After this , i got back on the CCIE bus and i finished Day -4 of the bootcamp. Again a very productive day. Here are the notes :

MANAGEMENT – PART 1

• Port filter service policy takes care of “early” drop of traffic to closed/ non listed ports. This ensures that the packets don’t have to go till the CPU to get dropped ( saves resources )
• Logging type class-maps match packets that are permitted / dropped.
• IP-options traffic is always sent to the control-plane( processor )
• Control Plane Protection
  • host subinterface : Routing traffic destined to the router,etc
  • Transit subinterrface : Non – terminating tunnels,etc
  • CEF exception subinterface : ARP, L2 keepalives ,etc
• Ensure that during policing , we don’t misconfigure the “burst” value (I’ve done this before )
• Ensure that when configuring droppping traffic going to closed-ports, ensure that all the necessary ports that we need are open.
• FPM
  • PHDF -> Protocol header definition file
  • If we don’t load the PHDF files, we won’t have access to the protocol structures, we have to match using offsets from L2 , L3 start, etc
  • Use nested policy maps judiciously
  • Do not change the current directory that you are working on using the “CD” command ( ‘coz after reloading you always go back to the original directory. So for “load protocol” command, use the full path of thePHDF files.

MANAGEMENT – PART 2

• SNMP v3
  • Additional security features compared to v1 and v2
  • Version 1 , communities, ACL’s
  • Version 2 has views as a security feature
  • v3 adds the different security levels.
    • noAuthnoPriv
    • AuthNoPriv
    • AuthPriv
  • SNMP v3 has groups defined. Individual users within a group have different credentials
  • Sample config
    • access-list 99 permit 10.0.0.100
    • snmp-server view NORMVW iso included
    • snmp-server view RESTVW ifENTR.*.3 included
    • snmp-server group NORMGRP v3 priv read NORMVW write NORMVW
    • snmp-server user NORMUSER NORMGRP v3 auth sha CISCO priv des56 CISCO
  • For the write and notify views, without a view configured, we can’t access the views (unlike the “read” view which is read everything by default )
  • Notify view gets autogen after the “snmp-server host” command
  • Note : the user information doesn’t come up in the “sh run “
  • RMON
    • custom Log, trap intries based on SNMP values
    • Under the “Technologies” section of the DocCD
• FLEXIBLE NETFLOW
  • flow monitor TEST
  • statistics packet protocol
  • statistics packet size
  • record netflow ipv4 protocol-port-tos
  • int fa 0/1
  • ip flow monitor TEST output
  • This is more granular than the old netflow ( Read more )
• IP ACCOUNTING
  • int fa 0/1
  • ip accounting output-packets
• ASA CAPTURE
  • Can look at traffic real-time
  • check what the order of the flow-capture events are

IPS

• Ensure that SPAN /RSPAN is configured on the switches correctly.
• Ensure that the RSPAN VLAN is allowed in the trunk between the swxs
• In Inline VLAN pairs, you don’t have to configure SPAN.
• Ensure that the traffic flow the IPS to the AAA server is allowed. ( HTTPS ACCESS )
• Ensure that if the management network is translated, then permit that translated address in the IPS

IOS IPS

• We use the 5.x signature formats
• Even if the -package is present locally, don’t forget to copy it onto IDCONF
• And remember to setup the key information prior to copying the pacage to the IDCONF
• The ASA IPS configuration is not on the blueprint

One more day to go!

Cheers,

TacACK

Day 3 of the bootcamp is DONE. I’m glad i started this bootcamp , ‘coz there are many things i’m learning as i go along. Here are Day 3 notes!

GETVPN

• IP Header preservation
• Protocols used
  • UDP 848 -> GDOI
  • Protocol 50 -> ESP
• It keeps the original header and ecrypts only the payload
• So the intermediate routers will see the packet with a source of the original host who sent it and the destination as the destination router ( not the IPSEC peers )
• Make sure that we permit this traffic ( ‘coz this is a little different from theconventional VPN methodologies )
• The concept of KS and GM’s help reduces misconfiguration.
• In a L2L VPN, we see two separate unidirectional SPI’s in each IPsec peer, here we use 1 SPI
• If there is a change in the SA information on the KS, then the KS can push out these configurations to the GMs immediately. It won’t till the rekey timer expires.
• Ensure that the rekey messages are also allowed by the firewalls/routers in between the KS-GM
• Double check rekeying
• We need to have 2 ACL’s for each pair, for both directions.
• The “server address” order under the GM configuration defines who is primary and who is the failover
• GETVPN also supports multicast traffic encryption

