 192.168.102.100
!!!!!
ASA2# pin
ASA2# ping 101.1.1.100
!!!!!
ASA2# pin
ASA2# ping 192.168.112.100
!!!!!
R3
R3#clock set 14:24:30 7 oct 2014

R3#conf t
GO TO CA SERVER
Page 386 of 846
Page 387 of 846

copy OTP for ASA1 & Refresh page Obtain new for ASA2
Page 388 of 846

ASA1(config-ca-trustpoint)# enrollment url http://192.168.112.100/certsrv/mscep/mscep.dll
Fingerprint: 15e057f1 e800b9d9 90410bd8 cbd9263b
%
Password: ****************

ASA2
ASA2(config-ca-trustpoint)# enrollment url http://192.168.112.100/certsrv/mscep/mscep.dll
Fingerprint: 15e057f1 e800b9d9 90410bd8 cbd9263b
%
Password: ****************
Page 389 of 846


ASA1
encryption aes
integrity sha
group 5
ASA2
encryption aes
integrity sha
group 5
Page 390 of 846

R1#ping 192.168.102.100 repeat 100
*Oct 7 09:13:38.111: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 192.168.102.100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IKEv2 SAs:
Tunnel-id
Local
Remote Status
Role
5337201
101.1.1.100/500
remote selector 192.168.102.0/0 - 192.168.102.255/65535
ESP spi in/out: 0x9888f2d4/0xb65c501b
ASA1# sh cry
ASA1# sh crypto ip
interface: outside

Page 391 of 846

current outbound spi: B65C501B
current inbound spi : 9888F2D4
inbound esp sas:
spi: 0x9888F2D4 (2559111892)
IV size: 16 bytes
Anti replay bitmap:
outbound esp sas:
spi: 0xB65C501B (3059503131)
IV size: 16 bytes
Anti replay bitmap:
0x00000000 0x00000001
IKEv2 SAs:
Tunnel-id
Local
Remote Status
Role
6916937
102.1.1.100/500
remote selector 192.168.101.0/0 - 192.168.101.255/65535
ESP spi in/out: 0xb65c501b/0x9888f2d4
ASA2# sh cry
ASA2# sh crypto ip
interface: outside
Page 392 of 846


current outbound spi: 9888F2D4
current inbound spi : B65C501B
inbound esp sas:
spi: 0xB65C501B (3059503131)
IV size: 16 bytes
Anti replay bitmap:
outbound esp sas:
spi: 0x9888F2D4 (2559111892)
IV size: 16 bytes
Anti replay bitmap:
0x00000000 0x00000001
Page 393 of 846


Chapter 17
Remote Access VPN

Remote Access VPN
Modes
Working
Page 394 of 846

Remote Access VPN

It enable remote user or mobile user/ internet users to access the internal network of a company.
Modes
Client
Network extension
Network extension plus
Client Mode Software

In client mode an internal ip address if offered to remote client.
When remote client wants to access internal resource of server lan it generate PDU with internal
source & destination. That is protected by esp and an external ip address is attached with packet so
that is can be routed over internet.
Note
It is unidirectional only client can access server lan. But server lan can't access client.
It can be implemented on software or hardware.
Client Mode Hardware

In client mode an internal ip address if offered to remote client.
When remote client lan wants to access internal resource that request is pat in obtain if. If remote
lan wants to access internet that request is pat in public ip address of remote client.
Note
It is unidirectional only client can access server lan. But server lan can't access client.
Network Extension
In Network Extension internal ip address is not offered to remote client.
Page 395 of 846


Note
it is bi-directional
it can be implemented only on hardware.
Network Extension Plus

In Network Extension internal ip address is offered to remote client. Internal ip address is not for
patting it is for remote management purpose.
Note
It is bi-directional
It can be implemented only on hardware.
Working
Client will initiate a request it will send proposal to server.

Client will send pre-define policy
Server will match client proposal to own configure policy if proposal match
Server will prompt for username & password.
If user is authenticated server will send policy to client. This policy includes ip address, mask,
and interesting traffic.
At last a reverse route is installed in routing table.
Page 396 of 846


Diagram:-
ASA_ra_pre_8.0
Initial-config
R1
no shut
ip add 101.1.1.1 255.255.255.0
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.1.0
net 192.168.10.0
R3
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
Page 397 of 846

no shutdown
router ei 100
no au
net 192.168.2.0
net 192.168.20.0
ADMIN
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
ip http server
MGMT
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
1024
line vty 0 90
login local
exit
ip http server
ASA1
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
Page 398 of 846

nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# ping 192.168.10.100
!!!!!
ASA1(config)# ping 192.168.20.100
!!!!!
PAT
nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
admin#ping 101.1.1.1
!!!!!
admin#
mgmt#ping 101.1.1.1
!!!!!
Page 399 of 846

encryption 3des
group 2
hash sha
crypto ipsec transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set transform-set ez
crypto dynamic-map d-map 10 set reverse-route
crypto map test 10 ipsec-isakmp dynamic d-map
ip local pool admin 192.168.100.100-192.168.100.254
ip local pool mgmt 192.168.200.100-192.168.200.100
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
tunnel-group admin ipsec-attributes
pre-shared-key admin
tunnel-group mgmt type ipsec-ra
tunnel-group mgmt general-attributes
address-pool mgmt
tunnel-group mgmt ipsec-attributes
pre-shared-key mgmt
Install vpn client software
Page 400 of 846

Page 401 of 846

Page 402 of 846

Page 403 of 846

Page 404 of 846

Page 405 of 846

Page 406 of 846

Page 407 of 846

connection entry any name

host asa public ip 101.1.1.100
tunnel group admin
key admin
confirm key admin
Page 408 of 846

save
same task for mgmt click new tab on vpn client
do same
go to asa
ASA1(config)# username shiva password shiva privilege 15

Page 409 of 846
go to pc1
click OK
Page 410 of 846

ASA1(config)# sh route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Page 411 of 846
C 101.1.1.0 255.255.255.0 is directly connected, outside
S 192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
ping reply is not coming reason NAT exclude vpn traffic from nat
using nat exemption
access-list nat-exemption permit ip any 192.168.100.0 255.255.255.0
access-list nat-exemption permit ip any 192.168.200.0 255.255.255.0
nat (inside1) 0 access-list nat-exemption
nat (inside2) 0 access-list nat-exemption
Page 412 of 846

Page 413 of 846

no internet access use split-tunnel

on asa
access-list stacl permit 192.168.0.0 255.255.0.0
Page 414 of 846

group-policy admin internal
group-policy admin attributes
split-tunnel-network-list value stacl
split-tunnel-policy tunnelspecified
group-policy mgmt internal
group-policy mgmt attributes
default-group-policy admin
default-group-policy mgmt
Disconnect & connect VPN connection
& see the effect
Page 415 of 846

Page 416 of 846

Page 417 of 846

ASA1
! banner
banner value ADMIN_GROUP
group-policy mgmt ge
banner value MGMT_GRPUP
Page 418 of 846

ASA1(config)# clock set 08:56:00 30 sep 2014

clock set 08:56:00 30 sep 2014
time-range shiva
periodic weekdays 09:00 to 18:00
vpn-access-hours value shiva
Page 419 of 846


no connection due to time acl now time is 8:59 wait 1 min try @ 9:00
ASA1# sh clock
08:59:43.968 UTC Tue Sep 30 2014
ASA1#
ASA1# sh clock
08:59:58.371 UTC Tue Sep 30 2014
ASA1# sh clock
08:59:59.029 UTC Tue Sep 30 2014
ASA1# sh clock
08:59:59.820 UTC Tue Sep 30 2014
ASA1# sh clock
09:00:01.090 UTC Tue Sep 30 2014
currect time now you can access.
Page 420 of 846


ASA_ra_rsa_8.0
Diagram:-
Initial-config
R1
no sh
ip add 101.1.1.1 255.255.255.0
int f01
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no au
net 192.168.1.0
net 192.168.10.0
R3
no shutdown
ip add 192.168.2.2 255.255.255.0
Page 421 of 846

no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
do sh hist
router ei 100
no au
net 192.168.2.0
net 192.168.20.0
ADMIN
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
ip http server
MGMT
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
1024
line vty 0 90
login local
exit
ip http server
ASA1
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
Page 422 of 846

nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
nameif dmz
security-level 50
ip address 192.168.105.1 255.255.255.0
! route outside 0 0 101.1.1.1
router eigrp 100
no aut
net 192.168.1.0
net 192.168.2.0
net 192.168.105.0
ASA1(config)# sh int ip br
Interface
Protocol
Ethernet0/0
up
Ethernet0/1
up
Ethernet0/2
up
Ethernet0/3
up
Ethernet0/4
unassigned YES unset administratively down up
Ethernet0/5
unassigned YES unset administratively down up
ASA1# ping 192.168.101.100

!!!!!
ASA1# ping 192.168.105.100
!!!!!
ASA1# ping 192.168.10.100
!!!!!
ASA1# ping 192.168.20.100
!!!!!
Page 423 of 846

ASA1
nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
!!!!!
mgmt#ping 101.1.1.1
!!!!!
R1
R1#clock set 09:19:15 30 sep 2014
R1#
*Sep 30 09:19:15.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 01:18:29 UTC Fri
Mar 1 2002 to 09:19:15 UTC Tue Sep 30 2014, configured from console by console.
R1#conf t
ASA1(config)# domain-name cisco.com
ASA1(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA1(config)# sh clock
09:20:29.523 UTC Tue Sep 30 2014
ex
yes
%
Password: **************** this password will obtain from ca like site-site
Page 424 of 846


% Include the device serial number in the subject name? [yes/no]: no
ASA1
encryption 3des
group 2
hash sha
address-pool admin
Page 425 of 846

trust-point ttt
address-pool mgmt
trust-point ttt
username shiva password shiva privilege 15
access-list nat0 permit ip any 192.168.100.0 255.255.255.0
nat (inside1) 0 access-list nat0
STATIC PAT for CA so that internet user can obtain certificates from CA
static (dmz,outside) tcp interface 80 192.168.105.100 80
go to pc
ping 101.1.1.100
start
run
type
http://101.1.1.100/certsrv
Page 426 of 846

if you see this error it is saying that update your ca enrolment pages from microsoft
tips
1. update ca pages
2. use client XP, ca 2003
3. use client win 7, ca 2008
what do you say..............................................?
now we will use client XP
Later Labs we will use CA 2008 & Client win 7 ok.
Page 427 of 846

in run type http://101.1.1.100/certsrv
Page 428 of 846

Page 429 of 846

Page 430 of 846

in Department must be admin or mgmt to join tunnel group
Page 431 of 846

scroll down & submit
yes
Page 432 of 846

install cert
yes
yes
Page 433 of 846

Page 434 of 846

Page 435 of 846

Page 436 of 846

Page 437 of 846

Page 438 of 846

Page 439 of 846

Page 440 of 846

Page 441 of 846

ASA1
for split tunnel
Page 442 of 846


ASA_ra_ikev1_pre
Initial-config
R1
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
hostname ASA1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
no shu
nameif inside1
security-level 100
ip add 192.168.1.1
interface g0/2
no shu
nameif inside2
security-level 100
ip add 192.168.2.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
R2
interface f0/0
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
no shutdown
ip add 192.168.2.2 255.255.255.0
Page 443 of 846

no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 192.168.2.0
net 192.168.20.0
R4
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
R5
interface f0/0
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ASA1
ASA1# ping 192.168.101.100
!!!!!
ASA1# ping 192.168.10.100
!!!!!
ASA1# ping 192.168.20.100
!!!!!
ASA1#
encryption 3des
group 2
crypto ipsec ikev1 transform-set ez esp-3des esp-sha-hmac
crypto dynamic-map d-map 10 set ikev1 transform-set ez
Page 444 of 846

sh history
address-pool admin
ikev1 pre-shared-key admin
address-pool mgmt
ikev1 pre-shared-key mgmt
ASA1
sh history
Page 445 of 846

Page 446 of 846

ASA1# sh route outside

S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
Page 447 of 846

C
L
S

192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside
ASA1#
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 192.168.101.100
Type : user
Role : responder
Rekey : no
State : AM_ACTIVE
ASA1# sh cry
ASA1# sh crypto ip
interface: outside
Crypto map tag: d-map, seq num: 10, local addr: 101.1.1.100
current_peer: 192.168.101.100, username: shiva
dynamic allocated peer ip: 192.168.100.100
dynamic allocated peer ip(ipv6): 0.0.0.0
current outbound spi: 349BA5D9
current inbound spi : 9D375C4D
ASA1
PAT
nat (inside1,outside) source dynamic any interface
nat (inside2,outside) source dynamic any interface
access-list out permit icmp any 192.168.0.0 255.255.0.0
R4#ping 101.1.1.1
Page 448 of 846

!!!!!
R4#
R5#ping 101.1.1.1
!!!!!
ASA1
object network admin
subnet 192.168.100.0 255.255.255.0
object network mgmt
subnet 192.168.200.0 255.255.255.0
exit
object network inside1
subnet 192.168.10.0 255.255.255.0
object network inside2
subnet 192.168.20.0 255.255.255.0
ex
sh running-config object
nat (inside1,outside) 1 source static inside1 inside1 destination static admin admin
nat (inside1,outside) 1 source static inside1 inside1 destination static mgmt mgmt
nat (inside2,outside) 1 source static inside2 inside2 destination static admin admin
nat (inside2,outside) 1 source static inside2 inside2 destination static mgmt mgmt
R4#ping 101.1.1.1
!!!!!
R5#ping 101.1.1.1
!!!!!
Page 449 of 846

Page 450 of 846


ASA_ra_ikev1_rsa
Diagram:-
Initial-config
R1
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no sh
int g0/1
no shu
nameif inside1
security-level 100
ip add 192.168.1.1
no shu
nameif inside2
security-level 100
ip add 192.168.2.1
no shu
nameif dmz
Page 451 of 846

security-level 50
ip add 192.168.108.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
R2
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no au
net 0.0.0.0
R4
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip http server
R5
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
ASA1
ASA1# ping 192.168.101.100
Page 452 of 846

!!!!!
ASA1# ping 192.168.108.100
!!!!!
ASA1# ping 192.168.10.100
!!!!!
ASA1# ping 192.168.20.100
?!!!!
R1
R1#clock set 15:00:40 1 oct 2014
R1#conf t
ASA1
ex
yes
%
Password: ****************

Page 453 of 846

ASA1
encryption 3des
group 2
ex
sh history
address-pool admin
tunnel-group admin
ASA1
Page 454 of 846

ASA
Static-pat
object network ca
host 192.168.108.100
nat (dmz,outside) static interface service tcp 80 80
access-list out permit tcp any object ca eq 80
On client in run type

http://101.1.1.100/certsrv
Page 455 of 846

Page 456 of 846

on windows 7 this site should be trusted site
Page 457 of 846

Page 458 of 846

Page 459 of 846

Page 460 of 846

Page 461 of 846

Page 462 of 846

Page 463 of 846

Page 464 of 846

Page 465 of 846

Page 466 of 846

Page 467 of 846

Page 468 of 846

Page 469 of 846

Page 470 of 846

Page 471 of 846

Page 472 of 846


Page 473 of 846

S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
C
L
S
192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside

interface: outside
Crypto map tag: d-map, seq num: 10, local addr: 101.1.1.100
Page 474 of 846

current_peer: 192.168.101.100, username: shiva
dynamic allocated peer ip: 192.168.100.100
dynamic allocated peer ip(ipv6): 0.0.0.0
current outbound spi: CA9454E5
current inbound spi : ABBB7A60
ASA1# sh cry
ASA1# sh crypto is
ASA1# sh crypto ik
ASA1# sh crypto ikev1
ERROR: % Incomplete command
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 192.168.101.100
Type : user
Role : responder
Rekey : no
State : MM_ACTIVE
Page 475 of 846


Chapter 18
VPN Load Balancing

VPN Load Balancing
Limitation
VPN Load Balancing Terminology
Page 476 of 846

VPN Load Balancing

Load balancing is a Cisco-proprietary feature that allows Easy VPN servers to logically appear as one
server.
Limitation
Only for IPsec & SSL
In IPSec, only for Remote Access. It is not for site-site vpn.
VPN Load Balancing Terminology
Cluster
Master
Member
VPN Load Balancing
VCA Virtual Cluster Agent.
Cluster
A logical group of devices or appliances which provides common application access it is identified
with a virtual ip.
Master
An appliance which has a higher priority. Master is responsible for handling client request and it
distributes client request to group members based on load. Master is responsible for cluster ip.
Default ASA priority 1
Member
An appliance which is participating in cluster.
Page 477 of 846
VPN Load Balancing

Client will initiate a phase1 request to virtual ip address of cluster. It will accepted by master. Then
master will check the load of members. Load is calculated based on total active vpn connection of
total maximum connection.
It is not true load like cpu utilization or amount of traffic. After checking load master will redirect
connection to member. Redirection message in phase1 is cisco proprietary. Only cisco client can
understand it. If master has least load it will redirect connection to itself.
VCA Virtual Cluster Agent

This protocols is used for vpn load balancing it use udp port 9023
Diagram:-
Page 478 of 846


Initial-config
R1
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ip add 192.168.102.1 255.255.255.0 secondary
ip add 192.168.103.1 255.255.255.0 secondary
ip add 192.168.104.1 255.255.255.0 secondary
R2
no shutdown
ip add 192.168.1.3 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
interface f0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ASA1
nameif outside
security-level 0
ip address 101.1.1.101 255.255.255.0
!
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
nameif admin
security-level 100
ip address 192.168.100.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
network 192.168.1.0 255.255.255.0
network 192.168.100.0 255.255.255.0
Page 479 of 846

ASA2
nameif outside
security-level 0
ip address 101.1.1.102 255.255.255.0
!
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
nameif admin
security-level 100
ip address 192.168.200.1 255.255.255.0
!
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
network 192.168.1.0 255.255.255.0
network 192.168.200.0 255.255.255.0
!
!
!
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# ping 192.168.102.100
!!!!!
ASA1(config)# ping 192.168.103.100
!!!!!
ASA1(config)# ping 192.168.104.100
!!!!!
ASA1(config)# ping 192.168.10.100
!!!!!
Page 480 of 846

!
!
!
ASA2(config)# ping 192.168.101.100
!!!!!
ASA2(config)# ping 192.168.102.100
!!!!!
ASA2(config)# ping 192.168.103.100
!!!!!
ASA2(config)# ping 192.168.104.100
!!!!!
ASA2(config)# ping 192.168.10.100
!!!!!
!
!
!
ASA1
!
encryption 3des
group 2
address-pool admin
Page 481 of 846

ASA2
encryption 3des
group 2
address-pool admin
ASA1
vpn load-balancing
cluster ip address 101.1.1.100
interface lbpublic outside
interface lbprivate inside
priority 10
participate
ASA2
vpn load-balancing
cluster ip address 101.1.1.100
interface lbpublic outside
interface lbprivate inside
priority 9
participate
ASA1
ASA1# sh vpn load-balancing
-------------------------------------------------------------------------Status Role Failover Encryption Peers Cluster IP
-------------------------------------------------------------------------Enabled Master n/a
Disabled
1 101.1.1.100
Peers:
-------------------------------------------------------------------------Role Pri Model
Load-Balancing Version Public IP
-------------------------------------------------------------------------Master 10 ASA5512
4 101.1.1.101*
Backup 9 ASA5512
4 101.1.1.102
Total License Load:
-------------------------------------------------------------------------AnyConnect Premium/Essentials
Other VPN
Public IP
Page 482 of 846

----------------------------- --------------------Limit Used Load
Limit Used Load
-------------------------------------------------------------------------2
0 0%
250
0 0% 101.1.1.101*
2
0 0%
250
0 0% 101.1.1.102
Licenses Used By Inactive Sessions :
-------------------------------------------------------------------------AnyConnect Premium/Essentials Inactive Load
Public IP
-------------------------------------------------------------------------0
0%
101.1.1.101*
0
0%
101.1.1.102
ASA2
-------------------------------------------------------------------------Enabled Backup n/a
Disabled
1 101.1.1.100
Peers:
-------------------------------------------------------------------------Role Pri Model
-------------------------------------------------------------------------Backup 9 ASA5512
4 101.1.1.102*
Master 10 ASA5512
4 101.1.1.101
Total License Load:
Other VPN
Public IP
----------------------------- --------------------Limit Used Load
Limit Used Load
-------------------------------------------------------------------------2
0 0%
250
0 0% 101.1.1.102*
Public IP
-------------------------------------------------------------------------0
0%
101.1.1.102*
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
!
!
Page 483 of 846

Page 484 of 846

ASA1
-------------------------------------------------------------------------Enabled Master n/a
Disabled
1 101.1.1.100
Peers:
-------------------------------------------------------------------------Role Pri Model
Page 485 of 846

-------------------------------------------------------------------------Master 10 ASA5512
4 101.1.1.101*
Backup 9 ASA5512
4 101.1.1.102
Total License Load:
Other VPN
Public IP
----------------------------- --------------------Limit Used Load
Limit Used Load
-------------------------------------------------------------------------2
0 0%
250
2 1% 101.1.1.101*
2
0 0%
250
2 1% 101.1.1.102
Public IP
-------------------------------------------------------------------------0
0%
101.1.1.101*
0
0%
101.1.1.102
ASA2(config)# sh vpn load-balancing
-------------------------------------------------------------------------Enabled Backup n/a
Disabled
1 101.1.1.100
Peers:
-------------------------------------------------------------------------Role Pri Model
-------------------------------------------------------------------------Backup 9 ASA5512
4 101.1.1.102*
Master 10 ASA5512
4 101.1.1.101
Total License Load:
Other VPN
Public IP
----------------------------- --------------------Limit Used Load
Limit Used Load
-------------------------------------------------------------------------2
0 0%
250
2 1% 101.1.1.102*
Public IP
-------------------------------------------------------------------------0
0%
101.1.1.102*
ASA1
Page 486 of 846

S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
C
L
S
192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside
S
192.168.100.101 255.255.255.255 [1/0] via 101.1.1.1, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
C
L
S
192.168.200.100 255.255.255.255 [1/0] via 101.1.1.1, outside
S
192.168.200.101 255.255.255.255 [1/0] via 101.1.1.1, outside
Page 487 of 846


Chapter19
Secure Socket Layer VPN

Modes
Requirements
Working
Page 488 of 846


SSL was originally developed by Netscape . It was designed for secure data transmission between
web server & web browser over internet. But some vendors are adopting it as a VPN. Web VPN is
marketing term of cisco for SSL VPN
SSL initiate request at session layer, its data is protected at presentation layer. and that is carried by
transport layer. So in both OSI or TCP/IP modals, SSL works on the behalf of Transport Layer.
Version 1 never released

