
T-30 | ASA Vol 1 Labs

It’s not every day that I’m happy with GNS3. But today, I couldn’t be happier! :)

It worked like a charm yesterday. I did ASA VPN Vol 1 labs, TASK 1 to 10 yesterday. It went well and I made some notes. Here are the notes!

1.2 RIP v2

  • This task asked for configuring RIP and authentication between peers running RIP. I thought I’d configured it correctly, but I kept getting “invalid authentication” in the “debug ip rip” command output on both peers.
  • Everything looked fine.
    • I’d configured the key chain
    • The keys and the key-id on both peers were matching
  • I happened to notice that the key-id I had configured was “0” (well, theoretically, the range is 0-255). So just for kicks, I changed the key-id to “1” on both RIP peers. It started working!
  • So this is where I make a note to myself: NEVER USE a key-id value of “0”. Again, I do not know if this is a problem on other IOS versions or platforms, but on the 3725 running 12.4-18 (AdvancedIPServices) IOS, it doesn’t work!
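A worked RIPv2 key-chain configuration for the scenario above, added here as an example and not taken from the lab workbook or the original post. The chain name RIPKEYS, the key string MY_SHARED_SECRET and the 10.1.12.0/24 link addressing are placeholders; the same chain, key id and mode are configured on the neighbouring router with its own address.

```cisco
! Added example (not from the original post): RIPv2 MD5 authentication
! using a key chain with key id 1, not 0, as the note above advises.
! Placeholders: RIPKEYS (chain name), MY_SHARED_SECRET (key string),
! 10.1.12.0/24 (link between the two peers). Mirror this on the other peer.
key chain RIPKEYS
 key 1
  key-string MY_SHARED_SECRET
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEYS
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
!
! Verification: with matching key id, key string and mode on both ends,
! updates from the peer are accepted; an "invalid authentication" line in
! "debug ip rip" means one of those three differs between the two routers.
! show key chain RIPKEYS
! show ip protocols
! debug ip rip
```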

1.3 OSPF

  • I always get a warm feeling (like the feeling you get when you bite into a warm, honey-glazed blackberry jelly donut with powdered sugar on it :D) when I finish configuring OSPF and it works!
  • After configuring them, I was playing around with the DR election and it was awesome.
  • OSPF first checks the interface priority; the one with the highest priority becomes the DR.
    • #interface fa 0/0
      • #ip ospf priority <priority>
  • If the priority is the same, the one with the highest router ID becomes the DR.
    • #router ospf 1
      • #router-id <router-id>

1.6 IP ACCESS-LIST

  • I now have an awesome way of approaching this problem. I’ll make a video of this tonight and I’ll post it here! :) I hope this’ll help you.

1.7 OBJECT GROUPS

  • This task was pretty vague.
  • They asked me to reduce the size of the previous ACL, but they don’t say anything about adding additional ACL statements or keeping the old ACL entries which are not covered by the object-groups.
  • So I assumed that the original ACL should be maintained. Entries can be replaced by object-groups wherever possible, but where that is not possible (e.g. NTP), I have configured an ACL entry explicitly permitting that traffic.
  • If I got this topic in the exam, I would definitely ask for clarification.

1.8 ADMINISTRATIVE ACCESS

  • One quick note here regarding granting SSH access to manage the firewall.
  • Ensure that you have a license which allows you to create DES/3DES keys. If you don’t, what happens is that, despite correct configuration, SSH access will still not work!
  • I found this out the hard way, as I spent about 15 mins trying to find what was wrong :)
  • And I would also suggest specifying the SSH version when you’re trying to SSH into the firewall (or any device, for that matter):
    • #ssh -l <username> -v <version> <ip address>

1.9 ICMP TRAFFIC

  • I did some configuration, but I’m not satisfied, as I don’t know how to permit pMTU replies. Even the solution doesn’t address this. I was thinking we might have to permit “fragmentation needed” or size-too-big packets, but since they don’t figure in the ICMP list, I’m still thinking about how this can be done. Please let me know if you have a solution for this. I’d really appreciate it! :)

1.10 URL FILTERING

  • After configuring URL filtering, when I tried to test it using the “sh url-server statistics” command, it showed that my URL requests were getting dropped.
  • I didn’t have a Websense URL filtering server configured, but I had configured URL filtering with the “allow” keyword at the end, so that if the URL server wasn’t detected, the URL requests would automatically be granted.
  • But the requests are getting dropped.
  • Not even blocked; they are getting “dropped”. Again, if any of you can shed any light on this, I’d be super grateful! :)

I’m looking forward to finishing the rest of the labs! :) This is just awesome!

More on this tonight, tomorrow and the day after (please check the schedule in the sidebar).

Cheers,

TacACK