WEBVPN & SSL VPN

• ASA Webvn structure
  • • WEBVPN
      • enable outside
      • tunnel-group-list enable
    • GROUP POLICY
    • TUNNEL GROUP
    • If using local authentication add this to the username attributes
    • username <test> attributes
      • service-type remote-access
  • TIP : Use a “sh run all”
    • SSLVPN extendeds WEVPN by allowing an SVC to be downloaded automagically.
    • Uses normal RRI / Address allocation like EZVPN
    • #webvpn
      • #enable outside
      • #tunnel-group-list enable
      • #svc image <path>
      • #svc enable
    • #group-policy
      • #vpn-tunnel-protocol webvpn
      • #split-tunel-policy..
      • #split-tunnel-network-list value [acl]
      • #webvpn
      • #svc required < Forces users to download the SVC >
    • #tunnel-group
      • #default-group-policy
• IOS SSL VPN structure
  • GATEWAY
    • termination info, etc
    • Trustpoint
  • CONTEXT
    • Terminates VPN / establishes user session
    • contains user policies
  • POLICY GROUP
    • Set policy information
  • DEFAULT GROUP POLICY
  • Don’t forget the “inservice” commands to turn on the various configuration elements
  • Even if we don’t generate the trust point for the gateways, it would be self-generated.
  • We use the “domain” keyword after the “gateway < gateway > in the context configuration ”
    • This is used to differentiate users logging into the same gateway.
    • Suppose we use the command “gateway gateway1 domain INE”
    • Then the users connecting to the gateway will have to use ” https://<GATEWAY IP>/INE”
    • This way we can use the same gateway for more than 1 contexts
  • To turn on SVC , we use “functions svc-enabled” under the policy-group configuration
• Ensure that in the real-lab, always use a Split tunnelling ACL when trying to connect from the Test-PC ( ‘coz if you don’t have any, you might lock yourself out )
• Enter the “set isakmp-profile” command under the “crypto ipsec profile” configuration

AAA PASSWORDS/PRIVILEGES

• The user needs to be at a level “higher or equal” to the command level, to be able to run it
• “sh run” will only sh commands that you have permission to configure. This is assuming we have permission to run “sh run” to in the first place
• If we have just a “username xxx privi 7 password cisco” ( without any aaa new-model ), the user would be authenticatied and authorized locally , and he would be set at privi 7.
• If we ‘ve configured the aaa-newmodel, then authentication and authorization is done separately.’coz separate commands are now needed.

ADVANCED AAA

• On the actual lab, the access to the AAA server , would be via browser only ( we woulnd’t be able to RDP into it )
• Dynamic ACLs are not scalable , “access enable” opens up all dynamic ACL
• Using auth-proxy, per-user-ACL’s can be put into place.
• AUTH-PROXY
  • User should be denied access via a Static ACL
  • Make sure you don’t lock yourself out after configuring “AAA authentication” . Try and insert a local fallback in the authentication command
  • Use the command “aaa authorization auth-proxy”
  • Enable the HTTP server
  • Deny all traffic inbound , except the traffic which you need to trigger the Auth-proxy
  • Specify the triggerring ACL and add it to the “auth-proxy” command, and don’t forget to turn pn auth-proxy on the interface
  • Remember the issue regarding local auth-proxy ( read blog )
  • For radius, we use the Cisco AV Pairs : “auth-proxy : priv-lvl = 15 “, etc. The only difference between RADIUS and TACACS+ is the “auth-proxy” keyword
• CUT-THRU-PROXY
  • IN ASA , using HTTP/HTTPS , FTP , TELNET , the asa can do in-line cut-though for these protocols
  • For others, we cannot do the authentication in-stream.
  • If you wanna add ACL entries in the “outside” acl, then we need the “per-user-override” acl
  • For inside to outside, you just need the authentication, no need for acls
  • Must configure this
• ASA-LDAP
  • Configure the LDAP server
  • aaa-server test protocol ldap
  • aaa-server test host 10.0.0.100
  • <parameters>
  • Attribute map
    • ldap attribute-map MYMAP
    • Is used to determine what group a user gets put into, based on the group-membership returned from the LDAP server
    • We then apply the LDAP attribute map to the LDAP server configuration
    • Based on the different group-policies specified in the Attribute map, we should configure different group-policies on the ASA

Next, Day 4!