Version 2 publically released
Version 3
SSL Modes
Clientless
Thin Client
Thick Client
Clientless Mode
As name suggest us Clientless in clientless there is no need of any client software. In clientless client
makes a request to SSL gateway, gateway proxy it to internal resources.
Clientless provides secure communication only of web based applications.
Like, HTTP, HTTPS, SMTP, POP3 ,IMAP or MS exchange Server etc.
Thin Client Mode

As we know that Clientless provides secure communication only of web based applications. Thin
Client was designed for those non web based applications which have static tcp port.
Also known as Port-Forwarding. In thin-client, client makes a request to SSL gateway, gateway proxy
it to internal resources. Like Telnet, SSH, RDP etc.
Page 489 of 846

Thick Client Mode

It provides us network layer access like IPSec Remote access. Using thick we can access all web
based or non web based applications. In thick when client initiate request server push a package to
client , client will install this package.
After package installation server push policies to client, these policies include ip address, mask,
interesting traffic etc.
SSL Requirements
Clientless requirements
Only web browser.
Thin requirements
Web browser
Java
Active x and pop ups should be enables on client web browser.
Thick requirements
Web browser
Java
Active x and pop ups should be enable on client web browser
Any-connect package & cisco secure desktop package.
Working
Client will initiate a request to server

Server will provide a certificate to client. This certificate contain public key of server.
Client generates a shared key. That key is protected by public key of server
Encrypted shared secret is delivered to server. Server decrypt is using its private key.
No both has same secret bulk encryption happen.
Page 490 of 846


Diagram:-
ASA_ssl_8.0
R1
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ASA1
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
no auto-summary
Page 491 of 846

network 192.168.1.0 255.255.255.0
network 192.168.2.0 255.255.255.0
!
R2
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
en
router ei 100
no au
net 0.0.0.0
admin
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
ip http server
mgmt
no shutdown
Page 492 of 846

ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
1024
line vty 0 90
login local
exit
ip http server
ASA1
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# ping 192.168.10.100
!!!!!
ASA1(config)# ping 192.168.20.100
!!!!!
ASA1
webvpn
enable outside
Page 493 of 846

Page 494 of 846

Page 495 of 846

Page 496 of 846

Page 497 of 846

ASA1
webvpn
enable outside
port-forward admin 2222 192.168.10.100 ssh
port-forward admin 2323 192.168.10.100 telnet
port-forward admin 8080 192.168.10.100 www
port-forward admin 8181 192.168.10.100 https
port-forward mgmt 2222 192.168.20.100 ssh
port-forward mgmt 2323 192.168.20.100 telnet
port-forward mgmt 8080 192.168.20.100 www
port-forward mgmt 8181 192.168.20.100 https
vpn-tunnel-protocol webvpn
webvpn
port-forward name admin
port-forward enable admin
vpn-tunnel-protocol webvpn
webvpn
port-forward name mgmt
port-forward auto-start mgmt
tunnel-group admin type remote-access
Page 498 of 846

tunnel-group admin webvpn-attributes
group-alias admin enable
tunnel-group mgmt type remote-access
tunnel-group mgmt webvpn-attributes
group-alias mgmt enable
webvpn
tunnel-group-list enable
Page 499 of 846

Page 500 of 846

Page 501 of 846

Page 502 of 846

Page 503 of 846

Page 504 of 846

Page 505 of 846

webvpn
enable outside
svc image disk0:/svc2.5.pkg 1
svc enable
vpn-tunnel-protocol svc webvpn
webvpn
svc keep-installer installed
svc ask enable
vpn-tunnel-protocol svc webvpn
webvpn
svc keep-installer installed
svc ask enable
Page 506 of 846

tunnel-group admin type remote-access
address-pool admin
tunnel-group admin webvpn-attributes
group-alias admin enable
tunnel-group mgmt type remote-access
address-pool mgmt
tunnel-group mgmt webvpn-attributes
group-alias mgmt enable
Page 507 of 846

Page 508 of 846

Page 509 of 846

Page 510 of 846

webvpn
no enable outside
port 9090
enable outside
Page 511 of 846

https://101.1.1.100:9090
Page 512 of 846

Page 513 of 846


banner value admin
banner value mgmt
Page 514 of 846

webvpn
onscreen-keyboard logon
Page 515 of 846

clear configure ip local pool

dhcp-network-scope 192.168.100.0
dhcp-network-scope 192.168.200.0
ex
dhcp-server 192.168.10.100
dhcp-server 192.168.20.100
admin
ip dhcp pool admin
network 192.168.100.0
default-router 192.168.100.
mgmt
ip dhcp pool mgmt
network 192.168.200.0
default-router 192.168.200.1
Page 516 of 846

Page 517 of 846

Page 518 of 846

Page 519 of 846

admin#sh ip dhcp binding

Bindings from all pools not associated with VRF:
IP address
Client-ID/
Lease expiration
Type
Hardware address/
User name
192.168.100.1
0063.6973.636f.2d30. Mar 02 2002 01:04 AM Automatic
3061.622e.6364.3932.
2e35.3230.312d.636c.
6965.6e74.312d.696e.
7369.6465.3100
Page 520 of 846

Page 521 of 846

Page 522 of 846

Page 523 of 846

mgmt#sh ip dhcp binding

IP address
Client-ID/
Lease expiration
Type
Hardware address/
User name
192.168.200.1
3061.622e.6364.3932.
2e35.3230.322d.636c.
6965.6e74.322d.696e.
7369.6465.3200
Page 524 of 846

nat-control
nat (inside1) 1 0 0
nat (inside2) 1 0 0
!!!!!
mgmt#ping 101.1.1.1
!!!!!

access-list stacl standard permit 192.168.0.0 255.255.0.0
Page 525 of 846


Page 526 of 846


IP address
Client-ID/
Lease expiration
Type
Hardware address/
User name
192.168.100.7
3061.622e.6364.3932.
2e35.3230.312d.636c.
6965.6e74.342d.696e.
7369.6465.3100
Page 527 of 846
!!!!!
mgmt#ping 101.1.1.1
!!!!!

encryption 3des
group 2
ex
sh history
pre-shared-key admin
pre-shared-key mgmt
Page 528 of 846

vpn-tunnel-protocol svc webvpn ipSec
vpn-tunnel-protocol svc webvpn ipSec
Page 529 of 846


IP address
Client-ID/
Lease expiration
Type
Hardware address/
User name
192.168.100.8
3061.622e.6364.3932.
2e35.3230.312d.636c.
6965.6e74.392d.696e.
7369.6465.3100
192.168.100.9
3061.622e.6364.3932.
Page 530 of 846

2e35.3230.312d.636c.
6965.6e74.312d.696e.
7369.6465.3100
!!!!!
mgmt#ping 101.1.1.1
Page 531 of 846

!!!!!
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
C 101.1.1.0 255.255.255.0 is directly connected, outside
S 192.168.100.9 255.255.255.255 [1/0] via 101.1.1.1, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside
Page 532 of 846


ASA_ssl_9.2
Initial-config
R1
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
R2
no shutdown
ip add 192.168.1.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.10.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
R3
no shutdown
ip add 192.168.2.2 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.20.1 255.255.255.0
no shutdown
router ei 100
no au
net 0.0.0.0
R4
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
ip http server
Page 533 of 846

R5
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
1024
line vty 0 90
login local
exit
ip http server
ASA1
hostname ASA1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
int gigabitEthernet 0/1
no shu
nameif inside1
security-level 100
ip add 192.168.1.1
no shu
nameif inside2
security-level 100
ip add 192.168.2.1
router ei 100
no au
net 192.168.1.0
net 192.168.2.0
ASA1# ping 192.168.101.100
!!!!!
ASA1# ping 192.168.10.100
Page 534 of 846

!!!!!
ASA1# ping 192.168.20.100
!!!!!
ASA1
webvpn
enable outside
on client access https://101.1.1.100
Page 535 of 846

Page 536 of 846

in url bar type http://192.168.10.100 or http://192.168.20.100
Page 537 of 846

ASA thin
webvpn
enable outside
Page 538 of 846

vpn-tunnel-protocol ssl-clientless
webvpn
webvpn
tunnel-group admin_group type remote-access
tunnel-group admin_group general-attributes
tunnel-group admin_group webvpn-attributes
group-alias ADMIN_GROUP enable
tunnel-group mgmt_group type remote-access
tunnel-group mgmt_group general-attributes
tunnel-group mgmt_group webvpn-attributes
group-alias MGMT_GROUP enable
webvpn
ASA1(config-webvpn)# username shiva password shiva privilege 15
Page 539 of 846

Page 540 of 846

Page 541 of 846

Page 542 of 846

Page 543 of 846

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
Page 544 of 846

vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
anyconnect keep-installer installed
anyconnect ask enable
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
anyconnect keep-installer installed
anyconnect ask enable
address-pool admin
address-pool mgmt
Page 545 of 846

Page 546 of 846

ASA1# vpn-sessiondb logoff webvpn

Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions of type "webvpn" logged off : 2
Page 547 of 846

Page 548 of 846

Page 549 of 846

Page 550 of 846


Page 551 of 846
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.1, outside

C
L
S
192.168.100.100 255.255.255.255 [1/0] via 101.1.1.1, outside

Disconnect & connect......................
Page 552 of 846

Page 553 of 846

Page 554 of 846

Page 555 of 846

Page 556 of 846

Page 557 of 846

webvpn
csd image disk0:/csd_3.6.6203-k9.pkg
csd enable
exit
http server enable
http 0 0 outside
PC
https://101.1.1.100/ for ssl
https://101.1.1.100/admin for ASDM
Page 558 of 846

Page 559 of 846

Page 560 of 846

Page 561 of 846

Page 562 of 846

Page 563 of 846

webvpn
no csd enable
webvpn
smart-tunnel list sss telnet telnet.exe
webvpn
port-forward disable
smart-tunnel enable sss
https://101.1.1.100
Page 564 of 846

Page 565 of 846

Install the addons & again start smart-tunnel
Page 566 of 846

Page 567 of 846

Page 568 of 846

Page 569 of 846


Chapter 20
ASA Modes
Advantages
Limitations
Difference between Switching &Transparent Firewall
Page 570 of 846

Cisco ASA comes in two modes Routed mode, & transparent mode.
Routed Mode
In routed mode asa works as a layer 3 device. It forward the packet based on destination IP address.
Transparent Mode
In transparent mode asa works as layer 2 device it forwards the frames based on destination mac.
But still it has capabilities to filter the traffic from layer 2 to layer 7.
Advantages
If you want to implement firewall in your network without readdressing the network.
Page 571 of 846
Transparent Firewall limitation
Only 2 interface can use

No dynamic routing
No VPN only site-site vpn can configure for management.
No CDP
No DTP
No VTP
No IPv6
NAT is optional in OS version 8.0 and later
No DHCP Relay Service
Non IP traffic default drop.
Difference between Switching &

Switch
1.
2.
3.
Learns mac based on source mac

Forwards a frame based in destination mac
Use STP
They flood
Broadcast
Multicast
Unknown unicast
1.
2.
Learns mac based on source mac

Forwards a frame based in destination mac
Don't use STP
They flood
Broadcast
Multicast
Page 572 of 846


Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 101.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1
R2
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
R3
Page 573 of 846

no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
R4
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R5
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R1
R1#ping 102.1.1.100
!!!!!
R2
R2#ping 101.1.1.100
!!!!!
R1
ip nat inside
ip nat outside
exit
ip access-list extended natacl
permit ip 192.168.0.0 0.0.255.255 any
exit
ip nat inside source list natacl interface fastEthernet 0/1 overload
R2
ip nat inside
Page 574 of 846

ip nat outside
exit
ip access-list extended natacl
permit ip 192.168.0.0 0.0.255.255 any
exit
ip nat inside source list natacl interface fastEthernet 0/1 overload
R1
!!!!!
R1#sh ip nat
R1#sh ip nat t
R1#sh ip nat translations
Pro Inside global Inside local
Outside local Outside global
icmp 101.1.1.100:2 192.168.101.1:2 101.1.1.1:2
101.1.1.1:2

!!!!!
R2#sh ip nat
R2#sh ip nat t
R2#sh ip nat translations
Pro Inside global Inside local
Outside local Outside global
icmp 102.1.1.100:1 192.168.102.1:1 101.1.1.1:1
101.1.1.1:1
R1
interface t0
ip add 192.168.123.1 255.255.255.0
tunnel source 101.1.1.100
tunnel destination 102.1.1.100
tunnel mode gre ip
ip ospf 100 area 0
int f0/0
ip ospf 100 area 0
R2
interface tunnel 0
ip add 192.168.123.2 255.255.255.0
tunnel source 102.1.1.100
tunnel destination 101.1.1.100
Page 575 of 846

tunnel mode gre ip
ip ospf 100 area 0
int f0/0
ip ospf 100 area 0
R1
R1#sh ip route ospf
O 192.168.102.0/24 [110/1001] via 192.168.123.2, 00:00:04, Tunnel0
R2
R2#sh ip route ospf
O 192.168.101.0/24 [110/1001] via 192.168.123.1, 00:00:28, Tunnel0
R1
!!!!!
R2
!!!!!
ASA1
ASA1(config)# firewall transparent

ciscoasa(config)# ho
ASA1(config)#
ASA2
ASA2(config)# firewall transparent
ciscoasa(config)# ho
ASA2(config)#
ASA2(config)#
ASA1
interface bvI 1
ip address 192.168.101.111 255.255.255.0
Page 576 of 846

no shu
nameif inside
bridge-group 1
no shu
nameif outside
bridge-group 1
route outside 0 0 192.168.101.1
ASA1(config)# ping 192.168.101.100
!!!!!
!!!!!
ASA2
interface bvI 1
ip add 192.168.102.111 255.255.255.0
no shu
nameif inside
bridge-group 1
no shu
nameif outside
bridge-group 1
route outside 0 0 192.168.102.1
!!!!!
!!!!!
ASA1# ping 192.168.102.1
!!!!!
Page 577 of 846

!!!!!
R4
R4#ping 192.168.102.100
.....
R5
R5#ping 192.168.
R5#ping 192.168.101.100
.....
ASA1
access-list out permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
ASA2
R4#ping 192.168.102.100
!!!!!
R5#ping 192.168.101.100
!!!!!
ASA1
object network obj_net_192.168.101.0
subnet 192.168.101.0 255.255.255.0
Page 578 of 846

subnet 192.168.102.0 255.255.255.0
subnet 192.168.111.0 255.255.255.0
nat (inside,outside) source static obj_net_192.168.101.0 obj_net_192.168.101.0 destination static
obj_net_192.168.102.0 obj_net_192.168.102.0
nat (inside,outside) source static obj_net_192.168.101.0 obj_net_192.168.111.0
R1(config)#ip route 192.168.111.0 255.255.255.0 192.168.101.111

R1#debug ip icmp
R4#ping 192.168.102.100
!!!!!
R4#ping 192.168.101.1
.....
R1#debug ip icmp
R1#
*Oct 4 06:59:21.311: ICMP: echo reply sent, src 192.168.101.1, dst 192.168.111.100
R1#
R1#
R1#
R1#
ASA1
access-list out permit icmp any object obj_net_192.168.101.0
R4#ping 192.168.101.1
!!!!!
R1#
Page 579 of 846

*Oct
*Oct
*Oct
*Oct
*Oct

ASA2
subnet 192.168.102.0 255.255.255.0
subnet 192.168.101.0 255.255.255.0
subnet 192.168.222.0 255.255.255.0
nat (inside,outside) source static obj_net_192.168.102.0 obj_net_192.168.102.0 destination static
obj_net_192.168.101.0 obj_net_192.168.101.0
nat (inside,outside) source static obj_net_192.168.102.0 obj_net_192.168.222.0
R2#debug ip icmp
R5#ping 192.168.101.100
!!!!!
R5#ping 192.168.102.1
.....
R2#debug ip icmp
R2#
*Oct 4 12:38:04.115: ICMP: dst (192.168.102.1) host unreachable rcv from 102.1.1.1
R2#
R2#
R2#
R2#
Page 580 of 846

R2(config)#ip route 192.168.222.0 255.255.255.0 192.168.102.111
R5#ping 192.168.102.1
.....
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
ASA2
access-list out permit icmp any object obj_net_192.168.102.0
R5#ping 192.168.101.100
!!!!!
R5#ping 192.168.102.1
!!!!!
R2(config)#
R4#ping 101.1.1.1
!!!!!
Page 581 of 846

R5#ping 101.1.1.1
!!!!!
R4#ping 101.1.1.1
!!!!!
R4#ping 192.168.102.100
!!!!!
R5#ping 192.168.101.100
!!!!!
R5#pin
R5#ping 101.1.1.1
!!!!!
Page 582 of 846


Chapter 21
Context
Context
Context Requirement
Context Use
Advantages
Limitations
Context Terminology
Page 583 of 846

Context
We can partition an appliance in many virtual appliances these virtual appliances are called security
context.
Requirement
Assume you are running a company that provides web host services and you have 200 clients. Now
the client demands that we require a dedicated appliance for our servers. To fulfil client
requirements we have to purchase 200 appliance. 200 appliance are very costly. So virtual context
solve this problem.
Context Use
Active-Active failover
Web Hosting Companies
Companies needing more than one firewall on a single location
Advantages
Cost Saving
Eco-Friendly or Go Green
Limitations in context till OS 8.6
No dynamic routing
No VPN
But in ASA OS 9.2.2.4
They also support Dynamic routing & IPsec site-site VPN
Page 584 of 846

Context Terminology
System Area
Admin Context
Context Channing
Shared Interface
System Area
When an appliance boots in multiple mode than you will find yourself in system area.
Functions
It is used to create or delete context

It is used to enable physical interfaces
It is used to create or delete logical interfaces
It is used to allocate resources to context
Admin Context
When an appliance boot in multiple mode admin context is default created.
It is used for appliance management. When appliance is in multiple mode there should be one admin
context. it is used for appliance management.
Context Channing
We can connect one context to another i.e. called context Channing. It is only possible with shared
interface.
Shared Interface
When we call one interface in more than one context that interface is called shared interface.
Page 585 of 846


Mac Address auto
A command use with only shared interface to avoid mac problems because one interface has one
mac when we use shared interface one interface is shared in multiple context. Both context will use
same mac when a packet will arrive a physical interface classifier will confused to classify frame. To
solve this problem we use Mac Address auto is command that automatically generate mac for each
shared interface.
Diagram:-
Initial-config
ASA_Context
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
Page 586 of 846

R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
ASA1(config)#
ASA1(config)# sh mode
Security context mode: multiple
no shutdown
no shutdown
no shutdown
no shutdown
context c1
context c2
context c1
allocate-interface GigabitEthernet0/0
config-url disk0:/c1.cfg
!
context c2
Page 587 of 846

!
ASA1
ASA1(config-ctx)# changeto context c1
changeto context c1
no shu
nameif inside
ip add 192.168.101.1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
ASA1/c1(config)# ping 192.168.101.100
!!!!!
ASA1/c1(config)# ping 102.1.1.1
!!!!!
ASA1(config)# changeto context c2
no shu
nameif inside
ip add 192.168.102.1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
ASA1/c2(config)# ping 192.168.102.100
!!!!!
ASA1/c2(config)# pin
!!!!!
ASA1
Page 588 of 846

changeto context c1
R1#ping 101.1.1.1
!!!!!
ASA1/c1(config)# sh xlate
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:07 timeout 0:00:00
0:00:30
ASA1/c1(config)# changeto context c2
changeto context c2
R2#ping 101.1.1.1
!!!!!
0:00:30
Page 589 of 846


ASA_inter-context_routing
Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
Page 590 of 846

no shutdown
no shutdown
no shutdown
context c1
!
context c2
!
ASA1(config)# mac-address auto
INFO: Converted to mac-address auto prefix 60035

ASA1/c1(config)#
changeto context c1
no shu
nameif outside
ip add 101.1.1.101 255.255.255.0
no shu
no shu
nameif inside
ip add 192.168.101.1
ASA1/c1(config)# ping 192.168.101.100
!!!!!
!!!!!
changeto context c2
Page 591 of 846

no shu
nameif outside
ip add 101.1.1.102 255.255.255.0
no shu
no shu
nameif inside
ip add 192.168.102.1
ASA1/c2(config)# ping 192.168.102.100

!!!!!
!!!!!
R3#sh arp
Protocol Address
Age (min) Hardware Addr Type Interface
Internet 101.1.1.1
- 44e4.d987.ecde ARPA FastEthernet0/0
Internet 101.1.1.100
22 6c20.56bd.ea84 ARPA FastEthernet0/0
1 a283.ea00.0002 ARPA FastEthernet0/0
0 a283.ea00.0006 ARPA FastEthernet0/0
Internet 102.1.1.1
- 44e4.d987.ecdf ARPA FastEthernet0/1
21 6c20.56bd.ea85 ARPA FastEthernet0/1

ASA1/c1(config)# route outside 192.168.102.0 255.255.255.0 101.1.1.102
ASA1/c2(config)# route outside 192.168.101.0 255.255.255.0 101.1.1.101
R1#ping 192.168.102.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Page 592 of 846

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Page 593 of 846


Chapter 22
Failover
Failover
Failover Types
Failover Implementation types
Failover System Requirements
The Failover and Stateful Failover Links
Device Initialization and configuration
Failover Behaviour
Failover Triggers
Stateless (Regular) and Stateful Failover
Things not replicated during failover
Failover Health Monitoring
Interface Monitoring
Failover configuration limitation
Page 594 of 846

Failover
A cisco proprietary feature it provides us uninterrupted network access.
Failover types
Stateless Failover
Hardware Failover
State full Failover
Stateless
Stateless failover provides logical redundancy. If primary link goes down secondary path is used.
Hardware Failover
When failover was introduced only Hardware Failover was supported. It provides hardware
redundancy & configuration replication. If failover occur we have to re-establish the connection.
Page 595 of 846

State full Failover

It not only provides hardware redundancy but also configuration replication ARP table replication,
Xlate replication, VPN connection replication, conn table replication. if failover occur there is no
need to re-establish the connection.
Failover Implementation types
Active-Standby
Active-Active
Active-Standby
In active-standby failover we require two appliances. One primary, another secondary. Primary will
works as an active secondary will works as standby. If primary goes down secondary will take role.
OR
With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby
state. Active/Standby failover is available on units running in either single or multiple context mode.
Page 596 of 846

Active-Active
In active-active failover we require two appliances & two security context or even context . Each
appliance will active for one context. With Active/Active failover, both units can pass network traffic.
Active/Active failover is available only on units running in multiple context mode.
Note: - Both failover configurations support stateful or stateless (regular) failover.
Failover System Requirements
Hardware Requirements
Software Requirements
License Requirements
Page 597 of 846

Hardware Requirements
The two units in a failover configuration must have the same hardware configuration.
They must be the same model
They must have the same number and types of interfaces
The same amount of RAM
The same SSMs installed (if any).
Note: - The Exception is Flash memory. If using units with different Flash memory sizes in your
failover configuration, make sure the unit with the smaller Flash memory has enough space to
accommodate the software image files and the configuration files. Otherwise configuration
synchronization will fail.
Software Requirements
The two units in a failover configuration must be in the operating modes. They software version.
However, you can use different versions of the software during an upgrade process
License Requirements
For ASA 5510, 5512 you need Security Plus License.
The Failover and Stateful Failover Links

The two units in a failover pair constantly communicate over a failover link and Stateful Failover to
determine the operating status of each unit.
Like:
The unit state (active or standby).

