Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Narbik Kocharians
CCIE #12410
R&S, Security, SP
CCSI #30832
Table of Contents
ASA Firewall
LAB 1.1. BASIC ASA CONFIGURATION 8
LAB 1.2. BASIC SECURITY POLICY 17
LAB 1.3. DYNAMIC ROUTING PROTOCOLS 29
LAB 1.4. ASA MANAGEMENT 46
LAB 1.5. STATIC NAT (8.2) 59
LAB 1.6. DYNAMIC NAT (8.2) 67
LAB 1.7. NAT EXEMPTION (8.2) 77
LAB 1.8. STATIC POLICY NAT (8.2) 81
LAB 1.9. DYNAMIC POLICY NAT (8.2) 91
LAB 1.10. STATIC NAT (8.3+) 99
LAB 1.11. DYNAMIC NAT (8.3+) 115
LAB 1.12. BIDIRECTIONAL NAT (8.3+) 126
LAB 1.13. MODULAR POLICY FRAMEWORK (MPF) 131
LAB 1.14. FTP ADVANCED INSPECTION 138
LAB 1.15. HTTP ADVANCED INSPECTION 146
LAB 1.16. INSTANT MESSAGING ADVANCED INSPECTION 156
LAB 1.17. ESMTP ADVANCED INSPECTION 159
LAB 1.18. DNS ADVANCED INSPECTION 164
LAB 1.19. ICMP ADVANCED INSPECTION 169
LAB 1.20. CONFIGURING VIRTUAL FIREWALLS 175
LAB 1.21. ACTIVE/STANDBY FAILOVER 198
LAB 1.22. ACTIVE/ACTIVE FAILOVER 212
LAB 1.23. REDUNDANT INTERFACES 239
LAB 1.24. TRANSPARENT FIREWALL 246
LAB 1.25. THREAT DETECTION 260
LAB 1.26. CONTROLLING ICMP AND FRAGMENTED TRAFFIC 264
LAB 1.27. TIME BASED ACCESS CONTROL 270
LAB 1.28. QOS - PRIORITY QUEUING 276
LAB 1.29. QOS – TRAFFIC POLICING 280
LAB 1.30. QOS – TRAFFIC SHAPING 285
LAB 1.31. QOS – TRAFFIC SHAPING WITH PRIORITIZATION 290
LAB 1.32. SLA ROUTE TRACKING 296
LAB 1.33. ASA IP SERVICES (DHCP) 303
LAB 1.34. URL FILTERING AND APPLETS BLOCKING 310
LAB 1.35. TROUBLESHOOTING USING PACKET TRACER AND CAPTURE TOOLS 314
Page 2 of 100
CCIE SECURTY v4 Lab Workbook
Site-to-Site VPN
LAB 1.36. BASIC SITE TO SITE IPSEC VPN MAIN MODE (IOS-IOS) 326
LAB 1.37. BASIC SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) 352
LAB 1.38. BASIC SITE TO SITE VPN WITH NAT (IOS-IOS) 369
LAB 1.39. IOS CERTIFICATE AUTHORITY 385
LAB 1.40. SITE-TO-SITE IPSEC VPN USING PKI (ASA-ASA) 396
LAB 1.41. SITE-TO-SITE IPSEC VPN USING PKI (IOS-IOS) 410
LAB 1.42. SITE-TO-SITE IPSEC VPN USING PKI (STATIC IP IOS-ASA) 420
LAB 1.43. SITE-TO-SITE IPSEC VPN USING PKI (DYNAMIC IP IOS-ASA) 440
LAB 1.44. SITE-TO-SITE IPSEC VPN USING PSK (IOS-ASA HAIRPINNING) 461
LAB 1.45. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-IOS) 475
LAB 1.46. SITE-TO-SITE IPSEC VPN USING EASYVPN NEM (IOS-ASA) 484
LAB 1.47. SITE-TO-SITE IPSEC VPN USING EASYVPN WITH ISAKMP PROFILES (IOS-IOS)
LAB 1.48. GRE OVER IPSEC 550
LAB 1.49. DMVPN PHASE 1 567
LAB 1.50. DMVPN PHASE 2 (WITH EIGRP) 584
LAB 1.51. DMVPN PHASE 2 (WITH OSPF) 603
LAB 1.52. DMVPN PHASE 3 (WITH EIGRP) 623
LAB 1.53. DMVPN PHASE 3 (WITH OSPF) 643
LAB 1.54. DMVPN PHASE 2 DUAL HUB (SINGLE CLOUD) 667
LAB 1.55. DMVPN PHASE 2 DUAL HUB (DUAL CLOUD) 697
LAB 1.56. GET VPN (PSK) 738
LAB 1.57. GET VPN (PKI) 760
LAB 1.58. GET VPN COOP (PKI) 779
Page 3 of 100
CCIE SECURTY v4 Lab Workbook
Page 4 of 100
CCIE SECURTY v4 Lab Workbook
Page 5 of 100
CCIE SECURTY v4 Lab Workbook
Network Attacks
LAB 3.53. PROTECTING AGAINST FRAGMENTATION ATTACKS 442
LAB 3.54. PROTECTING AGAINST MALICIOUS IP OPTION USAGE 447
LAB 3.55. PROTECTING AGAINST NETWORK MAPPING 454
LAB 3.56. PROTECTING AGAINST DOS ATTACKS USING CAR 458
LAB 3.57. PREVENTING PORT REDIRECTION ATTACKS 460
LAB 3.58. PROTECTING AGAINST SMURF ATTACKS 462
LAB 3.59. PORT SECURITY 465
LAB 3.60. PREVENTING VLAN HOPING ATTACKS 472
Page 6 of 100
CCIE SECURTY v4 Lab Workbook
Page 7 of 100
CCIE SECURTY v4 Lab Workbook
Physical Topology
Page 8 of 100
CCIE SECURTY v4 Lab Workbook
Page 9 of 100
CCIE SECURTY v4 Lab Workbook
Page 10 of 100
CCIE SECURTY v4 Lab Workbook
Advanced
CCIE SECURITY v4
LAB WORKBOOK
Site-to-Site VPNs
Narbik Kocharians
CCIE #12410
R&S, Security, SP
Piotr Matusiak
CCIE #19860
R&S, Security
www.MicronicsTraining.com
Page 11 of 100
CCIE SECURTY v4 Lab Workbook
Lab Setup
R1’s F0/0 and R2’s G0/0 interface should be configured in VLAN 12
