Archive for January 30th, 2010
T-50 | More videos + Big doubts cleared!
Posted by TacAck in CCIE-Security on January 30th, 2010
Hello All,
I’m really relieved that i’m done with all the Group-locking/Group authorization/Xauth of EZVPNs using ACS and local configuration. These fall under task numbers 2.18 to 2.28 of the INE vol1 lab workbook.
Today i’m going to share with you a video i made regarding the Group-locking feature on the ASA. Today i’m only going to be posting the local group-lock configuration. But tomorrow i’m going to be posting the one where we use the ASA as well.
Here you go!
I hope this helps! Thanks a lot for watching and i’d appreciate any comments! 
And, here’s the config for the ASA :
PIX Version 8.0(4)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif out
security-level 0
ip address 11.0.0.12 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 136.1.120.12 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 136.1.100.12 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list VPN_ACL extended permit ip any any
access-list VPN_ACL extended permit ip 136.1.120.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu out 1500
mtu dmz 1500
ip local pool VPN_POOL 20.0.0.1-20.0.0.254
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group VPN_ACL in interface out
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN_TRANS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map VPN_DYNA 10 set transform-set VPN_TRANS
crypto dynamic-map VPN_DYNA 10 set security-association lifetime seconds 28800
crypto dynamic-map VPN_DYNA 10 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_DYNA
crypto map VPN_MAP interface out
crypto isakmp enable out
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GP_1 internal
group-policy GP_1 attributes
vpn-tunnel-protocol IPSec
group-lock value VPN_USERS_2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ACL
username tacack password QSJpFq2FSZtsqs5L encrypted
username tacack attributes
group-lock value VPN_USERS_1
tunnel-group VPN_USERS_1 type remote-access
tunnel-group VPN_USERS_1 general-attributes
address-pool VPN_POOL
default-group-policy GP_1
tunnel-group VPN_USERS_1 ipsec-attributes
pre-shared-key *
tunnel-group VPN_USERS_2 type remote-access
tunnel-group VPN_USERS_2 general-attributes
address-pool VPN_POOL
default-group-policy GP_1
tunnel-group VPN_USERS_2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cheers,
TacACK
-
You are currently browsing the archives for Saturday, January 30th, 2010
INTERACT!
Last Message22 hours, 42 minutesagoRami and 1 guest are online.- Info : Please, resolve the addition below before post any new comment...
- Rami : so i wondering if this exam can be passed or not
- Rami : Am sorry for that, hope you will do it next time, my studying is going on slowly, am little bit fed up, you are the 3rd person i know who didnt clear it, i've 2 of my friends didnt clear it too.
- TacAck : Hello Rami, Well i couldn't clear the lab this time. However i hope to clear it sometime soon How are your studies going ?
- Rami : Hello man, how was you exam?
- TacAck : Hello Guest_1455. Yeah, i guess i'm as ready as i'll ever be Hoping to have a good time.
- Guest_1455 : ready for the exam? did u finalize every thing? good luck
- Guest_1455 : Hello man,
- TacAck : Thank you Rahgovin
- rahgovin : See that your lab exam is coming up soon. All the best for the same Do well.
- TacAck : Thank you , my friend!
- Guest_3723 : it has to be really god meal I wish you good luck man!!!
- TacAck : Yep! I've the lab scheduled on the 31st of this month. Hoping to get atleast a good meal for the $1400
- Guest_3723 : I saw your countdown you are going very soon
- Guest_3723 : I think it is going to be at the end of November.
- TacAck : Thanks a lot Guest_3723! All the best for your ccie-sec journey too. When are you shooting for the lab?
- Guest_3723 : I am also an ccie sec candidate.
- Guest_3723 : Good luck on your exam!
- TacAck : Hello Guest_1455 -> By CLND , I was referring to the Cisco Learning Network Discussions
- Guest_1455 : Hi, what clnd you are talking about?
- TacAck : Hello Guest_2104, please go ahead with your question. I hope to be of some assistance!
- Guest_2104 : anyone thr... i've some doubts
- Guest_2104 : hi
- TacAck : One of my ccie-sec peeps ( Simon Baumann ) just finished his lab in Dubai. Here's wishing him the best of luck!
- TacAck : Thanks for the kind words Pritham!
- Pritham : Wow...another goal from TacACK...nice interview...keep it up
- TacAck : Lol..Ajay! Welcome to my boring world
- Guest_462 : nope im Ajay lol
- TacAck : Hello Guest_462! Thanks for visiting! Are you a ccie-sec candidate too?
- Guest_462 : hey tacAck
- routsec : Another good interview. I wish only the best of luck to Brian A!
- TacAck : Hello! Thanks for visiting. What kinda examples are you looking for? I could help you find them?
- Guest_848 : Ana, thanks for the link to this cool site. Where's the examples of CCNA ACL's?
- TacAck : Thanks Ana. Are you on the CCIE-sec train too?