Hello messages (keep-alives).
Network link status.
MAC address exchange.
Configuration replication and synchronization.
Page 598 of 846

Caution: - All information sent over the failover and Stateful Failover links is sent in clear text
unless you secure the communication with a failover key.
Types:
LAN-Based Failover Link

Serial Cable Failover Link (PIX Security Appliance Only)
LAN-Based Failover Link
You can use any unused Ethernet interface on the device as the failover link.
Using a switch, with no other device on the same network segment (broadcast domain or
VLAN) as the LAN failover interfaces of the ASA
Using a crossover Ethernet cable to connect the appliances directly
Note The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a
crossover cable or a straight-through cable. If you use a straight-through cable, the interface
automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.
Serial Cable Failover Link (PIX Security

Appliance Only)
The serial Failover cable, or cable-based failover, is only available on the PIX 500 series security.
One end of the cable is labeled Primary. The unit attached to this end of the cable automatically
becomes the primary unit. The other end of the cable is labeled Secondary.
The benefits of using cable-based failover include
Immediately detect a power loss

No need of dedicated switch
The disadvantages include:
Distance limitation.
Slower configuration replication.
Stateful Failover Link

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You
have three options for configuring a Stateful Failover link:
Page 599 of 846
Note:
You can use a dedicated Ethernet interface for the Stateful Failover link.
If you are using LAN-based failover, you can share the failover link.
You can share a regular data interface. However, this option is not recommended.
Enable the Port Fast option on Cisco switch ports that connect directly to the security
appliance.
Using a data interface as the Stateful Failover interface is only supported in single context,
routed mode.
In multiple context mode, the Stateful Failover link resides in the system context
Device Initialization and Configuration

Synchronization
If both units boot simultaneously, then the primary unit becomes the active unit and the
secondary unit becomes the standby unit.

If a unit boots and does not detect a peer, it becomes the active unit.
If a unit boots and detects a peer already running as active, it becomes the standby unit.
The primary unit MAC addresses are always coupled with the active IP addresses. The
exception to this rule occurs when the secondary unit is active
To solve this problem define static mac
Failover Behaviour
Failover Triggers
The unit has a hardware failure.

The unit has a power failure.
The unit has a software failure.
The no failover active or the failover active command is entered
Interface Down
Stateless (Regular) and Stateful Failover
Stateless (Regular)
Stateful Failover
Page 600 of 846


Stateless (Regular) Failover
When a failover occurs, all active connections are dropped. Clients need to re-establish connections
when the new active unit takes over.
Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state
information to the standby unit.
Following things not replicated during

failover
OS images
Any-connect Images
CSD images
ASMD Images
Smart Tunnels
Port Forwarding
Plugins
Java Applets
Pv6 clientless or Anyconnect sessions
Citrix authentication (Citrix users must reauthenticate after failover)
Failover Health Monitoring
Unit Health Monitoring


The security appliance determines the health of the other unit by monitoring the failover link. When
a unit does not receive three consecutive hello messages on the failover link, the unit sends
interface hello messages on each interface, including the failover interface, to validate whether or
not the peer interface.
If the security appliance receives a response then it does not fail over.
Page 601 of 846
If the security appliance does not receive a response on the failover link, but receives a
response on another interface, then the unit does not failover.
The failover link is marked as failed. You should restore the failover link as soon as possible
because the unit cannot fail over to the standby while the failover link is down.
If the security appliance does not receive a response on any interface, then the standby unit
switches to active mode and classifies the other unit as failed.
1.
2.
3.
4.
Link Up/Down test

Network Activity test
ARP test
Broadcast Ping test
Link Up/Down testA test of the interface status. If the Link Up/Down test indicates that the
interface is operational, then the security appliance performs network tests.
Network Activity testA network activity test. The unit counts all received packets for up to 5
seconds. If no traffic is received, the ARP test begins
ARP testA reading of the unit ARP cache for the 2 most recently acquired entries. The unit counts
all received traffic for up to 5 seconds. no traffic has been received, the ping test begins.
Broadcast Ping testA ping test that consists of sending out a broadcast ping request. The unit then
counts all received packets for up to 5 seconds.
Failover Result
Failover Response
Both don't receives
No failover
Both receives
No failover
Primary receives, Secondary doesn't
No failover
Primary doesn't, Secondary does
failover
Failover Configuration Limitations

You cannot configure failover with the following type of IP addresses:
IP addresses obtained through DHCP

IP addresses obtained through PPPoE
IPv6 addresses
Page 602 of 846

Additionally, the following restrictions apply:
Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
You cannot configure failover when Easy VPN remote is enabled on the ASA 5505 adaptive
security appliance.
CA server is not supported.
Diagram:-
ASA_active_standby
Initial-config
R1
int fastEthernet 0/0
no shutdown
ip add 192.168.10.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
R2
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
1024
line vty 0 90
Page 603 of 846

login local
exit
ip http server
ip http au local
R3
interface f0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
ASA1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
nameif outside
security-level 0
!
nameif dmz
security-level 50
!
ASA1(config-if)# route outside 0 0 101.1.1.1
ASA1(config)# ping 192.168.10.100
!!!!!
ASA1(config)# ping 192.168.20.100
!!!!!
ASA1(config)# ping 192.168.101.100
?!!!!
Page 604 of 846
ASA1
subnet 192.168.10.0 255.255.255.0
object network dmz
host 192.168.20.100
object network ip111
host 101.1.1.111
nat (dmz,outside) source static dmz ip111
access-list out extended permit icmp any object inside
access-list out extended permit icmp any object dmz
access-list out extended permit tcp any object dmz eq ssh
access-list out extended permit tcp any object dmz eq telnet
access-list out extended permit tcp any object dmz eq www
access-list out extended permit tcp any object dmz eq https
R3#debug ip icmp
R1#ping 101.1.1.1
!!!!!
R2#ping 101.1.1.1
.!!!!
R3#debug ip icmp
R3#
R3#
R3#
Page 605 of 846

Page 606 of 846

Page 607 of 846

ASA1
failover lan unit primary
failover lan interface shiva GigabitEthernet0/3
failover interface ip shiva 192.168.111.1 255.255.255.0 standby 192.168.111.2
failover
ASA2
no shu
failover lan unit secondary
failover lan interface shiva g0/3
failover
ASA2(config)# Beginning configuration replication from mate.
End configuration replication from mate.
ASA1
ASA1(config)# ! State full failover
ASA1(config)# failover link shiva
ASA1(config)# ! http replication
ASA1(config)# failover replication http
ASA1(config)# ! change timers
ASA1(config)# failover polltime msec 200
INFO: Failover unit holdtime is set to 800 milliseconds
ASA1(config)# failover polltime unit msec 200
INFO: Failover unit holdtime is set to 800 milliseconds
Page 608 of 846

ASA1(config)# ! failover key
ASA1(config)# failover key shiva
ASA1(config)# ! failover mac
ASA1(config)# failover mac address inside 0000.0000.0001 0000.0000.0002
ASA1(config)# failover mac address outside 0000.0000.0003 0000.0000.0004
ASA1(config)# failover mac address dmz 0000.0000.0005 0000.0000.0006
Please clear arp on all devices..................thanks
ASA1
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: shiva GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 16:07:52 UTC Oct 4 2014
This host: Primary - Active
Active time: 296 (sec)
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
Interface inside (192.168.10.1): Normal (Monitored)
Interface outside (101.1.1.100): Normal (Monitored)
Interface dmz (192.168.20.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Stateful Failover Logical Update Statistics
Link : shiva GigabitEthernet0/3 (up)
Stateful Obj xmit
xerr
rcv
rerr
General
41
0
29
0
sys cmd
29
0
29
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
4
0
0
0
ARP tbl
6
0
0
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 0
0
0
0
Page 609 of 846

VPN IKEv1 SA 0
VPN IKEv1 P2 0
VPN IKEv2 SA 0
VPN IKEv2 P2 0
VPN CTCP upd 0
VPN SDI upd 0
VPN DHCP upd 0
SIP Session 0
Route Session 0
Router ID
0
User-Identity 2
CTS SGTNAME 0
CTS PAC
0
TrustSec-SXP 0
IPv6 Route 0
STS Table
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Logical Update Queue Information

Cur Max Total
Recv Q:
0
17 30
Xmit Q:
0
282 718
ASA2
Failover On
Failover unit Secondary
Interface Policy 1
This host: Secondary - Standby Ready
Other host: Primary - Active
Stateful Obj xmit
xerr
rcv
rerr
Page 610 of 846

General
42
0
56
0
sys cmd
42
0
42
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
0
0
6
0
ARP tbl
0
0
6
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 0
0
0
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
SIP Session 0
0
0
0
Route Session 0
0
0
0
Router ID
0
0
0
0
User-Identity 0
0
2
0
CTS SGTNAME 0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP 0
0
0
0
IPv6 Route 0
0
0
0
STS Table
0
0
0
0
Cur Max Total
Recv Q:
0
12 784
Xmit Q:
0
1
42
ASA1(config)# ! ASA2
ASA1(config)# fa
ASA1(config)# failover a
ASA1(config)# failover active
Switching to Active
ASA1 or on Active applicance

encryption 3des
group 2
Page 611 of 846

sh history
address-pool admin
object network admin
subnet 192.168.100.0 255.255.255.0
exit
nat (inside,outside) 1 source static inside inside destination static admin admin
PC1
ASA2
ASA1(config)# failover active
Switching to Active
Page 612 of 846

Page 613 of 846

System config has been modified. Save? [Y]es/[N]o: n
ASA1(config)#
Failover On
Interface Policy 1
Page 614 of 846

This host: Secondary - Active
Interface inside (192.168.10.1): Normal (Waiting)
Interface outside (101.1.1.100): Normal (Waiting)
Interface dmz (192.168.20.1): Normal (Waiting)
Other host: Primary - Failed
slot 0: ASA5512 hw/sw rev (1.0/9.2(2)4) status (Unknown/Unknown)
Interface inside (192.168.10.2): Unknown (Monitored)
Interface outside (101.1.1.101): Unknown (Monitored)
Interface dmz (192.168.20.2): Unknown (Monitored)
PC1
Page 615 of 846


ASA_Active_Active
Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
no shutdown
Page 616 of 846

ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
no shutdown
no shutdown
no shutdown
no shutdown
no shutdown
class c1
limit-resource Conns 50.0%
limit-resource Xlates 65000
limit-resource Mac-addresses 45.0%
limit-resource VPN Other 125
!
class c2
limit-resource Mac-addresses 45.0%
!
context c1
member c1
!
context c2
member c2
!
changeto context c1
nameif inside
Page 617 of 846

ip add 192.168.101.1 255.255.255.0 standby 192.168.101.2
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0 standby 101.1.1.101
ASA1/c1(config)# ping 192.168.101.100
!!!!!
!!!!!
changeto context c2
no shu
nameif inside
ip add 192.168.102.1 255.255.255.0 standby 192.168.102.2
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0 standby 102.1.1.101
ASA1/c2(config)# ping 192.168.102.100
!!!!!
!!!!!
changeto context c1
R1#ping 101.1.1.1
Page 618 of 846

!!!!!
0:00:30
changeto context c2
R2#ping 101.1.1.1
!!!!!
0:00:30
ASA1(config)# changeto system
Active-standby failover in multiple mode
ASA1
failover
Page 619 of 846

ASA2
no shutdown
failover
ASA2(config)# .
Detected an Active mate
Beginning configuration replication from mate.
Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)
WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
Creating context 'c1'... Done. (3)
WARNING: Skip fetching the URL disk0:/c1.cfg
Creating context 'c2'... Done. (4)
WARNING: Skip fetching the URL disk0:/c2.cfg
End configuration replication from mate.
ASA1
Failover On
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Policy 1
c1 Interface inside (192.168.101.1): Normal (Monitored)
c1 Interface outside (101.1.1.100): Normal (Monitored)
Page 620 of 846

Link : Unconfigured.
ASA2
Failover On
Interface Policy 1
Link : Unconfigured.
ASA1
ASA1(config)# ! state full failover
ASA1(config)# failover link shiva
Failover On
Interface Policy 1
Page 621 of 846

Stateful Obj xmit
xerr
rcv
rerr
General
9
0
2
0
sys cmd
4
0
4
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
0
0
0
0
ARP tbl
4
0
0
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 0
0
0
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
SIP Session 0
0
0
0
Route Session 0
0
0
0
Router ID
0
0
0
0
User-Identity 3
0
0
0
CTS SGTNAME 0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP 0
0
0
0
IPv6 Route 0
0
0
0
STS Table
0
0
0
0
Cur Max Total
Recv Q:
0
3
4
Xmit Q:
0
3
50
Page 622 of 846
ASA2
Failover On
Interface Policy 1
Stateful Obj xmit
xerr
rcv
rerr
General
6
0
13
0
sys cmd
6
0
6
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
0
0
0
0
ARP tbl
0
0
4
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 0
0
0
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
Page 623 of 846

SIP Session 0
Route Session 0
Router ID
0
User-Identity 0
CTS SGTNAME 0
CTS PAC
0
TrustSec-SXP 0
IPv6 Route 0
STS Table
0
0
0
0
0
0
0
0
3
0
0
0
0
0
0
0
0
0
0
0

Cur Max Total
Recv Q:
0
4
87
Xmit Q:
0
1
6
ASA1
ASA1(config)# ! to replicate http
ASA1(config)# failover replication http
ASA1
! TO change timers
failover polltime msec 200
failover polltime unit msec 200
ASA1
ASA1(config)# failover key shiva
To configure Active-Active failover please disable failover

ASA2
no failover
ASA1
no failover
ASA1 primary
failover group 1
primary
preempt
failover group 2
secondary
preempt
context c1
join-failover-group 1
context c2
Page 624 of 846

ASA1
failover
ASA2
failover
ASA1
Failover On
Interface Policy 1
Group 1 last failover at: 15:13:11 UTC Oct 4 2014
This host: Primary
Group 1
State:
Active
Group 2
State:
Standby Ready
Other host: Secondary
Group 1
State:
Standby Ready
Group 2
State:
Active
Stateful Obj xmit
xerr
rcv
rerr
General
96
0
62
2
Page 625 of 846

sys cmd
64
0
62
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
12
0
0
0
ARP tbl
8
0
0
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 0
0
0
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
SIP Session 0
0
0
0
Route Session 0
0
0
2
Router ID
0
0
0
0
User-Identity 12
0
0
0
CTS SGTNAME 0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP 0
0
0
0
IPv6 Route 0
0
0
0
STS Table
0
0
0
0
Cur Max Total
Recv Q:
0
3
104
Xmit Q:
0
5
1073
ASA2
Failover On
Interface Policy 1
This host: Secondary
Group 1
State:
Standby Ready
Group 2
State:
Active
Page 626 of 846

Other host: Primary
Group 1
State:
Active
Group 2
State:
Standby Ready
Stateful Obj xmit
xerr
rcv
rerr
General
67
0
97
0
sys cmd
65
0
65
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
0
0
12
0
ARP tbl
0
0
8
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 0
0
0
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
SIP Session 0
0
0
0
Route Session 2
0
0
0
Router ID
0
0
0
0
User-Identity 0
0
12
0
CTS SGTNAME 0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP 0
0
0
0
IPv6 Route 0
0
0
0
STS Table
0
0
0
0
Cur Max Total
Recv Q:
0
5
1040
Page 627 of 846

Xmit Q:
121
ASA1
ASA1(config)# prompt hostname context state
ASA1/act(config)#
ASA1/act(config)# changeto context c1
ASA1/c1/act(config)#
ASA1/c1/act(config)# changeto context c2
ASA1/c2/stby(config)#
ASA2
ASA1/stby(config)#
ASA1/stby(config)# changeto context c
ASA1/stby(config)# changeto context c1
ASA1/c1/stby(config)#
ASA1/c1/stby(config)# changeto context c2
ASA1/c2/act(config)#
R1#ping 101.1.1.1
!!!!!
R2#ping 101.1.1.1
!!!!!
ASA1/c1/act(config)# sh xlate
0:00:30
ASA2
ASA1/c2/act(config)# sh xlate
Page 628 of 846

0:00:30
ASA1/act(config)# ! to save config
ASA1/act(config)# write memory all
ASA1/act(config)# mode single
Security context mode: single
***
*** --- START GRACEFUL SHUTDOWN --***
*** Message to all terminals:
***
*** change mode
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW --***
*** Message to all terminals:
***
*** change mode
ASA2
ASA1/act(config)# sh failover
Failover On
Interface Policy 1
Group 1
State:
Active
Page 629 of 846

Group 2
State:
Active
c1 Interface inside (192.168.101.1): Normal (Waiting)
c1 Interface outside (101.1.1.100): Normal (Waiting)
c2 Interface inside (192.168.102.1): Normal (Waiting)
c2 Interface outside (102.1.1.100): Normal (Waiting)
Other host: Primary
Group 1
State:
Failed
Group 2
State:
Failed
c1 Interface inside (192.168.101.2): Unknown (Monitored)
c1 Interface outside (101.1.1.101): Unknown (Monitored)
c2 Interface inside (192.168.102.2): Unknown (Monitored)
c2 Interface outside (102.1.1.101): Unknown (Monitored)
Stateful Obj xmit
xerr
rcv
rerr
General
150
0
180
0
sys cmd
146
0
146
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
0
0
12
0
ARP tbl
2
0
10
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 0
0
0
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
SIP Session 0
0
0
0
Route Session 2
0
0
0
Router ID
0
0
0
0
User-Identity 0
0
12
0
CTS SGTNAME 0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP 0
0
0
0
IPv6 Route 0
0
0
0
STS Table
0
0
0
0
Page 630 of 846

Cur Max Total
Recv Q:
0
5
2072
Xmit Q:
0
1
495
R1#ping 101.1.1.1
!!!!!
R2#ping 101.1.1.1
!!!!!
ASA1(config)# ! TO save config
ASA1(config)# write memory all
Page 631 of 846


Chapter 23
Modular Policy Framework
MPF Function
Connection restriction
Traffic Policing
MPF Components
Class Map
Policy Map
Service Policy
DCE
SUN RPC
ILS
NET BIOS
IPSec-Pass_throu
XDMCP
ICMP Inspection
FTP Modes
SMTP
DNS
TFTP
HTTP
RSH
SQL .NET
SIP
SCCP
CTIQBE
MGCP
Page 632 of 846

Moduler Policy Framework
It provide us following Features:
Traffic Priortization
Traffic Policing
Using this feature we can configure the Cisco Appliance that which protocol should be add in state
table along with TCP & UDP, For example ICMP. Using inspection of connection we can make ICMP
as a stateful traffic.
Using connection restriction we can set per protocol max-conn, per-client-max conn, max-embronic
conn, per-client embronic connection etc.
Using this feature we can give priority to delay sensitive data like voice traffic or vpn traffic.
Traffic Policing
Using this feature we can police incoming & outgoing traffic limit on an interface.
MPF Components
Class-map
Policy-map
Service-policy
Class-map types
L3/L4 Class-map
L7 Class-map
Regex Class-map
Policy-map types
L3/L4 Class-map
L7 Class-map
Serive-policy
It can be called on a specific interface or globally.
Page 633 of 846


Default_inspected_protocols in version os 9.2.2.4
FTP
DNS
H.323 RAS
H.323 225
RSTP
RSH
SIP
SCCP
SQL.NET
SUN RPC
ESMTP
TFTP
NETBIOS
XDMCP
IP_OPTION
DCE (Distributed Computing Environment)

A protocols it is used by programmers to make softwares. It allow software to work over multiple
systems , But it appear that software is working on a single system. It use TCP Port 135
By default it is not inspected by cisco appliance if any company is using it we have to inspect it.
class-map class_default
match default_inspection
policy-map global_policy
class class_default
inspect dce
service-policy global_policy global
SUN RPC
It was developed by sun . It is useed by NFS (Network File System) for file sharing.
By default it is inspected by appliance. it use TCP port 111
class class_default
inspect sunrpc
Page 634 of 846


ILS (Internet Locater Service)
It protocol is used by microsoft active directory , netmetting . This protocol allow systems to gather
the information which is required to communicate with other system in a domain.
By default it is not inspect by appliance . it use TCP por 389.
If AD or netmetting is not working properly we have to inspect it
class class_default
inspect ils
NET BIOS
This protocol is used in older OS for name resolution. name to ip or ip to name.
By default it is inspected by appliance . It use UDP port 137, 138
If you are not using it you can remove it from inspected protocol list
class class_default
no inspect netbios
IPsec-Pass-Throu
When a vpn client establish vpn session it establish 2 connection per protocols ESP or AH.
But By default no limitation , They can establish more than 2 connection , to solve this problem
appliance as a feature ipsec-pass-throu using this we can set per client ESP or AH max connection.
It use UDP port 500.
policy-map type inspect ipsec-pass-thru l7-ipsec-pass-thru
parameters
esp per-client-max 2
ah per-client-max 2
class default_class
inspect ipsec-pass-thru l7-ipsec-pass-thru
Page 635 of 846

XDMCP ( X Display Manager Protocol)
When the PC was came in this world . it was very costly so a solution was developed by UNIX
X-Dispaly, in this solution we use a diskless client & A X Server. It is By default inspected.
Working:When client bootup it use UDP dynamic port & hit to UDP 177 of X server . this is called
management connection . after management connection client use TCP & hit to TCP 6000 for display
if there is an outbound connection nothing to do
Higher to lower nothing to do.
Client UDP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>UDP 177 Server
Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 6000 Server
Lower to Higher connection
we have to open acl for UDP 177

Plus establish keyword
class-map default
match default-inspection-traffic
policy-map shiva
class default
inspect xdmcp
service-policy shiva global
ICMP
This protocol is use for connectivity checking. but it could be used to overload a server with ICMP
traffic i.e. it is inspected by appliance. it use ip protocol no 1.
if you want you can configure it as an inspected traffic.
class-map shiva_class
policy-map shiva_policy
class shiva_class
inspect icmp
inspect icmp error
service-policy shiva_policy global
Page 636 of 846


FTP
This protocol is use for file transfering. it use TCP port 21
it has two modes
class-map default
policy-map shiva
class default
inspect ftp
Modes
Active mode
Passive mode
Active mode working
Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 21 Server
Client TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 20 Server
Higher to lower insection

Lower to higher only ACL
Passive mode working

Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 21 Server
Client TCP 1024<<<<<<<<hit 4321 for data<<<<<<<<<<<<<<<<<<<<<TCP 21 Server
Higher to lower nothing to do