R2’s S0/1/0 and R5’s S0/1/0 interface should be configured in a frame-relay
point-to-point manner
R2’s S0/1/0 and R4’s S0/0/0 interface should be configured in a frame-relay
point-to-point manner
Configure Telnet on all routers using password “cisco”
Configure default routing on R1, R4 and R5 pointing to the R2
IP Addressing
Device Interface IP address
R1 Lo0 192.168.1.1/24
F0/0 10.1.12.1/24
Page 12 of 100
CCIE SECURTY v4 Lab Workbook
R2 F0/0 10.1.12.2/24
S0/1/0.25 10.1.25.2/24
S0/1/0.24 10.1.24.2/24
R4 Lo0 192.168.4.4/24
S0/0/0.42 10.1.24.4/24
R5 Lo0 192.168.5.5/24
S0/1/0.52 10.1.25.5/24
Task 1
Configure Hub-and-Spoke GRE tunnels between R1, R4 and R5, where R1
is acting as a Hub. Traffic originated from every Spoke’s loopback
interface should be transmitted securely via the Hub to the other spokes.
You must use EIGRP dynamic routing protocol to let other spokes know
about protected networks. Use the following settings when configuring
tunnels:
• Tunnel Parameters
o IP address: 172.16.145.0/24
o IP MTU: 1400
o Tunnel Authentication Key: 12345
• NHRP Parameters
o NHRP ID: 12345
o NHRP Authentication key: cisco123
o NHRP Hub: R1
• Routing Protocol Parameters
o EIGRP 145
Encrypt the GRE traffic using the following parameters:
• ISAKMP Parameters
o Authentication: Pre-shared
o Encryption: 3DES
o Hashing: SHA
o DH Group: 2
Page 13 of 100
CCIE SECURTY v4 Lab Workbook
Dynamic Multipoint Virtual Private Network (DMVPN) has been introduced by
Cisco in late 2000. This technology has been developed to address needs for
automatically created VPN tunnels when dynamic IP addresses on the spokes
are in use.
In GRE over IPSec (described in the previous lab) both ends of the connection
must have static/unchangeable IP address. It is possible however, to create
many GRE Site-to-Site tunnels from company’s branches to the Headquarters.
This is pure Hub-and-Spoke topology where all branches may communicate
with each other securely through the Hub.
In DMVPN may have dynamic IP addresses on the spokes, but there must be
static IP address on the Hub. There is also an additional technology used to let
the hub know what dynamic IP addresses are in use by the spokes. This is
NHRP (Next Hop Resolution Protocol) which works like ARP but for layer 3. All
it does is building a dynamic database stored on the hub with information about
spokes’ IP addresses. Now the Hub knows IPSec peers and can build the
tunnels with them.
The Hub must be connected to many spokes at the same time so there was
another issue to solve: how to configure the Hub to not have many Tunnel
interfaces (each for Site-to-Site tunnel with spoke). The answer is: use GRE
multipoint type of tunnel, where we do not need to specify the other end of the
tunnel statically.
That being said, there are three DMVPN mutations called phases:
Phase 1: simple Hub and Spoke topology were dynamic IP addresses on
the spokes may be used
Phase 2: Hub and Spoke with Spoke to Spoke direct communication
allowed
Phase 3: Hub and Spoke with Spoke to Spoke direct communication
allowed with better scalability using NHRP Redirects
All above phases will be described in more detail in the next few labs.
Configuration
Complete these steps:
Page 14 of 100
CCIE SECURTY v4 Lab Workbook
Step 1 R1 configuration.
R1(config)#interface Tunnel0
R1(config-if)#ip address 172.16.145.1 255.255.255.0
Page 15 of 100
CCIE SECURTY v4 Lab Workbook
Since we use EIGRP between the Hub and the Spokes, we need
to disable Split Horizon for that protocol to be able to
send routes gathered from one Spoke to the other Spoke. The
Split Horizon rule says: “information about the routing is
never sent back in the direction from which it was
received”. This is basic rule for loop prevention.
