Archive for March 1st, 2010

T-25 | ASA Vol 1 lab overview

Hello all! :)

I finished the ASA Vol 1 lab (finally!), and here are the notes I made when I was configuring them. Here they are :) Again, these are just a copy+paste of my notes :) I haven't formatted / spell-checked them, so I'm sorry if there are any grammatical mistakes, etc.

1.11 Dynamic NAT and PAT

  • Always remember the order of NAT processing is:
    • Identity NAT ( Nat with ACL )
    • Static policy NAT ( Static with ACL)
    • Static NAT ( with a pool )
    • Static PAT ( using a single address )
    • Dynamic policy NAT ( NAT with ACL )
    • Dynamic NAT ( with a pool )
    • Dynamic PAT.

1.14 Static Policy NAT and PAT

  • This is a little tricky … hmmm
  • I got the first configuration correct, but the second task is troubling me, let me think for some more time..
  • Hmm, here's the problem that I'm facing
  • There's a task where I have to configure static policy NAT such that any HTTP access to the outside port of the firewall from the lo0 address of R2 (150.1.2.2/24) should be redirected to AAA (on the DMZ)
  • Now this is what I configured. First I configure the access-list, to match the reverse traffic from the DMZ to 150.1.2.2
    • #access-list HTTP permit tcp interface eq http host 150.1.2.2
  • Then I configure the static NAT statement ..
    • #static (dmz,outside) tcp interface http access-list HTTP
  • This should work.
  • However, it works too damn well for my own good.. what's happening is that, when I do a "#telnet 136.1.122.12 80 /source-interface lo 0" from R2, the connection gets redirected to the AAA server in the DMZ, but even if I do a "#telnet 136.1.122.12 80", this is also getting redirected. How is this possible?
  • Any help would be awesome! :)

1.15 Identity NAT and NAT Exemption

  • It works fine! :) There's however a little thing which I wanted clarification about.
  • I saw the fact that, when using identity NAT (nat 0), you can originate traffic to the inside address from the outside; that's possible either by using policy NAT exemption or by using static .. but here I tested it and I'm able to originate traffic both ways.
  • http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065218 -> This is the document that I'm referring to. I'd really like it if someone clarified this for me.
  • Ah, got this! :) It's given clearly in the INE workbook solution.
  • The identity translation works ONLY AFTER THE inside host generates some traffic! After that, traffic can flow both ways.
  • So to test this I did a "clear xlate" on the ASA and tried to ping the inside "identity" address from the AAA server. (Didn't go through! :))

1.16 OUTSIDE Dynamic NAT

  • It's not working... :( The translation is occurring on the ASA, but the ping packets don't reach R1 at all!
  • Outside dynamic NAT translation is not working.. :(
  • I did enter the "outside" keyword in the translation. But it's not working :( . However, when I enter "no nat-control" it starts working
  • I discussed this with David and this is what he had to say:
    • my guess is that since you need a static NAT to go from low->high sec intf that the nat (outside) wont work w/o no nat-control
  • So, this is an important point to keep in mind while labbing

1.17 DNS DOCTORING USING ALIAS

  • Beautiful! Works really well, just ensure that you enable DNS inspection for this to work!

1.18 DNS DOCTORING using Static

  • I tried this too. Again, the same rules apply as for the previous ones! Configure DNS inspection to run globally, just like for the ALIAS command.
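As an added example (not from the post or the INE workbook), this is the static form of DNS doctoring from 1.18 together with the DNS inspection that both 1.17 and 1.18 depend on; the addresses and interface names are placeholders I chose, not the lab's.

```cisco
! Static NAT for a DMZ web server, with the dns keyword so the ASA rewrites
! A-record answers that carry the mapped address into the real address for
! inside/DMZ clients. Addresses are constructed placeholders, not the lab's.
static (dmz,outside) 192.0.2.100 10.1.1.100 netmask 255.255.255.255 dns
!
! The rewrite only happens if the DNS inspection engine sees the reply, so
! DNS inspection must be on in the policy that is applied globally.
! preset_dns_map is the DNS inspection map that ships in the default config.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
```

If the xlate is missing or inspection is off, "show xlate" and "show service-policy inspect dns" are the two places to look first.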

1.19 Fragmented Traffic

  • This is AWESOME! It works just fine! The only command you need is
    • #fragment chain 1 (which tells the ASA to only have a 1-fragment buffer for each packet)
  • So when I ping and specify a size of 1501 bytes (1 byte over the MTU), the pings don't go through as the second fragment doesn't get processed.
  • This is such a cool feature!

1.21 BGP Across the firewall

  • Ok, I finished configuring this. There should be a TCP map added which permits checking of option 19; then this should be added to a policy-map which also disables randomization of the TCP sequence number (this screws with the EIGRP authentication process)
  • It works well :) I can see the updates going through the firewall and I can see the updates on R1 and R2.
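An added example of the tcp-map and policy-map the note describes (my own, not the post's or the workbook's config): it lets TCP option 19, the TCP MD5 signature option that BGP authentication uses, through the ASA and turns off sequence-number randomization so the ASA does not rewrite the header the MD5 hash covers; the map and class names are assumptions.

```cisco
! Allow TCP option 19 (TCP MD5 signature, RFC 2385) instead of clearing it.
tcp-map BGP_MD5
 tcp-options range 19 19 allow
!
! Match BGP sessions by destination port 179.
class-map BGP_TRAFFIC
 match port tcp eq 179
!
! Apply both settings in the existing global policy. Randomizing the ISN
! would change the TCP header after the peer signed it, so the MD5 check
! on the far side would fail; the advanced-options line attaches the map.
policy-map global_policy
 class BGP_TRAFFIC
  set connection random-sequence-number disable
  set connection advanced-options BGP_MD5
!
service-policy global_policy global
```

Leaving randomization on for everything else is the safer default; it is only relaxed here for the one class whose protocol signs the header.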

1.22 Stub Multicast Routing

  • I always cringe when I hear the word multicast, dunno why?
  • I'm not very familiar with this, I will have to read some info about this.. hang on
  • Read the topic and trying to get this to work.
  • Crap.. it's just not working... :( .. I've gotta rethink what I'm doing here..
  • I found out what the problem was: apparently PEMU doesn't support multicast routing :(

1.23 PIM multicast Routing

  • I removed the forward commands, and now I've PIM enabled on the ASA with a helper address pointing to R2's lo 0 (150.1.2.2)
  • Since ASA supports only PIM sparse-mode, configure ASA and R2 with the "rp-address of 150.1.2.2"
  • This isn't working either.
  • The worst thing is I'm unable to see the IGMP groups on the ASA.
  • I see the debug on the inside routers and I can see the IGMP join messages going out on the interface connected to the ASA... but I don't see anything when I do a debug igmp on the firewall
  • I found out what the problem was: apparently PEMU doesn't support multicast routing :(

1.24 Network Time protocol

  • Awesome.. but I didn't understand why the "ntp trusted-key" command is used? Isn't that already specified when specifying the key next to the "ntp server <IP> key"?
  • Seems a little redundant to me.

1.25 System Logging

  • Just finished configuring this.
  • Don't forget to turn on logging by using the command "logging enable". VERY important!

1.27 SNMP Monitoring

  • This is getting SNMP. I love SNMP! :) It's hard to configure, but totally worth it I guess!
  • I forgot to configure the SNMP_MAP inside the global_policy.. MUST REMEMBER THIS!
  • The configuration misses one point in the solution
  • They do not configure VPN messages to be sent as traps to the SNMP server
  • For that I'm guessing we need to add the message "logging class vpn trap critical" & the already existing "logging history critical"

1.29 HTTP TRAFFIC INSPECTION

  • I have one doubt:
    • Does the inspection take place before or after xlate?
      • 'coz the access-list on the outside HTTP inspection works when I configure the IP address of the destination (HTTP server) as 136.1.122.100 (i.e. the outside mapped address). But I always thought xlate happens before inspection...?

1.31 SMTP TRAFFIC INSPECTION

  • Done configuring this, except for one feature
  • I didn't know how to allow mails to only "cisco.com"
  • Apparently that can be done using the mail-relay command.
  • MUST REMEMBER THIS COMMAND!

1.32 TCP INSPECTION

  • Here we use TCP maps to configure the TCP options and then we apply it to the policy-map
  • Let’s see if it works.
  • The way I'm going to test this is to try and initiate 4 telnet connections from R1 to R2... according to our configuration, it should block this
  • Beautiful! It works! Remember, use "Ctrl + Shift + 6 and then X" to suspend connections

1.33 MANAGEMENT TRAFFIC INSPECTION

  • Management traffic represents all the traffic originated/destined from/to the ASA device itself
  • Ex: routing protocol traffic, management protocols like Telnet, SSH, SNMP, etc.
  • Let's head into the configuration
  • Alright, done with this configuration. Learnt something new.. about the "policy-map type radius-accounting".
  • Ok, another thing to remember is, configure the RADIUS server and the key under the radius-accounting policy-map..

1.34 ICMP INSPECTION

  • I can't tell you how much I love the "inspect icmp error" command
  • It's awesome that I got a chance to use this here :)

1.35 THREAT DETECTION

  • NOTE: In threat detection, the default burst interval is 1/60 of <rate-interval>
  • So if you wanna specify a limit for the number of drops, always use "acl-drop".. (at least that's what's used in the solutions)
  • And to enable advanced scanning-threat detection, we use the command "threat-detection scanning-threat shun.."
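An added example of the threat-detection lines the notes refer to (my own, not the workbook solution): an acl-drop rate limit and scanning-threat detection with shunning. The rates and the exempted management host address are illustrative values, not the lab's.

```cisco
! Basic threat detection is on by default; stated explicitly for clarity.
threat-detection basic-threat
!
! Rate limit on ACL drops: measured over a 600-second window, raise the
! event at an average of 400 drops/sec, or at a burst of 800 drops/sec
! measured over the shorter burst interval. Values are illustrative.
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
!
! Scanning-threat detection; "shun" blocks hosts classified as scanners.
! Always exempt the management host so a tuning mistake cannot lock you
! out (10.0.0.5 is a constructed placeholder).
threat-detection scanning-threat shun except ip-address 10.0.0.5 255.255.255.255
!
! Statistics for the ACLs themselves are needed if you want per-ACE counts.
threat-detection statistics access-list
```

"show threat-detection rate" and "show threat-detection shun" show whether a rate was crossed and which hosts are currently shunned.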

1.38 Low LATENCY QUEUING

  • I'd read some stuff about the priority queue some time back.. This is the queue which is above the hold-queue on every interface, where special packets which should be sent out ASAP are kept (routing protocol traffic, etc.)
  • In routers, we would use the "hold-queue" command under the interface configuration sub-menu to configure the hold-queue size, whereas here we can do it under the "priority" command in the global configuration mode.
  • Also, setting of the priority queue size can be done in the IOS by using the "priority-list" and "priority-group" commands, whereas in the ASA, they can be done using the "priority" command (global configuration).
  • The mistake I made in the configuration was, I used an ACL "permit udp any any range 16384 32767" to specify the RTP traffic. Instead the way to do it is:
    • class-map VOIP
      • match rtp 16384 16383 (the second value is the number of ports in the range, so this covers UDP 16384 to 32767)
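An added example (not the post's configuration) showing the corrected class-map inside a complete LLQ policy, including the per-interface priority-queue command the notes mention; the interface name, policy name and queue sizes are assumptions.

```cisco
! The priority queue is created per interface from global configuration.
! queue-limit and tx-ring-limit ranges depend on the platform; these are
! illustrative values.
priority-queue outside
 queue-limit 1024
 tx-ring-limit 256
!
! Match RTP by port: "match rtp <start> <count>". The count is the number
! of ports (max 16383), so this covers UDP 16384 through 32767.
class-map VOIP
 match rtp 16384 16383
!
! Send the matched RTP flows through the strict priority queue.
policy-map OUTSIDE_QOS
 class VOIP
  priority
!
! Interface-level policy; the global policy keeps handling inspection.
service-policy OUTSIDE_QOS interface outside
```

"show service-policy interface outside priority" and "show priority-queue statistics outside" confirm that packets are actually hitting the priority queue.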

While I was taking notes here, Google Wave just ATE away about 5 or 6 of my configuration tasks! :( So I have notes for tasks 1.39 to 1.43 :( Sorry! I'll start from 1.49 now.

1.49 ACTIVE/STANDBY FAILOVER

  • I love failover configuration! :)
  • Beautiful! It works! :)

1.50 ACTIVE/ACTIVE FAILOVER

  • Awesome! :) It took me over 30 mins.. but it's working fine! :) A big thanks to the INE audio bootcamp and Keith!

1.51 REDUNDANT INTERFACES

  • One thing to remember is to trunk on the member interfaces of the redundant-pair

1.52 ENHANCED OBJECT GROUPS

  • This configuration is pretty straightforward and it's done.

As always, I live-blog on Google Wave when I'm doing the labs. Please feel free to join me there, where we can interact/discuss/solve each other's problems all in real time!

Tonight, I'm going to be doing the rest of the VPN Vol 1 lab! See you there!

Finally, thank you all for all the encouragement you give and your zeal to gain knowledge, which I truly find inspiring. I hope to keep learning! :)

Cheers,

TacACK