Lower to higher Acl Plus Inspection
SMTP
It is used to send mail . it use TCP port 25. Appliance has capability to apply deeper inspection of
SMTP. like SMTP Boby Length.
Working
Client TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 25 Server
access-list smtp-limit permit tcp any any eq 25
class-map smtp
match access-list smtp-limit
Page 637 of 846

policy-map type inspect esmtp l7-esmtp
parameters
match body length gt 1000
drop-connection
policy-map shiva
class smtp
inspect esmtp l7-esmtp
DNS
Domain Name System use for name resolution . it use TCP or UDP port 53.
DNS Inspection Features
DNS Gurad
DNS Doctoring
DNS Query Length
DNS Gurad
it allow only first reply of DNS query
DNS Doctoring
This feature enale appliance to translate inside inside query with another ip address used on another
interface.
commands
static (inside,outside) interface 192.168.101.53 dns
DNS Query Length
By default DNS query lenght is 512 bytes we can extend it
Default inspected by appliance.
static (inside,outside) interface 192.168.101.53 dns
policy-map type inspect dns l7-dns
parameters
dns-guard
nat-rewrite
protocol-enforcement
message-length maximum 1024
exit
ex
class-map default
policy-map shiva
class default
inspect dns l7-dns
Page 638 of 846

TFTP
Used for backup & upgrade network aplliance it use UDP port 69
Default inspected
Working
Client UDP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>UDP 69 Server
Client UDP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<UDP 1234 Server
Higher to ower inspection

Lower to higher ACL
HTTP
Used for web browsing it use TCP port 80. Appliance has capabilities to block http site using name &
ip address.
regex fb \.facebook\.com
regex 420 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
class-map type regex match-any rs
match regex fb
match regex 420
policy-map type inspect http l7-http
parameters
match request header host regex class rs
reset
access-list http permit tcp any any eq 80
class-map http-class
match access-list http
policy-map shiva
class http-class
inspect http l7-http
RSH
Used in Unix for remote terminal. it use TCP port 514
working
Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 514 Server
Client TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 1024 Server
Higher to lower inspection
Lower to higher ACL
Default Inspected.
Page 639 of 846


SQL.NET
Used by oracal database use TCP port 1521 default inspected.
Working
Client TCP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>TCP 1521 Server
Client TCP 1024<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<TCP 1521 Server
Higher to lower nothing
Lower to higher Acl
SIP/SCCP/CTIQUBE (TCP-UDP-5060/TCP-2000/TCP-2748)
These protocols used to establish voip call
Clinet IP Phone TCP/UDP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>5060/2000/2748 Server
Client IP Phone UDP 1025>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>voice Server
Client IP Phone UDP 1026>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>synch Server
Higher to lower nothing to do

Lower to higher ACL Plus inspection
MGCP
Used by VOIP gateway to call-manager
Working
Gateway UDP 1024>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>UDP 2427 Server
Gateway UDP 2727<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<UDP 1024 Server
Higher to lower inspection
Lower to higher ACL Plus Inspection
Page 640 of 846


Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.101.1 255.255.255.0
ip add 192.168.106.1 255.255.255.0 secondary
router ei 100
no auto-summary
net 0.0.0.0
R2
no sh
ip add 192.168.10.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.10.1
1024
line vty 0 90
login local
exit
Page 641 of 846

R3
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
ip address 2.2.2.2 255.255.255.255
!
interface Loopback3
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 101.1.1.1 255.255.255.0
!
ip address 102.1.1.1 255.255.255.0
!
ip address 103.1.1.1 255.255.255.0
!
ip address 192.168.104.1 255.255.255.0
ip http server
R4
no shutdown
ip add 192.168.20.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip http server
R5
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1
Page 642 of 846

ip dns server
ip host www.cisco.com 101.1.1.111
ip host www.abc.com 101.1.1.222
ip host www.google.com 1.1.1.1
ip host www.facebook.com 2.2.2.2
ip host www.gmail.com 3.3.3.3
R6
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
network 192.168.1.0 255.255.255.0
ASA1(config)# ping 192.168.101.100
!!!!!
ASA1(config)# ping 192.168.106.100
!!!!!
Page 643 of 846

ASA1(config)# ping 192.168.10.100
!!!!!
ASA1(config)# ping 192.168.20.100
!!!!!
ASA1(config)# ping 192.168.104.100
!!!!!
!!!!!
!!!!!
ASA2
ASA2(config)# ping 192.168.102.100
!!!!!
ASA2(config)# pin
ASA2(config)# ping 192.168.104.100
!!!!!
!!!!!
!!!!!
ASA1
object network R2
Page 644 of 846

host 192.168.10.100
object network R4
host 192.168.20.100
object network www.cisco.com
host 101.1.1.111
object network www.abc.com
host 101.1.1.222
nat (dmz1,outside) source static R2 www.cisco.com
nat (dmz2,outside) source static R4 www.abc.com
ASA1(config)# sh running-config class-map
!
class-map inspection_default
!
ASA1(config)# sh running-config policy-map

!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
ASA1(config)# sh running-config service-policy
Page 645 of 846

ASA1(config)# clear configure service-policy
!
ASA1(config)# clear configure policy-map
!
ASA1(config)# clear configure class-map
!
!
ASA1
ASA1(config)# class-map shiva_class
ASA1(config-cmap)# match default-inspection-traffic
ASA1(config-cmap)# policy-map shiva_policy
ASA1(config-pmap)# class shiva_class
ASA1(config-pmap-c)# inspect icmp
ASA1(config-pmap-c)# inspect icmp error
ASA1(config-pmap-c)# service-policy shiva_policy global
R3#debug ip icmp
R1#ping 101.1.1.1
!!!!!
!!!!!
R2#ping 101.1.1.1
!!!!!
R4#ping 101.1.1.1
!!!!!
Page 646 of 846
R3#debug ip icmp
R3#
R3#
R3#
*Oct 8 07:07:01.019: ICMP: dst (10.0.0.255) host unreachable sent to 10.0.0.10
R3#
R3#
R3#
ASA1(config)# ! Open ACL for www.cisco.com
ASA1(config)# ! Open ACL for www.abc.com
ASA1(config)# ! So that Internet-Users can ping www.cisco.com ,www.abc.com
ASA1(config)# access-list out permit icmp any object R2
ASA1(config)# access-list out permit icmp any object R4
R3
R3(config)#ip domain-lookup
R3(config)#ip name-server 102.1.1.100
R3#ping www.cisco.com
Translating "www.cisco.com"...domain server (102.1.1.100) [OK]
Page 647 of 846

!!!!!
R3#ping www.abc.com
Translating "www.abc.com"...domain server (102.1.1.100) [OK]
!!!!!
PC 192.168.104.100
Page 648 of 846

ASA1
ASA1(config)# access-list out permit tcp any object R2 eq 22
Page 649 of 846

ASA1
access-list telnet-limit permit tcp any object R2 eq 23
class-map telnet-class
match access-list telnet-limit
class telnet-class
set connection conn-max 123
set connection embryonic-conn-max 1
set connection per-client-max 2
set connection per-client-embryonic-max 1
Page 650 of 846

ASA1
encryption aes
hash sha
group 5
lifetime 1800
subnet 192.168.101.0 255.255.255.0
object network s2s
subnet 192.168.102.0 255.255.255.0
nat (inside,outside) 1 source static inside inside destination static s2s s2s
Page 651 of 846

ASA2
encryption aes
hash sha
group 5
lifetime 1800
R1#ping 192.168.102.100 source fastEthernet 0/1 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R6#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ASA1
!
priority-queue outside
class-map s2s-class
match tunnel-group 103.1.1.100
class s2s-class
priority
Page 652 of 846


ASA1
Page 653 of 846

ASA1
access-list traffic-limit deny ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list traffic-limit permit ip 192.168.101.0 255.255.255.0 any
class-map traffic-limit-class
match access-list traffic-limit
class traffic-limit-class
police input 8000 conform-action transmit exceed-action drop
police output 8000 conform-action transmit exceed-action drop
Page 654 of 846

FTP Inspection
outbound connection is working
check inbound connection
host 192.168.101.100
object service obj_ser_ftp
service tcp source eq 21
nat (inside,outside) 3 source static obj_net_192.168.101.100 interface service obj_ser_ftp
obj_ser_ftp
access-list out permit tcp any object obj_net_192.168.101.100 eq 21
Page 655 of 846

not working
ASA1
class shiva_class
inspect ftp
Page 656 of 846

SMTP
host 192.168.106.100
ex
object service obj_ser_smtp
object service obj_ser_pop3
ex
sh history
nat (inside,outside) 3 source static obj_net_192.168.106.100 interface service obj_ser_smtp
obj_ser_smtp
nat (inside,outside) 3 source static obj_net_192.168.106.100 interface service obj_ser_pop3
obj_ser_pop3
Page 657 of 846


192.168.106.100 is exchange server
Page 658 of 846

GO on Internet User
Page 659 of 846

Page 660 of 846

Page 661 of 846

Page 662 of 846

Page 663 of 846

Page 664 of 846

Page 665 of 846

Page 666 of 846

Page 667 of 846

access-list smtp-limit permit tcp any object obj_net_192.168.106.100 eq 25

class-map smtp-class
match access-list smtp-limit
policy-map type inspect esmtp l7-esmtp
match body length gt 10
drop-connection
class smtp-class
Page 668 of 846

inspect esmtp l7-esmtp
Page 669 of 846

ASA1(config-pmap)# policy-map shiva_policy

ASA1(config-pmap)# class smtp-class
ASA1(config-pmap-c)# no inspect esmtp l7-esmtp
Page 670 of 846

Page 671 of 846

Page 672 of 846


ASA1(config)# sh conn
UDP outside
UDP outside
UDP outside
UDP outside
UDP outside
UDP outside
10.0.0.255:137 inside 10.0.0.10:137, idle 0:00:13, bytes 25650, flags 10.0.0.255:137 dmz1 10.0.0.10:137, idle 0:00:13, bytes 25800, flags 102.1.1.100:53 inside 192.168.101.100:54918, idle 0:00:12, bytes 80, flags h
102.1.1.100:53 inside 192.168.101.100:55714, idle 0:00:38, bytes 78, flags h
!!!!!
R3#ping www.abc.com
!!!!!
R1(config)#ip domain-lookup
R1(config)#ip name-server 102.1.1.100
.....
R1#ping www.abc.com
.....
Page 673 of 846


ASA1
policy-map type inspect dns l7-dns
parameters
dns-guard
nat-rewrite
protocol-enforcement
class shiva_class
inspect dns l7-dns
nat (dmz1,outside) source static R2 www.cisco.com dns
nat (dmz2,outside) source static R4 www.abc.com dns
!!!!!
R1#ping www.abc.com
!!!!!
Page 674 of 846

R1#copy tftp: flash:

Address or name of remote host []? 192.168.104.100
Source filename []? svc.pkg
Destination filename [svc.pkg]?
Accessing tftp://192.168.104.100/svc.pkg...
%Error opening tftp://192.168.104.100/svc.pkg (Timed out)
R1#
ASA1(config)# ! TFTP Inspection
ASA1(config)#
ASA1(config)# policy-map shiva_policy
ASA1(config-pmap)# class shiva_class
ASA1(config-pmap-c)# inspect tftp
R1#copy tftp: flash:
Address or name of remote host [192.168.104.100]?
Source filename [svc.pkg]?
Destination filename [svc.pkg]?
Accessing tftp://192.168.104.100/svc.pkg...
Erase flash: before copying? [confirm]q
Loading svc.pkg from 192.168.104.100 (via FastEthernet0/0): !
%Error opening flash:svc.pkg (No space left on device)
Page 675 of 846

Page 676 of 846

Page 677 of 846

regex fb \.facebook\.com
regex ip420 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
class-map type regex match-any rs
match regex fb
match regex ip420
policy-map type inspect http l7-http
match request header host regex class rs
reset
ex
class shiva_class
inspect http l7-http
Page 678 of 846

Page 679 of 846

Page 680 of 846

Page 681 of 846

Page 682 of 846

Page 683 of 846


class shiva_class
inspect ils
inspect dcerpc
inspect sunrpc
inspect netbios
inspect xdmcp
inspect rsh
inspect sqlnet
inspect tftp
inspect sip
inspect skinny
inspect ctiqbe
inspect mgcp
policy-map type inspect ipsec-pass-thru l7-ipsec-pass-thru

parameters
esp per-client-max 5
ah per-client-max 5
access-list ipsec-pass-acl permit udp any any eq 500
class-map ipsec-pass-class
match access-list ipsec-pass-acl
class ipsec-pass-class
inspect ipsec-pass-thru l7-ipsec-pass-thru
Page 684 of 846


Chapter 24
OSPFv3

OSPFv3
Diagram:-
Initial-config
R1
no shutdown
ipv6 add 192:168:1::1/48
Page 685 of 846

!
ipv6 add 192:168:101::1/48
no shutdown
!
int lo1
ipv6 add 172:10:1::1/48
int lo2
ipv6 add 172:10:2::1/48
int lo3
ipv6 add 172:10:3::1/48
int lo4
ipv6 add 172:10:4::1/48
int lo5
ipv6 add 172:10:5::1/48
int lo6
ipv6 add 172:10:6::1/48
R2
no shutdown
ipv6 add 192:168:2::1/48
no shutdown
int lo1
ipv6 add 172:20:1::1/48
int lo2
ipv6 add 172:20:2::1/48
int lo3
ipv6 add 172:20:3::1/48
int lo4
ipv6 add 172:20:4::1/48
int lo5
ipv6 add 172:20:5::1/48
int lo6
ipv6 add 172:20:6::1/48
R3
no shutdown
ipv6 add 192:168:3::1/48
no shutdown
!
ipv6 add 192:168:103::1/48
no shutdown
!
int lo1
ipv6 add 172:30:1::1/48
int lo2
ipv6 add 172:30:2::1/48
Page 686 of 846

int lo3
ipv6 add 172:30:3::1/48
int lo4
ipv6 add 172:30:4::1/48
int lo5
ipv6 add 172:30:5::1/48
int lo6
ipv6 add 172:30:6::1/48
R4
no shutdown
ipv6 add 192:168:4::1/48
no shutdown
int lo1
ipv6 add 172:40:1::1/48
int lo2
ipv6 add 172:40:2::1/48
int lo3
ipv6 add 172:40:3::1/48
int lo4
ipv6 add 172:40:4::1/48
int lo5
ipv6 add 172:40:5::1/48
int lo6
ipv6 add 172:40:6::1/48
ASA1
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:2::2/48
!
nameif outside
security-level 0
no ip address
ipv6 address 192:168:3::2/48
!
nameif dmz2
security-level 50
no ip address
ipv6 address 192:168:4::2/48
Page 687 of 846
ASA1(config-if)# sh ipv6 int brief

inside [up/up]
192:168:1::2
dmz1 [up/up]
192:168:2::2
outside [up/up]
192:168:3::2
dmz2 [up/up]
192:168:4::2
ASA1(config-if)# ping 192:168:1::1
!!!!!
!!!!!
!!!!!
!!!!!
R1
ipv6 router ospf 100
router-id 1.1.1.1
exit
ipv6 ospf 100 area 1
int l1
int l2
int l3
Page 688 of 846

int l4
int l5
int l6
R2
router-id 2.2.2.2
int f0/0
ipv6 router ei 100
no shutdown
int lo1
ip add 2.2.2.2 255.255.255.255
ipv6 eigrp 100
int lo2
ipv6 eigrp 100
int lo3
ipv6 eigrp 100
int lo4
ipv6 eigrp 100
int lo5
ipv6 eigrp 100
int lo6
ipv6 eigrp 100
R3
ipv6 router os 100
router-id 3.3.3.3
int f0/0
int f0/1
int l1
int l2
int l3
int l4
int l5
int l6
R4
Page 689 of 846

router-id 4.4.4.4
int f0/0
ipv6 router eigrp 200
router-id 4.4.4.4
no sh
int l1
ipv6 eigrp 200
int l2
ipv6 eigrp 200
int l3
ipv6 eigrp 200
int l4
ipv6 eigrp 200
int l5
ipv6 eigrp 200
int l6
ipv6 eigrp 200
ASA1
router-id 5.5.5.5
int g0/0
int g0/1
int g0/2
int g0/3
ASA1# sh ipv6 ospf neighbor

Dead Time Interface ID Interface
2.2.2.2 1 FULL/DR
0:00:31
4 dmz1
1.1.1.1 1 FULL/DR
0:00:35
4 inside
3.3.3.3 1 FULL/DR
0:00:32
3 outside
4.4.4.4 1 FULL/DR
0:00:33
3 dmz2
ASA1# sh ipv6 ospf database
OSPFv3 Router with ID (5.5.5.5) (Process ID 100)

ADV Router
Age
Seq#
Fragment ID Link count Bits
2.2.2.2 162 0x80000003
0
1 None
5.5.5.5 161 0x80000001
0
1B
Page 690 of 846

ADV Router
Age
Seq#
Link ID Rtr count
2.2.2.2 162 0x80000001
42
Inter Area Prefix Link States (Area 0)
ADV Router
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
Age
151
151
141
141
141
141
141
141
143
143
143
Seq#
Prefix
0x80000002 192:168:101::/48
0x80000002 192:168:1::/48
0x80000001 192:168:103::/48
0x80000001 172:30:6::1/128
0x80000001 172:30:5::1/128
0x80000001 172:30:4::1/128
0x80000001 172:30:3::1/128
0x80000001 172:30:2::1/128
0x80000001 172:30:1::1/128
0x80000001 192:168:3::/48
0x80000001 192:168:4::/48
Link (Type-8) Link States (Area 0)

ADV Router
Age
Seq#
Link ID Interface
2.2.2.2 835 0x80000001
4 dmz1
5.5.5.5 162 0x80000001
4 dmz1
Intra Area Prefix Link States (Area 0)
ADV Router
Age
Seq#
Link ID Ref-lstype Ref-LSID
2.2.2.2 163 0x80000001
4096 0x2002 4
ADV Router
Age
Seq#
1.1.1.1 166 0x80000007
0
1 None
5.5.5.5 160 0x80000002
0
1B
ADV Router
Age
Seq#
Link ID Rtr count
1.1.1.1 166 0x80000001
42
ADV Router
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
Age
153
143
143
143
143
143
Seq#
Prefix
0x80000001 192:168:2::/48
0x80000001 192:168:103::/48
0x80000001 172:30:6::1/128
0x80000001 172:30:5::1/128
0x80000001 172:30:4::1/128
0x80000001 172:30:3::1/128
Page 691 of 846


5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
143
143
143
143
0x80000001
0x80000001
0x80000001
0x80000001
172:30:2::1/128
172:30:1::1/128
192:168:3::/48
192:168:4::/48

ADV Router
Age
Seq#
Link ID Interface
1.1.1.1 939 0x80000001
4 inside
5.5.5.5 165 0x80000001
3 inside
ADV Router
Age
Seq#
1.1.1.1 166 0x80000003
0 0x2001 0
1.1.1.1 166 0x80000001
4096 0x2002 4
ADV Router
Age
Seq#
3.3.3.3 150 0x8000000a
0
1 None
5.5.5.5 149 0x80000001
0
1B
ADV Router
Age
Seq#
Link ID Rtr count
3.3.3.3 150 0x80000001
32
ADV Router
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
Age
143
143
143
143
Seq#
Prefix
0x80000001 192:168:101::/48
0x80000001 192:168:1::/48
0x80000001 192:168:4::/48
0x80000001 192:168:2::/48

ADV Router
Age
Seq#
Link ID Interface
3.3.3.3 652 0x80000001
3 outside
5.5.5.5 149 0x80000001
5 outside
ADV Router
Age
Seq#
3.3.3.3 150 0x80000007
0 0x2001 0
3.3.3.3 150 0x80000001
3072 0x2002 3
ADV Router
Age
Seq#
Page 692 of 846


4.4.4.4 147
5.5.5.5 146
0x80000003
0x80000001
0
0
1 None
1B

ADV Router
Age
Seq#
Link ID Rtr count
4.4.4.4 147 0x80000001
32
ADV Router
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
5.5.5.5
Age
143
143
143
143
143
143
143
143
143
143
143
Seq#
Prefix
0x80000001 192:168:101::/48
0x80000001 192:168:1::/48
0x80000001 192:168:103::/48
0x80000001 172:30:6::1/128
0x80000001 172:30:5::1/128
0x80000001 172:30:4::1/128
0x80000001 172:30:3::1/128
0x80000001 172:30:2::1/128
0x80000001 172:30:1::1/128
0x80000001 192:168:3::/48
0x80000001 192:168:2::/48

ADV Router
Age
Seq#
Link ID Interface
4.4.4.4 361 0x80000001
3 dmz2
5.5.5.5 146 0x80000001
6 dmz2
ADV Router
Age
Seq#
4.4.4.4 151 0x80000001
3072 0x2002 3
ASA1# sh ipv6 route ospf
IPv6 Routing Table - 18 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O 172:30:1::1/128 [110/10]
via fe80::46e4:d9ff:fe87:ecde, outside
O 172:30:2::1/128 [110/10]
O 172:30:3::1/128 [110/10]
O 172:30:4::1/128 [110/10]
O 172:30:5::1/128 [110/10]
O 172:30:6::1/128 [110/10]
Page 693 of 846

O 192:168:101::/48 [110/11]
via fe80::224:14ff:fedd:17e8, inside
O 192:168:103::/48 [110/11]
ASA1# ping 192:168:101::1
!!!!!
ASA1# ping 192:168:103::1
!!!!!
ASA1(config-rtr)# ipv6 router ospf 100
ASA1(config-rtr)# area 1 virtual-link 1.1.1.1
R1(config-rtr)#ipv6 router ospf 100
R1(config-rtr)#area 1 virtual-link 5.5.5.5
ASA1# sh ipv6 ospf neighbor

1.1.1.1 0 FULL/ 2.2.2.2 1 FULL/DR
1.1.1.1 1 FULL/DR
3.3.3.3 1 FULL/DR
4.4.4.4 1 FULL/DR

0:00:26
15 OSPFV3_VL0
0:00:35
4 dmz1
0:00:39
4 inside
0:00:39
3 outside
0:00:39
3 dmz2

OI 172:10:1::1/128 [110/10]
OI 172:10:2::1/128 [110/10]
OI 172:10:3::1/128 [110/10]
OI 172:10:4::1/128 [110/10]
OI 172:10:5::1/128 [110/10]
OI 172:10:6::1/128 [110/10]
Page 694 of 846

O 172:30:1::1/128 [110/10]
O 172:30:2::1/128 [110/10]
O 172:30:3::1/128 [110/10]
O 172:30:4::1/128 [110/10]
O 172:30:5::1/128 [110/10]
O 172:30:6::1/128 [110/10]
O 192:168:101::1/128 [110/10]
O 192:168:101::/48 [110/11]
O 192:168:103::/48 [110/11]

ASA1(config-rtr)# passive-interface default
ASA1(config-rtr)# no passive-interface inside
ASA1(config-rtr)# no passive-interface dmz1
ASA1(config-rtr)# no passive-interface dmz2
ASA1(config-rtr)# no passive-interface outside

!!!!!
!!!!!
!!!!!
!!!!!
Page 695 of 846

!!!!!
!!!!!