R1(config-if)#exi
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed
state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Page 16 of 100
CCIE SECURTY v4 Lab Workbook
Step 2 R5 configuration.
R5(config)#interface Tunnel0
R5(config-if)# ip address 172.16.145.5 255.255.255.0
R5(config-if)# ip mtu 1400
R5(config-if)# ip nhrp authentication cisco123
R5(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R5(config-if)# ip nhrp network-id 12345
R5(config-if)# ip nhrp holdtime 360
R5(config-if)# ip nhrp nhs 172.16.145.1
Page 17 of 100
CCIE SECURTY v4 Lab Workbook
Step 3 R4 configuration.
Page 18 of 100
CCIE SECURTY v4 Lab Workbook
R4(config)#interface Tunnel0
R4(config-if)# ip address 172.16.145.4 255.255.255.0
R4(config-if)# ip mtu 1400
R4(config-if)# ip nhrp authentication cisco123
R4(config-if)# ip nhrp map 172.16.145.1 10.1.12.1
R4(config-if)# ip nhrp network-id 12345
R4(config-if)# ip nhrp holdtime 360
R4(config-if)# ip nhrp nhs 172.16.145.1
R4(config-if)# tunnel source Serial0/0/0.42
R4(config-if)# tunnel destination 10.1.12.1
R4(config-if)# tunnel key 12345
R4(config-if)# tunnel protection ipsec profile DMVPN
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed
state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R4(config-if)#exi
Verification
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
Page 19 of 100
CCIE SECURTY v4 Lab Workbook
Spokes have sent updates about their networks (loopback interfaces) to the Hub.
Now Hub must send that information down to the other Spokes. The Hub may do
that as long as Split Horizon rule is disabled for the routing protocol.
R1#sh ip nhrp
172.16.145.4/32 via 172.16.145.4
Tunnel0 created 00:00:33, expire 00:05:26
Type: dynamic, Flags: unique registered
NBMA address: 10.1.24.4
172.16.145.5/32 via 172.16.145.5
Tunnel0 created 00:01:08, expire 00:04:51
Type: dynamic, Flags: unique registered
NBMA address: 10.1.25.5
NHRP database displayed on the DMVPN hub. Note that “sh ip nhrp” shows mapping
between Tunnel0 ip address and ip address of Serial interface which is used for
reaching the tunnel endpoint. The entries in NHRP database on the hub are
dynamic (dynamically obtained from the spokes).
Page 20 of 100
CCIE SECURTY v4 Lab Workbook
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.12.1
Local and remote identities used for the tunnel. Note that GRE protocol is
transported in the tunnel (IP protocol 47). It is automatically achieved by
assigning IPSec profile to the tunnel interface (configuring crypto ACLs is no
longer needed)
Note that traffic is going through the tunnel established between the hub (R1)
and the spoke (R4).
Page 21 of 100
CCIE SECURTY v4 Lab Workbook
inbound ah sas:
outbound ah sas:
Local and remote identities used for tunnel established between hub (R1) and
one of the spokes (R5).
Page 22 of 100
CCIE SECURTY v4 Lab Workbook
inbound ah sas:
outbound ah sas:
R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
The networks of R1 and R5 loopbacks are present in the R4’s routing table.
These networks are reachable through the hub (R1) over the DMVPN network.
Page 23 of 100
CCIE SECURTY v4 Lab Workbook
Next hop IP address followed by the information source (R1 – the hub)
The CEF entries displayed for R5 loopback network. This indicates an IP address
of next hop which have to be used for reaching 192.168.5.0/24.
R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
Tunnel0 created 00:04:04, never expire
Type: static, Flags:
NBMA address: 10.1.12.1
The NHRP database entries displayed. This shows the mapping between hub’s
tunnel interface IP address and hub’s real interface IP address through which
the tunnel endpoint is reachable. Note that NHRP database entries related to
the hub are static and never expires (the hub must be always reachable for the
spoke and cannot be dynamic).
This indicates that ISAKMP tunnel is established and active (QM_IDLE means that
ISAKMP SA is authenticated and Quick Mode – IPSec Phase 2 is fininshed.
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.24.4
Page 24 of 100
CCIE SECURTY v4 Lab Workbook
IPSec proxy IDs on the spoke indicates that traffic between tunnel endpoint
will be encrypted/decrypted. Also, packet counters are incrementing as there
are routing updates crossing the tunnel.
inbound ah sas:
outbound ah sas:
Page 25 of 100
CCIE SECURTY v4 Lab Workbook
Now ping the other spoke using its loopback IP address as source. This should
simulate end-to-end connectivity through the DMVPN network.
R4#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
Tunnel0 created 00:04:40, never expire
Type: static, Flags:
NBMA address: 10.1.12.1
R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
Tunnel0 created 00:02:11, never expire
Type: static, Flags:
Page 26 of 100
CCIE SECURTY v4 Lab Workbook
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.25.5
inbound ah sas:
Page 27 of 100
CCIE SECURTY v4 Lab Workbook
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000006, crypto map: Tunnel0-
head-0
sa timing: remaining key lifetime (k/sec): (4430459/3455)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
R5#sh ip nhrp
172.16.145.1/32 via 172.16.145.1
Tunnel0 created 00:03:01, never expire
Type: static, Flags:
NBMA address: 10.1.12.1
Page 28 of 100
CCIE SECURTY v4 Lab Workbook
Advanced
CCIE SECURITY v4
LAB WORKBOOK
Content Security
WSA
Narbik Kocharians
CCIE #12410
R&S, Security, SP
Piotr Matusiak
CCIE #19860
R&S, Security
www.MicronicsTraining.com
Page 29 of 100
CCIE SECURTY v4 Lab Workbook
Page 30 of 100
CCIE SECURTY v4 Lab Workbook
Objectives
This lab shows how integrate WSA with ASA to do transparen proxy services
for users.