Cheers,

TacACK

Here are the notes for Bootcamp- Day 2 . Hope you find it useful

ZONE BASED FIREWALL

• An interface can only be in a single zone
• Unless we have a policy on the self-zone, the default behavior is that the traffic destined to the router, is permitted
• Traffic cannot flow between a zone-member and a non zone-member
• The ZPF service policies have the following actiobns
  • pass -> permit unidirectional traffic
  • inspect -> stateful inspection
  • drop -> block
• You can’t configure SPI(CBAC) and ZPF for the same set of interfaces. But you can do it for different sets
• Auth-proxy and stuff arent supported by the ZPF, they’re still done using SPI
• IN ZPF, if we have interface ACL’s, then the ZPF doesn’t open “pinholes’in them. If the ACL’s are configured for block, then the traffic is blocked.
• We use a class-map of the type “inspect” to tell the IOS that this is a class-map to be used with ZPF
• You can test by putting both the interfaces in the same-zone ( all traffic will be permitted )
• Understand the difference between ” sh ip port-map ” and “sh ip nbar port-map”
• By specifying an ACL at the end of the “ip port-map ” command, we can specify the destination IP which has to be accessed using the special ports
  • ex : ip port-map http port tcp 8080 list 10
• For overriding the default port, we require a host-specific PAM mapping
  • ex : access-list 10 permit host 192.168.1.1
  • ip port-map http port 25 list 10
• Here, only for host 192.168.1.1 , HTTP runs on tcp port 25
• After I finished this section, I read this document. It was very helpfulJ http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055217

IPSEC VPNs

• Why IPSec VPNs over other type of VPNs?
  • Does not need static SP provisioning like FR/ATM/MPLS
  • Independant of SP access method
  • Allows both site-to-site and remote-accesss ( IPsec is always on, v/s dial-on-demand )
  • Data is protected. ( main motivation )
• IPSec as a suite offers
  • Data origin authentication
  • Data integrity
  • Data confidentiality
  • Anti-replay
• The advantage of using UDP 500 for both the source and destination ports, is useful during NAT-D
• ISAKMP peers must agree on
  • Authentication method
  • Encryption type
  • hash algo
  • DH group
• Lifetimes need not match ( the lower one is dynamically chosen )
• Remember, the phase 1 config is only used to setup a secure channel through the network for the exchange of IPSec configuration data.
• Default policy : 65535
• IPSec peers ( IPSec sa a.k.a IKE Phase 2 ) must agree on
  • Transform set to match
  • In an L2L Vpn, the VPN_ACLs are exchanged and they need to match.( they need to be mirror images of each other )
• Do not use “any any” for the ACL. Always try and specify the exact networks
• IPSec SA rekeying can also include PFS
  • Runs another DH exchange ( more secure )
• During configuration on the lab, make sure that the traffic ( both UDP 500 and ESP ) between the 2 VPN routers passes freely .( take care of any Firewalls , IOS FW , SPI configured in previous tasks )
• Ensure that we can have the VPN initiate from both sides ( testing before moving on to the next task. If you have a doubt, as the proctor )
• Certificate based authentication
  • If Certificate based Authentictation is’nt working, try doing PSK auth and see if it works
  • When using certificates for ISAKMP authentication, ensure that CA server (port 80) is reachable by the clients and ensure that the time is synced.
  • If you don’t have NTP, ensure that the client is set to a time, slightly ahead of the server. ( if you can’t exactly sync them )
  • Also check the time-zones

