Archive for May, 2010
A Quiet Saturday
Posted by TacAck in CCIE-Security on May 29th, 2010
Hello All,
Lesson learnt: convert a not-so-great labbing day into an awesome Doc-CD day.
That’s exactly what I did today. I started out this morning with the INE Vol 1 (VPN) section on a rack rental. As I moved on to the more complex tasks, I began to wonder how things actually work. I’ve a pretty bad memory and I’d forgotten how hostname mapping works, how the ASA lands connections on tunnel-groups, etc. So I decided to stop (because it’s all about having fun and understanding, not doing labs mechanically) and move to studying.
I had my lunch and a siesta, after which I was super fresh. I opened up the Doc-CD and Google (evil!) and started studying.
Here’s what I read this evening:
http://www.unixwiz.net/techtips/iguide-ipsec.html -> The best explanation of tunnel vs. transport mode, ESP vs. AH, etc. that I’ve found.
http://blog.ine.com/2009/05/18/understanding-external-easy-vpn-authorization/ -> How the ASA and IOS perform Easy VPN external group authorization.
http://blog.ine.com/2010/05/28/when-transport-mode-becomes-tunnel-mode-free-of-charge/#more-3943 -> I bet this is a “gotcha”. Keith Barker explains why sometimes, even after choosing “transport mode” in the transform-set, it reverts to tunnel mode.
http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/#comments -> How the ASA lands VPN connections using tunnel-groups.
Doc-CD -> A whole bunch of documentation on PKI, IOS L2L VPN, DMVPN, GETVPN, etc.
http://blog.ine.com/2010/05/17/ccie-security-tunnels-within-tunnels-challenge/ -> A great exercise to test your knowledge of GRE over IPsec.
After this, I had my dinner and did some configuration. I tried configuring:
- The challenge scenario that Keith Barker had posted. It worked just fine and I verified the results using Wireshark.
- The other blog post by Keith, where he stated that tunnel mode sometimes gets picked automatically even if transport mode is configured. It worked precisely as he said.
- Changing the mode to “aggressive” and using hostnames for authentication.
- Changing the IKE phase 1 authentication to digital signatures and checking whether the VPN would come up. It worked. Since I had not configured any certificate maps, it used the OU (present in the subject-name field of the peer’s certificate) to land the VPN connection on an ISAKMP profile.
I’m yet to test out certificate mapping. I figured I’m going to do this tomorrow morning, so why worry.
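The two ways of landing a certificate-authenticated peer on an IOS ISAKMP profile mentioned above, as an added configuration example (not the author’s or INE’s config); the trustpoint, profile and map names, the OU value and the transform-set name are assumed placeholders:

```ios
! Peers authenticate with RSA signatures; the CA is enrolled under trustpoint MY-CA.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
!
! Option 1: no certificate map. "match identity group" compares the group
! name against the OU field of the peer certificate's subject name, so a
! peer whose certificate carries OU=VPN-SITES lands on this profile.
crypto isakmp profile BY-OU
 ca trust-point MY-CA
 match identity group VPN-SITES
!
! Option 2: certificate map. The map selects peers by arbitrary fields of
! the certificate ("co" = contains), so the OU no longer has to carry the
! profile name; here any peer whose subject name contains ou=VPN-SITES and
! which was issued by the expected CA matches.
crypto pki certificate map VPN-SITES-MAP 10
 subject-name co ou = VPN-SITES
 issuer-name co cn = MY-CA
!
crypto isakmp profile BY-MAP
 ca trust-point MY-CA
 match certificate VPN-SITES-MAP
!
! Only one of the two profiles would be referenced from the IPsec profile
! or crypto map in practice; the transform-set name is a placeholder.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set isakmp-profile BY-MAP
```

`show crypto isakmp sa detail` and `show crypto isakmp profile` show which profile an incoming peer was matched to, which is the quickest way to confirm the match criterion actually fired.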
Till tomorrow!
Cheers!
TacACK
IPX Lab 1A
Posted by TacAck in CCIE-Security on May 28th, 2010
Hello All,
For the first time, I did an IPX lab yesterday.
I did the VPN Vol 1A section from workbook 1 and I was impressed and disappointed at the same time.
IMPRESSED
- The tasks are worded well. They are kinda cryptic and that makes you think about the possible techniques to be used to solve them. In INE, the topic headings are a big give-away as to what the task is expecting you to do.
- The rack is super fast, all ISRs. This made me super happy.
- Their support staff is very good. I just stated that the diagrams were not clear and Mike Down and several other guys responded with solutions. That’s awesome and very much appreciated.
DISAPPOINTED
- Connecting to the rack is a little time-consuming, as we have to connect to the terminal server and manually connect to the individual devices. INE has a feature where we can directly connect to each device. To be honest, I don’t know if there’s such a feature in IPX; I guess I’ll figure it out soon.
UPDATE: Jimmy just mentioned that we can connect to the devices directly and not have to go through the terminal server. Check the comments for this. Thanks a lot Jimmy, for the update!
- The lab diagrams are below par. As @amplebrain pointed out, maybe I’m too used to INE’s crisp and clear diagrams. I had to spend close to 2 hours trying to figure out the diagram.
As far as the configuration items go, I’m not going to give away much, but I’ll just say that there was nothing NEW in there.
Cheers,
TacACK
INE Vol 1 – ASA done
Posted by TacAck in CCIE-Security on May 27th, 2010
Hello All,
The pending tasks in the INE Vol 1 (ASA) workbook are done! It’s time to move on to IPX for the first time.
I hope their rack-rental process isn’t too complex. As I’ve got used to the INE rack rentals and topologies, it’s going to be a change. But I guess this is good, as it keeps your mind open and flexible, which I feel is essential if we have to tackle the lab. Who knows what Yusuf has in mind!
I’ve an IPX rack rental scheduled for later today and I’m going to try doing the IPX Vol 1 ASA lab (both 1A and 1B). Let’s see how that goes.
BTW, on a side note, I’ve been watching OSL keenly for the last couple of weeks and it’s been one helluva place to ask questions and get them answered. I found one thread that Kingsley started which was particularly intriguing. It had to do with VPN Clients registered with an IOS CA. Almost every time I’ve worked on that, I couldn’t get the VPN Client to register. Apparently, Kingsley faced the same issue and Tyson Scott (IPX fame) stepped in to help on OSL.
You can find that conversation HERE. I’m yet to try this out, but I definitely will.
As Keith Parsons (awesome, super friendly guy) would say, empirical evidence rules!
Cheers,
TacACK
It’s good to be busy
Posted by TacAck in CCIE-Security on May 25th, 2010
Hello all!
I’ve been super busy the last 2 days. It’s been a mixture of official work and labbing. Speaking of labbing, I’ve officially restarted the Vol 1 labs. Here’s my plan:
I’m going to work a section from the INE Vol 1 workbook (’coz it’s more exhaustive) and follow it up with the same section from the IPX Vol 1 workbook, after which I spend 1 day reviewing notes, studying and filling in the gaps, etc. I’m planning on each section taking approximately 5 days to complete.
After the first month, I should be done with the Vol 1 labs and I plan to start the Vol 2 labs. That’ll be super fun!
As of today, I’m done with 44/53 tasks in the INE Vol 1 workbook (ASA section). Hopefully I’ll complete this tomorrow and move on to IPX.
Before I sign off, I wanna give a big shout-out to my fellow CCIE-Sec candidates on Twitter (fellow inmates). In case you don’t know who I’m talking about, here they are:
- Ryan Schuett (@routsec) -> He runs www.routsec.com and he’s a super dedicated guy. Over the last couple of months, we’ve been debugging configs and discussing topics, and it’s been an absolute privilege and a pleasure interacting with him. I was just chatting with him some time back and he’s trying to kill NAC early in the morning. He even has CCIE-related dreams. Despite a hectic schedule and a family, Ryan plugs in many hours a day labbing, and that reflects in his knowledge and his exceptional debugging skills. I look up to him and I wish him well for his CCIE lab. BTW, we’re attempting our labs on the same date. I’ve absolutely no doubt Ryan is going places. Watch out for this guy.
- Tolulope Ogunsina (@amplebrain) -> Another dude who’s just been nailing INE Vol 2 labs, one after the other. You can see him active on OSL. He’s very knowledgeable and patient, and that reflects in his answers on OSL and Twitter. He’s debugged many a configuration for me and I’d like to thank him for his help. I look up to this guy too, and someday I wish to be half as good as him. Oh, BTW, I almost forgot, he’s a CCIE R&S.
- Toyos Yooyen (@tawtoyos, @tyooyen) -> Great guy, CCIE R&S and another friend on Twitter who helps debug issues. Very knowledgeable and hard-working. And he’s pretty young too! Good going Toyos, I learn from you bro.
I’m privileged to meet such hardworking, motivated and focused individuals and I hope to keep learning from them every day. Thanks a lot guys.
Cheers,
TacACK
Break time
Posted by TacAck in CCIE-Security on May 23rd, 2010
Hey guys,
In case you’re wondering why I haven’t posted anything for the last couple of days, that’s ’coz I’m taking a break. This week has been super stressful for me and I’m going to put my feet up and relax.
After all, it’s about enjoying and being happy, right?
I will be back on Monday, ready to kick some CCIE butt!
Cheers,
TacACK.