R2(config-rtr)#redistribute eigrp 100 metric-type 1 include-connected
OI 172:10:1::1/128 [110/10]
OI 172:10:2::1/128 [110/10]
OI 172:10:3::1/128 [110/10]
OI 172:10:4::1/128 [110/10]
OI 172:10:5::1/128 [110/10]
OI 172:10:6::1/128 [110/10]
OE1 172:20:1::/48 [110/30]
via fe80::21f:9eff:fe5f:8060, dmz1
OE1 172:20:2::/48 [110/30]
OE1 172:20:3::/48 [110/30]
OE1 172:20:4::/48 [110/30]
OE1 172:20:5::/48 [110/30]
OE1 172:20:6::/48 [110/30]
O 172:30:1::1/128 [110/10]
O 172:30:2::1/128 [110/10]
O 172:30:3::1/128 [110/10]
O 172:30:4::1/128 [110/10]
Page 696 of 846

O 172:30:5::1/128 [110/10]
O 172:30:6::1/128 [110/10]
O 192:168:101::1/128 [110/10]
O 192:168:101::/48 [110/11]
O 192:168:103::/48 [110/11]
R2(config-rtr)#summary-prefix 172:20:0::/45
OI 172:10:1::1/128 [110/10]
OI 172:10:2::1/128 [110/10]
OI 172:10:3::1/128 [110/10]
OI 172:10:4::1/128 [110/10]
OI 172:10:5::1/128 [110/10]
OI 172:10:6::1/128 [110/10]
OE1 172:20::/45 [110/30]
O 172:30:1::1/128 [110/10]
O 172:30:2::1/128 [110/10]
O 172:30:3::1/128 [110/10]
O 172:30:4::1/128 [110/10]
O 172:30:5::1/128 [110/10]
O 172:30:6::1/128 [110/10]
O 192:168:101::1/128 [110/10]
O 192:168:101::/48 [110/11]
O 192:168:103::/48 [110/11]
Page 697 of 846

R2(config-rtr)#no summary-prefix 172:20:0::/45
R1#sh ipv6 route ospf
IPv6 Routing Table - Default - 34 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
D - EIGRP, EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
OE1 172:20:1::/48 [110/31]
via FE80::6E20:56FF:FEBD:EA87, FastEthernet0/0
OE1 172:20:2::/48 [110/31]
OE1 172:20:3::/48 [110/31]
OE1 172:20:4::/48 [110/31]
OE1 172:20:5::/48 [110/31]
OE1 172:20:6::/48 [110/31]
OI 172:30:1::1/128 [110/11]
OI 172:30:2::1/128 [110/11]
OI 172:30:3::1/128 [110/11]
OI 172:30:4::1/128 [110/11]
OI 172:30:5::1/128 [110/11]
OI 172:30:6::1/128 [110/11]
O 192:168:1::2/128 [110/1]
O 192:168:2::/48 [110/11]
OI 192:168:3::/48 [110/11]
OI 192:168:4::/48 [110/11]
OI 192:168:103::/48 [110/12]
ASA1(config-rtr)# area 2 range 172:30::/45

Page 698 of 846

IPv6 Routing Table - Default - 29 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
OE1 172:20:1::/48 [110/31]
OE1 172:20:2::/48 [110/31]
OE1 172:20:3::/48 [110/31]
OE1 172:20:4::/48 [110/31]
OE1 172:20:5::/48 [110/31]
OE1 172:20:6::/48 [110/31]
OI 172:30::/45 [110/11]
O 192:168:1::2/128 [110/1]
O 192:168:2::/48 [110/11]
OI 192:168:3::/48 [110/11]
OI 192:168:4::/48 [110/11]
OI 192:168:103::/48 [110/12]
ASA1(config-rtr)# no area 2 range 172:30::/45
R3
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
OI 172:10:1::1/128 [110/11]
OI 172:10:2::1/128 [110/11]
OI 172:10:3::1/128 [110/11]
Page 699 of 846

OI 172:10:4::1/128 [110/11]
OI 172:10:5::1/128 [110/11]
OI 172:10:6::1/128 [110/11]
OE1 172:20:1::/48 [110/31]
OE1 172:20:2::/48 [110/31]
OE1 172:20:3::/48 [110/31]
OE1 172:20:4::/48 [110/31]
OE1 172:20:5::/48 [110/31]
OE1 172:20:6::/48 [110/31]
OI 192:168:1::/48 [110/11]
OI 192:168:1::2/128 [110/1]
OI 192:168:2::/48 [110/11]
OI 192:168:4::/48 [110/11]
OI 192:168:101::/48 [110/12]
OI 192:168:101::1/128 [110/11]
ASA1(config-rtr)# area 2 stub
R3(config-rtr)#area 2 stub
OI ::/0 [110/2]
OI 172:10:1::1/128 [110/11]
OI 172:10:2::1/128 [110/11]
Page 700 of 846

OI 172:10:3::1/128 [110/11]
OI 172:10:4::1/128 [110/11]
OI 172:10:5::1/128 [110/11]
OI 172:10:6::1/128 [110/11]
OI 192:168:1::/48 [110/11]
OI 192:168:1::2/128 [110/1]
OI 192:168:2::/48 [110/11]
OI 192:168:4::/48 [110/11]
OI 192:168:101::/48 [110/12]
OI 192:168:101::1/128 [110/11]
ASA1(config-rtr)# area 2 stub no-summary
OI ::/0 [110/2]
ASA1
ASA1(config-rtr)# area 3 stub
R4(config)#ipv6 router ospf 100
R4(config-rtr)#area 3 stub

Page 701 of 846

OI ::/0 [110/2]
OI 172:10:1::1/128 [110/11]
OI 172:10:2::1/128 [110/11]
OI 172:10:3::1/128 [110/11]
OI 172:10:4::1/128 [110/11]
OI 172:10:5::1/128 [110/11]
OI 172:10:6::1/128 [110/11]
OI 172:30:1::1/128 [110/11]
OI 172:30:2::1/128 [110/11]
OI 172:30:3::1/128 [110/11]
OI 172:30:4::1/128 [110/11]
OI 172:30:5::1/128 [110/11]
OI 172:30:6::1/128 [110/11]
OI 192:168:1::/48 [110/11]
OI 192:168:1::2/128 [110/1]
OI 192:168:2::/48 [110/11]
OI 192:168:3::/48 [110/11]
OI 192:168:101::/48 [110/12]
OI 192:168:101::1/128 [110/11]
OI 192:168:103::/48 [110/12]
ASA1(config-rtr)# area 3 stub no-summary
Page 702 of 846

OI ::/0 [110/2]
R4(config)#ipv6 router ospf 100

R4(config-rtr)#redistribute eigrp 200 metric-type 1 include-connected
R4(config-rtr)#
*Oct 5 07:57:12.939: %OSPFv3-4-ASBR_WITHOUT_VALID_AREA: Router is currently an ASBR while
having only one area which is a stub area
R4(config-rtr)#no area 3 stub
R4(config-rtr)#area 3 nssa
ASA1(config-rtr)# no area 3 stub
ASA1(config-rtr)# area 3 nssa

OI 172:10:1::1/128 [110/11]
OI 172:10:2::1/128 [110/11]
OI 172:10:3::1/128 [110/11]
OI 172:10:4::1/128 [110/11]
OI 172:10:5::1/128 [110/11]
OI 172:10:6::1/128 [110/11]
OI 172:30:1::1/128 [110/11]
OI 172:30:2::1/128 [110/11]
OI 172:30:3::1/128 [110/11]
OI 172:30:4::1/128 [110/11]
OI 172:30:5::1/128 [110/11]
OI 172:30:6::1/128 [110/11]
Page 703 of 846

OI 192:168:1::/48 [110/11]
OI 192:168:1::2/128 [110/1]
OI 192:168:2::/48 [110/11]
OI 192:168:3::/48 [110/11]
OI 192:168:101::/48 [110/12]
OI 192:168:101::1/128 [110/11]
OI 192:168:103::/48 [110/12]
ASA1(config-rtr)# area 3 nssa no-summary default-information-originate
OI ::/0 [110/2]
ASA1(config)# sh ipv6 route interface dmz2
ON1 172:40:1::/48 [110/30]
via fe80::21a:6cff:fed4:e56e, dmz2
ON1 172:40:2::/48 [110/30]
ON1 172:40:3::/48 [110/30]
ON1 172:40:4::/48 [110/30]
ON1 172:40:5::/48 [110/30]
ON1 172:40:6::/48 [110/30]
R1(config-if)#interface lo1
R1(config-if)#ipv6 ospf network point-to-point
Page 704 of 846

R1(config-if)#ipv6 ospf network
point-to-point
point-to-point
point-to-point
point-to-point
point-to-point
ASA1
OI 172:10:1::/48 [110/11]
OI 172:10:2::/48 [110/11]
OI 172:10:3::/48 [110/11]
OI 172:10:4::/48 [110/11]
OI 172:10:5::/48 [110/11]
OI 172:10:6::/48 [110/11]
OE1 172:20:1::/48 [110/30]
OE1 172:20:2::/48 [110/30]
OE1 172:20:3::/48 [110/30]
OE1 172:20:4::/48 [110/30]
OE1 172:20:5::/48 [110/30]
OE1 172:20:6::/48 [110/30]
O 172:30:1::1/128 [110/10]
O 172:30:2::1/128 [110/10]
O 172:30:3::1/128 [110/10]
O 172:30:4::1/128 [110/10]
O 172:30:5::1/128 [110/10]
Page 705 of 846

O 172:30:6::1/128 [110/10]
ON1 172:40:1::/48 [110/30]
ON1 172:40:2::/48 [110/30]
ON1 172:40:3::/48 [110/30]
ON1 172:40:4::/48 [110/30]
ON1 172:40:5::/48 [110/30]
ON1 172:40:6::/48 [110/30]
O 192:168:101::1/128 [110/10]
O 192:168:101::/48 [110/11]
O 192:168:103::/48 [110/11]
ASA1(config-rtr)# distance ospf external 222 inter-area 111 intra-area 111
OI 172:10:1::/48 [111/11]
OI 172:10:2::/48 [111/11]
OI 172:10:3::/48 [111/11]
OI 172:10:4::/48 [111/11]
OI 172:10:5::/48 [111/11]
OI 172:10:6::/48 [111/11]
OE1 172:20:1::/48 [222/30]
OE1 172:20:2::/48 [222/30]
OE1 172:20:3::/48 [222/30]
OE1 172:20:4::/48 [222/30]
Page 706 of 846

OE1 172:20:5::/48 [222/30]
OE1 172:20:6::/48 [222/30]
O 172:30:1::1/128 [111/10]
O 172:30:2::1/128 [111/10]
O 172:30:3::1/128 [111/10]
O 172:30:4::1/128 [111/10]
O 172:30:5::1/128 [111/10]
O 172:30:6::1/128 [111/10]
ON1 172:40:1::/48 [222/30]
ON1 172:40:2::/48 [222/30]
ON1 172:40:3::/48 [222/30]
ON1 172:40:4::/48 [222/30]
ON1 172:40:5::/48 [222/30]
ON1 172:40:6::/48 [222/30]
O 192:168:101::1/128 [111/10]
O 192:168:101::/48 [111/11]
O 192:168:103::/48 [111/11]
Page 707 of 846


Chapter 25
IPv6 Static NAT

IPv6 Dynamic NAT
IPv6 PAT
IPv6 Static PAT
IPv6 Twice NAT
IPv6 Identity NAT
Diagram:-
Page 708 of 846


Initial-config
R1
int f0/0
no shutdown
ipv6 add 192:168:1::1/48
int f0/1
no shutdown
ipv6 add 192:168:101::1/48
ipv6 route ::/0 192:168:1::2
1024
line vty 0 90
login lo
exit
ip http server
R2
no shutdown
ipv6 add 192:168:10::100/48
ipv6 route ::/0 192:168:10::1
1024
line vty 0 90
login lo
exit
R3
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
int f0/1
no shutdown
ipv6 add 192:168:102::1/48
Page 709 of 846

no shutdown
R4
no shutdown
ipv6 add 192:168:20::100/48
ipv6 route ::/0 192:168:20::1
ip http server
R5
ipv6 add 192:168:101::111/48
no shutdown
ipv6 route ::/0 192:168:1
1024
line vty 0 90
login lo
exit
ip http server
ASA1
nameif inside
security-level 100
no ip address
ipv6 address 192:168:1::2/48
!
nameif dmz1
security-level 60
no ip address
ipv6 address 192:168:10::1/48
!
nameif outside
Page 710 of 846

security-level 0
no ip address
ipv6 address 101:1:1::100/48
!
nameif dmz2
security-level 50
no ip address
ipv6 address 192:168:20::1/48
ipv6 route inside 192:168:101::/48 192:168:1::1

ASA1# ping 192:168:101::1

!!!!!
ASA1# ping 192:168:101::111
!!!!!
ASA1# ping 192:168:10::100
!!!!!
ASA1# ping 192:168:20::100
!!!!!
ASA1# ping 192:168:102::1
!!!!!
ASA1
STATIC
object network obj_net_192:168:1::1
host 192:168:1::1
host 192:168:101::1
host 192:168:101::111
Page 711 of 846

host 192:168:10::100
host 192:168:20::100
host 101:1:1::101
host 101:1:1::102
host 101:1:1::103
host 101:1:1::104
nat (inside,outside) static interface ipv6
nat (inside,outside) static obj_net_101:1:1::101
nat (inside,outside) static obj_net_101:1:1::102
nat (dmz1,outside) static obj_net_101:1:1::103
nat (dmz2,outside) static obj_net_101:1:1::104
! ASA will allow TCP & UDP for ICMP open ACL
access-list out permit icmp6 any object obj_net_192:168:1::1
R3#debug ipv6 icmp
R1#ping 101:1:1::1
!!!!!
R1#ping 101:1:1::1 so
R1#ping 101:1:1::1 source f
R1#ping 101:1:1::1 source fastEthernet 0/1
!!!!!
R2#ping 101:1:1::1
Page 712 of 846

!!!!!
R4#ping 101:1:1::1
!!!!!
R5#ping 101:1:1::1
!!!!!
R3#debug ipv6 icmp
R3#
R3#
R3#
R3#
*Oct 5 08:54:26.379: ICMPv6: Received echo request from 101:1:1::100
*Oct 5 08:54:26.379: ICMPv6: Sending echo reply to 101:1:1::100
R3#
*Oct 5 08:54:32.123: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
R3#
R3#
R3#
R3#
Page 713 of 846

*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
*Oct
R3#
*Oct
*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
5 08:54:43.839: ICMPv6: Received echo request from 101:1:1::102

5 08:54:43.839: ICMPv6: Sending echo reply to 101:1:1::102
5 08:54:43.839: ICMPv6: Received ICMPv6 packet from FE80::6E20:56FF:FEBD:EA88, type 136
NAT from inside:192:168:1::1/128 to outside:101:1:1::100/128
NAT from dmz1:192:168:10::100/128 to outside:101:1:1::103/128
NAT from dmz2:192:168:20::100/128 to outside:101:1:1::104/128
Page 714 of 846

Dynamic
ASA1
object network obj_net_inside
subnet 192:168:1::/48
object network obj_net_inside_lan
subnet 192:168:101::/48
object network obj_net_dmz1_lan
subnet 192:168:10::/48
subnet 192:168:20::/48
object network obj_net_dpool
range 101:1:1::101 101:1:1::104
nat (inside,outside) dynamic obj_net_dpool
nat (inside,outside) dynamic obj_net_dpool
nat (dmz1,outside) dynamic obj_net_dpool
nat (dmz2,outside) dynamic obj_net_dpool
access-list out extended permit icmp6 any object obj_net_inside

access-list out extended permit icmp6 any object obj_net_inside_lan
access-list out extended permit icmp6 any object obj_net_dmz1_lan
R1#ping 101:1:1::1
!!!!!
!!!!!
R5#ping 101:1:1::1
Page 715 of 846

!!!!!
R2#ping 101:1:1::1
!!!!!
R4#ping 101:1:1::1
.....
NAT from dmz1:192:168:10::100 to outside:101:1:1::103 flags i idle 0:02:33 timeout 3:00:00
NAT from inside:192:168:101::111 to outside:101:1:1::102 flags i idle 0:02:37 timeout 3:00:00
R3
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct

Page 716 of 846

*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
*Oct

ASA1
PAT
subnet 192:168:1::/48
subnet 192:168:101::/48
subnet 192:168:10::/48
subnet 192:168:20::/48
!
nat (inside,outside) dynamic interface ipv6
nat (inside,outside) dynamic interface ipv6
nat (dmz1,outside) dynamic interface ipv6
nat (dmz2,outside) dynamic interface ipv6
access-list out extended permit icmp6 any object obj_net_inside
access-list out extended permit icmp6 any object obj_net_inside_lan
Page 717 of 846

!!!!!
!!!!!
R5#ping 101:1:1::1
!!!!!
R2#ping 101:1:1::1
!!!!!
R4#ping 101:1:1::1
!!!!!
ASA1(config-network-object)# sh xlate
ICMP6 PAT from dmz2:192:168:20::100/8784 to outside:101:1:1::100/8784 flags ri idle 0:00:00
timeout 0:00:30
ICMP6 PAT from dmz1:192:168:10::100/5560 to outside:101:1:1::100/5560 flags ri idle 0:00:03
timeout 0:00:30
ICMP6 PAT from inside:192:168:101::111/4159 to outside:101:1:1::100/4159 flags ri idle 0:00:08
timeout 0:00:30
ICMP6 PAT from inside:192:168:1::1/8024 to outside:101:1:1::100/8024 flags ri idle 0:00:13 timeout
0:00:30
Page 718 of 846

ICMP6 PAT from inside:192:168:101::1/954 to outside:101:1:1::100/954 flags ri idle 0:00:12 timeout
0:00:30
ICMP6 PAT from inside:192:168:101::1/3788 to outside:101:1:1::100/3788 flags ri idle 0:00:15
timeout 0:00:30
ASA1
STATIC PAT
host 192:168:1::1
nat (inside,outside) static interface ipv6 service tcp ssh ssh
access-list out extended permit tcp any object obj_net_192:168:1::1 eq ssh
R3#ssh -l shiva 101:1:1::100
Password:
R1#
TCP PAT from inside:192:168:1::1/128 22-22 to outside:101:1:1::100/128 22-22
flags sr idle 0:00:12 timeout 0:00:00
TCP outside 101:1:1::1:40109 inside 192:168:1::1:22, idle 0:00:03, bytes 2452, flags UIOB
R3#ssh -l shiva 101:1:1::100
Password:
R1#ex
R1#exit
R3#
R3#
Page 719 of 846

ASA1
Identity NAT
subnet 192:168:101::/48
subnet 192:168:102::/48
nat (inside,outside) source static obj_net_192:168:101::0 obj_net_192:168:101::0 destination static

obj_net_192:168:102::0 obj_net_192:168:102::0
nat (inside,outside) source dynamic any interface ipv6
access-list out extended permit icmp6 any object obj_net_192:168:101::0
access-list out extended permit icmp6 any 192:168:1::/48
R1#ping 101:1:1::1
!!!!!
R1#ping 101:1:1::1 so
!!!!!
R1#ping 192:168:102::1
!!!!!
R1#ping 192:168:102::1 so
R1#ping 192:168:102::1 source f
Page 720 of 846

.....
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
R3#
*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
*Oct
R3#
*Oct
*Oct
R3#
*Oct

5 09:36:07.555: ICMPv6: Received ICMPv6 packet from 101:1:1::100, type 136
Page 721 of 846

*Oct
R3#
*Oct
*Oct
R3#
*Oct
*Oct

ASA1
Twice NAT
subnet 101:1:1::/48
subnet 192:168:102::/48
host 101:1:1::111
host 101:1:1::222
nat (inside,outside) source dynamic any obj_net_101:1:1::111 destination static obj_net_101:1:1::0
obj_net_101:1:1::0
nat (inside,outside) source dynamic any obj_net_101:1:1::222 destination static
obj_net_192:168:102::0 obj_net_192:168:102::0
access-list out extended permit icmp6 any any
R1#ping 101:1:1::1
!!!!!
R1#ping 101:1:1::1 so
!!!!!
R1#
R1#pin
R1#ping 192:168:102::1
!!!!!
Page 722 of 846

R1#ping 192:168:102::1 so
R1#ping 192:168:102::1 source f
!!!!!
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct
R3#
*Oct
*Oct
*Oct
*Oct
*Oct
*Oct

Page 723 of 846

*Oct
*Oct
*Oct
*Oct

Page 724 of 846


Chapter 26

Site-Site on IPv6
Diagram:-
Page 725 of 846


Initial-config
R1
ipv6 add 192:168:101::100/48
no shutdown
ipv6 route ::/0 192:168:101::1
R2
ipv6 add 192:168:102::100/48
no shutdown
ipv6 route ::/0 192:168:102::1
R3
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
no shutdown
ipv6 add 102:1:1::1/48
ASA1
no shu
nameif inside
ipv6 add 192:168:101::1/48
no shu
nameif outside
ipv6 add 101:1:1::100/48
ASA1(config)# ping 192:168:101::100
!!!!!
!!!!!
ASA2
no shu
nameif inside
ipv6 add 192:168:102::1/48
Page 726 of 846

no shu
interface g0/1
no shu
nameif outside
ipv6 add 102:1:1::100/48
no shu
ASA2(config)# ping 192:168:102::100
!!!!!
ASA2(config)# pin
!!!!!
ASA1
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 102:1:1::100 type ipsec-l2l
tunnel-group 102:1:1::100 ipsec-attributes
access-list 101 permit ip 192:168:101::/48 192:168:102::/48
crypto map test 10 set peer 102:1:1::100
ASA2
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 101:1:1::100 type ipsec-l2l
tunnel-group 101:1:1::100 ipsec-attributes
Page 727 of 846

access-list 102 permit ip 192:168:102::/48 192:168:101::/48
crypto map test 10 set peer 101:1:1::100
R1#ping 192:168:102::100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192:168:101::100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 102:1:1::100
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
interface: outside
Crypto map tag: test, seq num: 10, local addr: 101:1:1::100
access-list 101 extended permit ip 192:168:101::/48 192:168:102::/48
local ident (addr/mask/prot/port): (192:168:101::/48/0/0)
remote ident (addr/mask/prot/port): (192:168:102::/48/0/0)
current_peer: 102:1:1::100