MISCELLANEOUS FEATURES

• Advantage of using GRE for VPN’s -> passing multicast(routing) traffic
• Disadvantage -> Overhead
• Solution -> VTI
  • also better interop with other vendors not supporting GRE
  • less overhead
• Dynamic VTI
  • virtual template configured with interface type “tunnel”
  • The virtual template acts as a logical interface
• In case of ZBF, the virtual template can be assigned to zones ( this just acts like a normal interface )
• IPSEC HA
  • Link resiliency
    • If i have 2 devices, and 2 links between them, if one fails, traffic can flow through the other links
  • Backup peers
    • if one peer fails, the secondary peer is used
  • HSRP / RRI
    • if this is configured, then the HSRP address is used instead of the peer IP.
  • GRE w/IPSEC, dynamic routing
• QOS for VPN
  • QOS for encrypted traffic
    • This is the default type of QOS
  • QOS for unencrypted traffic
    • we use the QOS pre-classify configured on the virtual template, crypto map or GRE tunnel to classify the traffic prior to encryption
• We can encrypt the ISAKMP keys ( to prevent them from being seen in the running-config in plaintext)
  • “password encryption aes”
  • “key config-key password-encrypt”
• Encrypts the ISAKMP keys using Type-6 AES
• We can also configure Certificate MAPS to ignore revocation checks as well as expired certificates. This can be configured when we “match” the certificate MAP under the trustpoint
  • match certificate TEST allow expired-certificate
  • match certificate TEST skip revocation-check
• This scenario is useful when the CA to be used by one peer is behind the remote-peer and it can be reached only after establishing the VPN
• In this situation, we can configure the certificate MAP to allow expired-certificates,ignore revocation checks
• Clearing the DF bit
  • We can set/clear the DF bit on the IPSec traffic ( to allow/deny fragmentation of the traffic )
  • This is for the traffic passing through the Router
  • can be done globally or on an interface
• Fragmentation
  • We can fragment before/after we encrypt
    • Depends on who has to do the reassembly / decryption
      • if we fragment before encryption, at the other end the little fragmented packets get decypted and sent on to the remote-networks
        • crypto ipsec fragmentation before-encryption
      • if we fragment after encryption, then the other end ( remote peer ) has to do both reassembly and decryption
        • crypto ipsec fragmentation after-encryption
• Anti-replay
  • Keeps track of sequence numbers. Default window size is 64
  • crypto ipsec security-association replay [disable | window size XX ]
  • (or )
  • crypto map MYMAP
    • set security-association replay [disable | window size XX ]

DMVPN

• It allows an on-demand full mesh IPSec tunnels
• Instead of n*(n-1)/2 static tunnel configurations, we have 1 mGRE interface for all connections
• Always remember, ISAKMP Phase 1 is still required.
• In case of the HUB mgre interface, we have Tunnel source.
• If we wanna force all the spokes to send traffic through the HUB ( DMVPN type 1 ) , then we can also specify the tunnel destination
• The IGP which we will be using here is an OVERLAY network ( independant of the real routing protocols running in the network )
• If you’re using OSPF , use the same network types for the hubs and the spokes
  • if there is a DR election, ensure that the Hub becomes the DR.
  • This is achieved by setting the “priority” to 0 on the spokes.
• With EIGRP
  • One of the issues is split-horizon , on the mgre interface . Issue the “no ip split-horizon eigrp # “
  • Hub by default re-writes the next-hop for all the advertised routes to itself.
  • So if we want spoke-to-spoke tunnels, disable this feature by using ” no ip next-hop-self eigrp # “
• Phase 3 DMVPN
  • Configuration
    • ip nhrp redirect
    • ip nhrp shortcut
  • creates NHRP entries for remote networks
• Interesting traffic
  • we can define an ACL on the tunnel interface, this sets up interesting traffic for the NHRP requests ( restricting what traffic can bring up a spoke-spoke tunnel )
    • ip nhrp interest 101
• Groups
  • ip nhrp group A ( spoke )
  • ip nhrp map group A service-policy output TEST ( hub )
  • can have separate service policies configured outbound for different hosts.
• Watch out for recursive routing issues.

Day 3 , here i come!

Cheers,

TacACK

Here are the notes and i hope you find them useful :

