CCBOOTCAMP's CCIE Security Technology lab workbook is licensed by individual customer. Material cannot be resold, transferred, traded, sold, or have the price shared. License will be revoked if customer violates this licensing agreement in any way.
for the CCIE Security Lab Exam version 3.0

For questions about this workbook please visit: www.securityie.com

CCBOOTCAMP
375 N. Stephanie Street
Building 21, Suite 2111
Henderson, NV 89014
1.877.654.2243 Toll Free
www.ccbootcamp.com

Cisco, the Cisco Logo, CCNA, CCNP, CCDP, CCDA, CCIE, Cisco Certified Network Associate, Cisco Certified Design Professional, Cisco Certified Design Associate, and Cisco Certified Network Professional are registered trademarks of Cisco Systems, Inc. The contents contained herein are not associated with or endorsed by Cisco Systems, Inc.

PLEASE READ THIS SUBSCRIPTION LICENSE AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT. THIS SUBSCRIPTION LICENSE AGREEMENT APPLIES TO CCBOOTCAMP'S CCIE Security Technology Lab Workbook. BY ORDERING THIS PRODUCT YOU ARE CONSENTING TO BE BOUND BY THIS LICENSING AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS LICENSE, THEN DO NOT PURCHASE THIS PRODUCT.

License Agreement

CCBOOTCAMP's CCIE Security Technology Lab Workbook is copyrighted. In addition, this product is at all times the property of CCBOOTCAMP, and the customer agrees to use this product only for themselves, the licensed user. The license for the specific customer remains valid from the purchase date until they pass their CCIE Security lab exam. CCBOOTCAMP's CCIE Security Technology Lab Workbook materials are licensed by individual customer. This material cannot be resold, transferred, traded, sold, or have the price shared in any way. Each individual customer must have a license to use this product. The customer agrees that this product is always the property of CCBOOTCAMP, and that they are purchasing only a license to use it. A customer's license will be revoked if they violate this licensing agreement in any way. Copies of this material in any form or fashion are strictly prohibited.

If for any reason a licensed copy of this material is lost or damaged, a new copy will be provided free of charge, except for the cost of printing, shipping and handling. Individuals or entities that knowingly violate the terms of this licensing agreement may be subject to punitive damages that CCBOOTCAMP could seek in civil court. Damages will be limited to a maximum of $500,000.00 per individual and $2,000,000.00 per entity. In addition, individuals or entities that knowingly violate the terms of this license agreement may be subject to criminal penalties as are allowed by law. The venue of any dispute, controversy, litigation or proceeding (formal or informal) arising out of or pertaining to this licensing agreement or the subject hereof shall lie exclusively in the County of Clark, State of Nevada. Provided, however, that if any such dispute, controversy, litigation or proceeding requires or permits jurisdiction in a federal court or agency of the United States, then venue shall lie in no federal court or agency other than those located in (or nearest to) the County of Clark, State of Nevada.

Term and Termination of License Agreement

This License is effective until terminated. Customer may terminate this License at any time by destroying all copies of written and electronic material of said product. Customer's rights under this License will terminate immediately without notice from CCBOOTCAMP if Customer fails to comply with any provision of this License. Upon termination, Customer must destroy all copies of material in its possession or control. The license for the specific user remains valid from the purchase date until the user passes the lab exam pertaining to the purchased subscription. Once the customer passes the relevant lab exam the license is terminated and all material, written or electronic, in their possession or control must be destroyed or returned to CCBOOTCAMP.

Warranty

No warranty of any kind is provided with this product.
There are no guarantees that the use of this product will help a customer pass any exams, tests, or certifications, or enhance their knowledge in any way. The product is provided on an AS IS basis. In no event will CCBOOTCAMP, its suppliers, or licensed resellers be liable for any incurred costs, lost revenue, lost profit, lost data, or any other damages regardless of the theory of liability arising out of use or inability to use this product.

For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 1 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated

Table of Contents:

Getting Started ....................................................... 7
    Loading the Initial Configurations ................................ 8
    Sections .......................................................... 9
    Connectivity ...................................................... 9
    Join the Discussion .............................................. 10
Chapter 1 - ASA Technology ........................................... 11
    Configure Device Management ...................................... 26
    Configure IP Routing ............................................. 28
    Configure Address Translation .................................... 29
    Configure ACLs ................................................... 31
    Configure Object Groups .......................................... 32
    Configure Sub Interfaces with VLANs .............................. 33
    Configure Filtering .............................................. 34
    Configure Modular Policy Framework ............................... 35
    Configure Application-Aware Inspection ........................... 36
    Configure Quality of Service ..................................... 37
    Configure Layer 2 Transparent Firewall ........................... 37
    Configure Security Contexts ...................................... 39
    Configure Failover ............................................... 41
    Configure High Availability Solutions ............................ 42
ASA Technology Solutions ............................................. 43
    Basic Firewall Configuration ..................................... 43
    Configure Device Management ...................................... 49
    Configure IP Routing ............................................. 53
    Configure Address Translation .................................... 58
    Configure ACLs ................................................... 63
    Configure Object Groups .......................................... 66
    Configure Sub Interfaces with VLANs .............................. 68
    Configure Filtering .............................................. 71
    Configure Modular Policy Framework ............................... 74
    Configure Application-Aware Inspection ........................... 79
    Configure Quality of Service ..................................... 85
    Configure Layer 2 Transparent Firewall ........................... 87
    Configure Security Contexts ...................................... 93
    Configure Failover .............................................. 103
    Configure High Availability Solutions ........................... 107
Chapter 2 - IOS Firewall ............................................ 115
    Configure CBAC .................................................. 123
    Configure Zone-Based Firewall ................................... 126
    Configure Auth-Proxy ............................................ 129
    Configure Access Control ........................................ 130
IOS Firewalls Solutions ............................................. 131
    Configure CBAC .................................................. 131
    Configure Zone-Based Firewall ................................... 151
    Configure Auth-Proxy ............................................ 158
    Configure Access Control ........................................ 165
Chapter 3 - VPN Technology .......................................... 173
    Configure IPsec lan to lan (IOS/ASA) ............................ 181
    DMVPN ........................................................... 181
    GET VPN ......................................................... 182
    Easy VPN ........................................................ 183
    QoS for VPN ..................................................... 185
    WebVPN (clientless) ............................................. 186
    High availability ............................................... 187
VPN Technologies Solutions .......................................... 187
    Configure IPsec lan to lan (IOS/ASA) ............................ 187
    DMVPN ........................................................... 199
    GET VPN ......................................................... 214
    Easy VPN ........................................................ 223
    QoS for VPN ..................................................... 232
    WebVPN (clientless) ............................................. 234
    High availability ............................................... 236
Chapter 4 - Intrusion Prevention Sensor ............................. 244
    Initialize the Sensor ........................................... 251
    Configure Sensor Appliance Management ........................... 251
    Configure SPAN and RSPAN ........................................ 255
    Configure Promiscuous and Inline Monitoring ..................... 256
    Configure and Tune Signatures ................................... 257
    Configure Custom Signatures ..................................... 258
    Configure Blocking .............................................. 259
    Configure TCP Resets ............................................ 260
    Configure Rate Limiting ......................................... 261
    Configure Event Actions ......................................... 262
    Configure Event Monitoring ...................................... 263
    Configure Advanced Features ..................................... 264
Intrusion Prevention Sensor Solutions ............................... 264
    Initialize the Sensor ........................................... 265
    Configure Sensor Appliance Management ........................... 272
    Configure Security Policy ....................................... 277
    Configure Virtual Sensors ....................................... 279
    Configure SPAN and RSPAN ........................................ 280
    Configure Promiscuous and Inline Monitoring ..................... 283
    Configure and Tune Signatures ................................... 288
    Configure Custom Signatures ..................................... 293
    Configure Blocking .............................................. 301
    Configure TCP Resets ............................................ 306
    Configure Rate Limiting ......................................... 309
    Configure Event Actions ......................................... 314
    Configure Event Monitoring ...................................... 318
    Configure Advanced Features ..................................... 321
    Configure TACACS+ ............................................... 334
    Configure Secure ACS ............................................ 335
    Configure LDAP .................................................. 337
    Configure Proxy Authentication .................................. 338
    Configure 802.1x ................................................ 339
    Configure Advanced Identity Management .......................... 340
Identity Management Solutions ....................................... 340
    Configure TACACS+ ............................................... 340
    Configure Secure ACS ............................................ 343
    Configure LDAP .................................................. 353
    Configure Proxy Authentication .................................. 358
    Configure 802.1x ................................................ 362
    Configure Advanced Identity Management .......................... 367
Chapter 6 - Control Plane and Management Plane Security ............. 374
    Implement routing plane security features ....................... 382
    Configure Control Plane Policing ................................ 383
    Configure Broadcast Control and Switchport Security ............. 384
    Configure CPU Protection Mechanisms ............................. 387
    Disable Unnecessary Services .................................... 388
    Control Device Access ........................................... 389
    Configure SNMP, SYSLOG, AAA, NTP ................................ 390
Control Plane and Management Plane Security Solutions ............... 390
    Implement routing plane security features ....................... 391
    Configure Control Plane Policing ................................ 405
    Configure Broadcast Control and Switchport Security ............. 413
    Configure CPU Protection Mechanisms ............................. 421
    Disable Unnecessary Services .................................... 423
    Control Device Access ........................................... 425
    Configure SNMP, SYSLOG, AAA, NTP ................................ 431
Chapter 7 - Advanced Security ....................................... 435
    Configure Packet Marking Techniques ............................. 444
    Implement Security RFCs ......................................... 445
    Configure Black Hole and Sink Hole Solutions .................... 446
    Configure Remote Triggered Black Hole Filtering ................. 447
    Configure Traffic Filtering using Access-Lists .................. 448
    Configure IOS NAT ............................................... 449
    Configure TCP Intercept ......................................... 450
    Configure uRPF .................................................. 451
    Configure CAR ................................................... 451
    Configure NBAR .................................................. 452
    Configure NetFlow ............................................... 453
    Configure Policing .............................................. 454
    Capture and Utilize Packet Captures ............................. 455
    Configure Transit Traffic Control and Congestion Management ..... 456
Advanced Security Solutions ......................................... 456
    Configure Packet Marking Techniques ............................. 456
    Implement Security RFCs ......................................... 460
    Configure Black Hole and Sink Hole Solutions .................... 461
    Configure Remote Triggered Black Hole Filtering ................. 464
    Configure Traffic Filtering using Access-Lists .................. 468
    Configure IOS NAT ............................................... 473
    Configure TCP Intercept ......................................... 475
    Configure uRPF .................................................. 479
    Configure CAR ................................................... 480
    Configure NBAR .................................................. 481
    Configure NetFlow ............................................... 483
    Configure Policing .............................................. 486
    Capture and Utilize Packet Captures ............................. 487
    Configure Transit Traffic Control and Congestion Management ..... 488
Chapter 8 - Network Attacks ......................................... 493
    Identify and protect against fragmentation attacks .............. 502
    Identify and protect against malicious IP option usage .......... 503
    Identify and protect against network reconnaissance attacks ..... 504
    Identify and protect against IP spoofing attacks ................ 505
    Identify and protect against MAC spoofing and flooding attacks .. 505
    Identify and protect against DHCP attacks ....................... 507
    Identify and protect against ARP spoofing attacks ............... 508
    Identify and protect against VLAN hopping attacks ............... 509
    Identify and protect against Denial of Service (DoS) attacks .... 510
    Mitigate Man in the Middle attack ............................... 511
    Identify and protect against port redirection attacks ........... 512
    Identify and protect against DNS attacks ........................ 513
    Identify and protect against Smurf attacks ...................... 514
Network Attacks Solutions ........................................... 514
    Identify and protect against fragmentation attacks .............. 514
    Identify and protect against malicious IP option usage .......... 516
    Identify and protect against network reconnaissance attacks ..... 516
    Identify and protect against IP spoofing attacks ................ 518
    Identify and protect against MAC spoofing and flooding attacks .. 519
    Identify and protect against DHCP attacks ....................... 521
    Identify and protect against ARP spoofing attacks ............... 522
    Identify and protect against VLAN hopping attacks ............... 522
    Identify and protect against Denial of Service (DoS) attacks .... 523
    Mitigate Man in the Middle attack ............................... 525
    Identify and protect against port redirection attacks ........... 527
    Identify and protect against DNS attacks ........................ 529
    Identify and protect against Smurf attacks ...................... 530
Getting Started

The FAQ for rack access can be downloaded from www.CCBootCamp.com/download beneath the security section. Download and review this document before your rack access begins.

Loading the Initial Configurations

Verify that all configurations have been cleared before you load initial configurations onto the devices in your rack. For the ASA, verify that the correct mode (single/multiple as well as routed/transparent) is in place before applying the initial configuration. The startup configurations are a starting point only; the lab requires you to complete these configurations and verify that all network components are operating.

Unless otherwise specified, use only the existing networks within your lab. Additional networks, static routes and default routes may not be configured unless a task specifies them.

You must load initial configurations onto the devices in your pod for each section. Occasionally you may be asked to load initial configurations at a specific time within a section. All initial configurations are available for download from www.CCBootCamp.com/download beneath the security folder. Use the initial configuration files that match the workbook version you are using; the workbook version is printed in the upper right-hand corner of most pages.

Users of SecureCRT may apply each initial configuration with the File Transfer | Send Ascii option, selecting the initial configuration file from the local drive it was downloaded to. This can be easier than copy and paste.

All pre-configurations should be assumed to be correct and should not be changed unless a question explicitly says so. When creating passwords, use cisco unless a specific task indicates otherwise. The default username on the IPS is cisco, with a password of ccie5796. On the ACS computer you may add static routes for connectivity, but do not change the default route on the ACS.

Sections

1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation

Each section is autonomous. At the beginning of each section there are two copies of the lab and physical topologies. One is for you to remove and keep as a reference so you do not have to page back and forth in the workbook to review the diagram; the other copy may remain in the workbook as a permanent resource.

Connectivity

You may access your rack via TELNET, as described in the FAQ document, or you may open a single RDP session to your rack's ACS Server and use SecureCRT from there to open all your sessions. Access via RDP is described in the FAQ.
Join the Discussion

Discussions about CCIE Security blueprint 3 technology and workbook scenarios may be directed to the www.SecurityIE.com website. Membership is free. SecurityIE.com is a valuable resource for everyone preparing for a CCIE in security.

We are committed to your satisfaction. If you find any errors in this workbook, or have recommendations on how we can make our services better in the future, please email them to kbarker@ccbootcamp.com

Copyright Information

Copyright 2009 Network Learning, Inc. All rights reserved. Cisco, Cisco Systems and CCIE are registered trademarks of Cisco Systems.

Chapter 1 - ASA Technology

Lab Topology (cabling table reconstructed from the extracted diagram; the original page shows it as a drawing)

Device        Interface        Connected to
R1            Fa0/0            SW1 Fa0/1
R1            Fa0/1            SW2 Fa0/1
R2            Fa0/0            SW1 Fa0/2
R2            Fa0/1            SW2 Fa0/2
R3            Fa0/0            SW1 Fa0/3
R3            Fa0/1            SW2 Fa0/3
R4            Fa0/0            SW1 Fa0/4
R4            Fa0/1            SW2 Fa0/4
R5            Fa0/0            SW1 Fa0/5
R5            Fa0/1            SW2 Fa0/5
R6            Fa0/0            SW1 Fa0/6
R6            Fa0/1            SW2 Fa0/6
BB1           Fa0/0            SW1 Fa0/9
BB1           Fa0/1            SW2 Fa0/9
BB2           Fa0/0            SW1 Fa0/10
BB2           Fa0/1            SW2 Fa0/10
ASA01         E0/0             SW1 Fa0/12
ASA01         E0/2             SW2 Fa0/12
ASA01         E0/1             SW1 Fa0/17
ASA01         E0/3             SW2 Fa0/17
ASA02         E0/0             SW1 Fa0/18
ASA02         E0/2             SW2 Fa0/18
ASA02         E0/1             SW1 Fa0/23
ASA02         E0/3             SW2 Fa0/23
IDS           Gi0/0 (sense)    SW1 Fa0/14
IDS           Gi0/1 (c&c)      SW2 Fa0/14
IDS           Fa1/0            SW3 Fa0/4
IDS           Fa1/1            SW3 Fa0/3
IDS           Fa1/2            SW3 Fa0/2
IDS           Fa1/3            SW3 Fa0/1
R7 (2811)     Fa0/0            SW3 Fa0/17
R7 (2811)     Fa0/1            SW4 Fa0/17
R8 (2811)     Fa0/0            SW3 Fa0/18
R8 (2811)     Fa0/1            SW4 Fa0/18
ACS PC        192.168.2.101    SW1 Fa0/24
XP Test PC    192.168.2.102    SW2 Fa0/16

SW1, SW2, SW3 and SW4 are interconnected on Fa0/19 and Fa0/20 (the exact switch-to-switch pairing is not recoverable from the extracted diagram).

Basic Firewall Configuration

Task 1.1
Set the hostname of ASA1 to ASA1.

Task 1.2
Configure interface E0/0; name it inside and use the IP address 192.168.2.100/16. Use the default security level. Bring the interface up.

Task 1.3
Configure interface E0/3; name it outside and use the IP address 24.234.0.100/24. Use the default security level. Bring the interface up.

Task 1.4
Verify that your interfaces are functional.

Task 1.5
Set the domain name to ccbootcamp.com

Task 1.6
Set the clock to the current time.

Task 1.7
Configure logging so that informational level and above messages are sent to the local buffer. Log messages should contain a time-stamp.

Task 1.8
Configure logging to send messages of informational level and above to syslog on the ACS server. Enable

Task 1.9
Verify that logging is operational both to the buffer and to the ACS server.

Configure Device Management

Task 1.10
Configure the management0/0 interface with the IP address 50.50.50.100 255.255.255.0 and name it management. Ensure that only management traffic is allowed to this interface, without using an ACL.

Task 1.11
Configure the ASA to use the ASDM image stored on disk0. Enable the HTTP server and permit *ONLY* the ACS server to access it.

Task 1.12
Configure SSH and *ONLY* allow R4 to connect via SSH on the inside interface. Do not use an ACL to accomplish this.

Task 1.13
Set up a local user called cisco with a password of cisco and a privilege level of 15. Set up AAA so that SSH uses local authentication.

Task 1.14
Verify that you can connect to the ASA using ASDM from the ACS server and with SSH from R4.

Configure IP Routing

Task 1.15
Set up a default route so that traffic not matching any other route is sent to the next hop of R1.

Task 1.16
Configure EIGRP on the ASA so that it becomes a neighbor of R4. Ensure that the loopback network of R4 appears in the ASA's routing table.

Task 1.17
Configure OSPF on the ASA so that it becomes a neighbor of R1. Verify that the 1.1.1.0/24 network is reachable.

Task 1.18
Configure EIGRP so that the default route is sent into EIGRP 1. Configure the ASA so that the EIGRP routes are sent into OSPF area 100 without summarizing them. Verify that R4 has received the default route and that R1 has received the EIGRP routes.

Configure Address Translation

Task 1.19
Configure ASA1 to require a NAT rule for traffic passing through it.

Task 1.20
Configure dynamic address translation so that any outbound traffic from the 192.168.0.0/16 network is translated to the outside interface's IP address.

Task 1.21
Configure NAT so that the ACS server is reachable from the outside as 24.234.0.101. This host is sensitive to DoS attacks, so limit the total number of TCP connections to no more than 100 and the number of embryonic connections allowed per host to 20.

Task 1.22
Configure NAT so that hosts on the outside that telnet to 24.234.0.4 on port 2323 reach R4 on port 23.

Task 1.23
Allow SW1 (192.168.2.11) to send traffic to the outside without changing its IP address.

Task 1.24
Dynamically translate R4's address to 24.234.0.254 only when pings are sent from R4 to R1.

Task 1.25
Verify that your PAT configuration is working, and that the static and policy NAT entries are in the ASA's translation table.

Configure ACLs

Task 1.27
On ASA1, create a standard ACL called R1 that permits all traffic from R1. Do not apply it to any interface.

Task 1.28
On ASA1, set up an ACL called OUTSIDE that protects your network from outside attacks. When it is complete, apply it to traffic incoming on the outside interface. All traffic should be denied EXCEPT for:
- Telnet from any outside host to R4's outside address on port 2323
- RADIUS from R1 to the ACS server's outside IP address

Task 1.29
All traffic from R4 to anywhere should be allowed during business hours (9am to 5pm) but denied at all other times. Create an ACL called INSIDE that meets these criteria and apply it to traffic inbound on the inside interface. Log all denied traffic.

Task 1.30
When a traffic flow matches the INSIDE ACL time-based entry, the flow is cached. Configure the ASA so that an error message is generated when the number of these cached flows exceeds 2000.

Task 1.31
Verify that the OUTSIDE ACL is applied and working by telnetting from R1 to 24.234.0.4 on port 2323.

Configure Object Groups

Task 1.32
Create a network object group called MAILERS and add both R4 and SW1 (192.168.2.11) to it.

Task 1.33
Create a service object group called MAIL_PORTS and add DNS (TCP) and SMTP to it.

Task 1.34
Add a single line to the INSIDE ACL that blocks R4 and SW1 from sending e-mail or DNS to servers outside the local network.
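The following ASA configuration is an added illustration of how the address-translation, ACL and object-group tasks above (Tasks 1.19 through 1.34) fit together; it is not the workbook's own solution section and should be compared against it. It uses the pre-8.3 NAT syntax (nat/global/static) that matches the ASA 8.0/8.2 era of this workbook. The addresses of R4 (192.168.2.4) and R1 (24.234.0.1) are not given on this page and are assumptions, as is the ACL name R4-PING-R1.

```cisco
! Added example for Tasks 1.19-1.34 (not the workbook's solution page).
! Pre-8.3 NAT syntax. Assumed: R4 = 192.168.2.4 (inside), R1 = 24.234.0.1 (outside).

! Task 1.19 - a NAT rule is required for traffic through the firewall
nat-control

! Task 1.20 - dynamic PAT: the inside /16 hides behind the outside interface address
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

! Task 1.21 - static for the ACS server; TCP connection limit 100, embryonic limit 20 on this entry
static (inside,outside) 24.234.0.101 192.168.2.101 netmask 255.255.255.255 tcp 100 20

! Task 1.22 - static PAT: tcp/2323 on 24.234.0.4 is redirected to R4 telnet (tcp/23)
static (inside,outside) tcp 24.234.0.4 2323 192.168.2.4 telnet netmask 255.255.255.255

! Task 1.23 - identity NAT: SW1 leaves with its real address but still satisfies nat-control
nat (inside) 0 192.168.2.11 255.255.255.255

! Task 1.24 - dynamic policy NAT: only ICMP from R4 to R1 uses 24.234.0.254;
! policy NAT (nat with access-list) is matched before the regular nat 1 above
access-list R4-PING-R1 extended permit icmp host 192.168.2.4 host 24.234.0.1
nat (inside) 2 access-list R4-PING-R1
global (outside) 2 24.234.0.254

! Task 1.27 - standard ACL, deliberately not applied to an interface
access-list R1 standard permit host 24.234.0.1

! Task 1.28 - inbound policy on outside. RADIUS auth/acct ports are the ASA's
! "radius"/"radius-acct" keywords (1645/1646); the explicit deny exists only to log hits,
! the implicit deny at the end of every ASA ACL would drop the traffic anyway
access-list OUTSIDE extended permit tcp any host 24.234.0.4 eq 2323
access-list OUTSIDE extended permit udp host 24.234.0.1 host 24.234.0.101 eq radius
access-list OUTSIDE extended permit udp host 24.234.0.1 host 24.234.0.101 eq radius-acct
access-list OUTSIDE extended deny ip any any log
access-group OUTSIDE in interface outside

! Task 1.29 - R4 only between 09:00 and 17:00; everything else denied and logged
time-range BUSINESS-HOURS
 periodic daily 9:00 to 17:00
access-list INSIDE extended permit ip host 192.168.2.4 any time-range BUSINESS-HOURS
access-list INSIDE extended deny ip any any log
access-group INSIDE in interface inside

! Task 1.30 - cap on the cached deny flows that "log" ACEs create;
! syslog 106101 is generated when the cap is reached (range 1-4096)
access-list deny-flow-max 2000

! Tasks 1.32-1.34 - object groups. The single deny line must be inserted ABOVE the
! time-based permit ("line 1"); appended at the end it would never be reached by R4
! during business hours because ACEs are evaluated top-down, first match wins
object-group network MAILERS
 network-object host 192.168.2.4
 network-object host 192.168.2.11
object-group service MAIL_PORTS tcp
 port-object eq domain
 port-object eq smtp
access-list INSIDE line 1 extended deny tcp object-group MAILERS any object-group MAIL_PORTS

! Tasks 1.25 / 1.31 - verification
show xlate
show nat
show access-list OUTSIDE
show access-list INSIDE
```

Two points worth checking in the lab: `show access-list INSIDE` expands the object groups into individual ACEs with hit counts, which is the quickest way to confirm that the MAILERS deny sits above the time-based permit; and the embryonic limit placed on the static applies to that translation as a whole, so if the task is read as a strict per-client limit, a Modular Policy Framework `set connection per-client-embryonic-max` on a class matching the ACS server is the per-host form.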
Configure Sub Interfaces with VLANs

Task 1.35
Configure E0/1.11 on VLAN 11. Name it DMZ1 and give it the IP address 172.16.11.100/24. Set the security level to 50.

Task 1.36
Configure E0/1.22 on VLAN 22. Name it DMZ2 and give it the IP address 172.16.22.100/24. Set the security level to 50.

Task 1.37
Bring up interface E0/1.

Task 1.38
Ping both R2 and R3 to verify connectivity to the DMZ hosts. Ping from R2 to R3.

Task 1.39
Correct the issue that is stopping pings between the DMZ routers.

Configure Filtering

Task 1.40
Remove ActiveX objects from HTTP traffic going from any source to any destination.

Task 1.41
Stop hosts on the 192.168.0.0/16 network from downloading Java applets via HTTP.

Task 1.42
Configure the ASA to use a URL filtering server in the DMZ. The server will use the IP address of R2 and will be running Websense with the default settings.

Task 1.43
Filter URLs using the newly set up Websense server. Do this for all traffic from the 192.168.0.0/16 network. Block attempts to use a proxy server and remove any CGI parameters.

Task 1.44
The ACS server should be exempt from the URL filtering policy.

Configure Modular Policy Framework

Task 1.45
Ping from R4 to R1. Use logging to determine why the pings are failing.

Task 1.46
View the default Modular Policy Framework configuration on the ASA and then correct it to solve the ping issue. Do not use an ACL to accomplish this. Verify that R4 can ping R1.

Task 1.47
Configure the ASA so that R2 is not allowed multiple telnet sessions to R3.

Task 1.48
Verify that R2 is limited to one telnet connection at a time. The password is cisco.

Configure Application-Aware Inspection

Task 1.49
Allow R1 to FTP to the ACS server's outside IP address. Ensure that this traffic conforms to the RFCs for FTP. Reset the connection if R1 attempts to use the PUT command.

Task 1.50
Create and test regular expressions that match the domains illegal.com and spam.net

Task 1.51
Drop and log outgoing HTTP traffic from the ACS server when it contains either of the domain names identified by the regular expressions.

Task 1.52
Verify that both of your layer 3/4 policies are applied to the correct interfaces and are using the correct layer 7 policies.

Configure Quality of Service

Task 1.53
DMZ2 contains mail servers. The mail servers send an excessive amount of SMTP traffic, causing connectivity and speed problems for the entire network. Because of this, police outgoing SMTP bandwidth to no more than 20 Mbps. If the SMTP traffic exceeds this rate, drop it.

Task 1.54
Clients on the inside network run streaming audio/video applications that use RTP on UDP ports 10000-20000. Because of its time-sensitive nature, this traffic should be given priority over other traffic. The queue size for these packets should be increased to the maximum.

Configure Layer 2 Transparent Firewall

Task 1.55
Set up ASA2 as a transparent firewall. Set the hostname to ASA2. Set the management IP to 24.234.2.200. Enable buffered logging with time-stamps at level 6.

Task 1.56
Configure interface e0/2.55 as the inside interface and set it to VLAN 55.

Task 1.57
Configure interface e0/2.66 as the outside interface and set it to VLAN 66.

Task 1.58
Add ICMP to the global inspect policy. Ping from R5 to R6 to verify the lack of connectivity. Now bring up e0/2 and repeat the ping test.

Task 1.59
View the log to see what kind of traffic is being denied. Configure the ASA to allow this traffic and verify that it is working on the routers.

Task 1.60
A host on the outside is trying to perform a man-in-the-middle attack by responding to ARP requests for IP 24.234.2.55 with its own MAC address. The real MAC that should be mapped to 24.234.2.55 is 001b.533b.5555. Configure the ASA to drop the bad ARP traffic.

Task 1.61
Enable ICMP from the inside networks to anywhere. Verify that the ASA is blocking the bad ARP responses by pinging from R5 to 24.234.2.55 and viewing the firewall log.

Configure Security Contexts

Task 1.62
Prepare for multiple context mode. Erase the configurations on both ASA1 and ASA2. Change ASA2 to routed mode with the no firewall transparent command. Reload both firewalls.

Task 1.63
Configure ASA1 as a multiple context firewall. Once it reboots, configure the hostname to ASA.

Task 1.64
Set up interfaces for future contexts. Interfaces should use unique MAC addresses. Create interface e0/1.11 and set it to VLAN 11. Create interface e0/1.22 and set it to VLAN 22. Enable interfaces e0/0, e0/1 and e0/2.

Task 1.
6 5 Delete any existing .cfg files. Create the admin context. Assign it interface e0/2. Set the config to disk0: T a s k 1 . 6 6 Create context c1. Assign it interfaces e0/0 and e0/1.11. Save the config to disk0: T a s k 1 . 6 7 Create context c2. Assign it interfaces e0/0 and e0/1.22. Save the config to disk0: For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 4 0 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated T a s k 1 . 6 8 Switch to the admin context and setup interface e0/2 as inside with pi 192.168.2.200/24. Allow the ACS server SSH access to this context. Verify connectivity to the ACS server. T a s k 1 . 6 9 Switch to context c1. Configure e0/0 as outside with IP address 24.234.0.100/24 and e0/1.11 as inside with IP address 172.16.11.100/24. Add ICMP inspection to the global policy-map and test connectivity by pinging from R2 to R1. T a s k 1 . 7 0 Switch to context c2. Configure e0/0 as outside with IP address 24.234.0.200/24 and e0/1.22 as inside with IP address 172.16.22.100/24. NAT the inside network to the outside interface address and require a NAT translation for traffic passing through the firewall. Verify connectivity with telnet from R3 to R1. T a s k 1 . 7 1 Switch back to the system and set the maximum number of allowed connections for c1 to 200 and the maximum number of connections for c2 to 100. Set the maximum number of SSH connections to the admin context to 5. For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 4 1 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated Configure Failover T a s k 1 . 7 2 Prepare for active/standby failover with ASA2. Set ASA1 as the primary failover unit. Set the failover interface to E0/3 and name it failover. Set the failover IP address to 10.1.1.1/24 and the standby to 10.1.1.11. Bring up the failover interface and enable failover. T a s k 1 . 
7 3 Prepare ASA2 for failover. Ensure that it is in multiple mode. Set the failover interface to e0/3 and name it failover. Set the failover IP address to 10.1.1.1 and the standby to 10.1.1.11. Bring up the failover interface and enable failover. T a s k 1 . 7 4 Configure SW2 so that fa0/17 and fa0/23 are both on VLAN 66. This will be the failover VLAN. T a s k 1 . 7 5 Verify that unit failover configuration is operational. For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 4 2 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated Configure High Availability Solutions T a s k 1 . 7 6 Configure the firewall pair to use stateful failover. Verify that state information is replicating to the secondary unit. T a s k 1 . 7 7 Configure the firewall to monitor all of the interfaces for c1 and c2. Configure a standby IP address on each interface. This IP should be the primary +10. If one of these interfaces fails, the unit should failover. Set the interface polltime to 500 milliseconds. Set the unit polltime to 500 milliseconds. T a s k 1 . 7 8 In addition to normal state information, replicate http state information. T a s k 1 . 7 9 Prepare for load balancing. Disable failover on both ASA1 and ASA2. Configure ASA1 to be the primary for c1 and secondary for c2. Ensure that both ASAs will always take over as active for the context they are primary for. For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 4 3 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated T a s k 1 . 8 0 Enable failover and verify that active/active is working properly. T a s k 1 . 8 1 Final verification involves testing failover. Telnet from R2 to R1 and enter the password of cisco. Leave the session up. On SW1, shutdown port fa0/12. Verify that your telnet session has remained connected. Verify failover. 
ASA Technology Solutions

Basic Firewall Configuration

Task 1.1
Set the hostname of ASA1 to ASA1.

The hostname is set with the hostname command. When entered, the prompt changes to reflect the new hostname.

ciscoasa(config)# hostname ASA1
ASA1(config)#

Task 1.2
Configure interface E0/0; name it inside and use the IP address 192.168.2.100/16. Use the default security level. Bring the interface up.

Set the IP address with the ip address command. Interfaces are named with the nameif command. Using the name inside automatically sets the security-level to 100. Physical interfaces need the no shut command issued for them to come up.

ASA1(config)# interface Ethernet0/0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip address 192.168.2.100 255.255.0.0
ASA1(config-if)# no shut

Task 1.3
Configure interface E0/3; name it outside and use the IP address 24.234.0.100/24. Use the default security level. Bring the interface up.

Set the IP address with the ip address command. Interfaces are named with the nameif command. Using the name outside automatically sets the security-level to 0; any name other than inside defaults to 0, so for DMZ interfaces set security-level explicitly (as in Task 1.35). Physical interfaces need the no shut command issued for them to come up.

ASA1(config)# interface Ethernet0/3
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip address 24.234.0.100 255.255.255.0
ASA1(config-if)# no shut

Task 1.4
Verify that your interfaces are functional.

Verify that the interfaces are up and have the correct IP with show interface ip brief.
ASA1(config)# show interface ip brief
Interface        IP-Address       OK? Method Status                 Protocol
Ethernet0/0      192.168.2.100    YES manual up                     up
Ethernet0/1      unassigned       YES unset  administratively down  down
Ethernet0/2      unassigned       YES unset  administratively down  down
Ethernet0/3      24.234.0.100     YES manual up                     up
Management0/0    unassigned       YES unset  administratively down  down

Now verify connectivity to the outside by pinging R1 and to the inside by pinging R4.

ASA1(config)# ping 24.234.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config)# ping 192.168.2.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Task 1.5
Set the domain name to ccbootcamp.com.

The domain name is set with the domain-name command.

ASA1(config)# domain-name ccbootcamp.com

Task 1.6
Set the clock to the current time.

The date and time are set manually with the clock set command.

ASA1(config)# clock set 16:24:00 16 february 2009

Task 1.7
Configure logging so that informational level and above messages are sent to the local buffer. Log messages should contain a time-stamp.

Buffered logging is configured with the logging buffered <level> command. The level can be given by name or by its syslog number (0-7). Time-stamping is enabled with the logging timestamp command.

ASA1(config)# logging buffered informational
ASA1(config)# logging timestamp

Task 1.8
Configure logging to send messages of informational level and above to syslog on the ACS server. Enable logging.

Logging to a syslog server is configured with logging host <interface> <ip address>, where the interface is the one used to reach the host. The trap level is set with the logging trap <level> command, and logging as a whole is turned on with logging enable. Notice that here we used the syslog number (6) instead of the keyword informational; the two are equivalent.

ASA1(config)# logging host inside 192.168.2.101
ASA1(config)# logging trap 6
ASA1(config)# logging enable

With no transport specified the ASA sends syslog over UDP port 514, which is unauthenticated and gives the firewall no indication when the collector is down; keep the buffer log configured as well so that events are not lost silently.

Task 1.9
Verify logging is operational both to the buffer and to the ACS server.

Verify that buffered logging is working by issuing the show logging command. You will see the current logging settings as well as the buffered syslog messages.

ASA1(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 2446 messages logged
    Trap logging: level informational, facility 20, 677 messages logged
        Logging to inside 192.168.2.101
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
Feb 16 2009 16:00:04: %ASA-6-302015: Built outbound UDP connection 18 for inside:192.168.2.101/514 (192.168.2.101/514) to NP Identity Ifc:192.168.2.100/514 (192.168.2.100/514)

Logging to the syslog server on the ACS can be verified by connecting to the ACS and launching the available syslog program.
(Kiwi Syslog Daemon is shown in the workbook; the screenshot is not reproduced here.) The program will receive log entries similar to the 302015 message shown above.

Configure Device Management

Task 1.10
Configure the management0/0 interface with an IP address of 50.50.50.100 255.255.255.0 and name it management. Ensure that only management traffic will be allowed to this interface without using an ACL.

The management interface is configured like any other. To allow only management traffic to *ANY* interface, use the management-only command in interface configuration mode: the interface then accepts traffic addressed to the ASA itself and does not forward through-traffic. The Management0/0 port can be used as a regular interface by issuing the no form of the command.

ASA1(config)# interface management0/0
ASA1(config-if)# nameif management
ASA1(config-if)# ip address 50.50.50.100 255.255.255.0
ASA1(config-if)# management-only
ASA1(config-if)# no shut

Task 1.11
Configure the ASA to use the ASDM image stored on disk0. Enable the HTTP server and permit *ONLY* the ACS server to access it.

The ASDM image is selected with the asdm image <location> command and the HTTPS server is enabled with http server enable; both are required for ASDM to function. To allow a specific host or network to reach the HTTP server, use http <ip address> <mask> <interface>, where the address and mask identify the allowed host(s) and the interface is the one through which they are reached. Connections from hosts not covered by an http statement are refused, so this is the ASA's own allow-list for ASDM access and does not depend on an interface ACL.

ASA1(config)# asdm image disk0:/asdm-61551.bin
ASA1(config)# http server enable
ASA1(config)# http 192.168.2.101 255.255.255.255 inside

Task 1.12
Configure SSH and *ONLY* allow R4 to connect via SSH on the inside interface. Do not use an ACL to accomplish this.
Before enabling SSH you need to generate an RSA key pair with crypto key generate rsa modulus <modulus size>; the hostname and domain name set earlier are used to label the key. Allowing specific hosts or networks to connect via SSH works the same way as for HTTP in Task 1.11: use ssh <ip address> <mask> <interface>. The 1024-bit modulus below is what the lab uses; on a production device generate a larger key (2048 bits or more) and restrict the device to SSH version 2 with the ssh version command.

ASA1(config)# crypto key generate rsa modulus 1024
ASA1(config)# ssh 192.168.2.4 255.255.255.255 inside

Task 1.13
Set up a local user called cisco with a password of cisco and a privilege level of 15. Set up AAA so that SSH will use local authentication.

A user is configured with username <name> password <password> privilege <priv level>. To make SSH use local authentication the command is aaa authentication ssh console LOCAL.

ASA1(config)# username cisco password cisco privilege 15
ASA1(config)# aaa authentication ssh console LOCAL

Task 1.14
Verify that you can connect to the ASA using ASDM from the ACS server and with SSH from R4.

First verify that you can connect using ASDM. On the ACS server, open Internet Explorer and go to https://192.168.2.100. You should get to the ASDM launch page (the workbook's screenshot is not reproduced here). Click Run ASDM Applet, accept the security prompts and, if prompted for a username and password, use cisco/cisco.

To verify that you can SSH to the ASA from R4, connect to R4 and use ssh -l cisco 192.168.2.100, which connects using the username cisco. When prompted for the password use cisco.

R4#ssh -l cisco 192.168.2.100
Password: cisco
Type help or '?' for a list of available commands.
ASA1>

Configure IP Routing

Task 1.15
Set up a default route so that traffic not matching any other routes will be sent to the next hop of R1.

Static routes are entered with the route command. The order of the arguments is route -> interface the traffic will be sent out of -> destination network and mask -> next-hop address. For a default route you can use the shorthand 0 0 for the network and mask.

ASA1(config)# route outside 0 0 24.234.0.1

Task 1.16
Configure EIGRP on the ASA so that it becomes a neighbor with R4. Ensure that the loopback network of R4 appears in the ASA's routing table.

EIGRP is configured much the same as on a router, with the router <routing protocol> <instance number> command. In router configuration mode the networks that will participate in the routing protocol are added with the network command. Notice that we use a regular subnet mask to identify the network instead of the wildcard mask that would be used on a router. The lab leaves EIGRP and OSPF unauthenticated; on a production firewall enable neighbor authentication for both so that a host on either segment cannot inject routes into the firewall's table.

ASA1(config)# router eigrp 1
ASA1(config-router)# network 192.168.0.0 255.255.0.0

Verify that the ASA has become a neighbor with R4 by using the show eigrp neighbors command.

ASA1(config)# show eigrp neighbors
EIGRP-IPv4 neighbors for process 1
H   Address          Interface   Hold Uptime    SRTT   RTO  Q   Seq
                                 (sec)          (ms)        Cnt Num
0   192.168.2.4      Et0/0         11 00:27:09     1  4500  0   5

Verify that R4's loopback network is in the routing table with the command show route. It is the 4.4.4.4/32 network, and the D indicates that the route came from EIGRP.
ASA1(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 24.234.0.1 to network 0.0.0.0

D    4.4.4.4 255.255.255.255 [90/131072] via 192.168.2.4, 0:25:38, inside
C    24.234.0.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 24.234.0.1, outside
C    192.168.0.0 255.255.0.0 is directly connected, inside

Task 1.17
Configure OSPF on the ASA so that it becomes a neighbor with R1. Verify that the 1.1.1.0/24 network is reachable.

Configuring OSPF is very similar to setting up EIGRP, except that the network statement must also place the 24.234.0.0 network in the proper area.

ASA1(config)# router ospf 1
ASA1(config-router)# network 24.234.0.0 255.255.255.0 area 100

We can verify the neighbor relationship with R1 by using the command show ospf neighbor.

ASA1(config)# show ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        0:00:32     24.234.0.1      outside

A show route will show that the 1.1.1.0/24 network is reachable via R1.
ASA1(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 24.234.0.1 to network 0.0.0.0

O    1.1.1.0 255.255.255.0 [110/11] via 24.234.0.1, 0:03:06, outside
D    4.4.4.4 255.255.255.255 [90/131072] via 192.168.2.4, 2:13:55, inside
C    24.234.0.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 24.234.0.1, outside
C    192.168.0.0 255.255.0.0 is directly connected, inside

And a ping to 1.1.1.1 will verify that it is reachable.

ASA1(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Task 1.18
Configure EIGRP so that the default route is sent into EIGRP 1. Configure the ASA so that the EIGRP routes are sent into OSPF area 100 without summarizing them. Verify that R4 has received the default route and that R1 has received the EIGRP routes.

Propagating the default route into EIGRP is done with route redistribution. First we redistribute the static default route into EIGRP 1.

ASA1(config)# router eigrp 1
ASA1(config-router)# redistribute static

Then we redistribute EIGRP into OSPF.
Note the subnets keyword: without it OSPF redistributes only classful networks, so the 4.4.4.0/24 subnet of 4.0.0.0/8 would not be advertised at all.

ASA1(config)# router ospf 1
ASA1(config-router)# redistribute eigrp 1 subnets

Verify that R4 has received the default route with show ip route. It shows up as an EIGRP external route (D*EX).

R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.100 to network 0.0.0.0

     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
D*EX 0.0.0.0/0 [170/30720] via 192.168.2.100, 00:12:04, FastEthernet0/0
C    192.168.0.0/16 is directly connected, FastEthernet0/0

Verify that R1 has received the EIGRP routes with show ip route. They show up as OSPF external type 2 routes. Notice that it receives 4.4.4.0/24 because of the subnets keyword.
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     4.0.0.0/24 is subnetted, 1 subnets
O E2    4.4.4.0 [110/20] via 24.234.0.100, 00:06:47, FastEthernet0/1
     24.0.0.0/24 is subnetted, 1 subnets
C       24.234.0.0 is directly connected, FastEthernet0/1
O E2 192.168.0.0/16 [110/20] via 24.234.0.100, 00:14:51, FastEthernet0/1

Configure Address Translation

Task 1.19
Configure ASA1 to require a NAT rule for traffic passing through it.

To make ASA1 require a NAT rule use the global command nat-control. With nat-control enabled, a packet going from a higher- to a lower-security interface that matches no nat, static or nat 0 rule is dropped instead of being routed with its address unchanged.

ASA1(config)# nat-control

Task 1.20
Configure dynamic address translation so that any outbound traffic from the 192.168.0.0/16 network is translated to the outside interface's IP address.

To translate an entire network to a single IP you must use PAT. First define the inside network to be translated. Note the NAT ID of 1 after the (inside) keyword.

ASA1(config)# nat (inside) 1 192.168.0.0 255.255.0.0

Then use the global command with the same NAT ID to define what the traffic is translated to. Here we use the interface keyword, but you could also give a single IP address or a range of addresses.

ASA1(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool

Task 1.21
Configure NAT so that the ACS server is reachable from the outside as 24.234.0.101.
This host is sensitive to DoS attacks, so set the total number of TCP connections allowed to no more than 100 and the number of embryonic connections allowed per host to 20.

Use the static command to make the ACS server reachable from the outside. The tcp keyword introduces the TCP-specific limits: the first number (100) is the total number of TCP connections allowed to the mapped address, and the second (20) is the embryonic (half-open) connection limit. Once the embryonic limit is reached the ASA intercepts further SYNs and completes the three-way handshake on the server's behalf before opening the connection to it (TCP Intercept), so a SYN flood cannot exhaust the server's listen backlog.

ASA1(config)# static (inside,outside) 24.234.0.101 192.168.2.101 tcp 100 20

Task 1.22
Configure NAT so that hosts on the outside who telnet to 24.234.0.4 on port 2323 are able to reach R4 on port 23.

This type of NAT is known as port redirection or port forwarding. The static command follows the same basic format, but the tcp keyword comes before the IP addresses and each address is followed by its port: the mapped address and port first, then the real address and port.

ASA1(config)# static (inside,outside) tcp 24.234.0.4 2323 192.168.2.4 23

Task 1.23
Allow SW1 (192.168.2.11) to send traffic to the outside without changing its IP address.

nat-control requires a translation for every flow through the firewall, but we can satisfy that requirement without changing the address by using identity NAT, also known as NAT 0. Notice that the NAT ID is set to 0. Plain nat 0 (without an access-list) is identity NAT and only allows connections initiated from the inside; nat 0 with an access-list is NAT exemption, which also permits connections initiated from the outside.

ASA1(config)# nat (inside) 0 192.168.2.11 255.255.255.255
nat 0 192.168.2.11 will be identity translated for outbound

Task 1.24
Dynamically translate R4's address to 24.234.0.254 only when pings are sent from R4 to R1.

A translation that applies only to traffic matching specific source and destination criteria is known as policy NAT. An ACL identifies the traffic, and that ACL is then tied to a NAT ID.
Notice that we use a different NAT ID from the one used for our PAT.

ASA1(config)# access-list POLICY_NAT extended permit icmp host 192.168.2.4 host 24.234.0.1
ASA1(config)# nat (inside) 2 access-list POLICY_NAT
ASA1(config)# global (outside) 2 24.234.0.254
INFO: Global 24.234.0.254 will be Port Address Translated

Task 1.25
Verify that your PAT configuration is working, and that the static and policy NATs are in the ASA's translation table.

First, verify that the PAT configuration is working by telnetting from R4 to R1.

R4#telnet 24.234.0.1
Trying 24.234.0.1 ... Open
R1#

To see the translation table on the ASA use the show xlate detail command. The entry with flags ri is the dynamic PAT created by the telnet session: r is a port map and i a dynamic translation, from R4's address on the inside to the ASA's outside IP. The entry with flags s is the static translation for the ACS server, and the entry with flags sr (static plus port map) is the port-redirection static for R4 from Task 1.22. The policy NAT from Task 1.24 is dynamic, so no xlate exists for it until matching traffic flows; ping from R4 to 24.234.0.1 and repeat show xlate detail to see the translation to 24.234.0.254 appear.

ASA1(config)# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from inside:192.168.2.4/23 to outside:24.234.0.4/2323 flags sr
NAT from inside:192.168.2.101 to outside:24.234.0.101 flags s
TCP PAT from inside:192.168.2.4/17116 to outside:24.234.0.100/17803 flags ri

Configure ACLs

Task 1.27
On ASA1, create a standard ACL called R1 to permit all traffic from R1. Do not apply it to any interface.

A standard ACL is very basic: it permits or denies based only on the source IP address.

ASA1(config)# access-list R1 standard permit host 24.234.0.1

Task 1.28
On ASA1, set up an ACL called OUTSIDE that will protect your network from outside attacks. When it is complete, apply it to traffic incoming to the outside interface. All traffic should be denied EXCEPT for:
- Telnet from any outside host to R4's outside address on port 2323
- RADIUS from R1 to the ACS server's outside IP address

This second ACL gives us a mix of TCP and UDP entries. Regardless of which protocol we are working with, the order is the same: permit/deny -> protocol -> from this address/port -> to this address/port. Remember that there is an implicit deny at the end of the ACL, so a packet that does not match any of the permit lines is dropped. The destination addresses are the mapped (outside) addresses from the static translations, because an ACL on the outside interface is evaluated against the packet as it arrives, before translation. Also note that the ASA's port literal radius means UDP 1645 (radius-acct is 1646), not the IANA-assigned 1812; if the ACS server listens only on 1812, use the numeric port or add a second line.

ASA1(config)# access-list OUTSIDE extended permit tcp any host 24.234.0.4 eq 2323
ASA1(config)# access-list OUTSIDE extended permit udp host 24.234.0.1 host 24.234.0.101 eq radius

ACLs are applied with the access-group command to traffic entering or leaving an interface. In this case it is entering the interface, so we use the in keyword.

ASA1(config)# access-group OUTSIDE in interface outside

Task 1.29
All traffic from R4 to anywhere should be allowed during business hours (9am to 5pm) but should be denied at all other times. Create an ACL called INSIDE that will meet these criteria and apply it to traffic inbound to the inside interface. Log all denied traffic.

This is an example of a time-based ACL. First create a time range with the time-range command; times are given on a 24-hour clock. The range is named R4_BLOCK because it covers the hours during which R4 is blocked.

ASA1(config)# time-range R4_BLOCK
ASA1(config-time-range)# periodic daily 00:00 to 08:59
ASA1(config-time-range)# periodic daily 17:01 to 23:59

Because time ranges are evaluated with one-minute granularity, these two periods leave the minute from 17:00 to 17:01 permitted; start the second period at 17:00 if the cutoff must be strict. Next, we have to apply the time range to an ACL deny entry.
Remember that we also have to permit all other traffic at all times so that it is not dropped by the implicit deny at the end of the ACL. Note the log keyword in the deny statement: it generates a log entry (syslog message 106100) when the line is matched.

ASA1(config)# access-list INSIDE extended deny ip host 192.168.2.4 any log time-range R4_BLOCK
ASA1(config)# access-list INSIDE extended permit ip any any

Now we need to apply this ACL to the inside interface.

ASA1(config)# access-group INSIDE in interface inside

Task 1.30
When a traffic flow matches the INSIDE ACL time-based entry, the flow is cached. Configure the ASA so that an error message is generated when the number of these cached flows exceeds 2000.

To set a maximum number of cached deny-flows use the access-list deny-flow-max command. When the limit is reached the ASA generates syslog message 106101 and stops creating new deny-flow cache entries until existing ones expire, which is why this message is useful for detecting a DoS attack or a scan originating on the inside.

ASA1(config)# access-list deny-flow-max 2000

Task 1.31
Verify that the OUTSIDE ACL is applied and working by telnetting from R1 to 24.234.0.4 on port 2323.

On R1, telnet to 24.234.0.4 2323 to verify that the ACL is allowing the traffic and that the port map is working.

R1#telnet 24.234.0.4 2323
Trying 24.234.0.4, 2323 ... Open
R4#

Now, on the ASA, further verify that the ACL allowed the traffic with show access-list OUTSIDE. Notice that the hit count is 1 for the line that permits the telnet traffic.

ASA1(config)# show access-list OUTSIDE
access-list OUTSIDE; 2 elements
access-list OUTSIDE line 1 extended permit tcp any host 24.234.0.4 eq 2323 (hitcnt=1) 0x84f0d3e2
access-list OUTSIDE line 2 extended permit udp host 24.234.0.1 host 24.234.0.101 eq radius (hitcnt=0) 0x24db0f17
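The log keyword from Task 1.29 and the deny-flow-max limit from Task 1.30 only pay off if something reads the resulting syslog messages. The following Python is an added example, not part of the workbook, that parses the relevant messages from the ASA buffer or a syslog collector and aggregates denied flows per ACL and source. The sample log lines are constructed for the example (following the documented formats of messages 106100, 106023 and 106101) rather than captured from the lab; the parser keys on the six-digit message ID, so small wording differences between ASA releases do not matter.

```python
"""Parse ASA syslog output from ACL 'log' entries and the deny-flow cache alert.

Added example; not part of the workbook.  SAMPLE_LOG is constructed, not
captured from the lab.  It follows the documented format of message 106100
(emitted for an ACE carrying the 'log' keyword, Task 1.29), 106023 (a packet
dropped by an ACE without 'log' or by the implicit deny) and 106101 (emitted
when the limit set with 'access-list deny-flow-max' in Task 1.30 is reached).
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Feb 16 2009 20:15:01: %ASA-6-106100: access-list INSIDE denied tcp inside/192.168.2.4(41022) -> outside/24.234.0.1(23) hit-cnt 1 first hit [0x7b2cc583, 0x0]
Feb 16 2009 20:15:04: %ASA-6-106100: access-list INSIDE denied tcp inside/192.168.2.4(41023) -> outside/24.234.0.1(23) hit-cnt 1 first hit [0x7b2cc583, 0x0]
Feb 16 2009 20:15:09: %ASA-6-106100: access-list INSIDE denied icmp inside/192.168.2.4(0) -> outside/24.234.0.1(0) hit-cnt 1 first hit [0x7b2cc583, 0x0]
Feb 16 2009 20:20:00: %ASA-6-302015: Built outbound UDP connection 18 for inside:192.168.2.101/514 (192.168.2.101/514) to NP Identity Ifc:192.168.2.100/514 (192.168.2.100/514)
Feb 16 2009 20:21:13: %ASA-4-106023: Deny tcp src outside:24.234.0.9/5123 dst inside:24.234.0.4/22 by access-group "OUTSIDE" [0x0, 0x0]
Feb 16 2009 20:25:30: %ASA-4-106101: Number of cached deny-flows for ACL log has reached limit (2000).
"""

# Common header: %ASA-<severity>-<message id>: <body>
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")

# 106100: access-list <acl> {permitted|denied|est-allowed} <proto>
#         <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt ...
ACE_LOG = re.compile(
    r"access-list (?P<acl>\S+) (?P<verdict>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<sif>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\)"
)

# 106023: Deny <proto> src <if>:<src>/<sport> dst <if>:<dst>/<dport> by access-group "<acl>" ...
IMPLICIT_DENY = re.compile(
    r"Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


def parse_line(line):
    """Return a dict describing one syslog line, or None if it is not an ASA message."""
    m = HEADER.search(line)
    if m is None:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"], "body": m["body"]}
    if rec["id"] == "106100":
        d = ACE_LOG.match(rec["body"])
        if d:
            rec.update(d.groupdict())
    elif rec["id"] == "106023":
        d = IMPLICIT_DENY.match(rec["body"])
        if d:
            rec.update(d.groupdict())
            rec["verdict"] = "denied"
    elif rec["id"] == "106101":
        rec["verdict"] = "deny-flow-limit"
    return rec


def summarize(log_text):
    """Count denied flows per (ACL, source address) and collect 106101 alerts."""
    denied = Counter()
    alerts = []
    parsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if rec.get("verdict") == "denied":
            denied[(rec["acl"], rec["src"])] += 1
        elif rec.get("verdict") == "deny-flow-limit":
            # Once the cache is full the ASA stops creating new deny-flows, so
            # 106100 counts become unreliable; surface the limit as its own alert.
            alerts.append(rec["body"])
    return {"parsed": parsed, "denied_by_source": denied, "deny_flow_alerts": alerts}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (acl, src), n in summary["denied_by_source"].most_common():
        print(f"{acl:8} {src:16} {n} denied flow(s)")
    for body in summary["deny_flow_alerts"]:
        print("ALERT:", body)
```

Run it as a script to print the summary, or pass the text of show logging (or the collector's file) to summarize() in place of SAMPLE_LOG. Messages with IDs the parser does not handle, such as the 302015 connection message, are counted as parsed but otherwise ignored.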
Configure Object Groups

Task 1.32
Create a network object group called MAILERS and add both R4 and SW1 (192.168.2.11) to it.

Create the group with the object-group command and the network keyword, then add members with the network-object command. We added individual hosts with the host keyword, but you can also add whole networks by giving an IP address and subnet mask.

    ASA1(config)# object-group network MAILERS
    ASA1(config-network)# network-object host 192.168.2.4
    ASA1(config-network)# network-object host 192.168.2.11

Task 1.33
Create a service object group called MAIL_PORTS and add DNS (TCP) and SMTP to it.

A service group is also created with the object-group command, using the service keyword. Because no protocol is given on the object-group line, each service-object carries its own protocol and port. (This is the ASA 8.0 to 8.2 syntax; from 8.3 onward the port is written service-object tcp destination eq smtp.)

    ASA1(config)# object-group service MAIL_PORTS
    ASA1(config-service)# service-object tcp eq domain
    ASA1(config-service)# service-object tcp eq smtp

Task 1.34
Add a single line to the INSIDE ACL that will block R4 and SW1 from sending e-mail or DNS to servers outside the local network.

Now we use the object groups to save several lines in the ACL. Remember that the permit ip any any is near the end of the ACL, so the deny statement has to be inserted before it; the line 1 keyword places the new entry at the top. Note that instead of deny <protocol> we name the service object group in the protocol position, because a service group created this way carries the protocol as well as the port.

    ASA1(config)# access-list INSIDE line 1 deny object-group MAIL_PORTS object-group MAILERS any

With this line in place, issue show access-list INSIDE to see how many lines the object groups saved.
    ASA1(config)# show access-list INSIDE
    access-list INSIDE; 8 elements
    access-list INSIDE line 1 extended deny object-group MAIL_PORTS object-group MAILERS any 0x3eef95c1
    access-list INSIDE line 1 extended deny tcp host 192.168.2.4 any eq domain (hitcnt=0) 0x8b85ea80
    access-list INSIDE line 1 extended deny tcp host 192.168.2.11 any eq domain (hitcnt=0) 0x60d1a14a
    access-list INSIDE line 1 extended deny tcp host 192.168.2.4 any eq smtp (hitcnt=0) 0x4e7ad89b
    access-list INSIDE line 1 extended deny tcp host 192.168.2.11 any eq smtp (hitcnt=0) 0x441049a2
    access-list INSIDE line 2 extended deny ip host 192.168.2.4 any log informational interval 300 time-range R4_BLOCK (hitcnt=0) (inactive) 0x7b2cc583
    access-list INSIDE line 3 extended permit ip any any (hitcnt=0) 0x2a29f5f2

The single object-group entry expands to four ACEs (two hosts times two ports), all reported under line 1; the ASA evaluates the expanded entries, so the hit counts and hashes belong to them. Also note that the time-based entry on line 2 is marked (inactive) because the command was run outside the R4_BLOCK window, and that the log keyword has been expanded to its defaults, level informational with a 300 second interval.

Configure Sub Interfaces with VLANs

Task 1.35
Configure E0/1.11 on VLAN 11. Name it DMZ1 and give it an IP address of 172.16.11.100/24. Set the security level to 50.

Sub-interfaces are configured like regular interfaces with the addition of .x, where x is the sub-interface number. Assign the sub-interface to a VLAN with the vlan command. Once sub-interfaces with VLANs are configured on an interface, the physical interface acts as an 802.1Q trunk, so the connected switch port must be trunking with those VLANs allowed.

    ASA1(config)# interface Ethernet0/1.11
    ASA1(config-subif)# vlan 11
    ASA1(config-subif)# nameif DMZ1
    ASA1(config-subif)# security-level 50
    ASA1(config-subif)# ip address 172.16.11.100 255.255.255.0

Task 1.36
Configure E0/1.22 on VLAN 22. Name it DMZ2 and give it an IP address of 172.16.22.100/24. Set the security level to 50.

This sub-interface is configured just like the one above.
    ASA1(config)# interface Ethernet0/1.22
    ASA1(config-subif)# vlan 22
    ASA1(config-subif)# nameif DMZ2
    ASA1(config-subif)# security-level 50
    ASA1(config-subif)# ip address 172.16.22.100 255.255.255.0

Task 1.37
Bring up interface E0/1.

The sub-interfaces will not come up unless the physical interface is brought up.

    ASA1(config)# int e0/1
    ASA1(config-if)# no shut

Task 1.38
Ping both R2 and R3 to verify connectivity to the DMZ hosts. Ping from R2 to R3.

The pings from the firewall to the DMZ routers should succeed.

    ASA1(config)# ping 172.16.11.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.11.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

    ASA1(config)# ping 172.16.22.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.22.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

But the pings from R2 to R3 should fail.

    R2#ping 172.16.22.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.22.3, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

Task 1.39
Correct the issue that is stopping pings between the DMZ routers.

The pings are being dropped at the firewall even though the security levels of the DMZ interfaces are both 50. Dropping traffic between interfaces of equal security level is the default behaviour of an ASA; to allow it you must use the same-security-traffic command. We use permit inter-interface because the traffic enters one interface and leaves another (permit intra-interface is a different setting that allows traffic to leave through the same interface it arrived on).
In this case the sub-interfaces act as different interfaces even though they enter and exit the same physical interface.

    ASA1(config)# same-security-traffic permit inter-interface

Now try the ping from R2 to R3 again.

    R2#ping 172.16.22.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.22.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Configure Filtering

Task 1.40
Remove ActiveX objects from HTTP traffic going from any source to any destination.

This is done with the filter activex command. You can enter a port number or range to filter traffic on; here we used http instead of 80. Notice the 0 0 0 0: each zero is shorthand for 0.0.0.0, so together they mean from any address/mask to any address/mask.

    ASA1(config)# filter activex http 0 0 0 0

Task 1.41
Stop hosts on the 192.168.0.0/16 network from downloading Java applets via HTTP.

Java is filtered using the same format as ActiveX. In this example we entered 80 instead of http, and we gave a source for the traffic, the 192.168.0.0/16 network. The destination is still any, shortened to 0 0. It's important to note that this command acts on the Java applet as it returns to the ASA over the outbound connection: the HTTP page is still delivered, but the page source that loads the applet is commented out so the applet cannot run. The filter only sees cleartext HTTP on the port given; it cannot inspect HTTPS.

    ASA1(config)# filter java 80 192.168.0.0 255.255.0.0 0 0

Task 1.42
Configure the ASA to use a URL filtering server in the DMZ. The server will use the IP address of R2 and will be running Websense with the default settings.

A URL filtering server is configured with the url-server command.
Notice the interface the server is reached through in parentheses, the vendor, and the IP of the server.

    ASA1(config)# url-server (DMZ1) vendor websense host 172.16.11.2

Task 1.43
Filter URLs using the newly set up Websense server. Do this for all traffic from the 192.168.0.0/16 network. Block attempts to use a proxy server and remove any CGI parameters.

With the URL filtering server configured, you must choose which outgoing traffic is checked against the server's policy. This is done with the filter url command. The addresses are entered in from -> to order, and we again use the 0 0 shorthand to filter from our network to any destination. The proxy-block option blocks attempts to use an HTTP proxy server. The cgi-truncate option strips everything from the question mark onward before the URL is sent to the filtering server, which keeps lookups short; the request to the web server itself is not modified. One caveat: if the Websense server becomes unreachable, the ASA blocks the filtered HTTP traffic by default. Add the allow keyword if you would rather fail open.

    ASA1(config)# filter url http 192.168.0.0 255.255.0.0 0 0 proxy-block cgi-truncate

Task 1.44
The ACS server should be exempt from the URL filtering policy.

Exceptions to the filtering policy are added with the filter url except command. These can be specific hosts or entire networks, determined by the subnet mask. We use a 32-bit mask to identify only the ACS server host address.

    ASA1(config)# filter url except 192.168.2.101 255.255.255.255 0 0

Configure Modular Policy Framework

Task 1.45
Ping from R4 to R1. Use logging to determine why the pings are failing.

Pings from R4 to R1 fail even though they originate on the inside (trusted) network and go to the outside.

    R4#ping 24.234.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 24.234.0.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

The log shows that NAT is translating R4's address properly (192.168.2.4 becomes 24.234.0.254) and that a flow is built for the ICMP connection. The echo replies are then denied by the OUTSIDE ACL: without ICMP inspection the ASA does not treat ICMP statefully, so each reply is evaluated as a fresh inbound packet, and the OUTSIDE ACL has no line permitting it.

    ASA1(config)# show logging | inc 24.234.0.1
    Feb 23 2009 13:53:05: %ASA-6-302020: Built outbound ICMP connection for faddr 24.234.0.1/0 gaddr 24.234.0.254/56751 laddr 192.168.2.4/3
    Feb 23 2009 13:53:05: %ASA-4-106023: Deny icmp src outside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) by access-group "OUTSIDE" [0x0, 0x0]
    Feb 23 2009 13:53:07: %ASA-4-106023: Deny icmp src outside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) by access-group "OUTSIDE" [0x0, 0x0]
    Feb 23 2009 13:53:09: %ASA-4-106023: Deny icmp src outside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) by access-group "OUTSIDE" [0x0, 0x0]
    Feb 23 2009 13:53:11: %ASA-4-106023: Deny icmp src outside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) by access-group "OUTSIDE" [0x0, 0x0]
    Feb 23 2009 13:53:13: %ASA-4-106023: Deny icmp src outside:24.234.0.1 dst inside:24.234.0.254 (type 0, code 0) by access-group "OUTSIDE" [0x0, 0x0]
    Feb 23 2009 13:53:15: %ASA-6-302021: Teardown ICMP connection for faddr 24.234.0.1/0 gaddr 24.234.0.254/56751 laddr 192.168.2.4/3

Task 1.46
View the default modular policy framework configuration on the ASA and then correct it to solve the ping issue. Do not use an ACL to accomplish this. Verify that R4 can ping R1.

View the default MPF configuration with the show service-policy command. Notice that ICMP is not included in the inspection_default class-map.
This explains why outgoing ICMP is allowed but the return traffic is dropped.

    ASA1(config)# show service-policy
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
          Inspect: dns migrated_dns_map_1, packet 0, drop 0, reset-drop 0
          Inspect: ftp, packet 0, drop 0, reset-drop 0
          Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
          Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
          Inspect: netbios, packet 0, drop 0, reset-drop 0
          Inspect: rsh, packet 0, drop 0, reset-drop 0
          Inspect: rtsp, packet 0, drop 0, reset-drop 0
          Inspect: skinny , packet 0, drop 0, reset-drop 0
          Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
          Inspect: sqlnet, packet 0, drop 0, reset-drop 0
          Inspect: sunrpc, packet 0, drop 0, reset-drop 0
          Inspect: tftp, packet 0, drop 0, reset-drop 0
          Inspect: sip , packet 0, drop 0, reset-drop 0
          Inspect: xdmcp, packet 0, drop 0, reset-drop 0

This is corrected by editing the global_policy policy-map and adding inspect icmp to the inspection_default class. With ICMP inspection enabled the ASA tracks each echo request and lets only the matching reply back through, so the OUTSIDE ACL does not need an ICMP entry.

    ASA1(config)# policy-map global_policy
    ASA1(config-pmap)# class inspection_default
    ASA1(config-pmap-c)# inspect icmp

Verify by pinging from R4 to R1 again; the pings now succeed.

    R4#ping 24.234.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 24.234.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

You can also run show service-policy again to see that the ICMP packet counter has increased (10 packets: five echo requests and five replies).

    ASA1(config-pmap)# show service-policy
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
          Inspect: icmp, packet 10, drop 0, reset-drop 0

Task 1.47
Configure the ASA so that R2 is not allowed multiple telnet sessions to R3.
Modular policy framework is used in situations where ACLs do not provide enough control. In this case we first define the traffic we want to act on with an ACL.

    ASA1(config)# access-list R2_TELNET permit tcp host 172.16.11.2 host 172.16.22.3 eq telnet

Then we create a class map that matches our ACL.

    ASA1(config)# class-map R2_TELNET
    ASA1(config-cmap)# match access-list R2_TELNET

A policy map applies an action to traffic matching our class. Here the action sets the maximum number of connections allowed per client (per source address) to 1.

    ASA1(config-cmap)# policy-map R2_TELNET
    ASA1(config-pmap)# class R2_TELNET
    ASA1(config-pmap-c)# set connection per-client-max 1

Finally we apply the policy to an interface (or globally) with a service-policy. It goes on DMZ1 because that is where R2's telnet traffic enters the ASA.

    ASA1(config)# service-policy R2_TELNET interface DMZ1

Task 1.48
Verify that R2 is limited to 1 telnet connection at a time. The password is cisco.

First, telnet from R2 to R3.

    R2#telnet 172.16.22.3
    Trying 172.16.22.3 ... Open

    User Access Verification

    Password:
    R3>

Then drop back to R2, leaving the session open, with the escape sequence Ctrl+Shift+6 followed by x. Issue show sessions to verify that the telnet connection is still open.

    R2#show sessions
    Conn Host                Address             Byte  Idle Conn Name
    *  1 172.16.22.3         172.16.22.3            0     0 172.16.22.3

Now attempt to open another telnet connection to R3. The connection will fail.

    R2#telnet 172.16.22.3
    Trying 172.16.22.3 ...
    % Connection timed out; remote host not responding

Confirm this in the ASA log. Notice that the per-client maximum has been exceeded.
    ASA1(config)# show logging | inc 172.16.11.2
    Feb 23 2009 15:04:58: %ASA-3-201013: Per-client connection limit exceeded 1/1 for input packet from 172.16.11.2/38100 to 172.16.22.3/23 on interface DMZ1

Configure Application-Aware Inspection

Task 1.49
Allow R1 to FTP to the ACS server's outside IP address. Ensure that this traffic conforms to the RFCs for FTP. Reset the connection if R1 attempts to use the PUT command.

First we must allow the FTP traffic by adding a line to the OUTSIDE ACL.

    ASA1(config)# access-list OUTSIDE extended permit tcp host 24.234.0.1 host 24.234.0.101 eq ftp

Now we set up the application-level inspection, an added set of steps on top of the regular MPF configuration. We identify the specific type of layer 7 traffic we want, in this case the FTP put command, with class-map type inspect ftp.

    ASA1(config)# class-map type inspect ftp match-all ACS_FTP
    ASA1(config-cmap)# match request-command put

Next we apply actions to the identified layer 7 traffic with a policy-map type inspect ftp. The action we apply is reset.

    ASA1(config)# policy-map type inspect ftp ACS_FTP
    ASA1(config-pmap)# class ACS_FTP
    ASA1(config-pmap-c)# reset

Inspect-type policy maps cannot be applied directly to an interface. They must be nested within a normal layer 3/4 policy map, so we proceed with the normal MPF procedure: identify the layer 3/4 traffic with an ACL used by a class map, in this case R1's connection to the ACS outside address via FTP.
    ASA1(config)# access-list R1_ACS extended permit tcp host 24.234.0.1 host 24.234.0.101 eq ftp
    ASA1(config)# class-map R1_ACS
    ASA1(config-cmap)# match access-list R1_ACS

Now we apply actions to the identified traffic using a layer 3/4 policy map. Notice that we inspect ftp with the strict option, which enforces RFC-compliant FTP command syntax and sequencing (and may therefore break clients that send non-standard commands). Also note the ACS_FTP at the end: this is our layer 7 policy map. FTP will be inspected and passed as normal UNLESS the put command is used, in which case the connection is reset. Because this policy is attached to the outside interface, it takes precedence over the ftp inspection in the global policy for the traffic it matches.

    ASA1(config)# policy-map R1_ACS
    ASA1(config-pmap)# class R1_ACS
    ASA1(config-pmap-c)# inspect ftp strict ACS_FTP

Finally, we apply the policy map to an interface with the service-policy command.

    ASA1(config)# service-policy R1_ACS interface outside

Task 1.50
Create and test regular expressions that will match the domains illegal.com and spam.net.

Create the regular expressions with the regex command. The dot is escaped with a backslash so that it matches a literal period rather than any character.

    ASA1(config)# regex illegal "illegal\.com"
    ASA1(config)# regex spam "spam\.net"

Test them with the test regex command. Notice that even though there is a www. before the phrase it still matches: an ASA regex is an unanchored search, so it matches anywhere in the string (which also means it would match illegal.com.example.org; add ^ or $ anchors when that matters).

    ASA1(config)# test regex www.illegal.com "illegal\.com"
    INFO: Regular expression match succeeded.
    ASA1(config)# test regex www.spam.net "spam\.net"
    INFO: Regular expression match succeeded.

Task 1.51
Drop and log outgoing HTTP traffic from the ACS server when it contains either of the domain names identified by the regular expressions.

First we create a class-map type regex that identifies the phrases.
Note the match-any option, meaning either of the phrases (not both) can be matched.

    ASA1(config)# class-map type regex match-any BAD_DOMAINS
    ASA1(config-cmap)# match regex illegal
    ASA1(config-cmap)# match regex spam

Next we create a class-map type inspect http that identifies the specific layer 7 attributes we care about, in this case the domains we want to drop. Notice that we are matching the request URI against our BAD_DOMAINS regex class. One caveat: in an ordinary (non-proxied) HTTP/1.1 request the request URI holds only the path, and the domain name travels in the Host header, so to catch those requests match the header instead with match request header host regex class BAD_DOMAINS. The URI match as written catches proxy-style requests that carry an absolute URL, and any request whose path happens to contain the domain name.

    ASA1(config)# class-map type inspect http ACS_URL
    ASA1(config-cmap)# match request uri regex class BAD_DOMAINS

Having identified the specific layer 7 traffic, we apply actions to it with a policy-map type inspect. Note that we apply two actions, dropping the connection and logging the dropped connection.

    ASA1(config-cmap)# policy-map type inspect http ACS_URL
    ASA1(config-pmap)# class ACS_URL
    ASA1(config-pmap-c)# drop-connection log

Now we need an ACL that identifies the layer 3/4 traffic: traffic from the ACS server to any host using HTTP.

    ASA1(config)# access-list ACS_HTTP permit tcp host 192.168.2.101 any eq http

We use this ACL in a layer 3/4 class map to identify the traffic.

    ASA1(config)# class-map ACS_HTTP
    ASA1(config-cmap)# match access-list ACS_HTTP

Now we apply actions to the traffic identified by the layer 3/4 class map with a policy map. Note the inspect http ACS_URL, which nests our layer 7 policy within the layer 3/4 policy map.

    ASA1(config)# policy-map ACS_HTTP
    ASA1(config-pmap)# class ACS_HTTP
    ASA1(config-pmap-c)# inspect http ACS_URL

Finally, apply the policy so that it affects outgoing traffic from the ACS server. This is done with service-policy on the inside interface.
    ASA1(config)# service-policy ACS_HTTP interface inside

Task 1.52
Verify that both of your layer 3/4 policies are applied to the correct interfaces and are using the correct layer 7 policies.

Because the configuration is lengthy, it's always a good idea to double-check your policies. Verify the layer 3/4 policies with show service-policy (global policy output removed). Note that on the inside interface the ACS_HTTP policy is applied and is inspecting http with the ACS_URL layer 7 policy map, and that the R1_ACS policy is applied to the outside interface and is inspecting ftp strict using the ACS_FTP layer 7 policy map.

    ASA1# show service-policy
    Interface inside:
      Service-policy: ACS_HTTP
        Class-map: ACS_HTTP
          Inspect: http ACS_URL, packet 0, drop 0, reset-drop 0
    Interface outside:
      Service-policy: R1_ACS
        Class-map: R1_ACS
          Inspect: ftp strict ACS_FTP, packet 0, drop 0, reset-drop 0

Configure Quality of Service

Task 1.53
DMZ2 contains mail servers. The mail servers send an excessive amount of SMTP traffic, causing connectivity and speed problems for the entire network. Because of this, police outgoing SMTP bandwidth to no more than 20 Mbps. If the SMTP traffic exceeds this rate, drop it.

This is done with MPF, so we need a class map to identify the SMTP traffic. Instead of matching an ACL as in previous examples, we match a TCP port.

    ASA1(config)# class-map SMTP_LIMIT
    ASA1(config-cmap)# match port tcp eq smtp

Now that we've identified our traffic, we apply actions to it with a policy map, using the QoS action police.
With this command we police the output rate to 20,000,000 bits per second, that is 20 Mbps (bits, not bytes). Traffic that conforms (up to 20 Mbps) is transmitted; traffic that exceeds the rate is dropped. The policer also has a burst size that decides how much short-term excess counts as conforming; we leave it at the default here.

    ASA1(config)# policy-map SMTP_LIMIT
    ASA1(config-pmap)# class SMTP_LIMIT
    ASA1(config-pmap-c)# police output 20000000 conform-action transmit exceed-action drop

We now apply the policy to an interface, in this case DMZ2, since that is where the SMTP traffic originates. Be careful with direction: police output acts on traffic leaving the ASA through the interface the policy is attached to, so on DMZ2 it polices traffic towards the mail servers. To police the SMTP the servers send, which enters the ASA on DMZ2, use police input on DMZ2 or police output on the interface the mail leaves through.

    ASA1(config)# service-policy SMTP_LIMIT interface DMZ2

Task 1.54
Clients on the inside network run streaming audio/video applications that use RTP on UDP ports 10000-20000. Because of its time-sensitive nature, this traffic should be given priority over other traffic. The queue size for these packets should be increased to the maximum size.

This QoS feature is known as priority queuing. To configure it, first set up the priority queue on an interface, in this case inside. Per the task, we raise the queue size from the default (1024 here) to the maximum, 2048. The priority queue only affects packets transmitted out of the interface it is created on, and inside is the interface that delivers the stream to the clients.

    ASA1(config)# priority-queue inside
    ASA1(config-priority-queue)# queue-limit 2048

Next we identify the traffic to be prioritized with a class map that matches RTP starting at UDP port 10000 with a range of 10000, meaning ports 10000-20000.

    ASA1(config)# class-map RTP_INSIDE
    ASA1(config-cmap)# match rtp 10000 10000

Now we apply an action to the identified traffic with a policy map. We already have a policy map in place for the inside interface, so we simply add our class to it with the class command and set the action to priority.
The policy map is already applied to the inside interface, so no further configuration is needed.

    ASA1(config)# policy-map ACS_HTTP
    ASA1(config-pmap)# class RTP_INSIDE
    ASA1(config-pmap-c)# priority

Configure Layer 2 Transparent Firewall

Task 1.55
Set up ASA2 as a transparent firewall. Set the hostname to ASA2. Set the management IP to 24.234.2.200. Enable buffered logging with time-stamps at level 6.

Before any other configuration, use the firewall transparent command to put the ASA in transparent mode. Changing the firewall mode clears the running configuration, which is why it has to come first.

    ciscoasa(config)# firewall transparent

You should already be familiar with the hostname command from the previous ASA configuration. The management IP of a transparent firewall is set from global configuration mode with the ip address command (this is the 8.0 to 8.3 syntax; from 8.4 onward the address belongs to the bridge-group BVI interface). It must be on the same subnet as the hosts being bridged.

    ciscoasa(config)# hostname ASA2
    ASA2(config)# ip address 24.234.2.200 255.255.255.0

Logging configuration is identical to a standard ASA.

    ASA2(config)# logging buffered 6
    ASA2(config)# logging timestamp
    ASA2(config)# logging enable

Task 1.56
Configure interface e0/2.55 as the inside interface and set it to VLAN 55.

Sub-interfaces are configured like those of a standard ASA, except that they do not need an IP address since they are not working at layer 3.

    ASA2(config)# int e0/2.55
    ASA2(config-subif)# vlan 55
    ASA2(config-subif)# nameif inside
    INFO: Security level for "inside" set to 100 by default.

Task 1.57
Configure interface e0/2.66 as the outside interface and set it to VLAN 66.

e0/2.66 is set up the same way as e0/2.55.

    ASA2(config)# int e0/2.66
    ASA2(config-subif)# vlan 66
    ASA2(config-subif)# nameif outside
    INFO: Security level for "outside" set to 0 by default.
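Looking back at the HTTP inspection policy of Tasks 1.50 to 1.52, now that the inspection policies are in place and verified, here is a Python illustration of what the regex class actually sees in an HTTP request. It is an added example, not part of the workbook and not Cisco code: it reproduces the ASA's unanchored regex search and the difference between matching the request URI and the Host header, using constructed sample requests and a tighter anchored regex variant that is my suggestion, not something the workbook configures.

```python
"""Added example (not from the workbook): how the regex classes of Tasks 1.50
to 1.52 behave against real HTTP requests. An ASA regex is an unanchored
search, and the field it is searched against depends on the match command:
"match request uri" sees the request-line target, "match request header host"
sees the Host header. The requests below are constructed for the demonstration."""
import re
from typing import Any, Dict, Iterable, Tuple

# The two regex objects from Task 1.50, as the ASA stores them (no anchors).
REGEXES = {
    "illegal": re.compile(r"illegal\.com"),
    "spam": re.compile(r"spam\.net"),
}
# Tighter variants (an assumption, not in the workbook): the name must be the
# registered domain or a subdomain of it, optionally followed by a port.
STRICT_REGEXES = {
    "illegal": re.compile(r"(^|\.)illegal\.com(:[0-9]+)?$"),
    "spam": re.compile(r"(^|\.)spam\.net(:[0-9]+)?$"),
}
BAD_DOMAINS = ("illegal", "spam")   # class-map type regex match-any BAD_DOMAINS


def regex_class_match_any(names: Iterable[str], text: str, table: Dict[str, Any]) -> bool:
    """match-any: the class matches if any listed regex is found anywhere in text."""
    return any(table[n].search(text) for n in names)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP request head into (request-target, lowercase header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return target, headers


def classify(raw: bytes, field: str, strict: bool = False) -> str:
    """Mimic policy-map type inspect http ACS_URL: drop-connection when the
    chosen field ("uri" or "host") matches the BAD_DOMAINS class, else pass."""
    target, headers = parse_request(raw)
    text = target if field == "uri" else headers.get("host", "")
    table = STRICT_REGEXES if strict else REGEXES
    return "drop-connection" if regex_class_match_any(BAD_DOMAINS, text, table) else "pass"


# Constructed sample requests.
PROXY_STYLE = b"GET http://www.illegal.com/index.html HTTP/1.1\r\nHost: www.illegal.com\r\n\r\n"
BROWSER_STYLE = b"GET /index.html HTTP/1.1\r\nHost: www.illegal.com\r\nUser-Agent: x\r\n\r\n"
LOOKALIKE = b"GET / HTTP/1.1\r\nHost: illegal.com.example.org\r\n\r\n"
CLEAN = b"GET /mail?to=spam HTTP/1.1\r\nHost: mail.example.org\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("proxy-style", PROXY_STYLE), ("browser-style", BROWSER_STYLE),
                      ("lookalike", LOOKALIKE), ("clean", CLEAN)]:
        print(f"{name:14} uri={classify(raw, 'uri'):15} host={classify(raw, 'host'):15} "
              f"host/strict={classify(raw, 'host', strict=True)}")
```

The browser-style request is the one that matters: its URI is just /index.html, so a policy matching request uri passes it, while matching the Host header drops it. The lookalike request shows the other side of an unanchored regex, illegal.com.example.org is dropped by the workbook's regex but passed by the anchored one.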
Task 1.58
Add ICMP to the global inspect policy. Ping from R5 to R6 to verify lack of connectivity. Now bring up e0/2 and repeat the ping test.

You should be familiar with adding ICMP inspection to the global_policy from the previous ASA configuration.

    ASA2(config)# policy-map global_policy
    ASA2(config-pmap)# class inspection_default
    ASA2(config-pmap-c)# inspect icmp

Ping from R5 to R6. This ping is expected to fail: the routers are on separate VLANs and, with e0/2 still shut down, nothing bridges the layer 2 traffic from one VLAN to the other.

    R5#ping 24.234.2.6
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 24.234.2.6, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

Bring up physical interface e0/2 and repeat the ping. The ping now succeeds because the firewall is bridging the traffic at layer 2. No ACL is needed for it: the echo goes from the higher security inside interface to the lower security outside interface, and ICMP inspection lets the reply back.

    ASA2(config)# interface e0/2
    ASA2(config-if)# no shut

    R5#ping 24.234.2.6
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 24.234.2.6, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Task 1.59
View the log to see what kind of traffic is being denied. Configure the ASA to allow this traffic and verify that it is working on the routers.

View the log with show logging. Notice that the traffic denied is IP protocol 88 with a destination address of 224.0.0.10. This is EIGRP traffic: protocol 88 is EIGRP and 224.0.0.10 is the EIGRP routers multicast group.
    ASA2(config)# show logging
    Feb 25 2009 15:27:03: %ASA-3-106010: Deny inbound protocol 88 src outside:24.234.2.6 dst inside:224.0.0.10
    Feb 25 2009 15:27:04: %ASA-3-106010: Deny inbound protocol 88 src inside:24.234.2.5 dst outside:224.0.0.10
    Feb 25 2009 15:27:08: %ASA-3-106010: Deny inbound protocol 88 src outside:24.234.2.6 dst inside:224.0.0.10
    Feb 25 2009 15:27:08: %ASA-3-106010: Deny inbound protocol 88 src inside:24.234.2.5 dst outside:224.0.0.10

To permit this traffic we must create and apply ACLs in both directions. The inside to outside packets are denied as well, even though they go from high to low security, because in transparent mode the ASA does not forward IP multicast unless an ACL explicitly permits it. First, the traffic from inside to outside.

    ASA2(config)# access-list INSIDE permit eigrp host 24.234.2.5 host 224.0.0.10
    ASA2(config)# access-group INSIDE in interface inside

And then the traffic from outside to inside.

    ASA2(config)# access-list OUTSIDE permit eigrp host 24.234.2.6 host 224.0.0.10
    ASA2(config)# access-group OUTSIDE in interface outside

You'll notice that neighbor adjacencies form on the routers but keep going up and down. The ASA log again shows why: the 224.0.0.10 traffic is allowed, but now the unicast EIGRP traffic between the routers themselves is being denied. Once an ACL is applied to an interface, everything it does not permit is dropped by the implicit deny, including the inside to outside traffic that the security levels alone used to allow.

    ASA2(config)# show logging
    Feb 25 2009 15:39:44: %ASA-4-106023: Deny protocol 88 src outside:24.234.2.6 dst inside:24.234.2.5 by access-group "OUTSIDE" [0x0, 0x0]
    Feb 25 2009 15:39:44: %ASA-4-106023: Deny protocol 88 src inside:24.234.2.5 dst outside:24.234.2.6 by access-group "INSIDE" [0x0, 0x0]
    Feb 25 2009 15:39:49: %ASA-4-106023: Deny protocol 88 src outside:24.234.2.6 dst inside:24.234.2.5 by access-group "OUTSIDE" [0x0, 0x0]

To correct this we must add lines to both ACLs to permit the router-to-router EIGRP traffic.
    ASA2(config)# access-list OUTSIDE permit eigrp host 24.234.2.6 host 24.234.2.5
    ASA2(config)# access-list INSIDE permit eigrp host 24.234.2.5 host 24.234.2.6

The EIGRP neighbor adjacencies are now up and stable. You can view them on the routers.

    R5#sho ip eigrp neighbors
    IP-EIGRP neighbors for process 1
    H   Address          Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                     (sec)         (ms)       Cnt Num
    0   24.234.2.6       Fa0/1         13 00:01:24    4   200  0  12

Task 1.60
A host on the outside is trying to perform a man-in-the-middle attack by responding to ARP requests for IP 24.234.2.55 with its own MAC address. The real MAC that should be mapped to 24.234.2.55 is 001b.533b.5555. Configure the ASA to drop the bad ARP traffic.

We defend against this kind of man-in-the-middle attack with ARP inspection. First we statically map IP 24.234.2.55 to MAC 001b.533b.5555 on the inside interface with the arp command. Then we enable ARP inspection on the outside interface with the arp-inspection command. ARP inspection compares every ARP packet on an inspected interface against the static entries: a packet whose MAC, IP or arrival interface contradicts a static entry is dropped. ARP packets for addresses that have no static entry are flooded by default (the flood keyword); use arp-inspection outside enable no-flood to drop those as well, at the cost of having to define a static entry for every host that must be reachable.

    ASA2(config)# arp inside 24.234.2.55 001b.533b.5555
    ASA2(config)# arp-inspection outside enable

Task 1.61
Enable ICMP from the inside networks to anywhere. Verify that the ASA is blocking the bad ARP responses by pinging from R5 to 24.234.2.55 and viewing the firewall log.

First, allow ICMP from our inside networks to anywhere by adding an entry to the INSIDE ACL.

    ASA2(config)# access-list INSIDE extended permit icmp any any

Then try to ping from R5 to 24.234.2.55.
The host on the outside that is MAC spoofing will try to respond to the ARP requests, but the ASA will block them since they have the wrong MAC address and are coming from the wrong interface. View the log; the entry is very clear as to why the traffic is being blocked.

ASA2(config)# show logging
Feb 25 2009 16:23:01: %ASA-3-322002: ARP inspection check failed for arp response received from host 001b.533b.e951 on interface outside. This host is advertising MAC Address 001b.533b.e951 for IP Address 24.234.2.55, which is statically bound to MAC Address 001b.533b.5555

Configure Security Contexts

Task 1.62
Prepare for multiple context mode. Erase the configurations on both ASA1 and ASA2. Change ASA2 to routed mode with the no firewall transparent command. Reload both firewalls.

This is done with the write erase command. Reload the firewall with the reload command.

ASA1# write erase
Erase configuration in flash memory? [confirm]
[OK]
ASA1# reload
Proceed with reload? [confirm]

On ASA2, be sure to change back to routed mode with no firewall transparent.

ASA2(config)# no firewall transparent

Task 1.63
Configure ASA1 as a multiple context firewall. Once it reboots, configure the hostname to ASA.

The firewall mode is changed from single context to multiple context with the mode command. After the reboot you'll be in the system execution space. You'll notice that many of the standard ASA commands are no longer available. This is because the system execution space is primarily used for configuring resources that will be used by the contexts.
The actual firewall configuration that we are used to will be done later within the contexts themselves.

ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
Security context mode: multiple

After the reboot we'll name the firewall ASA.

ciscoasa(config)# hostname ASA
ASA(config)#

Task 1.64
Set up interfaces for future contexts. Interfaces should use unique MAC addresses. Create interface e0/1.11 and set it to VLAN 11. Create interface e0/1.22 and set it to VLAN 22. Enable interfaces e0/0, e0/1 and e0/2.

Unique MAC addresses can be configured with the mac-address auto command.

ASA(config)# mac-address auto

We've created sub-interfaces in previous configurations and the commands are the same.

ASA(config)# int e0/1.11
ASA(config-subif)# vlan 11
ASA(config-subif)# int e0/1.22
ASA(config-subif)# vlan 22

Interfaces are enabled with the no shut command.

ASA(config)# int e0/0
ASA(config-if)# no shut
ASA(config-if)# int e0/1
ASA(config-if)# no shut
ASA(config-if)# int e0/2
ASA(config-if)# no shut

Task 1.65
Delete any existing .cfg files. Create the admin context. Assign it interface e0/2. Set the config to disk0:

Before creating contexts it's a good idea to remove any existing configuration files that might be on your ASA. This is done with the delete command.

ASA1# delete *.cfg
Delete filename [*.cfg]?
Delete disk0:/old_running.cfg? [confirm]
Delete disk0:/c1.cfg? [confirm]
Delete disk0:/c2.cfg? [confirm]
Delete disk0:/admin.cfg? [confirm]

The admin context is used for firewall and context management, sending system-related logs, etc. To create it, use the admin-context command.
Like other contexts, you can configure it with the context command.

ASA1(config)# admin-context admin
ASA1(config)# context admin

Interfaces are added to a context with the allocate-interface command.

ASA(config-ctx)# allocate-interface e0/2

The configuration file for the context is set with the config-url command. If the file doesn't already exist, it will be created. Note the .cfg extension, which indicates a configuration file.

ASA(config-ctx)# config-url disk0:admin.cfg
INFO: Converting disk0:admin.cfg to disk0:/admin.cfg
WARNING: Could not fetch the URL disk0:/admin.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.

Task 1.66
Create context c1. Assign it interfaces e0/0 and e0/1.11. Save the config to disk0:

The configuration of context c1 is very similar to the admin context. We will create the context, allocate interfaces to it and set a configuration file location.

ASA(config)# context c1
Creating context 'c1'... Done. (2)
ASA(config-ctx)# allocate-interface e0/0
ASA(config-ctx)# allocate-interface e0/1.11
ASA(config-ctx)# config-url disk0:c1.cfg
INFO: Converting disk0:c1.cfg to disk0:/c1.cfg
WARNING: Could not fetch the URL disk0:/c1.cfg
INFO: Creating context with default config

Task 1.67
Create context c2. Assign it interfaces e0/0 and e0/1.22. Save the config to disk0:

Context c2 is set up very similarly to context c1. Notice that contexts c1 and c2 are sharing interface e0/0. This is acceptable because the ASA will assign packets to the appropriate context based on a variety of criteria such as source and destination IP, VLAN, etc.
ASA(config)# context c2
Creating context 'c2'... Done. (3)
ASA(config-ctx)# allocate-interface e0/0
ASA(config-ctx)# allocate-interface e0/1.22
ASA(config-ctx)# config-url disk0:c2.cfg
INFO: Converting disk0:c2.cfg to disk0:/c2.cfg
WARNING: Could not fetch the URL disk0:/c2.cfg
INFO: Creating context with default config

Task 1.68
Switch to the admin context and set up interface e0/2 as inside with IP 192.168.2.200/24. Allow the ACS server SSH access to this context. Verify connectivity to the ACS server.

You can move to context configuration mode with the changeto context command. In this case we'll change to the context admin and enter the listed configuration. Inside the context, configuration is treated just as if you were on a physical firewall.

ASA(config)# changeto context admin
ASA/admin(config)# int e0/2
ASA/admin(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA/admin(config-if)# ip address 192.168.2.200 255.255.255.0

SSH access is granted with the ssh command. Notice that we generated a crypto key and configured the ACS server with a 32-bit mask using the inside option.

ASA1/admin(config)# crypto key generate rsa modulus 1024
ASA/admin(config)# ssh 192.168.2.101 255.255.255.255 inside

We can verify connectivity to the ACS server with a ping.

ASA/admin(config)# ping 192.168.2.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Task 1.69
Switch to context c1.
Configure e0/0 as outside with IP address 24.234.0.100/24 and e0/1.11 as inside with IP address 172.16.11.100/24. Add ICMP inspection to the global policy-map and test connectivity by pinging from R2 to R1.

Switch to context c1 with the changeto command and enter the required interface configurations.

ASA/admin(config)# changeto context c1
ASA/c1(config)# int e0/0
ASA/c1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA/c1(config-if)# ip address 24.234.0.100 255.255.255.0
ASA/c1(config-if)# int e0/1.11
ASA/c1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA/c1(config-if)# ip address 172.16.11.100 255.255.255.0

You should already be familiar with adding ICMP inspection to the global policy-map.

ASA/c1(config)# policy-map global_policy
ASA/c1(config-pmap)# class inspection_default
ASA/c1(config-pmap-c)# inspect icmp

The final step is to test your configuration by pinging from R2 to R1. This lets you know that your first context is operational.

R2#ping 24.234.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Task 1.70
Switch to context c2. Configure e0/0 as outside with IP address 24.234.0.200/24 and e0/1.22 as inside with IP address 172.16.22.100/24. NAT the inside network to the outside interface address and require a NAT translation for traffic passing through the firewall. Verify connectivity with telnet from R3 to R1.

The first part of this context's configuration is very similar to c1.
We change to the context and set up the interfaces.

ASA/c1(config)# changeto context c2
ASA/c2(config)# int e0/0
ASA/c2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA/c2(config-if)# ip address 24.234.0.200 255.255.255.0
ASA/c2(config-if)# int e0/1.22
ASA/c2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA/c2(config-if)# ip address 172.16.22.100 255.255.255.0

Now we have to configure PAT, with nat for the inside network and global for the outside interface. Don't forget nat-control to require a translation.

ASA/c2(config)# nat (inside) 1 172.16.22.0 255.255.255.0
ASA/c2(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA/c2(config)# nat-control

Our connectivity test is done with telnet instead of ping. The telnet is successful, although we can't log in. We now have two virtual firewalls with different policies running on a single physical ASA.

R3#telnet 24.234.0.1
Trying 24.234.0.1 ... Open
R1#

Task 1.71
Switch back to the system and set the maximum number of allowed connections for c1 to 200 and the maximum number of connections for c2 to 100. Set the maximum number of SSH connections to the admin context to 5.

Change to the system with the changeto system command. Limits on individual contexts are set by defining a class with the class command. This should not be confused with a class-map. The limits are set with the limit-resource command. Each class can have multiple limit-resource entries, although we've only used one per context in our example. Once the class is created, configure each context to join the proper class with the member command.
ASA(config)# class c1
ASA(config-class)# limit-resource conns 200
ASA(config-class)# context c1
ASA(config-ctx)# member c1
ASA(config)# class c2
ASA(config-class)# limit-resource conns 100
ASA(config-class)# context c2
ASA(config-ctx)# member c2
ASA(config)# class admin
ASA(config-class)# limit-resource ssh 5
ASA(config-class)# context admin
ASA(config-ctx)# member admin

Configure Failover

Task 1.72
Prepare for active/standby failover with ASA2. Set ASA1 as the primary failover unit. Set the failover interface to E0/3 and name it failover. Set the failover IP address to 10.1.1.1/24 and the standby to 10.1.1.11. Bring up the failover interface and enable failover.

Failover configuration is done from the system, not the contexts. From the system, use the failover lan unit command to set the firewall to either primary or secondary. Name and set the interface to be used with the failover lan interface command. Finally, set the IP with the failover interface ip command. Notice the standby IP is set here as well.

ASA(config)# failover lan unit primary
ASA(config-if)# failover lan interface failover e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ASA(config)# failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.11

Bring up the interface with no shut and enable failover with failover.

ASA(config)# int e0/3
ASA(config-if)# no shut
ASA(config)# failover

Task 1.73
Prepare ASA2 for failover. Ensure that it is in multiple mode. Set the failover interface to e0/3 and name it failover. Set the failover IP address to 10.1.1.1 and the standby to 10.1.1.11.
Bring up the failover interface and enable failover.

For failover to function, both firewalls must be in the same mode. Change ASA2 to multiple mode with the mode multiple command. This will require a reboot.

ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]

Failover configuration for the secondary unit is almost identical to the primary. First set the unit as secondary. Then configure and name interface e0/3 with failover lan interface. Set the failover interface IP with the same IP and standby address as ASA1. Issue a no shut command on the failover interface and then enable failover with the failover command.

ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover lan interface failover e0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
ciscoasa(config)# failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.11
ciscoasa(config)# int e0/3
ciscoasa(config-if)# no shut
ciscoasa(config)# failover

Task 1.74
Configure SW2 so that fa0/17 and fa0/23 are both on VLAN 66. This will be the failover VLAN.

These are simple switchport configuration commands. The failover VLAN should be isolated from any other network traffic. Once this configuration is complete, your failover replication should complete shortly.

SW2(config)#int fa0/17
SW2(config-if)#sw mode access
SW2(config-if)#sw access vlan 66
SW2(config-if)#int fa0/23
SW2(config-if)#sw mode access
SW2(config-if)#sw access vlan 66

Task 1.75
Verify that the unit failover configuration is operational.
Failover can be verified with the show failover command. This is the output for ASA1. Notice that this host is listed as Primary - Active and the other host as Secondary - Standby Ready. Also notice that stateful failover is not enabled. We'll address this in the next section.

ASA# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 14:11:11 UTC Feb 26 2009
        This host: Primary - Active
                Active time: 1521 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  admin Interface inside (192.168.2.200): Link Down (Waiting)
                  c1 Interface outside (24.234.0.100): Normal (Waiting)
                  c1 Interface inside (172.16.11.100): Normal (Not-Monitored)
                  c2 Interface outside (24.234.0.200): Normal (Waiting)
                  c2 Interface inside (172.16.22.100): Normal (Not-Monitored)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  admin Interface inside (0.0.0.0): Link Down (Waiting)
                  c1 Interface outside (0.0.0.0): Normal (Waiting)
                  c1 Interface inside (0.0.0.0): Normal (Not-Monitored)
                  c2 Interface outside (0.0.0.0): Normal (Waiting)
                  c2 Interface inside (0.0.0.0): Normal (Not-Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Configure High Availability Solutions

Task 1.76
Configure the firewall pair to use stateful failover.
Verify that state information is replicating to the secondary unit.

Stateful failover allows all state information to be transmitted to the standby unit. This is configured with the failover link command on the primary unit.

ASA(config)# failover link failover e0/3

Verify this is working with show failover. You'll see the additional state information at the bottom of the output.

ASA(config)# show failover
Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         51         0          46         0
        sys cmd         46         0          46         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         5          0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       46
        Xmit Q:         0       1       51

Task 1.77
Configure the firewall to monitor all of the interfaces for c1 and c2. Configure a standby IP address on each interface. This IP should be the primary +10. If one of these interfaces fails, the unit should fail over. Set the interface polltime to 500 milliseconds. Set the unit polltime to 500 milliseconds.

Interface monitoring is set up in the individual security contexts, so you'll need to change to each context and set monitoring with the monitor-interface <interface> command. To set up the standby IP, re-enter the interface IP address with the standby option.
ASA(config)# changeto context c1
ASA/c1(config)# monitor-interface inside
ASA/c1(config)# monitor-interface outside
ASA/c1(config)# int e0/0
ASA/c1(config-if)# ip address 24.234.0.100 255.255.255.0 standby 24.234.0.110
ASA/c1(config-if)# int e0/1.11
ASA/c1(config-if)# ip address 172.16.11.100 255.255.255.0 standby 172.16.11.110
ASA/c1(config)# changeto context c2
ASA/c2(config)# monitor-interface inside
ASA/c2(config)# monitor-interface outside
ASA/c2(config)# int e0/0
ASA/c2(config-if)# ip address 24.234.0.200 255.255.255.0 standby 24.234.0.210
ASA/c2(config-if)# int e0/1.22
ASA/c2(config-if)# ip address 172.16.22.100 255.255.255.0 standby 172.16.22.110

To set the interface polltime, change back to the system and use the failover polltime interface command. The unit polltime is set with failover polltime unit.

ASA/c2(config)# changeto system
ASA(config)# failover polltime interface msec 500
INFO: Failover interface holdtime is set to 5 seconds
ASA(config)# failover polltime unit msec 500
INFO: Failover unit holdtime is set to 2 seconds

Task 1.78
In addition to normal state information, replicate HTTP state information.

HTTP state information is not normally included since these connections are short-lived and commonly retried. To enable HTTP replication, use the failover replication http command.

ASA(config)# failover replication http

Task 1.79
Prepare for load balancing. Disable failover on both ASA1 and ASA2. Configure ASA1 to be the primary for c1 and secondary for c2. Ensure that both ASAs will always take over as active for the context they are primary for.

Disable failover with the no failover command.
This only has to be done on ASA1.

ASA(config)# no failover

To set up load balancing you must configure failover groups and then join contexts to those groups. To configure the failover groups, use the failover group command. Notice that for failover group 1 we set this firewall as the primary. We also set up both groups to preempt, which means the ASA will take over the active state for its group when it comes up.

ASA(config)# failover group 1
ASA(config-fover-group)# primary
ASA(config-fover-group)# preempt
ASA(config)# failover group 2
ASA(config-fover-group)# secondary
ASA(config-fover-group)# preempt

With the failover groups created, we have to join the contexts to their respective groups. This is done with the join-failover-group command.

ASA(config)# context c1
ASA(config-ctx)# join-failover-group 1
ASA(config-ctx)# context c2
ASA(config-ctx)# join-failover-group 2

Task 1.80
Enable failover and verify that active/active is working properly.

Enable failover with the failover command on ASA1.

ASA(config)# failover

Verify the configuration with show failover. You'll notice that this firewall is active for group 1 and standby for group 2. Just below that you'll see the interface IP addresses for c1 but not for c2. This is because the other firewall is currently handling the traffic for c2.
ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
failover replication http
Version: Ours 8.0(4), Mate 8.0(4)
Group 1 last failover at: 15:57:37 UTC Feb 26 2009
Group 2 last failover at: 15:57:36 UTC Feb 26 2009

  This host:    Primary
  Group 1       State:          Active
                Active time:    1118 (sec)
  Group 2       State:          Standby Ready
                Active time:    97 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  admin Interface inside (192.168.2.200): Link Down (Waiting)
                  c1 Interface outside (24.234.0.100): Normal (Waiting)
                  c1 Interface inside (172.16.11.100): Normal (Waiting)
                  c2 Interface outside (24.234.0.210): Normal (Waiting)
                  c2 Interface inside (172.16.22.110): Normal (Waiting)
                slot 1: empty

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    107 (sec)
  Group 2       State:          Active
                Active time:    1036 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  admin Interface inside (0.0.0.0): Link Down (Waiting)
                  c1 Interface outside (24.234.0.110): Normal (Waiting)
                  c1 Interface inside (172.16.11.110): Normal (Waiting)
                  c2 Interface outside (24.234.0.200): Normal (Waiting)
                  c2 Interface inside (172.16.22.100): Normal (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         419        0          407        0
        sys cmd         410        0          407        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         9          0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       408
        Xmit Q:         0       1       420

Task 1.81
Final verification involves testing failover. Telnet from R2 to R1 and enter the password of cisco. Leave the session up. On SW1, shut down port fa0/12. Verify that your telnet session has remained connected. Verify failover.

For this final test, telnet from R2 to R1 using the password cisco.

R2#telnet 24.234.0.1
Trying 24.234.0.1 ... Open
R1#

Now, shut down port fa0/12 on SW1. This connects to the e0/0 interface of ASA1 and will cause an interface failure. Verify that your telnet session is still connected by hitting enter a few times.

R1#
R1#
R1#

Finally, do a show failover on ASA2 to make sure it is active for both failover groups.

ASA(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
failover replication http
Version: Ours 8.0(4), Mate 8.0(4)
Group 1 last failover at: 16:06:03 UTC Feb 26 2009
Group 2 last failover at: 15:57:34 UTC Feb 26 2009

  This host:    Secondary
  Group 1       State:          Active
                Active time:    444 (sec)
  Group 2       State:          Active
                Active time:    1789 (sec)

                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  admin Interface inside (192.168.2.200): Link Down (Waiting)
                  c1 Interface outside (24.234.0.100): Normal (Waiting)
                  c1 Interface inside (172.16.11.100): Normal (Waiting)
                  c2 Interface outside (24.234.0.200): Normal (Waiting)
                  c2 Interface inside (172.16.22.100): Normal (Waiting)
                slot 1: empty
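As an added example (not workbook code), the following script parses the show logging lines seen earlier in this chapter, the EIGRP ACL denies and the ARP inspection failure from Task 1.61, into structured records so the denied flows and the spoofed MAC can be checked programmatically. The sample lines are the workbook's own log output; the protocol-number table and the record layout are the example's own.

```python
"""Triage of the ASA syslog lines shown earlier in this chapter: ACL denies of
EIGRP (IP protocol 88, message IDs 106010/106023) and ARP inspection failures
(message ID 322002, Task 1.61). Added example, not workbook code; the sample
lines are copied from the workbook's show logging output."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Union

# IANA protocol numbers needed to read "Deny protocol NN" messages.
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 88: "eigrp", 89: "ospf"}

TS = r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d): "
# 106010: denied with no matching ACL (no access-group named);
# 106023: denied by an explicit access-group, whose name is reported.
DENY_RE = re.compile(
    TS + r"%ASA-\d-(?P<msgid>106010|106023): Deny (?:inbound )?protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
    r'(?: by access-group "(?P<acl>[^"]+)")?'
)
# 322002: ARP inspection rejected a reply that contradicts a static arp entry.
ARP_RE = re.compile(
    TS + r"%ASA-\d-322002: ARP inspection check failed for arp (?P<op>\w+) received "
    r"from host (?P<src_mac>[0-9a-f.]+) on interface (?P<iface>\w+)\. This host is "
    r"advertising MAC Address (?P<adv_mac>[0-9a-f.]+) for IP Address (?P<ip>[\d.]+), "
    r"which is statically bound to MAC Address (?P<bound_mac>[0-9a-f.]+)"
)


@dataclass(frozen=True)
class Deny:
    ts: str
    proto: str            # protocol name, or the raw number if not in the table
    src_if: str
    src: str
    dst_if: str
    dst: str
    acl: Optional[str]    # None for 106010

    @property
    def multicast(self) -> bool:
        return ipaddress.ip_address(self.dst).is_multicast


@dataclass(frozen=True)
class ArpSpoof:
    ts: str
    iface: str
    ip: str
    advertised_mac: str
    bound_mac: str


def parse_line(line: str) -> Union[Deny, ArpSpoof, None]:
    """Return a Deny or ArpSpoof record for lines we understand, else None."""
    m = DENY_RE.search(line)
    if m:
        num = int(m["proto"])
        return Deny(m["ts"], IP_PROTO_NAMES.get(num, str(num)), m["src_if"], m["src"],
                    m["dst_if"], m["dst"], m["acl"])
    m = ARP_RE.search(line)
    if m:
        return ArpSpoof(m["ts"], m["iface"], m["ip"], m["adv_mac"], m["bound_mac"])
    return None


def triage(lines):
    """Count denies per flow and collect ARP inspection failures.

    The flow key separates multicast hellos (224.0.0.10) from unicast
    router-to-router EIGRP: the chapter shows that permitting the first is
    not enough and each needs its own ACL entry in both directions."""
    denies = Counter()
    spoofs = []
    for line in lines:
        ev = parse_line(line)
        if isinstance(ev, Deny):
            kind = "multicast" if ev.multicast else "unicast"
            denies[(ev.proto, kind, ev.src_if, ev.src, ev.dst, ev.acl)] += 1
        elif isinstance(ev, ArpSpoof):
            spoofs.append(ev)
    return denies, spoofs


# Sample lines copied from the workbook's show logging output.
SAMPLE_LOG = [
    "Feb 25 2009 15:27:03: %ASA-3-106010: Deny inbound protocol 88 src outside:24.234.2.6 dst inside:224.0.0.10",
    "Feb 25 2009 15:27:04: %ASA-3-106010: Deny inbound protocol 88 src inside:24.234.2.5 dst outside:224.0.0.10",
    "Feb 25 2009 15:27:08: %ASA-3-106010: Deny inbound protocol 88 src outside:24.234.2.6 dst inside:224.0.0.10",
    "Feb 25 2009 15:27:08: %ASA-3-106010: Deny inbound protocol 88 src inside:24.234.2.5 dst outside:224.0.0.10",
    'Feb 25 2009 15:39:44: %ASA-4-106023: Deny protocol 88 src outside:24.234.2.6 dst inside:24.234.2.5 by access-group "OUTSIDE" [0x0, 0x0]',
    'Feb 25 2009 15:39:44: %ASA-4-106023: Deny protocol 88 src inside:24.234.2.5 dst outside:24.234.2.6 by access-group "INSIDE" [0x0, 0x0]',
    'Feb 25 2009 15:39:49: %ASA-4-106023: Deny protocol 88 src outside:24.234.2.6 dst inside:24.234.2.5 by access-group "OUTSIDE" [0x0, 0x0]',
    "Feb 25 2009 16:23:01: %ASA-3-322002: ARP inspection check failed for arp response received from host 001b.533b.e951 on interface outside. This host is advertising MAC Address 001b.533b.e951 for IP Address 24.234.2.55, which is statically bound to MAC Address 001b.533b.5555",
]

SAMPLE_DENIES, SAMPLE_SPOOFS = triage(SAMPLE_LOG)

if __name__ == "__main__":
    for (proto, kind, src_if, src, dst, acl), n in SAMPLE_DENIES.items():
        print(f"{n}x {proto} {kind} {src_if}:{src} -> {dst} denied by {acl or 'implicit deny'}")
    for s in SAMPLE_SPOOFS:
        print(f"{s.ts} ARP spoof on {s.iface}: {s.ip} claimed {s.advertised_mac}, bound {s.bound_mac}")
```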
Chapter 2 ~ IOS Firewall

IOS Firewall Technology Diagram
[Figure: VLAN 12 24.234.12.0/24, VLAN 23 24.234.23.0/24, VLAN 36 24.234.36.0/24, VLAN 4 24.234.4.0/24, VLAN 5 24.234.5.0/24, VLAN 6 24.234.6.0/24, VLAN 192 192.168.0.0/16, Frame Relay 24.234.245.0/24; routers R1 to R6 on F0/0, F0/1 and S0/0/0; ACS at .101; routing protocols EIGRP 1 and RIP v2]

Physical cabling (from the diagram)
Device      Port            Connected to
R1          Fa0/0           SW1 Fa0/1
R1          Fa0/1           SW2 Fa0/1
R2          Fa0/0           SW1 Fa0/2
R2          Fa0/1           SW2 Fa0/2
R3          Fa0/0           SW1 Fa0/3
R3          Fa0/1           SW2 Fa0/3
R4          Fa0/0           SW1 Fa0/4
R4          Fa0/1           SW2 Fa0/4
R5          Fa0/0           SW1 Fa0/5
R5          Fa0/1           SW2 Fa0/5
R6          Fa0/0           SW1 Fa0/6
R6          Fa0/1           SW2 Fa0/6
BB1         Fa0/0           SW1 Fa0/9
BB1         Fa0/1           SW2 Fa0/9
BB2         Fa0/0           SW1 Fa0/10
BB2         Fa0/1           SW2 Fa0/10
ASA01       E0/0            SW1 Fa0/12
ASA01       E0/2            SW2 Fa0/12
ASA01       E0/1            SW1 Fa0/17
ASA01       E0/3            SW2 Fa0/17
ASA02       E0/0            SW1 Fa0/18
ASA02       E0/2            SW2 Fa0/18
ASA02       E0/1            SW1 Fa0/23
ASA02       E0/3            SW2 Fa0/23
IDS         Gi0/0 (sense)   SW1 Fa0/14
IDS         Gi0/1 (c&c)     SW2 Fa0/14
IDS         Fa1/0           SW3 Fa0/4
IDS         Fa1/1           SW3 Fa0/3
IDS         Fa1/2           SW3 Fa0/2
IDS         Fa1/3           SW3 Fa0/1
R7 (2811)   Fas0/0          SW3 Fas0/17
R7 (2811)   Fas0/1          SW4 Fas0/17
R8 (2811)   Fas0/0          SW3 Fas0/18
R8 (2811)   Fas0/1          SW4 Fas0/18
ACS PC      192.168.2.101   SW1 Fa0/24
XP Test PC  192.168.2.102   SW2 Fa0/16
SW1, SW2, SW3 and SW4 interconnect on Fas0/19 and Fas0/20.

Configure CBAC

Task 2.1
Configure R3 so that interface F0/0 is trusted and interface F0/1 is untrusted. Allow TCP, UDP, and ICMP returning traffic. Allow telnet sessions from FastEthernet0/0 of R6.
R3 and R6 should continue to exchange routing information.

Task 2.2
Configure R3 to log all dropped packets to the local buffer and to the syslog server at 192.168.2.101.

Task 2.3
Configure R3 to log the total number of bytes transmitted over TCP sessions.

Task 2.4
Configure R3 so that it will start dropping incomplete TCP sessions after the number of existing half-open sessions rises above 600. It should stop dropping incomplete TCP sessions when the number of existing half-open sessions falls below 300. Set it to start dropping incomplete TCP sessions when the number of new half-open sessions rises above 400 within a minute. It should stop dropping incomplete TCP sessions when the number of new half-open sessions falls below 200 within a minute.

Task 2.5
Configure R3 to drop TCP sessions if they are not established within 20 seconds. After completion, TCP sessions should only be managed for 4 seconds.

Task 2.6
Configure R3 to drop TCP sessions after 30 minutes of inactivity and UDP sessions after 15 seconds of inactivity. Drop DNS name lookup sessions after 4 seconds.

Task 2.7
Configure R3 to only allow 25 half-open TCP connections to the same host. If this is exceeded, delete all existing half-open sessions for the host and block all new connection requests to the host for 10 minutes.

Task 2.8
Configure R3 to only allow Java responses from webserver 24.234.36.6.

Task 2.9
Configure R3 to inspect all TCP, UDP and ICMP traffic originating from the router.

Task 2.10
Improve the performance of CBAC on R3 by increasing the inspect hash table size to 2048.
Task 2.11
Configure R3 to inspect fragmented packets, with a maximum of 30 unassembled packets.

Task 2.12
Configure R3 to inspect HTTP traffic on port 8000 in addition to the default port. Also inspect port 2121 for FTP traffic if it is destined for 24.234.6.6.

Task 2.13
Configure FastEthernet0/1 on R3 to reassemble fragments for inspection. The maximum number of IP datagrams to be reassembled is 50, and reassembly should be completed within 10 seconds.

Task 2.14
Configure R3 so that IM applications running over HTTP are dropped.

Configure Zone~Based Firewall

Task 2.15
Set up the following security zones on R2: (1) PRIVATE (2) PUBLIC.

Task 2.16
Set up a zone pair to allow traffic from the PRIVATE zone to the PUBLIC zone.

Task 2.17
Configure a class-map that identifies all TCP and UDP traffic.

Task 2.18
Configure a policy-map to inspect the class-map created above.

Task 2.19
Apply the policy-map to the zone pair for PRIVATE to PUBLIC.

Task 2.20
Assign interfaces FastEthernet0/0 and FastEthernet0/1 to the PRIVATE zone and interface Serial0/0/0 to the PUBLIC zone.

Task 2.21
Configure R2 with the inspect parameters listed below. This parameter-map should be applied to the existing class for TCP and UDP traffic.
Alerting should be on.
Auditing should be on.
DNS timeout should be set to 4 seconds.
Drop existing half-open sessions when the number rises above 1000.
- Stop dropping existing half-open sessions when the number falls below 800.
- Drop existing half-open sessions when the number rises above 700 within a minute, and stop dropping existing half-open sessions when the number falls below 500 within a minute.
- Allow a maximum of 3000 sessions.
- Each host can have a maximum of 25 existing half-open sessions. When this is exceeded, all existing half-open sessions should be deleted and blocked for 10 minutes.
- Manage TCP sessions for only 5 seconds after they have finished.
- Delete TCP sessions after 30 minutes of inactivity.
- Delete TCP sessions if not fully established within 20 seconds.
- Delete UDP sessions after 20 seconds of inactivity.

Task 2.22
Rate limit ICMP traffic from the PRIVATE zone to the PUBLIC zone to 8000 bps with a burst of 2000 bytes.

Task 2.23
Drop all P2P (KaZaA, Morpheus, Grokster) traffic and AOL and Yahoo IM traffic from the PRIVATE zone to the PUBLIC zone.
Configure Auth-Proxy

Task 2.24
Configure R1 to authenticate the ACS Server via HTTP before allowing the ACS Server to browse to R2. Use a local user with username authproxyuser and password cisco to do this.

Task 2.25
Configure R1 with a login banner for Authentication Proxy that states "Unauthorized access is prohibited".

Task 2.26
Configure R1 so that user authentication entries are removed after 30 minutes of inactivity. Configure R1 so that the absolute time is 30 minutes. The maximum number of retries should be set to 5.

Task 2.27
Configure R1 so that it only requires authentication if the ACS Server is attempting to HTTP to R2's loopback 0 address (2.2.2.2).
Configure Access Control (Reload startup config for R2 and R3)

Task 2.28
Configure R2 to deny any IP connectivity from behind FastEthernet0/0 to the rest of the network. In order for anyone behind FastEthernet0/0 to have IP connectivity to the rest of the network, they must authenticate to R2 with the username locknkey and password cisco. Idle time should be 2 minutes minimum. Ensure that EIGRP is not interrupted.

Task 2.29
Modify the configuration of R2 to enable per-host access only.

Task 2.30
Configure R3 so that all TCP, UDP, and ICMP traffic initiated from behind FastEthernet0/0 is automatically allowed to return. Permit FastEthernet0/0 on R6 to initiate telnet sessions to the 24.234.0.0 network. Ensure that routing information is not interrupted. Log any denied packets to the local buffer. Do not use CBAC to accomplish this.

Task 2.31
Configure R2 s0/0/0 so that ICMP from R5 s0/0/0 is denied access to the rest of the network from 2am to 4am. Also, deny all non-initial fragments inbound on FastEthernet0/0. All other traffic should be allowed at all times.

IOS Firewall Solutions

Configure CBAC

Task 2.1
Configure R3 so that interface F0/0 is trusted and interface F0/1 is untrusted. Allow TCP, UDP, and ICMP returning traffic. Allow telnet sessions from FastEthernet0/0 of R6. R3 and R6 should continue to exchange routing information.

This is done with CBAC. An ACL is used to block most incoming traffic on the untrusted interface. The ip inspect command allows specific traffic to be statefully inspected, and the return traffic for those sessions is then allowed through the ACL.
The inspect rule can be configured either inbound on FastEthernet0/0 or outbound on FastEthernet0/1. Enabling it outbound on FastEthernet0/1 allows for multiple trusted interfaces.

R3#configure terminal
R3(config)#ip inspect name CBAC tcp
R3(config)#ip inspect name CBAC udp
R3(config)#ip inspect name CBAC icmp
R3(config)#ip access-list extended CBAC_ACL
R3(config-ext-nacl)#permit tcp host 24.234.36.6 any eq 23
R3(config-ext-nacl)#permit udp host 24.234.36.6 host 224.0.0.9 eq 520
R3(config)#interface FastEthernet0/1
R3(config-if)#ip inspect CBAC out
R3(config-if)#ip access-group CBAC_ACL in

You can verify the configuration with show ip inspect all.

R3#sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10
Interface Configuration
 Interface FastEthernet0/1
  Inbound inspection rule is not set
  Outgoing inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10
  Inbound access list is CBAC_ACL
  Outgoing access list is not set

You can further verify with ICMP.
R1 can ping R6, but pings initiated from R6 fail.

R1#ping 24.234.36.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.36.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R6#ping 24.234.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R3 shows the established ICMP session from R1 to R6.

R3#show ip inspect sessions detail
Established Sessions
 Session 46A16EA4 (24.234.12.1:8)=>(24.234.36.6:0) icmp SIS_OPEN
  Created 00:00:08, Last heard 00:00:08
  ECHO request
  Bytes sent (initiator:responder) [360:360]
  In SID 24.234.36.6[0:0]=>24.234.12.1[0:0] on ACL CBAC_ACL (5 matches)
  In SID 0.0.0.0[0:0]=>24.234.12.1[3:3] on ACL CBAC_ACL
  In SID 0.0.0.0[0:0]=>24.234.12.1[11:11] on ACL CBAC_ACL

R3 continues to learn the 24.234.6.0 network (VLAN 6) via RIP.

R3#sh ip route 24.234.6.0
Routing entry for 24.234.6.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via eigrp 1, rip
  Advertised by eigrp 1 metric 1000 1 255 1 1500
  Last update from 24.234.36.6 on FastEthernet0/1, 00:00:04 ago
  Routing Descriptor Blocks:
  * 24.234.36.6, from 24.234.36.6, 00:00:04 ago, via FastEthernet0/1
      Route metric is 1, traffic share count is 1

Task 2.2
Configure R3 to log all dropped packets to the local buffer and to the syslog server at 192.168.2.101.

This is done with the logging command. The buffered keyword sends logs to the local buffer, and the host keyword followed by an IP address sends logs to an external syslog host, in this case the ACS server. The packets themselves are logged by adding the log keyword to the ACL's deny entry.
R3(config)#logging buffered
R3(config)#logging host 192.168.2.101
R3(config)#ip access-list extended CBAC_ACL
R3(config-ext-nacl)#deny ip any any log

To verify, open the Kiwi syslog server on the ACS. Ping from R6 to R2. The ping will fail.

R6#ping 24.234.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.23.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R3's local buffer shows the denied packet.

R3#sh logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 59 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level debugging, 3 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
No active filter modules.
    Trap logging: level informational, 55 message lines logged
        Logging to 192.168.2.101 (udp port 514, audit disabled, link up), 3 message lines logged, xml disabled, filtering disabled

Log Buffer (4096 bytes):

*Mar 11 16:27:10.447: %SYS-5-CONFIG_I: Configured from console by console
*Mar 11 16:27:13.039: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.2.101 started - CLI initiated
*Mar 11 16:28:07.927: %SEC-6-IPACCESSLOGDP: list CBAC_ACL denied icmp 24.234.36.6 -> 24.234.23.2 (8/0), 1 packet

The Kiwi Syslog server shows the denied packet.

Task 2.3
Configure R3 to log the total number of bytes transmitted over TCP sessions.
The audit trail feature tracks all network transactions, recording information such as source and destination host addresses, ports used, and the total number of transmitted bytes, with time stamps. By default, audit-trail is off.

R3(config)#ip inspect name CBAC tcp audit-trail on

Verify by launching a telnet session from R2 to R6, then exit.

R2#telnet 24.234.36.6
Trying 24.234.36.6 ... Open

User Access Verification

Password:
R6#exit

[Connection to 24.234.36.6 closed by foreign host]
R2#

R3 shows the audit trail starting and stopping for the telnet session from R2 to R6.

R3#sh logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 63 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level debugging, 7 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
No active filter modules.
    Trap logging: level informational, 59 message lines logged
        Logging to 192.168.2.101 (udp port 514, audit disabled, link up), 7 message lines logged, xml disabled, filtering disabled

Log Buffer (4096 bytes):

*Mar 11 16:33:39.123: %SEC-6-IPACCESSLOGDP: list CBAC_ACL denied icmp 24.234.36.6 -> 24.234.23.2 (8/0), 19 packets
*Mar 11 16:39:17.643: %SYS-5-CONFIG_I: Configured from console by console
*Mar 11 16:39:56.139: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (24.234.23.2:16071) -- responder (24.234.36.6:23)
*Mar 11 16:40:04.499: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (24.234.23.2:16071) sent 43 bytes -- responder (24.234.36.6:23) sent 86 bytes

The Kiwi Syslog server also shows the audit trail starting and stopping for the telnet session from R2 to R6.

Task 2.4
Configure R3 so that it will start dropping incomplete TCP sessions after the number of existing half-open sessions rises above 600. It should stop dropping incomplete TCP sessions when the number of existing half-open sessions falls below 300. Set it to start dropping incomplete TCP sessions when the number of existing half-open sessions rises above 400 within a minute. It should stop dropping incomplete TCP sessions when the number of existing half-open sessions falls below 200 within a minute.

This is done with the ip inspect max-incomplete and ip inspect one-minute commands. Aggressive behavior (dropping half-open sessions) begins when the number of existing half-open sessions rises above the high threshold value, and ends only when the number of existing half-open sessions falls below the low threshold value; a count between the two thresholds leaves the current state unchanged. The one-minute thresholds apply the same rule to the number of new half-open sessions seen during the one-minute sampling period.
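The start-above-high, stop-below-low rule described above, as an added model written for this edit (not workbook or Cisco IOS code): it tracks both Task 2.4 threshold pairs, replays a constructed trace of half-open counts through them, and emits the ip inspect commands that set the values, so the hysteresis can be checked before the thresholds go on a production router.

```python
"""Model of the CBAC half-open session thresholds from Task 2.4.

Added example (not from the workbook or Cisco IOS): it reproduces the
start/stop rule for "aggressive mode", in which CBAC deletes half-open
sessions, for both threshold pairs, and prints the commands that set them.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Threshold:
    """One high/low pair. Aggressive mode starts when the count rises above
    `high` and stops only when it falls below `low` (hysteresis), so a count
    between the two keeps whatever state is already active."""
    high: int
    low: int
    aggressive: bool = False

    def update(self, count: int) -> bool:
        if not self.aggressive and count > self.high:
            self.aggressive = True
        elif self.aggressive and count < self.low:
            self.aggressive = False
        return self.aggressive


@dataclass
class HalfOpenMonitor:
    """Both pairs that 'show ip inspect config' reports as [low:high]."""
    # Task 2.4 values: absolute number of existing half-open sessions ...
    max_incomplete: Threshold = field(default_factory=lambda: Threshold(600, 300))
    # ... and new half-open sessions seen during the one-minute sampling period.
    one_minute: Threshold = field(default_factory=lambda: Threshold(400, 200))

    def observe(self, existing_half_open: int, new_last_minute: int) -> bool:
        """Return True if CBAC would currently be deleting half-open sessions.
        Either trigger is sufficient and each one clears independently."""
        absolute = self.max_incomplete.update(existing_half_open)
        rate = self.one_minute.update(new_last_minute)
        return absolute or rate

    def config_lines(self) -> List[str]:
        """The ip inspect commands that produce these thresholds."""
        return [
            f"ip inspect max-incomplete high {self.max_incomplete.high}",
            f"ip inspect max-incomplete low {self.max_incomplete.low}",
            f"ip inspect one-minute high {self.one_minute.high}",
            f"ip inspect one-minute low {self.one_minute.low}",
        ]


def replay(monitor: HalfOpenMonitor, samples: List[Tuple[int, int]]) -> List[bool]:
    """Feed (existing_half_open, new_last_minute) samples in order and return
    the aggressive-mode state after each one."""
    return [monitor.observe(existing, new) for existing, new in samples]


# Constructed sample trace: a SYN flood that builds up and drains, then a
# burst of new attempts that trips the one-minute rate threshold alone.
SAMPLE_TRACE = [
    (100, 50),   # normal: below both highs
    (650, 150),  # 650 > 600: absolute threshold starts aggressive mode
    (450, 100),  # 450 is between 300 and 600: stays aggressive
    (250, 80),   # 250 < 300: aggressive mode stops
    (250, 450),  # 450 new/minute > 400: rate threshold restarts it
    (250, 250),  # between 200 and 400: stays aggressive
    (250, 150),  # 150 < 200: stops again
]

if __name__ == "__main__":
    mon = HalfOpenMonitor()
    print("\n".join(mon.config_lines()))
    for sample, state in zip(SAMPLE_TRACE, replay(mon, SAMPLE_TRACE)):
        print(f"existing={sample[0]:4d} new/min={sample[1]:4d} -> "
              f"{'DROPPING half-open' if state else 'normal'}")
```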
R3(config)#ip inspect max-incomplete high 600
R3(config)#ip inspect max-incomplete low 300
R3(config)#ip inspect one-minute high 400
R3(config)#ip inspect one-minute low 200

The max-incomplete and one-minute thresholds have been changed.

R3#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [200:400] connections
max-incomplete sessions thresholds are [300:600]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is on timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10

Task 2.5
Configure R3 to drop TCP sessions if they are not established within 20 seconds. After completion, TCP sessions should only be managed for 4 seconds.

By default, CBAC waits 30 seconds for TCP sessions to establish and manages TCP sessions for 5 seconds after they are closed. This behavior is changed with the ip inspect tcp command using the synwait-time and finwait-time keywords.

R3(config)#ip inspect tcp synwait-time 20
R3(config)#ip inspect tcp finwait-time 4

The TCP synwait-time and finwait-time timers have been changed.

R3#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [200:400] connections
max-incomplete sessions thresholds are [300:600]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 20 sec -- tcp finwait-time is 4 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is on timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10

Task 2.6
Configure R3 to drop TCP sessions after 30 minutes of inactivity and UDP sessions after 15 seconds of inactivity. Drop DNS name lookup sessions after 4 seconds.

The TCP and UDP idle timers are measured in seconds. The default idle time for TCP is 3600 seconds (1 hour) and for UDP 30 seconds. The DNS timer is also measured in seconds, and the default DNS name lookup timeout is 5 seconds. These are all changed with ip inspect using the idle-time and dns-timeout keywords.

R3(config)#ip inspect tcp idle-time 1800
R3(config)#ip inspect udp idle-time 15
R3(config)#ip inspect dns-timeout 4

Verify with the show ip inspect config command.

R3#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [200:400] connections
max-incomplete sessions thresholds are [300:600]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 20 sec -- tcp finwait-time is 4 sec
tcp idle-time is 1800 sec -- udp idle-time is 15 sec
dns-timeout is 4 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is on timeout 1800
    udp alert is on audit-trail is off timeout 15
    icmp alert is on audit-trail is off timeout 10

Task 2.7
Configure R3 to only allow 25 half-open TCP connections to the same host. If this is exceeded, delete all existing half-open sessions for the host and block all new connection requests to the host for 10 minutes.

This is done with ip inspect tcp using the max-incomplete host keywords. The default is to allow 50 half-open TCP sessions per host. The default block-time is 0, which deletes the oldest existing half-open session for the host for every new connection request. When the block-time is greater than 0, the router deletes all existing half-open sessions for the host and then blocks all new connection requests to the host until the block-time expires.

R3(config)#ip inspect tcp max-incomplete host 25 block-time 10

Verify with the show ip inspect config command.

R3#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [200:400] connections
max-incomplete sessions thresholds are [300:600]
max-incomplete tcp connections per host is 25. Block-time 10 minutes.
tcp synwait-time is 20 sec -- tcp finwait-time is 4 sec
tcp idle-time is 1800 sec -- udp idle-time is 15 sec
dns-timeout is 4 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is on timeout 1800
    udp alert is on audit-trail is off timeout 15
    icmp alert is on audit-trail is off timeout 10

Task 2.8
Configure R3 to only allow Java responses from the web server 24.234.36.6.

This is accomplished with ip inspect for http using the java-list keyword. Java blocking only works with numbered standard access lists.

R3(config)#access-list 1 permit host 24.234.36.6
R3(config)#ip inspect name CBAC http java-list 1

Verify with the show ip inspect config command.

R3#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [200:400] connections
max-incomplete sessions thresholds are [300:600]
max-incomplete tcp connections per host is 25. Block-time 10 minutes.
tcp synwait-time is 20 sec -- tcp finwait-time is 4 sec
tcp idle-time is 1800 sec -- udp idle-time is 15 sec
dns-timeout is 4 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is on timeout 1800
    udp alert is on audit-trail is off timeout 15
    icmp alert is on audit-trail is off timeout 10
    http java-list 1 alert is on audit-trail is off timeout 1800

Task 2.9
Configure R3 to inspect all TCP, UDP and ICMP traffic originating from the router.

To enable inspection of router-generated traffic, use ip inspect with the router-traffic keyword.
R3(config)#ip inspect name CBAC tcp router-traffic
R3(config)#ip inspect name CBAC udp router-traffic
R3(config)#ip inspect name CBAC icmp router-traffic

Verify with the show ip inspect config command.

R3#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [200:400] connections
max-incomplete sessions thresholds are [300:600]
max-incomplete tcp connections per host is 25. Block-time 10 minutes.
tcp synwait-time is 20 sec -- tcp finwait-time is 4 sec
tcp idle-time is 1800 sec -- udp idle-time is 15 sec
dns-timeout is 4 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is on timeout 1800
      inspection of router local traffic is enabled
    udp alert is on audit-trail is off timeout 15
      inspection of router local traffic is enabled
    icmp alert is on audit-trail is off timeout 10
      inspection of router local traffic is enabled
    http java-list 1 alert is on audit-trail is off timeout 1800

A telnet from R3 to R6 provides a router-generated TCP session, and the audit trail shows it being inspected.

R3#telnet 24.234.36.6
Trying 24.234.36.6 ... Open

User Access Verification

Password:
*Mar 11 17:20:13.083: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (24.234.36.3:21825) -- responder (24.234.36.6:23)
R6#

Task 2.10
Improve the performance of CBAC on R3 by increasing the inspect hash table size to 2048.

This is done with the ip inspect hashtable-size command. Increasing the size of the hash table reduces the number of sessions per hash bucket, which can improve the throughput performance of CBAC.
R3(config)#ip inspect hashtable-size 2048
CBAC: Changing Hashlen from 1024 to 2048

Task 2.11
Configure R3 to inspect fragmented packets, with a maximum of 30 unassembled packets.

This is done with ip inspect name using the fragment maximum keywords.

R3(config)#ip inspect name CBAC fragment maximum 30

Verify with the show ip inspect config command.

R3#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [200:400] connections
max-incomplete sessions thresholds are [300:600]
max-incomplete tcp connections per host is 25. Block-time 10 minutes.
tcp synwait-time is 20 sec -- tcp finwait-time is 4 sec
tcp idle-time is 1800 sec -- udp idle-time is 15 sec
dns-timeout is 4 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is on timeout 1800
      inspection of router local traffic is enabled
    udp alert is on audit-trail is off timeout 15
      inspection of router local traffic is enabled
    icmp alert is on audit-trail is off timeout 10
      inspection of router local traffic is enabled
    http java-list 1 alert is on audit-trail is off timeout 1800
    fragment Maximum 30 In Use 0 alert is on audit-trail is off timeout 1

Task 2.12
Configure R3 to inspect HTTP traffic on port 8000 in addition to the default port. Also inspect port 2121 for FTP traffic if it is destined for 24.234.6.6.

This is accomplished with PAM (Port to Application Mapping) via the ip port-map command. PAM allows you to customize the TCP or UDP port numbers on which network services or applications are inspected, either globally or only for the hosts matched by a standard access list.
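How CBAC would resolve a destination port to an inspection engine once those maps exist, as an added model written for this edit (not workbook or Cisco IOS code): host-specific entries gated by a standard ACL are consulted before the global system- and user-defined entries, which is the assumed lookup order, and the standard ACL evaluator is a small hypothetical implementation rather than the IOS one.

```python
"""Model of Port-to-Application Mapping (PAM) lookup for Task 2.12.

Added example (not from the workbook or Cisco IOS): given a flow's protocol,
destination port and destination host, return the application whose
inspection engine CBAC would apply. Host-specific maps carry a standard ACL
and are assumed to be consulted before the global maps.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PortMap:
    app: str
    proto: str
    port: int
    acl: Optional[Sequence[str]] = None   # standard ACL lines; None = global map
    origin: str = "user defined"


def standard_acl_permits(acl: Sequence[str], host: str) -> bool:
    """Evaluate numbered standard ACL lines ('permit|deny any',
    'permit|deny host A.B.C.D', 'permit|deny A.B.C.D [wildcard]') top-down
    against one address, ending with the implicit deny."""
    addr = int(IPv4Address(host))
    for line in acl:
        action, *target = line.split()
        if target == ["any"]:
            hit = True
        elif target[0] == "host":
            hit = addr == int(IPv4Address(target[1]))
        else:
            base = int(IPv4Address(target[0]))
            wildcard = int(IPv4Address(target[1])) if len(target) > 1 else 0
            keep = ~wildcard & 0xFFFFFFFF      # bits the wildcard says must match
            hit = (addr & keep) == (base & keep)
        if hit:
            return action == "permit"
    return False


# A few of the system-defined defaults plus the Task 2.12 user entries:
#   ip port-map http port tcp 8000
#   access-list 21 permit 24.234.6.6
#   ip port-map ftp port 2121 list 21
PORT_MAPS: List[PortMap] = [
    PortMap("http", "tcp", 80, origin="system defined"),
    PortMap("ftp", "tcp", 21, origin="system defined"),
    PortMap("telnet", "tcp", 23, origin="system defined"),
    PortMap("dns", "udp", 53, origin="system defined"),
    PortMap("http", "tcp", 8000),
    PortMap("ftp", "tcp", 2121, acl=("permit 24.234.6.6",)),
]


def resolve_application(proto: str, port: int, dst_host: str,
                        maps: Sequence[PortMap] = PORT_MAPS) -> Optional[str]:
    """Return the application name CBAC would inspect this flow as, or None
    when no map applies (no application-specific engine is then used)."""
    candidates = [m for m in maps if m.proto == proto and m.port == port]
    # Host-specific maps win, but only when their ACL permits the destination.
    for m in candidates:
        if m.acl is not None and standard_acl_permits(m.acl, dst_host):
            return m.app
    for m in candidates:
        if m.acl is None:
            return m.app
    return None


if __name__ == "__main__":
    for proto, port, host in [("tcp", 8000, "24.234.36.6"),
                              ("tcp", 2121, "24.234.6.6"),
                              ("tcp", 2121, "24.234.36.6")]:
        print(proto, port, host, "->", resolve_application(proto, port, host))
```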
R3(config)#ip port-map http port tcp 8000
R3#show ip port-map http
Default mapping:  http    tcp port 80     system defined
Default mapping:  http    tcp port 8000   user defined

R3(config)#access-list 21 permit 24.234.6.6
R3(config)#ip port-map ftp port 2121 list 21
R3#show ip port-map ftp
Default mapping:  ftp     tcp port 21     system defined
Host specific:    ftp     tcp port 2121 in list 21   user defined

Task 2.13
Configure FastEthernet0/1 on R3 to reassemble fragments for inspection. The maximum number of IP datagrams to be reassembled is 50, and reassembly should be completed within 10 seconds.

We'll be using virtual fragmentation reassembly (VFR) to let the firewall reassemble fragments before inspection. This is done with the ip virtual-reassembly command, which is configured per interface. The max-reassemblies keyword limits the number of datagrams being reassembled at once, and timeout limits how long a datagram may wait for its remaining fragments.

R3(config)#int f0/1
R3(config-if)#ip virtual-reassembly max-reassemblies 50 timeout 10

Task 2.14
Configure R3 so that IM applications running over HTTP are dropped.

The application firewall allows the router to perform limited deep packet inspection of instant messenger traffic. In this case we're using it to detect and block IM over HTTP.

R3(config)#appfw policy-name IM
R3(cfg-appfw-policy)#application http
R3(cfg-appfw-policy-http)#port-misuse im action reset
R3(config)#ip inspect name CBAC appfw IM

Verify with the show appfw configuration command.

R3#show appfw configuration
Application Firewall Rule configuration
  Application Policy name IM
    Application http
      port-misuse im action reset

Configure Zone-Based Firewall

Task 2.15
Set up the following security zones on R2: (1) PRIVATE (2) PUBLIC.
The first step in a zone-based firewall is configuring the zones. A security zone is a logical group of interfaces to which a policy can be applied.

R2(config)#zone security PRIVATE
R2(config-sec-zone)#description Inside Networks
R2(config-sec-zone)#exit
R2(config)#zone security PUBLIC
R2(config-sec-zone)#description Outside Networks
R2(config-sec-zone)#exit

Task 2.16
Set up a zone pair to allow traffic from the PRIVATE zone to the PUBLIC zone.

A zone-pair specifies a one-way firewall policy between two security zones. It is configured with the zone-pair security command, and the direction of the traffic is given by the source and destination zones.

R2(config)#zone-pair security OUTBOUND source PRIVATE destination PUBLIC
R2(config-sec-zone-pair)#description Traffic from PRIVATE zone to PUBLIC zone

Task 2.17
Configure a class-map that identifies all TCP and UDP traffic.

Layer 3 and 4 class maps identify traffic at a high level. In this case we're matching all TCP and UDP traffic with the match protocol command within the class-map.

R2(config)#class-map type inspect match-any TCP_UDP_ICMAP
R2(config-cmap)#match protocol tcp
R2(config-cmap)#match protocol udp

Task 2.18
Configure a policy-map to inspect the class-map created above.

Layer 3/4 policy maps define high-level actions such as inspect, drop, pass, and URL filter. In this case we're using inspect.

R2(config)#policy-map type inspect INSPECT_PMAP
R2(config-pmap)#class type inspect TCP_UDP_ICMAP
R2(config-pmap-c)#inspect

Task 2.19
Apply the policy-map to the zone pair for PRIVATE to PUBLIC.
To attach a firewall policy map to a zone-pair we'll use the service-policy type inspect command.

R2(config)#zone-pair security OUTBOUND source PRIVATE destination PUBLIC
R2(config-sec-zone-pair)#service-policy type inspect INSPECT_PMAP

Verify with the show zone-pair security command.

R2#show zone-pair security
Zone-pair name OUTBOUND
    Description: Traffic from PRIVATE zone to PUBLIC zone
    Source-Zone PRIVATE  Destination-Zone PUBLIC
    service-policy INSPECT_PMAP

Task 2.20
Assign interfaces FastEthernet0/0 and FastEthernet0/1 to the PRIVATE zone and interface Serial0/0/0 to the PUBLIC zone.

Traffic between members of the same zone is unrestricted. Traffic between members of different zones is only allowed if a zone-pair and a policy exist for that direction. Add an interface to a zone with the zone-member security command.

R2(config)#interface FastEthernet 0/0
R2(config-if)#zone-member security PRIVATE
R2(config-if)#interface FastEthernet 0/1
R2(config-if)#zone-member security PRIVATE
R2(config-if)#interface Serial0/0/0
R2(config-if)#zone-member security PUBLIC

Verify with the show zone security command.

R2#show zone security
zone self
  Description: System defined zone
zone PRIVATE
  Description: Inside Networks
  Member Interfaces:
    FastEthernet0/0
    FastEthernet0/1
zone PUBLIC
  Description: Outside Networks
  Member Interfaces:
    Serial0/0/0

Task 2.21
Configure R2 with the inspect parameters listed below. This parameter map should be applied to the existing class for TCP and UDP traffic.
- Alerting should be on.
- Auditing should be on.
- DNS timeout should be set to 4 seconds.
- Drop existing half-open sessions when the number rises above 1000.
- Stop dropping existing half-open sessions when the number falls below 800.
- Drop existing half-open sessions when the number rises above 700 within a minute, and stop dropping existing half-open sessions when the number falls below 500 within a minute.
- Allow a maximum of 3000 sessions.
- Each host can have a maximum of 25 existing half-open sessions. When this is exceeded, all existing half-open sessions should be deleted and blocked for 10 minutes.
- Manage TCP sessions for only 5 seconds after they have finished.
- Delete TCP sessions after 30 minutes of inactivity.
- Delete TCP sessions if not fully established within 20 seconds.
- Delete UDP sessions after 20 seconds of inactivity.

A parameter map lets you specify inspection parameters and apply them within a policy-map. First we'll create the parameter map.

R2(config)#parameter-map type inspect INSPECT_PARAMETER_MAP
R2(config-profile)#alert on
R2(config-profile)#audit-trail on
R2(config-profile)#dns-timeout 4
R2(config-profile)#max-incomplete high 1000
R2(config-profile)#max-incomplete low 800
R2(config-profile)#one-minute high 700
R2(config-profile)#one-minute low 500
R2(config-profile)#sessions maximum 3000
R2(config-profile)#tcp max-incomplete host 25 block-time 10
R2(config-profile)#tcp finwait-time 5
R2(config-profile)#tcp idle-time 1800
R2(config-profile)#tcp synwait-time 20
R2(config-profile)#udp idle-time 20

Then apply it under our existing policy map. Notice that the parameter map is given as an argument to the inspect action. Although we only have one here, different parameter maps can be applied to different classes of traffic.

R2(config)#policy-map type inspect INSPECT_PMAP
R2(config-pmap)#class type inspect TCP_UDP_ICMAP
R2(config-pmap-c)#inspect INSPECT_PARAMETER_MAP

Verify with show parameter-map type inspect.
R2#show parameter-map type inspect
parameter-map type inspect INSPECT_PARAMETER_MAP
  audit-trail on
  alert on
  max-incomplete low 800
  max-incomplete high 1000
  one-minute low 500
  one-minute high 700
  udp idle-time 20
  icmp idle-time 10
  dns-timeout 4
  tcp idle-time 1800
  tcp finwait-time 5
  tcp synwait-time 20
  tcp max-incomplete host 25 block-time 10
  sessions maximum 3000

Task 2.22
Rate limit ICMP traffic from the PRIVATE zone to the PUBLIC zone to 8000 bps with a burst of 2000 bytes.

Rate limiting is done within a policy map with the police command. First identify the protocol ICMP with a class-map.

R2(config)#class-map type inspect ICMP
R2(config-cmap)#match protocol icmp

Then apply actions to it within our existing policy-map.

R2(config)#policy-map type inspect INSPECT_PMAP
R2(config-pmap)#class type inspect ICMP
R2(config-pmap-c)#inspect
R2(config-pmap-c)#police rate 8000 burst 2000

Task 2.23
Drop all P2P (KaZaA, Morpheus, Grokster) traffic and AOL and Yahoo IM traffic from the PRIVATE zone to the PUBLIC zone.

This is done with a layer 7 or application class-map. The match criteria within such a class-map are specific to the particular application. In this case we'll match the listed P2P and IM protocols by name; KaZaA, Morpheus and Grokster all use the FastTrack protocol, so a single match protocol fasttrack covers the three.

R2(config)#class-map type inspect match-any P2P
R2(config-cmap)#match protocol fasttrack
R2(config-cmap)#match protocol aol
R2(config-cmap)#match protocol ymsgr

We can then apply the drop action to this class of traffic in our policy map.

R2(config)#policy-map type inspect INSPECT_PMAP
R2(config-pmap)#class type inspect P2P
R2(config-pmap-c)#drop

Configure Auth-Proxy

Task 2.24
Configure R1 to authenticate the ACS Server via HTTP before allowing the ACS Server to browse to R2. Use a local user with username authproxyuser and password cisco to do this.

Auth-proxy intercepts requests on a particular interface and requires authentication before allowing the connection. The authentication can be either local or remote via TACACS+ or RADIUS. In this example it is local.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username authproxyuser password cisco
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#aaa authorization auth-proxy default local
R1(config)#ip auth-proxy name AUTHP http
R1(config)#interface FastEthernet0/0
R1(config-if)#ip auth-proxy AUTHP
R1(config-if)#exit
R1(config)#ip http server
R1(config)#ip http authentication aaa

Enable the HTTP server on R2 before testing.

R2(config)#ip http server

Verify by attempting to connect via HTTP from the ACS to R2. The connection must first be authenticated.

The show ip auth-proxy cache command lists the authenticated client.

R1#show ip auth-proxy cache
Authentication Proxy Cache
 Client Name authproxyuser, Client IP 192.168.2.101, Port 4775, timeout 60, Time Remaining 60, state ESTAB

Task 2.25
Configure R1 with a login banner for Authentication Proxy that states "Unauthorized access is prohibited".
As we saw in the previous section there is no banner on the authentication screen by default. It can be added with the ip auth-proxy auth-proxy-banner command.

R1(config)#ip auth-proxy auth-proxy-banner http ^Unauthorized access is prohibited^

Clear the authentication proxy cache on R1, and re-authenticate. The login banner is now displayed.

R1#clear ip auth-proxy cache *

Task 2.26

Configure R1 so that user authentication entries are removed after 30 minutes of inactivity. Configure R1 so that the absolute time is 30 minutes. The maximum number of retries should be set to 5.

Auth-proxy has several timers, thresholds and variables that can be modified.

R1(config)#ip auth-proxy inactivity-timer 30
R1(config)#ip auth-proxy absolute-timer 10
R1(config)#ip auth-proxy max-login-attempts 5

Check the absolute-timer value against the task: the task asks for 30 minutes, while the command shown sets it to 10.

Task 2.27

Configure R1 so that it only requires authentication if the ACS Server is attempting to HTTP to R2's loopback 0 address (2.2.2.2).

This is done with the list option at the end of the ip auth-proxy command. It allows for control over what traffic will be authenticated.

R1(config)#access-list 101 permit tcp host 192.168.2.101 host 2.2.2.2 eq 80
R1(config)#ip auth-proxy name AUTHP http list 101

To verify, clear the authentication proxy cache on R1, and browse to 24.234.12.2 from the ACS Server. No authentication is required. From the ACS Server, browse to R2's loopback 0 address 2.2.2.2, and authentication is required.
R1#clear ip auth-proxy cache *

Configure Access Control (Reload startup config for R2 and R3)

Task 2.28

Configure R2 to deny any IP connectivity from behind FastEthernet0/0 to the rest of the network. In order for anyone behind FastEthernet0/0 to have IP connectivity to the rest of the network, they must authenticate to R2 with the username locknkey and password cisco. Idle time should be 2 minutes minimum. Ensure that EIGRP is not interrupted.

This is done with lock-and-key. Lock-and-key allows a user to gain temporary access through a dynamic access list after they have authenticated via telnet to the router. The static entries must still permit the telnet session itself and the EIGRP traffic, otherwise nobody could authenticate and routing would be interrupted.

R2(config)#username locknkey password cisco
R2(config)#ip access-list extended INBOUND
R2(config-ext-nacl)# permit tcp any host 24.234.12.2 eq telnet
R2(config-ext-nacl)# permit eigrp host 24.234.12.1 host 224.0.0.10
R2(config-ext-nacl)# permit eigrp host 24.234.12.1 host 24.234.12.2
R2(config-ext-nacl)# dynamic ACCESS timeout 120 permit ip any any
R2(config-ext-nacl)#interface FastEthernet0/0
R2(config-if)# ip access-group INBOUND in
R2(config-if)#line vty 0 4
R2(config-line)# login local
R2(config-line)# autocommand access-enable timeout 2

Verify by attempting to ping from R1 to R5; it will fail.

R1#ping 24.234.245.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.245.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

In order for R1 to connect to R5, R1 must authenticate to R2 via telnet.

R1#telnet 24.234.12.2
Trying 24.234.12.2 ... Open
User Access Verification
Username: locknkey
Password:
[Connection to 24.234.12.2 closed by foreign host]
R1#ping 24.234.245.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.245.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

Once authenticated, you can view the dynamic ACL entry on R2.

R2#show ip access-lists
Extended IP access list INBOUND
    10 permit tcp any host 24.234.12.2 eq telnet (81 matches)
    20 permit eigrp host 24.234.12.1 host 224.0.0.10 (138 matches)
    30 permit eigrp host 24.234.12.1 host 24.234.12.1
    40 Dynamic ACCESS permit ip any any
       permit ip any any (5 matches) (time left 110)

Notice that the dynamic ACL entry is permit ip any any: once any one user has authenticated, every host behind FastEthernet0/0 gets through. This requirement changes in the next step.

Task 2.29

Modify the configuration of R2 to enable per-host access only.

The host keyword must be used within the access-enable command in order to enable per-host access.

R2(config)#line vty 0 4
R2(config-line)#autocommand access-enable host timeout 2

R1 cannot ping R5, so R1 will need to authenticate to R2 before being allowed.

R1#ping 24.234.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.5.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#
R1#telnet 24.234.12.2
Trying 24.234.12.2 ...
Open
User Access Verification
Username: locknkey
Password:
[Connection to 24.234.12.2 closed by foreign host]
R1#ping 24.234.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
R1#

The dynamic access-list entry now permits the specific host that authenticated instead of any.

R2#sh ip access-lists
Extended IP access list INBOUND
    10 permit tcp any host 24.234.12.2 eq telnet (159 matches)
    20 permit eigrp host 24.234.12.1 host 224.0.0.10 (1020 matches)
    30 permit eigrp host 24.234.12.1 host 24.234.12.1
    40 Dynamic ACCESS permit ip any any
       permit ip host 24.234.12.1 any (5 matches) (time left 104)

Task 2.30

Configure R3 so that all TCP, UDP, and ICMP traffic initiated from behind FastEthernet0/0 is automatically allowed to return. Permit FastEthernet0/0 on R6 to initiate telnet sessions to the 24.234.0.0 network. Ensure that routing information is not interrupted. Log any denied packets to the local buffer. Do not use CBAC to accomplish this.

Since we can't use CBAC, this will be done with reflexive ACLs. Reflexive ACLs allow return traffic for certain protocols, in this case TCP, UDP, and ICMP. On the outbound ACL use the reflect keyword: each permitted outbound flow creates a temporary mirrored entry (addresses and ports swapped) in the named reflexive list. On the inbound or blocking ACL use the evaluate command at the point where the reflexive entries should be consulted, so that return traffic is allowed while anything else falls through to the deny.
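Both mechanisms in this section install temporary entries into an otherwise static access list: lock-and-key (Tasks 2.28 and 2.29) copies the dynamic template into the list when a user authenticates, and reflexive ACLs (Task 2.30) mirror each permitted outbound flow into the list that evaluate consults. The Python model below is an added example, not the workbook's or Cisco's code: it reduces wildcard masks to host/any matching, treats timeouts as idle timers refreshed by matching traffic, and uses constructed packets with the addresses from the tasks.

```python
"""Model of the temporary entries IOS adds to an access list: lock-and-key dynamic
entries (Tasks 2.28 and 2.29) and reflexive entries (Task 2.30).  Added example,
not the workbook's or Cisco's code; packets and timestamps are constructed, and
wildcard masks are reduced to host/any matching for brevity."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # host address or "any"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    idle: Optional[float] = None    # seconds of inactivity after which the entry dies
    last_seen: float = 0.0
    reflect: bool = False           # outbound: mirror the flow into the reflexive list
    evaluate: bool = False          # inbound: consult the reflexive list at this point
    template: bool = False          # lock-and-key "dynamic" line; never matches itself

    def matches(self, pkt: dict, now: float) -> bool:
        if self.template or self.evaluate:
            return False
        if self.idle is not None and now - self.last_seen >= self.idle:
            return False            # timed out
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.src != "any" and self.src != pkt["src"]:
            return False
        if self.dst != "any" and self.dst != pkt["dst"]:
            return False
        if self.sport is not None and self.sport != pkt.get("sport"):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


class Router:
    def __init__(self, inbound, outbound, reflex_timeout=300.0):
        self.inbound, self.outbound = inbound, outbound
        self.reflexive = []
        self.reflex_timeout = reflex_timeout  # IOS default reflexive timeout, seconds

    def _walk(self, acl, pkt, now):
        """First match wins; the implicit deny ip any any ends every IOS ACL."""
        for ace in acl:
            candidates = self.reflexive if ace.evaluate else [ace]
            for c in candidates:
                if c.matches(pkt, now):
                    if c.idle is not None:
                        c.last_seen = now   # matching traffic refreshes the idle timer
                    return c.action, c
        return "deny", None

    def inbound_packet(self, pkt, now):
        return self._walk(self.inbound, pkt, now)[0]

    def outbound_packet(self, pkt, now):
        verdict, ace = self._walk(self.outbound, pkt, now)
        if verdict == "permit" and ace.reflect:
            # reflexive entry: addresses and ports swapped, aged out by inactivity
            self.reflexive.append(Ace("permit", pkt["proto"], pkt["dst"], pkt["src"],
                                      sport=pkt.get("dport"), dport=pkt.get("sport"),
                                      idle=self.reflex_timeout, last_seen=now))
        return verdict

    def lock_and_key_login(self, client_ip, now, per_host, idle_minutes):
        """Model of `autocommand access-enable [host] timeout N` after a telnet login:
        a copy of the dynamic template is installed right after the template line."""
        idx = next(i for i, a in enumerate(self.inbound) if a.template)
        tpl = self.inbound[idx]
        entry = replace(tpl, template=False, last_seen=now, idle=idle_minutes * 60,
                        src=client_ip if per_host else tpl.src)
        self.inbound.insert(idx + 1, entry)
        return entry


def demo_lock_and_key():
    r2 = Router(inbound=[Ace("permit", "tcp", "any", "24.234.12.2", dport=23),
                         Ace("permit", "eigrp", "24.234.12.1", "224.0.0.10"),
                         Ace("permit", "ip", "any", "any", template=True)],
                outbound=[])
    ping = {"proto": "icmp", "src": "24.234.12.1", "dst": "24.234.245.5"}
    before = r2.inbound_packet(ping, now=0)                           # deny
    r2.lock_and_key_login("24.234.12.1", now=10, per_host=True, idle_minutes=2)
    after = r2.inbound_packet(ping, now=20)                           # permit
    other = r2.inbound_packet(dict(ping, src="24.234.12.9"), now=20)  # deny: host keyword
    expired = r2.inbound_packet(ping, now=20 + 121)                   # deny: idle timer
    return before, after, other, expired


def demo_reflexive():
    r3 = Router(
        inbound=[Ace("permit", "udp", "24.234.36.6", "224.0.0.9", dport=520),  # RIP
                 Ace("permit", "tcp", "24.234.36.6", "any", dport=23),          # telnet in
                 Ace("permit", "ip", "any", "any", evaluate=True),              # evaluate REF
                 Ace("deny", "ip", "any", "any")],                              # deny ... log
        outbound=[Ace("permit", "tcp", "any", "any", reflect=True),
                  Ace("permit", "udp", "any", "any", reflect=True),
                  Ace("permit", "icmp", "any", "any", reflect=True)])
    echo = {"proto": "icmp", "src": "24.234.23.2", "dst": "24.234.36.6"}
    reply = {"proto": "icmp", "src": "24.234.36.6", "dst": "24.234.23.2"}
    unsolicited = {"proto": "icmp", "src": "24.234.36.6", "dst": "24.234.23.3"}
    r3.outbound_packet(echo, now=0)
    return (r3.inbound_packet(reply, now=1),          # permit via the reflexive entry
            r3.inbound_packet(unsolicited, now=1),    # deny: no matching reflexive entry
            r3.inbound_packet(reply, now=1 + 301))    # deny: reflexive entry timed out
```

The position of the evaluate line matters in the same way it does on the router: static permits before it (RIP, inbound telnet) are checked first, the reflexive entries are consulted where evaluate sits, and everything else reaches the final deny. The model also shows why the host keyword of Task 2.29 matters: without it the installed entry keeps the template's source of any and every host behind the interface rides on one login.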
R3(config)#logging buffered
R3(config)#ip access-list extended OUTBOUND
R3(config-ext-nacl)#permit tcp any any reflect REF
R3(config-ext-nacl)#permit udp any any reflect REF
R3(config-ext-nacl)#permit icmp any any reflect REF
R3(config-ext-nacl)#ip access-list extended INBOUND
R3(config-ext-nacl)#permit udp host 24.234.36.6 host 224.0.0.9 eq 520
R3(config-ext-nacl)#permit tcp host 24.234.36.6 24.234.0.0 0.0.255.255 eq 23
R3(config-ext-nacl)#evaluate REF
R3(config-ext-nacl)#deny ip any any log
R3(config-ext-nacl)#interface FastEthernet0/1
R3(config-if)# ip access-group INBOUND in
R3(config-if)# ip access-group OUTBOUND out

Test by pinging from R2 to R6.

R2#ping 24.234.36.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.36.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Now do a show ip access-list. Notice that there is a reflexive ACL entry for the traffic.

R3#show ip access-list
Extended IP access list INBOUND
    10 permit udp host 24.234.36.6 host 224.0.0.9 eq rip (12 matches)
    20 permit tcp host 24.234.36.6 24.234.0.0 0.0.255.255 eq telnet
    30 evaluate REF
    40 deny ip any any log
Extended IP access list OUTBOUND
    10 permit tcp any any reflect REF
    20 permit udp any any reflect REF
    30 permit icmp any any reflect REF (10 matches)
Reflexive IP access list REF
     permit icmp host 24.234.36.6 host 24.234.23.2 (20 matches) (time left 282)

Task 2.31

Configure R2 s0/0/0 so that ICMP from R5 s0/0/0 is denied access to the rest of the network from 2am to 4am. Also, deny all non-initial fragments inbound on FastEthernet0/0.
All other traffic should be allowed at all times.

This is accomplished with a time-based ACL. First we'll configure a time range identifying the time we want to work with. Then we'll create an ACL entry using the time range to deny ICMP traffic. The fragments keyword is used to block non-initial fragments. Notice that the fragments deny is the first entry in the ACL: an entry with no layer 4 criteria, such as the final permit ip any any, would otherwise match non-initial fragments as well, so they must be denied before any other entry is checked.

R2(config)#time-range R5
R2(config-time-range)# periodic daily 02:00 to 04:00
R2(config-time-range)#ip access-list extended TIME
R2(config-ext-nacl)#deny ip any any fragments
R2(config-ext-nacl)#deny icmp host 24.234.245.5 any time-range R5
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#interface s0/0/0
R2(config-if)# ip access-group TIME in

Set the clock on R2 to a time outside the range, which will allow R5 to ping R2's loopback address.

R2#clock set 01:00:00 22 jan 2009
R2#
*Jan 22 01:00:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:04:48 UTC Wed Mar 11 2009 to 01:00:00 UTC Thu Jan 22 2009, configured from console by console.

R5#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms

Set the clock on R2 to a time between 2am and 4am and try the ping again. It will fail.

R2#clock set 03:00:00 22 jan 2009
Jan 22 03:00:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 01:01:06 UTC Thu Jan 22 2009 to 03:00:00 UTC Thu Jan 22 2009, configured from console by console.

R5#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Chapter 3 ~ VPN Technology

[Physical topology diagram. Router to switch cabling: each router's Fa0/0 connects to SW1 and its Fa0/1 to SW2, on the switch port numbered like the router: R1 on Fa0/1, R2 on Fa0/2, R3 on Fa0/3, R4 on Fa0/4, R5 on Fa0/5, R6 on Fa0/6, BB1 on Fa0/9, BB2 on Fa0/10. ASA01 E0/0 to SW1 Fa0/12 and E0/2 to SW2 Fa0/12; ASA01 E0/1 to SW1 Fa0/17 and E0/3 to SW2 Fa0/17. ASA02 E0/0 to SW1 Fa0/18 and E0/2 to SW2 Fa0/18; ASA02 E0/1 to SW1 Fa0/23 and E0/3 to SW2 Fa0/23. IDS Gi0/0 (sensing) and Gi0/1 (command and control) on SW1/SW2 Fa0/14. IDS sensor interfaces: G0/0 to SW1 Fa0/14, Fa1/0 to SW3 Fa0/4, Fa1/1 to SW3 Fa0/3, Fa1/2 to SW3 Fa0/2, Fa1/3 to SW3 Fa0/1. SW1, SW2, SW3 and SW4 are interconnected on Fa0/19 and Fa0/20. R7 (2811) Fa0/0 to SW3 Fa0/17 and Fa0/1 to SW4 Fa0/17; R8 (2811) Fa0/0 to SW3 Fa0/18 and Fa0/1 to SW4 Fa0/18. ACS PC on SW1 Fa0/24, 192.168.2.101; XP Test PC on SW2 Fa0/16, 192.168.2.102.]

Configure IPsec lan to lan (IOS/ASA)

Task 3.1

Configure R1 as a CA and NTP server with authentication. Set up ASA1 and R5 as NTP and CA clients.

Task 3.2

Add the following route to the ACS server: route add 100.0.0.0 mask 255.0.0.0 192.168.2.100.
Task 3.3

Configure the following IPsec parameters between ASA1 and R5.
IKE 1: RSA, DH2, AES, SHA
IKE 2: AES, SHA
Protected traffic: all IP between hosts 1.1.1.1 and 22.22.22.2
Tunnel endpoints: ASA 100.60.10.100 and R5 5.5.5.5

DMVPN

Erase and reload the initial configurations on ASA1 and R5. Verify the ACS PC has a route to 100.0.0.0 via the firewall.

Task 3.4

Create a DMVPN using the following:
R2 hub, R3/R4 spokes
GRE network 10.0.0.y/24
New loopback 234 of 10.yy.0.y/24
Overlay of EIGRP 1 for the 10 networks
Source from loopback 0 on each router
IKE 1: DH2, PSK cisco, 3DES, SHA
IKE 2: 3DES, SHA

Task 3.5

Permit the IPsec related traffic through the ASA.

GET VPN

Task 3.6

Set up GET VPN with the following:
R6 key server, R3/R4 group members
IKE 1: 3DES, DH2, lifetime 400, PSK cisco
IKE 2: 3DES, SHA
Interesting traffic: ICMP between 3.3.3.3 and 4.4.4.4, bidirectional
Easy VPN

Task 3.7

Configure EasyVPN with the following:
ASA Easy VPN server on the inside
R2 and the ACS PC as Easy VPN clients
IKE 1: SHA, DH2, AES, PSK
IKE 2: AES, SHA, PFS group 2
Split tunnel: traffic for the 100.70.10.0/24 net
Client mode
Pool 100.60.10.201-210
Username vpn_user, group vpn_group, password cisco (for both)
R2 loopback 0 is the inside interface
Allow password storage on clients
Use a virtual template

Task 3.8

Allow clients to locally save the password.

QoS for VPN

Task 3.9

Configure the ASA to prioritize EasyVPN IPsec traffic.

WebVPN (clientless)

Task 3.10

Configure clientless WebVPN on the inside of ASA1 using the following:
Connection named SSL_VPN
URL: https://192.168.2.100/ssl
Local authentication, user ssl_user password cisco
Group policy = SSL_VPN

High availability

Task 3.11

Configure high availability using the following:
R2 loopback 0 peers with the R3 and R4 HSRP address
IKE 1: PSK cisco, DH2, 3DES, SHA
IKE 2: 3DES, SHA
Interesting traffic: IP between a new loopback 222 of 10.yy.yy.2/24 and R5 loopback 0
Do not add 10.yy.yy.0/24 to any routing protocols on R2.

VPN Technologies Solutions

Configure IPsec lan to lan (IOS/ASA)

Task 3.1

Configure R1 as a CA and NTP server with authentication. Set up ASA1 and R5 as NTP and CA clients.

NTP is necessary so that the validity times on certificates match what time the router thinks it is. If they don't, a valid cert may be seen as expired or not yet valid. The NTP source is set up as Loopback0 so that it will be reachable regardless of physical interface status. ntp master 1 configures the router as an NTP server at stratum 1. Stratum is the distance from the reference clock; stratum 1 is the most trusted/accurate as it is assumed to be directly connected to a reference clock. We set up key 1 as cisco.

R1(config)#ntp source Loopback0
R1(config)#ntp master 1
R1(config)#ntp authentication-key 1 md5 cisco
R1(config)#clock timezone PST -8
R1(config)#clock summer-time PDT recurring
Apr 14 17:31:44.327: %SYS-6-CLOCKUPDATE: System clock has been updated from 17:31:44 UTC Tue Apr 14 2009 to 09:31:44 PST Tue Apr 14 2009, configured from console by console.
Apr 14 17:31:44.811: %SYS-6-CLOCKUPDATE: System clock has been updated from 09:31:44 PST Tue Apr 14 2009 to 10:31:44 PDT Tue Apr 14 2009, configured from console by console.

To configure a router as a CA server you'll need a few things. First, set up the HTTP server; this is used by the clients to enroll. You'll need a domain name and a hostname, which will be included in the cert. Optionally you can generate the keys yourself, which allows you to control the label name; they will be generated automatically if you don't.
R1(config)#ip http server
R1(config)#ip domain-name cisco.com
R1(config)#crypto key generate rsa general-keys label R1-General-Keys modulus 1024 exportable
The name for the keys will be: R1-General-Keys
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
R1(config)#
Apr 14 17:31:53.115: %SSH-5-ENABLED: SSH 1.99 has been enabled

Now we'll configure the server itself. We've included some options such as cert lifetimes and the CDP URL for certificate revocation. The most important one is grant auto. This means certs do not need to be approved via the CLI; they will be granted automatically when a client makes an enrollment request, so any device that can reach the enrollment URL receives a certificate. That is convenient in the lab, but it is exactly the step a production CA would gate with manual approval or a one-time password. Remember to issue the no shut command on the server.

R1(config)#crypto pki server R1-CA_Server
R1(cs-server)#database url nvram:
R1(cs-server)#database level minimum
R1(cs-server)#issuer-name CN=R1-CA_Server.cisco.com L=NV C=US
R1(cs-server)#lifetime ca-certificate 365
R1(cs-server)#lifetime certificate 200
R1(cs-server)#lifetime crl 24
R1(cs-server)#cdp-url http://1.1.1.1/R1-CA_Servercdp.R1-CA_Server.crl
R1(cs-server)#grant auto
R1(cs-server)#
Apr 14 17:33:05.183: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
R1(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:cisco123
Re-enter password:cisco123
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
R1(cs-server)#
Apr 14 17:33:30.451: %PKI-6-CS_ENABLED: Certificate server now enabled.
R1(cs-server)#

With the CA server enabled, we'll move on to client configuration. On the ASA we'll set the same timezone as the server, enter the same key, mark it as trusted and authenticate the server with the key.

ASA-1(config)# domain-name cisco
ASA-1(config)# clock timezone PST -8
ASA-1(config)# clock summer-time PDT recurring
ASA-1(config)# ntp authentication-key 1 md5 cisco
ASA-1(config)# ntp trusted-key 1
ASA-1(config)# ntp authenticate
ASA-1(config)# ntp server 1.1.1.1 key 1

We'll generate RSA keys before setting up the trustpoint. The retry commands are optional; what is important is the enrollment URL. Note that the port is 80.

ASA-1(config)# crypto key generate rsa general-keys modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA-1(config)# crypto ca trustpoint R1-CA
ASA-1(config-ca-trustpoint)# enrollment retry count 5
ASA-1(config-ca-trustpoint)# enrollment retry period 3
ASA-1(config-ca-trustpoint)# enrollment url http://1.1.1.1:80
ASA-1(config-ca-trustpoint)# revocation-check none
ASA-1(config-ca-trustpoint)# exit
ASA-1(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms

After verifying connectivity to the CA server, we'll first authenticate and then enroll to it. Authentication must occur before enrollment is allowed. You will receive a message stating that the certificate has been granted.
ASA-1(config)# crypto ca authenticate R1-CA
INFO: Certificate has the following attributes:
Fingerprint:     5fe94f9c 3ce30ecc 01972a46 9b34833a
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
ASA-1(config)# cryp ca enroll R1-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
Password: cisco123
Re-enter password: cisco123
% The fully-qualified domain name in the certificate will be: ASA-1.cisco
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ASA-1(config)# The certificate has been granted by CA!

The fingerprint shown during authentication is the only thing that ties the downloaded CA certificate to the real CA, since the enrollment transport is plain HTTP. Compare it with the value the CA itself reports before answering yes; the same MD5 value, 5FE94F9C 3CE30ECC 01972A46 9B34833A, is displayed again when R5 authenticates below.

Configuration for routers is almost identical to the ASA. Set the timezone, configure NTP with authentication, set a domain name, generate keys and configure the trustpoint. The CA must be authenticated before enrollment.

R5(config)#clock timezone PST -8
R5(config)#clock summer-time PDT recurring
R5(config)#
Apr 14 18:40:06.592: %SYS-6-CLOCKUPDATE: System clock has been updated from 18:40:06 UTC Tue Apr 14 2009 to 10:40:06 PST Tue Apr 14 2009, configured from console by console.
R5(config)#
Apr 14 18:40:07.740: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:40:07 PST Tue Apr 14 2009 to 11:40:07 PDT Tue Apr 14 2009, configured from console by console.
R5(config)#ntp authentication-key 1 md5 cisco
R5(config)#ntp trusted-key 1
R5(config)#ntp authenticate
R5(config)#ntp server 1.1.1.1 key 1
R5(config)#ip domain-name cisco.com
R5(config)#crypto key generate rsa general-keys modulus 1024 exportable
The name for the keys will be: R5.cisco.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
R5(config)#
*Apr 14 17:52:04.235: %SSH-5-ENABLED: SSH 1.99 has been enabled
R5(config)#crypto ca trustpoint R1-CA
R5(ca-trustpoint)# enrollment retry count 5
R5(ca-trustpoint)# enrollment retry period 3
R5(ca-trustpoint)# enrollment url http://1.1.1.1:80
R5(ca-trustpoint)# revocation-check none
R5(ca-trustpoint)#exit
R5(config)#
R5(config)#!
R5(config)#crypto pki authenticate R1-CA
Certificate has the following attributes:
       Fingerprint MD5: 5FE94F9C 3CE30ECC 01972A46 9B34833A
      Fingerprint SHA1: A6BD7EA9 73833535 8DD8E12E C6BDC548 BEF74795
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R5(config)#cryp pki enroll R1-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: R5.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: loop 0
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-CA verbose' command will show the fingerprint.
R5(config)#
Apr 14 17:49:37.897: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 68D31458 C10A3DC7 B5113FBD 38132DF8
Apr 14 17:49:37.897: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: EF0CFEDB 71907504 A49B193C 7D700BDC 346789D9
R5(config)#
Apr 14 17:49:42.697: %PKI-6-CERTRET: Certificate received from Certificate Authority

Task 3.2

Add the following route to the ACS server: route add 100.0.0.0 mask 255.0.0.0 192.168.2.100

This is simple Windows routing. Traffic for 100.x.x.x should be sent to the next hop of 192.168.2.100.

Task 3.3

Configure the following IPsec parameters between ASA1 and R5.
IKE 1: RSA, DH2, AES, SHA
IKE 2: AES, SHA
Protected traffic: all IP between hosts 1.1.1.1 and 22.22.22.2
Tunnel endpoints: ASA 100.60.10.100 and R5 5.5.5.5

On the ASA you must enable isakmp per interface, so we'll enable it on the outside. An ACL must be set up to identify interesting traffic, in this case any IP from 22.22.22.2 to 1.1.1.1. A tunnel group is set up to enter various attributes of the tunnel. The group name must be the IP address of the peer, in this case 5.5.5.5. The tunnel is configured as ipsec lan to lan. The trustpoint, isakmp policy to use and authentication method (rsa-sig, i.e. PKI) are also set here.
ASA-1(config)# crypto isakmp enable outside
ASA-1(config)# access-list outside_1_cryptomap line 1 extended permit ip host 22.22.22.2 host 1.1.1.1
ASA-1(config)# clear xlate
ASA-1(config)# tunnel-group 5.5.5.5 type ipsec-l2l
ASA-1(config)# tunnel-group 5.5.5.5 ipsec-attributes
ASA-1(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
ASA-1(config-tunnel-ipsec)# trust-point R1-CA
ASA-1(config-tunnel-ipsec)# crypto isakmp policy 10 authen rsa-sig

The isakmp policy is set per the instructions: AES, SHA, DH group 2.

ASA-1(config)# crypto isakmp policy 10 encrypt aes
ASA-1(config)# crypto isakmp policy 10 hash sha
ASA-1(config)# crypto isakmp policy 10 group 2
ASA-1(config)# crypto isakmp policy 10 lifetime 86400

The transform set is configured per the instructions: ESP using AES and SHA.

ASA-1(config)# crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

Now we'll set up our crypto map to tie everything together. We set the trustpoint to be used, reference our previously created ACL for interesting traffic, set the peer, the transform set, the tunnel group to use and the very important peer-id-validate cert command, which makes the ASA check the peer's identity against the certificate it presents rather than accepting any certificate signed by the CA. Finally, the crypto map is applied to the outside interface.

ASA-1(config)# crypto map outside_map 1 set trustpoint R1-CA
ASA-1(config)# crypto map outside_map 1 match address outside_1_cryptomap
ASA-1(config)# crypto map outside_map 1 set peer 5.5.5.5
ASA-1(config)# crypto map outside_map 1 set transform-set ESP-AES-128-SHA
ASA-1(config)# tunnel-group 5.5.5.5 ipsec-attributes
ASA-1(config-tunnel-ipsec)# peer-id-validate cert
ASA-1(config-tunnel-ipsec)# exit
ASA-1(config)# crypto map outside_map interface outside

Router configuration is similar to, but a little simpler than, the ASA's. First we'll create an ACL to identify interesting traffic.
It will be a mirror image of the ASA's ACL.
R5(config)# access-list 100 permit ip 1.1.1.1 0.0.0.0 22.22.22.2 0.0.0.0

Then the isakmp policy is set. This must match what the ASA is using: rsa-sig authentication (the default), AES encryption, SHA for hashing and DH group 2.
R5(config)#crypto isakmp policy 1
R5(config-isakmp)# authentication rsa-sig
R5(config-isakmp)# encr aes 128
R5(config-isakmp)# hash sha
R5(config-isakmp)# group 2
R5(config-isakmp)# lifetime 86400
R5(config-isakmp)# exit

The transform set must also match what is being used on the ASA: ESP with AES and SHA.
R5(config)# crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 128
R5(cfg-crypto-trans)# exit

A crypto map is used to tie the configuration together. Recall that the tunnel endpoint on R5 must be 5.5.5.5, i.e. loopback 0. This must be done even though the crypto map is applied to a physical interface; the local-address loop 0 command accomplishes this. The transform set, peer and crypto ACL are all set and the crypto map is applied to the fa0/0.70 interface.
R5(config)# crypto map MYMAP local-address loop 0
R5(config)# crypto map MYMAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R5(config-crypto-map)# set transform-set MYSET
R5(config-crypto-map)# set peer 100.60.10.100
R5(config-crypto-map)# match address 100
R5(config-crypto-map)# exit
R5(config)#interface FastEthernet0/0.70
R5(config-subif)# crypto map MYMAP
R5(config-subif)# exit

Verify by generating interesting traffic, in this case a ping between 1.1.1.1 and 22.22.22.2. The ping is successful. show crypto ipsec sa shows that the 4 packets were encrypted and decrypted on both the router and the ASA.
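Most failed LAN-to-LAN negotiations come down to one side's phase 1 policy, transform set or crypto ACL not matching the other's. As an added example (not workbook code, and not a Cisco tool), the Python script below reads the ASA-1 and R5 lines from this task, normalises the two platforms' spellings and reports any mismatch; the only assumption is that the crypto ACLs contain host entries.

```python
"""Cross-check the ASA-1 and R5 ends of the Task 3.3 tunnel for IKE phase 1,
transform-set and crypto-ACL mismatches. Added example, not workbook code;
the CLI lines are copied from the task."""
import re

ASA_CONFIG = """
crypto isakmp policy 10 authen rsa-sig
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
access-list outside_1_cryptomap line 1 extended permit ip host 22.22.22.2 host 1.1.1.1
"""
IOS_CONFIG = """
crypto isakmp policy 1
 authentication rsa-sig
 encr aes 128
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 128
access-list 100 permit ip 1.1.1.1 0.0.0.0 22.22.22.2 0.0.0.0
"""
# ASA and IOS spell the same phase 1 attributes differently; map both to one name.
KEYS = {"authen": "auth", "authentication": "auth", "encr": "enc", "encrypt": "enc",
        "encryption": "enc", "hash": "hash", "group": "group", "lifetime": "lifetime"}

def _norm_cipher(value):
    # 'aes' / 'esp-aes' with no key size means AES-128 on both platforms.
    return value + " 128" if value in ("aes", "esp-aes") else value

def parse_isakmp(config):
    """{attribute: value} of the first IKE phase 1 policy; handles the ASA
    one-line form and the IOS sub-mode (indented) form."""
    policy, in_policy = {}, False
    for line in config.splitlines():
        if not line.strip():
            continue
        m = re.match(r"crypto isakmp policy \d+\s*(.*)$", line.strip())
        if m:
            in_policy, attr = True, m.group(1)
            if not attr:               # IOS: attributes follow on indented lines
                continue
        elif in_policy and line.startswith(" "):
            attr = line.strip()
        else:
            in_policy = False          # any other top-level command ends the policy
            continue
        key, _, value = attr.partition(" ")
        if key in KEYS:
            policy[KEYS[key]] = _norm_cipher(" ".join(value.split()))
    return policy

def parse_transform_set(config):
    """Set of ESP transforms, order-independent ('esp-aes' equals 'esp-aes 128')."""
    m = re.search(r"^\s*crypto ipsec transform-set \S+\s+(.*)$", config, re.M)
    if not m:
        return set()
    transforms = []
    for tok in m.group(1).split():
        if tok.isdigit():
            transforms[-1] += " " + tok   # key size belongs to the previous transform
        else:
            transforms.append(tok)
    return {_norm_cipher(t) for t in transforms}

def parse_crypto_acl(config):
    """(protocol, src, dst) of the first permit ACE. Assumes host entries only:
    ASA 'host A host B' or IOS 'A 0.0.0.0 B 0.0.0.0'."""
    m = re.search(r"^\s*access-list .*?permit (\S+) (.*)$", config, re.M)
    if not m:
        return None
    hosts = [t for t in m.group(2).split() if t not in ("host", "0.0.0.0")]
    return (m.group(1), hosts[0], hosts[1])

def check_tunnel(local_cfg, remote_cfg):
    """Return a list of mismatches; an empty list means both ends agree.
    Lifetime is deliberately not compared: IKEv1 settles on the shorter one."""
    problems = []
    p1_a, p1_b = parse_isakmp(local_cfg), parse_isakmp(remote_cfg)
    for k in ("auth", "enc", "hash", "group"):
        if p1_a.get(k) != p1_b.get(k):
            problems.append(f"IKE phase 1 {k}: {p1_a.get(k)!r} vs {p1_b.get(k)!r}")
    ts_a, ts_b = parse_transform_set(local_cfg), parse_transform_set(remote_cfg)
    if ts_a != ts_b:
        problems.append(f"transform set: {sorted(ts_a)} vs {sorted(ts_b)}")
    acl_a, acl_b = parse_crypto_acl(local_cfg), parse_crypto_acl(remote_cfg)
    # the remote ACL must be the mirror image: its source is our destination
    if acl_a and acl_b and acl_a != (acl_b[0], acl_b[2], acl_b[1]):
        problems.append(f"crypto ACLs are not mirror images: {acl_a} vs {acl_b}")
    return problems

if __name__ == "__main__":
    print(check_tunnel(ASA_CONFIG, IOS_CONFIG) or "ASA-1 and R5 agree")
```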
Apr 14 18:27:31.483: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verify with a ping from R1 loopback 0 to 22.22.22.2:
R1#ping 22.22.22.2 source loop 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms

R5#show crypto map
Crypto Map: "MYMAP" idb: Loopback0 local address: 5.5.5.5

Crypto Map "MYMAP" 1 ipsec-isakmp
        Peer = 100.60.10.100
        Extended IP access list 100
            access-list 100 permit ip host 1.1.1.1 host 22.22.22.2
        Current peer: 100.60.10.100
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }
        Interfaces using crypto map MYMAP:
                FastEthernet0/0.70

R5# show crypto ipsec sa
interface: FastEthernet0/0.70
    Crypto map tag: MYMAP, local addr 5.5.5.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (22.22.22.2/255.255.255.255/0/0)
   current_peer 100.60.10.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

ASA-1(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 100.60.10.100

      access-list outside_1_cryptomap permit ip host 22.22.22.2 host 1.1.1.1
      local ident (addr/mask/prot/port): (22.22.22.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 5.5.5.5

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

DMVPN

Erase and reload the initial configs on ASA1 and R5. Verify the ACS PC has a route to 100.0.0.0 via the firewall.

Task 3.4
Create a DMVPN using the following:
R2 hub
R3/R4 spokes
GRE network 10.0.0.y/24
New loop 234 of 10.yy.0.y/24
Overlay of eigrp 1 for the 10 networks, sourced from loop 0 on each router
IKE 1: dh2, psk cisco, 3des, sha
IKE 2: 3des, sha

Hub configuration:
First we'll create the loopback interface. It's important to note that this address isn't routable on the existing network.
R2(config)#int loop 234
*Apr 14 20:09:36.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback234, changed state to up
R2(config-if)#ip add 10.22.0.2 255.255.255.0

Now we'll need to set up isakmp according to the instructions: 3DES encryption, SHA for hashing, DH group 2 and authentication using a pre-shared key.
Note that the peer address on the pre-shared key is the wildcard 0.0.0.0. This means the key isn't tied to a specific peer, which is important since multiple peers will be using it. The trade-off is that any peer that knows the key can attempt to negotiate with the hub, so the key should be strong, and the ASA's access list still controls which sources can reach the hub at all.
R2(config)#crypto isakmp policy 1
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash sha
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config-isakmp)# exit
R2(config)#crypto isakmp key cisco address 0.0.0.0

The transform set is configured using the instructions: ESP with 3DES and SHA. Transport mode is set here; if it wasn't, the default of tunnel mode would be used. Transport mode saves us an additional 20 bytes per packet since the existing (GRE) IP header is reused instead of adding a new outer one.
R2(config)# crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
R2(cfg-crypto-trans)# mode transport
R2(cfg-crypto-trans)# exit

Finally, DMVPN doesn't use a crypto map. The IPsec configuration is tied to the tunnel with an IPsec profile, so we'll create that. It is very simple: set the transform set to be used.
R2(config)#crypto ipsec profile DMVPN_PROFILE
R2(ipsec-profile)# set transform-set ESP-3DES-SHA
R2(ipsec-profile)# exit

Most of the DMVPN configuration occurs on the tunnel interface itself. Here we set the bandwidth and delay of the interface, which matters because EIGRP uses these for its metric and because a tunnel interface's default bandwidth is very low while its default delay is very high. We also need to set the MTU to a reasonable level to take into account the additional packet size caused by IPsec and GRE. Otherwise the packet can be too large and cause fragmentation. 1400 is a good conservative MTU.
The ip tcp adjust-mss command modifies the TCP maximum segment size advertised during TCP connection establishment. It is set to 1360 so that end hosts will only send 1360-byte TCP segments, which keeps the total packet size (1360 bytes of data plus a 20-byte IP header and a 20-byte TCP header) no greater than our MTU of 1400 bytes. This is again done to combat fragmentation.
R2(config)#interface Tunnel0
R2(config-if)# ip address 10.0.0.2 255.255.255.0
R2(config-if)# bandwidth 1000
R2(config-if)# delay 1000
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360

Next we'll set up the ip nhrp commands, which let the hub use the Next Hop Resolution Protocol to map the spokes' tunnel IP addresses to their real (NBMA) addresses. The important command here is ip nhrp map multicast dynamic, which replicates multicast (and therefore EIGRP) traffic to every spoke that registers, so EIGRP can function over the tunnel.
R2(config-if)# ip nhrp holdtime 360
R2(config-if)# ip nhrp network-id 100000
R2(config-if)# ip nhrp authentication cisco
R2(config-if)# ip nhrp map multicast dynamic

It is critical to turn off EIGRP split horizon since routing updates will be leaving via the same interface they were received on. Also, next-hop-self must be turned off or *ALL* EIGRP-routed traffic between the spokes will traverse the hub. This defeats the purpose of DMVPN.
R2(config-if)# no ip split-horizon eigrp 1
R2(config-if)# no ip next-hop-self eigrp 1

The tunnel source is set to our loopback 0 interface, the mode is set to GRE multipoint, a tunnel key is set and the IPsec profile is tied to the interface with the tunnel protection command. Finally the interface is brought up with the no shutdown command.
R2(config-if)# tunnel source Loop 0
R2(config-if)# tunnel mode gre multipoint
R2(config-if)# tunnel key 100000
R2(config-if)# tunnel protection ipsec profile DMVPN_PROFILE
R2(config-if)# no shutdown
R2(config-if)# exit

EIGRP is configured. We'll be advertising all of our 10.x.x.x networks. This will include both the tunnel interface and the loopback interface.
R2(config)#router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 10.0.0.0 0.255.255.255
R2(config-router)# exit

R3 spoke configuration:
To start, the configuration is almost identical to the hub. The loopback interface is set up, then isakmp, the transform set and the IPsec profile.
R3(config)#int loop 234
R3(config-if)#ip address 10.33.0.3 255.255.255.0
R3(config)#crypto isakmp policy 1
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)#crypto isakmp key cisco address 0.0.0.0
R3(config)#crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
R3(cfg-crypto-trans)# mode transport
R3(cfg-crypto-trans)# exit
R3(config)#crypto ipsec profile DMVPN_PROFILE
R3(ipsec-profile)# set transform-set ESP-3DES-SHA
R3(ipsec-profile)# exit

The tunnel interface configuration starts the same as the hub: an IP address followed by the commands necessary to combat fragmentation.
R3(config)#interface Tunnel0
R3(config-if)# ip address 10.0.0.3 255.255.255.0
R3(config-if)# bandwidth 1000
R3(config-if)# delay 1000
R3(config-if)# ip mtu 1400
R3(config-if)# ip tcp adjust-mss 1360

There are a few differences in the ip nhrp configuration. First we need to set a next hop server so that we can register our tunnel-to-interface IP mapping and get the mappings for the other spokes we will communicate with. This is done with the ip nhrp nhs command. Note that it points at the hub's tunnel address. Since this is the case, we need to know what routable IP we can send these packets to. This is done with ip nhrp map: we map the NHS tunnel address to the hub's actual interface IP. We then map multicast to this same IP so that EIGRP will function via the tunnel interfaces.
R3(config-if)# ip nhrp holdtime 360
R3(config-if)# ip nhrp network-id 100000
R3(config-if)# ip nhrp authentication cisco
R3(config-if)# ip nhrp nhs 10.0.0.2
R3(config-if)# ip nhrp map 10.0.0.2 100.60.10.22
R3(config-if)# ip nhrp map multicast 100.60.10.22

The rest of the tunnel configuration is the same as the hub: a tunnel source, the GRE mode, a tunnel key and the IPsec profile which will be used to encrypt traffic. Remember to no shut the interface.
R3(config-if)# tunnel source Loop 0
R3(config-if)# tunnel mode gre multipoint
R3(config-if)# tunnel key 100000
R3(config-if)# tunnel protection ipsec profile DMVPN_PROFILE
R3(config-if)# no shutdown
R3(config-if)# exit

EIGRP is set up the same as the hub. It encompasses the entire 10.x.x.x network.
R3(config)#router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 10.0.0.0 0.255.255.255
R3(config-router)# exit

R4 spoke configuration:
Aside from the IP addresses, the other spoke is set up identically to the first spoke.
Cut and paste is the preferred method for additional spokes since it will save a lot of time.
R4(config)#int loop 234
R4(config-if)#ip address 10.44.0.4 255.255.255.0
R4(config)#crypto isakmp policy 1
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# encr 3des
R4(config-isakmp)# hash sha
R4(config-isakmp)# group 2
R4(config-isakmp)# lifetime 86400
R4(config-isakmp)# exit
R4(config)#crypto isakmp key cisco address 0.0.0.0
R4(config)#crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
R4(cfg-crypto-trans)# mode transport
R4(cfg-crypto-trans)# exit
R4(config)#crypto ipsec profile DMVPN_PROFILE
R4(ipsec-profile)# set transform-set ESP-3DES-SHA
R4(ipsec-profile)# exit
R4(config)#interface Tunnel0
R4(config-if)# ip address 10.0.0.4 255.255.255.0
R4(config-if)# bandwidth 1000
R4(config-if)# delay 1000
R4(config-if)# ip mtu 1400
R4(config-if)# ip tcp adjust-mss 1360
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp network-id 100000
R4(config-if)# ip nhrp authentication cisco
R4(config-if)# ip nhrp nhs 10.0.0.2
R4(config-if)# ip nhrp map multicast 100.60.10.22
R4(config-if)# ip nhrp map 10.0.0.2 100.60.10.22
R4(config-if)# tunnel source Loop 0
R4(config-if)# tunnel key 100000
R4(config-if)# tunnel mode gre multipoint
R4(config-if)# tunnel protection ipsec profile DMVPN_PROFILE
R4(config-if)# no shutdown
R4(config-if)# exit
R4(config)#router eigrp 1
R4(config-router)# no auto-summary
R4(config-router)# network 10.0.0.0 0.255.255.255
R4(config-router)# exit

At this point there is still a problem: the IPsec traffic is not being allowed through the ASA.
ASA-1(config)# logging enable
ASA-1(config)# logging buffered 5
ASA-1(config)# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level notifications, 3 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
%ASA-5-111008: User 'enable_15' executed the 'logging buffered 5' command.
%ASA-2-106006: Deny inbound UDP from 4.4.4.4/500 to 100.60.10.22/500 on interface outside
%ASA-2-106006: Deny inbound UDP from 3.3.3.3/500 to 100.60.10.22/500 on interface outside

Task 3.5
Permit the IPSec related traffic through the ASA using an ACL.

We're allowing ISAKMP (UDP/500) and NAT-T (UDP/4500) from each spoke as a general rule.
ASA-1(config)# access-list outside_access_in line 1 extended permit udp host 3.3.3.3 host 100.60.10.22 eq 500
ASA-1(config)# access-list outside_access_in line 1 extended permit udp host 3.3.3.3 host 100.60.10.22 eq 4500
ASA-1(config)# access-list outside_access_in line 1 extended permit udp host 4.4.4.4 host 100.60.10.22 eq 500
ASA-1(config)# access-list outside_access_in line 1 extended permit udp host 4.4.4.4 host 100.60.10.22 eq 4500
ASA-1(config)# clear xlate
ASA-1(config)# access-group outside_access_in in interface outside

With the traffic allowed, your EIGRP neighbor relationships should form and NHRP should be functional.
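The deny messages in the buffer are exactly the evidence needed to write the permits, and the same parsing is what you would run in a log pipeline to catch a spoke that the ASA is silently dropping. As an added example (not part of the workbook), this Python reads %ASA-2-106006 lines and emits host-specific ISAKMP and NAT-T ACEs for the peers seen; the two spoke lines are copied from the show log output above and the third line is constructed to show an unrelated deny being ignored.

```python
"""Turn %ASA-2-106006 denies for ISAKMP/NAT-T into the permit ACEs that
Task 3.5 adds by hand. Added example; the first two deny lines are copied
from 'show log' above, the third is constructed (unrelated traffic)."""
import re

SYSLOG = """\
%ASA-5-111008: User 'enable_15' executed the 'logging buffered 5' command.
%ASA-2-106006: Deny inbound UDP from 4.4.4.4/500 to 100.60.10.22/500 on interface outside
%ASA-2-106006: Deny inbound UDP from 3.3.3.3/500 to 100.60.10.22/500 on interface outside
%ASA-2-106006: Deny inbound UDP from 9.9.9.9/53 to 100.60.10.22/53 on interface outside
"""

DENY_RE = re.compile(
    r"%ASA-\d-106006: Deny inbound (?P<proto>\w+) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)")

# destination ports that mean "an IPsec peer is trying to negotiate"
IPSEC_PORTS = {500: "isakmp", 4500: "nat-t"}

def ipsec_denies(log_text):
    """Return {(interface, src, dst)} for denied UDP/500 or UDP/4500 packets only."""
    found = set()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m["proto"] == "UDP" and int(m["dport"]) in IPSEC_PORTS:
            found.add((m["iface"], m["src"], m["dst"]))
    return found

def ipsec_aces(log_text, acl="outside_access_in"):
    """ACEs permitting both ISAKMP and NAT-T for each denied peer pair, scoped to
    the exact hosts rather than 'any', sorted so repeated runs diff cleanly."""
    aces = []
    for _iface, src, dst in sorted(ipsec_denies(log_text)):
        for port in sorted(IPSEC_PORTS):
            aces.append(f"access-list {acl} extended permit udp host {src} host {dst} eq {port}")
    return aces

if __name__ == "__main__":
    print("\n".join(ipsec_aces(SYSLOG)))
```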
R2#show ip nhrp
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:00:32, expire 00:05:28
  Type: dynamic, Flags: unique registered used
  NBMA address: 3.3.3.3
10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:00:37, expire 00:05:22
  Type: dynamic, Flags: unique registered used
  NBMA address: 4.4.4.4

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.0.0.3                Tu0               10 00:00:41    6   200  0  3
0   10.0.0.4                Tu0               10 00:00:46    4   200  0  3

R3#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 3.3.3.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (100.60.10.22/255.255.255.255/47/0)
   current_peer 100.60.10.22 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
    #pkts decaps: 96, #pkts decrypt: 96, #pkts verify: 96
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 72, #recv errors 0

A show ip route verifies that the next hop for the 10.x.x.x networks is via Tunnel0.
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
O       1.1.1.0 [110/66] via 100.70.10.5, 00:30:59, FastEthernet0/0.70
     2.0.0.0/24 is subnetted, 1 subnets
O       2.2.2.0 [110/12] via 100.60.10.100, 00:36:01, FastEthernet0/0.60
     100.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O       100.110.10.0/24 [110/75] via 100.70.10.5, 00:30:59, FastEthernet0/0.70
C       100.70.10.0/24 is directly connected, FastEthernet0/0.70
O       100.66.10.0/24 [110/67] via 100.70.10.5, 00:30:59, FastEthernet0/0.70
O       100.90.10.0/24 [110/66] via 100.70.10.5, 00:31:00, FastEthernet0/0.70
C       100.60.10.0/24 is directly connected, FastEthernet0/0.60
O       100.55.10.0/24 [110/2] via 100.70.10.5, 00:35:52, FastEthernet0/0.70
O       100.15.10.1/32 [110/65] via 100.70.10.5, 00:31:00, FastEthernet0/0.70
O       100.15.10.5/32 [110/1] via 100.70.10.5, 00:31:20, FastEthernet0/0.70
O       100.11.10.0/24 [110/66] via 100.70.10.5, 00:31:00, FastEthernet0/0.70
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     4.0.0.0/24 is subnetted, 1 subnets
O       4.4.4.0 [110/2] via 100.70.10.4, 00:35:52, FastEthernet0/0.70
                [110/2] via 100.60.10.4, 00:36:12, FastEthernet0/0.60
     5.0.0.0/24 is subnetted, 1 subnets
O       5.5.5.0 [110/2] via 100.70.10.5, 00:35:52, FastEthernet0/0.70
     6.0.0.0/24 is subnetted, 1 subnets
O       6.6.6.0 [110/67] via 100.70.10.5, 00:31:00, FastEthernet0/0.70
     22.0.0.0/24 is subnetted, 1 subnets
O       22.22.22.0 [110/12] via 100.60.10.100, 00:36:03, FastEthernet0/0.60
     10.0.0.0/24 is subnetted, 4 subnets
C       10.0.0.0 is directly connected, Tunnel0
D       10.22.0.0 [90/2944000] via 10.0.0.2, 00:04:38, Tunnel0
D       10.44.0.0 [90/3200000] via 10.0.0.4, 00:02:34, Tunnel0
C       10.33.0.0 is directly connected, Loopback234
O    192.168.2.0/24 [110/11] via 100.60.10.100, 00:19:26, FastEthernet0/0.60

Note that 10.44.0.0 is reached via 10.0.0.4, the other spoke, rather than via the hub's 10.0.0.2; that is the effect of no ip next-hop-self eigrp 1 on R2. A ping and show crypto ipsec sa verify the traffic, and the second SA pair (peer 4.4.4.4) shows the spoke-to-spoke tunnel that NHRP resolved.
R3#ping 10.44.0.4 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.44.0.4, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 4/14/24 ms

R3#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 3.3.3.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (100.60.10.22/255.255.255.255/47/0)
   current_peer 100.60.10.22 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 123, #pkts encrypt: 123, #pkts digest: 123
    #pkts decaps: 122, #pkts decrypt: 122, #pkts verify: 122
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 72, #recv errors 0

     local crypto endpt.: 3.3.3.3, remote crypto endpt.: 100.60.10.22
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0xC400E3DA(3288392666)

     inbound esp sas:
      spi: 0x988C61D7(2559336919)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2003, flow_id: NETGX:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4390499/3146)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC400E3DA(3288392666)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2004, flow_id: NETGX:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4390499/3144)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   current_peer 4.4.4.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 3.3.3.3, remote crypto endpt.: 4.4.4.4
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0xFB5404C8(4216587464)

     inbound esp sas:
      spi: 0x1BCE6890(466512016)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2005, flow_id: NETGX:5, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4525120/3583)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xE945AB59(3913657177)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2007, flow_id: NETGX:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4453101/3581)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x99FE240B(2583569419)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2006, flow_id: NETGX:6, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4525120/3581)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xFB5404C8(4216587464)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2008, flow_id: NETGX:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4453101/3580)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

GET VPN

Task 3.6
Set up GET VPN with the following:
R6 key server
R3/R4 members
IKE 1: 3des, dh2, lifetime 400, psk cisco
IKE 2: 3des, sha
Interesting traffic: icmp between 3.3.3.3 and 4.4.4.4, bidirectional

Key server configuration:
GET VPN uses IPsec to encrypt traffic, so this part of the configuration will look no different than a standard site-to-site VPN. Note the wildcard pre-shared key.
R6(config)#no ip domain lookup
R6(config)#ip domain name cisco.com
R6(config)#crypto isakmp policy 1
R6(config-isakmp)# encr 3des
R6(config-isakmp)# authentication pre-share
R6(config-isakmp)# group 2
R6(config-isakmp)# lifetime 400
R6(config-isakmp)#crypto isakmp key cisco address 0.0.0.0
R6(config)# crypto ipsec transform-set gdoi-trans-group1 esp-3des esp-sha-hmac

We'll be using an IPsec profile, so that is configured here. We're really just setting the transform set to be used, similar to DMVPN. The SA lifetime is optional.
R6(cfg-crypto-trans)# crypto ipsec profile gdoi-profile-group1
R6(ipsec-profile)# set security-association lifetime seconds 1800
R6(ipsec-profile)# set transform-set gdoi-trans-group1
R6(ipsec-profile)#exit

Now we'll set up the GDOI (Group Domain of Interpretation) group. This is the group that this key server will be providing policy for. The server is set to local, meaning that this router is a key server. With GET VPN, if you're using unicast rekey instead of multicast you must define an RSA key that the key server uses to sign rekey messages. This is done with the rekey authentication command.
R6(config)#crypto gdoi group group1
R6(config-gdoi-group)# identity number 1
R6(config-gdoi-group)# server local
R6(gdoi-local-server)# rekey lifetime seconds 86400
R6(gdoi-local-server)# rekey retransmit 10 number 2
R6(gdoi-local-server)# rekey authentication mypubkey rsa group1-export-general
R6(gdoi-local-server)# rekey transport unicast

Policy is set using the sa ipsec <number> command. Here we define the ACL that will be used to determine interesting traffic, the IPsec profile that we'll use and the address clients will use for the server, in this case 6.6.6.6.
R6(gdoi-local-server)# sa ipsec 1
R6(gdoi-sa-ipsec)# profile gdoi-profile-group1
R6(gdoi-sa-ipsec)# match address ipv4 101
R6(gdoi-sa-ipsec)# replay counter window-size 64
R6(gdoi-sa-ipsec)# address ipv4 6.6.6.6

Finally we'll create the ACL that will be used to determine interesting traffic. This step can be performed after the ACL has been referenced in the key server setup, and the ACL can be changed without having to reconfigure the key server.
R6(gdoi-coop-ks-config)#access-list 101 permit icmp host 3.3.3.3 host 4.4.4.4
R6(config)#access-list 101 permit icmp host 4.4.4.4 host 3.3.3.3

Member R3 configuration:
Most of the work in a GET VPN configuration is done on the key server. On the members you simply configure isakmp. A transform set and ACL are not needed as they will be pushed down by the key server.
R3(config)#crypto isakmp policy 1
R3(config-isakmp)# encr 3des
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 3600
R3(config-isakmp)# crypto isakmp key cisco address 6.6.6.6

Now we'll set up the GDOI group. We'll use the same group name and identity number used on the key server. Instead of server local we'll set the server to R6's configured key server address, 6.6.6.6.
R3(config)#crypto gdoi group group1
R3(config-gdoi-group)# identity number 1
R3(config-gdoi-group)# server address ipv4 6.6.6.6
R3(config-gdoi-group)#exit

The configuration is completed by creating a gdoi crypto map and setting it to use the group we just created, group1. The crypto map is then applied to an interface just as it would be in a site-to-site tunnel. Registration should happen almost instantly.
R3(config)#crypto map map-group1 10 gdoi
R3(config-crypto-map)# set group group1
R3(config-crypto-map)# interface fa0/0.60
R3(config-subif)# crypto map map-group1
R3(config-subif)# interface fa0/0.70
R3(config-subif)# crypto map map-group1
*Apr 14 21:14:33.191: %GDOI-5-GM_REGS_COMPL: Registration to KS 6.6.6.6 complete for group group1 using address 100.60.10.3
*Apr 14 21:14:33.443: %CRYPTO-5-GM_REGSTER: Start registration to KS 6.6.6.6 for group group1 using address 100.70.10.3
*Apr 14 21:14:33.571: %SYS-5-CONFIG_I: Configured from console by console
*Apr 14 21:14:33.839: %GDOI-5-GM_REGS_COMPL: Registration to KS 6.6.6.6 complete for group group1 using address 100.70.10.3

Member R4 configuration:
Configuration is identical to R3. Cut and paste is recommended.
R4(config)# crypto isakmp policy 1
R4(config-isakmp)# encr 3des
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# group 2
R4(config-isakmp)# lifetime 3600
R4(config-isakmp)# crypto isakmp key cisco address 6.6.6.6
R4(config)# crypto gdoi group group1
R4(config-gdoi-group)# identity number 1
R4(config-gdoi-group)# server address ipv4 6.6.6.6
R4(config-gdoi-group)# exit
R4(config)#crypto map map-group1 10 gdoi
R4(config-crypto-map)# set group group1
R4(config-crypto-map)#interface Fa0/0.60
R4(config-subif)# crypto map map-group1
R4(config-subif)# interface Fa0/0.70
R4(config-subif)# crypto map map-group1
*Apr 14 21:21:45.119: %GDOI-5-GM_REGS_COMPL: Registration to KS 6.6.6.6 complete for group group1 using address 100.60.10.4
*Apr 14 21:21:45.415: %CRYPTO-5-GM_REGSTER: Start registration to KS 6.6.6.6 for group group1 using address 100.70.10.4
*Apr 14 21:21:45.811: %GDOI-5-GM_REGS_COMPL: Registration to KS 6.6.6.6 complete for group group1 using address 100.70.10.4

Test by pinging 4.4.4.4 with a source of loopback 0. The ping should be successful and a show crypto ipsec sa verifies the encryption.
R3#ping 4.4.4.4 source loop 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R3#show crypto ipsec sa
interface: FastEthernet0/0.60
    Crypto map tag: map-group1, local addr 100.60.10.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/1/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.60.10.3, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.60
     current outbound spi: 0x52555EAA(1381326506)

     inbound esp sas:
      spi: 0x52555EAA(1381326506)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: NETGX:3, crypto map: map-group1
        sa timing: remaining key lifetime (sec): (1733)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x52555EAA(1381326506)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: NETGX:4, crypto map: map-group1
        sa timing: remaining key lifetime (sec): (1732)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/1/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 100.60.10.3, remote crypto endpt.: path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.60 current outbound spi: 0x52555EAA(1381326506) inbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: NETGX:1, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1731) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2002, flow_id: NETGX:2, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1723) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 2 2 1 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated outbound pcp sas: interface: FastEthernet0/0.70 Crypto map tag: map-group1, local addr 100.70.10.3 protected vrf: (none) local ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/1/0) remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/1/0) current_peer port 848 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 100.70.10.3, remote crypto endpt.: path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.70 current outbound spi: 0x52555EAA(1381326506) inbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2007, flow_id: NETGX:7, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1723) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2008, flow_id: NETGX:8, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1721) For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 2 2 2 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/1/0) remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/1/0) current_peer port 848 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 100.70.10.3, remote crypto endpt.: path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.70 current outbound spi: 0x52555EAA(1381326506) inbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2005, flow_id: NETGX:5, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1720) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x52555EAA(1381326506) transform: esp-3des esp-sha-hmac , For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 2 2 3 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated in use settings ={Tunnel, } conn id: 2006, flow_id: NETGX:6, crypto map: map-group1 sa timing: remaining key lifetime (sec): (1716) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: Easy VPN T a s k 3 . 7 Configure EasyVPN with the following: ASA easy vpn server on the inside interface R2 and ACS PC easy vpn clients IKE 1 sha, dh2, aes, psk IKE 2 aes, sha, pfs 2 split tunnel- traffic for the 100.70.10.0/24 net client mode pool 100.60.10.201-210 username vpn_user For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 2 2 4 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated group vpn_group password cisco (for both) R2 loop 0 is inside interface allow password storage on clients user virtual template ASA1 EasyVPN Server configuration: The EasyVPN server configuration can be complex so it helps to break it down into sections. First well configure IPSec settings. These will include the ISAKMP policy and transform set that conforms to the instructions. 
ASA-1(config)# crypto isakmp enable inside
ASA-1(config)# crypto isakmp policy 10 encrypt aes
ASA-1(config)# crypto isakmp policy 10 hash sha
ASA-1(config)# crypto isakmp policy 10 group 2
ASA-1(config)# crypto isakmp policy 10 lifetime 86400
ASA-1(config)# crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

Now we'll set up the EasyVPN attributes that the clients will use. These include the split tunnel ACL, the group policy, the username/password and the IP address pool.

ASA-1(config)# access-list vpn_group_splitTunnelAcl standard permit 100.70.10.0 255.255.255.0
ASA-1(config)# group-policy vpn_group internal
ASA-1(config)# group-policy vpn_group attributes
ASA-1(config-group-policy)# vpn-tunnel-protocol IPSec
ASA-1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA-1(config-group-policy)# split-tunnel-network-list value vpn_group_splitTunnelAcl
ASA-1(config)# username vpn_user password cisco privilege 0
ASA-1(config)# username vpn_user attributes
ASA-1(config-username)# vpn-group-policy vpn_group
ASA-1(config-username)# ip local pool MYPOOL 100.60.10.201-100.60.10.210 mask 255.255.255.0

Now we'll configure the tunnel group. Notice that the type is remote-access. It references the group policy and address pool created above. The IPSec attributes are then set, including the PSK and pre-shared-key authentication for the isakmp policy we already created.
ASA-1(config)# tunnel-group vpn_group type remote-access
ASA-1(config)# tunnel-group vpn_group general-attributes
ASA-1(config-tunnel-general)# default-group-policy vpn_group
ASA-1(config-tunnel-general)# address-pool MYPOOL
ASA-1(config-tunnel-general)# tunnel-group vpn_group ipsec-attributes
ASA-1(config-tunnel-ipsec)# pre-shared-key cisco
ASA-1(config-tunnel-ipsec)# crypto isakmp policy 10 authen pre-share

A dynamic crypto map is used to set both PFS and the transform set. This dynamic map is referenced from the crypto map that is actually applied to the inside interface. The server configuration is now complete.

ASA-1(config)# crypto dynamic-map MYDYN 65535 set pfs group2
ASA-1(config)# crypto dynamic-map MYDYN 65535 set transform-set ESP-AES-128-SHA
ASA-1(config)# crypto map inside_map 65535 ipsec-isakmp dynamic MYDYN
ASA-1(config)# crypto map inside_map interface inside

R2 EasyVPN Client Configuration:

This is known as an EasyVPN hardware client. The setup is fairly simple. First we'll configure the ezvpn client settings. These include the group to be used, which must match the group name created on the ASA, the peer (the ASA) IP address, and the username and password, which must match what was set on the ASA.

R2(config)#crypto ipsec client ezvpn EZ_CLIENT
R2(config-crypto-ezvpn)# group vpn_group key 0 cisco
R2(config-crypto-ezvpn)# peer 192.168.2.100
R2(config-crypto-ezvpn)# username vpn_user password 0 cisco
R2(config-crypto-ezvpn)# xauth userid mode local
R2(config-crypto-ezvpn)# exit

Loopback 0 is configured as the inside of the EasyVPN tunnel.

R2(config)#interface loop 0
R2(config-if)# crypto ipsec client ezvpn EZ_CLIENT inside
R2(config-if)# exit

Now we'll need to create our virtual template.
This template will be cloned to create a virtual-access interface (applied to the physical outside interface) when the actual tunnel is built.

R2(config)#interface Virtual-Template1 type tunnel
R2(config-if)# exit

With the virtual template created, we can go back into our client configuration and set it to use a virtual interface.

R2(config)#crypto ipsec client ezvpn EZ_CLIENT
R2(config-crypto-ezvpn)# virtual-interface 1
R2(config-crypto-ezvpn)# exit

We'll now set the outside interface of the EasyVPN client, the interface that faces the EasyVPN server. We'll also bring up the virtual-template interface.

R2(config)#interface FastEthernet0/0.168
R2(config-subif)# crypto ipsec client ezvpn EZ_CLIENT outside
R2(config-subif)# exit
R2(config)#interface Virtual-Template1 type tunnel
R2(config-if)# no shutdown
R2(config-if)# tunnel mode ipsec ipv4
R2(config-if)# exit
R2(config)#end

Now that the configuration is complete, we can authenticate to the server. This is done with the crypto ipsec client ezvpn xauth command. You'll be prompted for the username and password. Once authenticated the connection will come up: you'll see the client address get assigned and the virtual-access interface come up.
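The show crypto ipsec client ezvpn output used for verification in this and the next task can also be checked against the Task 3.7 requirements programmatically rather than by eye: tunnel state, the assigned address falling inside the 100.60.10.201-210 pool, the split tunnel list, the peer, the virtual-access binding, and whether Save Password is allowed. The Python script below is an added example and is not part of the workbook; the sample output it parses is constructed to mirror R2's output, and the EXPECTED dictionary and the function names are my own.

```python
import ipaddress

# Constructed sample modelled on the "show crypto ipsec client ezvpn" output
# R2 produces in this task (not a live capture).
SAMPLE_STATUS = """\
Easy VPN Remote Phase: 6

Tunnel name : EZ_CLIENT
Inside interface list: Loopback0
Outside interface: Virtual-Access1 (bound to FastEthernet0/0.168)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 100.60.10.201 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 100.70.10.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 192.168.2.100
"""

# Task 3.7 requirements expressed as data so they can be checked, not eyeballed.
EXPECTED = {
    "pool_first": "100.60.10.201",
    "pool_last": "100.60.10.210",
    "split_tunnel": {"100.70.10.0/24"},
    "peer": "192.168.2.100",
}


def parse_ezvpn_status(text):
    """Turn the show output into a dict; split-tunnel entries become ip_network objects."""
    status = {"split_tunnel": []}
    in_split_list = False
    pending_addr = None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, value = (part.strip() for part in raw.split(":", 1))
        if key == "Split Tunnel List":
            in_split_list = True          # Address/Mask pairs from here on are split entries
        elif in_split_list and key == "Address":
            pending_addr = value
        elif in_split_list and key == "Mask":
            status["split_tunnel"].append(
                ipaddress.ip_network(f"{pending_addr}/{value}", strict=False))
        elif key == "Address":
            status["address"] = ipaddress.ip_address(value.split()[0])  # drop "(applied on ...)"
        elif key == "Outside interface":
            iface, _, bound = value.partition(" (bound to ")
            status["outside"] = iface
            status["outside_bound_to"] = bound.rstrip(")") or None
        else:
            status[key] = value
    return status


def check_ezvpn(status, expected, password_storage_allowed):
    """Return a list of deviations from the task requirements (empty means all good)."""
    findings = []
    if status.get("Current State") != "IPSEC_ACTIVE":
        findings.append(f"tunnel state is {status.get('Current State')}, not IPSEC_ACTIVE")
    first = ipaddress.ip_address(expected["pool_first"])
    last = ipaddress.ip_address(expected["pool_last"])
    if not first <= status["address"] <= last:
        findings.append(f"assigned address {status['address']} is outside pool {first}-{last}")
    got = {str(net) for net in status["split_tunnel"]}
    if got != expected["split_tunnel"]:
        findings.append(f"split tunnel list {sorted(got)} != {sorted(expected['split_tunnel'])}")
    if status.get("Current EzVPN Peer") != expected["peer"]:
        findings.append(f"peer {status.get('Current EzVPN Peer')} != {expected['peer']}")
    if not status.get("outside_bound_to"):
        findings.append("virtual-access interface is not bound to a physical outside interface")
    allowed = status.get("Save Password") == "Allowed"
    if allowed != password_storage_allowed:
        findings.append(f"Save Password is {status.get('Save Password')}")
    return findings


if __name__ == "__main__":
    parsed = parse_ezvpn_status(SAMPLE_STATUS)
    # Task 3.7 does not allow password storage yet; Task 3.8 flips this to True.
    for finding in check_ezvpn(parsed, EXPECTED, password_storage_allowed=False) or ["OK"]:
        print(finding)
```

Feeding the script the output captured after Task 3.8 with password_storage_allowed=True gives the same empty result, while running it with the Task 3.7 expectation against that output flags the Save Password change, which is the kind of drift a periodic check over many hardware clients would catch.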
R2# crypto ipsec client ezvpn xauth
Username: vpn_user
Password: cisco
*Apr 14 21:42:08.063: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=vpn_group Server_public_addr=192.168.2.100 Assigned_client_addr=100.60.10.201
*Apr 14 21:42:08.067: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R2#
*Apr 14 21:42:08.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
*Apr 14 21:42:09.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Apr 14 21:42:09.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up

Once the connection is up you can verify the settings with show crypto ipsec client ezvpn. Note that the virtual-access interface is bound to the real outside interface, which tells us the virtual template is functioning. The client IP was received and is part of the pool we set on the server. The split tunnel ACL is also correct: only traffic destined for 100.70.10.0/24 will be encrypted.

R2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : EZ_CLIENT
Inside interface list: Loopback0
Outside interface: Virtual-Access1 (bound to FastEthernet0/0.168)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 100.60.10.201 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 100.70.10.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 192.168.2.100

Task 3.8

Allow clients to locally save the password.

To allow this, add the password-storage enable command to the group policy.
With this enabled, and the xauth userid mode local command on the client (which we've already configured), the password will be stored and the next connection will come up automatically. View the output below for verification.

ASA-1(config)# group-policy vpn_group attributes
ASA-1(config-group-policy)# password-storage enable

R2#clear crypto sa
R2#
*Apr 14 21:46:48.967: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpn_group Server_public_addr=192.168.2.100 Assigned_client_addr=100.60.10.201
R2#
*Apr 14 21:46:49.023: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
*Apr 14 21:46:50.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
R2#
*Apr 14 21:46:51.015: %LINK-5-CHANGED: Interface Loopback10000, changed state to administratively down
*Apr 14 21:46:51.299: EZVPN(EZ_CLIENT): Pending XAuth Request, Please enter the following command:
*Apr 14 21:46:51.299: EZVPN: crypto ipsec client ezvpn xauth
R2#
*Apr 14 21:46:52.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to down
R2#crypto ipsec client ezvpn xauth
Username: vpn_user
Password: cisco
R2#
*Apr 14 21:47:02.827: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=vpn_user Group=vpn_group Server_public_addr=192.168.2.100 Assigned_client_addr=100.60.10.201
R2#
*Apr 14 21:47:02.831: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Apr 14 21:47:03.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2#
*Apr 14 21:47:04.779: %LINK-3-UPDOWN: Interface Loopback10000, changed state to up
*Apr 14 21:47:05.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
R2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : EZ_CLIENT
Inside interface list: Loopback0
Outside interface: Virtual-Access1 (bound to FastEthernet0/0.168)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 100.60.10.201 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
       Address    : 100.70.10.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 192.168.2.100

The first reconnection after enabling password storage still prompts for XAuth, because the client has nothing saved yet. Clear the SAs a second time and the tunnel comes back up with no prompt.

R2#clear crypto sa
R2#
*Apr 14 21:47:58.927: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=vpn_user Group=vpn_group Server_public_addr=192.168.2.100 Assigned_client_addr=100.60.10.201
R2#
*Apr 14 21:47:58.955: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
*Apr 14 21:47:59.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
R2#
*Apr 14 21:48:00.955: %LINK-5-CHANGED: Interface Loopback10000, changed state to administratively down
*Apr 14 21:48:01.087: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=vpn_user Group=vpn_group Server_public_addr=192.168.2.100 Assigned_client_addr=100.60.10.201
R2#
*Apr 14 21:48:01.091: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Apr 14 21:48:02.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2#
*Apr 14 21:48:03.043: %LINK-3-UPDOWN: Interface Loopback10000, changed state to up
R2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : EZ_CLIENT
Inside interface list: Loopback0
Outside interface: Virtual-Access1 (bound to FastEthernet0/0.168)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 100.60.10.201 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
       Address    : 100.70.10.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 192.168.2.100

A telnet from R2 loopback 0 to R5 (100.70.10.5, inside the split-tunnel network) arrives on R5 sourced from the assigned client address 100.60.10.201:

R2#telnet 100.70.10.5 /source-interface Loop 0
Trying 100.70.10.5 ... Open

R5#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:24:34
*514 vty 0                idle                 00:00:00 100.60.10.201

  Interface    User               Mode         Idle     Peer Address

QoS for VPN

Task 3.9

Configure the ASA to prioritize EasyVPN IPSec traffic.

The first step is to configure priority queues on both the inside and outside interfaces. In this case the queue-limit (size of the queue) and tx-ring-limit (number of packets allowed in the queue) are set, but this is optional.

ASA-1(config)# priority-queue inside
ASA-1(config-priority-queue)# tx-ring-limit 80
ASA-1(config-priority-queue)# queue-limit 2048
ASA-1(config-priority-queue)# priority-queue outside
ASA-1(config-priority-queue)# tx-ring-limit 80
ASA-1(config-priority-queue)# queue-limit 2048

Next we'll need to identify the traffic to be placed in the priority queue. This is done with a class-map that matches our EasyVPN tunnel-group. Once identified, an action is applied to the traffic using a policy map. In this case the global policy map is used, which affects the traffic regardless of which interface it appears on. The action, of course, is priority, which places the identified traffic into the priority queue. This means it will be transmitted before normal traffic.

ASA-1(config)# class-map Remote_VPN
ASA-1(config-cmap)# match tunnel-group vpn_group
ASA-1(config-cmap)# policy-map global_policy
ASA-1(config-pmap)# class Remote_VPN
ASA-1(config-pmap-c)# priority

Verify with the show service-policy command. Under the Class-map: Remote_VPN section, the aggregate transmit counter for the priority queue on the inside interface is incrementing. This means the EasyVPN traffic is being prioritized.

ASA-1(config)# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 20964, drop 0, reset-drop 0
    Class-map: Remote_VPN
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
        Interface inside: aggregate drop 0, aggregate transmit 482
    Class-map: class-default
      Default Queueing

WebVPN (clientless)

Task 3.10

Configure clientless WebVPN on the inside of ASA1 using the following:

- Connection named SSL_VPN
- url: https://192.168.2.100/ssl
- local authentication, user ssl_user, password cisco
- group policy = SSL_VPN

To enter webvpn configuration mode, use the command webvpn. We'll enable it on the inside interface.

ASA-1(config)# webvpn
ASA-1(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on 'inside'.

Now we'll configure the group policy for webvpn. The vpn tunnel protocol is set to webvpn, and since no URL list is needed, this is set to none.

ASA-1(config)# group-policy SSL_VPN attributes
ASA-1(config-group-policy)# vpn-tunnel-protocol webvpn
ASA-1(config-group-policy)# webvpn
ASA-1(config-group-webvpn)# url-list none
ASA-1(config-group-webvpn)# configure terminal

Next we'll configure the user, making sure the group policy is set to the policy we created previously.

ASA-1(config-webvpn)# username ssl_vpn password cisco privilege 0
ASA-1(config)# username ssl_vpn attributes
ASA-1(config-username)# vpn-group-policy SSL_VPN
ASA-1(config-username)# group-policy SSL_VPN internal

Finally the tunnel group is set up. Note that, like the EasyVPN configuration, the type is set to remote-access. The default group policy is set to our policy, which is set to use webvpn. The specific webvpn attributes such as the alias and URL are set using the tunnel-group <name> webvpn-attributes command.

ASA-1(config)# tunnel-group SSL_VPN type remote-access
ASA-1(config)# tunnel-group SSL_VPN general-attributes
ASA-1(config-tunnel-general)# default-group-policy SSL_VPN
ASA-1(config-tunnel-general)# tunnel-group SSL_VPN webvpn-attributes
ASA-1(config-tunnel-webvpn)# group-alias ssl enable
ASA-1(config-tunnel-webvpn)# group-url https://100.60.10.100/ssl enable
ASA-1(config-tunnel-webvpn)# exit

High availability

Task 3.11

Configure high availability using the following:

- R2 loop 0 peers with the R3 and R4 HSRP address
- IKE 1: PSK cisco, dh 2, 3des, sha
- IKE 2: 3des, sha
- Interesting traffic: ip between a new loopback 222 of 10.yy.yy.2/24 and R5 loop 0
- Do not add 10.yy.yy.0/24 to any routing protocols on R2.

R2 configuration:

First we'll create loopback 222.
R2(config)#int loop 222
R2(config-if)# ip address 10.22.22.2 255.255.255.0

Then configure our basic IPSec settings. Most of this should be very familiar, with a few new settings. These include isakmp and NAT keepalives, so that tunnel problems can be detected and the tunnel rebuilt when failover occurs. Also new is the local-address command in the crypto map. This lets the tunnel be built between the HSRP address and the R2 loopback 0 address even though the crypto map is applied to a physical interface.

R2(config)#crypto isakmp policy 1
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash sha
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config-isakmp)# exit
R2(config)#crypto isakmp key cisco address 0.0.0.0
R2(config)#crypto isakmp keepalive 10
R2(config)#crypto isakmp nat keepalive 10
R2(config)#crypto isakmp invalid-spi-recovery
R2(config)#crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
R2(cfg-crypto-trans)# exit
R2(config-if)#access-list 101 permit ip host 10.22.22.2 host 5.5.5.5
R2(config)#crypto map MYMAP local-address loop 0
R2(config)#crypto map MYMAP 1 ipsec-isakmp
R2(config-crypto-map)# set transform-set ESP-3DES-SHA
R2(config-crypto-map)# set peer 100.60.10.34
R2(config-crypto-map)# match address 101
R2(config-crypto-map)# exit
R2(config)#interface FastEthernet0/0.168
R2(config-subif)# crypto map MYMAP
R2(config-subif)# exit

R3 configuration:

Like the R2 configuration, this is mostly a basic IPSec tunnel. The differences are the isakmp and NAT keepalives, and the crypto map. We've already talked about the keepalives. Notice that in the crypto map the reverse-route command is used. When the IPSec tunnel is built, this creates a static route to the subnets protected by the tunnel. This route is then redistributed into OSPF so that R5 knows which router (R3 or R4) to send the traffic to. This is a key concept for VPN failover to function properly. The other piece needed for VPN failover is the HSRP configuration. Notice that the standby group is given a name, and the crypto map is then applied to that name with the redundancy keyword. This means the map is applied to the standby IP, not to the address of the physical interface.

R3(config)#crypto isakmp policy 1
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)#crypto isakmp key cisco address 0.0.0.0
R3(config)#crypto isakmp keepalive 10
R3(config)#crypto isakmp nat keepalive 10
R3(config)#crypto isakmp invalid-spi-recovery
R3(config)#crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
R3(cfg-crypto-trans)# exit
R3(config)#access-list 101 permit ip host 5.5.5.5 host 10.22.22.2
R3(config)#crypto map MYMAP 1 ipsec-isakmp
R3(config-crypto-map)# set transform-set ESP-3DES-SHA
R3(config-crypto-map)# set peer 100.60.10.22
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# reverse-route
R3(config-crypto-map)# exit
R3(config)#interface FastEthernet0/0.60
R3(config-subif)# standby 1 name HA
R3(config-subif)# crypto map MYMAP redundancy HA
R3(config-subif)# exit
R3(config)#router ospf 1
R3(config-router)#redistribute static subnets
R3(config-router)#end
R3#debug ip routing
IP routing debugging is on

R4 configuration:

The R4 configuration is the same as R3.
R4(config)#crypto isakmp policy 1
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# encr 3des
R4(config-isakmp)# hash sha
R4(config-isakmp)# group 2
R4(config-isakmp)# lifetime 86400
R4(config-isakmp)# exit
R4(config)#crypto isakmp key cisco address 0.0.0.0
R4(config)#crypto isakmp keepalive 10
R4(config)#crypto isakmp nat keepalive 10
R4(config)#crypto isakmp invalid-spi-recovery
R4(config)#access-list 101 permit ip host 5.5.5.5 host 10.22.22.2
R4(config)#crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
R4(cfg-crypto-trans)# exit
R4(config)#crypto map MYMAP 1 ipsec-isakmp
R4(config-crypto-map)# set transform-set ESP-3DES-SHA
R4(config-crypto-map)# set peer 100.60.10.22
R4(config-crypto-map)# match address 101
R4(config-crypto-map)# reverse
R4(config-crypto-map)# exit
R4(config)#interface FastEthernet0/0.60
R4(config-subif)# standby 1 name HA
R4(config-subif)# crypto map MYMAP redundancy HA
R4(config-subif)# exit
R4(config)#router ospf 1
R4(config-router)#redistribute static subnets
R4(config-router)#end
R4#debug ip routing
IP routing debugging is on
R4(config)# int fa 0/0.60
R4(config-subif)# ip ospf cost 2
R4(config-subif)# int fa0/0.70
R4(config-subif)# ip ospf cost 2

First test that the tunnel is built by pinging from loopback 222 to 5.5.5.5.

R2#ping 5.5.5.5 source loop 222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.22.22.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms

With debug ip routing turned on, you'll see the static route created on R3. This is because R3 is the active HSRP router. Since the route is redistributed into OSPF, R5 knows to send the packets destined for 10.22.22.2 to R3. Although not shown, you can also verify this with show ip route on R5.

R3#
*Apr 14 22:50:54.571: RT: add 10.22.22.2/32 via 100.60.10.22, static metric [1/0]
*Apr 14 22:50:54.571: RT: NET-RED 10.22.22.2/32
R3#show crypto ipsec sa

interface: FastEthernet0/0.60
    Crypto map tag: MYMAP, local addr 100.60.10.34

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.22.22.2/255.255.255.255/0/0)
   current_peer 100.60.10.22 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Now test failover by reloading R3.

R3#reload
Proceed with reload? [confirm]
*Apr 14 22:52:26.871: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
*Apr 14 22:52:26.911: %HSRP-5-STATECHANGE: FastEthernet0/0.60 Grp 1 state Active -> Init
*Apr 14 22:52:26.911: RT: del 10.22.22.2/32 via 100.60.10.22, static metric [1/0]
*Apr 14 22:52:26.911: RT: delete subnet route to 10.22.22.2/32
*Apr 14 22:52:26.911: RT: NET-RED 10.22.22.2/32
*Apr 14 22:52:26.911: RT: delete network route to 10.0.0.0
*Apr 14 22:52:26.911: RT: NET-RED 10.0.0.0/8

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC

Failover isn't instant; give it some time to occur and then repeat the ping from R2 loopback 222 to 5.5.5.5.

R2#ping 5.5.5.5 source loop 222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 10.22.22.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms

You'll notice that since R4 has now become the active HSRP router, the static route is created on R4 and again redistributed into OSPF. You've now verified that VPN redundancy is functioning properly.
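The R3 output above (before the reload) and the R4 output that follows (after failover) show the same two things: packet counters incrementing in both directions, and the reverse-route-injected static route present only on the router that currently holds the tunnel. Both can be checked mechanically. The Python script below is an added example and is not part of the workbook: it parses show crypto ipsec sa into one record per protected flow and replays the debug ip routing lines to report which router currently injects the route. The sample output and routing events are constructed from the transcripts in this task, and the function names are my own. The parser also copes with the GDOI output from the GET VPN task, where current_peer carries no address.

```python
import re

# Constructed sample modelled on the R3 "show crypto ipsec sa" output in this
# task, trimmed to the lines the parser needs (not a live capture).
SAMPLE_SA = """\
interface: FastEthernet0/0.60
    Crypto map tag: MYMAP, local addr 100.60.10.34

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.22.22.2/255.255.255.255/0/0)
   current_peer 100.60.10.22 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x52555EAA(1381326506)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE

     outbound esp sas:
      spi: 0x52555EAA(1381326506)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
"""

# Constructed "debug ip routing" lines, tagged with the router that logged them,
# in the order they appeared across the failover in this task.
SAMPLE_RT_EVENTS = [
    ("R3", "*Apr 14 22:50:54.571: RT: add 10.22.22.2/32 via 100.60.10.22, static metric [1/0]"),
    ("R3", "*Apr 14 22:52:26.911: RT: del 10.22.22.2/32 via 100.60.10.22, static metric [1/0]"),
    ("R4", "*Apr 14 23:00:38.563: RT: add 10.22.22.2/32 via 100.60.10.22, static metric [1/0]"),
]

IDENT_RE = re.compile(r"(local|remote)\s+ident.*?:\s*\((\S+?)/(\S+?)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"current_peer\s*(\S*?)\s*port\s+(\d+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
RT_RE = re.compile(r"RT: (add|del) (\S+) via (\S+), static")


def parse_ipsec_sa(text):
    """Return one dict per protected flow (local/remote ident pair) in the output."""
    flows, iface, flow = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            iface = line.split(":", 1)[1].strip()
            continue
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            if side == "local" or flow is None:   # a "local ident" line opens a new flow
                flow = {"interface": iface, "peer": None,
                        "encaps": 0, "decaps": 0, "active_sas": 0}
                flows.append(flow)
            flow[side] = f"{addr}/{mask}/{proto}/{port}"
            continue
        if flow is None:
            continue
        m = PEER_RE.match(line)
        if m:
            flow["peer"] = m.group(1) or None     # GDOI prints "current_peer port 848"
            continue
        for direction, count in PKTS_RE.findall(line):
            flow[direction] = int(count)
        if line.startswith("Status:") and line.endswith("ACTIVE"):
            flow["active_sas"] += 1
    return flows


def flow_is_healthy(flow):
    """Traffic was both encapsulated and decapsulated, and inbound+outbound SAs are active."""
    return flow["encaps"] > 0 and flow["decaps"] > 0 and flow["active_sas"] >= 2


def rri_route_holders(events, prefix):
    """Replay RT add/del lines; return the routers that currently hold the RRI static route."""
    holders = set()
    for router, line in events:
        m = RT_RE.search(line)
        if not m or m.group(2) != prefix:
            continue
        if m.group(1) == "add":
            holders.add(router)
        else:
            holders.discard(router)
    return holders


if __name__ == "__main__":
    for f in parse_ipsec_sa(SAMPLE_SA):
        print(f["interface"], f["local"], "->", f["remote"], "peer", f["peer"],
              "encaps", f["encaps"], "decaps", f["decaps"],
              "healthy" if flow_is_healthy(f) else "CHECK")
    print("RRI route held by:", sorted(rri_route_holders(SAMPLE_RT_EVENTS, "10.22.22.2/32")))
```

Two routers holding the route at the same time, or none holding it after the HSRP standby has gone active, is the condition to alert on: in the first case R5 may pick the router without a live SA, and in the second the redistributed route has not reappeared yet and traffic to 10.22.22.2 follows R5's default path.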
R4#
*Apr 14 23:00:38.563: RT: add 10.22.22.2/32 via 100.60.10.22, static metric [1/0]
*Apr 14 23:00:38.563: RT: NET-RED 10.22.22.2/32

R4#show crypto ipsec sa

interface: FastEthernet0/0.60
    Crypto map tag: MYMAP, local addr 100.60.10.34

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.22.22.2/255.255.255.255/0/0)
   current_peer 100.60.10.22 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

The four encaps and decaps counters correspond to the four echoes that succeeded in the ping above, and peer port 4500 shows that this SA is running over NAT traversal (UDP encapsulation).


Chapter 4 ~ Intrusion Prevention Sensor

[Figure: IPS Lab Topology. Outside network 24.234.0.0/24 with R1 (.1); DMZ 172.16.0.0/24 with R2 (.2); inside network 192.168.2.0/16 with R3 (.3), the ACS server (.101) and the IPS management address (.150). ASA1 is .100 on each network and has interfaces labelled E0/0.1, E0/0.200 and E0/1; the IPS sits between VLAN 2 and VLAN 200 on the DMZ side.]

[Figure: physical cabling, reconstructed from the diagram labels.]

Device      First interface              Second interface
R1          Fa0/0 -> SW1 Fa0/1           Fa0/1 -> SW2 Fa0/1
R2          Fa0/0 -> SW1 Fa0/2           Fa0/1 -> SW2 Fa0/2
R3          Fa0/0 -> SW1 Fa0/3           Fa0/1 -> SW2 Fa0/3
R4          Fa0/0 -> SW1 Fa0/4           Fa0/1 -> SW2 Fa0/4
R5          Fa0/0 -> SW1 Fa0/5           Fa0/1 -> SW2 Fa0/5
R6          Fa0/0 -> SW1 Fa0/6           Fa0/1 -> SW2 Fa0/6
BB1         Fa0/0 -> SW1 Fa0/9           Fa0/1 -> SW2 Fa0/9
BB2         Fa0/0 -> SW1 Fa0/10          Fa0/1 -> SW2 Fa0/10
ASA01       E0/0  -> SW1 Fa0/12          E0/2  -> SW2 Fa0/12
ASA01       E0/1  -> SW1 Fa0/17          E0/3  -> SW2 Fa0/17
ASA02       E0/0  -> SW1 Fa0/18          E0/2  -> SW2 Fa0/18
ASA02       E0/1  -> SW1 Fa0/23          E0/3  -> SW2 Fa0/23
IDS         Gi0/0 (sense) -> SW1 Fa0/14  Gi0/1 (c&c) -> SW2 Fa0/14
R7 (2811)   Fa0/0 -> SW3 Fa0/17          Fa0/1 -> SW4 Fa0/17
R8 (2811)   Fa0/0 -> SW3 Fa0/18          Fa0/1 -> SW4 Fa0/18
ACS PC      SW1 Fa0/24   192.168.2.101
XP Test PC  SW2 Fa0/16   192.168.2.102
Inter-switch links: Fa0/19 and Fa0/20 between SW1, SW2, SW3 and SW4.

IDS sensor interfaces
Sensor Int.   Connected to
G0/0          SW1 Fa0/14
Fa1/0         SW3 Fa0/4
Fa1/1         SW3 Fa0/3
Fa1/2         SW3 Fa0/2
Fa1/3         SW3 Fa0/1


Initialize the Sensor

Task 4.1
Log into the IPS with the username cisco and password ccie5796.

Task 4.2
Set the hostname to IPS, set the management IP to 192.168.2.150/16 and the default gateway to 192.168.2.100. Allow network 192.168.0.0/16 to manage the IPS. Save your configuration and verify that you can connect to the device via IDM from the ACS server.

Task 4.3
Set the sensor to use a local NTP server at 192.168.2.3. Set the time zone to Pacific (GMT -8).
Configure Sensor Appliance Management

Task 4.4
Restrict access so that ONLY the ACS server (192.168.2.101) can reach the sensor configuration.

Task 4.5
Set up a user called ccbootcamp with a password of ccbootcamp. This user should be able to tune signatures but not configure device settings such as interfaces.

Task 4.6
Set up another user called monitor with a password of monitor123. This user should only be able to view events.

Configure Security Policy

Task 4.7
Make a duplicate of policy sig0 called sig1.

Task 4.8
Make a duplicate of policy rules0 called rules1.

Task 4.9
Make a duplicate of anomaly detection policy ad0 called ad1.

Configure Virtual Sensors

Task 4.10
Create an additional virtual sensor called vs1. Assign it signature definition policy sig1, event action rules policy rules1 and anomaly detection policy ad1.

Configure SPAN and RSPAN

Task 4.11
Set up a SPAN session on SW1 so that all traffic from port fa0/10 is mirrored to port fa0/11.

Task 4.12
Configure an RSPAN session so that traffic from VLAN 3 on SW1 is mirrored to port fa0/4 on SW3. Use VLAN 99 as the remote VLAN.

Configure Promiscuous and Inline Monitoring

Task 4.13
Remove any existing inline pairs.

Task 4.14
Set up fa1/0 as a promiscuous interface, enable it and assign it to virtual sensor vs1. This will monitor the inside network.

Task 4.15
Set up interface g0/0 as an inline VLAN pair using VLANs 2 and 200. Assign this new inline pair to virtual sensor vs0. This will monitor traffic between the outside and the DMZ. Verify that the inline pair is working.

Configure and Tune Signatures

Task 4.16
Policy sig1 should monitor traffic only. Ensure that no signature within sig1 performs a TCP reset.

Task 4.17
Sort sig0's signatures by name and search for ICMP. Find the signature named ICMP Echo Reply. Enable it, then modify it to fire only when R1 replies to R2's echo request. Verify that the signature is working.

Configure Custom Signatures

Task 4.18
Internal users have been attacking the ACS server with pings. Create a custom signature that will alert you when any host pings the ACS server 50 times or more with packets larger than 2000 bytes.

Configure Blocking

Task 4.19
Set up the ASA as a blocking device. For this task, create a user with a username of blocker and a password of blocker. Use SSH to log into the ASA.

Task 4.20
Create a signature in sig0 that will fire when a user tries to telnet using a username of baduser (case insensitive). The IPS should use the ASA to block the host and generate an alert when this happens.

Configure TCP Resets

Task 4.21
Enable interface fa1/1. Set this interface up as an alternate TCP reset interface for fa1/0.

Task 4.22
Configure a signature within sig1 that will send a TCP reset when a host attempts to telnet to R1 with a username of baduser.

Configure Rate Limiting

Task 4.23
Set up R2 as a blocking device. Use the username blocker with a password of blocker and a privilege level of 15. Use telnet to log into R2. Use the fa0/0 interface to rate limit traffic.

Task 4.24
Enable and modify the signature within sig0 called ICMP Flood so that it requests a rate limit of 1% of interface bandwidth and generates an alert. Test the rate limit.

Configure Event Actions

Task 4.25
Configure rules0 to protect against dangerous attacks by adding the Deny Attacker Inline action to any signature whose risk rating is 90-100.

Task 4.26
R2 is a critical server. Configure rules0 so that the risk rating of an attack against R2 is raised to reflect the critical nature of the server, ensuring that these attacks will be blocked.
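Tasks 4.25 and 4.26 both turn on the risk rating (RR) the sensor computes for every alert: the override in rules0 adds an action whenever the RR falls in a range, and the target value rating for R2 is what moves an attack into that range. The following Python is an added worked example, not part of this workbook or of Cisco's software. It carries the RR arithmetic through for the same signature firing against R1 and against R2, using the component values documented for Cisco IPS 6.x; the integer truncation, the per-host table and the name of the override action (the setup output in the solutions shows only the 90-100 range) are assumptions made for the example.

```python
"""Risk rating (RR) arithmetic behind Tasks 4.25 and 4.26.

Added example; not workbook or Cisco code. Component values are those
documented for Cisco IPS 6.x. The integer truncation, the per-host table and
the override action name are assumptions made for the example."""
from typing import Dict, Set, Tuple

ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}               # ASR
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}  # TVR
ATTACK_RELEVANCE = {"relevant": 10, "unknown": 0, "not-relevant": -10}                       # ARR

# Task 4.26: R2 is a critical server; every other target keeps the default (medium) TVR.
TARGET_VALUE_BY_HOST: Dict[str, str] = {"172.16.0.2": "mission-critical"}

# Task 4.25 / rules0 in the setup output: an override enabled for risk-rating-range 90-100.
OVERRIDES: Dict[str, Tuple[int, int]] = {"deny-attacker-inline": (90, 100)}


def risk_rating(severity: str, fidelity: int, target_value: str = "medium",
                relevance: str = "unknown", promiscuous_delta: int = 0, watch_list: int = 0) -> int:
    """RR = ASR * TVR * SFR / 10000 + ARR - PD + WVR, clamped to 0..100."""
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating is 0-100")
    if not 0 <= promiscuous_delta <= 30:
        raise ValueError("promiscuous delta is 0-30")
    if not 0 <= watch_list <= 35:
        raise ValueError("watch list rating is 0-35")
    base = ATTACK_SEVERITY[severity] * TARGET_VALUE[target_value] * fidelity // 10000
    return max(0, min(100, base + ATTACK_RELEVANCE[relevance] - promiscuous_delta + watch_list))


def evaluate(target_ip: str, severity: str, fidelity: int,
             signature_actions: Tuple[str, ...] = ("produce-alert",),
             promiscuous_delta: int = 0) -> Tuple[int, Set[str]]:
    """Risk rating for an alert against target_ip, plus the actions after overrides."""
    tvr = TARGET_VALUE_BY_HOST.get(target_ip, "medium")
    rr = risk_rating(severity, fidelity, target_value=tvr, promiscuous_delta=promiscuous_delta)
    actions = set(signature_actions)
    for action, (low, high) in OVERRIDES.items():
        if low <= rr <= high:
            actions.add(action)   # an override adds to the signature's actions, never removes
    return rr, actions


if __name__ == "__main__":
    # The same high-severity, fidelity-85 signature firing against R1 and against R2.
    for target in ("24.234.0.1", "172.16.0.2"):
        rr, actions = evaluate(target, "high", 85)
        print(f"{target}: RR={rr} actions={sorted(actions)}")
```

Against R1 the rating is 100 * 100 * 85 / 10000 = 85, so only the signature's own alert fires; against R2 the mission-critical TVR doubles the base to 170, which clamps to 100 and lands inside the 90-100 override, so Deny Attacker Inline is added. Note that the deny action only has an effect on an inline interface or VLAN pair (vs0 in this lab); on the promiscuous vs1 it is reported but cannot drop anything, and the promiscuous delta lowers the rating there accordingly.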
Configure Event Monitoring

Task 4.27
View events that have occurred on the sensor in the last hour.

Task 4.28
Filter the view so that only events with a threat rating of 90 or greater are shown. Do not show error events.

Task 4.29
View Attack Response Controller events.

Configure Advanced Features

Task 4.30
Set up ad1 anomaly detection to use the inside network as the internal zone. For ad0, set up the DMZ network as the internal zone.

Task 4.31
The ACS server's normal traffic appears to the sensor to be worm traffic. Exclude the ACS server from anomaly detection in ad1.

Task 4.32
You've recently redesigned your DMZ and need to establish baseline traffic patterns for anomaly detection using ad0. Set ad0 to learn mode.


Intrusion Prevention Sensor Solutions

Initialize the Sensor

Task 4.1
Log into the IPS with the username cisco and password ccie5796.

An unconfigured IPS has a default administrator account with a username and password of cisco, which you must change on first login. CCBOOTCAMP's IPS has been preconfigured with a username of cisco and a password of ccie5796.

IPS login: cisco
Password: ccie5796
Last login: Thu Mar 26 07:28:39 on ttyS0

Task 4.2
Set the hostname to IPS, set the management IP to 192.168.2.150/16 and the default gateway to 192.168.2.100. Allow network 192.168.0.0/16 to manage the IPS. Save your configuration and verify that you can connect to the device via IDM from the ACS server.

Basic setup is done with the setup command. It runs a step-by-step prompted dialog that establishes basic connectivity so that IDM can be used for further configuration. You are shown the current configuration and then allowed to modify it: the hostname, the management IP address and the access list that controls which hosts may manage the sensor. At the end you can review the configuration and are prompted to save it.

sensor# setup

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service interface
inline-interfaces pair-1
description Created via setup by user cisco
interface1 FastEthernet1/0
interface2 FastEthernet1/1
exit
inline-interfaces pair-2
description Created via setup by user cisco
interface1 FastEthernet1/2
interface2 FastEthernet1/3
exit
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

Current time: Thu Mar 26 18:52:03 2009

Setup Configuration last modified: Thu Mar 26 17:42:57 2009

Continue with configuration dialog?[yes]:
Enter host name[sensor]: IPS
Enter IP interface[192.168.1.2/24,192.168.1.1]: 192.168.2.150/16,192.168.2.100
Enter telnet-server status[disabled]:
Enter web-server port[443]:
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit: 192.168.0.0/16
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 192.168.2.150/16,192.168.2.100
host-name IPS
telnet-option disabled
access-list 192.168.0.0/16
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service interface
inline-interfaces pair-1
description Created via setup by user cisco
interface1 FastEthernet1/0
interface2 FastEthernet1/1
exit
inline-interfaces pair-2
description Created via setup by user cisco
interface1 FastEthernet1/2
interface2 FastEthernet1/3
exit
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]: 2
Configuration Saved.
*18:52:47 UTC Thu Mar 26 2009
Modify system date and time?[no]:

With basic configuration complete you can connect to the sensor with a web browser to launch IDM (IPS Device Manager), again using cisco/ccie5796 as the administrator username and password. Note that the 192.168.0.0/16 access-list entry admits every host on the inside network and that NTP is still disabled; Task 4.3 and Task 4.4 tighten both.
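The configuration the setup wizard printed is the natural thing to audit before handing the sensor to the later tasks: it shows a /16 management access list, NTP disabled and telnet disabled. As an added example, not part of this workbook or of Cisco's software, the following Python parses that `service host` block (embedded below exactly as the wizard printed it) and flags the settings that Tasks 4.3 and 4.4 expect to be tightened. The parser only knows the container keywords that appear in this output, which is an assumption about the configuration schema; everything else is read as a key/value leaf.

```python
"""Audit of the management-plane settings printed by setup in Task 4.2.

Added example; not workbook or Cisco code. CONTAINERS is an assumption about
the schema (only the block keywords seen in this output are known)."""
import ipaddress
from typing import Dict, List

# The "following configuration was entered" block, as printed by setup above.
SETUP_CONFIG = """\
service host
network-settings
host-ip 192.168.2.150/16,192.168.2.100
host-name IPS
telnet-option disabled
access-list 192.168.0.0/16
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service interface
inline-interfaces pair-1
description Created via setup by user cisco
interface1 FastEthernet1/0
interface2 FastEthernet1/1
exit
inline-interfaces pair-2
description Created via setup by user cisco
interface1 FastEthernet1/2
interface2 FastEthernet1/3
exit
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
"""

# Keywords that open a nested block closed by "exit" (assumption: the subset seen above).
CONTAINERS = {"service", "network-settings", "time-zone-settings", "inline-interfaces", "overrides"}


def parse_sensor_config(text: str) -> Dict[str, List[str]]:
    """Flatten the hierarchical config into 'container/.../key' -> [values]."""
    settings: Dict[str, List[str]] = {}
    path: List[str] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "exit":
            if path:
                path.pop()
            continue
        if tokens[0] in CONTAINERS:
            path.append(" ".join(tokens))   # e.g. "service host", "inline-interfaces pair-1"
            continue
        if tokens[0] == "no":               # "no login-banner-text" is a negated leaf
            key, value = tokens[1], "no"
        else:
            key, value = tokens[0], " ".join(tokens[1:])
        settings.setdefault("/".join(path + [key]), []).append(value)
    return settings


def audit_management_plane(settings: Dict[str, List[str]],
                           allowed_managers=("192.168.2.101",)) -> List[str]:
    """Findings for settings that Tasks 4.3 and 4.4 expect to be tightened."""
    findings: List[str] = []
    acl = settings.get("service host/network-settings/access-list", [])
    if not acl:
        findings.append("access-list: empty, so no host can manage the sensor over the network")
    for entry in acl:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > 1:
            findings.append(f"access-list {entry}: permits {net.num_addresses} addresses; "
                            f"Task 4.4 allows only {', '.join(allowed_managers)}")
        elif str(net.network_address) not in allowed_managers:
            findings.append(f"access-list {entry}: host is not an approved manager")
    if settings.get("service host/network-settings/telnet-option") != ["disabled"]:
        findings.append("telnet-option: not disabled; management sessions would be cleartext")
    if settings.get("service host/ntp-option") == ["disabled"]:
        findings.append("ntp-option: disabled; event timestamps cannot be correlated (Task 4.3)")
    return findings


def audit_text(text: str) -> List[str]:
    return audit_management_plane(parse_sensor_config(text))


if __name__ == "__main__":
    for finding in audit_text(SETUP_CONFIG):
        print(finding)
```

Run against the wizard output it reports two findings, the /16 access list and the disabled NTP option; once the access list is replaced with 192.168.2.101/32 (Task 4.4) only the NTP finding remains. The same parser can be pointed at `show configuration` output from a deployed sensor, as long as the block keywords are added to CONTAINERS.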
Task 4.3
Set the sensor to use a local NTP server at 192.168.2.3. Set the time zone to Pacific (GMT -8).

Proper time stamping is key to a good IPS installation. Synchronizing to an NTP server isn't required but is highly recommended so that events can be correlated with other devices' logs. This is set under configuration->sensor setup->time. Click apply when done with your changes; the sensor will require a reboot.

Configure Sensor Appliance Management

Task 4.4
Restrict access so that ONLY the ACS server (192.168.2.101) can reach the sensor configuration.

This is done under configuration->sensor setup->allowed hosts. Edit the existing entry or add a new one so that only 192.168.2.101 255.255.255.255, the ACS server itself, is allowed. The 192.168.0.0/16 entry created during setup must not remain, otherwise the restriction has no effect. Click apply when done. The allowed-hosts list governs management connections to the sensor (IDM over HTTPS, SSH); it has nothing to do with the traffic the sensor monitors.

Task 4.5
Set up a user called ccbootcamp with a password of ccbootcamp. This user should be able to tune signatures but not configure device settings such as interfaces.

To create a user, go to configuration->sensor setup->users and click add. Our ccbootcamp user needs to be assigned the role of operator, which can tune signatures but not change physical device settings.

To test the new user, close IDM and log back in as ccbootcamp. If you click on the interfaces configuration you will receive a pop-up telling you that you don't have rights to modify it. However, configuration->policies->signature definitions->sig0 is allowed. This confirms that the operator role is functioning.

Task 4.6
Set up another user called monitor with a password of monitor123. This user should only be able to view events.

You'll need to close IDM and log back in as user cisco, password ccie5796. This user is set up the same way as the operator, but with the viewer role. This role is more restricted than the operator role: a viewer can only view events and monitoring information. After creation, close IDM and log in as monitor. You should receive the same access-denied message when you try to configure anything. Clicking on the monitoring button, however, is allowed.

Configure Security Policy

Task 4.7
Make a duplicate of policy sig0 called sig1.

The easiest way to create a new policy is to copy an existing one and modify it as necessary. This is done under configuration->policies->signature definitions. Select sig0 and click on clone. Name the new policy sig1.

Task 4.8
Make a duplicate of policy rules0 called rules1.

This process is very similar to signature cloning: configuration->policies->event action rules.

Task 4.9
Make a duplicate of anomaly detection policy ad0 called ad1.

This is very similar to the other two policies: configuration->policies->anomaly detections.

Configure Virtual Sensors

Task 4.10
Create an additional virtual sensor called vs1. Assign it signature definition policy sig1, event action rules policy rules1 and anomaly detection policy ad1.

This is done under configuration->analysis engine->virtual sensors. Click on add to create the new virtual sensor. Name it vs1 and change the policies from sig0 to sig1, rules0 to rules1 and ad0 to ad1. This new virtual sensor can be assigned to interfaces, but we won't do so yet.

Configure SPAN and RSPAN

Task 4.11
Set up a SPAN session on SW1 so that all traffic from port fa0/10 is mirrored to port fa0/11.

SPAN sessions allow network traffic from an interface or VLAN(s) to be mirrored to a port. This port is usually connected to a network sniffer or a promiscuous IPS. SPAN sessions are set up with the monitor session command and must have a source and a destination.

SW1(config)#monitor session 10 source interface fa0/10
SW1(config)#monitor session 10 destination interface fa0/11

Task 4.12
Configure an RSPAN session so that traffic from VLAN 3 on SW1 is mirrored to port fa0/4 on SW3. Use VLAN 99 as the remote VLAN.

RSPAN functions like SPAN but mirrors data from a source to a destination VLAN. That VLAN can be carried across trunks to remote switches, which then use it as the source for their own SPAN sessions. In this case the traffic will be used by the promiscuous sensor interface. First the RSPAN VLAN must be created on SW1 (and on every switch along the path, and allowed on the trunks between them); then it can be used as a destination in a monitor session.

SW1(config)#vlan 99
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#monitor session 1 source vlan 3
SW1(config)#monitor session 1 destination remote vlan 99

On SW3 the remote VLAN is used as the source and the destination is a physical port, the one connected to the IPS.

SW3(config)#monitor session 1 source remote vlan 99
SW3(config)#monitor session 1 destination interface fa0/4

show monitor session 1 on each switch confirms the source and destination you configured.

Configure Promiscuous and Inline Monitoring

Task 4.13
Remove any existing inline pairs.

Your IPS may come with its interfaces preconfigured as inline pairs. To free up these interfaces for other use you must delete the pairs. This is done under configuration->interface configuration->inline pairs. Select the pair you want to delete and click delete.
Task 4.14
Set up fa1/0 as a promiscuous interface, enable it and assign it to virtual sensor vs1. This will monitor the inside network.

Interfaces not set up as inline are promiscuous by default. Interfaces are enabled under configuration->interface configuration->interfaces. Select interface fa1/0 and click edit. Click on the enabled radio button and click ok.

Now assign the interface to virtual sensor vs1 under configuration->analysis engine->virtual sensors. Select vs1 and click on edit. Select fa1/0 and click the assign button; the assigned field will show yes. Click on ok.

Task 4.15
Set up g0/0 as an inline VLAN pair using VLANs 2 and 200. Assign this new inline pair to virtual sensor vs0. This will monitor traffic between the outside and the DMZ. Verify that the inline pair is working.

An inline VLAN pair makes the sensor a layer 2 bridge between two VLANs on one physical port. Traffic routed between the outside and the DMZ has to cross that bridge, so the sensor can inspect it and pass or drop it in real time. To set up the VLAN pair, go to configuration->interface configuration->VLAN pairs and click on add. Select g0/0 and enter a subinterface number between 1 and 255; 2 is used here since we're dealing with VLAN 2. Set VLAN A to 2 and VLAN B to 200.

Now assign g0/0 (and thus the inline VLAN pair) to virtual sensor vs0. This is done exactly as with the promiscuous interface above. Make sure that the g0/0 interface is enabled as well.

To verify that the pair is working, simply ping from R2 to R1. Since R2 is in a different VLAN from its default gateway (the ASA), the ping will only succeed if the pair is bridging between the two.

Configure and Tune Signatures

Task 4.16
Policy sig1 should monitor traffic only. Ensure that no signature within sig1 performs a TCP reset.

Signatures for internal traffic are often set to monitor only, to avoid disrupting corporate network traffic. Go to configuration->policies->signature definitions->sig1 and click on select all; all of your active signatures are now selected. Click on actions to modify the actions for all selected signatures. Uncheck Reset TCP Connection and click on ok to remove the action. Click apply when done.

Task 4.17
Sort sig0's signatures by name and search for ICMP. Find the signature named ICMP Echo Reply. Enable it, then modify it to fire only when R1 replies to R2's echo request. Verify that the signature is working.

You can sort signatures by a variety of criteria. To sort by name, go to configuration->policies->signature definitions->sig0 and click on select by. Choose Sig Name. Type a string in the Enter Sig Name field and click find; in our case we'll enter ICMP.

Sig 2000 is the ICMP Echo Reply signature we're looking for. Click on it to select it and then click on enable. The signature is now active, but it must be modified so that it only fires on echo replies from R1 to R2. Click on edit, scroll down to the specific IP address options and set the source to 24.234.0.1 (R1) and the destination to 172.16.0.2 (R2). Click ok when done.

To verify the signature we need to generate echo replies from R1 to R2, so we ping from R2 to R1, which of course generates the replies.

R2#ping 24.234.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/12 ms

Now on the IPS go to monitoring->events and click on view. An ICMP Echo Reply event is shown, so the signature has fired. Because the signature is now restricted to replies from 24.234.0.1 to 172.16.0.2, the reverse direction (a ping from R1 to R2, answered by R2) does not fire it.
Configure Custom Signatures

Task 4.18
Internal users have been attacking the ACS server with pings. Create a custom signature that will alert you when any host pings the ACS server 50 times or more with packets larger than 2000 bytes.

If you can't find a signature to clone and modify, you can create a custom signature. This is done by going to configuration->policies->signature definitions->sig1 and clicking on the custom signature tab. Start the wizard. We'll use the Atomic IP engine since it gives us the detection detail we need. Call the signature Large Pings to ACS, a descriptive title.

Now configure the signature. Set the protocol to ICMP, the IP payload length to 2000-18024 and the destination address to 192.168.2.101 (the ACS server).

The signature fidelity and severity can be left at the defaults. We have now set up the signature to detect large pings, but not the "50 or more" condition. Click on the advanced button to set this.

Set the event count to 50 and the event count key to attacker address.

Since attacks of this type could generate a large number of alerts, we'll use summarization. The summary interval is set to 60 seconds, meaning the signature generates at most one alert per minute regardless of how many batches of 50 large pings come from a single attacker. Click finish to complete the wizard.

Now test the signature by generating large pings from R3 to the ACS server.

R3#ping 192.168.2.101 size 5000 repeat 1000
Type escape sequence to abort.
Sending 1000, 5000-byte ICMP Echos to 192.168.2.101, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[... 1000 replies ...]
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/3/28 ms

When we view events, notice that the signature generated only one alert even though we pinged the ACS server 1000 times.

Configure Blocking

Task 4.19
Set up the ASA as a blocking device. For this task, create a user with a username of blocker and a password of blocker. Use SSH to log into the ASA.

To add a blocking device we must first set up a login profile. Go to configuration->blocking->device login profile. Click on add and enter the username and password of blocker.

Now we can add the blocking device under configuration->blocking->blocking devices. Enter the IP address of the ASA inside interface, use the newly created blocker profile and set the device type to PIX/ASA. Click on ok and apply when done.

Now the ASA must be configured. This involves creating the blocker username and password, setting up SSH authentication and allowing SSH from the IPS.
ASA1# conf t
ASA1(config)# username blocker password blocker privilege 15
ASA1(config)# aaa authentication ssh console LOCAL
ASA1(config)# ssh 192.168.2.150 255.255.255.255 inside

Finally, we must obtain the ASA's SSH public host key so it can be set as a known host. Do this under configuration->ssh->known host keys. Click on add. Enter the IP address of the ASA and click on retrieve host key. When the key has been added, click ok and apply.

Task 4.20

Create a signature in sig0 that will fire when a user tries to telnet using a username of baduser, case insensitive. The IPS should use the ASA to block the host and generate an alert when this happens.

This involves creating a custom signature. We are already familiar with running the wizard. Use the string TCP engine and create a regex that will match the string baduser regardless of case. Set the service to port 23, telnet. The event action should be produce alert and request block host.

With the signature complete, attempt to telnet from R2 to R1 using the username baduser. The host will be blocked and further communication of any type will be unsuccessful.

R2#telnet 24.234.0.1
Trying 24.234.0.1 ... Open

User Access Verification

Username: baduser
[Connection to 24.234.0.1 closed by foreign host]

R2#ping 24.234.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Now on the IPS, go to monitoring->active host blocks. You'll see a block for host 172.16.0.2.

Configure TCP Resets

Task 4.21

Enable interface fa1/1. Set this interface up as an alternate TCP reset interface for fa1/0.

An interface in promiscuous mode cannot drop connections inline by definition. It also cannot send normal network traffic, since it relies on the SPAN port of the switch it is attached to. It can, however, use another interface to send TCP resets after an attack has been detected. While this isn't ideal, it provides some response to attacks, which is better than nothing.

We already know how to enable an interface under configure->interface configuration->interfaces. After enabling fa1/1, we need to set it as an alternate TCP reset interface for fa1/0. Select fa1/0 and click on edit. Check the use alternate TCP reset interface box and choose fa1/1 from the dropdown menu. Fa1/1 will now be used to send TCP resets for fa1/0.

Task 4.22

Configure a signature within sig1 that will send a TCP reset when a host attempts to telnet to R1 with a username of baduser.

This signature will be identical to the custom sig we created for our blocking task, except for the event action. This will be reset tcp connection instead of block host.

We can test the signature by attempting to telnet from R3 to R1. When prompted, try to log in with a username of baduser. The connection will be immediately reset.
R3#telnet 24.234.0.1
Trying 24.234.0.1 ... Open

User Access Verification

Username: baduser
[Connection to 24.234.0.1 closed by foreign host]

Configure Rate Limiting

Task 4.23

Set up R2 as a blocking device. Use the username of blocker with a password of blocker and a privilege of 15. Use telnet to log into R2. Use the fa0/0 interface to rate limit traffic.

We already know how to set up a blocking device. The difference is that R2 will only be set to rate limit instead of block, and the communication method will be telnet instead of SSH.

Now we'll also need to set up which interface will be doing the blocking. This is done under configuration->blocking->router blocking device interfaces. Click on add and select 172.16.0.2 (R2) as the blocking device. Enter fa0/0 as the blocking interface. The direction should be in.

The username blocker must be configured on R2, as well as the aaa login configuration.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#username blocker privilege 15 password blocker
R2(config)#aaa new-model
R2(config)#aaa authentication login default local
R2(config)#aaa authorization exec default local
R2(config)#line vty 0 4
R2(config-line)#login authentication default

Task 4.24

Enable and modify the rule within sig0 called icmp flood so that it requests a rate limit of 1% of interface bandwidth and generates an alert. Test the rate limit.
Sort sig0's signatures by name and search for the icmp flood signature. Select it by clicking on it and then click enable. Click on actions and add the request rate limit action. Click on ok. Click on edit and change the external rate limit percentage to 1%. Click ok when done.

Now we can test our signature by generating large pings from R1 to R2.

R1#ping 172.16.0.2 repeat 50 size 10000
Type escape sequence to abort.
Sending 50, 10000-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!
Success rate is 76 percent (38/50), round-trip min/avg/max = 12/13/16 ms

The rate limit is clearly working, but you can also verify the limit under monitoring->rate limits. You can also remove the rate limit by selecting it and clicking delete.

Configure Event Actions

Task 4.25

Configure rules0 to protect against dangerous attacks by changing any signature's action to deny an attacker inline if the risk rating is 90-100.

This is done with event action overrides. As the name suggests, if an event has a high enough risk rating, the override will change the action to the configured action. This is configured in configuration->policies->event action rules->rules0->event action overrides tab.
We'll want to disable the existing deny packet inline override and add a new one. This override will have an action of deny attacker inline and a risk rating of 90-100.

Task 4.26

R2 is a critical server. Configure rules0 so that the risk rating of an attack against R2 is changed to reflect the critical nature of the server, ensuring that these attacks will be blocked.

Specific hosts or networks can be given a target value rating (TVR), which will modify the risk rating of an event. This is configured in configuration->policies->event action rules->rules0->target value rating tab. Click on add, enter the IP for R2 and set the TVR to mission critical. This will greatly boost the risk rating of attacks against R2.

With our configuration complete, we can test it by doing a large ping from R1 to R2. In our last section this was rate limited. Now, since the TVR of R2 is boosting the threat rating, R1 is denied inline instead. (Ping stopped)

R1#ping 172.16.0.2 repeat 1000 size 10000
Type escape sequence to abort.
Sending 1000, 10000-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!......
Success rate is 80 percent (24/30), round-trip min/avg/max = 12/15/16 ms

You can verify the attacker was blocked under monitoring->denied attackers.
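The three mechanisms configured through the IDM GUI in Tasks 4.18, 4.25 and 4.26 (the summary interval, event action overrides and the target value rating) are modelled below in Python as an added example. It is not workbook code; the risk-rating weights, R1's address 172.16.0.1 and the timestamps are assumptions.

```python
"""Added example (not from the workbook): a small model of how a Cisco IPS
sensor turns an event into actions, covering three things this chapter
configures through the IDM GUI: alert summarization (Task 4.18), event
action overrides (Task 4.25) and the target value rating (Task 4.26)."""
from collections import OrderedDict
from dataclasses import dataclass

# Rating weights follow Cisco's published IPS 6.x defaults as I remember
# them; treat the numbers as assumptions, not values from the workbook.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero value": 50, "low": 75, "medium": 100, "high": 150,
       "mission critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not relevant": -10}


@dataclass
class Event:
    sig_name: str
    attacker: str
    victim: str
    ts: float                    # seconds; constructed values in the demo
    severity: str = "high"       # attack severity rating (ASR)
    fidelity: int = 85           # signature fidelity rating (SFR), 0-100
    relevancy: str = "unknown"   # attack relevancy rating (ARR)
    promiscuous_delta: int = 0   # PD, subtracted in promiscuous mode
    watch_list: int = 0          # WCR, added for watch-listed attackers


def risk_rating(ev, tvr_table):
    """RR = ASR*TVR*SFR/10000 + ARR - PD + WCR, clamped to 0..100.
    Victims without an explicit target value rating count as 'medium'."""
    tvr = TVR[tvr_table.get(ev.victim, "medium")]
    rr = (ASR[ev.severity] * tvr * ev.fidelity) // 10000
    rr += ARR[ev.relevancy] - ev.promiscuous_delta + ev.watch_list
    return max(0, min(100, rr))


@dataclass
class Override:
    action: str
    rr_min: int
    rr_max: int
    enabled: bool = True


def event_actions(ev, sig_actions, overrides, tvr_table):
    """The signature's own actions plus every enabled override whose
    risk-rating range contains the event's RR."""
    rr = risk_rating(ev, tvr_table)
    actions = set(sig_actions)
    for ov in overrides:
        if ov.enabled and ov.rr_min <= rr <= ov.rr_max:
            actions.add(ov.action)
    return rr, actions


def summarize(events, interval=60):
    """Summary mode: one alert per signature and attacker per summary
    interval, carrying the number of events it stands for."""
    buckets = OrderedDict()
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.sig_name, ev.attacker, int(ev.ts // interval))
        buckets[key] = buckets.get(key, 0) + 1
    return [{"sig": sig, "attacker": atk, "window_start": win * interval,
             "count": count} for (sig, atk, win), count in buckets.items()]


# rules0 after Task 4.25: the stock "deny packet inline" override is
# disabled and "deny attacker inline" fires for RR 90-100.
RULES0 = [Override("deny packet inline", 90, 100, enabled=False),
          Override("deny attacker inline", 90, 100)]
ICMP_FLOOD_ACTIONS = {"produce alert", "request rate limit"}


def flood_before_and_after_tvr():
    """Task 4.24 vs 4.26: the same ICMP flood against R2 (172.16.0.2) with
    and without R2 rated mission critical.  R1's address is constructed."""
    flood = Event("ICMP Flood", "172.16.0.1", "172.16.0.2", ts=0.0)
    before = event_actions(flood, ICMP_FLOOD_ACTIONS, RULES0, {})
    after = event_actions(flood, ICMP_FLOOD_ACTIONS, RULES0,
                          {"172.16.0.2": "mission critical"})
    return before, after


def large_ping_summary():
    """Task 4.18: 1000 large pings inside one minute from one host, then a
    batch of 50 in the next minute (constructed timestamps and attacker)."""
    pings = [Event("Large ICMP", "10.0.0.3", "192.168.2.101", ts=i * 0.03)
             for i in range(1000)]
    pings += [Event("Large ICMP", "10.0.0.3", "192.168.2.101",
                    ts=90 + i * 0.03) for i in range(50)]
    return summarize(pings)
```

Without a TVR the flood scores RR 85 and keeps only the signature's own actions; rated mission critical, the same event clamps to RR 100 and picks up deny attacker inline, while the 1050 pings collapse to two summary alerts.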
Configure Event Monitoring

Task 4.27

View events that have occurred on the sensor in the last hour.

Monitoring of events on the sensor is found under monitoring->events. The task asks for the default settings, viewing events that occurred in the last hour. This is done by clicking on the view button.

Task 4.28

Sort the view so only events with a threat rating of 90 or greater are shown. Do not show error events.

This is done by changing the min field to 90 under show alert events. Now only events with a threat rating of 90-100 will be shown. We'll also uncheck the error and fatal boxes under show error events. If you click on view now, no events should be shown, as none meet the criteria for viewing.

Task 4.29

View attack response controller events.

This is done by checking the show attack response controller events box. If you click on view now you will be shown the block and/or rate limit requests from our previous tasks.
Configure Advanced Features

Task 4.30

Set up ad1 anomaly detection to use the inside network for the internal zone. For ad0, set up the DMZ network as the internal zone.

The internal zone represents your internal network in anomaly detection, in our case the 192.168.0.0/16 network. This is set up under configuration->anomaly detections->ad1->internal zone tab. We'll enter the range of addresses 192.168.0.0-192.168.255.255. The configuration for ad0 is identical except for the DMZ address range.

Task 4.31

The ACS server's normal traffic appears to be worm traffic to the sensor. Exclude the ACS server from anomaly detection in ad1.

If a device is causing AD signatures to fire incorrectly, you can exclude it from anomaly detection under the configuration->anomaly detections->ad1->operation settings tab. Make sure that the enable ignored IP addresses box is checked and enter the ACS server IP address under source addresses.

Task 4.32

You've recently redesigned your DMZ and need to establish baseline traffic patterns for anomaly detection using ad0. Set ad0 to learn mode.

When you want anomaly detection to establish a network baseline for normal traffic, you can put it into learn mode. This is done under configuration->analysis engine->virtual sensors. Select vs0 and click on edit. Under the AD operational mode drop down box select learn.
Chapter 5  Identity Management

[Lab topology diagram, reproduced here as text. R1-R6, BB1 and BB2 each connect Fa0/0 to SW1 and Fa0/1 to SW2 (SW1/SW2 ports Fa0/1-Fa0/6 for R1-R6, Fa0/9 for BB1, Fa0/10 for BB2). ASA01 and ASA02 connect E0/0-E0/3 to SW1/SW2 ports Fa0/12, Fa0/17, Fa0/18 and Fa0/23. The IDS sensor connects Gi0/0 (sense) and Gi0/1 (c&c) to SW1/SW2 Fa0/14, and its Fa1/0, Fa1/1, Fa1/2 and Fa1/3 to SW3 Fa0/4, Fa0/3, Fa0/2 and Fa0/1 respectively. SW1-SW4 interconnect on Fa0/19 and Fa0/20. R7 (2811) connects Fa0/0 to SW3 Fa0/17 and Fa0/1 to SW4 Fa0/17; R8 (2811) connects Fa0/0 to SW3 Fa0/18 and Fa0/1 to SW4 Fa0/18. The ACS PC (192.168.2.101) is on SW1 Fa0/24 and the XP test PC (192.168.2.102) is on SW2 Fa0/16.]

Configure TACACS+

Task 5.1

Configure TACACS+ on R6 so that logins will authenticate to the ACS server by default. Use a key of cisco. The console should not require authentication.

Task 5.2

Ensure exec mode is authorized and accounted for using TACACS+. Also, use accounting for all privilege level 0, 1, and 15 commands.

Task 5.3

Configure ASA1 to use the ACS as a RADIUS server. Do not set up any further AAA.

Configure Secure ACS

Task 5.4

On the ACS server create a new ACS administrator named admin with a password of cisco. This user should have unlimited access to ACS.

Task 5.5

Set up R6 as a client within the ACS server using TACACS+ as the protocol and cisco as the key.

Task 5.6

Set up ASA1 as a client using RADIUS as the protocol and cisco as the key.

Task 5.7

Create a shell command authorization set to allow any command and associate this command auth set with a group named super. Ensure that this group has the privilege level to use any command.

Task 5.8

Create a user ID on the ACS named superuser with a password of cisco and add this user to the super group.

Task 5.9

Verify that this user can log in to R6 via telnet and that all commands are available. Also verify that accounting is working for both EXEC mode and privilege level 15 commands.

Configure LDAP

Task 5.10

Configure the ACS server so that authentication via the Windows database is possible. Do not require dial-in permission for Windows users to authenticate.

Task 5.11

Ensure that users not found in the ACS local database will be authenticated against the Windows database and will use the super group for authorization.

Task 5.12

Verify that Windows authentication is functional by logging in to R6 with a username of enablemode and password enableme.

Configure Proxy Authentication

Task 5.13

If the ACS server attempts to access R2 via HTTP, R5 should intercept and authenticate the traffic before allowing it. Use a local username of authp and a password of cisco to do this.

Task 5.14

Require authentication via telnet at ASA1 before R6 can ping SW2. Use RADIUS and a virtual telnet address of 24.234.51.50. Authenticate with the ACS Windows username of enablemode and a password of enableme.

Configure 802.1x

Task 5.15

Configure 802.1x on SW2. After successful authentication to the ACS server using RADIUS, clients should be placed into VLAN111. If a client doesn't have an 802.1x supplicant they should be placed in VLAN432. Use F0/20 for this configuration, and leave the port shut down. Add a user to ACS named dot1xuser with password cisco.

Task 5.16

Verify that you can authenticate as this user from SW2 using the test aaa command.

Configure Advanced Identity Management

Task 5.17

On R2, configure a local user account named ping with password cisco. Allow this user to perform an extended ping but do not give access to other privilege level 15 commands.

Task 5.18

Create a user on the ACS server called limited with a password of cisco that can only authenticate on R6 and can only use level 1 show commands and exit.

Identity Management Solutions

Configure TACACS+

Task 5.1

Configure TACACS+ on R6 so that logins will authenticate to the ACS server by default. Use a key of cisco. The console should not require authentication.

AAA can be configured locally or by using a remote server. In this case we'll be using the ACS server, so we need to configure the router to communicate with it first.

R6(config)#tacacs-server host 192.168.2.101
R6(config)#tacacs-server key cisco

Next, we'll configure AAA itself to authenticate to the ACS server by default for logins. This is done with the aaa commands. First we'll start a new model, then configure login authentication, setting the default method list to use tacacs+ as the method.

R6(config)#aaa new-model
R6(config)#aaa authentication login default group tacacs+

Finally, we need to make sure we can always get in via the console even if the connection to the ACS server is not working. To do this we'll create a special method list called CONSOLE with no authentication method and apply it to the console port.

R6(config)#aaa authentication login CONSOLE none
R6(config)#line con 0
R6(config-line)#login authentication CONSOLE

We'll test by logging out of the console port and then back in. There will be no prompt for username or password.

R6#exit

R6 con0 is now available

Press RETURN to get started.

R6>

Task 5.2

Ensure exec mode is authorized and accounted for using TACACS+.
Also, use accounting for all privilege level 0, 1, and 15 commands.

Authorization and accounting are the other two As in AAA. These are also set up using the aaa command with the authorization and accounting options.

R6(config)#aaa authorization exec default group tacacs+
R6(config)#aaa accounting exec default start-stop group tacacs+
R6(config)#aaa accounting commands 0 default start-stop group tacacs+
R6(config)#aaa accounting commands 1 default start-stop group tacacs+
R6(config)#aaa accounting commands 15 default start-stop group tacacs+

Task 5.3

Configure ASA1 to use the ACS as a RADIUS server. Do not set up any further AAA.

Similar to a router, the ASA can do either local or remote AAA. We're going to set the ASA up to use RADIUS instead of TACACS+. First we'll set up a server group called RADIUS that will use the protocol radius. Then we'll add a host to this server group which will use the key cisco.

ASA1(config)# aaa-server RADIUS protocol radius
ASA1(config-aaa-server-group)# aaa-server RADIUS host 192.168.2.101
ASA1(config-aaa-server-host)# key cisco

Configure Secure ACS

Task 5.4

On the ACS server create a new ACS administrator named admin with a password of cisco. This user should have unlimited access to ACS.

There should be at least one admin account on the ACS. It is set up under administration control. Click on add administrator. Enter the username and password. Under Administrator Privileges click on grant all. Click submit when done.

Task 5.5

Set up R6 as a client within the ACS server using TACACS+ as the protocol and cisco as the key.
Before a device can authenticate to the ACS server it must be set up as a client. This is done under network configuration. Click on add entry under the AAA clients box. Enter the name, IP address, key, and protocol to be used by the client. When done, click on submit + apply.

Task 5.6

Set up ASA1 as a client using RADIUS as the protocol and cisco as the key.

This is done the same way as it was for R6. Instead of selecting TACACS+ as the protocol, select RADIUS. You'll notice there are several forms of RADIUS you can choose. The choice is based on the vendor/model of the device, in our case VPN3000/ASA/PIX 7.x.

Task 5.7

Create a shell command authorization set to allow any command and associate this command auth set with a group named super. Ensure that this group has the privilege level to use any command.

Shell command authorization sets are used to grant access to specific commands. They are set up under shared profile components. Click on Shell Command Authorization Sets. Enter a name for the set. Normally you would add commands here, which would give the user access to those commands when logged on to the device. However, we will enter no commands and check the permit unmatched commands radio button. This will give us access to all commands when logged in. Click on submit when done.
Shell command authorization sets are attached to users or groups. We'll create a group called super under group setup. Select a group from the drop down box and click on rename group. Call it super and submit. Then click on edit settings. Scroll down to the TACACS+ section and put a check in the Shell (exec) box. Under the Shell Command Authorization section click the radio button next to assign a shell authorization set to any device. Select the super authorization set that we created. Click on submit + restart.

Task 5.8

Create a user ID on the ACS named superuser with a password of cisco and add this user to the super group.

Users are created under user setup. Enter the name superuser in the user: field and click on add/edit. Once in the user setup section you can enter a password and select the super group under the group to which the user is assigned. Click on submit when you are done.

Task 5.9

Verify that this user can log in to R6 via telnet and that all commands are available. Also verify that accounting is working for both EXEC mode and privilege level 15 commands.

This is done by telnetting from the ACS server to R6 and logging in as superuser. Obviously we can't test all the commands on the router, but we can go into config mode and bring an interface up/down as a good indicator that we have full access.
EXEC accounting is verified under reports and activity. Click on TACACS+ accounting.

Command accounting is seen by clicking on TACACS+ Administration. You can see the commands issued in the report.

Configure LDAP

Task 5.10

Configure the ACS server so that authentication via the Windows database is possible. Do not require dial-in permission for Windows users to authenticate.

This is done under external user databases. Click on configure database, then Windows database. Click the configure button. Uncheck the verify that grant dialin permission box. Under the configure domain list, select \LOCAL and move it from available domains to domain list. Click submit when done.

Task 5.11

Ensure that users not found in the ACS local database will be authenticated against the Windows database and will use the super group for authorization.

The first part of this task is done under external user databases, unknown user policy. The policy should be set to check the following external user databases, and the Windows Database should be selected. Click on submit when done.
For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 3 5 5 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated Next, youll need to map an ACS group to the windows database. This is also done under external user databases by clicking on database group mapping and windows database. Click on new configuration and then enter \LOCAL in the domain field. Click submit. For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 3 5 6 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated Now, click on the newly created \LOCAL domain. Click on the add mapping button. Click on users and add to selected. From the CiscoSecure group dropdown, select the Super group. Click submit. For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 3 5 7 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated T a s k 5 . 1 2 Verify that windows authentication is functional by logging in to R6 with a username of enablemode and password enableme. Telnet from the ACS to R6. After login, your rights will be the same as they were when you logged in as superuser. For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 3 5 8 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated Configure Proxy Authentication T a s k 5 . 1 3 If the ACS server attempts to access R2 via http, R5 should intercept and authenticate the traffic before allowing it. Use a local username of authp and a password of cisco to do this. Authentication proxy allows a router to require authentication before allowing certain traffic. First well create a local user, then configure AAA. 
R5(config)#username authp password cisco
R5(config)#aaa new-model
R5(config)#aaa authentication login authp local
R5(config)#aaa authorization auth-proxy default local

Now we can set up an auth proxy rule that will intercept HTTP. The final step is to apply it to an interface, in this case fa0/0.51, which faces the ACS server.

R5(config)#ip auth-proxy name AUTHP http
R5(config)#interface fa0/0.51
R5(config-subif)#ip auth-proxy AUTHP

Test by attempting an HTTP connection from the ACS to R2. You'll be prompted for a username and password. Enter authp/cisco and the traffic will be allowed.

Task 5.14

Require authentication via telnet at ASA1 before R6 can ping SW2. Use RADIUS and a virtual telnet address of 24.234.51.50. Authenticate with the ACS Windows username of enablemode and a password of enableme.

This is known as cut-through proxy on an ASA. Similar to auth proxy, traffic must be authenticated before it is allowed. First we'll configure our virtual telnet address.

ASA1(config)# virtual telnet 24.234.51.50

Then set up our outside access list to permit traffic both to the virtual telnet address and from SW2 to R6.

ASA1(config)# access-list outside line 1 permit tcp any host 24.234.51.50 eq telnet
ASA1(config)# access-list outside line 2 permit icmp host 24.234.51.15 host 192.168.0.6

Next we'll create an ACL for traffic requiring authentication to be matched against.
  ASA1(config)# access-list VTELNET extended permit icmp host 24.234.51.15 host 192.168.0.6
  ASA1(config)# access-list VTELNET extended permit tcp host 24.234.51.15 host 24.234.51.50 eq telnet

Virtual Telnet requires a static translation from the virtual Telnet address to itself.

  ASA1(config)# static (inside,outside) 24.234.51.50 24.234.51.50 netmask 255.255.255.255

Finally, we'll use AAA to authenticate traffic that matches our VTELNET ACL. This assumes an aaa-server group named RADIUS already points at the ACS.

  ASA1(config)# aaa authentication match VTELNET outside RADIUS

With the configuration in place, try pinging from SW2 to R6. It will fail, because nothing from SW2's address has been authenticated yet.

  SW2#ping 192.168.0.6
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.0.6, timeout is 2 seconds:
  .....
  Success rate is 0 percent (0/5)

Now we'll telnet to the virtual Telnet address and authenticate using the Windows username and password of enablemode/enableme. After authentication, try the ping again. It will succeed.

  SW2#telnet 24.234.51.50
  Trying 24.234.51.50 ... Open
  LOGIN Authentication
  Username: enablemode
  Password:
  Authentication Successful
  [Connection to 24.234.51.50 closed by foreign host]
  SW2#ping 192.168.0.6
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.0.6, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

On the ASA you can verify authentication with show uauth. Note that the entry is keyed by source IP address and carries a five-minute absolute timeout: until it expires, anything sourced from 24.234.51.15 inherits the authorization, which is the inherent limitation of an IP-based cut-through proxy.

  ASA1# show uauth
                          Current    Most Seen
  Authenticated Users       1          1
  Authen In Progress        0          1
  user 'enablemode' at 24.234.51.15, authenticated
     absolute   timeout: 0:05:00
     inactivity timeout: 0:00:00

Configure 802.1x

Task 5.15
Configure 802.1x on SW2.
After successful authentication to the ACS server using RADIUS, clients should be placed into VLAN 111. If a client doesn't have an 802.1x supplicant they should be placed in VLAN 432. Use F0/20 for this configuration and leave the port shut down. Add a user to ACS named dot1xuser with password cisco.

802.1x requires configuration on both the switch and the ACS server. First we'll need to set up the switch to authenticate to the ACS using RADIUS.

  SW2(config)#radius-server host 192.168.2.101
  SW2(config)#radius-server key cisco

Then we'll configure AAA to use RADIUS for dot1x and globally enable it on the switch. The network authorization line is what allows the switch to act on the VLAN attributes ACS returns; without it the user authenticates but stays in the port's configured VLAN.

  SW2(config)#aaa new-model
  SW2(config)#aaa authentication dot1x default group radius
  SW2(config)#aaa authorization network default group radius
  SW2(config)#aaa accounting dot1x default start-stop group radius
  SW2(config)#dot1x system-auth-control

We'll create the VLANs that will be used by dot1x.

  SW2(config)#vlan 111,432
  SW2(config-vlan)#exit

And configure the port-specific dot1x commands. Note the guest VLAN. This is used by clients that do not have dot1x supplicant software; treat it as a convenience rather than a security control, since any host that simply never answers EAPOL lands there.

  SW2(config)#interface FastEthernet0/20
  SW2(config-if)# switchport mode access
  SW2(config-if)# shutdown
  SW2(config-if)# dot1x pae authenticator
  SW2(config-if)# dot1x port-control auto
  SW2(config-if)# dot1x guest-vlan 432

Now we'll move on to the ACS configuration. First we'll set up SW2 as an AAA client. Note that we're using RADIUS (IETF). Click Submit + Apply when done.

Now we'll need to set up RADIUS to allow for per-user attributes. This is done under Interface Configuration. Click on RADIUS (IETF), which is what SW2 is going to authenticate with.
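Before ticking the attribute boxes in ACS, it helps to see what attributes 64, 65 and 81 actually are on the wire and what the switch checks before it moves the port into the VLAN. The following Python is an added example and is not part of the workbook or of Cisco's code: it encodes Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) as RFC 2868 tagged attributes using constructed values, then parses an Access-Accept attribute blob the way a switch has to, grouping the three by tag and accepting the VLAN only when the set is complete, the type is VLAN, the medium is 802, and the name exists on the switch. The tag value 1, the constructed VLAN name set, and name-only matching are assumptions; the check mirrors the page's rule that the group ID must match a VLAN name on the switch and does not model platforms that also accept a numeric VLAN ID.

```python
"""RFC 2868 tunnel attributes for 802.1X dynamic VLAN assignment (added example)."""
import struct

TUNNEL_TYPE = 64               # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13          # the "VLAN" choice in the ACS dropdown
MEDIUM_IEEE_802 = 6            # the "802" choice in the ACS dropdown
VLAN_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer: Type, Length=6, Tag (1 byte), Value (3 bytes, big-endian)."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string: Type, Length, Tag (1 byte), String."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_assignment_avps(vlan_name, tag=1):
    """The three AVPs ACS sends for the page's dot1xuser (tag 1 is an assumption)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def parse_avps(blob):
    """Generic RADIUS attribute walk -> [(type, value_bytes), ...]; rejects bad lengths."""
    avps, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        avps.append((attr_type, blob[i + 2:i + length]))
        i += length
    return avps


def split_tag(attr_type, value):
    """RFC 2868 tag rule: for the string attribute a first byte above 0x1F is data, not a tag."""
    if not value:
        return 0, b""
    if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
        return 0, value
    return value[0], value[1:]


def vlan_from_access_accept(blob, switch_vlan_names):
    """Return the VLAN name a switch would apply, or None when the attribute set is
    incomplete, not a VLAN/802 tunnel, or names a VLAN the switch does not have."""
    groups = {}
    for attr_type, value in parse_avps(blob):
        if attr_type in VLAN_ATTRS:
            tag, data = split_tag(attr_type, value)
            groups.setdefault(tag, {})[attr_type] = data
    for attrs in groups.values():
        if set(attrs) != VLAN_ATTRS:
            continue
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != MEDIUM_IEEE_802:
            continue
        name = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if name in switch_vlan_names:
            return name
    return None


SW2_VLANS = {"VLAN0111", "VLAN0432"}   # constructed: the default names IOS gives vlan 111,432


def demo():
    good = vlan_assignment_avps("VLAN0111")
    # Same three attributes, but attribute 81 sent without a tag byte ('V' = 0x56 > 0x1F).
    untagged = (encode_tagged_int(TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN)
                + encode_tagged_int(TUNNEL_MEDIUM_TYPE, 0, MEDIUM_IEEE_802)
                + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + 8]) + b"VLAN0111")
    return {
        "good": vlan_from_access_accept(good, SW2_VLANS),
        "untagged_81": vlan_from_access_accept(untagged, SW2_VLANS),
        "missing_65": vlan_from_access_accept(good[:6] + good[12:], SW2_VLANS),
        "wrong_name": vlan_from_access_accept(vlan_assignment_avps("VLAN111"), SW2_VLANS),
        "not_vlan_type": vlan_from_access_accept(
            encode_tagged_int(TUNNEL_TYPE, 1, 1) + good[6:], SW2_VLANS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The "wrong_name" case is the mistake the page warns about: typing VLAN111 instead of VLAN0111 yields a complete, well-formed attribute set that the switch still cannot honour, and the port is not placed in VLAN 111.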
Place check marks in the User column for attributes 64, 65 and 81. Click Submit.

Now we'll need to set up our dot1x user. You should already know how to create a user. Scroll down to the IETF RADIUS Attributes section. Put check marks in attributes 64, 65 and 81. For attribute 64 (Tunnel-Type) select VLAN from the dropdown menu. For attribute 65 (Tunnel-Medium-Type) select 802. For attribute 81 (Tunnel-Private-Group-ID) type in VLAN0111, which must exactly match the name of the VLAN on the switch. This will assign the user to VLAN 111 when they authenticate successfully.

The final step for the configuration to function properly is the ability of SW2 to communicate with the ACS server. RADIUS must be allowed through the firewall. The line below permits all UDP from SW2 to the ACS; in production, restrict it to the RADIUS ports actually in use (1645/1646 or 1812/1813).

  ASA1(config)# access-list outside line 1 permit udp host 24.234.51.15 host 192.168.2.101

Task 5.16
Verify that you can authenticate as this user from SW2 using the test aaa command.

Although there isn't an 802.1x supplicant connected, you can verify that authentication will work using the test aaa command. This only exercises the RADIUS exchange with a plain username and password; it does not test the EAP method or the VLAN assignment, so a passing test here still leaves those to verify with a real supplicant.

  SW2#test aaa group radius dot1xuser cisco legacy
  Attempting authentication test to server-group radius using radius
  User was successfully authenticated.

Configure Advanced Identity Management

Task 5.17
On R2, configure a local user account named ping with password cisco. Allow this user to perform an extended ping but do not give access to other privilege level 15 commands.

This is done by changing the privilege level of the ping command.
We'll do that, and then create a user at the same privilege level. Moving ping down to level 1 also moves its interactive (extended) form, which is what the task asks for, while every other level 15 command stays where it was.

  R2(config)#privilege exec level 1 ping
  R2(config)#username ping privilege 1 password cisco

Then we'll set up AAA to authenticate and authorize the user, and apply the method lists to VTY lines 0-4.

  R2(config)#aaa new-model
  R2(config)#aaa authentication login AUTHEN local
  R2(config)#aaa authorization exec AUTHOR local
  R2(config)#line vty 0 4
  R2(config-line)#authorization exec AUTHOR
  R2(config-line)#login authentication AUTHEN

Now we can test by telnetting from R5 to R2. Once authenticated as ping, we can issue an extended ping from user EXEC mode.

  R5#telnet 24.234.25.2
  Trying 24.234.25.2 ... Open
  User Access Verification
  Username: ping
  Password:
  R2>ping
  Protocol [ip]:
  Target IP address: 24.234.25.5
  Repeat count [5]:
  Datagram size [100]: 1000
  Timeout in seconds [2]:
  Extended commands [n]:
  Sweep range of sizes [n]:
  Type escape sequence to abort.
  Sending 5, 1000-byte ICMP Echos to 24.234.25.5, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Task 5.18
Create a user on the ACS server called limited with a password of cisco that can only authenticate on R6 and can only use level 1 show commands and exit.

This will be accomplished with various per-user attributes. We'll create the user, which we already know how to do. Scrolling down, the first thing we'll set is per-user Network Access Restrictions. Set the table to define permitted calling/point of access locations. Select R6 from the AAA Clients dropdown. The port and address will both be *.
Under the Advanced TACACS+ Settings we'll set the max privilege for any AAA client to 1. Under TACACS+ Settings click on Shell (exec) and set the privilege level to 1.

Click the radio button for per-user command authorization. Set it to deny unmatched commands. Enter show for the command and permit unmatched arguments. Click Submit. We'll have to edit the user after submitting to add the exit command.

With both commands entered, we'll submit the user again and verify that we can log in to R6 but not issue commands other than privilege level 1 show and exit. All other commands will return "Command authorization failed". This only holds if R6 is sending level 1 commands to the ACS for authorization via TACACS+; the privilege level alone would still leave every other level 1 command available.
Chapter 6 ~ Control Plane and Management Plane Security

[Lab topology cabling diagram. Only the host connections are recoverable from the extracted text: ACS PC on SW1 Fa0/24 at 192.168.2.101; XP Test PC on SW2 Fa0/16 at 192.168.2.102. Routers R1 to R6, BB1, BB2, ASA01/ASA02, the IDS sensor (Gi0/0 sensing, Gi0/1 command and control) and R7/R8 connect to SW1 to SW4 as shown in the diagram.]

Implement routing plane security features

Task 6.1
Configure RIP MD5 authentication on the link between R1 and ASA1.

Task 6.2
Configure OSPF MD5 authentication on the link between R2 and ASA1.

Task 6.3
Configure EIGRP MD5 authentication on the link between ASA1, R3, and R4.
Task 6.4
Configure BGP peering between R1 and R4. R1 should advertise the 192.168.0.0/16 network. R4 should advertise the 24.234.4.0, 24.234.5.0 and 24.234.6.0 networks.

Task 6.5
Configure MD5 authentication for the BGP peering between R1 and R4.

Task 6.6
Configure R1 to deny the route 24.234.5.0 via BGP, but accept all other BGP routes from R4.

Configure Control Plane Policing

Task 6.7
Configure R5's control plane to drop Telnet traffic from R3 FastEthernet0/0, and rate limit all remaining Telnet traffic to 8000 bps. Any Telnet traffic that exceeds 8000 bps should be dropped.

Task 6.8
Configure R6's control plane to rate limit all outbound ICMP traffic to 8000 bps with a burst of 1000 bytes. Traffic should be dropped when it exceeds that rate.

Configure CP Protection and Management Protection

Task 6.9
Configure R1's control plane host sub-interface to drop all Telnet packets destined for any of its interfaces.

Task 6.10
Modify R1's control plane configuration so that it drops only packets destined to closed ports.

Task 6.11
Configure R2's control plane host sub-interface to limit the number of SNMP packets in the control-plane IP input queue to 25.

Configure Broadcast Control and Switchport Security

Task 6.12
Configure SW2 interface FastEthernet0/14 to drop unicast packets when 75% of the interface bandwidth is reached. SW2 should continue blocking all unicast packets until unicast traffic falls below 50%.

Task 6.13
Configure SW2 interface FastEthernet0/15 to drop broadcast packets when the interface reaches 3000 bps. The interface should continue blocking all broadcast packets until they drop below 1000 bps. During the broadcast storm, SW2 should shut down this interface.

Task 6.14
Configure SW2 interface FastEthernet0/16 to drop multicast packets when the interface reaches 1000 pps. The interface should continue blocking all multicast packets until multicast packets drop below 700 pps. An SNMP trap should be sent when a storm is detected.

Task 6.15
Configure SW2 to keep track of the small-frame arrival rate. Configure interface FastEthernet0/10 to drop small frames when it reaches 3000 packets per second.

Task 6.16
Configure SW2 to recover from a port being disabled due to small frames. SW2 should re-enable the interface after 45 seconds.

Task 6.17
Configure SW2 interface FastEthernet0/11 to block the forwarding of unknown unicast and multicast packets.

Task 6.18
Configure SW1 interface FastEthernet0/3 so that a maximum of 1 MAC address is allowed. If there is a violation the port should be shut down.

Task 6.19
Configure SW1 interface FastEthernet0/4 so the first MAC address learned is copied into the running configuration.

Task 6.20
Configure SW1 to check for the correction of port security violations every 30 seconds and to re-enable the port if the violation is corrected.

Configure CPU Protection Mechanisms

Task 6.21
Configure R3 to delete all packets that contain IP options.

Task 6.22
Configure R6 for logging. Disable logging to the console and monitor. Configure R6 to limit log generation and transmission to 100 messages per second, except for log levels 4 (warnings) through 0 (emergencies).

Task 6.23
Configure R6 to limit log-induced process switching to one packet per 10 milliseconds.

Disable Unnecessary Services

Task 6.24
Secure R5 by disabling unnecessary global services.

Task 6.25
Secure R5 fa0/0 by disabling unnecessary interface services.

Task 6.26
Secure R1 by disabling unnecessary services using a single command.

Control Device Access

Task 6.27
Configure R3 so that only devices in VLAN 5 can telnet to it.

Task 6.28
Configure R5 so that only devices in VLAN 6 can SSH to it. Authenticate the connection using a local user named admin with a password of cisco.

Task 6.29
Configure R4 so that only the ACS server can HTTP into it.

Task 6.30
Configure ASA1 so that only SW2 can telnet to it. The Telnet session should disconnect after 2 minutes of inactivity.

Task 6.31
Configure ASA1 so that only R1 can SSH to it. Authenticate the connection using a local user named admin with a password of cisco.

Task 6.32
Configure SW1 so that when user admin telnets into the switch, they will have privilege 15 access.

Configure SNMP, SYSLOG, AAA, NTP

Task 6.33
Configure SW1 to log to the Syslog server on the ACS server.

Task 6.34
Configure SW1 for SNMP with a community string of cisco for read-only and a community string of ccbootcamp for read-write. Send config traps to the SNMP manager at 192.168.2.101 with a string of cisco.

Task 6.35
Set the clock and time zone on R1. Configure R1 as an NTP master. Configure R4 to get its time from R1 using authenticated NTP.

Control Plane and Management Plane Security Solutions

Implement routing plane security features

Task 6.1
Configure RIP MD5 authentication on the link between R1 and ASA1.

If you are sending and receiving RIP version 2 packets, you can enable RIP authentication per interface. First a key chain must be configured, then at least one key within the chain. On the interface itself you choose the authentication mode and which key chain to use. Use mode md5; the alternative, text, places the key in cleartext in every update and protects nothing.

  R1(config)#key chain RIP
  R1(config-keychain)#key 1
  R1(config-keychain-key)#key-string cisco
  R1(config-keychain-key)#interface fastethernet0/1
  R1(config-if)#ip rip authentication mode md5
  R1(config-if)#ip rip authentication key-chain RIP

R1 now has MD5 authentication configured but ASA1 does not. Clear the IP routing table on R1 and there will be no routes learned from ASA1 present.
  R1#clear ip route *
  R1#show ip route
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route

  Gateway of last resort is not set

       1.0.0.0/24 is subnetted, 1 subnets
  C       1.1.1.0 is directly connected, Loopback0
       24.0.0.0/24 is subnetted, 1 subnets
  C       24.234.10.0 is directly connected, FastEthernet0/1
  C    192.168.0.0/16 is directly connected, FastEthernet0/0

Now we'll configure RIP authentication on the ASA. The configuration is different, not requiring key chains. However the mode, the key and the key ID must all match what R1 is using (key 1 in the key chain above).

  ASA1(config)# interface ethernet0/1
  ASA1(config-if)# rip authentication mode md5
  ASA1(config-if)# rip authentication key cisco key_id 1

R1 will now learn routes from ASA1.
  R1#show ip route
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route

  Gateway of last resort is not set

       1.0.0.0/24 is subnetted, 1 subnets
  C       1.1.1.0 is directly connected, Loopback0
       2.0.0.0/32 is subnetted, 1 subnets
  R       2.2.2.2 [120/2] via 24.234.10.100, 00:00:16, FastEthernet0/1
       3.0.0.0/24 is subnetted, 1 subnets
  R       3.3.3.0 [120/2] via 24.234.10.100, 00:00:16, FastEthernet0/1
       4.0.0.0/24 is subnetted, 1 subnets
  R       4.4.4.0 [120/2] via 24.234.10.100, 00:00:16, FastEthernet0/1
       5.0.0.0/24 is subnetted, 1 subnets
  R       5.5.5.0 [120/2] via 24.234.10.100, 00:00:17, FastEthernet0/1
       6.0.0.0/24 is subnetted, 1 subnets
  R       6.6.6.0 [120/2] via 24.234.10.100, 00:00:17, FastEthernet0/1
       24.0.0.0/24 is subnetted, 6 subnets
  R       24.234.34.0 [120/1] via 24.234.10.100, 00:00:19, FastEthernet0/1
  R       24.234.2.0 [120/1] via 24.234.10.100, 00:00:19, FastEthernet0/1
  R       24.234.6.0 [120/2] via 24.234.10.100, 00:00:19, FastEthernet0/1
  R       24.234.4.0 [120/2] via 24.234.10.100, 00:00:19, FastEthernet0/1
  R       24.234.5.0 [120/2] via 24.234.10.100, 00:00:19, FastEthernet0/1
  C       24.234.10.0 is directly connected, FastEthernet0/1
  C    192.168.0.0/16 is directly connected, FastEthernet0/0

Task 6.2
Configure OSPF MD5 authentication on the link between R2 and ASA1.

The OSPF authentication mode can be set in the router configuration (per area) or per interface, as we're doing in this case.
  R2(config)#interface fastethernet0/0
  R2(config-if)#ip ospf authentication message-digest
  R2(config-if)#ip ospf message-digest-key 1 md5 cisco

Since ASA1 does not have OSPF authentication configured, R2 will not show it as a neighbor or learn OSPF routes from it.

  R2#show ip ospf neighbor
  R2#
  R2#show ip route
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route

  Gateway of last resort is not set

       2.0.0.0/24 is subnetted, 1 subnets
  C       2.2.2.0 is directly connected, Loopback0
       24.0.0.0/24 is subnetted, 1 subnets
  C       24.234.2.0 is directly connected, FastEthernet0/0

Now we'll configure OSPF authentication on the ASA. The commands are the same as on the router, minus the leading ip keyword. Both the key ID and the key must match R2's.

  ASA1(config)# interface ethernet0/2
  ASA1(config-if)# ospf authentication message-digest
  ASA1(config-if)# ospf message-digest-key 1 md5 cisco

ASA1 and R2 now have an OSPF adjacency and routes are being exchanged.
  ASA1# show ospf neighbor
  Neighbor ID     Pri   State           Dead Time   Address         Interface
  2.2.2.2           1   FULL/BDR        0:00:35     24.234.2.2      dmz
  ASA1#

  R2#show ip ospf neighbor
  Neighbor ID     Pri   State           Dead Time   Address         Interface
  24.234.34.100     1   FULL/DR         00:00:37    24.234.2.100    FastEthernet0/0
  R2#
  R2#sh ip route
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route

  Gateway of last resort is not set

       1.0.0.0/24 is subnetted, 1 subnets
  O E2    1.1.1.0 [110/20] via 24.234.2.100, 00:00:05, FastEthernet0/0
       2.0.0.0/24 is subnetted, 1 subnets
  C       2.2.2.0 is directly connected, Loopback0
       3.0.0.0/24 is subnetted, 1 subnets
  O E2    3.3.3.0 [110/20] via 24.234.2.100, 00:00:05, FastEthernet0/0
       4.0.0.0/24 is subnetted, 1 subnets
  O E2    4.4.4.0 [110/20] via 24.234.2.100, 00:00:05, FastEthernet0/0
       5.0.0.0/24 is subnetted, 1 subnets
  O E2    5.5.5.0 [110/20] via 24.234.2.100, 00:00:06, FastEthernet0/0
       6.0.0.0/24 is subnetted, 1 subnets
  O E2    6.6.6.0 [110/20] via 24.234.2.100, 00:00:06, FastEthernet0/0
       24.0.0.0/24 is subnetted, 6 subnets
  O E2    24.234.34.0 [110/20] via 24.234.2.100, 00:00:07, FastEthernet0/0
  C       24.234.2.0 is directly connected, FastEthernet0/0
  O E2    24.234.6.0 [110/20] via 24.234.2.100, 00:00:07, FastEthernet0/0
  O E2    24.234.4.0 [110/20] via 24.234.2.100, 00:00:07, FastEthernet0/0
  O E2    24.234.5.0 [110/20] via 24.234.2.100, 00:00:07, FastEthernet0/0
  O E2    24.234.10.0 [110/20] via 24.234.2.100, 00:00:07, FastEthernet0/0
  O E2 192.168.0.0/16 [110/20] via 24.234.2.100, 00:00:07, FastEthernet0/0

Task 6.3
Configure EIGRP MD5 authentication on the link between ASA1, R3, and R4.

As with RIP, we'll use key chains for EIGRP authentication. The authentication mode and the key chain to be used are set per interface, and both commands reference the EIGRP autonomous system number (1 here).

  R3(config)#key chain EIGRP
  R3(config-keychain)#key 1
  R3(config-keychain-key)#key-string cisco
  R3(config-keychain-key)#interface fastethernet0/0
  R3(config-if)#ip authentication mode eigrp 1 md5
  R3(config-if)#ip authentication key-chain eigrp 1 EIGRP

At this point R3 will no longer learn routes from ASA1 and R4.

  R3#show ip route
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route

  Gateway of last resort is not set

       3.0.0.0/24 is subnetted, 1 subnets
  C       3.3.3.0 is directly connected, Loopback0
       24.0.0.0/24 is subnetted, 1 subnets
  C       24.234.34.0 is directly connected, FastEthernet0/0

Now we'll configure authentication on R4 using the same key and mode.

  R4(config)#key chain EIGRP
  R4(config-keychain)#key 1
  R4(config-keychain-key)#key-string cisco
  R4(config-keychain-key)#interface fastethernet0/0
  R4(config-if)#ip authentication mode eigrp 1 md5
  R4(config-if)#ip authentication key-chain eigrp 1 EIGRP

R3 and R4 now have an EIGRP adjacency, but neither R3 nor R4 has an EIGRP adjacency with ASA1.
  R3#show ip eigrp 1 neighbors
  IP-EIGRP neighbors for process 1
  H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                              (sec)         (ms)       Cnt Num
  0   24.234.34.4             Fa0/0             13 00:02:32    4   200  0  42

  R4#show ip eigrp 1 neighbors
  IP-EIGRP neighbors for process 1
  H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                              (sec)         (ms)       Cnt Num
  0   24.234.34.3             Fa0/0             14 00:03:08    2   200  0  23
  2   24.234.4.10             Fa0/1             14 00:59:08    1   200  0  53

We'll now configure authentication on ASA1. As with RIP, key chains aren't used, but the mode, key and key ID must match.

  ASA1(config)# interface ethernet0/0
  ASA1(config-if)# authentication mode eigrp 1 md5
  ASA1(config-if)# authentication key eigrp 1 cisco key-id 1

ASA1 now has adjacencies with R3 and R4 and is learning routes via EIGRP.

  ASA1# show eigrp neighbors
  EIGRP-IPv4 neighbors for process 1
  H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                              (sec)         (ms)       Cnt Num
  1   24.234.34.3             Et0/0             14 00:00:18    2   200  0  26
  0   24.234.34.4             Et0/0             14 00:00:18    6   200  0  45

  ASA1# show route
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
         * - candidate default, U - per-user static route, o - ODR
         P - periodic downloaded static route

  Gateway of last resort is not set

  R    1.1.1.0 255.255.255.0 [120/1] via 24.234.10.1, 0:00:08, inside
  O    2.2.2.2 255.255.255.255 [110/11] via 24.234.2.2, 0:11:44, dmz
  D    3.3.3.0 255.255.255.0 [90/131072] via 24.234.34.3, 0:01:16, outside
  D    4.4.4.0 255.255.255.0 [90/131072] via 24.234.34.4, 0:01:16, outside
  D    5.5.5.0 255.255.255.0 [90/156928] via 24.234.34.4, 0:01:16, outside
  D    6.6.6.0 255.255.255.0 [90/156928] via 24.234.34.4, 0:01:16, outside
  C    24.234.34.0 255.255.255.0 is directly connected, outside
  C    24.234.2.0 255.255.255.0 is directly connected, dmz
  D    24.234.6.0 255.255.255.0 [90/28928] via 24.234.34.4, 0:01:16, outside
  D    24.234.4.0 255.255.255.0 [90/28672] via 24.234.34.4, 0:01:16, outside
  D    24.234.5.0 255.255.255.0 [90/28928] via 24.234.34.4, 0:01:16, outside
  C    24.234.10.0 255.255.255.0 is directly connected, inside
  R    192.168.0.0 255.255.0.0 [120/1] via 24.234.10.1, 0:00:08, inside

Task 6.4
Configure BGP peering between R1 and R4. R1 should advertise the 192.168.0.0/16 network. R4 should advertise the 24.234.4.0, 24.234.5.0 and 24.234.6.0 networks.

Before any BGP peering can occur, the ASA must be configured to allow the BGP (TCP 179) traffic from R4 to R1. This is done with an ACL permitting the session whichever side initiates it (R4 connecting to R1's port 179, or R4 answering from its own port 179). ASA ACL names are case-sensitive, and access-group replaces whatever ACL was previously bound to the interface, so if the lowercase outside ACL from Chapter 5 is still applied, carry its entries over or they stop taking effect.

  ASA1(config)# access-list OUTSIDE permit tcp host 24.234.34.4 host 24.234.10.1 eq 179
  ASA1(config)# access-list OUTSIDE permit tcp host 24.234.34.4 eq 179 host 24.234.10.1
  ASA1(config)# access-group OUTSIDE in interface outside

Now we can configure BGP on both routers. R1 and R4 are not on a common subnet, so each eBGP neighbor needs ebgp-multihop.

  R1(config)#router bgp 1
  R1(config-router)#neighbor 24.234.34.4 remote-as 4
  R1(config-router)#neighbor 24.234.34.4 ebgp-multihop 2
  R1(config-router)#network 192.168.0.0 mask 255.255.0.0

  R4(config)#router bgp 4
  R4(config-router)#neighbor 24.234.10.1 remote-as 1
  R4(config-router)#neighbor 24.234.10.1 ebgp-multihop 2
  R4(config-router)#network 24.234.4.0 mask 255.255.255.0
  R4(config-router)#network 24.234.5.0 mask 255.255.255.0
  R4(config-router)#network 24.234.6.0 mask 255.255.255.0

Verify that peering has occurred.
R1#show ip bgp summary
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 7, main routing table version 7
4 network entries using 480 bytes of memory
4 path entries using 208 bytes of memory
4/3 BGP path/bestpath attribute entries using 496 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1240 total bytes of memory
BGP activity 10/6 prefixes, 11/7 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
24.234.34.4     4     4      21      18        7    0    0 00:03:35        3

R1#show ip bgp
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 24.234.4.0/24    24.234.34.4              0             0 4 i
*> 24.234.5.0/24    24.234.34.4          28416             0 4 i
*> 24.234.6.0/24    24.234.34.4          28416             0 4 i
*> 192.168.0.0/16   0.0.0.0                  0         32768 i

Task 6.5
Configure MD5 authentication for the BGP peering between R1 and R4.

This is set up with the neighbor command within the router bgp configuration. The password must be identical on both peers.

R1#conf t
R1(config)#router bgp 1
R1(config-router)#neighbor 24.234.34.4 password cisco

R4#conf t
R4(config)#router bgp 4
R4(config-router)#neighbor 24.234.10.1 password cisco

Once configured, you will start seeing these messages on both routers:

*Mar 12 18:34:32.451: %TCP-6-BADAUTH: No MD5 digest from 24.234.34.4(55006) to 24.234.10.1(179)

With the default settings in place, an ASA will break MD5 authentication between BGP peers, for two reasons. First, the ASA clears TCP option 19 (the MD5 signature option defined in RFC 2385) from the TCP header, so the segment arrives with no digest at all.
Second, it randomizes the TCP sequence number before forwarding the packet. The sending router computed the MD5 hash over the original sequence number (the hash covers the TCP pseudo-header, the fixed TCP header and the data, plus the shared password), so the digest no longer matches what the receiving router computes.

First the ASA must be configured to allow option 19 using a TCP map. The map is applied to BGP traffic within the global_policy policy map.

ASA1(config)# tcp-map OPTION19
ASA1(config-tcp-map)# tcp-options range 19 19 allow
ASA1(config)# class-map BGP_CMAP
ASA1(config-cmap)# match port tcp eq 179
ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class BGP_CMAP
ASA1(config-pmap-c)# set connection advanced-options OPTION19

Once option 19 is allowed, the error message on R1 and R4 changes from "No MD5 digest" to "Invalid MD5 digest": the digest now arrives, but it was computed over a sequence number the ASA has since rewritten.

*Mar 12 18:42:04.503: %TCP-6-BADAUTH: Invalid MD5 digest from 24.234.34.4(14857) to 24.234.10.1(179)

This is solved by disabling TCP sequence number randomization for the BGP class.

ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class BGP_CMAP
ASA1(config-pmap-c)# set connection random-sequence-number disable

After sequence number randomization is disabled, the errors cease and the peers establish. Both set connection settings apply to connections built after the policy change; an existing connection keeps the treatment it was created with.

R1#
*Apr 14 21:55:41.503: %BGP-5-ADJCHANGE: neighbor 24.234.34.4 Up

Task 6.6
Configure R1 to deny the route 24.234.5.0 via BGP, but accept all other BGP routes from R4.

This is done with a distribute list. The distribute list references an ACL and is set with the neighbor command.
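A Python model of the two Task 6.5 failure modes, added here as an example. It is not workbook code and does not reproduce the ASA's or IOS's implementation; it computes the RFC 2385 digest the way a BGP speaker does (pseudo-header, 20-byte TCP header with checksum zeroed and options excluded, payload, then the key), signs R4's SYN toward R1 with the password cisco, and then applies the two default ASA behaviours in turn, reporting the verdict R1 would log. The Segment dataclass, the initial sequence number and the ASA's sequence offset are constructed for the example.

```python
"""RFC 2385 TCP MD5 signature (TCP option kind 19) and the two ways a default
ASA breaks it. Added example, not workbook code. Addresses, ports and the key
come from Task 6.5; the sequence number and the ASA's offset are constructed."""
import hashlib
import socket
import struct
from dataclasses import dataclass, replace

TCP_PROTO = 6
OPT_NOP = 1
OPT_MD5 = 19       # TCP option kind for the MD5 signature
OPT_MD5_LEN = 18   # kind + length + 16-byte digest


@dataclass(frozen=True)
class Segment:
    """The TCP header fields that matter for the signature (hypothetical model)."""
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes = b""
    options: bytes = b""   # raw TCP options, not yet padded


def _padded(options: bytes) -> bytes:
    """Pad options with NOPs to a 4-byte boundary, as the data offset requires."""
    return options + bytes([OPT_NOP]) * (-len(options) % 4)


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over pseudo-header, fixed 20-byte TCP header (checksum zero, options
    excluded), payload, then the key (RFC 2385 section 2). The sequence number
    sits inside the hashed header, which is why rewriting it breaks the digest."""
    opts = _padded(seg.options)
    tcp_len = 20 + len(opts) + len(seg.payload)           # whole segment length
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(seg.src_ip),
                         socket.inet_aton(seg.dst_ip), 0, TCP_PROTO, tcp_len)
    data_off = (20 + len(opts)) // 4                      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         data_off << 4, seg.flags, seg.window, 0, 0)
    h = hashlib.md5()
    for part in (pseudo, header, seg.payload, key):
        h.update(part)
    return h.digest()


def sign(seg: Segment, key: bytes) -> Segment:
    """Append option 19 carrying the digest (the sender side of neighbor ... password)."""
    opt_head = struct.pack("!BB", OPT_MD5, OPT_MD5_LEN)
    # The option changes tcp_len and the data offset, so lay it out (digest zeroed) first.
    layout = replace(seg, options=seg.options + opt_head + bytes(16))
    return replace(seg, options=seg.options + opt_head + tcp_md5_digest(layout, key))


def _walk_options(options: bytes):
    """Yield (kind, raw_bytes) per TCP option; NOP is one byte, EOL ends the list."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            return
        if kind == OPT_NOP:
            yield kind, options[i:i + 1]
            i += 1
            continue
        length = options[i + 1]
        yield kind, options[i:i + length]
        i += length


def find_md5_option(options: bytes):
    """Return the 16-byte digest carried in option 19, or None if it is absent."""
    for kind, raw in _walk_options(options):
        if kind == OPT_MD5 and len(raw) == OPT_MD5_LEN:
            return raw[2:]
    return None


def check(seg: Segment, key: bytes) -> str:
    """Receiver verdict, worded like the IOS %TCP-6-BADAUTH messages."""
    digest = find_md5_option(seg.options)
    if digest is None:
        return "No MD5 digest"
    if digest != tcp_md5_digest(seg, key):
        return "Invalid MD5 digest"
    return "ok"


def strip_option19(seg: Segment) -> Segment:
    """Default ASA TCP normalizer: option 19 is cleared from the header."""
    kept = b"".join(raw for kind, raw in _walk_options(seg.options) if kind != OPT_MD5)
    return replace(seg, options=kept)


def randomize_seq(seg: Segment, offset: int) -> Segment:
    """Default ASA random-sequence-number: the ISN is rewritten, option 19 is untouched."""
    return replace(seg, seq=(seg.seq + offset) & 0xFFFFFFFF)


def demo(key: bytes = b"cisco") -> dict:
    """Sign R4's SYN to R1 and report what R1 would log under each ASA setting."""
    syn = Segment("24.234.34.4", "24.234.10.1", 55006, 179,
                  seq=0x1A2B3C4D, ack=0, flags=0x02, window=16384)   # constructed ISN
    signed = sign(syn, key)
    return {
        "asa_defaults_strip_19": check(strip_option19(signed), key),
        "option19_allowed_only": check(randomize_seq(signed, 0x7F0000), key),
        "option19_and_no_random": check(signed, key),
    }
```

demo() returns the three verdicts in the order the task walks through them: "No MD5 digest" with the ASA defaults, "Invalid MD5 digest" once option 19 passes but the sequence number is still rewritten, and "ok" once randomization is disabled for the BGP class.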
R1(config)#access-list 1 deny 24.234.5.0 0.0.0.255
R1(config)#access-list 1 permit any
R1(config)#router bgp 1
R1(config-router)#neighbor 24.234.34.4 distribute-list 1 in

We'll clear BGP and then verify the 24.234.5.0 route is gone. A hard reset is used here; in production a soft inbound refresh (clear ip bgp 24.234.34.4 soft in) would apply the new inbound policy without tearing down the session.

R1#clear ip bgp *
R1#
*Mar 12 18:53:46.175: %BGP-5-ADJCHANGE: neighbor 24.234.34.4 Down User reset
R1#
*Mar 12 18:53:48.687: %BGP-5-ADJCHANGE: neighbor 24.234.34.4 Up

R1#show ip bgp
BGP table version is 4, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 24.234.4.0/24    24.234.34.4              0             0 4 i
*> 24.234.6.0/24    24.234.34.4          28416             0 4 i
*> 192.168.0.0/16   0.0.0.0                  0         32768 i

Configure Control Plane Policing

Task 6.7
Configure R5's control plane to drop telnet traffic from R3 FastEthernet0/0, and rate limit all remaining telnet traffic to 8000 bps. Any telnet traffic that exceeds 8000 bps should be dropped.

Control plane policing (CoPP) allows MQC to be applied to the control plane. The configuration is the same as standard MQC: identify traffic with a class map, act on the identified traffic with a policy map, and apply the policy to the control plane with service-policy. In this case we'll need two different class maps, one to identify telnet from R3 and one to identify all other telnet. The traffic from R3 gets an action of drop and all other telnet is policed to 8000 bps. Classes in a policy map are evaluated in order, so R3's telnet is caught by the first class; the explicit deny in the TELNET_RATE ACL keeps the intent clear even if the class order is later changed.
R5(config)#ip access-list extended TELNET_DROP
R5(config-ext-nacl)#permit tcp host 24.234.34.3 any eq telnet
R5(config)#ip access-list extended TELNET_RATE
R5(config-ext-nacl)#deny tcp host 24.234.34.3 any eq telnet
R5(config-ext-nacl)#permit tcp any any eq telnet
R5(config-ext-nacl)#class-map TELNET_DROP_CMAP
R5(config-cmap)#match access-group name TELNET_DROP
R5(config-cmap)#class-map TELNET_RATE_CMAP
R5(config-cmap)#match access-group name TELNET_RATE
R5(config-cmap)#policy-map TELNET_PMAP
R5(config-pmap)#class TELNET_DROP_CMAP
R5(config-pmap-c)#drop
R5(config-pmap)#class TELNET_RATE_CMAP
R5(config-pmap-c)#police rate 8000 bps
R5(config-pmap-c-police)#conform-action transmit
R5(config-pmap-c-police)#exceed-action drop
R5(config-pmap-c-police)#exit
R5(config-pmap-c)#exit
R5(config-pmap)#exit
R5(config)#control-plane
R5(config-cp)#service-policy input TELNET_PMAP

We'll verify with a telnet from R4 to R5; this is allowed.

R4#telnet 24.234.5.5
Trying 24.234.5.5 ... Open

User Access Verification

Password:

Now we'll try a telnet from R3; the traffic is dropped.

R3#telnet 24.234.5.5
Trying 24.234.5.5 ...
% Connection timed out; remote host not responding

show policy-map control-plane shows us that packets matched the configured classes and were acted upon.
R5#show policy-map control-plane
Control Plane

  Service-policy input: TELNET_PMAP

    Class-map: TELNET_DROP_CMAP (match-all)
      4 packets, 240 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name TELNET_DROP
      drop

    Class-map: TELNET_RATE_CMAP (match-all)
      22 packets, 1329 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name TELNET_RATE
      police:
          rate 8000 bps, burst 1500 bytes
        conformed 22 packets, 1329 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      52 packets, 4140 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Note that no burst was given in the police command, so IOS chose a default burst of 1500 bytes for the 8000 bps policer.

Task 6.8
Configure R6's control plane to rate limit all ICMP traffic outbound to 8000 bps with a burst of 1000 bytes. Traffic should be dropped when it exceeds.

Like the previous example, this is done with MQC applied to the control plane. However, the service policy is applied in the outbound direction, so it acts on ICMP the router itself generates: the echo requests from the ping below, as well as any replies and error messages.

R6(config)#ip access-list extended ICMP
R6(config-ext-nacl)#permit icmp any any
R6(config-ext-nacl)#class-map ICMP_CMAP
R6(config-cmap)#match access-group name ICMP
R6(config-cmap)#policy-map ICMP_PMAP
R6(config-pmap)#class ICMP_CMAP
R6(config-pmap-c)#police rate 8000 bps burst 1000 bytes
R6(config-pmap-c-police)#conform-action transmit
R6(config-pmap-c-police)#exceed-action drop
R6(config-pmap-c-police)#exit
R6(config-pmap-c)#exit
R6(config-pmap)#exit
R6(config)#control-plane
R6(config-cp)#service-policy output ICMP_PMAP

We'll test by sending 100 ICMP packets.

R6#ping 24.234.34.3 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 24.234.34.3, timeout is 2 seconds:
!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!
Success rate is 89 percent (89/100), round-trip min/avg/max = 1/2/4 ms

Note that some packets were dropped, and that the pattern is regular: eight echoes pass, the ninth is dropped. The counters below show the policer charges 114 bytes per echo (11400 bytes for 100 packets), so the 1000-byte bucket holds eight of them; the ninth finds the bucket nearly empty and is policed, ping waits out its 2-second timeout, and in that time the bucket refills at 8000 bps (1000 bytes per second), so the next eight pass again. A look at the policy map shows that 11 packets were in violation of the policy and were dropped.

R6#show policy-map control-plane
Control Plane

  Service-policy output: ICMP_PMAP

    Class-map: ICMP_CMAP (match-all)
      100 packets, 11400 bytes
      5 minute offered rate 2000 bps, drop rate 0 bps
      Match: access-group name ICMP
      police:
          rate 8000 bps, burst 1000 bytes
        conformed 89 packets, 10146 bytes; actions:
          transmit
        exceeded 11 packets, 1254 bytes; actions:
          drop
        conformed 1000 bps, exceed 0 bps

    Class-map: class-default (match-any)
      30 packets, 2253 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Configure CP Protection and Management Protection

Task 6.9
Configure R1's control plane host sub-interface to drop all telnet packets destined for any of its interfaces.

Control plane protection (CPPr) allows for finer granularity in filtering control plane traffic than CoPP by splitting the control plane into host, transit and CEF-exception sub-interfaces. We'll use a port-filter class map to identify all telnet traffic, and then drop it in a policy map which is applied to control-plane host.
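The 89/100 result from Task 6.8 can be reproduced with a token-bucket model of the policer, added here as an example (not workbook code; the IOS policer is simplified to a single bucket of bytes). It assumes each echo goes out 2 ms after the previous reply (the reported average RTT) and 2 s after a dropped echo (the ping timeout), and charges 114 bytes per packet, the size the counters report. With rate 8000 bps and burst 1000 bytes it yields the same "!!!!!!!!." pattern and the same conformed/exceeded byte counts as the show output.

```python
"""Single-rate token-bucket policer (police rate ... bps burst ... bytes) replayed
against the Task 6.8 ping. Added example, not workbook code; the IOS policer is
simplified to one byte bucket, and the ping's inter-packet timing is an assumption."""
from dataclasses import dataclass


@dataclass
class Policer:
    """One-rate, one-bucket policer: conform while tokens cover the packet, else exceed."""
    rate_bps: int
    burst_bytes: int

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # the bucket starts full
        self.last_ms = 0.0

    def offer(self, now_ms: float, size_bytes: int) -> bool:
        """Refill for the time elapsed since the previous packet, then charge this one.
        Returns True for conform (transmit) and False for exceed (drop)."""
        earned = self.rate_bps / 8.0 * (now_ms - self.last_ms) / 1000.0
        self.tokens = min(float(self.burst_bytes), self.tokens + earned)
        self.last_ms = now_ms
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def replay_ping(policer: Policer, count: int = 100, frame_bytes: int = 114,
                rtt_ms: float = 2.0, timeout_ms: float = 2000.0) -> str:
    """Model `ping ... repeat N`: after a reply (rtt_ms later) the next echo goes out
    at once; a policed echo never gets a reply, so ping waits the full timeout first.
    frame_bytes is what the policer counted per packet (11400 bytes / 100 packets);
    rtt_ms is the reported average RTT, assumed to be the spacing between echoes."""
    now = 0.0
    marks = []
    for _ in range(count):
        conformed = policer.offer(now, frame_bytes)
        marks.append("!" if conformed else ".")
        now += rtt_ms if conformed else timeout_ms
    return "".join(marks)


def summarize(marks: str, frame_bytes: int = 114) -> dict:
    """Counters in the shape show policy-map control-plane prints them."""
    conformed = marks.count("!")
    exceeded = marks.count(".")
    return {"conformed_packets": conformed, "conformed_bytes": conformed * frame_bytes,
            "exceeded_packets": exceeded, "exceeded_bytes": exceeded * frame_bytes}


def task_6_8() -> dict:
    """Task 6.8: rate 8000 bps, burst 1000 bytes, 100 echoes of 114 bytes."""
    marks = replay_ping(Policer(rate_bps=8000, burst_bytes=1000))
    return {"marks": marks, **summarize(marks)}


if __name__ == "__main__":
    result = task_6_8()
    print(result["marks"])
    print({k: v for k, v in result.items() if k != "marks"})
```

Changing rtt_ms to 4 ms in replay_ping lets nine echoes through per cycle instead of eight, which is why a policer test like this is only reproducible when the offered pattern is known; the bucket depth, not the rate, decides how many back-to-back packets survive.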
R1(config)#class-map type port-filter match-any PORT_CMAP
R1(config-cmap)#match port tcp 23
R1(config-cmap)#exit
R1(config)#policy-map type port-filter PORT_PMAP
R1(config-pmap)#class PORT_CMAP
R1(config-pmap-c)#drop
R1(config-pmap-c)#exit
R1(config-pmap)#exit
R1(config)#control-plane host
R1(config-cp-host)#service-policy type port-filter input PORT_PMAP
R1(config-cp-host)#
*Mar 12 22:14:05.354: %CP-5-FEATURE: TCP/UDP Portfilter feature enabled on Control plane host path

We can test by telnetting from SW2 to R1. The traffic is dropped.

SW2#telnet 192.168.0.1
Trying 192.168.0.1 ...
% Connection timed out; remote host not responding

Showing the policy map verifies that the packets were dropped.

R1#show policy-map type port-filter control-plane host
Control Plane Host

  Service-policy port-filter input: PORT_PMAP

    Class-map: PORT_CMAP (match-any)
      4 packets, 240 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: port tcp 23
        4 packets, 240 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      6 packets, 1554 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Task 6.10
Modify R1's control plane configuration to only drop all closed ports.

Closed ports are TCP and UDP ports that the router is not actively listening on. To drop this traffic we'll remove the telnet match in our class map and add closed-ports.

R1(config)#class-map type port-filter match-any PORT_CMAP
R1(config-cmap)#no match port tcp 23
R1(config-cmap)#match closed-ports

Verify what ports are open with show control-plane host open-ports.
R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot   Local Address      Foreign Address     Service          State
 tcp       *:23               *:0             Telnet           LISTEN
 tcp       *:80               *:0             HTTP CORE        LISTEN
 udp       *:67               *:0             DHCPD Receive    LISTEN
 udp       *:68               *:0             BootP client     LISTEN

Notice that RIP (UDP 520) is not listed, although the router is running RIP. The port-filter feature treats every port absent from this table as closed, so RIP will be blocked. This is the check to make before deploying match closed-ports: compare this table against every protocol the router actually serves. Verify that R1 is no longer learning routes from ASA1.

R1#clear ip route *
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     24.0.0.0/24 is subnetted, 1 subnets
C       24.234.10.0 is directly connected, FastEthernet0/1
C    192.168.0.0/16 is directly connected, FastEthernet0/0

Task 6.11
Configure R2's control plane host sub-interface to limit the number of SNMP packets in the control-plane IP input queue to 25.

This is done with a queue-threshold class map and policy map. These are special map types used by control plane protection to limit the number of packets a specified protocol may hold in the input queue. This can be useful in defeating DoS attacks launched against your router, since a flood of one protocol can no longer fill the whole input queue and starve the others.
R2(config)#class-map type queue-threshold match-any QUEUE_CMAP
R2(config-cmap)#match protocol snmp
R2(config-cmap)#exit
R2(config)#policy-map type queue-threshold QUEUE_PMAP
R2(config-pmap)#class QUEUE_CMAP
R2(config-pmap-c)#queue-limit 25
R2(config-pmap-c)#exit
R2(config-pmap)#exit
R2(config)#control-plane host
R2(config-cp-host)#service-policy type queue-threshold input QUEUE_PMAP
R2(config-cp-host)#
*Mar 12 22:18:40.562: %CP-5-FEATURE: Protocol Queue Thresholding feature enabled on Control plane host path

Verify the configuration with show policy-map.

R2#show policy-map type queue-threshold control-plane host
queue-limit 25 queue-count 0 packets allowed/dropped 0/0
Control Plane Host

  Service-policy queue-threshold input: QUEUE_PMAP

    Class-map: QUEUE_CMAP (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol snmp
        0 packets, 0 bytes
        5 minute rate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Configure Broadcast Control and Switchport Security

Task 6.12
Configure SW2 interface FastEthernet0/14 to drop unicast packets when 75% of the interface bandwidth is reached. SW2 should continue blocking all unicast packets until unicast traffic falls below 50%.

This is accomplished with storm control. Storm control is configured per interface and sets a rising and a falling threshold as a percentage of interface bandwidth. The port blocks the traffic type when the rising threshold is reached and resumes normal forwarding only when the rate drops below the falling threshold; the gap between the two stops the port from flapping around a single threshold.
SW2(config)#interface fastethernet0/14
SW2(config-if)#storm-control unicast level 75 50

Verify with show storm-control unicast.

SW2#show storm-control unicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/14     Link Down      75.00%       50.00%       0.00%

Task 6.13
Configure SW2 interface FastEthernet0/15 to drop broadcast packets when the interface reaches 3000 bps. The interface should continue blocking all broadcast packets until they drop below 1000 bps. During the broadcast storm, SW2 should shut down this interface.

This is also done with storm control, using the broadcast option instead of unicast. The shutdown action will error-disable the interface during a storm, so it stays down until it is manually re-enabled or errdisable recovery is configured for cause storm-control.

SW2(config)#interface fastethernet0/15
SW2(config-if)#storm-control broadcast level bps 3000 1000
SW2(config-if)#storm-control action shutdown

Verify with show storm-control.

SW2#show storm-control broadcast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/15     Link Down      3k bps       1k bps       0 bps

Task 6.14
Configure SW2 interface FastEthernet0/16 to drop multicast packets when the interface reaches 1000 pps. The interface should continue blocking all multicast packets until multicast packets drop below 700 pps. An SNMP trap should be sent when a storm is detected.

This is done with the multicast option. Notice we're using pps instead of bps. We'll also use the action trap option to send an SNMP trap when the storm is detected.
SW2(config)#interface FastEthernet0/16
SW2(config-if)#storm-control multicast level pps 1000 700
SW2(config-if)#storm-control action trap

Once again, we'll verify with show storm-control.

SW2#show storm-control multicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/16     Link Down      1k pps       700 pps      0 pps

Task 6.15
Configure SW2 to keep track of the small-frame arrival rate. Configure interface FastEthernet0/10 to drop small frames when it reaches 3000 packets per second.

Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch but they do not cause the storm-control counters to increment, so a flood of them would pass under storm control unnoticed. You globally enable the small-frame arrival feature on the switch and then configure the small-frame threshold on each interface. When small frames arrive at or above the configured rate (the threshold), the port is error-disabled, so the frames are dropped.

SW2(config)#errdisable detect cause small-frame
SW2(config)#interface fastethernet0/10
SW2(config-if)#small-frame violation-rate 3000

Task 6.16
Configure SW2 to recover from a port being disabled due to small frames. SW2 should re-enable the interface after 45 seconds.

This is done with errdisable recovery for the cause small-frame. The interval is set to 45 seconds. Note that errdisable recovery interval is a single global timer: it applies to every recovery cause enabled on the switch, not only small-frame.

SW2(config)#errdisable recovery cause small-frame
SW2(config)#errdisable recovery interval 45

Task 6.17
Configure SW2 interface FastEthernet0/11 to block the forwarding of unknown unicast and multicast packets.
Default switch behavior is to flood packets with unknown destination MAC addresses out of all ports in the VLAN. You can change this behavior per interface with the switchport block command, so that unknown unicast or multicast flooding is not forwarded out of this port.

SW2(config)#interface fastethernet0/11
SW2(config-if)#switchport block unicast
SW2(config-if)#switchport block multicast

Task 6.18
Configure SW1 interface FastEthernet0/3 so that a maximum of 1 MAC address is allowed. If there is a violation the port should be shut down.

This is done with port security. First port security is enabled, then the maximum number of allowed MAC addresses and the violation mode are configured. Maximum 1 and violation shutdown are the defaults, but they are set explicitly here to satisfy the task.

SW1(config)#interface fastethernet0/3
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 1
SW1(config-if)#switchport port-security violation shutdown

Task 6.19
Configure SW1 interface FastEthernet0/4 so the first MAC address learned is copied into the running configuration.

This is done using the sticky option within port security. The sticky option should be configured before turning on port security so the first address seen is learned and written into the running configuration as a switchport port-security mac-address sticky entry. Remember to save the configuration, or the learned address is lost on reload.

SW1(config)#interface fastethernet0/4
SW1(config-if)#switchport port-security mac-address sticky
SW1(config-if)#switchport port-security

Task 6.20
Configure SW1 to check for the correction of port security violations every 30 seconds and to re-enable the port if the violation is corrected.

This is done with errdisable recovery using the cause psecure-violation. The recovery interval can also be set.
SW1(config)#errdisable recovery cause psecure-violation
SW1(config)#errdisable recovery interval 30

To verify we will change the MAC address on R4 F0/0 to 0004.0004.0004. The switchport it is connected to (SW1 Fa0/4, whose sticky address has already been learned) will shut down due to the violation.

R4(config)#interface fastethernet0/0
R4(config-if)#mac-address 0004.0004.0004

SW1#
09:35:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
SW1#
09:35:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
09:35:39: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state
SW1#
09:35:39: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0004.0004.0004 on port FastEthernet0/4.
SW1#
09:35:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
09:35:41: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down

This can be further verified with the show port-security command for the interface.

SW1#show port-security interface fastethernet0/4
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0004.0004.0004:34
Security Violation Count   : 1

Now we will remove the MAC address from R4 F0/0. The port will automatically recover.
R4(config-if)#no mac-address 0004.0004.0004

SW1#
09:37:34: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/4
SW1#
09:37:37: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
09:37:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up

Verify that the violation has been resolved. The sticky address is still the only secure address, so the recovered port stays up only because R4 is back on its original burned-in address (0017.5926.03b0); had the offending address still been present, the next recovery attempt would have error-disabled the port again.

SW1#show port-security interface fastethernet0/4
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0017.5926.03b0:34
Security Violation Count   : 0

Configure CPU Protection Mechanisms

Task 6.21
Configure R3 to delete all packets that contain IP options.

IP options can be globally dropped with the ip options drop command. Packets carrying options are process switched and are a classic way to load a router's CPU, but note the warning: anything that legitimately relies on options, such as RSVP, will break.

R3(config)#ip options drop
% Warning: RSVP and other protocols that use IP Options packets may not function as expected.

Task 6.22
Configure R6 for logging. Disable logging to the console and monitor. Configure R6 to limit log generation and transmission to 100 messages per second except for log levels 4 (warnings) through 0 (emergencies).

Logging can be CPU intensive. Specific logging destinations can be turned off with the no form of the logging command. To limit the number of messages logged, use logging rate-limit; the except keyword exempts messages at the given severity and every more severe (numerically lower) level, so warnings and above are never rate limited.

R6(config)#logging on
R6(config)#no logging console
R6(config)#no logging monitor
R6(config)#logging rate-limit 100 except 4

Verify the logging configuration with show logging.
R6#show logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
No active filter modules.
    Trap logging: level informational, 41 message lines logged

Task 6.23
Configure R6 to limit log-induced process switching to one packet per 10 milliseconds.

Although we rate limited the number of log entries, each packet that matches a logging-enabled ACE (an entry with the log or log-input keyword) in an ACL is process switched so that the log message can be generated. This is CPU intensive and is itself a DoS vector: an attacker who can hit a logged ACE at line rate can drive the CPU up. This can be limited using ip access-list logging interval. The interval is set in milliseconds; packets matching a logging ACE inside the interval are still permitted or denied as normal, just without being process switched for logging.

R6(config)#ip access-list logging interval 10

Disable Unnecessary Services

Task 6.24
Secure R5 by disabling unnecessary global services.

These common global services should be disabled on a router if not used. Some are off by default (which ones depends on the IOS release), so several of these commands will not show up in the running configuration; they are still worth entering explicitly so the hardened state does not depend on the platform default.

R5(config)#no service finger
R5(config)#no service pad
R5(config)#no service udp-small-servers
R5(config)#no service tcp-small-servers
R5(config)#no cdp run
R5(config)#no ip bootp server
R5(config)#no ip http server
R5(config)#no ip finger
R5(config)#no ip source-route
R5(config)#no ip gratuitous-arps
R5(config)#no ip identd

Task 6.25
Secure R5 fa0/0 by disabling unnecessary interface services.

These common interface services should be disabled on a router if not used.
R5(config)#interface fastethernet0/0
R5(config-if)#no ip redirects
R5(config-if)#no ip proxy-arp
R5(config-if)#no ip unreachables
R5(config-if)#no ip directed-broadcast
R5(config-if)#no ip mask-reply

Task 6.26
Secure R1 by disabling unnecessary services using a single command.

This is done with the auto secure management command. AutoSecure disables common IP services that can be exploited by network attacks. We'll use the no-interact option to avoid prompting; in that mode it applies its defaults without asking, so review the changes it prints before saving. (Output cut.)

R1#auto secure management no-interact
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.

Securing Management plane services...

Control Device Access

Task 6.27
Configure R3 so that only devices in VLAN 5 can telnet to it.

This is done with a standard ACL matching the VLAN 5 subnet (24.234.5.0/24). The ACL is applied to the VTY lines with the access-class command; unlike an interface ACL, access-class filters only connections to the VTY lines themselves, not transit traffic.

R3(config)#access-list 1 permit 24.234.5.0 0.0.0.255
R3(config)#line vty 0 4
R3(config-line)#transport input telnet
R3(config-line)#access-class 1 in

Test telnetting from R5, which is in the allowed VLAN. The connection is allowed.
R5#telnet 24.234.34.3
Trying 24.234.34.3 ... Open

User Access Verification

Password:

Now telnet from R6, which is not in the allowed VLAN. The connection is refused.

R6#telnet 24.234.34.3
Trying 24.234.34.3 ...
% Connection refused by remote host

Task 6.28
Configure R5 so that only devices in VLAN 6 can SSH to it. Authenticate the connection using a local user named admin with a password cisco.

To enable SSH the router must first have a hostname, a domain name and generated RSA keys. Then we'll create a local user. Finally, SSH can be limited just like telnet: with an ACL. Login is set to local. Restricting transport input to ssh also removes telnet from the VTY lines, which is the point. The task calls for username ... password, which stores a reversible type 7 string; username ... secret would store a hash instead.

R5(config)#ip domain-name ccbootcamp.com
R5(config)#crypto key generate rsa
The name for the keys will be: R5.ccbootcamp.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R5(config)#
*Mar 13 21:06:57.746: %SSH-5-ENABLED: SSH 1.99 has been enabled
R5(config)#username admin password cisco
R5(config)#access-list 2 permit 24.234.6.0 0.0.0.255
R5(config)#line vty 0 4
R5(config-line)#transport input ssh
R5(config-line)#access-class 2 in
R5(config-line)#login local

"SSH 1.99" means the server accepts both SSH version 1 and version 2 clients; ip ssh version 2 would refuse version 1. Verify by connecting via SSH from R6 with a username of admin. The connection is allowed.

R6#ssh -l admin -c 3des 24.234.5.5

Password:
R5>exit

[Connection to 24.234.5.5 closed by foreign host]

Task 6.29
Configure R4 so that only the ACS Server can HTTP into it.
Depending on the IOS image, the HTTP server may already be enabled; ip http server is entered here so the ACL is tested against a running server. We'll create an access list that only allows host 192.168.2.101 and apply it to the HTTP server with ip http access-class.

R4(config)#access-list 1 permit host 192.168.2.101
R4(config)#ip http server
R4(config)#ip http access-class 1

Task 6.30
Configure ASA1 so that only SW2 can telnet to it. The telnet session should disconnect after 2 minutes of inactivity.

By default, no devices are allowed to telnet to the ASA. The telnet command identifies the networks and/or hosts that are allowed to telnet, and on which interface. The default telnet password for the ASA is cisco. Note that the ASA does not accept telnet on its lowest-security interface; here it is permitted only on inside.

ASA1(config)# telnet 192.168.0.10 255.255.255.255 inside
ASA1(config)# telnet timeout 2

Verify by telnetting from SW2; the connection will be allowed.

SW2#telnet 24.234.10.100
Trying 24.234.10.100 ... Open

User Access Verification

Password:
Type help or '?' for a list of available commands.
ASA1>

Now telnet from R1; the connection is not allowed. The ASA silently drops the attempt rather than refusing it, so the client sees a timeout.

R1#telnet 24.234.10.100
Trying 24.234.10.100 ...
% Connection timed out; remote host not responding

Task 6.31
Configure ASA1 so that only R1 can SSH to it. Authenticate the connection using a local user named admin with a password cisco.

By default, no devices are allowed to SSH to the ASA. The ssh command identifies the networks and/or hosts that are allowed to SSH, and on which interface. Like a router, in order for the ASA to be an SSH server, RSA keys have to be generated. AAA is used to set up authentication for SSH against the local user database; without the aaa authentication ssh console line, the ASA would expect the default username pix with the login password.

ASA1(config)# domain-name ccbootcamp.com
ASA1(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA1(config)# username admin password cisco
ASA1(config)# ssh 24.234.10.1 255.255.255.255 inside
ASA1(config)# aaa authentication ssh console LOCAL

Test by connecting from R1 via SSH with a username of admin. The connection is allowed.

R1#ssh -l admin -c 3des 24.234.10.100
Password:
Type help or '?' for a list of available commands.
ASA1>

Task 6.32
Configure SW1 so that when user admin telnets into the switch, they will have privilege 15 access.

This is done by setting the privilege level of the user.

SW1(config)#username admin privilege 15 password cisco
SW1(config)#line vty 0 4
SW1(config-line)#login local

Test by telneting from R5 to SW1. When you log in as admin you'll be able to show your privilege level.

R5#telnet 24.234.5.10
Trying 24.234.5.10 ... Open
User Access Verification
Username: admin
Password:
SW1#
SW1#show privilege
Current privilege level is 15

Configure SNMP, SYSLOG, AAA, NTP

Task 6.33
Configure SW1 to log to the Syslog Server on the ACS Server.

Since SW1 is on the outside of the ASA, a translation and an access-list entry must be made for the syslog traffic.

ASA1(config)#static (inside,outside) 192.168.2.101 192.168.2.101
ASA1(config)#access-list OUTSIDE permit udp host 24.234.4.10 host 192.168.2.101 eq 514

Then syslog can be configured with the logging host command.

SW1(config)#logging host 192.168.2.101

Task 6.34
Configure SW1 for SNMP with a community string of cisco for read-only and a community string of ccbootcamp for read-write. Send config traps to the SNMP Manager at 192.168.2.101 with a string of cisco.

This is done with the snmp-server commands. Community strings are set up with the community option, traps are enabled with the enable traps option, and the trap receiver is set up with the host option.

SW1(config)#snmp-server community cisco ro
SW1(config)#snmp-server community ccbootcamp rw
SW1(config)#snmp-server enable traps config
SW1(config)#snmp-server host 192.168.2.101 traps cisco config

We can verify that traps are being sent by turning on SNMP debugging and then entering configuration commands.

SW1#debug snmp packets
SNMP packet debugging is on
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#exit
SW1#
*Mar 1 00:19:06.974: SNMP: Queuing packet to 192.168.2.101
*Mar 1 00:19:06.974: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 24.234.4.10, gentrap 6, spectrap 1
 ccmHistoryEventEntry.3.10 = 1
 ccmHistoryEventEntry.4.10 = 2
 ccmHistoryEventEntry.5.10 = 3
*Mar 1 00:19:07.225: SNMP: Packet sent via UDP to 192.168.2.101
SW1#
*Mar 1 00:19:08.106: %SYS-5-CONFIG_I: Configured from console by console

Task 6.35
Set the clock and time zone on R1. Configure R1 as an NTP master. Configure R4 to get its time from R1 using authenticated NTP.

Since R4 resides on the outside of the ASA, a translation and an access-list entry are needed to allow NTP traffic.
ASA1(config)# static (inside,outside) 24.234.10.1 24.234.10.1 netmask 255.255.255.255
ASA1(config)# access-list OUTSIDE permit udp host 24.234.34.4 host 24.234.10.1 eq 123

R1's clock is set with the clock set command. NTP is configured with the ntp commands.

R1#clock set 9:00:00 22 JAN 2009
R1#conf t
R1(config)#clock timezone PST -8
R1(config)#ntp master 8
R1(config)#ntp authentication-key 1 md5 cisco
R1(config)#ntp authenticate
R1(config)#ntp trusted-key 1

NTP is set up on R4 as well. The difference in the configurations is that R4 is not set as a master; instead it uses the ntp server command to get its time.

R4(config)#clock timezone PST -8
R4(config)#ntp authentication-key 1 md5 cisco
R4(config)#ntp authenticate
R4(config)#ntp trusted-key 1
R4(config)#ntp server 24.234.10.1

Verify with show ntp status. Notice that the reference is R1's IP address.

R4#show ntp status
Clock is synchronized, stratum 9, reference is 24.234.10.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CD2326ED.1E74C01D (09:10:05.118 PST Thu Jan 22 2009)
clock offset is 412.0026 msec, root delay is 1.92 msec
root dispersion is 615.78 msec, peer dispersion is 203.75 msec

Show ntp associations detail gives more detail about the NTP server, R1.
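The hex fields in show ntp status and in the show ntp associations detail output that follows are raw 64-bit NTP timestamps. As an added example that is not part of the workbook, this Python decodes them the way IOS renders them (using the PST -8 offset configured above) and reproduces the round-trip delay and clock offset from the org/rcv/xmt fields; because IOS does not display R1's receive time, the offset estimate assumes it equals R1's transmit time.

```python
from datetime import datetime, timedelta, timezone

# NTP counts seconds from 1900-01-01; "clock timezone PST -8" makes the routers render in UTC-8.
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
PST = timezone(timedelta(hours=-8), "PST")


def parse_ntp_timestamp(field: str) -> int:
    """Turn the IOS 'SSSSSSSS.FFFFFFFF' hex field into the raw 64-bit NTP timestamp:
    upper 32 bits are whole seconds since 1900, lower 32 bits a binary fraction of a second."""
    seconds_hex, fraction_hex = field.split(".")
    return (int(seconds_hex, 16) << 32) | int(fraction_hex, 16)


def ntp_to_datetime(ts: int, tz=PST) -> datetime:
    """Convert a raw 64-bit NTP timestamp to an aware datetime in the router's time zone."""
    seconds, fraction = ts >> 32, ts & 0xFFFFFFFF
    micros = round(fraction * 1_000_000 / 2**32)
    return (NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)).astimezone(tz)


def render_like_ios(field: str) -> str:
    """Format a timestamp as IOS does, e.g. '09:10:05.118 PST Thu Jan 22 2009'."""
    dt = ntp_to_datetime(parse_ntp_timestamp(field))
    return f"{dt:%H:%M:%S}.{dt.microsecond // 1000:03d} {dt:%Z %a %b %d %Y}"


def round_trip_ms(xmt: str, rcv: str) -> float:
    """T4 - T1: time between R4 sending its request (xmt) and receiving R1's reply (rcv)."""
    return (parse_ntp_timestamp(rcv) - parse_ntp_timestamp(xmt)) / 2**32 * 1000


def offset_estimate_ms(org: str, rcv: str, xmt: str) -> float:
    """Client clock offset per RFC 1305: ((T2 - T1) + (T3 - T4)) / 2.
    IOS shows T1 = xmt (R4 sent), T3 = org (R1 sent) and T4 = rcv (R4 received), but not
    T2 (R1 received). ASSUMPTION: T2 == T3, i.e. negligible processing time on R1."""
    t1, t3, t4 = (parse_ntp_timestamp(f) for f in (xmt, org, rcv))
    return (2 * t3 - t1 - t4) / 2 / 2**32 * 1000


if __name__ == "__main__":
    # Values copied from the R4 outputs in Task 6.35.
    print("reference time:", render_like_ios("CD2326ED.1E74C01D"))
    org, rcv, xmt = "CD23272D.884979E0", "CD23272D.1E72CDAC", "CD23272D.1DF4FA20"
    print(f"round trip  : {round_trip_ms(xmt, rcv):.2f} ms   (IOS reports delay 1.89 msec)")
    print(f"offset est. : {offset_estimate_ms(org, rcv, xmt):.2f} ms  (IOS reports offset 414.3799 msec)")
```

A reply whose offset is large relative to the round trip, as here (hundreds of milliseconds against under 2 ms), is the signature of a genuinely mis-set client clock rather than network jitter, which is what you expect right after the clock set on R1.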
R4#show ntp associations detail
24.234.10.1 configured, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time CD232728.5B248A87 (09:11:04.356 PST Thu Jan 22 2009)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 103.592
delay 1.89 msec, offset 414.3799 msec, dispersion 102.62
precision 2**24, version 3
org time CD23272D.884979E0 (09:11:09.532 PST Thu Jan 22 2009)
rcv time CD23272D.1E72CDAC (09:11:09.118 PST Thu Jan 22 2009)
xmt time CD23272D.1DF4FA20 (09:11:09.117 PST Thu Jan 22 2009)
filtdelay =   1.89    1.92    1.86    1.83    1.83    1.86    1.85    1.85
filtoffset = 414.38  412.00  409.67    0.46    0.42    0.40    0.36    0.33
filterror =   0.02    0.99    1.97    2.94    2.96    2.98    2.99    3.01

Chapter 7 ~ Advanced Security
[Lab topology diagram: R1 through R6, BB1 and BB2 are each connected to both SW1 and SW2; ASA01 and ASA02 connect to SW1 and SW2; the IDS sensor uses Gi0/0 for sensing and Gi0/1 for command and control; SW1 through SW4 interconnect over Fas0/19 and Fas0/20; R7 and R8 (2811s) connect to SW3 and SW4; the ACS PC is on SW1 Fa0/24 at 192.168.2.101 and the XP Test PC is on SW2 Fa0/16 at 192.168.2.102.]
Configure Packet Marking Techniques

Task 7.1
Configure R3 to modify the DSCP value of telnet traffic from VLAN 35 to a value of af43. The traffic should be modified before transmitting out interfaces FastEthernet0/0 and Serial0/0/0.

Task 7.2
Configure R4 to modify the IP Precedence field for packets arriving from VLAN 46 to an IP Precedence of immediate (2).

Implement Security RFCs

Task 7.3
Configure R4 to deny RFC1918, RFC2827/3704, and RFC3330 addresses on its FastEthernet0/0 interface.

Configure Black Hole and Sink Hole Solutions

Task 7.4
Configure R3 so that traffic sourced from VLAN 35 and destined to R2's Loopback0 will take 24.234.234.2 as the next hop instead of SW1 (24.234.3.10).

Task 7.5
Configure R1 FastEthernet0/0 to send IP traffic destined for R6's L0 to interface null0.

Configure Remote Triggered Black Hole Filtering

Task 7.6
R2, R3, and R4 are configured in BGP AS 234.
R2 is peering with R3 and R4, and is acting as a Route-Reflector Server. R2 is configured with Loopback 22 (22.22.22.2), and R2 is redistributing its connected networks into BGP. R5 and R6 have static routes for 22.22.22.0/24 to R3 and R4 respectively. Configure Remote Triggered Black Hole (RTBH) filtering so that routers R3 and R4 black hole any packets destined for the 22.22.22.0 network.

Configure Traffic Filtering using Access-Lists

Task 7.7
Configure R3 to deny inbound telnet and ICMP ECHOs on FastEthernet0/1 from VLAN 35.

Task 7.8
Configure R4 to deny all inbound packets with the IP option of timestamp on interface FastEthernet0/0.

Configure IOS NAT

Task 7.9
Configure NAT on R4 so that any 24.234.0.0/16 address will use an external pool as the source IP address when connecting to any R6 network. The external NAT pool will be 46.46.46.100 through 46.46.46.200.

Task 7.10
Configure R4 so that incoming connections from R6 to 46.46.46.2 will be translated to the destination address of loopback0 on R2.

Configure TCP Intercept

Task 7.11
Configure R1 to protect the ACS Server (192.168.2.101) from SYN-flooding attacks. Use TCP Intercept.

Task 7.12
Configure R1 to wait 20 seconds for TCP sessions to establish. If TCP connections are not established within 20 seconds, then R1 should send a reset.

Task 7.13
Configure R1 to drop TCP connections 3 seconds after receiving a reset or FIN exchange.

Task 7.14
Configure R1 to manage TCP connections for up to one hour with no activity.

Task 7.15
Configure R1 to start dropping incomplete TCP connections when the number exceeds 1000. Stop aggressive behavior when incomplete TCP connections drop below 700. Configure R1 to start aggressive behavior when the number of incomplete TCP connections reaches 400 within a minute. Stop aggressive behavior when the number of incomplete TCP connections reaches 200 within a minute.

Task 7.16
Configure R1 so that when connections are dropped they are chosen randomly instead of oldest first.

Configure uRPF

Task 7.17
Configure R3 interface FastEthernet0/1 to ensure that packets are reachable via the interface they come in on. Any denied packets should be logged.

Task 7.18
Configure uRPF on ASA1 for all traffic.

Configure CAR

Task 7.19
Configure R2 FastEthernet0/0 so that the inbound traffic is limited to the following: HTTP traffic is limited to 1Mbps with a normal burst of 16KB and an excess burst of 24KB. ICMP traffic is limited to 200Kbps with a normal burst of 8KB and an excess burst of 16KB. All remaining traffic is limited to 4Mbps with a normal burst of 16KB and an excess burst of 16KB.

Configure NBAR

Task 7.20
Configure R4 to discover application protocols on interface F0/0.

Task 7.21
Configure R3 FastEthernet0/1 to drop KaZaA, Morpheus, and Grokster P2P traffic coming from R6.

Configure NetFlow

Task 7.22
Configure R1 to capture traffic being received by interface FastEthernet0/1.

Task 7.23
Configure R1 to export this data to the ACS Server over UDP port 514.

Configure Policing

Task 7.24
Configure R4 to police SMTP traffic to 400000Kbps with a burst of 8k bytes and an excess burst of 16k bytes inbound on interface FastEthernet0/0. SMTP traffic that conforms is transmitted, and SMTP traffic that does not conform is dropped.

Capture and Utilize Packet Captures

Task 7.25
On ASA1 capture ICMP traffic from R1 to R2. The buffer should start overwriting the beginning when full.

Configure Transit Traffic Control and Congestion Management

Task 7.26
Configure R2 to guarantee 33% of the bandwidth for voice traffic with the DSCP value of ef. Next, police ICMP traffic to 8000 bps with a burst of 1000 bytes and an excess burst of 1000 bytes. All other traffic uses the queuing method of fair-queue.

Advanced Security Solutions

Configure Packet Marking Techniques

Task 7.1
Configure R3 to modify the DSCP value of telnet traffic from VLAN 35 to a value of af43. The traffic should be modified before transmitting out interfaces FastEthernet0/0 and Serial0/0/0.

This is done with MQC.
MQC is the Modular Quality of Service Command Line Interface. An access-list with permit statements identifies the traffic that we want subjected to the marking. This ACL is referenced in a class map, an action (set dscp) is applied in a policy map, and finally the policy is applied to an interface with service-policy.

R3(config)#ip access-list extended VLAN35
R3(config-ext-nacl)#permit tcp 35.35.35.0 0.0.0.255 any eq telnet
R3(config-ext-nacl)#exit
R3(config)#class-map match-any VLAN35_CMAP
R3(config-cmap)#match access-group name VLAN35
R3(config-cmap)#exit
R3(config)#policy-map VLAN35_PMAP
R3(config-pmap)#class VLAN35_CMAP
R3(config-pmap-c)#set dscp af43
R3(config-pmap-c)#exit
R3(config-pmap)#exit
R3(config)#interface fastethernet0/1
R3(config-if)#service-policy input VLAN35_PMAP

show policy-map interface will allow us to verify. Currently, the policy-map has not marked any telnet traffic.

R3#show policy-map interface fastethernet0/1
 FastEthernet0/1
  Service-policy input: VLAN35_PMAP
    Class-map: VLAN35_CMAP (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name VLAN35
        0 packets, 0 bytes
        5 minute rate 0 bps
      QoS Set
        dscp af43
          Packets marked 0
    Class-map: class-default (match-any)
      23 packets, 1690 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Now we'll telnet from R5 to R2.

R5#telnet 24.234.234.2
Trying 24.234.234.2 ... Open
User Access Verification
Password: cisco
R2#exit
[Connection to 24.234.234.2 closed by foreign host]

Issue the show policy-map command again. Notice that packets have now been marked.
R3#show policy-map interface fastethernet0/1
 FastEthernet0/1
  Service-policy input: VLAN35_PMAP
    Class-map: VLAN35_CMAP (match-any)
      23 packets, 1389 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name VLAN35
        23 packets, 1389 bytes
        5 minute rate 0 bps
      QoS Set
        dscp af43
          Packets marked 23
    Class-map: class-default (match-any)
      44 packets, 3210 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Task 7.2
Configure R4 to modify the IP Precedence field for packets arriving from VLAN 46 to an IP Precedence of immediate (2).

This time we'll be using a route map to provide the marking of packets. Once again an ACL with a permit statement is used to identify the traffic. This ACL is referenced in the route-map, and the set command within the route map is used to set the IP precedence.

R4(config)#ip access-list extended VLAN46
R4(config-ext-nacl)#permit ip 46.46.46.0 0.0.0.255 any
R4(config-ext-nacl)#exit
R4(config)#route-map VLAN46_RMAP
R4(config-route-map)#match ip address VLAN46
R4(config-route-map)#set ip precedence immediate
R4(config-route-map)#exit
R4(config)#interface fastethernet0/0
R4(config-if)#ip policy route-map VLAN46_RMAP

Verify with show route-map. No packets have matched yet.

R4#show route-map VLAN46_RMAP
route-map VLAN46_RMAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): VLAN46
  Set clauses:
    ip precedence immediate
  Policy routing matches: 0 packets, 0 bytes

Now generate traffic that will match the ACL.

R6#ping 24.234.234.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.234.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

Issue the show route-map command again and you'll see that packets have matched.

R4#show route-map
route-map VLAN46_RMAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): VLAN46
  Set clauses:
    ip precedence immediate
  Policy routing matches: 5 packets, 570 bytes

Implement Security RFCs

Task 7.3
Configure R4 to deny RFC1918, RFC2827/3704, and RFC3330 addresses on its FastEthernet0/0 interface.

All of these RFCs refer to address space allocated for private, internal, or special use. Such addresses should never be seen arriving from a public network (the Internet), so we will block them with an ACL. The RFC 2827/3704 entry is the ingress-filtering rule: a packet arriving from outside with a source address in our own 24.234.0.0/16 space is spoofed and is dropped as well.

R4(config)#ip access-list extended RFCs
R4(config-ext-nacl)#remark RFC 1918
R4(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
R4(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any
R4(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any
R4(config-ext-nacl)#remark RFC2827/RFC3704
R4(config-ext-nacl)#deny ip 24.234.0.0 0.0.255.255 any
R4(config-ext-nacl)#remark RFC 3330
R4(config-ext-nacl)#deny ip host 0.0.0.0 any
R4(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any
R4(config-ext-nacl)#deny ip 169.254.0.0 0.0.255.255 any
R4(config-ext-nacl)#deny ip 224.0.0.0 15.255.255.255 any
R4(config-ext-nacl)#permit ip any any
R4(config-ext-nacl)#interface fastethernet0/0
R4(config-if)#ip access-group RFCs in

Configure Black Hole and Sink Hole Solutions

Task 7.4
Configure R3 so that traffic sourced from VLAN 35 and destined to R2's Loopback0 will take 24.234.234.2 as the next hop instead of SW1 (24.234.3.10).
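Before moving on to the sinkhole task, here is a way to sanity-check a bogon and anti-spoofing list such as the RFCs ACL from Task 7.3 without touching the router. This Python is an added example, not from the workbook: it evaluates source addresses against the same entries with IOS wildcard-mask semantics and first-match order, converts wildcards to CIDR for review, and also checks the vty access-list 2 from Task 6.28. The sample source addresses are constructed.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: bits that are 0 in the wildcard must match, bits that are 1 are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(ip) & care) == (_to_int(network) & care)


def wildcard_to_cidr(network: str, wildcard: str) -> str:
    """Render an IOS network/wildcard pair as CIDR (contiguous wildcards such as 0.15.255.255 only)."""
    wc = _to_int(wildcard)
    if wc & (wc + 1):  # not of the form 0...01...1, so it has no prefix-length equivalent
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefixlen = 32 - wc.bit_length()
    return str(ipaddress.IPv4Network(f"{network}/{prefixlen}", strict=False))


# The "RFCs" ACL that Task 7.3 applies inbound on R4 FastEthernet0/0, transcribed from the workbook.
# Entries are (action, source network, wildcard), evaluated top to bottom.
RFCS_ACL = [
    ("deny",   "10.0.0.0",    "0.255.255.255"),    # RFC 1918
    ("deny",   "172.16.0.0",  "0.15.255.255"),     # RFC 1918
    ("deny",   "192.168.0.0", "0.0.255.255"),      # RFC 1918
    ("deny",   "24.234.0.0",  "0.0.255.255"),      # RFC 2827/3704: our own space must not arrive from outside
    ("deny",   "0.0.0.0",     "0.0.0.0"),          # RFC 3330: "host 0.0.0.0"
    ("deny",   "127.0.0.0",   "0.255.255.255"),    # RFC 3330: loopback
    ("deny",   "169.254.0.0", "0.0.255.255"),      # RFC 3330: link-local
    ("deny",   "224.0.0.0",   "15.255.255.255"),   # RFC 3330: multicast
    ("permit", "0.0.0.0",     "255.255.255.255"),  # permit ip any any
]

# access-list 2 from Task 6.28, applied with access-class on R5's vty lines: only VLAN 6 may SSH in.
VTY_ACL = [("permit", "24.234.6.0", "0.0.0.255")]


def evaluate(acl, src_ip: str) -> str:
    """First matching entry wins; a list with no match ends in the IOS implicit 'deny ip any any'."""
    for action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action
    return "deny"


def audit(acl, sources):
    """Map each source address to its verdict, for a quick review of what an ACL actually does."""
    return {ip: evaluate(acl, ip) for ip in sources}


if __name__ == "__main__":
    for action, network, wildcard in RFCS_ACL:
        print(f"{action:<6} {wildcard_to_cidr(network, wildcard)}")
    # Constructed sample sources (not from the workbook), one per address class the ACL covers.
    samples = ["10.1.2.3", "172.31.9.9", "172.32.0.1", "24.234.5.5",
               "169.254.1.1", "239.255.255.250", "8.8.8.8"]
    for ip, verdict in audit(RFCS_ACL, samples).items():
        print(f"{ip:>16}  {verdict}")
    print("vty from 24.234.6.6 ->", evaluate(VTY_ACL, "24.234.6.6"))
```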
Sinkhole routing involves diverting specific traffic so that it can be segregated, analyzed, and so on. In order to set a next hop different from the one in the routing table, a route map is used: traffic that matches a particular access-list has a new next hop set.

Currently, R3 shows the next hop for 2.2.2.2 to be SW1, and a traceroute from R5 to 2.2.2.2 verifies this.

R3#show ip route 2.2.2.2
Routing entry for 2.0.0.0/8
  Known via "eigrp 1", distance 90, metric 156416, type internal
  Redistributing via eigrp 1
  Last update from 24.234.3.10 on FastEthernet0/0, 00:13:09 ago
  Routing Descriptor Blocks:
  * 24.234.3.10, from 24.234.3.10, 00:13:09 ago, via FastEthernet0/0
      Route metric is 156416, traffic share count is 1
      Total delay is 5110 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2

R5#traceroute 2.2.2.2
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 35.35.35.3 0 msec 0 msec 4 msec
  2 24.234.3.10 0 msec 0 msec 4 msec
  3 24.234.2.2 0 msec * 0 msec

Now we'll configure and apply our route map. The match statement must reference the ACL by the exact name it was created with.

R3(config)#ip access-list extended R2_L0
R3(config-ext-nacl)#permit ip any host 2.2.2.2
R3(config-ext-nacl)#exit
R3(config)#route-map R2_L0_RMAP
R3(config-route-map)#match ip address R2_L0
R3(config-route-map)#set ip next-hop 24.234.234.2
R3(config-route-map)#exit
R3(config)#interface fastethernet0/1
R3(config-if)#ip policy route-map R2_L0_RMAP

We can verify it is working by running the traceroute again. This time it goes to 24.234.234.2.

R5#traceroute 2.2.2.2
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 35.35.35.3 0 msec 4 msec 0 msec
  2 24.234.234.2 12 msec * 12 msec

Task 7.5
Configure R1 FastEthernet0/0 to send IP traffic destined for R6's L0 to interface null0.

This is known as black hole routing. A route map is used to set the next hop of matched traffic to null0, which drops the packets. Currently, SW2 can ping R6's L0 (6.6.6.6).

SW2#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/58/59 ms

Now we'll configure our route-map.

R1(config)#ip access-list extended R6_L0
R1(config-ext-nacl)#permit ip any host 6.6.6.6
R1(config-ext-nacl)#exit
R1(config)#route-map R6_L0_RMAP
R1(config-route-map)#match ip address R6_L0
R1(config-route-map)#set interface null 0
R1(config-route-map)#exit
R1(config)#interface fastethernet0/0
R1(config-if)#ip policy route-map R6_L0_RMAP

Now we'll ping again to verify that the black hole routing is working properly.

SW2#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The pings are being dropped. A show route-map verifies that 5 packets were matched.

R1#show route-map R6_L0_RMAP
route-map R6_L0_RMAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): R6_L0
  Set clauses:
    interface Null0
  Policy routing matches: 5 packets, 570 bytes

Configure Remote Triggered Black Hole Filtering

Task 7.6
R2, R3, and R4 are configured in BGP AS 234. R2 is peering with R3 and R4, and is acting as a Route-Reflector Server.
R2 is configured with Loopback 22 (22.22.22.2), and R2 is redistributing its connected networks into BGP. R5 and R6 have static routes for 22.22.22.0/24 to R3 and R4 respectively. Configure Remote Triggered Black Hole (RTBH) filtering so that routers R3 and R4 black hole any packets destined for the 22.22.22.0 network.

RTBH provides the capability to drop packets at the edge of your network by changing the configuration of a single router. R3 and R4 are learning about the R2 connected networks via BGP.

R3#show ip bgp
BGP table version is 19, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i2.2.2.0/24       24.234.234.2             0    100      0 ?
*>i22.22.22.0/24    24.234.234.2             0    100      0 ?
r>i24.234.2.0/24    24.234.234.2             0    100      0 ?
r>i24.234.234.0/24  24.234.234.2             0    100      0 ?

R4#show ip bgp
BGP table version is 19, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i2.2.2.0/24       24.234.234.2             0    100      0 ?
*>i22.22.22.0/24    24.234.234.2             0    100      0 ?
r>i24.234.2.0/24    24.234.234.2             0    100      0 ?
r>i24.234.234.0/24  24.234.234.2             0    100      0 ?

R5 and R6 have connectivity to the 22.22.22.0 network.

R5#ping 22.22.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms

R6#ping 22.22.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

First, the BGP routers must have a black hole to route the bad traffic to. We'll configure an address that is statically routed to null0 on each of them.

R2#conf t
R2(config)#ip route 192.0.5.1 255.255.255.255 null0
R2(config)#end
R3#conf t
R3(config)#ip route 192.0.5.1 255.255.255.255 null0
R3(config)#end
R4#conf t
R4(config)#ip route 192.0.5.1 255.255.255.255 null0
R4(config)#end

Now we'll configure the BGP trigger router (R2) so that traffic destined for the 22.22.22.0 network will be routed to our black hole address of 192.0.5.1. The higher local preference makes the black-holed path the preferred one, and the empty permit 20 sequence passes all other prefixes unchanged.

R2(config)#access-list 1 permit 22.22.22.0 0.0.0.255
R2(config)#route-map RTBH permit 10
R2(config-route-map)#match ip address 1
R2(config-route-map)#set ip next-hop 192.0.5.1
R2(config-route-map)#set local-preference 200
R2(config-route-map)#route-map RTBH permit 20
R2(config-route-map)#router bgp 234
R2(config-router)#neighbor 24.234.234.3 route-map RTBH out
R2(config-router)#neighbor 24.234.234.4 route-map RTBH out

After issuing a clear ip bgp *, we see that R3 and R4 have updated their BGP tables to reflect the next hop for 22.22.22.0 as 192.0.5.1.

R3#clear ip bgp *
R3#show ip bgp
BGP table version is 20, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i2.2.2.0/24       24.234.234.2             0    100      0 ?
*>i22.22.22.0/24    192.0.5.1                0    200      0 ?
r>i24.234.2.0/24    24.234.234.2             0    100      0 ?
r>i24.234.234.0/24  24.234.234.2             0    100      0 ?
R4#show ip bgp
BGP table version is 20, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i2.2.2.0/24       24.234.234.2             0    100      0 ?
*>i22.22.22.0/24    192.0.5.1                0    200      0 ?
r>i24.234.2.0/24    24.234.234.2             0    100      0 ?
r>i24.234.234.0/24  24.234.234.2             0    100      0 ?

R5 and R6 can no longer ping 22.22.22.2.

R5#ping 22.22.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R6#ping 22.22.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Configure Traffic Filtering using Access-Lists

Task 7.7
Configure R3 to deny inbound telnet and ICMP ECHOs on FastEthernet0/1 from VLAN 35.

Access-lists provide traffic filtering capabilities to allow or deny traffic entering or exiting a network. In this case the ACL is fairly simple. Note that Task 7.1 also created an ACL named VLAN35 on R3 with a permit entry for this same telnet traffic; if that list is still present, the deny entries below would be appended after it and never matched, so remove it or use a different name first.

R3(config)#ip access-list extended VLAN35
R3(config-ext-nacl)#deny tcp 35.35.35.0 0.0.0.255 any eq telnet
R3(config-ext-nacl)#deny icmp 35.35.35.0 0.0.0.255 any echo
R3(config-ext-nacl)#permit ip any any
R3(config-ext-nacl)#exit
R3(config)#interface fastethernet0/1
R3(config-if)#ip access-group VLAN35 in

Verify by attempting a telnet from R5 to 24.234.234.2.

R5#telnet 24.234.234.2
Trying 24.234.234.2 ...
% Destination unreachable; gateway or host down

When the telnet is sourced from loopback 0, it is allowed.

R5#telnet 24.234.234.2 /source-interface lo0
Trying 24.234.234.2 ...
Open
User Access Verification
Password:
R2#exit
[Connection to 24.234.234.2 closed by foreign host]

A ping from R5 fails due to the access-list.

R5#ping 24.234.234.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.234.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

But a ping from R5's loopback0 is successful.

R5#ping 24.234.234.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.234.2, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

Task 7.8
Configure R4 to deny all inbound packets with the IP option of timestamp on interface FastEthernet0/0.

ACLs can filter on IP options. In this example, we are denying packets that carry the IP timestamp option. Currently, R6 can traceroute to 2.2.2.2 with the timestamp option set.

R6#traceroute
Protocol [ip]:
Target IP address: 2.2.2.2
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 46.46.46.4 4 msec
    Received packet has options
    Total option bytes= 40, padded length=40
    Timestamp: Type 0.
 Overflows: 0 length 40, ptr 9
   Time=*16:01:07.611 UTC (836FF01B)
     >>Current pointer<<
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)

One of the nine timestamp slots has been filled and the option pointer has advanced from 5 to 9 (each timestamp is 4 bytes). Now we will configure an access-list to deny IP packets with the timestamp option, using the option keyword.

R4(config)#ip access-list extended IPOPTIONS
R4(config-ext-nacl)#deny ip any any option timestamp
R4(config-ext-nacl)#permit ip any any
R4(config-ext-nacl)#exit
R4(config)#interface fastethernet0/0
R4(config-if)#ip access-group IPOPTIONS in

Now the traceroute from R6 to 2.2.2.2 with the timestamp option is denied. The !A in the probe output is traceroute's marker for an ICMP administratively prohibited reply, sent here by R4 for each probe the ACL dropped; the * is a probe that received no reply within the timeout.

R6#traceroute
Protocol [ip]:
Target IP address: 2.2.2.2
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Type escape sequence to abort.
Tracing the route to 2.2.2.2

  1 46.46.46.4 !A
Received packet has options
 Total option bytes= 40, padded length=40
 Timestamp: Type 0.  Overflows: 0 length 40, ptr 9
   Time=*15:58:55.915 UTC (836DEDAB)
     >>Current pointer<<
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
  *
  !A
Received packet has options
 Total option bytes= 40, padded length=40
 Timestamp: Type 0.  Overflows: 0 length 40, ptr 9
   Time=*15:58:58.915 UTC (836DF963)
     >>Current pointer<<
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)
   Time= 00:00:00.000 UTC (00000000)

Issuing show ip access-lists verifies that the traceroute probes were dropped by the first entry:

R4#show ip access-lists
Extended IP access list IPOPTIONS
    10 deny ip any any option timestamp (3 matches)
    20 permit ip any any (27 matches)

Configure IOS NAT

Task 7.9
Configure NAT on R4 so that any 24.234.0.0/16 address will use an external pool as its source IP address when connecting to any R6 network. The external NAT pool will be 46.46.46.100 to 46.46.46.200.

First we create a NAT pool. Then we create an ACL to identify the traffic to be translated. We tie the ACL and the pool together with the ip nat inside source list command. Finally, interface s0/0/0 is marked as inside and fa0/0 as outside. Without the overload keyword this is dynamic one-to-one NAT: each inside host that matches the ACL takes an address of its own from the pool for as long as its translation entry lives, so the pool size (101 addresses here) bounds the number of inside hosts that can be translated at once.

R4(config)#ip nat pool NAT-POOL 46.46.46.100 46.46.46.200 prefix-length 24
R4(config)#ip access-list extended NET
R4(config-ext-nacl)#permit ip 24.234.0.0 0.0.255.255 any
R4(config-ext-nacl)#exit
R4(config)#ip nat inside source list NET pool NAT-POOL
R4(config)#interface serial0/0/0
R4(config-if)#ip nat inside
R4(config-if)#interface fastethernet0/0
R4(config-if)#ip nat outside

Verify by generating traffic that will be translated. A ping from R2 to R6 accomplishes this.

R2#ping 46.46.46.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 46.46.46.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/58/60 ms

Now do a show ip nat translations on R4 to see the translation. The first line is the ICMP flow itself; the second is the address-only entry the dynamic pool allocated to R2 (24.234.234.2 received 46.46.46.100, the first address in the pool).

R4#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 46.46.46.100:0    24.234.234.2:0     46.46.46.6:0       46.46.46.6:0
--- 46.46.46.100       24.234.234.2       ---                ---

Task 7.10
Configure R4 so that incoming connections from R6 to 46.46.46.2 will be translated to the destination address of loopback0 on R2.

In this example we are hiding the 2.2.2.2 address behind the public address 46.46.46.2. When R6 telnets to 46.46.46.2, the packets are delivered to 2.2.2.2. A static inside source translation is bidirectional: it also translates traffic that 2.2.2.2 itself originates towards the outside, so that traffic no longer draws an address from NAT-POOL.

R4(config)#ip nat inside source static 2.2.2.2 46.46.46.2

To verify, telnet from R6 to 46.46.46.2. Once logged in you'll be connected to R2.

R6#telnet 46.46.46.2
Trying 46.46.46.2 ... Open

User Access Verification

Password:
R2#

Issue show ip nat translations on R4 to see the NAT table. Note the extra entry for 24.234.234.3: another inside host has since matched the NET access-list and consumed the next pool address, 46.46.46.101.

R4#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 46.46.46.2:23      2.2.2.2:23         46.46.46.6:11223   46.46.46.6:11223
--- 46.46.46.2         2.2.2.2            ---                ---
--- 46.46.46.100       24.234.234.2       ---                ---
--- 46.46.46.101       24.234.234.3       ---                ---

Configure TCP Intercept

Task 7.11
Configure R1 to protect the ACS Server (192.168.2.101) from SYN-flooding attacks. Use TCP Intercept.

An access-list is used to provide granularity for the traffic that should be intercepted, in this case from any device to the ACS server. Then TCP Intercept is enabled with ip tcp intercept list.
R1(config)#ip access-list extended TCP_INTERCEPT
R1(config-ext-nacl)#permit ip any host 192.168.2.101
R1(config-ext-nacl)#exit
R1(config)#ip tcp intercept list TCP_INTERCEPT
command accepted, interfaces with mls configured might cause inconsistent behavior

Task 7.12
Configure R1 to wait 20 seconds for TCP sessions to establish. If TCP connections are not established within 20 seconds, then R1 should send a reset.

TCP Intercept can run in one of two modes: intercept or watch. In intercept mode (the default) the router completes the three-way handshake with the client on the server's behalf and only then opens the connection to the server, so the server never holds a half-open connection. In watch mode the router lets the SYN through, monitors the connection, and sends a reset to the server only if the connection is not established within the watch timeout (30 seconds by default).

R1(config)#ip tcp intercept mode watch
command accepted, interfaces with mls configured might cause inconsistent behavior
R1(config)#ip tcp intercept watch-timeout 20
command accepted, interfaces with mls configured might cause inconsistent behavior

Task 7.13
Configure R1 to drop TCP connections 3 seconds after receiving a reset or FIN exchange.

By default, TCP Intercept waits 5 seconds from receipt of a reset or FIN exchange before it ceases to manage the connection. We'll change this to 3 seconds.

R1(config)#ip tcp intercept finrst-timeout 3
command accepted, interfaces with mls configured might cause inconsistent behavior

Task 7.14
Configure R1 to manage TCP connections for up to one hour with no activity.

By default, TCP Intercept continues to manage an idle connection for 24 hours. We'll drop this down to one hour. The value is given in seconds.

R1(config)#ip tcp intercept connection-timeout 3600
command accepted, interfaces with mls configured might cause inconsistent behavior

Task 7.15
Configure R1 to start dropping incomplete TCP connections when their number exceeds 1000, and to stop that aggressive behavior when the number of incomplete connections drops below 700. Also configure R1 to start aggressive behavior when the number of incomplete connection attempts within a minute reaches 400, and to stop it when the number within a minute falls to 200.

TCP Intercept enters aggressive mode when either threshold is exceeded: the total number of incomplete connections (max-incomplete high) or the number of connection attempts in the last minute (one-minute high). It leaves aggressive mode when the corresponding count falls below the low value; the gap between high and low provides hysteresis so the router does not flap between modes. While in aggressive mode each new connection attempt causes one partial connection to be dropped (Task 7.16 sets how that one is chosen), and the retransmission and watch timeouts are halved. The defaults for all four values are 1100 (high) and 900 (low).

R1(config)#ip tcp intercept max-incomplete high 1000
command accepted, interfaces with mls configured might cause inconsistent behavior
R1(config)#ip tcp intercept max-incomplete low 700
command accepted, interfaces with mls configured might cause inconsistent behavior
R1(config)#ip tcp intercept one-minute high 400
command accepted, interfaces with mls configured might cause inconsistent behavior
R1(config)#ip tcp intercept one-minute low 200
command accepted, interfaces with mls configured might cause inconsistent behavior

Task 7.16
Configure R1 so that when connections are dropped they are chosen randomly instead of oldest first.

TCP Intercept can drop partial connections one of two ways: oldest or random. The default is to drop the oldest; we'll change that.

R1(config)#ip tcp intercept drop-mode random
command accepted, interfaces with mls configured might cause inconsistent behavior

Configure uRPF

Task 7.17
Configure R3 interface FastEthernet0/1 to ensure that the source of each packet is reachable via the interface it arrives on. Any denied packets should be logged.

Unicast Reverse Path Forwarding (uRPF) mitigates source IP address spoofing by checking that the best route back to a packet's source address points out the interface the packet came in on (reachable-via rx, strict mode; reachable-via any is loose mode and only requires that some route to the source exist). It is applied per interface and requires CEF to be enabled. Logging is added by specifying an access-list at the end of the command: packets that fail the uRPF check are then evaluated against that ACL and are forwarded if the ACL permits them or dropped if it denies them. A deny any entry with the log (or log-input) keyword therefore both drops the failed packets and logs them.

R3(config)#access-list 1 deny any log
R3(config)#interface fastethernet0/1
R3(config-if)#ip verify unicast source reachable-via rx 1

Task 7.18
Configure uRPF on ASA1 for all traffic.

Just like an IOS router, the ASA configures Unicast Reverse Path Forwarding on a per-interface basis, so it is enabled on both interfaces.

ASA1(config)# ip verify reverse-path interface inside
ASA1(config)# ip verify reverse-path interface outside

Configure CAR

Task 7.19
Configure R2 FastEthernet0/0 so that inbound traffic is limited as follows: HTTP traffic is limited to 1 Mbps with a normal burst of 16 KB and an excess burst of 24 KB. ICMP traffic is limited to 200 Kbps with a normal burst of 8 KB and an excess burst of 16 KB. All remaining traffic is limited to 4 Mbps with a normal burst of 16 KB and an excess burst of 16 KB.

This is configured with the rate-limit command in interface configuration mode. An ACL is used to identify the traffic to be rate limited. The rate is given in bits per second; the normal and excess burst values are sizes in bytes (the depth of the token bucket), not rates.
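The interaction between the rate and the two burst sizes is easier to see in a model than in the counters. The Python below is an added example and not workbook code: it implements the two-bucket, single-rate policer (RFC 2697 style) that the MQC police command used in Tasks 7.24 and 7.26 is built on. CAR's rate-limit uses a different, compounded-debt extended-burst algorithm that is not modelled here. The class and function names (SingleRatePolicer, replay, task_7_26_counts) are this example's own; the frame sizes replayed through it are derived from the Task 7.26 show policy-map counters (104-byte echoes, 1504-byte and 524-byte fragments), and the arrival times are assumed.

```python
"""Two-bucket single-rate policer, the model behind MQC 'police <cir> <bc> <be>'.

Added example, not workbook code. Frame sizes are derived from the Task 7.26
counters (520 B / 5 = 104 B per echo, 7520 B / 5 = 1504 B per dropped fragment,
2620 B / 5 = 524 B per second fragment); the arrival times are assumed.
"""


class SingleRatePolicer:
    """cir in bits/s; bc and be are bucket sizes in bytes, not rates."""

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir_bps, self.bc, self.be = cir_bps, bc_bytes, be_bytes
        self.tc, self.te = float(bc_bytes), float(be_bytes)  # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        # Tokens accrue in bytes at cir/8 per second. Tokens that overflow the
        # conform bucket spill into the exceed bucket (RFC 2697 srTCM behaviour).
        self.tc += self.cir_bps * (now - self.last) / 8.0
        self.last = now
        if self.tc > self.bc:
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = float(self.bc)

    def police(self, size_bytes, now):
        """Classify one packet of size_bytes arriving at time now (seconds)."""
        self._refill(now)
        if size_bytes <= self.tc:       # fits the committed burst
            self.tc -= size_bytes
            return "conform"
        if size_bytes <= self.te:       # fits the excess burst
            self.te -= size_bytes
            return "exceed"
        return "violate"                # larger than either bucket can hold


def replay(policer, packets):
    """packets: iterable of (time_s, size_bytes). Returns {action: (packets, bytes)}."""
    totals = {"conform": [0, 0], "exceed": [0, 0], "violate": [0, 0]}
    for t, size in packets:
        action = policer.police(size, t)
        totals[action][0] += 1
        totals[action][1] += size
    return {k: tuple(v) for k, v in totals.items()}


# Constructed replay of Task 7.26: five 104-byte echoes about 60 ms apart, then five
# 2000-byte echoes two seconds apart, each arriving as a 1504-byte and a 524-byte frame.
TASK_7_26_PACKETS = [(0.06 * i, 104) for i in range(5)] + [
    (10.0 + 2.0 * i + offset, size)
    for i in range(5)
    for offset, size in ((0.0, 1504), (0.001, 524))
]


def task_7_26_counts():
    """Replays the constructed traffic through 'police 8000 1000 1000'."""
    return replay(SingleRatePolicer(cir_bps=8000, bc_bytes=1000, be_bytes=1000),
                  TASK_7_26_PACKETS)


if __name__ == "__main__":
    for action, (pkts, octets) in task_7_26_counts().items():
        print(f"{action:8s} {pkts:3d} packets {octets:6d} bytes")
```

Run stand-alone, the three counters reproduce the workbook's second show policy-map output for Task 7.26: conformed 10 packets and 3140 bytes, exceeded 0, violated 5 packets and 7520 bytes. The point to take away is that a frame larger than both bucket sizes is violated on arrival no matter how long the link has been idle, which is why 2000-byte pings fail at an offered rate nowhere near 8000 bps, and why the exceeded counter stays at zero: a packet that does not fit 1000 bytes of committed burst does not fit 1000 bytes of excess burst either.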
R2(config)#access-list 101 permit tcp any any eq www
R2(config)#access-list 102 permit icmp any any
R2(config)#access-list 103 permit ip any any
R2(config)#interface fastethernet0/1
R2(config-if)#rate-limit input access-group 101 1000000 16000 24000 conform-action transmit exceed-action drop
R2(config-if)#rate-limit input access-group 102 200000 8000 16000 conform-action transmit exceed-action drop
R2(config-if)#rate-limit input access-group 103 4000000 16000 16000 conform-action transmit exceed-action drop

Note that the task names FastEthernet0/0 while the solution applies the rate limits to FastEthernet0/1; apply them on whichever interface the inbound traffic actually enters in your lab. Rate-limit statements are evaluated in order and a packet is handled by the first one it matches (unless that statement's action is continue), so the access-group 103 catch-all must come last; HTTP and ICMP are consumed by the first two statements and never reach it.

Configure NBAR

Task 7.20
Configure R4 to discover application protocols on interface F0/0.

This is done using NBAR with the protocol-discovery keyword.

R4(config)#interface fastethernet0/0
R4(config-if)#ip nbar protocol-discovery

With this configuration in place, generate some traffic through the router.

R6#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms

Now issue the show ip nbar protocol-discovery protocol icmp command. It shows, per direction, the number and size of packets NBAR classified as that protocol, along with the 5-minute bit rates; the Total row covers all protocols seen on the interface, not only ICMP.

R4#show ip nbar protocol-discovery protocol icmp

 FastEthernet0/0

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   icmp                     5                        5
                            570                      570
                            0                        0
                            0                        0
   unknown                  0                        0
                            0                        0
                            0                        0
                            0                        0
   Total                    47                       26
                            3678                     2124
                            0                        0
                            0                        0

Task 7.21
Configure R3 FastEthernet0/1 to drop KaZaA, Morpheus, and Grokster P2P traffic coming from R6.

After NBAR identifies traffic, MQC can be used to act on it, for example by dropping or policing it. The class map identifies the traffic, the policy map sets the action, and the policy map is applied to an interface with the service-policy command. KaZaA, Morpheus and Grokster are all clients of the FastTrack P2P network, which NBAR classifies as the single protocol fasttrack, so one match protocol statement covers all three.

R3(config)#class-map match-any P2P_CMAP
R3(config-cmap)#match protocol fasttrack
R3(config-cmap)#policy-map P2P_PMAP
R3(config-pmap)#class P2P_CMAP
R3(config-pmap-c)#drop
R3(config-pmap-c)#interface fastethernet0/1
R3(config-if)#service-policy input P2P_PMAP

Configure NetFlow

Task 7.22
Configure R1 to capture traffic being received by interface fastethernet0/1.

NetFlow can be configured on an interface with the ip flow command in one of two directions: ingress or egress. Ingress accounts for traffic received by the interface, egress for traffic transmitted by it. We're using ingress.

R1(config)#interface fastethernet0/1
R1(config-if)#ip flow ingress

Verify that NetFlow is working by generating traffic.

ASA1# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Now view the NetFlow cache with show ip cache flow.
R1#show ip cache flow
IP packet size distribution (14 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .642 .000 .357 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  2 active, 4094 inactive, 2 added
  40 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         24.234.10.100   Local         1.1.1.1         01 0000 0800     5
Fa0/1         24.234.10.100   Null          224.0.0.10      58 0000 0000     9

The per-protocol summary is empty because it only accumulates flows that have already expired. The two active flows listed under it are the five ICMP echoes from the ASA (protocol 01; for ICMP the DstP column carries the type and code, 0800 being echo request) and the EIGRP hellos to 224.0.0.10 (protocol 0x58, that is 88).

Task 7.23
Configure R1 to export this data to the ACS Server over UDP port 514.

NetFlow data can be exported to an external collector using the ip flow-export command. When specifying the IP address of the collector you must also specify the UDP port it listens on. In this example we point the export at the Kiwi Syslog Server running on the ACS and use UDP 514, the syslog port, only because Kiwi already listens there; it will show the datagrams arriving, although a syslog server does not decode NetFlow records. Since no version is specified, the router exports version 1 records, as the show ip flow export output below confirms. NetFlow export is plain, unauthenticated UDP, so in production the collector belongs on a management network that the exported data does not cross untrusted hops to reach.

R1(config)#ip flow-export destination 192.168.2.101 514 udp

Verify that traffic is being exported by generating traffic.

ASA1# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Then view what has been exported with show ip flow export.

R1#show ip flow export
Flow export v1 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Destination(1)  192.168.2.101 (514)
  Version 1 flow records
  1 flows exported in 1 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

Configure Policing

Task 7.24
Configure R4 to police SMTP traffic to 400000 bps with a burst of 8000 bytes and an excess burst of 16000 bytes inbound on interface FastEthernet0/0. SMTP traffic that conforms is transmitted, and SMTP traffic that does not conform is dropped.

An access-list is used to classify the traffic, and MQC is used to police it. The police command takes its rate in bits per second and its two burst values in bytes, so 400000 here is 400 kbps.

R4(config)#ip access-list extended SMTP
R4(config-ext-nacl)#permit tcp any any eq smtp
R4(config-ext-nacl)#exit
R4(config)#class-map match-any SMTP_CMAP
R4(config-cmap)#match access-group name SMTP
R4(config-cmap)#policy-map SMTP_PMAP
R4(config-pmap)#class SMTP_CMAP
R4(config-pmap-c)#police 400000 8000 16000
R4(config-pmap-c-police)#conform-action transmit
R4(config-pmap-c-police)#exceed-action drop
R4(config-pmap-c-police)#interface fastethernet0/0
R4(config-if)#service-policy input SMTP_PMAP

Capture and Utilize Packet Captures

Task 7.25
On ASA1 capture ICMP traffic from R1 to R2. The buffer should start overwriting the beginning when full.
In order to capture packets on the ASA, the first step is to configure an access-list that selects the traffic you want to capture. The capture command then references that access-list; it is a selector for the capture only and is not applied to any interface as a filter. The circular-buffer option lets the capture keep running and overwrite the oldest packets once the buffer is full; without it, the capture stops when the buffer fills.

ASA1(config)#access-list R1_R2 permit icmp host 24.234.10.1 host 2.2.2.2
ASA1(config)#capture ICMP access-list R1_R2 circular-buffer interface inside

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

The show capture command is used to view the captured packets. Only echo requests appear because the access-list names R1 as the source; the replies from 2.2.2.2 do not match it.

ASA1# show capture ICMP
5 packets captured
   1: 02:01:57.919752 24.234.10.1 > 2.2.2.2: icmp: echo request
   2: 02:01:57.921735 24.234.10.1 > 2.2.2.2: icmp: echo request
   3: 02:01:57.923322 24.234.10.1 > 2.2.2.2: icmp: echo request
   4: 02:01:57.924924 24.234.10.1 > 2.2.2.2: icmp: echo request
   5: 02:01:57.926526 24.234.10.1 > 2.2.2.2: icmp: echo request
5 packets shown

Configure Transit Traffic Control and Congestion Management

Task 7.26
Configure R2 to guarantee 33% of the bandwidth for voice traffic with the DSCP value ef. Next, police ICMP traffic to 8000 bps with a burst of 1000 bytes and an excess burst of 1000 bytes. All other traffic uses the queuing method fair-queue.

This will be accomplished with MQC. First, the ICMP traffic is identified with an ACL.

R2(config)#ip access-list extended ICMP
R2(config-ext-nacl)#permit icmp any any

The voice traffic is identified with the match ip dscp command within a class map, and the ICMP traffic by matching our ACL within another class map.

R2(config)#class-map match-all VOICE
R2(config-cmap)#match ip dscp ef
R2(config-cmap)#exit
R2(config)#class-map match-any ICMP_CMAP
R2(config-cmap)#match access-group name ICMP
R2(config-cmap)#exit

Then a policy map is created. Within the policy map the voice class is given a low-latency priority queue with the priority percent command; priority also polices the class to that percentage during congestion, so voice cannot starve the other classes.

R2(config)#policy-map WAN_PMAP
R2(config-pmap)#class VOICE
R2(config-pmap-c)#priority percent 33
R2(config-pmap-c)#exit

Then the ICMP traffic is policed with the police command.

R2(config-pmap)#class ICMP_CMAP
R2(config-pmap-c)#police 8000 1000 1000
R2(config-pmap-c-police)#conform-action transmit
R2(config-pmap-c-police)#exceed-action drop

All other traffic is fair-queued with the fair-queue command.

R2(config-pmap)#class class-default
R2(config-pmap-c)#fair-queue

Finally, the policy map is applied to an interface with a service-policy. The policer acts on every ICMP packet whether or not the link is busy; the priority and fair-queue classes are output queueing and only take effect when the serial link is congested.

R2(config-pmap-c)#interface serial0/0/0
R2(config-if)#service-policy output WAN_PMAP

We'll verify with a normal ping, which conforms to the policy.

R1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

A show policy-map verifies that the ICMP packets were subjected to the policer and in this case were transmitted.
(Output cut for clarity)

R2#show policy-map interface serial 0/0/0
 Serial0/0/0

  Service-policy output: WAN_PMAP

    Class-map: ICMP_CMAP (match-any)
      5 packets, 520 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name ICMP
        5 packets, 520 bytes
        5 minute rate 0 bps
      Queueing
        Output Queue: Conversation 265
        Bandwidth 100 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0
      police:
          cir 8000 bps, bc 1000 bytes, be 1000 bytes
        conformed 5 packets, 520 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

A large ping request is dropped by the policer.

R1#ping 4.4.4.4 size 2000
Type escape sequence to abort.
Sending 5, 2000-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Another show policy-map verifies that packets were in violation of the policy.

R2#show policy-map interface serial 0/0/0
 Serial0/0/0

  Service-policy output: WAN_PMAP

    Class-map: ICMP_CMAP (match-any)
      15 packets, 10660 bytes
      5 minute offered rate 1000 bps, drop rate 1000 bps
      Match: access-group name ICMP
        15 packets, 10660 bytes
        5 minute rate 1000 bps
      Queueing
        Output Queue: Conversation 265
        Bandwidth 100 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0
      police:
          cir 8000 bps, bc 1000 bytes, be 1000 bytes
        conformed 10 packets, 3140 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          transmit
        violated 5 packets, 7520 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps, violate 1000 bps

The counters explain why the large pings fail even though five of them in ten seconds is far below 8000 bps. Each 2000-byte echo is fragmented to the 1500-byte MTU before it reaches the serial interface, so the policer sees a 1500-byte and a 520-byte IP fragment per ping (1504 and 524 bytes with the 4 bytes of serial encapsulation the counters include). The 1504-byte fragment is larger than both the 1000-byte committed burst and the 1000-byte excess burst, so it can never fit in either bucket and is counted as violated and dropped on arrival, however full the buckets are. The 524-byte fragments fit the committed burst and conform, which is where the ten conformed packets come from: the five earlier 104-byte echoes plus these five fragments, 520 + 2620 = 3140 bytes. Nothing lands in the exceed band because a packet that does not fit 1000 bytes of committed burst does not fit 1000 bytes of excess burst either.

Chapter 8
Network Attacks

[Figure: Network Attacks Lab Topology. ASA1 with outside 24.234.1.0/24, DMZ 172.16.0.0/24 and inside 192.168.2.0/16 (ACS server at .101); routers R1 to R5 connected over FastEthernet0/0 and Serial0/0/0 links running EIGRP 1.]
Identify and protect against fragmentation attacks

Task 8.1
A network beyond R5 is launching fragmentation-based attacks against the network. Drop non-initial fragments incoming on R1 but allow all other traffic to pass.

Task 8.2
Hosts behind R4 are particularly vulnerable to fragmentation attacks. Drop all fragments incoming to R4. Do not use an access list to accomplish this.

Task 8.3
Some fragments must be allowed from the internal network to the outside, but to cut down on fragmentation attacks, configure the ASA to allow a maximum of 12 fragments per IP packet.

Identify and protect against malicious IP option usage

Task 8.4
A network beyond R5 is launching an IP option based attack. Configure R1 to drop all IP option traffic.

Identify and protect against network reconnaissance attacks

Task 8.5
You believe an attacker from the outside is trying to gain information about your network by scanning internal hosts. Configure the ASA to detect this behavior and shun the attacker for half an hour if detected.

Task 8.6
You think the attacker may have been scanning because you are allowing too much information to the outside. ICMP and telnet should only be allowed incoming from R1, and FTP should only be allowed from anywhere to R2. Review the ASA configuration and correct the access allowed.

Identify and protect against IP spoofing attacks

Task 8.7
R1 is connected to the internet via R5. Configure R1 to drop incoming packets sourced from RFC 1918 addresses on the internet-facing interface.

Task 8.8
You believe that a user inside your network is launching attacks against internet hosts using spoofed source IPs. Configure the ASA so that it will verify that incoming packets originated from the internal networks.

Identify and protect against MAC spoofing and flooding attacks

Task 8.9
You suspect that a user on port fa0/10 of SW1 is spoofing MAC addresses. Configure SW1 to learn the host's real MAC address, enter it in the running config, and disable the port if additional MAC addresses are seen.

Task 8.10
There is a hub attached to port fa0/11 of SW1. The number of devices on the hub varies from 5 to 10 depending on who is in the office that day. One of the users is attempting to flood the CAM table of the switch. Configure SW1 so that the necessary number of devices will be allowed but the port will be shut down if CAM table flooding occurs.

Identify and protect against DHCP attacks

Task 8.11
The ACS server is set up as a DHCP server for VLAN 1. Configure SW1 so that ONLY the ACS server port can respond to DHCP requests on VLAN 1. Any other port that attempts to respond should be shut down.

Identify and protect against ARP spoofing attacks

Task 8.12
Configure SW1 so that ARP spoofing is not possible on VLAN 1.
For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 5 0 9 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated Identify and protect against VLAN hopping attacks T a s k 8 . 1 3 Port fa0/19 on SW1 is designated for use as a trunk link. Its current configuration is vulnerable to VLAN hopping. Configure port fa0/19 so this is not possible. For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 5 1 0 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated Identify and protect against Denial of Service (DoS) attacks T a s k 8 . 1 4 A specially crafted internet worm has infected your network. Multiple hosts from the inside are leaving half open connections to the FTP server on R2. Configure the ASA to limit the number of half open connections to 1000. Do this without using a NAT statement or ACL. T a s k 8 . 1 5 Hosts on the internal network are infected with a worm. They are attempting to syn flood R5 on random TCP ports. Configure R1 so that when the number of half open connections exceeds 1000 it will start dropping the oldest partial connection. When the number of connections drops below 500 normal behavior should resume. For questions: www.securityie.com s.f.wb.09.04.sm.r08.09.07.doc 5 1 1 www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com Copyright 2009, Network Learning, Incorporated Mitigate Man in the Middle attack T a s k 8 . 1 6 Although there are already configurations in place to defeat man in the middle attacks, SMTP between the loopback addresses of R3 and R4 is critical to the company. Ensure that this traffic cannot be viewed or tampered with in transit, even if an attacker has physical access to the switch between the devices. 
Identify and protect against port redirection attacks

Task 8.17
R2 has been compromised from the outside and is taking part in a port redirection attack against internal hosts. Review the ASA configuration and determine why the port redirection is possible. Correct the configuration so that port redirection is not allowed.

Identify and protect against DNS attacks

Task 8.18
R2 is an older DNS server that uses a weak randomization algorithm for the DNS transaction ID. Configure the ASA to inspect DNS and better randomize the transaction ID for DNS coming from the outside to R2.

Identify and protect against Smurf attacks

Task 8.19
You suspect R1 might be configured to allow your network to be used as an intermediary in a smurf attack. Review the configuration and correct it.

Network Attacks Solutions

Identify and protect against fragmentation attacks

Task 8.1
A network beyond R5 is launching fragmentation based attacks against the network. Drop non-initial fragments incoming on R1 but allow all other traffic to pass.

Non-initial fragments can be matched and permitted or denied in an ACL with the fragments keyword. Remember that your ACL needs a permit statement to allow non-fragmented traffic to be permitted.
R1(config)#access-list 101 deny ip any any fragments
R1(config)#access-list 101 permit ip any any
R1(config)#interface s0/0/0
R1(config-if)#ip access-group 101 in

Task 8.2
Hosts behind R4 are particularly vulnerable to fragmentation attacks. Drop all fragments incoming to R4. Do not use an access list to accomplish this.

Virtual reassembly is normally used with IOS firewall features to set limits on reassembling packets for inspection. However, you can also block all fragments using ip virtual-reassembly with the drop-fragments keyword.

R4(config)#int fa0/0
R4(config-if)#ip virtual-reassembly drop-fragments

Task 8.3
Some fragments must be allowed from the internal network to the outside, but to cut down on fragmentation attacks, configure the ASA to only allow a maximum of 12 fragments per IP packet.

The ASA can set limits on the number of fragments allowed per whole IP packet. It is 24 by default but you can set it lower or higher with the fragment chain command. Setting this to 1 means fragmentation will not be allowed. You can also set this per interface, as we will do in this task.

ASA(config)# fragment chain 12 inside

Identify and protect against malicious IP option usage

Task 8.4
A network beyond R5 is launching an IP option based attack. Configure R1 to drop all IP option traffic.

IP options can be dropped at a router with the ip options drop command. You will receive a warning about protocols that use IP options not working as expected.

R1(config)#ip options drop
% Warning: RSVP and other protocols that use IP Options packets may not function as expected.
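The ACL behaviour that Task 8.1 above and Task 8.7 below rely on (first-match order, the implicit deny, wildcard masks and the fragments keyword) can be checked offline. The Python evaluator that follows is an added example, not code from the workbook; the packets it tests are constructed from R5's and R1's addresses (24.234.0.5 and 24.234.1.1), the fragment offset is made up, and port matching is not modelled.

```python
"""Evaluate extended ACL entries the way R1 does in Tasks 8.1 and 8.7 (added example,
not from the workbook): first-match order, the implicit deny, Cisco wildcard masks and
the 'fragments' keyword for L3-only entries. Port matching is not modelled."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: str                 # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z"
    dst: str
    fragments: bool = False  # entry applies only to non-initial fragments

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    frag_offset: int = 0  # 0 for unfragmented packets and initial fragments

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return IPv4Address(addr) == IPv4Address(spec.split()[1])
    net, wild = spec.split()
    care = ~int(IPv4Address(wild)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(net)) & care

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.fragments and pkt.frag_offset == 0:
        return False  # 'fragments' never matches an initial fragment
    return wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)

def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """Action of the first matching entry, or the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> ...' line (L3 fields and 'fragments' only)."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    def take(t: list[str]) -> tuple[str, list[str]]:
        if t[0] == "any":
            return "any", t[1:]
        if t[0] == "host":
            return f"host {t[1]}", t[2:]
        return f"{t[0]} {t[1]}", t[2:]
    src, rest = take(rest)
    dst, rest = take(rest)
    return Ace(action, proto, src, dst, fragments="fragments" in rest)

# ACL 101 as entered on R1 in Task 8.1 ...
ACL_TASK_8_1 = [parse_ace(l) for l in (
    "access-list 101 deny ip any any fragments",
    "access-list 101 permit ip any any",
)]
# ... and as Task 8.7 enters it. On IOS, 'no access-list 101 ...' clears the whole
# numbered list, so the Task 8.1 fragments entry is gone unless it is typed again.
ACL_TASK_8_7 = [parse_ace(l) for l in (
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 permit ip any any",
)]

if __name__ == "__main__":  # constructed packets: R5 (24.234.0.5) toward R1 (24.234.1.1)
    later_frag = Packet("24.234.0.5", "24.234.1.1", "tcp", frag_offset=185)
    print(evaluate(ACL_TASK_8_1, later_frag), evaluate(ACL_TASK_8_7, later_frag))  # deny permit
```

The last line makes the practitioner's check visible: after the Task 8.7 re-entry a non-initial fragment from a public source is permitted again, so the fragments entry has to be re-added if both protections are wanted.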
Identify and protect against network reconnaissance attacks

Task 8.5
You believe an attacker from the outside is trying to gain information about your network by scanning internal hosts. Configure the ASA to detect this behavior and shun the attacker for half an hour if detected.

Scanning threats can be detected and/or blocked with the threat-detection command. Use the shun option with a duration to block for a specified amount of time in seconds.

ASA(config)# threat-detection scanning-threat shun duration 1800

Task 8.6
You think the attacker may have been scanning because you are allowing too much information to the outside. ICMP and telnet should only be allowed incoming from R1 and FTP should only be allowed from anywhere to R2. Review the ASA configuration and correct the access allowed.

Network attacks often occur because administrators don't use the principle of least access. Only the least amount of access needed for a network to function should be allowed. Anything else leaves the door open for attacks. In this case we know what access is needed. Now we will look at the current configuration to see what is allowed.

ASA# sho run access-list
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any eq telnet
access-list outside extended permit tcp any any eq ftp

This allows our network to function, but it is too permissive. We need to first remove these ACL entries.
ASA(config)# no access-list outside extended permit icmp any any
ASA(config)# no access-list outside extended permit tcp any any eq telnet
ASA(config)# no access-list outside extended permit tcp any any eq ftp

And then add only the access needed. Since we removed the entire ACL we need to re-apply the new one to the outside interface.

ASA(config)# access-list outside extended permit icmp host 24.234.1.1 any
ASA(config)# access-list outside extended permit tcp host 24.234.1.1 any eq telnet
ASA(config)# access-list outside extended permit tcp any host 172.16.0.2 eq ftp
ASA(config)# access-group outside in interface outside

Identify and protect against IP spoofing attacks

Task 8.7
R1 is connected to the internet via R5. Configure R1 to drop incoming packets sourced with the RFC 1918 addresses on the internet facing interface.

RFC 1918 addresses are set aside for private network use. They should never come in from the internet and can be blocked with an ACL. We already have an ACL present on the internet facing interface (s0/0/0) so we first need to remove our permit ip any any statement so the deny statements will function. After the RFC 1918 addresses are denied the permit statement can be re-applied.

R1(config)#no access-list 101 permit ip any any
R1(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any
R1(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any
R1(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any
R1(config)#access-list 101 permit ip any any

Task 8.8
You believe that a user inside your network is launching attacks against internet hosts using spoofed source IPs.
Configure the ASA so that it will verify incoming packets originated from the internal networks.

This is done with the ip verify reverse-path command. The ASA will check that the source address of a packet is reachable via the interface this command is configured for. If it is not, that packet will be dropped.

ASA(config)# ip verify reverse-path interface inside

Identify and protect against MAC spoofing and flooding attacks

Task 8.9
You suspect that a user on port fa0/10 of SW1 is spoofing MAC addresses. Configure SW1 to learn the host's real MAC address, enter it in the running config and disable the port if additional MAC addresses are seen.

This is done with the switchport port-security command. By default the maximum number of MAC addresses allowed per port is 1, and the default violation action is to disable the port. The sticky option enters the learned MAC address into the running config of the switch.

SW1(config)#interface fa0/10
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address sticky

Task 8.10
There is a hub attached to port fa0/11 of SW1. The number of devices on the hub varies from 5 to 10 depending on who is in the office that day. One of the users is attempting to flood the CAM table of the switch. Configure SW1 so that the necessary number of devices will be allowed but the port will be shut down if CAM table flooding occurs.

In this case multiple MAC addresses are allowable since there is a hub attached to the port. However, we should never see more than 10 MAC addresses on the port. We'll need to use port-security again, but set the maximum allowable MAC addresses to 10.
SW1(config)#interface fa0/11
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 10

Identify and protect against DHCP attacks

Task 8.11
The ACS server is set up as a DHCP server for VLAN 1. Configure SW1 so that ONLY the ACS server port can respond to DHCP requests on VLAN 1. Any other port that attempts to respond should be shut down.

This is done with DHCP snooping. It allows you to set a port as trusted. Only trusted ports will be able to respond to DHCP requests. First DHCP snooping must be enabled globally, then for specific VLANs, and finally a port is set as trusted.

SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 1
SW1(config)#int fa0/24
SW1(config-if)#ip dhcp snooping trust

You can verify your DHCP snooping configuration with show ip dhcp snooping.

SW1#sho ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
   remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet0/24           yes        unlimited

Identify and protect against ARP spoofing attacks

Task 8.12
Configure SW1 so that ARP spoofing is not possible on VLAN 1.
One of the benefits of DHCP snooping is that it creates a MAC to IP binding database. Dynamic ARP inspection (DAI) can then be used to verify a valid MAC to IP binding before allowing the ARP packet.

SW1(config)#ip arp inspection vlan 1

Identify and protect against VLAN hopping attacks

Task 8.13
Port fa0/19 on SW1 is designated for use as a trunk link. Its current configuration is vulnerable to VLAN hopping. Configure port fa0/19 so this is not possible.

By default switchports are set to negotiate their mode to either access or trunk links depending on the neighbor. It's possible to connect a rogue switch or a PC emulating trunking. Also, fa0/19 is using the default native VLAN of 1, which is used as a data VLAN in our lab. This allows for possible double tagging to VLAN hop. To eliminate the possibility of VLAN hopping, force fa0/19 to always be a trunk link and set the native VLAN to one unused by regular traffic.

SW1(config)#interface fa0/19
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 10

Identify and protect against Denial of Service (DoS) attacks

Task 8.14
A specially crafted internet worm has infected your network. Multiple hosts from the inside are leaving half-open connections to the FTP server on R2. Configure the ASA to limit the number of half-open connections to 1000. Do this without using a NAT statement or ACL.

Although the ASA can limit half-open connections using a NAT statement, sometimes you are not using NAT to go from one internal network to another. In this case it can be done from within a policy map.
ASA(config)# class-map FTP
ASA(config-cmap)# match port tcp eq ftp
ASA(config-cmap)# policy-map FTP
ASA(config-pmap)# class FTP
ASA(config-pmap-c)# inspect ftp
ASA(config-pmap-c)# set connection embryonic-conn-max 1000
ASA(config-pmap-c)# service-policy FTP interface inside

Task 8.15
Hosts on the internal network are infected with a worm. They are attempting to SYN flood R5 on random TCP ports. Configure R1 so that when the number of half-open connections exceeds 1000 it will start dropping the oldest partial connection. When the number of connections drops below 500 normal behavior should resume.

This is done with TCP intercept. The max-incomplete high is the number of half-open connections that must be exceeded to trigger aggressive mode. The max-incomplete low is the number that half-open connections must fall below for normal behavior to resume.

R1(config)#access-list 105 permit tcp any host 24.234.0.5
R1(config)#ip tcp intercept list 105
command accepted, interfaces with mls configured might cause inconsistent behavior
R1(config)#ip tcp intercept max-incomplete high 1000
command accepted, interfaces with mls configured might cause inconsistent behavior
R1(config)#ip tcp intercept max-incomplete low 500
command accepted, interfaces with mls configured might cause inconsistent behavior

Mitigate Man in the Middle attack

Task 8.16
Although there are already configurations in place to defeat man in the middle attacks, SMTP between the loopback addresses of R3 and R4 is critical to the company.
Ensure that this traffic cannot be viewed or tampered with in transit, even if an attacker has physical access to the switch between the devices.

We've already configured DHCP snooping, dynamic ARP inspection and port-security on our network. However, an attacker with physical access to the switch (such as IT staff) could still perform a MITM attack or simply duplicate and view the traffic with a SPAN port. To defeat this you can treat your internal network as untrusted and encrypt the specific traffic you need to protect. First we'll configure R3 (ICMP included for testing).

R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 cisco address 192.168.2.4
R3(config)#crypto ipsec transform-set R4_SMTP esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#access-list 101 permit tcp host 3.3.3.3 host 4.4.4.4 eq smtp
R3(config)#access-list 101 permit icmp host 3.3.3.3 host 4.4.4.4
R3(config)#crypto map R4_SMTP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R3(config-crypto-map)#set peer 192.168.2.4
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#set transform-set R4_SMTP
R3(config-crypto-map)#exit
R3(config)#int fa0/0
R3(config-if)#crypto map R4_SMTP

Then R4:

R4(config)#crypto isakmp policy 10
R4(config-isakmp)#encryption aes
R4(config-isakmp)#hash sha
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#exit
R4(config)#crypto isakmp key 0 cisco address 192.168.2.3
R4(config)#crypto ipsec transform-set R3_SMTP esp-aes esp-sha-hmac
R4(cfg-crypto-trans)#exit
R4(config)#access-list 101 permit tcp host 4.4.4.4 host 3.3.3.3 eq smtp
R4(config)#access-list 101 permit icmp host 4.4.4.4 host 3.3.3.3
R4(config)#crypto map R3_SMTP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R4(config-crypto-map)#set peer 192.168.2.3
R4(config-crypto-map)#match address 101
R4(config-crypto-map)#set transform-set R3_SMTP
R4(config-crypto-map)#exit
R4(config)#int fa0/0
R4(config-if)#crypto map R3_SMTP

Now verify the tunnel works, in this case with a ping. The ping should be successful and the IPsec SA should show packets encrypted and decrypted.

R4#ping 3.3.3.3 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R4#sho crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: R3_SMTP, local addr 192.168.2.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/1/0)
   current_peer 192.168.2.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 15, #recv errors 0

Identify and protect against port redirection attacks

Task 8.17
R2 has been compromised from the outside and is taking part in a port redirection attack against internal hosts. Review the ASA configuration and determine why the port redirection is possible. Correct the configuration so that port redirection is not allowed.

Port redirection exploits trust relationships. An outside host may not have access directly to an internal host, but does have access to a DMZ host. If the DMZ host has access to the inside and is exploited, the attacker uses it as a jump-off point to attack the inside. This is often only possible because the DMZ host has more access to the inside network than it needs. This violates the principle of least access. First we'll review the DMZ ACL to see what might be wrong.

ASA# sho run access-list dmz
access-list dmz extended permit icmp any any
access-list dmz extended permit tcp any any eq telnet
access-list dmz extended permit tcp any any eq www
access-list dmz extended permit tcp any any eq ftp

The access list allows DMZ hosts fairly broad access to the inside network.
Since the task made no mention of specific access needed to the inside by DMZ hosts, it is best to apply the principle of least access and completely remove the ACL. This will mean the interface security level will take over and the DMZ will not be able to initiate any traffic to the inside.

ASA(config)# clear configure access-list dmz

Identify and protect against DNS attacks

Task 8.18
R2 is an older DNS server that uses a weak randomization algorithm for the DNS transaction ID. Configure the ASA to inspect DNS and better randomize the transaction ID for DNS coming from the outside to R2.

This will involve the id-randomization parameter within a DNS policy map type inspect. The policy map type inspect is then nested within an L3/4 policy map which is applied to the outside interface.

ASA(config)# policy-map type inspect dns R2_DNS
ASA(config-pmap)# parameters
ASA(config-pmap-p)# id-randomization
ASA(config-pmap-p)# exit
ASA(config-pmap)# exit
ASA(config)# access-list R2_DNS permit tcp any host 172.16.0.2 eq 53
ASA(config)# access-list R2_DNS permit udp any host 172.16.0.2 eq 53
ASA(config)# class-map R2_DNS
ASA(config-cmap)# match access-list R2_DNS
ASA(config-cmap)# exit
ASA(config)# policy-map R2_DNS_L4
ASA(config-pmap)# class R2_DNS
ASA(config-pmap-c)# inspect dns R2_DNS
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)# service-policy R2_DNS_L4 interface outside

Identify and protect against Smurf attacks

Task 8.19
You suspect R1 might be configured to allow your network to be used as an intermediary in a smurf attack. Review the configuration and correct it.
Smurf attacks rely on directed broadcasts, so that is the configuration we'll be looking for.

R1#sho run int fa0/0
Building configuration...

Current configuration : 118 bytes
!
interface FastEthernet0/0
 ip address 24.234.1.1 255.255.255.0
 ip directed-broadcast
 duplex auto
 speed auto
end

IP directed-broadcast is off by default but can be enabled for specific purposes. Since we are concerned with possible smurf attacks we'll disable it.

R1(config)#int fa0/0
R1(config-if)#no ip directed-broadcast
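Several of the switch and router settings this section hardens can be checked by reading the running-config rather than by inspecting each port by hand. The Python audit below is an added example, not from the workbook: it splits a show run into interface blocks and flags ip directed-broadcast (Task 8.19), trunks left on native VLAN 1 or open to DTP negotiation (Task 8.13), access ports without port-security (Task 8.9) and missing global DHCP snooping and DAI (Tasks 8.11 and 8.12). The sample configuration is constructed; only the fa0/0 block is copied from R1's output above.

```python
"""Audit an IOS running-config for the settings this section hardens.

Added example, not from the workbook. Flags ip directed-broadcast (Task 8.19),
trunks on native VLAN 1 or open to DTP negotiation (8.13), access ports without
port-security (8.9) and missing global DHCP snooping / DAI commands (8.11, 8.12).
"""
from __future__ import annotations

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' block to its indented lines, as 'show run' prints them."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def audit(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: list[str] = []
    global_cmds = {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}
    if "ip dhcp snooping" not in global_cmds:
        findings.append("global: DHCP snooping not enabled (Task 8.11)")
    if not any(c.startswith("ip arp inspection vlan") for c in global_cmds):
        findings.append("global: dynamic ARP inspection not enabled (Task 8.12)")
    for name, lines in parse_interfaces(config).items():
        if "ip directed-broadcast" in lines:
            findings.append(f"{name}: ip directed-broadcast on, smurf amplifier (Task 8.19)")
        if not any(l.startswith("switchport") for l in lines):
            continue  # routed port: the L2 checks below do not apply
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        if mode == "switchport mode trunk":
            native = next((l for l in lines if l.startswith("switchport trunk native vlan ")), None)
            if native is None or native.split()[-1] == "1":
                findings.append(f"{name}: trunk on native VLAN 1, double-tagging risk (Task 8.13)")
        elif mode == "switchport mode access":
            if "switchport port-security" not in lines:
                findings.append(f"{name}: access port without port-security (Task 8.9)")
        else:  # no explicit mode, or 'dynamic': DTP may still negotiate a trunk
            findings.append(f"{name}: mode '{mode or 'default'}' allows trunk negotiation (Task 8.13)")
    return findings

# Constructed sample, not captured from the lab; the fa0/0 block mirrors R1's show run above.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1
!
interface FastEthernet0/0
 ip address 24.234.1.1 255.255.255.0
 ip directed-broadcast
 duplex auto
 speed auto
!
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/20
 switchport mode dynamic desirable
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Note that the sample deliberately enables DHCP snooping for VLAN 1 without the global ip dhcp snooping command, the ordering Task 8.11 warns about, and the audit reports it as missing.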