Archive for category 90 Day countdown

T-24 | Doc-CD study

Hey, hey, hey!

Once in a while, I feel like I just can't lab :) Today is an example of that, and it was the same the day before yesterday! So what I do when I don't feel like labbing is start studying and going through the Doc-CD.

Reading through the Doc-CD is an idea I stole from Paul Stewart (@packetu), who is one of the people I really look up to. I took his idea and added my own twist by adding elements which make the study more effective for me.

The way I go about it is very simple :). Since I have a below-average memory :), I write down the sections of the Doc-CD that I need to read/cover on my iPod touch whenever I think of one (I've actually stopped riding my bike once to write down a topic; long story short, the GF did not like it! :D). Then, whenever I have days allocated to the Doc-CD, I study through the topics and take notes on Wave.

I've found this method very useful because I usually think about the topic a day or two afterwards and never remember anything! :) So the notes are very beneficial here.
Right, yesterday I studied 3 topics and made notes on Google Wave. You can find them HERE.

I hope you find it useful! :)

Cheers,

TacACK


T-25 | ASA Vol 1 lab overview

Hello all! :)

I finished the ASA Vol 1 lab (finally!), and here are the notes I made while configuring it. Again, these are just a copy-paste of my notes :) I haven't formatted or spell-checked them, so I'm sorry if there are any grammatical mistakes, etc.

1.11 Dynamic NAT and PAT

  • Always remember the order in which the ASA (8.2 and earlier) matches NAT rules against a packet:
    • NAT exemption (nat 0 with an ACL)
    • Static policy NAT (static with an ACL)
    • Static NAT (with a pool)
    • Static PAT (using a single address)
    • Dynamic policy NAT (nat with an ACL)
    • Dynamic NAT (with a pool)
    • Dynamic PAT
  • Identity NAT (nat 0 without an ACL) is treated as regular dynamic NAT, so it belongs in the dynamic NAT step, not at the top of the list.

1.14 Static Policy NAT and PAT

  • This is a little tricky... hmmm
  • I got the first configuration correct, but the second task is troubling me; let me think for some more time.
  • Hmm, here's the problem that I'm facing:
  • There's a task where I have to configure static policy NAT such that any HTTP access to the outside interface of the firewall from the lo0 address of R2 (150.1.2.2/24) should be redirected to AAA (on the DMZ).
  • Now this is what I configured. First I configure the access list to match the reverse traffic from the DMZ to 150.1.2.2:
    • #access-list HTTP permit tcp interface eq http host 150.1.2.2
  • Then I configure the static NAT statement:
    • #static (dmz,outside) tcp interface http access-list HTTP
  • This should work.
  • However, it works too well for my own good. What's happening is that when I do a "telnet 136.1.122.12 80 /source-interface lo 0" from R2, the connection gets redirected to the AAA server in the DMZ, but even if I do a "telnet 136.1.122.12 80", this also gets redirected. How is this possible?
  • Any help would be awesome! :)

1.15 Identity NAT and NAT Exemption

  • It works fine! :) There's however a little thing I wanted clarification about.
  • I read that when using identity NAT (nat 0), you can originate traffic to the inside address from the outside only by using policy NAT exemption or by using static, but here I tested it and I'm able to originate traffic both ways.
  • http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065218 -> This is the document I'm referring to. I'd really like it if someone clarified this for me.
  • Ah, got it! :) It's given clearly in the INE workbook solution.
  • The identity translation works ONLY AFTER the inside host generates some traffic! After that, traffic can flow both ways.
  • So to test this I did a "clear xlate" on the ASA and tried to ping the inside "identity" address from the AAA server (it didn't go through! :)).
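Added configuration example (not from the original post or the INE workbook) that puts one instance of each NAT type from the 1.11 order list into a single pre-8.3 ASA config, writes the policy static ACL from the real side as 1.14 needs, and shows the identity NAT versus NAT exemption difference tested in 1.15. Interface names and all addresses other than R2's lo0 (150.1.2.2) are assumed for illustration.

```cisco
! Added example: pre-8.3 NAT syntax. Assumed addressing (not from the post):
!   inside  identity host 10.0.0.10; user subnet 10.0.1.0/24
!   dmz     192.168.1.0/24: web server 192.168.1.100, second host 192.168.1.101
!   outside 136.1.122.0/24; R2 lo0 = 150.1.2.2 (the one address from the post)
!
! Step 1 - NAT exemption: nat 0 WITH an ACL. Matched before everything else and
! bidirectional: a DMZ host can open a connection to 10.0.1.0/24 with no xlate.
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Step 2 - static NAT/PAT, regular or policy. The policy ACL is written from
! the real side: real source and port first, then the outside host it is for.
access-list WEB-FROM-R2 extended permit tcp host 192.168.1.100 eq 80 host 150.1.2.2
static (dmz,outside) tcp interface 80 access-list WEB-FROM-R2
static (dmz,outside) 136.1.122.101 192.168.1.101 netmask 255.255.255.255
!
! Step 3 - policy dynamic NAT: nat WITH an ACL, pool from the global with the
! same ID. 10.0.1.x -> 150.1.2.2 lands here instead of in the PAT rule below.
access-list TO-R2-LO0 extended permit ip 10.0.1.0 255.255.255.0 host 150.1.2.2
nat (inside) 2 access-list TO-R2-LO0
global (outside) 2 136.1.122.50-136.1.122.60
!
! Step 4 - regular dynamic NAT/PAT. Identity NAT (nat 0 WITHOUT an ACL) sits in
! this group: it is one-way, an xlate for 10.0.0.10 exists only after it sends.
nat (inside) 0 10.0.0.10 255.255.255.255
nat (inside) 1 10.0.1.0 255.255.255.0
global (outside) 1 interface
!
! Repeat the 1.15 check: clear xlate; ping 10.0.0.10 from 192.168.1.101 (fails,
! no xlate); ping 192.168.1.101 from 10.0.0.10; show xlate; ping from the DMZ again.
```

The order only bites while nat-control is on, because the first category that matches decides the translation; with "no nat-control", traffic that matches none of these rules simply passes untranslated.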

1.16 OUTSIDE Dynamic NAT

  • It's not working... :( The translation is occurring on the ASA, but the ping packets don't reach R1 at all!
  • Outside dynamic NAT translation is not working... :(
  • I did enter the "outside" keyword in the translation, but it's not working :(. However, when I enter "no nat-control" it starts working.
  • I discussed this with David and this is what he had to say:
    • my guess is that since you need a static NAT to go from low->high sec intf that the nat (outside) won't work w/o no nat-control
  • So this is an important point to keep in mind while labbing.

1.17 DNS DOCTORING USING ALIAS

  • Beautiful! Works really well; just ensure that you enable DNS inspection for this to work!

1.18 DNS DOCTORING using Static

  • I tried this too. Again, the same rule applies as for the previous one: configure DNS inspection to run globally, just as for the alias command.
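Added example of the static form of DNS doctoring (not the post's or the workbook's config). The DMZ real address 192.168.1.100 and the interface names are assumed; the mapped address 136.1.122.100 is the one the post uses later in 1.29.

```cisco
! Added example. Assumed: web server real address 192.168.1.100 on dmz, mapped
! to 136.1.122.100 on outside; the DNS server the inside clients query is outside.
!
! The dns keyword makes the ASA rewrite the A record in a DNS reply that
! carries the mapped address, so inside clients get 192.168.1.100 and connect
! to the DMZ directly instead of trying to reach 136.1.122.100 via outside.
static (dmz,outside) 136.1.122.100 192.168.1.100 netmask 255.255.255.255 dns
!
! No rewrite happens unless the reply passes through DNS inspection. It is on
! in the factory default policy, but re-add it if the lab policy was rebuilt:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Check from an inside host: resolve the name and confirm the answer is
! 192.168.1.100; "show service-policy inspect dns" confirms inspection is applied.
```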

1.19 Fragmented Traffic

  • This is AWESOME! It works just fine! The only command you need is
    • #fragment chain 1 (which caps the number of fragments the ASA will accept per packet at 1, so any packet that arrives fragmented is dropped; add an interface name to apply it to one interface only)
  • So when I ping with a size of 1501 bytes (1 byte over the MTU), the pings don't go through, as the second fragment doesn't get processed.
  • This is such a cool feature!

1.21 BGP Across the firewall

  • Ok, I finished configuring this. There should be a TCP map added which allows TCP option 19 (the TCP MD5 signature option used by BGP authentication); this is then applied in a policy-map which also disables randomization of the TCP sequence number (randomizing the sequence numbers breaks the MD5 signature, since the hash covers the TCP header).
  • It works well :) I can see the updates going through the firewall and I can see the updates on R1 and R2.
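Added example of the TCP map and policy for MD5-authenticated BGP through the ASA (not the post's or the workbook's config). It assumes the default global_policy is in use and that the peering itself (interface ACL, routes and any static for the inside peer) is already permitted.

```cisco
! Added example. Assumes the default global_policy/global service-policy and
! that the BGP peering is otherwise permitted through the firewall.
!
! TCP option 19 is the MD5 signature option (RFC 2385). The ASA clears it by
! default, so the option has to be explicitly allowed in a tcp-map.
tcp-map BGP-MD5
 tcp-options range 19 19 allow
!
class-map BGP-PEERING
 match port tcp eq 179
!
! The MD5 hash covers the TCP header including the sequence numbers, so the
! ASA's sequence randomization must be off for this class, otherwise every
! segment fails the peer's MD5 check and the session never establishes.
policy-map global_policy
 class BGP-PEERING
  set connection random-sequence-number disable
  set connection advanced-options BGP-MD5
!
! Check: "show service-policy" for hit counts on BGP-PEERING, and
! "show ip bgp summary" on R1 and R2 for the session state.
```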

1.22 Stub Multicast Routing

  • I always cringe when I hear the word multicast, dunno why.
  • I'm not very familiar with this; I will have to read some info about it... hang on.
  • Read the topic and trying to get this to work.
  • Crap... it's just not working... :( I've gotta rethink what I'm doing here.
  • I found out what the problem was: apparently PEMU doesn't support multicast routing :(

1.23 PIM multicast Routing

  • I removed the forward commands, and now I have PIM enabled on the ASA with a helper address pointing to R2's lo0 (150.1.2.2).
  • Since the ASA supports only PIM sparse mode, configure the ASA and R2 with an rp-address of 150.1.2.2.
  • This isn't working either.
  • The worst thing is I'm unable to see the IGMP groups on the ASA.
  • I see the debug on the inside routers and I can see the IGMP join messages going out on the interface connected to the ASA... but I don't see anything when I do a "debug igmp" on the firewall.
  • I found out what the problem was: apparently PEMU doesn't support multicast routing :(

1.24 Network Time protocol

  • Awesome... but I didn't understand why the "ntp trusted-key" command is used. Isn't that already specified when specifying the key next to "ntp server <IP> key"?
  • Seems a little redundant to me.
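Added example of the complete set of NTP authentication commands on the ASA (not from the post or the workbook), with a comment on what each one does. The key ID, the secret and the source interface are assumed; the server address is R2's lo0 from the post.

```cisco
! Added example. Assumed: NTP server is R2 lo0 150.1.2.2, key ID 1, secret
! "ntpsecret" (hypothetical), source interface outside.
!
! 1. the key material: which keys exist on this box
ntp authentication-key 1 md5 ntpsecret
! 2. the trust list: which of those keys a server's packets may be signed with
!    for the box to accept them (a defined key is not trusted until listed here)
ntp trusted-key 1
! 3. the switch that turns authentication checking on at all
ntp authenticate
! 4. which key to use when talking to a given server
ntp server 150.1.2.2 key 1 source outside
!
! Check: "show ntp associations detail" should show the peer as authenticated
! and "show ntp status" should reach synchronized.
```

The "key" on the server line and the trusted-key list are different things: the first selects the key for that peer, the second is the allow-list of keys the box will honour, so a typo in either one leaves the association unsynchronized.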

1.25 System Logging

  • Just finished configuring this.
  • Don't forget to turn on logging by using the command "logging enable". VERY important!

1.27 SNMP Monitoring

  • This is getting SNMP. I love SNMP! :) It's hard to configure, but totally worth it, I guess!
  • I forgot to configure the SNMP_MAP inside the global_policy... MUST REMEMBER THIS!
  • The solution misses one point in the configuration:
  • They do not configure VPN messages to be sent as traps to the SNMP server.
  • For that I'm guessing we need to add "logging class vpn trap critical" alongside the already existing "logging history critical".

1.29 HTTP TRAFFIC INSPECTION

  • I have one doubt:
    • Does the inspection take place before or after the xlate?
      • Because the access list on the outside HTTP inspection works when I configure the IP address of the destination (HTTP server) as 136.1.122.100 (i.e. the outside mapped address). But I always thought the xlate happens before inspection...?

1.31 SMTP TRAFFIC INSPECTION

  • Done configuring this, except for one feature.
  • I didn't know how to allow mail only to "cisco.com".
  • Apparently that can be done using the mail-relay command.
  • MUST REMEMBER THIS COMMAND!

1.32 TCP INSPECTION

  • Here we use TCP maps to configure the TCP options and then apply them to the policy-map.
  • Let's see if it works.
  • The way I'm going to test this is to try and initiate 4 telnet connections from R1 to R2... according to our configuration, it should block this.
  • Beautiful! It works! Remember, use "Ctrl+Shift+6 and then x" to suspend connections.

1.33 MANAGEMENT TRAFFIC INSPECTION

  • Management traffic is all the traffic originated by or destined to the ASA device itself.
  • Ex: routing protocol traffic, management protocols like Telnet, SSH, SNMP, etc.
  • Let's head into the configuration.
  • Alright, done with this configuration. Learnt something new about "policy-map type inspect radius-accounting".
  • Ok, another thing to remember: configure the RADIUS host and the key under the radius-accounting policy-map.
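Added example of RADIUS accounting inspection for to-the-box traffic (not the post's or the workbook's config). The server address, shared secret and accounting port are hypothetical.

```cisco
! Added example. Assumed: RADIUS server 10.0.0.5, shared secret "radsecret",
! accounting on UDP 1646 (hypothetical values).
!
! The server address and key live inside the inspect policy-map parameters,
! not in an aaa-server group; without the key the ASA cannot validate the
! Authenticator field and the inspection silently does nothing useful.
policy-map type inspect radius-accounting RAD-ACCT
 parameters
  host 10.0.0.5 key radsecret
  send-response
  validate-attribute 31
!
! Management class-maps match traffic to the box itself by port; the
! accounting stream is then handed to the inspect policy above.
class-map type management RADIUS-ACCT-TRAFFIC
 match port udp eq 1646
!
policy-map global_policy
 class RADIUS-ACCT-TRAFFIC
  inspect radius-accounting RAD-ACCT
!
! Check: "show service-policy inspect radius-accounting".
```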

1.34 ICMP INSPECTION

  • I can't tell you how much I love the "inspect icmp error" command.
  • It's awesome that I got a chance to use this here :)

1.35 THREAT DETECTION

  • NOTE: in threat detection, the default burst interval is 1/60 of <rate-interval> (or 10 seconds, whichever is larger).
  • So if you wanna specify a limit for the number of drops, always use "acl-drop" (at least that's what's used in the solutions).
  • And to enable advanced scanning-threat detection, we use the command "threat-detection scanning-threat shun...".
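Added example of a basic plus scanning threat-detection configuration (not the post's or the workbook's config). The rate values and the exempted subnet are hypothetical.

```cisco
! Added example. Rate values and the exempt subnet 10.0.0.0/24 are hypothetical.
!
! Basic threat detection is on by default; a rate line overrides the defaults
! for one event category only. acl-drop counts packets denied by access lists,
! which is the category the lab tasks key their drop limits on.
threat-detection basic-threat
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 500
!
! Host statistics make "show threat-detection statistics host" usable for
! seeing who is being counted before anything is blocked.
threat-detection statistics host
!
! Scanning threat detection: "shun" upgrades it from syslog-only to blocking
! the attacker. Exempt management/infrastructure ranges so a scan from a
! monitoring host does not shun it.
threat-detection scanning-threat shun except ip-address 10.0.0.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
!
! Check: "show threat-detection rate", "show threat-detection scanning-threat"
! and "show threat-detection shun" (lists currently shunned attackers).
```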

1.38 Low LATENCY QUEUING

  • I'd read some stuff about the priority queue some time back. This is the queue which sits ahead of the hold queue on every interface, where special packets which should be sent out ASAP are kept (routing protocol traffic, etc.).
  • On routers, we would use the "hold-queue" command under the interface configuration sub-menu to configure the hold-queue size, whereas here the equivalent is the "priority-queue <interface>" command in global configuration mode, which opens a sub-mode with "queue-limit" and "tx-ring-limit".
  • Also, on IOS the priority queue itself is set up with the "priority-list" and "priority-group" commands, whereas on the ASA it is the "priority" action under a class in a policy-map.
  • The mistake I made in the configuration was that I used an ACL, "permit udp any any range 16384 32767", to specify the RTP traffic. Instead, the way to do it is:
    • class-map VOIP
      • match rtp 16384 16383
  • Note that the second argument of "match rtp" is the number of ports in the range (0-16383), not the ending port, so "16384 16383" covers UDP 16384-32767.
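Added example of the full LLQ configuration on the ASA, from the interface queue to the applied policy (not the post's or the workbook's config). The interface name and queue sizes are assumed; the RTP port range is the one from the post.

```cisco
! Added example. Assumed interface name "outside" and queue sizes; the RTP
! port range 16384-32767 is the one from the post.
!
! Step 1: create the priority queue on the egress interface. This is where the
! ASA sizes what IOS would call the hold-queue and tx-ring. Without this line
! the "priority" action in the policy-map has no queue to put packets into.
priority-queue outside
 queue-limit 1024
 tx-ring-limit 128
!
! Step 2: classify RTP. The second argument is the port COUNT, not the last
! port: 16384 + 16383 = 32767, and anything above 16383 is rejected.
class-map VOIP-RTP
 match rtp 16384 16383
!
! Step 3: give the class the strict-priority action and apply it to the
! interface; the remaining traffic stays best-effort.
policy-map OUTSIDE-LLQ
 class VOIP-RTP
  priority
!
service-policy OUTSIDE-LLQ interface outside
!
! Check: "show priority-queue statistics outside" for queue counters and
! "show service-policy priority" for the classes using the priority action.
```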

While I was taking notes here, Google Wave just ATE about 5 or 6 of my configuration tasks! :( So I have no notes for tasks 1.39 to 1.43 :( Sorry! I'll start from 1.49 now.

1.49 ACTIVE/STANDBY FAILOVER

  • I love failover configuration! :)
  • Beautiful! It works! :)

1.50 ACTIVE/ACTIVE FAILOVER

  • Awesome! :) It took me over 30 mins... but it's working fine! :) A big thanks to the INE audio bootcamp and Keith!

1.51 REDUNDANT INTERFACES

  • One thing to remember is to trunk on the member interfaces of the redundant pair.

1.52 ENHANCED OBJECT GROUPS

  • This configuration is pretty straightforward, and it's done.

As always, I live-blog on Google Wave when I'm doing the labs. Please feel free to join me there, where we can interact/discuss/solve each other's problems, all in real time!

Tonight, I'm going to be doing the rest of the VPN Vol 1 lab! See you there!

Finally, thank you all for all the encouragement you give and your zeal to gain knowledge, which I truly find inspiring. I hope to keep learning! :)

Cheers,

TacACK


T-29 | The way i roll! :)

Hello All!

In this post, I'm going to post a small video on how I prep for big tasks like ZBF/ACL configuration. By BIG, I mean tasks which have lots of small configuration items which we are bound to miss during configuration.

This way, by making a small diagram, I am able to convert the configuration tasks into ideas in my head more clearly and effectively. Please do let me know if it was of any help to you... or if you have a better way, I'd be more than happy to hear it! :)

Cheers,

TacACK


T-30 | ASA Vol 1 Labs

It's not every day that I'm happy with GNS3. But today, I couldn't be happier! :)

It worked like a charm yesterday. I did the ASA VPN Vol 1 labs, tasks 1 to 10, yesterday. It went well and I made some notes. Here are the notes!

1.2 RIP v2

  • This task asked for configuring RIP and authentication between peers running RIP. I thought I'd configured it correctly, but I kept getting "invalid authentication" in the "debug ip rip" output on both peers.
  • Everything looked fine.
    • I'd configured the key chain.
    • The keys and the key-id on both peers were matching.
  • I happened to notice that the key-id I had configured was "0" (well, theoretically, the range is 0-255). So just for kicks, I changed the key-id to "1" on both RIP peers. It started working!
  • So this is where I make a note to myself: NEVER USE a key-id value of "0". Again, I do not know if this is a problem on other IOS versions/platforms, but on the 3725 running 12.4-18 (Advanced IP Services) IOS, it doesn't work!

1.3 OSPF

  • I always get a warm feeling (like the feeling you get when you bite into a honey-glazed, warm, blackberry jelly donut with powdered sugar on it :D) when I finish configuring OSPF and it works!
  • After configuring them, I was playing around with the DR election and it was awesome.
  • OSPF first checks the interface priority; the one with the highest priority becomes the DR.
    • #int fa 0/0
      • #ip ospf priority <0-255>
  • If the priority is the same, the one with the highest router ID becomes the DR.
    • #router ospf 1
      • #router-id <router-id>
  • Two caveats: a priority of 0 takes the router out of the election entirely, and the election is not preemptive, so raising a priority or changing a router ID does not move the DR until the adjacencies are reset (for example with "clear ip ospf process").

1.6 IP ACCESS-LIST

  • I now have an awesome way of approaching this problem; I'll make a video of it tonight and post it here! :) I hope it'll help you.

1.7 OBJECT GROUPS

  • This task was pretty vague.
  • They asked me to reduce the size of the previous ACL, but they don't say anything about adding additional ACL statements or keeping the old ACEs which are not covered by the object groups.
  • So I assumed that the original ACL should be maintained. Entries can be replaced by object groups wherever possible, but where that's not possible (ex: NTP), I have configured an ACL entry explicitly permitting that traffic.
  • If I got this topic in the exam, I would definitely ask for clarification.

1.8 ADMINISTRATIVE ACCESS

  • One quick note here regarding granting SSH access to manage the firewall.
  • Ensure that you have a license which allows you to create DES/3DES keys. If you don't, what happens is that, despite a correct configuration, SSH access will still not work!
  • I found this out the hard way, as I spent about 15 mins trying to find what was wrong :)
  • I would also suggest specifying the SSH version when you're trying to SSH into the firewall (or any device, for that matter):
    • #ssh -l <username> -v <version> <ip address>

1.9 ICMP TRAFFIC

  • I did some configuration, but I'm not satisfied, as I don't know how to permit PMTU replies... even the solution doesn't address this. I was thinking we might have to permit maybe "fragmentation needed" or "size too big" packets, but since they don't figure in the ICMP list, I'm wondering how this can be done. Please let me know if you have a solution for this. I'd really appreciate it! :)
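Added example (not from the post or the workbook) of the two places ICMP is controlled on the ASA and where the path-MTU message falls in the type list. The interface name and ACL name are assumed; the outside ACL lines are meant to be added to whatever ACL the lab already binds there.

```cisco
! Added example. Assumed interface name "outside" and ACL name "OUTSIDE-IN".
!
! To-the-box ICMP (the icmp command). As soon as one icmp line exists for an
! interface, anything not listed is denied, so list what is wanted explicitly.
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
! "Fragmentation needed" has no keyword of its own because it is ICMP type 3
! (destination unreachable) code 4; the unreachable keyword covers it, and
! that is what lets path MTU discovery toward the ASA's own address work.
icmp permit any unreachable outside
icmp deny any outside
!
! Through-the-box ICMP is governed by the interface ACL instead, with the same
! type keywords. "inspect icmp error" additionally translates the embedded IP
! header of unreachable/time-exceeded messages generated by intermediate hops
! so they match the original connection's xlate.
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-group OUTSIDE-IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Check: "show running-config icmp" for the to-the-box rules and
! "show access-list OUTSIDE-IN" hit counts for the through-the-box ones.
```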

1.10 URL FILTERING

  • After configuring URL filtering, when I tried to test it using the "sh url-server statistics" command, it showed that my URL requests were getting dropped.
  • I didn't have a Websense URL-filtering server configured, but I had configured URL filtering with the "allow" keyword at the end, so that if the URL server wasn't reachable, the URL requests would automatically be granted.
  • But the requests are getting dropped.
  • Not even blocked; they are getting "dropped". Again, if any of you can shed any light on this, I'd be super grateful! :)

I'm looking forward to finishing the rest of the labs! :) This is just awesome!

More on this tonight, tomorrow and the day after (please check the schedule on the side-bar).

Cheers,

TacACK


Back!

All!

What is up! :) I missed writing stuff here and now I'm back. I had a pretty successful week at work and now I'm ready to focus on the tasks at hand. I've some interesting articles which I'm going to be blogging about over the next couple of days. So watch this space! :)

Today, I'm going to be doing the ASA Vol 1 lab. I promise this is going to be my last revision! :) I've decided to move onto the Vol 2 labs come Monday, 'cos this is taking a lot of time!

I'm really excited about my studies today and I'm going to be live-blogging on Wave. Great to be back!

Cheers,

TacACK