ASA

• Make sure you don’t block traffic flows as we configure tasks ( don’t screw up earlier tasks )
• Marvin’s of the opinion that it’ll mostly be 8.0 running on the ASA on the lab
• It’s a good idea to read through the lab once before we start configuring ( helpful in changing firewall modes, contexts ,etc )
• Add a “description” on the catalysts if necessary ( to identify the interfaces connected to the switch ). Make this a habit. ( helps )
• Redundant interfaces
  • Multiple interfaces grouped together
  • order of configuration determines preference
• We can use both Subinterfaces and the real interface on the ASA. In case of the sub-interfaces ( e 0/1.100 VLAN 100 ), the ASA would send the packets with a dot1q tag on, in case of the interface with the actual interface ( ex : e 0/1 ), it would send it untagged.
  • So we have to program the switch to accept untagged packets in the trunk link. This can be done using native-vlans.
• Addresses, protocols and ports can be found under the “references section” of any Configuration guide for 8.X . This is cool!
• Draw out network flows for protocols running in the network to visualize what needs to be allowed.
• Routing protocols
  • ASA supports the following routing protocols :
    • static
    • Rip v1/v2
    • OSPF
    • EIGRP
  • Different OSPF areas in a firewall, can be configured under a signle process or multiple processes
  • Configuring them under one process will alow routing information to pass from one OSPF area to the other freely
  • configuring them as 2 separate processes, will logically isolate the areas. To exchange routes, we need to explicitly redistribute.
  • So be careful when you configure them under 1/separate OSPF processes.
  • Having an exact OSPF match, can be a good thing to check if we have configured the addresses correctly.
• NAT
  • Nat 0 -> Nat exemption
  • Options in NAT configuration
    • TCP/UDP maximum connection limits
    • TCP Half-open connections
    • DNS rewrite
    • Disable randomizing sequence numbers
  • By default, NAT-control is disabled.
  • NAT-control only applies for traffic between 2 interfaces of “different” security levels.
• In transparent firewall, TCP , UDP traffic is inspected by default
• “allocate-interface redundant1.3 int1 ”
• There are sample ASA configurations under the “references”section in the ASA configuration guides! -> AWESOME!
• Good practice is to save the config in a notepad file before we start Failover configuration.

IOS F/w

• The log-input command in ACL logging , logs the following info
  • list name/number
  • permit/deny
  • protocol name/number
  • source/destination IP
  • port numbers
  • MAC addresses
  • Input VC
• The first 5 are also logged when you do the “log” option instead of log-input
• The routing protocols use a “distribute-list” to filter routes
• The autocommand for Dynamic ACL’s configured on the LINE VTY 0 4 lines, blocks also legitimate management traffic
• By using the “host” keyword, the “any” in the source address portion of the ACL is replaced by the host that underwent the authentication.
  
• Thing to remember is “reflexive” ACL’s don’t wory for locally generated trarffic
• So we need to statically permit required traffic back in
• or configure local policy-routing
• we can use the “router-traffic” keyword in the CBAC inspect commands, to inspect locally generated traffic

I’m going to be starting Day 2 of the bootcamp in about 30 mins . Surf with me on the WAVE

Cheers,

TacACK

Once in a while, i feel like i just can’t lab Today’s an example for that. That was the same state the day-before-yesterday! So what i do when i don’t feel like labbing is that , i start studying and going through the DocCD.

Reading through the Doc-CD is an idea i stole from Paul Stewart ( @packetu ) , who’s one of the people i really look up to. I took his idea and added my own twist to it by adding in elements which would make the study more effective for me.

The way i go about it is very simple . Since i have a below-average memory , i take down sections of the Doc-CD that i need to read/cover on my iPod-touch whenever i think of it( i’ve actually stopped riding my bike once to write down a topic – long story short, the GF did not like it! ) . Then whenever i have days allocated to Doc-CD , i study through the topics and i take notes on WAVE.

I’ve found this method to be very useful to me because i usually think about the topic a day or two afterwards and i never remember anything! So here the notes are very beneficial.
Right, yesterday i studied 3 topics and i made notes on Google WAVE. You can find them HERE.

I hope you find it useful!

Cheers,

TacACK

I finished the ASA Vol 1 lab( finally! ) ,  and here are the notes i made when i was configuring them. Here they are Again, these are just a copy+paste of my notes I haven’t formatted / spell-checked them , so i’m sorry if there are any grammatical mistakes,etc.

1.11 Dynamic NAT and PAT

• Always remember the order of Nat processing is :
  • Identity NAT ( Nat with ACL )
  • Static policy NAT ( Static with ACL)
  • Static NAT ( with a pool )
  • Static PAT ( using a single address )
  • Dynamic policy NAT ( NAT with ACL )
  • Dynamic NAT ( with a pool )
  • Dynamic PAT.