Page 728 of 846

local crypto endpt.: 101:1:1::100/0, remote crypto endpt.: 102:1:1::100/0
current outbound spi: DD53A4C1
current inbound spi : 21DA3675
inbound esp sas:
spi: 0x21DA3675 (567948917)
IV size: 16 bytes
Anti replay bitmap:
outbound esp sas:
spi: 0xDD53A4C1 (3713246401)
IV size: 16 bytes
Anti replay bitmap:
0x00000000 0x00000001
ASA2
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 101:1:1::100
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
interface: outside
Crypto map tag: test, seq num: 10, local addr: 102:1:1::100
Page 729 of 846

access-list 102 extended permit ip 192:168:102::/48 192:168:101::/48
local ident (addr/mask/prot/port): (192:168:102::/48/0/0)
remote ident (addr/mask/prot/port): (192:168:101::/48/0/0)
current_peer: 101:1:1::100

local crypto endpt.: 102:1:1::100/0, remote crypto endpt.: 101:1:1::100/0
current outbound spi: 21DA3675
current inbound spi : DD53A4C1
inbound esp sas:
spi: 0xDD53A4C1 (3713246401)
IV size: 16 bytes
Anti replay bitmap:
outbound esp sas:
spi: 0x21DA3675 (567948917)
IV size: 16 bytes
Anti replay bitmap:
0x00000000 0x00000001
Page 730 of 846


Chapter 27
SSL VPN on IPv6

SSL on IPv6
Diagram:-
Initial-config
R1
ipv6 add 101:1:1::1/48
no shutdown
Page 731 of 846

int f0/1
no shutdown
ipv6 add 192:168:101::1/48
no shutdown
ipv6 add 192:168:102::1/48
R2
int f0/0
no shutdown
ipv6 add 192:168:1::2/48
no sh
int f0/1
no shutdown
ipv6 add 192:168:10::1/48
exit
router-id 2.2.2.2
int f0/0
int f0/1
R3
int f0/0
no shutdown
ipv6 add 192:168:2::2/48
int f0/1
no sh
ipv6 add 192:168:20::1/48
exit
router-id 3.3.3.3
int f0/0
int f0/1
R4
ipv6 add 192:168:10::100/48
no shutdown
ipv6 route ::/0 192:168:10::1
1024
line vty 0 90
login local
exit
ip http server
Page 732 of 846

ip http au local
R5
int f0/0
no shutdown
ipv6 add 192:168:20::100/48
no shutdown
ipv6 route ::/0 192:168:20::1
1024
line vty 0 90
login local
exit
ip http server
ip http au local
ASA1
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48
!
nameif inside1
security-level 100
no ip address
ipv6 address 192:168:1::1/48
!
nameif inside2
security-level 100
no ip address
ipv6 address 192:168:2::1/48
!
router-id 1.1.1.1
log-adjacency-changes
!
ASA1(config)# sh ipv6 ospf neighbor
Neighbor ID
Pri State
Page 733 of 846


3.3.3.3 1 FULL/BDR
0:00:35
2.2.2.2 1 FULL/DR
0:00:31
ASA1(config)# sh ipv6 route ospf
3 inside2
4 inside1

O 192:168:10::/48 [110/11]
via fe80::21f:9eff:fe5f:8060, inside1
O 192:168:20::/48 [110/11]
via fe80::46e4:d9ff:fe87:ecde, inside2
ASA1(config)# ping 192:168:101::100
!!!!!
ASA1(config)# ping 192:168:10::100
!!!!!
ASA1(config)# ping 192:168:20::100
!!!!!
ASA1
webvpn
enable outside
username shiva password shiva privilege 15privilege 15
https://[101:1:1::100]
Page 734 of 846

in url bar type

[192:168:10:100] for admin
[192:168:20:100] for mgmt
Page 735 of 846

Page 736 of 846

Page 737 of 846

webvpn
port 9090
enable outside
Page 738 of 846

Page 739 of 846

webvpn
port 9090
enable outside
port-forward admin 2222 192:168:10::100 ssh
port-forward admin 2323 192:168:10::100 telnet
port-forward admin 8080 192:168:10::100 www
port-forward admin 8181 192:168:10::100 https
port-forward mgmt 2222 192:168:20::100 ssh
port-forward mgmt 2323 192:168:20::100 telnet
port-forward mgmt 8080 192:168:20::100 www
port-forward mgmt 8181 192:168:20::100 https
group-policy admin_policy internal
group-policy admin_policy attributes
webvpn
group-policy mgmt_policy internal
group-policy mgmt_policy attributes
webvpn
default-group-policy admin_policy
Page 740 of 846

default-group-policy mgmt_policy
webvpn
Page 741 of 846

Page 742 of 846

Page 743 of 846

Page 744 of 846

Page 745 of 846

Page 746 of 846

Page 747 of 846

Page 748 of 846

Page 749 of 846

Page 750 of 846

ASA1# vpn-sessiondb logoff webvpn

Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions of type "webvpn" logged off : 2
Page 751 of 846

Page 752 of 846

Page 753 of 846

Page 754 of 846

Page 755 of 846


Chapter 28
BGP (Border Gateway Protocol)
BGP Messages
BGP Tables
BGP States
BGP Terminology
BGP Lab
Page 756 of 846

BGP Border Gateway Protocol

It is an exterior gate classless path vector routing protocol.
Why it is called Path Vector
Because it is path vector because it select the route based on the AS path. It reject those which
have already across their AS.
BGP Messages
Open
Keep Alive
Update
Notification
Open
BGP sends open message using TCP port 179
Contain:1.Version
2.My AS
3.Router ID
4.Hold Time default 180sec
Keep Alive
BGP sends periodic keep alive after every 60 sec.
Update
When two router become BGP neighbour they send update message to each other.
Contain:1. Route
2. Route's Attributes
Route's Attributes
They are those criteria which are used to select best route.
they are also called Rich Metric.
Notification
When a neighbour is rested then it sends notification message.
Contain:it contain cause of resetting.
BGP can be implemented within AS i.e. called iBGP.
BGP can be implemented over AS i.e. called eBGP.
Page 757 of 846

BGP Tables
Neighbour Table
BGP Table
Routing Table
BGP States
Idle
Connect
Open Sent
Open Confirm
Establish
1.Idle
it means that searching neighbour.
2.Connect
it means that TCP three-way hand-shake complete.
3. Open Sent
it means that Open message has been sent.
4. Open Confirm
it means that Open acknowledgement has been received.
5. Establish
it means that neighbour ship complete.
Some BGP Terminology
Next-hop-self
EBGP-Multi-hop
Max-path
Source-update
BGP-redistribute Internal
Next-hop-self
When a BGP edge router learns the external route then it advertise those route with default nexthop to iBGP neighbour, to solve this problem we use next-hop-self .This command force a router to
send own IP address as next-hop to iBGP neighbour.
Page 758 of 846

Normally an iBGP router doesn't exchange the route of one neighbour with another neighbour.
To solve this we use route-reflector-client. this command force a router to exchange the routes of
one neighbour with another.
EBGP-Multi-hop
When a BGP router wants to establish eBGP neighbour ship it set TTL value 1 in open message. if
your neighbour is not directly connected. than neighbour ship will not establish.
Using EBGP-Multi-hop command we can increase TTL value.
Max-Path
By default BGP select one best path using its attributes. or we can say
that by default BGP don't use load-balancing. if you want to use load-balancing then change maxpath value using Max-Path command.
Source-update
If you want to establish neighbour ship you can use physical interface IP for peering. But physical
interface can be goes down. this is not recommended for BGP peering.
you can use loopback for peering. if you are using loopback for peering you have to use updatesource command . this command tells a router when you send message to your peer use particular
loopback IP as source otherwise neighbour ship will not perform.
BGP-redistribute Internal
We can redistribute IGP to iBGP, or IGP to eBGP, eBGP to IGP.
But iBGP to IGP redistribution not allowed if you want we have to use BGP-redistribute Internal.
Page 759 of 846


Diagram:-
Initial-config
R1
interface Loopback1
ip address 192.10.1.1 255.255.255.0
!
interface Loopback2
ip address 192.10.2.1 255.255.255.0
!
interface Loopback3
ip address 192.10.3.1 255.255.255.0
!
interface Loopback4
ip address 192.10.4.1 255.255.255.0
!
interface Loopback5
ip address 192.10.5.1 255.255.255.0
!
interface Loopback6
ip address 192.10.6.1 255.255.255.0
!
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
Page 760 of 846

!
ip address 192.168.101.1 255.255.255.0
duplex auto
speed auto
R2
no shutdown
ip add 192.168.2.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.102.1 255.255.255.0
R3
no shutdown
ip add 192.168.3.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.35.1 255.255.255.0
no shutdown
int l1
ip add 192.168.103.1 255.255.255.0
no shutdown
R4
no shutdown
ip add 192.168.4.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 192.168.104.1 255.255.255.0
no shutdown
R5
interface f0/1
no shutdown
ip add 192.168.35.2 255.255.255.0
no shutdown
int f0/0
no shutdown
ip add 192.168.105.1 255.255.255.0
no shutdown
ASA1
nameif inside
Page 761 of 846

security-level 100
ip address 192.168.1.2 255.255.255.0
!
nameif dmz1
security-level 60
ip address 192.168.2.2 255.255.255.0
!
nameif outside
security-level 0
ip address 192.168.3.2 255.255.255.0
!
nameif dmz2
security-level 50
ip address 192.168.4.2 255.255.255.0
!
!!!!!
!!!!!
!!!!!
!!!!!
R1
R1(config)#router bgp 100
R1(config-router)#neighbor 192.168.1.2 remote-as 100
R1(config-router)#net 192.168.1.0
Page 762 of 846

R2
R3
R4
R5
ASA1
ASA1(config)# router bgp 100
ASA1(config-router)# address-family ipv4 unicast
ASA1(config-router-af)# neighbor 192.168.1.1 remote-as 100
ASA1(config-router-af)# network 192.168.1.0
ASA1# sh bgp neighbors
BGP neighbor is 192.168.1.1, context single_vf, remote AS 100, internal link
BGP version 4, remote router ID 192.10.6.1
BGP state = Established, up for 00:02:20
Last read 00:00:19, last write 00:00:56, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Page 763 of 846

Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent
Rcvd
Opens:
1
1
Notifications: 0
0
Updates:
4
1
Keepalives: 3
4
Route Refresh: 0
0
Total:
8
6
Default minimum time between advertisement runs is 0 seconds
For address family: IPv4 Unicast
Session: 192.168.1.1
BGP table version 17, neighbor version 17/0
Output queue size : 0
Index 1
1 update-group member
Sent
Rcvd
Prefix activity:
------Prefixes Current: 7
8
(Consumes 640 bytes)
Prefixes Total:
7
8
Implicit Withdraw: 0
0
Explicit Withdraw: 0
0
Used as bestpath: n/a
7
Used as multipath: n/a
0
Outbound Inbound
Local Policy Denied Prefixes: -------- ------Bestpath from this peer: 7
n/a
Bestpath from iBGP peer: 2
n/a
Total:
9
0
Number of NLRIs in the update sent: max 4, min 0
Address tracking is enabled, the RIB does have a route to 192.168.1.1
Connections established 1; dropped 0
Last reset never
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled

Neighbor sessions:
Page 764 of 846

Four-octets ASN Capability: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent
Rcvd
Opens:
1
1
Notifications: 0
0
Updates:
4
1
Keepalives: 4
4
Route Refresh: 0
0
Total:
9
6
Session: 192.168.2.1
Index 1
Sent
Rcvd
Prefix activity:
2
Prefixes Total:
7
2
0
0
1
0
Outbound Inbound
n/a
n/a
Total:
9
0
Last reset never
BGP neighbor is 192.168.3.1, context single_vf, remote AS 200, external link

Neighbor sessions:
Page 765 of 846

Four-octets ASN Capability: advertised
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent
Rcvd
Opens:
1
1
Notifications: 0
0
Updates:
3
2
Keepalives: 4
5
Route Refresh: 0
0
Total:
8
8
Session: 192.168.3.1
Index 2
Sent
Rcvd
Prefix activity:
4
Prefixes Total:
13
4
0
0
3
0
Outbound Inbound
n/a
Total:
3
0
Last reset never

Page 766 of 846

Neighbor sessions:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent
Rcvd
Opens:
1
1
Notifications: 0
0
Updates:
4
1
Keepalives: 4
5
Route Refresh: 0
0
Total:
9
7
Session: 192.168.4.1
Index 1
Sent
Rcvd
Prefix activity:
2
Prefixes Total:
7
2
0
0
1
0
Outbound Inbound
n/a
n/a
Total:
9
0
Last reset never
ASA1# sh bgp
BGP table version is 17, local router ID is 192.168.4.2
Page 767 of 846

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
Next Hop
Metric LocPrf Weight Path
*>i192.10.1.0
192.168.1.1
0 100 0 i
*>i192.10.2.0
192.168.1.1
0 100 0 i
*>i192.10.3.0
192.168.1.1
0 100 0 i
*>i192.10.4.0
192.168.1.1
0 100 0 i
*>i192.10.5.0
192.168.1.1
0 100 0 i
*>i192.10.6.0
192.168.1.1
0 100 0 i
*> 192.168.1.0 0.0.0.0
0
32768 i
*i
192.168.1.1
0 100 0 i
* i192.168.2.0 192.168.2.1
0 100 0 i
*>
0.0.0.0
0
32768 i
*> 192.168.3.0 0.0.0.0
0
32768 i
*
192.168.3.1
0
0 200 i
* i192.168.4.0 192.168.4.1
0 100 0 i
*>
0.0.0.0
0
32768 i
*> 192.168.35.0 192.168.3.1
0
0 200 i
*>i192.168.101.0 192.168.1.1
0 100 0 i
*>i192.168.102.0 192.168.2.1
0 100 0 i
*> 192.168.103.0 192.168.3.1
0
0 200 i
*>i192.168.104.0 192.168.4.1
0 100 0 i
*> 192.168.105.0 192.168.3.1
0 200 i
ASA1# sh route bgp
B
B
B
B
B
B
B
B
B
B
B
B
192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29

192.10.2.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
192.10.4.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
192.10.6.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:03:29
192.168.101.0 255.255.255.0 [200/0] via 192.168.1.1, 00:03:29
192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:03:29
192.168.103.0 255.255.255.0 [20/0] via 192.168.3.1, 00:03:29
192.168.104.0 255.255.255.0 [200/0] via 192.168.4.1, 00:03:29
192.168.105.0 255.255.255.0 [20/0] via 192.168.3.1, 00:03:29
Page 768 of 846

ASA1# ping 192.168.101.1
!!!!!
ASA1# ping 192.168.102.1
!!!!!
ASA1# ping 192.168.103.1
!!!!!
ASA1# ping 192.168.104.1
!!!!!
ASA1# ping 192.168.105.1
!!!!!
BGP Authentication
ASA1(config-router-af)# neighbor 192.168.1.1 password shiva
R1(config-router)#neighbor 192.168.1.2 password shiva
R1#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:00:39
B 192.168.4.0/24 [200/0] via 192.168.1.2, 00:00:44
B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:00:39
B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:00:39
B 192.168.2.0/24 [200/0] via 192.168.1.2, 00:00:44
B 192.168.3.0/24 [200/0] via 192.168.1.2, 00:00:44
R2#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:08:42
B 192.168.4.0/24 [200/0] via 192.168.2.2, 00:08:47
B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:08:42
B 192.168.1.0/24 [200/0] via 192.168.2.2, 00:08:47
B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:08:42
B 192.168.3.0/24 [200/0] via 192.168.2.2, 00:08:47
R4#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.3.1, 00:08:56
B 192.168.35.0/24 [200/0] via 192.168.3.1, 00:08:56
B 192.168.1.0/24 [200/0] via 192.168.4.2, 00:09:02
Page 769 of 846

B 192.168.103.0/24 [200/0] via 192.168.3.1, 00:08:56
B 192.168.2.0/24 [200/0] via 192.168.4.2, 00:09:02
B 192.168.3.0/24 [200/0] via 192.168.4.2, 00:09:02
ASA1
ASA1(config-router-af)# neighbor 192.168.1.1 next-hop-self
R1
R1#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.1.2, 00:00:04
B 192.168.4.0/24 [200/0] via 192.168.1.2, 00:04:48
B 192.168.35.0/24 [200/0] via 192.168.1.2, 00:00:04
B 192.168.103.0/24 [200/0] via 192.168.1.2, 00:00:04
B 192.168.2.0/24 [200/0] via 192.168.1.2, 00:04:48
B 192.168.3.0/24 [200/0] via 192.168.1.2, 00:04:48
R2
R2#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.2.2, 00:00:09
B 192.168.4.0/24 [200/0] via 192.168.2.2, 00:12:39
B 192.168.35.0/24 [200/0] via 192.168.2.2, 00:00:08
B 192.168.1.0/24 [200/0] via 192.168.2.2, 00:12:39
B 192.168.103.0/24 [200/0] via 192.168.2.2, 00:00:08
B 192.168.3.0/24 [200/0] via 192.168.2.2, 00:12:39
R4
R4#sh ip route bgp
B 192.168.105.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.35.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.1.0/24 [200/0] via 192.168.4.2, 00:12:43
B 192.168.103.0/24 [200/0] via 192.168.4.2, 00:00:12
B 192.168.2.0/24 [200/0] via 192.168.4.2, 00:12:43
B 192.168.3.0/24 [200/0] via 192.168.4.2, 00:12:43
R3
R3#sh ip route bgp
B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:22:24
B 192.10.4.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.5.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.6.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.1.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.2.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:00:47
B 192.10.3.0/24 [20/0] via 192.168.3.2, 00:00:47
Page 770 of 846

B 192.168.101.0/24 [20/0] via 192.168.3.2, 00:00:47
ASA1(config-router-af)# aggregate-address 192.10.0.0 255.255.248.0

R3#sh ip route bgp
B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:23:46
B 192.10.4.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.5.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.6.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.1.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.2.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.3.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.168.101.0/24 [20/0] via 192.168.3.2, 00:02:09
B 192.10.0.0/21 [20/0] via 192.168.3.2, 00:00:07
ASA1(config-router-af)# aggregate-address 192.10.0.0 255.255.248.0 summary-only

R3#sh ip route bgp
B 192.168.104.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.105.0/24 [200/0] via 192.168.35.2, 00:25:09
B 192.168.4.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.102.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.1.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.2.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.168.101.0/24 [20/0] via 192.168.3.2, 00:03:31
B 192.10.0.0/21 [20/0] via 192.168.3.2, 00:01:29
ASA1# ping 192.168.35.2
!!!!!
R5#ping 192.168.3.2
!!!!!
Page 771 of 846

ASA1(config-router-af)# neighbor 192.168.35.2 ebgp-multihop 2
R5(config-router)#router bgp 200
R5(config-router)#neighbor 192.168.3.2 ebgp-multihop 2
R5(config-router)#
*Oct 7 07:15:01.111: %BGP-5-ADJCHANGE: neighbor 192.168.3.2 Up
ASA1# sh bgp neighbors 192.168.35.2
BGP neighbor is 192.168.35.2, context single_vf, remote AS 200, external link
Neighbor sessions:
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent
Rcvd
Opens:
1
1
Notifications: 0
0
Updates:
6
5
Keepalives: 2
3
Route Refresh: 0
0
Total:
9
9
R5#sh ip bgp neighbors 192.168.3.2
BGP neighbor is 192.168.3.2, remote AS 100, external link
Route refresh: advertised and received(old & new)
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent
Rcvd
Opens:
1
1
Notifications:
0
0
Updates:
5
6
Keepalives:
4
2
Route Refresh:
0
0
Page 772 of 846

Total:
10
9
router bgp 100

bgp log-neighbor-changes
address-family ipv4 unicast
ASA1(config-router-af)# no neighbor 192.168.35.2 ebgp-multihop 2
ASA1(config-router-af)# neighbor 192.168.35.2 ttl-security hops 2
R5(config-router)#no neighbor 192.168.3.2 ebgp-multihop 2
R5(config-router)#neighbor 192.168.3.2 ttl-security hops 2
C
L


C
L

ASA1# sh route dmz1

Page 773 of 846

C
L

ASA1# sh route dmz2

C
L

ASA1# sh route
B
B
B
B
B
B
B
C
L
C
L
C
L
C
L
B
192.10.0.0 255.255.248.0 [200/0] via 0.0.0.0, 00:11:07, Null0

192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
192.10.2.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
192.10.4.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
192.10.6.0 255.255.255.0 [200/0] via 192.168.1.1, 00:10:06
192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13
Page 774 of 846

B
B
B
B
B
192.168.101.0 255.255.255.0 [200/0] via 192.168.1.1, 00:13:13

192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:13:13
192.168.103.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13
192.168.104.0 255.255.255.0 [200/0] via 192.168.4.1, 00:13:13
192.168.105.0 255.255.255.0 [20/0] via 192.168.3.1, 00:13:13

ASA1(config-router-af)# neighbor 192.168.1.1 distribute-list 10 in
ASA1# clear bgp 192.168.1.1
ASA1# sh route
B
B
B
C
L
C
L
C
L
C
L
B
B
B
B
B
192.10.1.0 255.255.255.0 [200/0] via 192.168.1.1, 00:00:03

192.10.3.0 255.255.255.0 [200/0] via 192.168.1.1, 00:00:03
192.10.5.0 255.255.255.0 [200/0] via 192.168.1.1, 00:00:03
192.168.35.0 255.255.255.0 [20/0] via 192.168.3.1, 00:14:49
192.168.102.0 255.255.255.0 [200/0] via 192.168.2.1, 00:14:49
192.168.103.0 255.255.255.0 [20/0] via 192.168.3.1, 00:14:49
192.168.104.0 255.255.255.0 [200/0] via 192.168.4.1, 00:14:56
192.168.105.0 255.255.255.0 [20/0] via 192.168.3.1, 00:14:56
Note:BGP is out of the scope of this book this book is specially designed for ASA
if you want to know which commands are working or available please have a look blow
Page 775 of 846


ASA1(config-router)# ?
Router configuration commands:
address-family Enter Address Family command mode
bgp
BGP specific commands
exit
Exit from router configuration mode
help
Interactive help for router subcommands
no
Negate a command
timers
Adjust routing timers
ASA1(config-router-af)# ?
Router Address Family configuration commands:
aggregate-address Configure BGP aggregate entries
auto-summary
Enable automatic network number summarization
bgp
BGP specific commands
default
Set a command to its defaults
default-information Control distribution of default information
distance
Define an administrative distance
distribute-list Filter networks in routing updates
exit-address-family Exit from Address Family configuration mode
help
Description of the interactive help system
maximum-paths
Forward packets over multiple paths
neighbor
Specify a neighbor router
network
Specify a network to announce via BGP
no
Negate a command or set its defaults
redistribute
Redistribute information from another routing protocol
synchronization Perform IGP synchronization
table-map
Map external entry attributes into routing table
ASA1(config-router-af)# neighbor 192.168.1.1 ?
bgp address-family mode commands/options:
activate
Enable the Address Family for this Neighbor
advertisement-interval Minimum interval between sending BGP routing updates
default-originate
Originate default route to this neighbor
description
Neighbor specific description
disable-connected-check one-hop away EBGP peer using loopback address
distribute-list
Filter updates to/from this neighbor
ebgp-multihop
Allow EBGP neighbors not on directly connected
networks
filter-list
Establish BGP filters
local-as
Specify a local-as number
maximum-prefix
Maximum number of prefixes accepted from this peer
next-hop-self
Disable the next hop calculation for this neighbor
password
Set a password
prefix-list
Filter updates to/from this neighbor
Page 776 of 846

remote-as
Specify a BGP neighbor
remove-private-as
Remove private AS number from outbound updates
route-map
Apply route map to neighbor
send-community
Send Community attribute to this neighbor
shutdown
Administratively shut down this neighbor
timers
BGP per neighbor timers
transport
Transport options
ttl-security
BGP ttl security check
version
Set the BGP version to match a neighbor
weight
Set default weight for routes from this neighbor
.........Thanks....
Page 777 of 846


Chapter 29
EIGRP & OSPF in Multiple Mode
Diagram:-
Initial-config
R1
Page 778 of 846

no shutdown
ip add 192.168.101.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.101.1
interface l1
ip add 1.1.1.1 255.255.255.0
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.102.1
int l1
ip add 2.2.2.2 255.255.255.0
R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
ASA1
no shutdown
no shutdown
no shutdown
no shutdown
!
context c1
!
context c2
Page 779 of 846

!
changeto context c1
no shu
nameif inside
ip add 192.168.101.1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
ASA1/c1(config)# ping 192.168.101.100
!!!!!
!!!!!
!!!!!
changeto context c2
no shu
nameif inside
ip add 192.168.102.1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
no shu
ASA1/c2(config)# ping 192.168.102.100
!!!!!
Page 780 of 846

!!!!!
changeto context c1
router ei 100
no au
net 192.168.101.0
R1
router ei 100
no auto-summary
net 0.0.0.0
ASA1/c1# sh eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100) context(c1)
H Address
Interface
Hold Uptime SRTT RTO Q Seq
(sec)
(ms)
Cnt Num
0 192.168.101.100
inside
12 00:00:30 1 200 0 3
ASA1/c1# sh eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(192.168.101.1) context(c1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
via Rstatic (2560000256/0)
via Connected, inside
via 192.168.101.100 (130816/128256), inside
ASA1/c1# sh route eigrp
Routing Table: c1
D
1.1.1.0 255.255.255.0
[90/130816] via 192.168.101.100, 00:00:48, inside
Page 781 of 846
ASA1/c1(config-router)# router eigrp 100

ASA1/c1(config-router)# passive-interface default
ASA1/c1(config-router)# no passive-interface inside
ASA1/c1(config-router)# neighbor 192.168.101.100 interface inside

ASA1/c1(config-router)# distance eigrp 111 222
ASA1/c1(config-if)# interface gigabitEthernet 0/0
ASA1/c1(config-if)# hello-interval eigrp 100 2
ASA1/c1(config-if)# hold-time eigrp 100 4
ASA1/c1(config-if)# authentication mode eigrp 100 md5
ASA1/c1(config-if)# authentication key eigrp 100 shiva key-id 100
Remaining features are same...............................