Task
Reconfigure WSA to provide Transparent Proxy services to all users. THE
WSA should use it’s M1 interface and talk to ASA using WCCP v2 protocol.
Messages exchanged between WSA and ASA should be authenticated using
‘cisco123’ shared secret. Enable Transparent proxy for http and HTTPS.
Disable CONNECT method for explicit proxy.
Page 31 of 100
CCIE SECURTY v4 Lab Workbook
Configuration
Complete these steps:
Step 1 Configure WCCP on ASA.
!
access-list WCCP permit tcp 10.1.10.0 255.255.255.0 any eq 80
access-list WCCP permit tcp 10.1.10.0 255.255.255.0 any eq 443
!
wccp 90 redirect-list WCCP password cisco123
wccp interface inside 90 redirect in
!
Page 32 of 100
CCIE SECURTY v4 Lab Workbook
• From the drop-down list select WCCP v2 Router and click Submit.
• Provide name for WCCP service e.g. asa-wccp and select Dynamic
service ID option. Set the ID to 90 and associate Port Numbers of
80,443. Put 10.1.10.10 (ASA’s inside interface IP) as Router IP
Address and tick Enable Security for Service option configuring
‘cisco123’ as password. Click Submit.
Page 33 of 100
CCIE SECURTY v4 Lab Workbook
Page 34 of 100
CCIE SECURTY v4 Lab Workbook
Verification
• On Win7 client PC open up web browser and go to http://www.google.com.
Authenticate as user from Employees group.
Page 35 of 100
CCIE SECURTY v4 Lab Workbook
ASA1(config)# sh conn
11 in use, 77 most used
TCP outside 2.16.216.40:443 inside 10.1.10.80:57688, idle 0:00:07, bytes 32361, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57686, idle 0:00:07, bytes 27805, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57685, idle 0:00:07, bytes 74840, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57684, idle 0:00:07, bytes 75426, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57683, idle 0:00:08, bytes 11142, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57682, idle 0:00:08, bytes 83528, flags UIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57680, idle 0:00:14, bytes 2593, flags UfFrIO
TCP outside 2.16.216.40:443 inside 10.1.10.80:57679, idle 0:00:14, bytes 45467, flags UfFrIO
TCP outside 195.12.233.137:443 inside 10.1.10.80:57666, idle 0:00:15, bytes 2548, flags UIO
TCP outside 31.13.64.23:443 inside 10.1.10.80:53205, idle 0:00:17, bytes 30380, flags UIO
ASA1(config)# sh wccp
Service Identifier: 90
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 11464
Redirect access-list: WCCP
Total Connections Denied Redirect: 0
Total Packets Unassigned: 6
Page 36 of 100
CCIE SECURTY v4 Lab Workbook
Page 37 of 100
CCIE SECURTY v4 Lab Workbook
Advanced
CCIE SECURITY v4
LAB WORKBOOK
Identity Management
ACS
Narbik Kocharians
CCIE #12410
R&S, Security, SP
Piotr Matusiak
CCIE #19860
R&S, Security
www.MicronicsTraining.com
Page 38 of 100
CCIE SECURTY v4 Lab Workbook
Page 39 of 100
CCIE SECURTY v4 Lab Workbook
Objectives
This lab introduces Cisco Secure Access Control Server v5.3 and verifies
basic connectivity with other network elements.
Page 40 of 100
CCIE SECURTY v4 Lab Workbook
Configuration
Complete these steps:
Step 1 Run Putty and connect to IP address of 172.31.1.100
Page 41 of 100
CCIE SECURTY v4 Lab Workbook
-----------------------------
Version : 5.3.0.40
Internal Build ID : B.839.EVAL
The main version is 5.3 and the patch level is 40. The build depends
on the development stage and also indicates that we use evaluation
version of ACS. You can install production license or evaluation
license (90 days). Remember that if the ACS was installed with 60GB
disk (minimum) there will be no option to run it with no-eval
license. The 60GB is a minimum value and can only be used in lab
environment.
Page 42 of 100
CCIE SECURTY v4 Lab Workbook
Make sure that you see RX and TX packets and no error counters
increasing. This is a first indicator that something can be wrong
with connectivity. If you do not see eth0 interface that usually
means the interface is down.
Page 43 of 100
CCIE SECURTY v4 Lab Workbook
Note that you cannot reach ASA firewall at this stage. This is
because the ASA has no route back to network 172.31.1.0/24. You will
fix this later.