1.14 Static Policy NAT and PAT

• This is a little tricky … hmmm
• I got the first configuration correct, but the second task is troubling me, let me think for somemore time..
• Hmm here’s the problem that i’m facing
• There’s a task where i have to configure Static Policy nat such that , any HTTP access to the outside port of the firewall, from the lo0 address of R2 ( 150.1.2.2/24 ) should be redirected to AAA ( on the DMZ )
• Now this is what i configured. First i configure the access-list list, to match the reverse traffic from the DMZ to 150.1.2.2
  • #access-list HTTP permit tcp interface eq http host 150.1.2.2
• Then i configure the static nat statement ..
  • #static (dmz,outside) tcp interface http access-list HTTP
• This should work.
• However, it works too damn well for my own good..what’s happening is that, when i do a : “#telnet 136.1.122.12 80 /source-interface lo 0″ from R2, the connection gets redirected to the AAA server in the DMZ, but even if i do a “#telnet 136.1.122.12 80″ , this is also getting redirected. How is this possible?
• Any help would be awesome!

1.15 Identity NAT and NAT Exemption

• It works fine ! There’s however a little thing which i wanted clarification about.
• I saw the fact that, when using Identity Nat ( Nat 0 ) , you can originate traffic to the inside address from the outside, that’s possible either by using policy nat exemption or by using static .. but here i tested it and i’m able to originate traffic both ways.
• http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065218 -> This is the document that i’m referring I’d really like it if someone clarified this to me.
• Ah, got this! It’s given clearly in the INE workbook solution.
• The Identity translation works ONLY AFTER THE inside host generates some traffic! After that, traffic can flow both ways.
• So to test this i did a “clear xlate” on the ASA and tried to ping the inside “identity” address from the AAA server. ( didn’t go through! )

1.16 OUTSIDE Dynamic NAT

• It’s not working…:( The translation is occuring on the ASA , but the ping packets don’t reach R1 at all!
• Outside Dynamic NAT translation is not working..:(
• I did enter the “outside” keyword in the translation.But it’s not working . However when i enter ” no nat-control” it starts working
• I discussed this with David and this is what he had to say :
  • “ my guess is that since you need a static NAT to go from low->high sec intf that the nat (outside) wont work w/o no nat-control “
• So , this is an important point to keep in mind while labbing

1.17 DNS DOCTORING USING ALIAS

• Beautiful! works really well, just ensure that you enable DNS inspection for this to work!

1.18 DNS DOCTORING using Static

• I tried this too. Again, the same rules apply as the previous ones! Configure DNS inspection to run globally just like for the ALIAS command

1.19 Fragmented Traffic

• This is AWESOME! it works just fine! the only command you need is
  • #fragment chain 1 ( which tells the ASA to only have a 1 fragment buffer for each packet )
• So when i ping and i specify a size of 1501 bytes ( 1 byte over the MTU ), the pings don’t go through as the second fragment doesnt get processed.
• This is such a cool feature!

1.21 BGP Across the firewall

• Ok i finished configuring this, there should be a TCP map added which permits checking of option 19 then this should be added to a policy-map which also disables randomization of the TCP sequence number ( this screwes with the EIGRP authentication process )
• It works well I can see the updates going through the firewall and i can see the updates on R1 and R2 .

1.22 Stub Multicast Routing

• I always cringe when i hear the word multicast , dunno why?
• I’m not very familiar with this, i will have to read some info about this..hang on
• Read the topic and trying to get this to work.
• Crap..it’s just not working…:(..i’ve gotta rethink what i’m doing here..
• I found out what the problem was : Apparently PEMU doesn’t support Multicast routing

1.23 PIM multicast Routing

• I removed the forward commands, and now i’ve PIM enabled on the ASA with a helper address pointing to R2’s lo 0 ( 150.1.2.2 )
• Since ASA supports only PIM sparse-mode, configure ASA and R2 with the “rp-address of 150.1.2.2 “
• This is’nt working too.
• The worst thing is i’m unable to see the IGMP groups on the ASA.
• I see the debug on the inside routers and i can see the IGMP join messages going out on the interface connected to the ASA…but i don’t see anything when i do a debug igmp on the firewall
• I found out what the problem was : Apparently PEMU doesn’t support Multicast routing

1.24 Network Time protocol

• Awesome..but i didn’t understand why ” ntp trusted-key ” command is used? Isn’t that already specified when specifying the key next to the “ntp server <IP> key” ?
• seems a little redundant to me .

1.25 System Logging

• Just finished configuring this.
• Don’t forget to turn on logging by using the command “logging enable” VERY important!