ASA1/c2(config-router)# changeto context c2
ASA1/c2(config)# router ospf 100
ASA1/c2(config-router)# network 192.168.102.0 255.255.255.0 area 0
ASA1/c2(config-router)# default-information originate always
R2(config-if)#int f0/0
R2(config-if)#ip ospf 100 area 0
R2(config-if)#int lo1
R2(config-if)#ip ospf 100 area 0
ASA1/c2# sh ospf neighbor

2.2.2.2
1 FULL/BDR
Dead Time Address

Interface
0:00:30 192.168.102.100 inside
ASA1/c2# sh ospf database
OSPF Router with ID (192.168.102.1) (Process ID 100)

Link ID
ADV Router Age
Seq#
Checksum Link count
2.2.2.2
2.2.2.2
31
0x80000003 0x60a2 2
192.168.102.1 192.168.102.1 30
0x80000003 0x2fb3 1
Link ID
ADV Router
Age
Seq#
Checksum
Page 782 of 846


192.168.102.1 192.168.102.1 30
0x80000001 0x318e
Type-5 AS External Link States

Link ID
0.0.0.0
ADV Router Age

192.168.102.1 101
Seq#
Checksum Tag
0x80000001 0x5925 100
ASA1/c2# sh route ospf
Routing Table: c2
O
2.2.2.2 255.255.255.255
[110/11] via 192.168.102.100, 00:00:38, inside
Remaining features are same...............................

ASA1/c2(config)# router bgp 100
%BGP process cannot be created in non-system context
ERROR: Unable to create router process
ASA1/c2(config)# changeto system
ASA1(config-router)#
Page 783 of 846


Chapter 30
How to configure site-site in multiple mode
Diagram:-
Initial-config
R1
Page 784 of 846

no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int f0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
ASA1
!
!
!
!
!
!
class c1-class
!
class c2-class
!
!
context c1
member c1-class
!
context c2
Page 785 of 846

member c2-class
!
ASA1(config-ctx)# changeto context c1
ASA1/c1(config)#
changeto context c1
no shu
nameif inside
ip add 192.168.101.1
no shu
nameif outside
ip add 101.1.1.100 255.255.255.0
no shu
ASA1/c1(config)# ping 192.168.101.100
!!!!!
!!!!!
no shu
nameif inside
ip add 192.168.102.1
no shu
nameif outside
ip add 102.1.1.100 255.255.255.0
ASA1/c2(config)# ping 192.168.102.100
!!!!!
Page 786 of 846

!!!!!
encryption aes
hash sha
group 5
lifetime 1800
encryption aes
hash sha
group 5
lifetime 1800
R1#ping 192.168.102.100 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Page 787 of 846
R2#ping 192.168.101.100 repeat 100

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ASA1/c1(config)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 102.1.1.100
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
ASA1/c1(config)# sh cry
ASA1/c1(config)# sh crypto ip
ASA1/c1(config)# sh crypto ipsec sa
interface: outside

current outbound spi: 6D68EF77
current inbound spi : 18275EA3
ASA1/c2(config)# sh crypto ikev1 sa
IKEv1 SAs:
Page 788 of 846
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 101.1.1.100
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
ASA1/c2(config)# sh cry
ASA1/c2(config)# sh crypto ip
ASA1/c2(config)# sh crypto ipsec sa
interface: outside

current outbound spi: 18275EA3
current inbound spi : 6D68EF77
subnet 192.168.101.0 255.255.255.0
object network s2s
subnet 192.168.102.0 255.255.255.0
exit
subnet 192.168.102.0 255.255.255.0
Page 789 of 846

object network s2s
subnet 192.168.101.0 255.255.255.0
exit
R1#ping 192.168.102.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R1#ping 101.1.1.1 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#ping 192.168.101.100 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2#pin
R2#ping 101.1.1.1 re
R2#ping 101.1.1.1 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Page 790 of 846


Chapter 31
Clustering
Clustering
Configuration Replication
ASA Cluster Management
ASA Features and Clustering
Centralized Featuring
Performance Throughput
Page 791 of 846

Clustering
Clustering enables we group multiple ASAs together as a single logical device.
Note:ASA OS version 9.2 Support for 16 members for the cluster. The ASA 5585-X now supports 16-unit
clusters. Support for 32 active links in a spanned Ether-Channel for clustering
Master Unit
Slave Unit
New Connection Ownership
ASA Cluster Interfaces & Modes
Cluster Control Link
High Availability within the ASA Cluster
Data Path Connection State Replication
Master Unit
1. The First device on which you will configure Clustering that become master unit.
2. You must perform all configuration on the master unit only the configuration is then
replicated to the slave units.
3. Bootstrap is configured on all master & slaves.
Master Unit Election
1. When you enable clustering for a unit it broadcasts an election request every 3 seconds.
2. If after 45 seconds, a unit does not receive a response from another unit with a higher
priority, then it becomes master.
3. Note if multiple units tie for the highest priority, the cluster unit name, and then the serial
number is used to determine the master.
4. If a unit later joins the cluster with a higher priority, it does not automatically become the
master unit; the existing master unit always remains as the master unless it stops
responding, at which point a new master unit is elected.
Note: - You can manually force a unit to become the master. For centralized features, if you force a
master unit change, then all connections are dropped, and you have to re-establish the connections
on the new master unit.
Page 792 of 846

Slave Unit
When we enable clustering on other devices. They join the cluster as slaves. or we can configure
New Connection Ownership

When a new connection is directed to a member of the cluster, that unit owns both directions of the
connection. If any connection packets arrive at a different unit, they are forwarded to the owner unit
over the cluster control link.
ASA Cluster Interfaces

We can configured data interface as either spanned EtherChannels or as individual interfaces. All
data interfaces in the cluster must be one type only.
Interface Types
Spanned EtherChannel
Spanned EtherChannel
Interfaces on multiple members of the cluster are grouped into a single EtherChannel.
Page 793 of 846

Individual interfaces (Routed mode only)

Individual interfaces are normal routed interfaces, each with their own local IP address. Because
interface configuration must be configured only on the master unit.
Page 794 of 846

Cluster Control Link

Each unit must dedicate at least one hardware interface as the cluster control link. Cluster control
link traffic includes both control and data traffic.
Control traffic includes:
Master election.
Configuration replication.
Health monitoring.
Data traffic includes:
State replication.
Connection ownership queries and data packet forwarding.
Cluster Control Link Network
Each cluster control link has an IP address on the same subnet. This subnet should be isolated from
all other traffic.
High Availability within the ASA Cluster

Interface monitoring
The master unit monitors every slave unit by sending keepalive messages over the cluster
control link periodically (the period is configurable).
Each slave unit monitors the master unit using the same mechanism.
Page 795 of 846

Interface monitoring
Each unit monitors the link status of all hardware interfaces in use, and reports status changes to the
master unit.
Spanned EtherChannelUses cluster Link Aggregation Control Protocol (cLACP). Each unit
monitors the link status and the cLACP protocol messages to determine if the port is still
active in the EtherChannel. The status is reported to the master unit.
Individual interfaces (Routed mode only)each unit self-monitors its interfaces and reports
interface status to the master unit.
Unit or Interface Failure

When health monitoring is enabled, a unit is removed from the cluster if it fails or if its interfaces
fail.
When a unit in the cluster fails, the connections hosted by that unit are seamlessly transferred to
other units state information for traffic flows is shared over the control cluster link.
If the master unit fails, then another member of the cluster with the highest priority (lowest
number) becomes the master.

Every connection has one owner and at least one backup owner in the cluster. The backup owner
does not take over the connection in the event of a failure instead, it stores TCP/UDP state
information, so that the connection can be seamlessly transferred to a new owner in case of a
failure.
Page 796 of 846

Configuration Replication
All units in the cluster share a single configuration. Except for the initial bootstrap configuration
ASA Cluster Management

Management Network should be isolated to other network
Management Interface can be individual or spanned
How the ASA Cluster Manages

ConnectionsReplication
Connection Roles
Sample Data Flow

Rebalancing New Connections across the Cluster
Connection Roles
There are 3 different ASA roles defined for each connection:
OwnerThe unit that initially receives the connection. The owner maintains the TCP state
and processes packets. A connection has only one owner.
DirectorThe unit that handles owner lookup requests from forwarders and also maintains
the connection state to serve as a backup if the owner fails. When the owner receives a new
connection, it chooses a director based on a hash of the source/destination IP address and
TCP ports, and sends a message to the director to register the new connection. If packets
arrive at any unit other than the owner, the unit queries the director about which unit is the
owner so it can forward the packets. A connection has only one director.
ForwarderA unit that forwards packets to the owner. If a forwarder receives a packet for a
connection it does not own, it queries the director for the owner, and then establishes a
flow to the owner for any other packets it receives for this connection. The director can also
be a forwarder. Note that if a forwarder receives the SYN-ACK packet, it can derive the
owner directly from a SYN cookie in the packet, so it does not need to query the director (if
you disable TCP sequence randomization, the SYN cookie is not used; a query to the director
is required). For short-lived flows such as DNS and ICMP, instead of querying, the forwarder
immediately sends the packet to the director, which then sends them to the owner. A
connection can have multiple forwarders; the most efficient throughput is achieved by a
Page 797 of 846

good load-balancing method where there are no forwarders and all packets of a connection
are received by the owner.
Sample Data Flow
1. The SYN packet originates from the client and is delivered to an ASA (based on the load
balancing method), which becomes the owner. The owner creates a flow, encodes owner
information into a SYN cookie, and forwards the packet to the server.
2. The SYN-ACK packet originates from the server and is delivered to a different ASA (based on
the load balancing method). This ASA is the forwarder.
3. Because the forwarder does not own the connection, it decodes owner information from the
SYN cookie, creates a forwarding flow to the owner, and forwards the SYN-ACK to the
owner.
4. The owner sends a state update to the director, and forwards the SYN-ACK to the client.
5. The director receives the state update from the owner, creates a flow to the owner, and
records the TCP state information as well as the owner. The director acts as the backup
owner for the connection.
6. Any subsequent packets delivered to the forwarder will be forwarded to the owner.
7. If packets are delivered to any additional units, it will query the director for the owner and
establish a flow.
8. Any state change for the flow results in a state update from the owner to the director.
Page 798 of 846

ASA Features and Clustering

Unsupported Features
These features cannot be configured with clustering enabled, and the commands will be rejected.
Unified Communications
Remote access VPN (SSL VPN and IPsec VPN)
The following application inspections:
CTIQBE
GTP
H323, H225, and RAS
IPsec passthrough
MGCP
MMP
RTSP
SIP
SCCP (Skinny)
WAAS
WCCP
Botnet Traffic Filter

Auto Update Server
DHCP client, server, relay, and proxy
VPN load balancing
Failover
ASA CX module
Centralized Features
The following features are only supported on the master unit, and are not scaled for the cluster. For
example, you have a cluster of eight units (5585-X with SSP-60). The Other VPN license allows a
maximum of 10,000 IPsec tunnels for one ASA 5585-X with SSP-60. For the entire cluster of eight
units, you can only use 10,000 tunnels; the feature does not scale. For centralized features, if the
master unit fails, all connections are dropped, and you have to re-establish the connections on the
new master unit.
Site-to-site VPN
The following application inspections:
DCERPC
NetBios
PPTP
RADIUS
RSH
Page 799 of 846
SUNRPC
TFTP
XDMCP
Dynamic routing (spanned EtherChannel mode only)
Multicast routing (individual interface mode only)
Static route monitoring
IGMP multicast control plane protocol processing (data plane forwarding is distributed
across the cluster)
PIM multicast control plane protocol processing (data plane forwarding is distributed across
the cluster)
Authentication and Authorization for network access. Accounting is decentralized.
Filtering Services
Features Applied to Individual Units

QoS
Threat detection
When you place the cluster in your network, the upstream and downstream routers need to be able
to load-balance the data coming to and from the cluster. Using one of the following methods:
Spanned Ether-Channel (Recommended)

Policy-Based Routing (Routed mode only)
Equal-Cost Multi-Path Routing (Routed mode only)
Spanned Ether-Channel (Recommended)

Interfaces on multiple members of the cluster are grouped into a single EtherChannel the
EtherChannel performs load balancing between units.
In spanned ether-channel , ether-channel load balancing algorithm is used.
Policy-Based Routing (Routed mode only)

The upstream and downstream routers perform load balancing between units using route maps and
ACLs.
Equal-Cost Multi-Path Routing-Routed

mode) only)
The upstream and downstream routers perform load balancing between units using equal cost static
or dynamic routes.
Page 800 of 846

Performance Throughput
70% of the combined throughput
60% of maximum connections
50% of connections per second
For example, for throughput, the ASA 5585-X with SSP-40 can handle approximately 10 Gbps of real
world firewall traffic when running alone.
For a cluster of 8 units, 8*10= 80 Gbps will be approximately 70% of 80 Gbps (8 units x 10 Gbps): 56
Gbps
For a cluster of 16 units, 16*10=160 Gbps will be approximately 70% of 160 Gbps: 112 Gbps
Diagram:-
Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
no shutdown
ip add 192.168.102.100 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ASA1 Master Bootstrap Configuration
cluster interface-mode spanned force
Page 801 of 846

no sh
!
cluster group shiva
local-unit A
cluster-interface GigabitEthernet0/0 ip 192.168.1.1 255.255.255.0
priority 1
key shiva
enable noconfirm
ASA2 Slave Bootstrap
cluster interface-mode spanned force
no sh
!
cluster group shiva
local-unit B
priority 20
key shiva
enable as-slave
Master Configuration
! MASTER
no shutdown
channel-group 1 mode active
no shudown
interface Port-channel1
port-channel span-cluster
mac-address aaaa.bbbb.cccc
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
mac-address aaaa.dddd.cccc
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
ASA1(config)# prompt hostname cluster-unit
Page 802 of 846

ASA1/A(config)#
ASA1/A(config)#
ASA1/A(config)# sh cluster info
Cluster shiva: On
Interface mode: spanned
This is "A" in state MASTER
ID
:0
Version : 9.2(2)4
Serial No.: FCH16407FXZ
CCL IP : 192.168.1.1
CCL MAC : 6c20.56bd.ea87
Last join : 16:14:25 UTC Oct 10 2014
Last leave: N/A
Other members in the cluster:
Unit "B" in state SLAVE
ID
:1
Version : 9.2(2)4
Serial No.: FCH16407G0X
CCL IP : 192.168.1.2
CCL MAC : 6c20.56bd.df21
Last join : 16:20:50 UTC Oct 10 2014
Last leave: 16:17:39 UTC Oct 10 2014
ASA1/B# sh cluster info

Cluster shiva: On
Interface mode: spanned
This is "B" in state SLAVE
ID
:1
Version : 9.2(2)4
Serial No.: FCH16407G0X
CCL IP : 192.168.1.2
CCL MAC : 6c20.56bd.df21
Last join : 16:20:50 UTC Oct 10 2014
Last leave: N/A
Other members in the cluster:
Unit "A" in state MASTER
ID
:0
Version : 9.2(2)4
Serial No.: FCH16407FXZ
CCL IP : 192.168.1.1
CCL MAC : 6c20.56bd.ea87
Last join : 16:14:25 UTC Oct 10 2014
Last leave: N/A
ASA1/A(config)# sh cluster conn
Usage Summary In Cluster:*********************************************
16 in use, stub connection 0 in use (cluster-wide aggregated)
A(LOCAL):*************************************************************
8 in use, 10 most used, stub connection 0 in used, 0 most used
Page 803 of 846
B:********************************************************************
ASA1/B# sh cluster conn
B(LOCAL):*************************************************************
A:********************************************************************
ASA1/A(config)# sh port-channel summary

Flags: D - down
P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 2
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+-----------------------------------1 Po1(U)
LACP
Yes Gi0/1(P)
2 Po2(U)
LACP
Yes Gi0/3(P)
ASA1/B# sh port-channel summary
Flags: D - down
------+-------------+---------+------------+-----------------------------------1 Po1(U)
LACP
Yes Gi0/1(P)
2 Po2(U)
LACP
Yes Gi0/3(P)
ASA1/A# sh int ip brief
Interface
GigabitEthernet0/0
192.168.1.1 YES unset up
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3
GigabitEthernet0/4
GigabitEthernet0/5
Protocol
up
up
up
up
up
up
Page 804 of 846


Internal-Control0/0
127.0.1.1
YES unset up
up
Internal-Data0/0
down
Internal-Data0/1
down
Internal-Data0/2
up
Management0/0
Port-channel1
up
Port-channel2
up
ASA1/B# sh int ip brief
Interface
Protocol
GigabitEthernet0/0
192.168.1.2 YES unset up
up
GigabitEthernet0/1
up
GigabitEthernet0/2
up
GigabitEthernet0/3
up
GigabitEthernet0/4
up
GigabitEthernet0/5
up
Internal-Control0/0
127.0.1.1
YES unset up
up
Internal-Data0/0
down
Internal-Data0/1
down
Internal-Data0/2
up
Management0/0
Port-channel1
192.168.101.1 YES CONFIG up
up
Port-channel2
192.168.102.1 YES CONFIG up
up
SW1#sh vlan brief
VLAN Name
Status Ports
---- -------------------------------- --------- ------------------------------1 default
active Fa1/0/2, Fa1/0/3, Fa1/0/4
Fa1/0/5, Fa1/0/6, Fa1/0/7
Fa1/0/8, Fa1/0/9, Fa1/0/10
Fa1/0/12, Fa1/0/13, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/24
Gi1/0/1, Gi1/0/2
101 VLAN0101
active Fa1/0/1, Po1
102 VLAN0102
active
1002 fddi-default
act/unsup
1003 trcrf-default
act/unsup
1004 fddinet-default
act/unsup
1005 trbrf-default
act/unsup
SW2#sh vlan brief
VLAN Name
Status Ports
---- -------------------------------- --------- ------------------------------1 default
active Fa0/1, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/11, Fa0/12, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/23
Fa0/24, Gi0/1, Gi0/2
Page 805 of 846

101 VLAN0101
102 VLAN0102
1002 fddi-default
1003 trcrf-default
1004 fddinet-default
1005 trbrf-default
active
active Fa0/2, Po2
act/unsup
act/unsup
act/unsup
act/unsup
SW1#sh etherchannel summary

Flags: D - down
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
d - default port

Number of aggregators:
1
Group Port-channel Protocol Ports
------+-------------+-----------+----------------------------------------------1 Po1(SU)
LACP Fa1/0/11(P) Fa1/0/14(P)
SW2#sh etherchannel summary
Flags: D - down
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
d - default port

Number of aggregators:
1
Group Port-channel Protocol Ports
------+-------------+-----------+----------------------------------------------2 Po2(SU)
LACP Fa0/10(P) Fa0/13(P)
ASA1/A(config)# sh cluster conn
Page 806 of 846

A(LOCAL):*************************************************************
B:********************************************************************
ASA1/B# sh cluster conn