Step 8 Check the name server and domain configuration. Verify if DNS
works asking to resolve FQDN of acs5.micronics.local
;; QUESTION SECTION:
;acs5.micronics.local. IN ANY
;; ANSWER SECTION:
Page 44 of 100
CCIE SECURTY v4 Lab Workbook
unsynchronised
time server re-starting
polling server every 64 s
Page 45 of 100
CCIE SECURTY v4 Lab Workbook
Step 11 Connect through the GUI and install the license. Open up web
browser (IE or FF) and enter the following URL
https://172.31.1.100/acsadmin
• Authenticate as acsadmin/default and change the default
Page 46 of 100
CCIE SECURTY v4 Lab Workbook
password to Micronics1.
Page 47 of 100
CCIE SECURTY v4 Lab Workbook
Page 48 of 100
CCIE SECURTY v4 Lab Workbook
Objectives
This lab shows how to configure AAA clients in ACS and perform basic
authentication using RADIUS and TACACS+ protocols.
Page 49 of 100
CCIE SECURTY v4 Lab Workbook
Configuration
Complete these steps:
Step 1 Connect to ACS from WinXP PC and authenticate using acsadmin.
Add new entry to Device Type and Location NDGs (Network Device
Groups).
• Go to Users and Identity Stores > Identity Groups and click
Create. Add name Students under All Groups and click Submit.
• Go to Users and Identity Stores > Users and click Create. Add
new user with a name of student1 and password of student123,
select Students under Identity Groups and click Submit.
Page 50 of 100
CCIE SECURTY v4 Lab Workbook
Verification
There is no Verification for this task.
Page 51 of 100
CCIE SECURTY v4 Lab Workbook
Configure R1 router as AAA client in ACS using TACACS+ with secret key of
cisco123. Make sure the device is sourcing TACACS+ traffic from its
loopback0 interface and uses only one TCP connection for whole AAA
conversation.
The new AAA client should be added as Device Type = Routers in Location =
HQ. Configure AAA on the router and use test aaa command to verify your
solution.
Configuration
Complete these steps:
Step 1 Connect to ACS from WinXP PC and authenticate using acsadmin.
Add new entry to Device Type and Location NDGs (Network Device
Groups).
• Go to Network Resources > Network Device Groups > Location
and click Create. Add name HQ under All Locations and click
Submit.
Page 52 of 100
CCIE SECURTY v4 Lab Workbook
Page 53 of 100
CCIE SECURTY v4 Lab Workbook
Page 54 of 100
CCIE SECURTY v4 Lab Workbook
Verification
Use test aaa command to check user authentication.
Page 55 of 100
CCIE SECURTY v4 Lab Workbook
Configure SW1 switch as AAA client in ACS using RADIUS with secret key of
cisco123. Make sure the device is sourcing RADIUS traffic from vlan10
interface with IP address of 10.1.10.7/24.
The new AAA client should be added as Device Type = Switches in Location =
HQ. Configure AAA on the switch and use test aaa command to verify your
solution.
Configuration
Complete these steps:
Step 1 Connect to ACS from WinXP PC and authenticate using acsadmin.
• Go to Network Resources > Network Device Groups > Device
Type and click Create. Add name Switches under All Device Types
and click Submit.
Page 56 of 100
CCIE SECURTY v4 Lab Workbook
!
interface Vlan10
ip address 10.1.10.7 255.255.255.0
!
aaa new-model
!
ip default-gateway 10.1.10.1
ip radius source-interface Vlan10
radius-server host 172.31.1.100 key cisco123
!
Note that when you enable ‘aaa new-model’ the router will start asking
for Username/Password on VTY lines. You must either configure ‘login
authentication’ command on VTYs or create some backup/fallback username
in the local router’s database.
It is always recommended to have such local user account.
!
username backup password backup
!
Page 57 of 100
CCIE SECURTY v4 Lab Workbook
Verification
Use test aaa command to check user authentication.
SW1#ping 172.31.1.100
Page 58 of 100
CCIE SECURTY v4 Lab Workbook
Objectives
This lab shows how to configure routers to perform basic authentication and
authorization.
The router may authenticate remote users using its local user database. Every
user connecting to the router must be authenticated and authorized to perform
specific tasks. There are 16 privilege levels on the router. The levels are defined
with a number of 0 through 15. By default only three levels are configured:
• Level 0 – basic level which is accessible by every user with only access
to basic commands like “exit” and “logout”
• Level 1 – user without administrative permissions has this level
assigned. Usually every user in non-privileged router mode (non-enable
mode) is on this level
• Level 15 – user with administrative privileges is on this level. All
commands are available on this level by default. When a user enters
“enable” command and authenticates successfully, he/she is by default
authorized on level 15.
Page 59 of 100
CCIE SECURTY v4 Lab Workbook
Rest of the levels (2-14) is user configurable so that we can assign commands
to a specific level. The term “assign” is unfortunate here as we are able to only
“move” a command between levels. For example, if a command is by default on
level 15 (remember that most of the configuration commands are available only
on level 15) we can move it down to level 10. However, this command will be
now available on level 10 and on all levels above up to level 15.
The router can have different passwords for every privilege level, so that we can
authenticate to a specified level by entering command “enable <lvl>”.
Note that because most configuration commands are available on level 15,
entering level 5 for example will not give us any access to other commands. We
need to “move” specific commands first to that level to be able to use them.