1.27 SNMP Monitoring

• This is getting SNMP. I love SNMP! It’s hard to configure, but totally worth it i guess!
• I forgot to configure the SNMP_MAP inside the global_policy..MUST REMEMBER THIS!
• The configuration misses one point in the solution
• They do not configure VPN messages to be sent as traps to the SNMP server
• for that i’m guessing we need to add the message “logging class vpn trap critical” & the already existing ” logging history critical”

1.29 HTTP TRAFFIC INSPECTION

• I have one doubt :
  • Does the inspection take place before or after xlate?
    • ‘coz the access-list on the Outside HTTP inspection works when i configure the IP address of the destination( http server ) as 136.1.122.100 . ( i.e the outside mapped address ). But i always thought xlate happens before inspection…?

1.31 SMTP TRAFFIC INSPECTION

• Done configuring this, except for one feature
• I didn’t know how to allow mails to only “cisco.com“
• Apparently that can be done using the mail-relay command.
• MUST REMEMBER THIS COMMAND!

1.32 TCP INSPECTION

• Here we use TCP maps to configure the TCP options and then we apply it to the policy-map
• Let’s see if it works.
• The way i’m going to test this, is to try and initiate 4 telnet connections from R1 to R2…according to our configuration, it should block this
• Beautiful! It works! ” Remember use “Cntrl + Shift+6 and then X” to suspend connections

1.33 MANAGEMENT TRAFFIC INSPECTION

• Management traffic represents all the traffic originated/destined from/to the ASA device itself
• Ex : Routing protocol traffic, Management protocols like Telnet, SSH, SNMP ,etc
• Let’s head into the configuration
• Alright done with this configuration . Learnt something new..about the “policy-maps type radius-accounting.
• Ok, another thing to remember is, configure the Radius and the key under the radius-accounting policy-map..

1.34 ICMP INSPECTION

• I can’t tell you how much i love the “inspect icmp error” command
• It’s awesome that i got a chance to use this here

1.35 THREAT DETECTION

• NOTE : IN threat detectiuon, the default burst interval (1/60 of <rate-interval> )
• So if you wanna specify a limit for the number of drops, always use “acl-drop”..( atleast thats whats used in the solutions )
• And to enable advanced scanning-threat detection, we use the command ” threat-detection scanning-threat shun.. “

1.38 Low LATENCY QUEUING

• I’d read some stuff about the Priority queue sometime back..This is the queue which is above the hold-queue on every interface, where special packets which should be sent out ASAP are kept.( routing protocol traffic , etc )
• In Routers, we would use the “hold-queue” command under the interface configuration sub-menu to configure the hold-queue size, wheras here we can do it under the “priority” command in the global configuration mode.
• Also setting of the priority queue size can be done in the IOS by using the “priority-list” and “priority-group” commands, whereas in the ASA, they can be done using the “priority” command. (global configuration )
• The mistake i did in the configuration was, i used an ACL – ” permit udp any any range 16384 32767″ to specify the RTP traffic. Instead the way to do it is :
  • class-map VOIP
    • match rtp 16384 32767

While i was taking notes here,  GOOGLE wave just ATE away about 5 or 6 of my configuration tasks! So i have notes for tasks 1.39 to 1.43 Sorry! I’ll start from 1.49 now .

1.49 ACTIVE/STANDBY FAILOVER

• I love failover configuration!
• Beautiful! it works!

1.50 ACTIVE/ACTIVE FAILOVER

• Awesome! It took me over 30 mins..but it’s working fine! A big thanks to the INE Audio bootcamp and Keith!

1.51 REDUNDANT INTERFACES

• One thing to remember is to trunk on the member interfaces of the redundant-pair

1.52 ENHANCED OBJECT GROUPS

• This configuration is pretty- straightforward and it’s done.

As always, i live-blog on Google wave, when i’m doing the labs . Please feel free to join me there where we can interact/discuss/solve each others problems all in real-time!

Tonight, i’m going to be doing the rest of VPN Vol 1 lab! See you there!

Finally, thank you all for all the encouragement you give and your zeal to gain knowledge, which i truly find inspiring. I hope to keep learning!

Cheers,

TacACK

In this post, i’m going to be posting a small video on how i prep for big tasks like ZBF/ACL configuration. By BIG , i mean tasks which have lotsa small configuration items which we are bound to miss during configuration.