- Ana : your website is very well structured, I like your explanations. thank you.
- TacAck : @Pritham Thanks for the kind words
- Pritham : Hey tacAck, I just went thru ur short tweenterview wid amplebrain ,really awesum...keep it up
- TacAck : Good luck with your studies, Pritham!
- Pritham : Currently loading CCSP...next CCIE-sec
- TacAck : That's great to hear! Are you studying for CCIE-sec?
- Pritham : @ TacAck...I m frm Mumbai...
- TacAck : Haha @Pritham. Thanks! Where are you from?
- Pritham : Thx Macha...its really inspiring !!!
- TacAck : @LBSources -> Thanks bro. I hope to keep learning and sharing
- LBSources : Your blogging is very inspiring man. CCIE-Sec is the goal for me as well. Thanks for sharing your journey.
- TacAck : Thanks Murad
- Murad Rahman : Cool job with taking notes.
- Murad Rahman : Dude,
- TacAck : @Murad : Hang in there bro, and keep plugging away at the lab
- TacAck : 3) Almost none, but yes there is. I do feel bad when i see my friends chill out and go on vacations,etc , but this is all going to be worth it
- TacAck : 2) Umm..not sure if i understand your question. Could you please elaborate?
- TacAck : 1) Hardware costs a lot and rack-rentals are a lot cheaper. I can rent a rack for about 600-700 hours for half the price of a second-hand ASA
- TacAck : Hello Murad. Here are my answers
- Murad : 2. when you use INE/IPX material, how do you blend it with DOC-CD? 3. Is there any social life for CCIE candidates?
- Murad : Shoutbox sucks!
- Murad : Great Blog! Your blog keeps me motivated although I am not making much progress Unfortunately. I had few questions: 1. why rack rental? - because you don't have hardware cost or because all
- TacAck : Thanks @rahgovin for the encouragement
- rahgovin : hey man...awesome posts...keep up the good work..
- routsec : I have a feeling that we will not be tested on LI views.....
- routsec : Quick update on LI Views, I believe SNMP v3 needs to be enabled along with the view defined. Unfortunately, I don't have a high end router (I have a 2851) that supports the TAP mib. This is why the view is absent I believe...
- Tac-ACK : Hey Ryan! Maybe on the same date? Will def book it tonight..see you on gtalk/wave!
- routsec : The date is set my friend - Aug. 31 Any idea when you will schedule?
- routsec : Have you taken a vacation, I am concerned due to your absence from the digital world....
- TacAck : @routsec : Yes, we can , my friend. We're going to kick it!
- routsec : Well, hopefully we can crunch through the studies in the month of March!
- TacAck : Currently reading some NAC fundamentals!
- TacAck : Would you like to too any topic covered .. Let me know!
- TacAck : Would you like any changes to be made to the site.. Let me know!
- TacAck : EVERYONE my wave id is " ybnmts at googlewave.com"
- TacAck : Hello Tirumala. I've sent you an invite you should be getting one soon.
- Tirumala : please send me wave request to «email»
- TacAck : So will i , my friend
- Routec : Time to get on the wave and do some serious labbing material. I will be on the wave all this week!
- TacAck : Sure Please email me your wave ID and i'll add you right in
- Guest_58 : Can I get google wave invitation from you.
- TacAck : Thanks for the all kickass info that you pose Ryan ( a.k.a Routsec ) . I really appreciate all your help!
- routsec : I have been trying to keep our core knowledge questions coming. Check out some new ones on the Wave!
- TacAck : Yeah control plane security next!
- Routec : Well, I see you put Identity Management on the wave, I have to do some catch up now. Control and Management Plane Security next?
- TacAck : Thanks for the suggestion @routsec. We've started the IPS thread on the wave, next i'm planning to do Attack mitigation/contr ol plane security. Any suggestions/comm ents?
- routsec : I guess we should start coming up with another WAVE topic. I chose IPS, your turn....
- TacAck : Another wave is scheduled at 7 PM UTC on Friday! Be there!
- TacAck : Next Wave at 1:30 AM UTC! See you there Routsec! Others are welcome!
- TacAck : I'll schedule the next one in accordance with either the Pacific or Atlantic time-zone More surfers = better!
- routsec : Too bad we are about 12 hours apart. I would have liked to join you in google wave.
- TacAck : P.S : This is not a twitter feed This's like a Chat engine/live discussion/query tool!
- TacAck : Guys, i'm going to be starting a WAVE at 2 PM IST ( 9:30 AM UTC ) when i start the Lt2p config. Do feel free to join . My google wave id is "ybnmts". Send me a request! Cheers!
- TacAck : I'm making notes for the next article
- TacAck : Alright guys! I'm starting Written study in about 20 mins...
- TacAck : Any feedbacks/commen ts will be appreciated!
- TacAck : Hello everyone! I've integrated this new feature with the site so that we can interact live whenever possible! Cheers!