Page 60 of 100
CCIE SECURTY v4 Lab Workbook
On R2 configure local user “luser1” with a password of “luser1” and allow him
to issue only “show” commands when accessing the router using TELNET
session. Use strong encryption for enable password if possible. You are not
allowed to use any AAA commands or views to accomplish this task.
Configuration
Complete these steps:
Step 1 Configure R2 as follows:
!
privilege exec all level 3 show
!
enable secret level 3 enable3
!
username luser1 password luser1
!
line vty 0 4
login local
!
Verification
R1#telnet 100.2.2.2
Trying 100.2.2.2 ... Open
Username: luser1
Password:
R2>show priv
^ ”show” command is not accessible for level 1 user – it is now on
level 3
% Invalid input detected at '^' marker.
R2>enable
% No password set there’s no enalble password for level 15 configured
R2>enable 3
Password: “enable3” password works for privilege level 3 only
R2#sh priv
Current privilege level is 3
Page 61 of 100
CCIE SECURTY v4 Lab Workbook
R2#show ?
aaa Show AAA values
aal2 Show commands for AAL2
access-expression List access expression
access-lists List access lists
accounting Accounting data for active sessions
adjacency Adjacent nodes
alarm-interface Display information about a specific Alarm
Interface Card
aliases Display alias commands
alignment Show alignment information
alps Alps information
appfw Application Firewall information
appletalk AppleTalk information
arap Show Appletalk Remote Access statistics
archive Archive of the running configuration information
arp ARP table
ase Display ASE specific information
async Information on terminal lines used as router
interfaces
auto Show Automation Template
autoupgrade Show autoupgrade related information
backhaul-session-manager Backhaul Session Manager information
<...snip...>
R2#conf t
^ higher level commands are not accessible for level 3 user
% Invalid input detected at '^' marker.
R2#exit
Page 62 of 100
CCIE SECURTY v4 Lab Workbook
Page 63 of 100
CCIE SECURTY v4 Lab Workbook
Advanced
CCIE SECURITY v4
LAB WORKBOOK
Identity Management
ISE
Narbik Kocharians
CCIE #12410
R&S, Security, SP
Piotr Matusiak
CCIE #19860
R&S, Security
www.MicronicsTraining.com
Page 64 of 100
CCIE SECURTY v4 Lab Workbook
ISE v1.1 is connected to the network behind Router1 and has IP address of
172.31.1.20. Default gateway should be set to R1.
Management access to ISE should be allowed from WinXP PC (10.1.10.50).
Page 65 of 100
CCIE SECURTY v4 Lab Workbook
Objectives
This lab introduces Identity Service Engine v1.1 and verifies basic connectivity
with other network elements.
This is an optional task. If the ISE is already pre-installed, you can go directly
to next task.
Task
Perform ISE installation and bootstrapping. Provide the following information
during the installation process:
• Hostname: ISE
• IP Address and mask: 172.31.1.20/24
• Default gateway: 172.31.1.1
• Domain name and nameserver: micronics.local, 172.31.1.200
• NTP server and timezone: 172.31.1.200, UTC
Page 66 of 100
CCIE SECURTY v4 Lab Workbook
Configuration
Complete these steps:
Step 1 Log into the ISE Virtual Appliance console (if you have access to it).
You should see the following prompt:
**********************************************
Please type ‘setup’ to configure the appliance
**********************************************
localhost login:
Page 67 of 100
CCIE SECURTY v4 Lab Workbook
Verification
Connect to the GUI from WinXP desktop and check license and ISE deployment
options.
Page 68 of 100
CCIE SECURTY v4 Lab Workbook
Cisco ISE is an application installed on underlying operating system called Cisco ADE.
Once you’re connected to ADE you must check what applications are installed. Then you
can use application name (in our case ‘ise) in all other commands.
The main version is 1.1 and the patch level is 665. The build depends on the
development stage. By default ISE is in EVAL mode for 90 days. You can install
production license or use evaluation license. You do not need to provide any license
file for ISE to be working.
Page 69 of 100
CCIE SECURTY v4 Lab Workbook
If there is other status than ‘is running’ it means theres something wrong with a
particular ISE subsystem/process. To fix that you can try to restart ISE application
using ‘application stop ise’ and then ‘application start ise’. Be patient as it may
take a while to start all ISE processes.
Make sure that you see RX and TX packets and no error counters increasing. This is the
first indicator that something can be wrong with connectivity. If you do not see
GigabitEhernet0 interface that usually means the interface is down.
You may see more interfaces depending on ISE installation. Some interfaces may be used
for profiling services.
Page 70 of 100
CCIE SECURTY v4 Lab Workbook
Note that there is still interface ‘eth0’ in the command output. This interface is a
pointer to GigabitEthernet0.
You may not reach ASa firewall at this stage. If not, check if ASA has static route to
172.31.1.0/24 network configured.
Page 71 of 100
CCIE SECURTY v4 Lab Workbook
Check the name server and domain configuration. Verify if DNS works asking to
resolve FQDN of ise.micronics.local
;; QUESTION SECTION:
;ise.micronics.local. IN ANY
;; ANSWER SECTION:
ise.micronics.local. 3600 IN A 172.31.1.20
If there is a different timezone configured you can always change it to the correct
value using ‘clock timezone UTC’ command in the global configurtion. To check what
timezone names are available use ‘show timezones’ command.