This way by making a small diagram, i am able to more clearly and effectively convert the configuration tasks into ideas in my head. Please do let me know if they were of any help to you..or if you have a better way , i’d more more than happy to listen to it!

Cheers,

TacACK

It worked like a charm yesterday. I did ASA VPN Vol 1 labs, TASK 1 to 10 yesterday. It went well and i made some notes . Here are the notes!

1.2 RIP v2

• This task asked for configuring RIP and authentication between peers running RIP. I thought i’d configured it correctly, but i kept getting  ” invalid authentication” on the “debug ip rip” command output on both the peers.
• Everything looked fine.
  • I’d configured the key chain
  • The keys and the key-id on both the peers were matching
• I happened to notice that the key-id i had configured was “0″ ( well theoretically, the range is 0-255 ). So just for kicks, i changed the key-id to “1″ on both the RIP peers. It started working!
• So this is where i make a note to myself : NEVER USE a key-id value of “0″. Again, i do not know if this is a problem on other IOS’s, Platforms, but on the 3725 running 12.4-18(AdvancedIPServices) IOS, it doesn’t work!

1.3 OSPF

• I always get a warm feeling ( like the feeling you get when you bite into a honey glzed ,warm, blackberry jelly donut with powdered sugar on it ) when i finish configuring OSPF and it works!
• After configuring them , i was playing around with the DR election and it was awesome.
• OSPF  first checks the interface priority, the one with the highest priority becomes the DR.
  • #int fa 0/0
    • #ospf priority <priority>
• If the priority is the same, the one with the highest-router ID becomes the DR.
  • #router ospf 1
    • #router-id <router-id>

1.6 IP ACCESS-LIST

• I now have an awesome way of approaching this problem, i’ll make a video of this tonight and i’ll post here! I hope this’ll help you.

1.7 OBJECT GROUPS

• This task was pretty vague
• They asked me to reduce the size of the previous ACL, but they don’t say anything about adding additional ACL statements/keeping the old ACL’s which are not configured on the object-groups..
• So i assumed that the original ACL should be maintained. They can be replaced by object-groups wherever possible, but if not possible, ( ex : NTP ) , i have configured an ACL entry explictly permitting that traffic
• If i got this topic in the exam , i would definitely ask for clarification.

1.8 ADMINISTRATIVE ACCESS

• One quick note here regarding granting SSH access to manage the firewall.
• Ensure that you have a license which allows you to create DES/3-DES keys. If you don’t what happens is, despite correct configuration, SSH access will still not work!
• I found this out the hard-way , as i spent about 15 mins trying to find what was wrong
• And i would also suggest specifying the SSH version when you’re trying to SSH into the firewall ( or any device, for that matter )
  • #ssh -l <username> -v <version> <ip address>

1.9 ICMP TRAFFIC

• I did some configuration, but i’m not satisfied as it don’t know how to permit pMTU replies…even the solution doesn’t address this..i was thinking we might have to permit maybe ” fragmentation needed ” or size-too-big packets..but since they don’t figure in the ICMP list, i’m thinking as to how this can be done. Please let me know if you have a solution for this. I’d really appreciate it!

1.10 URL FILTERING

• After configuring URL-filtering, when i tried to test it using the “sh url-server statistics” command, it was showing that my URL requests were getting dropped.
• I didn’t have a websense URL filtering server configured, but i had configure url filtering with the “allow” keyword at the end , so that if the URL-server wasn’t detected, the URL requests would automatically get granted.
• But the requests are getting dropped
• Not even blocked, they are getting “dropped”. Again if any of you can shed any light on this, i’d be super grateful!

I’m looking forward to finishing the rest of the labs! This is just awesome!

More on this tonight, tomorrow and the day-after ( Please check schedule on the side-bar )

Cheers,

TacACK

What is up! I missed writing stuff here and now i’m back. I had a pretty successful week at work and now i’m ready to focus on the tasks at hand. I’ve some interesting articles for you which i’m going to be blogging about for the next couple of days. So watch this space!

Today, i’m going to be doing the ASA Vol 1 lab. I promise this is going to be my last revision! I’ve decided to move onto Vol 2 labs come Monday ‘coz this is taking a lot of time!

I’m really excited about my studies today and i’m going to live-blogging on WAVE. Great to be back!

Cheers,

TacACK