B(LOCAL):*************************************************************
A:********************************************************************
ASA1/A(config)# sh cluster access-list
hitcnt display order: cluster-wide aggregated result, A, B
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list out; 1 elements; name hash: 0x5589cfea
access-list out line 1 extended permit icmp any any (hitcnt=3, 0, 3) 0x4f3e126c
ASA1/B# sh cluster access-list
hitcnt display order: cluster-wide aggregated result, B, A
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list out; 1 elements; name hash: 0x5589cfea
access-list out line 1 extended permit icmp any any (hitcnt=3, 3, 0) 0x4f3e126c
SW1
SW1#sh running-config
Current configuration : 3436 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
!
!
Page 807 of 846

no aaa new-model
switch 1 provision ws-c3750-24p
system mtu routing 1500
no ip domain-lookup
!
!
!
!
crypto pki trustpoint TP-self-signed-3398030592
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3398030592
revocation-check none
rsakeypair TP-self-signed-3398030592
!
!
crypto pki certificate chain TP-self-signed-3398030592
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333938 30333035 3932301E 170D3933 30333031 30303031
34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33393830
33303539 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B71A 93D8E49D C81AF71A 6691EA05 DEC986D2 BB34BFC9 94C85C14 F5FD5663
401DBF29 94356037 D453D201 9A7D5346 717D2C40 9FBC2F07 172590EF A9D508C1
33EE703E 0197FC1F D8F23810 A54A1D61 D88D8761 246C8E27 1290964B F46CB991
9BF2270A 05EB0159 C1815D12 4BB98EE4 A708FB5C A3728098 20D7E002 9846919A
767B0203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
551D1104 08300682 04535731 2E301F06 03551D23 04183016 8014A77A 6EE8D5A3
2F3CC9BA DA830E8F A8567A87 BD4B301D 0603551D 0E041604 14A77A6E E8D5A32F
3CC9BADA 830E8FA8 567A87BD 4B300D06 092A8648 86F70D01 01040500 03818100
8CBB655C 8805B6AA B6C6E88A 0F97321C 9386F7D1 D6FC8E56 AC95263D 4A3C353E
4E3BF867 CB3ACCBF 4746DBCA 9997C688 52EE83C0 3EFBED29 EE46D396 186A01B7
3BF59B1A 37E690C9 1162867E EBAB3A32 8AA8DB26 2759EB33 9601F7A5 40285F02
8DA8A86B 8BECB5F0 4782C36F D0CCADD6 BD15EB13 B4C0E5A4 B28DB1A4 E96E2CCF
quit
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
switchport access vlan 101
switchport mode access
Page 808 of 846

!
interface FastEthernet1/0/1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
Page 809 of 846

!
!
!
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
ip address dhcp
!
ip classless
ip http server
!
!
ip sla enable reaction-alerts
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
!
end
SW1#
SW2
SW2#sh ru
SW2#sh running-config
Current configuration : 4045 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
!
Page 810 of 846

no aaa new-model
ip subnet-zero
no ip domain-lookup
!
!
!
crypto pki trustpoint TP-self-signed-1187955840
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1187955840
revocation-check none
rsakeypair TP-self-signed-1187955840
!
!
crypto pki certificate chain TP-self-signed-1187955840
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313837 39353538 3430301E 170D3933 30333031 30303031
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31383739
35353834 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B68A 8F1A0987 7DE1BEE3 8A770370 2889D0D7 38086A59 6C976F82 04FAEB9C
59CEA030 70552551 CEFCD186 FA411F3B 6674363A 0BB0EFAA 030F4619 47F3CC18
D5889167 A42B3D0B 5EEF8076 49A7B1F3 7BDDCC2B EDE3FC20 4306AF7C 5E4B9E6B
0BB6C927 10C5D9BF 9940AA46 96C91F35 DED5E9B5 BE5A031D D910D861 1AC0569F
58830203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
551D1104 08300682 04535732 2E301F06 03551D23 04183016 80143605 878C31DB
DC5A5428 7B800116 62CFD3DB 80AC301D 0603551D 0E041604 14360587 8C31DBDC
5A54287B 80011662 CFD3DB80 AC300D06 092A8648 86F70D01 01040500 03818100
3CC0DD50 37CBC9C8 42B37386 79FEFA3C 02F53B4C 23DA6BEE 5E1ED166 17F5414F
48DF65EE F1AF7509 63DE1E42 3899E5F3 133B11AC BBEB2210 99197D5C 89391410
1AA41D6A CA850B39 AB5CC299 17F17F02 1002E315 ECEC95D1 00900B2E 357D040B
A4F6A1B2 EB0A839B 381C611B 7F63BE09 31C31232 DCCB3C83 6F6F0A5D 110BAB80
quit
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
Page 811 of 846

switchport mode dynamic desirable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
Page 812 of 846

!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
ip address dhcp
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
Page 813 of 846

!
end
SW2#
ASA1/Master
ASA1(config)# sh running-config
: Saved
:
: Serial Number: FCH16407FXZ
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(2)4
!
hostname ASA1
names
!
description Clustering Interface
!
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
Page 814 of 846

no nameif
no security-level
no ip address
!
lacp max-bundle 8
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
lacp max-bundle 8
nameif outside
security-level 0
ip address 192.168.102.1 255.255.255.0
!
ftp mode passive
access-list out extended permit icmp any any
cluster group shiva
key *****
local-unit A
priority 10
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
pager lines 24
mtu inside 1500
mtu outside 1500
mtu cluster 1500
sno failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
Page 815 of 846

no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
!
parameters
inspect ftp
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
prompt hostname context
Cryptochecksum:49b89413b0c2641169352402952806c1
: end
ASA1(config)#
ASA2/Slave
ASA1(cfg-cluster)# sh running-config
: Saved
:
: Serial Number: FCH16407G0X
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(2)4
!
hostname ASA1
names
Page 816 of 846

!
description Clustering Interface
!
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
management-only
shutdown
no nameif
no security-level
no ip address
!
lacp max-bundle 8
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
lacp max-bundle 8
nameif outside
Page 817 of 846

security-level 0
ip address 192.168.102.1 255.255.255.0
!
ftp mode passive
access-list out extended permit icmp any any
cluster group shiva
key *****
local-unit B
priority 20
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
pager lines 24
mtu inside 1500
mtu outside 1500
mtu cluster 1500
no failover
arp timeout 14400
no arp permit-nonconnected
dynamic-access-policy-record DfltAccessPolicy
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
!
Page 818 of 846

parameters
inspect ftp
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
prompt hostname context
Cryptochecksum:5bfa37f9cceb992fef77e50f46518ca1
: end
Page 819 of 846


Chapter 32
Management of ASA
ASA as DHCP
ASA as DHCP Relay Agent
Disable Fragmentation on ASA
Enabling uRPF on ASA
Ether-channal
Redundent Interface
Diagram:-
Page 820 of 846

Initial-config
R1
no shutdown
ip add 192.168.101.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.101.1
R2
no shutdown
no ip address
R3
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int l1
ip add 102.1.1.1 255.255.255.0
no shutdown
R4
no shutdown
ip add 192.168.20.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.20.1
Page 821 of 846


SW1
ip routing
int vlan 1
ip add 192.168.101.1 255.255.255.0
no shutdown
exit
interface range fastEthernet 1/0/10 - 11
no switchport
interface Port-channel 1
ip add 192.168.1.1 255.255.255.0
no shutdown
router ei 100
no auto-summary
net 0.0.0.0
ASA1
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
nameif dmz1
security-level 60
ip address 192.168.10.1 255.255.255.0
!
no nameif
no security-level
no ip address
!
no nameif
no security-level
no ip address
!
nameif dmz2
security-level 50
ip address 192.168.20.1 255.255.255.0
!
management-only
shutdown
Page 822 of 846

no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/3
member-interface GigabitEthernet0/4
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
!
lacp max-bundle 8
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
ASA1(config-router)# sh int ip brief
Interface
Protocol
GigabitEthernet0/0
up
GigabitEthernet0/1
up
GigabitEthernet0/2
up
GigabitEthernet0/3
up
GigabitEthernet0/4
up
GigabitEthernet0/5
up
Internal-Control0/0
127.0.1.1
YES unset up
up
Internal-Data0/0
down
Internal-Data0/1
down
Internal-Data0/2
up
Management0/0
Port-channel1
up
Redundant1
up
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1
router eigrp 100
network 192.168.1.0 255.255.255.0
!
ASA1# ping 192.168.101.100
!!!!!
ASA1# pin
ASA1# ping 192.168.20.100
!!!!!
ASA1# pin
Page 823 of 846

ASA1# ping 102.1.1.1
!!!!!
ASA1# sh port-channel summary
Flags: D - down
------+-------------+---------+------------+-----------------------------------1 Po1(U)
LACP
No Gi0/0(P) Gi0/1(P)
ASA1# sh interface redundant 1
Interface Redundant1 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 6c20.56bd.ea85, MTU 1500
IP address 101.1.1.100, subnet mask 255.255.255.0
9 packets input, 846 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
3 L2 decode drops
8 packets output, 782 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (1013/505)
output queue (blocks free curr/low): hardware (1022/510)
Traffic Statistics for "outside":
6 packets input, 546 bytes
8 packets output, 584 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member GigabitEthernet0/3(Active), GigabitEthernet0/4
Last switchover at 18:03:31 UTC Oct 8 2014
Page 824 of 846

ASA1
R1#ping 101.1.1.1
!!!!!
R1#ping 101.1.1.1 size 18000
!!!!!
ASA1(config)# fragment chain 1
ASA1(config)# fragment chain 1 inside
ASA1(config)# fragment chain 1 dmz1
ASA1(config)# fragment chain 1 dmz2
R1#ping 101.1.1.1 size 18000

.....
R1#ping 101.1.1.1
!!!!!
R1
R1(config)#interface lo1
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#^Z
R1#ping 101.1.1.1 source loopback 1 repeat 10
Page 825 of 846

......
ICMP PAT from inside:1.1.1.1/6 to outside:101.1.1.100/6 flags ri idle 0:00:02 timeout 0:00:3
ASA1(config)# ip verify reverse-path interface inside
01.1.1.1 source loopback 1 repeat 10
......
ASA1# sh xlate
ASA AS DHCP
ASA1(config)# dhcpd address 192.168.10.100-192.168.10.254 dmz1
ASA1(config)# dhcpd enable dmz1
ASA1(config)# dhcpd option 3 ip 192.168.10.1
R2
int f0/0
no shutdown
ip add dhcp
R2#sh ip int brief
Interface
FastEthernet0/0
192.168.10.100 YES DHCP up
FastEthernet0/1
unassigned YES NVRAM up
R2#sh ip ro
R2#sh ip route st
Protocol
up
up
Page 826 of 846


R2#sh ip route static
S* 0.0.0.0/0 [254/0] via 192.168.10.1
ASA1# sh dhcpd binding
IP address
Client Identifier
Lease expiration
192.168.10.100 0063.6973.636f.2d30.
3031.662e.3965.3566.
2e38.3036.302d.4661.
302f.30
ASA AS DHCP RELAY_AGNET
Type
3545 seconds Automatic
ASA1(config)# clear configure dhcpd

R4
R4(config)#ip dhcp pool dmz1
R4(dhcp-config)#network 192.168.10.0
R4(dhcp-config)#default-router 192.168.10.1
R4(dhcp-config)#ex
R4(config)#ip dhcp excluded-address 192.168.10.1
ASA1
ASA1(config)# dhcprelay server 192.168.20.100 dmz2
ASA1(config)# dhcprelay enable dmz1

R2(config-if)#no ip address
R2(config-if)#ip address dhcp
R2#sh ip int brief
Interface
Protocol
FastEthernet0/0
192.168.10.2 YES DHCP up
up
FastEthernet0/1
unassigned YES NVRAM up
up
R2#sh ip route static
S
192.168.20.100 [254/0] via 192.168.10.1, FastEthernet0/0
S* 0.0.0.0/0 [254/0] via 192.168.10.1
R4#sh ip dhcp binding
IP address
Client-ID/
Lease expiration
Type
Hardware address/
User name
192.168.10.2
0063.6973.636f.2d30. Oct 09 2014 01:38 PM Automatic
3031.662e.3965.3566.
2e38.3036.302d.4661.
302f.30
Page 827 of 846

Chapter 33
Active-Standby IPv6 FO
Active-Standby FO
Diagram:-
Initial-config
R1
ipv6 address 192:168:10::100/48
ipv6 route ::/0 192:168:10::1
!
R2
Page 828 of 846

ipv6 address 192:168:20::100/48
ipv6 route ::/0 192:168:20::1
R3
ipv6 address 101:1:1::1/48
ASA1
nameif inside
security-level 100
no ip address
ipv6 address 192:168:10::1/48 standby 192:168:10::2
!
nameif outside
security-level 0
no ip address
!
nameif dmz
security-level 50
no ip address
!
ASA1# ping 192:168:10::100
!!!!!
ASA1# ping 192:168:20::100
!!!!!
ASA1# ping 101:1:1::1
!!!!!
subnet 192:168:10::/48
object network s2s
subnet 192:168:102::/48
Page 829 of 846


ASA1
nat (inside,outside) source static R1 interface ipv6 service telnet telnet
access-list out extended permit icmp6 any 192:168:10::/48
access-list out extended permit tcp any object R1 eq telnet
R3#debug ipv6 icmp
R1#ping 101:1:1::1
!!!!!
R3#debug ipv6 icmp
R3#
*Oct 9 06:13:44.059: ICMPv6: Received ICMPv6 packet from FE80::200:CFF:FE07:AC05, type 136
R3#
R3#telnet 101:1:1::100
Trying 101:1:1::100 ... Open
R1>
ASA1
failover
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key shiva
failover mac address GigabitEthernet0/0 0000.0c07.ac01 0000.0c07.ac02
Page 830 of 846

failover link shiva GigabitEthernet0/3
failover interface ip shiva 192:168:111::1/48 standby 192:168:111::2
ASA2
failover
failover key shiva
Failover On
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Monitored)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Monitored)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Monitored)
Stateful Obj xmit
xerr
rcv
rerr
General
85
0
76
0
sys cmd
75
0
75
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
Page 831 of 846

UDP conn
0
0
0
0
ARP tbl
0
0
0
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 10
0
0
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
SIP Session 0
0
0
0
Route Session 0
0
0
0
Router ID
0
0
0
0
User-Identity 0
0
1
0
CTS SGTNAME 0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP 0
0
0
0
IPv6 Route 0
0
0
0
STS Table
0
0
0
0
Cur Max Total
Recv Q:
0
9
567
Xmit Q:
0
1
172
ASA2
Failover On
Interface Policy 1
Page 832 of 846

Stateful Obj xmit
xerr
rcv
rerr
General
94
0
110
0
sys cmd
93
0
93
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
0
0
0
0
ARP tbl
0
0
0
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 0
0
16
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
SIP Session 0
0
0
0
Route Session 0
0
0
0
Router ID
0
0
0
0
User-Identity 1
0
1
0
CTS SGTNAME 0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP 0
0
0
0
IPv6 Route 0
0
0
0
STS Table
0
0
0
0
Cur Max Total
Recv Q:
0
9
541
Xmit Q:
0
282 585
ASA1
System config has been modified. Save? [Y]es/[N]o: y
Cryptochecksum: e120f795 a8075185 3bbb3555 55f80897
ASA1(config)#
ASA2
Page 833 of 846

Failover On
Interface Policy 1
This host: Secondary - Active
Interface inside (0.0.0.0/fe80::200:cff:fe07:ac01): Normal (Waiting)
Interface outside (0.0.0.0/fe80::200:cff:fe07:ac05): Normal (Waiting)
Interface dmz (0.0.0.0/fe80::200:cff:fe07:ac03): Normal (Waiting)
Other host: Primary - Failed
Interface inside (0.0.0.0): Unknown (Monitored)
Interface outside (0.0.0.0): Unknown (Monitored)
Interface dmz (0.0.0.0): Unknown (Monitored)
Page 834 of 846


Chapter 34

Diagram:-
Page 835 of 846


Initial-config
R1
no shutdown
ipv6 add 192:168:101::100/48
no sh
ipv6 route ::/0 192:168:101::1
R2
no shutdown
ipv6 add 192:168:102::100/48
no shutdown
ipv6 route ::/0 192:168:102::1
R3
no shutdown
ipv6 add 101:1:1::1/48
no shutdown
int f0/1
no shutdown
ipv6 add 102:1:1::1/48
no shutdown
ASA1
ASA2
ASA1
ASA1(config-if)# no shutdown
Page 836 of 846

!
class c1
!
class c2
!
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
member c1
!
context c2
member c2
!
failover group 1
preempt
failover group 2
secondary
preempt
!
!
failover
Page 837 of 846

ASA1/c1(config)# sh running-config
: Saved
:
: Hardware: ASA5512
:
ASA Version 9.2(2)4 <context>
!
hostname c1
names
ipv6 local pool inside 192:168:101::111/48 10
ipv6 local pool outside 101:1:1::111/48 10
!
nameif inside
security-level 100
no ip address
ipv6 address 192:168:101::1/48 cluster-pool inside
!
nameif outside
security-level 0
no ip address
ipv6 address 101:1:1::100/48 cluster-pool outside
!
pager lines 24
mtu inside 1500
mtu outside 1500
arp timeout 14400
telnet timeout 5
ssh stricthostkeycheck
Page 838 of 846

ssh timeout 5
!
!
!
parameters
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Cryptochecksum:885c4647c80e89f4ec3a2eaa43731b2f
: end
ASA1/c2(config)# sh running-config
: Saved
:
: Hardware: ASA5512
:
ASA Version 9.2(2)4 <context>
!
hostname c2
names
Page 839 of 846

ipv6 local pool inside 192:168:102::111/48 10
ipv6 local pool outside 102:1:1::111/48 10
!
nameif inside
security-level 100
no ip address
ipv6 address 192:168:102::1/48 cluster-pool inside
!
nameif outside
security-level 0
no ip address
ipv6 address 102:1:1::100/48 cluster-pool outside
!
pager lines 24
mtu inside 1500
mtu outside 1500
arp timeout 14400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
!
!
!
parameters
Page 840 of 846

inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Cryptochecksum:d7353dc0e7aca0f5812eb5557e8df3dd
: end
ASA1(config)#
failover
failover group 1
preempt
failover group 2
secondary
preempt
Failover On
Interface Policy 1
Page 841 of 846

This host: Primary
Group 1
State:
Active
Group 2
State:
Standby Ready
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:101): Normal (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:101): Normal (Monitored)
Other host: Secondary
Group 1
State:
Standby Ready
Group 2
State:
Active
Stateful Obj xmit
xerr
rcv
rerr
General
22
0
17
0
sys cmd
15
0
15
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
0
0
0
0
ARP tbl
0
0
0
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 3
0
0
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
SIP Session 0
0
0
0
Route Session 0
0
0
0
Router ID
0
0
0
0
User-Identity 4
0
2
0
CTS SGTNAME 0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP 0
0
0
0
IPv6 Route 0
0
0
0
Page 842 of 846

STS Table

Cur Max Total
Recv Q:
0
2
70
Xmit Q:
0
2
199
ASA1/stby(config)# sh failover
Failover On
Interface Policy 1
Group 1
State:
Standby Ready
Group 2
State:
Active
Other host: Primary
Group 1
State:
Active
Group 2
State:
Standby Ready
Stateful Obj xmit
xerr
rcv
rerr
General
21
0
26
0
Page 843 of 846

sys cmd
19
0
19
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
0
0
0
0
ARP tbl
0
0
0
0
Xlate_Timeout 0
0
0
0
IPv6 ND tbl 0
0
3
0
VPN IKEv1 SA 0
0
0
0
VPN IKEv1 P2 0
0
0
0
VPN IKEv2 SA 0
0
0
0
VPN IKEv2 P2 0
0
0
0
VPN CTCP upd 0
0
0
0
VPN SDI upd 0
0
0
0
VPN DHCP upd 0
0
0
0
SIP Session 0
0
0
0
Route Session 0
0
0
0
Router ID
0
0
0
0
User-Identity 2
0
4
0
CTS SGTNAME 0
0
0
0
CTS PAC
0
0
0
0
TrustSec-SXP 0
0
0
0
IPv6 Route 0
0
0
0
STS Table
0
0
0
0
Cur Max Total
Recv Q:
0
5
252
Xmit Q:
0
1
89
R1
R1#ping 101:1:1::1
!!!!!
R2#ping 101:1:1::100
!!!!!
ASA1/act(config)# mode single
Page 844 of 846

Failover On
Interface Policy 1
Group 1
State:
Active
Group 2
State:
Active
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:101): Normal (Waiting)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:101): Normal (Waiting)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:201): Normal (Waiting)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:201): Normal (Waiting)
Other host: Primary
Group 1
State:
Failed
Group 2
State:
Failed
c1 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe01:102): Unknown (Monitored)
c1 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe02:102): Unknown (Monitored)
c2 Interface inside (0.0.0.0/fe80::2a0:c9ff:fe03:202): Unknown (Monitored)
c2 Interface outside (0.0.0.0/fe80::2a0:c9ff:fe04:202): Unknown (Monitored)
Stateful Obj xmit
xerr
rcv
rerr
General
36
0
41
2
sys cmd
31
0
30
0
up time
0
0
0
0
RPC services 0
0
0
0
TCP conn
0
0
0
0
UDP conn
0
0
0
0
ARP tbl
0
0
0
0
Xlate_Timeout 0
0
0
0
Page 845 of 846

IPv6 ND tbl 2
VPN IKEv1 SA 0
VPN IKEv1 P2 0
VPN IKEv2 SA 0
VPN IKEv2 P2 0
VPN CTCP upd 0
VPN SDI upd 0
VPN DHCP upd 0
SIP Session 0
Route Session 0
Router ID
0
User-Identity 3
CTS SGTNAME 0
CTS PAC
0
TrustSec-SXP 0
IPv6 Route 0
STS Table
0
5
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
6
0
0
0
0
0
0
0
0
0
0
0

Cur Max Total
Recv Q:
0
5
431
Xmit Q:
0
1
154
Page 846 of 846


Cisco ASA Second Generation&#39;s OS 9.x

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco ASA Second Generation&#39;s OS 9.x

Uploaded by

Copyright:

Available Formats

Secure Your Network With Cisco ASA Second Generation's OS 9.

Secure Your Network With

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Access-list & NAT

Remote Access VPN

VPN Load balancing

Advance Firewall Features

Secure Your Network With Cisco ASA Second Generation's OS 9.x

OS 9.x Advance Features

NAT on OS 9.2.x on IPv6

Site-Site VPN on IPv6

SSL VPN on IPv6

Dynamic Routing in Context

Site-Site VPN in Context

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Access-list & NAT

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Remote Access VPN

VPN Load balancing

Advance Firewall Features

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

OS 9.x Advance Features

Site-Site VPN on IPv6

Dynamic Routing in Context

Site-Site VPN in Context

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Practicals Covered in this book

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Introducing Firewall &

After Reading this chapter you would be able to describe

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Secure Your Network With Cisco ASA Second Generation's OS 9.x

State table contents

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Cisco ASA Introduction

After Reading this chapter you would be able to describe

Secure Your Network With Cisco ASA Second Generation's OS 9.x

What is Cisco ASA

Proprietary Operating system

Proprietary Operating System

State full Firewall

User Base Authentication

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Protocol & Application Inspection

Modular Policy Framework

Web Base Management

State full Failover

Secure Your Network With Cisco ASA Second Generation's OS 9.x

VPN Load Balancing

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Cisco asa Modes

Secure Your Network With Cisco ASA Second Generation's OS 9.x

ASA Basic LAB

How to set hostname.

Secure Your Network With Cisco ASA Second Generation's OS 9.x

Cisco ASA Second Generation's OS 9.x

Cisco ASA Second Generation's OS 9.x