Page 72 of 100
CCIE SECURTY v4 Lab Workbook
If you experience the above issue try to reapply the NTP server configuration.
ISE/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISE/admin(config)# ntp server 172.31.1.1
ISE/admin(config)# end
NTP synchronization is very important especially when ISE is a part of Active Directory
domain. If you plan to join AD then clock between Domain Controller and ISE must be
synchronized. The NTP related issues are causing most problems with AD integration.
You can also check application logs when syncing with NTP.
Note that ISE may not synchronize with a source that is not reliable (the source gets
time from its local clock).
unsynchronised
time server re-starting
polling server every 64 s
<after a while>
Page 73 of 100
CCIE SECURTY v4 Lab Workbook
Connect through the GUI and check license. Open up web browser (IE or FF) and
enter the following URL https://172.31.1.20
• Authenticate as admin/Micronics1.
• You may see the following message while connecting to the ISE for the first time.
• Pick Do not show this message again and then click OK.
Page 74 of 100
CCIE SECURTY v4 Lab Workbook
• Check the deployment mode by selecting ise on the top right of the current window.
To check license you must go to Administration -> System -> Licensing.
Page 75 of 100
CCIE SECURTY v4 Lab Workbook
Objectives
This lab shows how to configure 802.1x for wired environment.
Task
There is a Windows 7 host connected to SW1 port 0/7 through the IP Phone.
The IP Phone is authenticated using MAB configured in previous tasks.
Configure Win7 PC to use its native supplicant with PEAP/MS-CHAPv2 only.
Use Active Directory user employee1 and computer’s account (member of
Domain Computers AD group) for authentication. Upon successful
authentication the user and machine should get full access to the network.
Enable 802.1x low impact mode on the port and allow only DHCP, DNS, TFTP
and ICMP traffic. Ensure the following authentication order:
o 802.1x
o MAB
The switch should time out 802.1x authentication method after 15 seconds
and allow only one MAC address to be seen behind the IP Phone. If there are
more MAC addresses the switch should NOT authenticate them and silently
drop the packets.
Page 76 of 100
CCIE SECURTY v4 Lab Workbook
You can disable Whitelist authorization rule and put the IP Phone back to the
default Cisco-IP-Phone group.
Page 77 of 100
CCIE SECURTY v4 Lab Workbook
Configuration
Complete these steps:
Step 1 Switch configuration.
!
ip access-list extended DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark TFTP
permit udp any any eq tftp
remark Ping
permit icmp any any
!
interface GigabitEthernet0/7
ip access-group DEFAULT in
authentication open
authentication order dot1x mab
dot1x timeout tx-period 5
!
ip device tracking
radius vsa send
!
Page 78 of 100
CCIE SECURTY v4 Lab Workbook
Step 3 Create authorization profile for AD clients to get full network access
upon successful authorization.
• Go to Policy > Policy Elements > Results > Authorization >
Authorization Profiles and click Add. Enter AD_Success_Profile as
name, pick DACL Name checkbox and chose default
PERMIT_ALL_TRAFFIC from the drop-down list. Click Submit.
Page 79 of 100
CCIE SECURTY v4 Lab Workbook
Step 4 Move IP Phone MAC address to the default Identity Group and disable
Whitelist authorization rule.
• Go to Administration > Identity Management > Identities >
Endpoints and click Cisco-IP-Phone (an entry with IP Phone MAC
address). Change the Identity Group Assignment to Cisco-IP-
Phone. Click Save.
Page 80 of 100
CCIE SECURTY v4 Lab Workbook
• Go to Policy > Authorization and click Edit link next to the Whitelist
rule. Click on the green icon and chose Disabled. Click Done and
Save.
Page 81 of 100
CCIE SECURTY v4 Lab Workbook
Page 82 of 100
CCIE SECURTY v4 Lab Workbook
Page 83 of 100
CCIE SECURTY v4 Lab Workbook
• Click Save.
Page 84 of 100
CCIE SECURTY v4 Lab Workbook
Page 85 of 100
CCIE SECURTY v4 Lab Workbook
Page 86 of 100
CCIE SECURTY v4 Lab Workbook
Page 87 of 100
CCIE SECURTY v4 Lab Workbook
Verification
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int g0/7
SW1(config-if)#shut
SW1(config-if)#no shu
SW1(config-if)#^Z
Page 88 of 100
CCIE SECURTY v4 Lab Workbook
// dot1x has failed for IP Phone because the phone has no dot1x supplicant, now
the MAB is running
Page 89 of 100
CCIE SECURTY v4 Lab Workbook
Page 90 of 100
CCIE SECURTY v4 Lab Workbook
// The switch must download ACL from ISE. This is done by another RADIUS request
where username is a dACL name. There must be three things configured on the switch
to make this happen:
- aaa authorization network
- ip device tracking
- radius vsa send
// with the RADIUS Access-Accept message the switch gets ACl entries.
Page 91 of 100
CCIE SECURTY v4 Lab Workbook
// check the authentication session again. You should see correct domain
(VOICE) based on the attribute received from the ISE, and ACL name. You will
not see ACL entries here.
Page 92 of 100
CCIE SECURTY v4 Lab Workbook
Bounce the Win7 NIC (LAB-Network) to trigger dot1x and check debug output. Click
on the balloon message that appears and provide user/pass of
employee1/Micronics1 to authenticate.
// you may see more dot1x reties here. It depends on configured tx-period and
how quickly you provide username and password to the supplicant.
Page 93 of 100
CCIE SECURTY v4 Lab Workbook
RADIUS: authenticator 07 CE 7D 37 DF DA B8 D6 - 00 16 97 E8 97 BC 0F 4F
RADIUS: User-Name [1] 11 "employee1"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Framed-MTU [12] 6 1500
RADIUS: Called-Station-Id [30] 19 "C4-64-13-6C-E8-07"
RADIUS: Calling-Station-Id [31] 19 "00-26-55-D0-0D-56"
RADIUS: EAP-Message [79] 16
RADIUS: 02 01 00 0E 01 65 6D 70 6C 6F 79 65 65 31 [ employee1]
RADIUS: Message-Authenticato[80] 18
RADIUS: 9C 1F 81 CF 9F 9E 64 34 E5 DA AC 68 D2 57 C1 41 [ d4hWA]
RADIUS: EAP-Key-Name [102] 2 *
RADIUS: Vendor, Cisco [26] 49
RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A010A070000003100EE1DEA"
RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
RADIUS: NAS-Port [5] 6 50007
RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/7"
RADIUS: NAS-IP-Address [4] 6 10.1.10.7
RADIUS(00000036): Started 5 sec timeout
Page 94 of 100
CCIE SECURTY v4 Lab Workbook
RADIUS(00000036): sending
// another RADIUS request is sent. Note that RADIUS message does NOT contain
any password. There is just username. The username/password will be carried
securely by EAP which is sent using RADIUS AVP/79.
// This RADIUS challenge message is for ISE authentication. PEAP uses server
side authentication using digital certificate. This is why that message is so
long – it contains ISE certificate.
Page 95 of 100
CCIE SECURTY v4 Lab Workbook
RADIUS: 64 01 19 16 05 6C 6F 63 61 6C 31 19 30 17 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 09 6D 69 63 72 6F [dlocal10&,dmicro]
RADIUS: 6E 69 63 73 31 1B 30 19 06 03 55 04 03 13 12 63 61 2E 6D 69 63 72 6F 6E [nics10Uca.micron]
RADIUS: 69 63 73 2E 6C 6F 63 61 6C 30 1E 17 0D 31 32 31 31 32 30 [ics.local0121120]
RADIUS: 31 39 34 39 31 38 5A 17 0D 31 34 [ 194918Z14]
RADIUS: EAP-Message [79] 255
RADIUS: 31 31 32 30 31 39 34 39 31 38 5A 30 5A 31 0B 30 09 06 03 55 [1120194918Z0Z10U]
RADIUS: 04 06 13 02 75 73 31 0B 30 09 06 03 55 04 08 13 02 63 61 31 12 30 10 06 03 55 04 0A 13 09 6D 69 63 72 6F 6E [us10Uca10Umicron]
RADIUS: 69 63 73 31 0C 30 0A 06 03 55 04 0B 13 03 6C 61 62 31 1C 30 1A 06 03 55 04 03 13 13 69 73 65 2E [ics10Ulab10Uise.]
RADIUS: 6D 69 63 72 6F 6E 69 63 73 2E 6C 6F 63 61 6C 30 [micronics.local0]
RADIUS: 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 B1 23 13 7A 04 C5 03 F4 95 32 21 93 02 08 3C CF DF 6C A2 F0 0B FC 12
0F B7 C8 05 05 F5 35 E6 71 1A 6E 0C 38 A3 D7 98 11 1E 4F ["0*H0#z2!<l5qn8O]
RADIUS: EA 25 51 70 FB F5 7B C0 2C 82 C8 44 92 3A C1 47 85 60 23 BF 2E C6 E8 4A 15 C0 FA FC 70 3E D6 94 4D DB 4E [?Qp{,D:G`#.Jp>MN]
RADIUS: F0 0D F0 89 4C 60 C8 59 61 AE 0E 81 75 70 55 51 15 1D 84 5C ED 36 DA 01 C9 7D 37 12 1E FA 25 8F E8 9F 0C 66 33 BB 9B D5 [ L`YaupUQ\6}7?f3]
RADIUS: EAP-Message [79] 255
RADIUS: 14 91 6B AF 74 93 29 5A 11 9B ED 31 CD E0 84 E6 B3 4D 64 A1 35 AF A8 90 1B BA 02 DA 36 2A 0B 81 6A BA 1D 1A 22 8A 78 F1 17 C9 01 CE 6D 48 53 [kt)Z1Md56*j"xmHS]
RADIUS: BB 44 1C 13 62 7E EE EB 6C EE 48 1D F3 FA 3B F0 84 3A C5 8A 76 86 C6 67 80 3D 9A 08 CF 19 43 A8 07 B3 DC 0E 3F DE 24 30 C9 0D 5E 0E 69 [Db~lH;:vg=C?$0^i]
RADIUS: 6F 8D 3E 95 EC 58 B3 F5 DC 0B 0D DC C6 D2 5B C0 54 9F CC F5 1A 01 4E BE 51 5B AC 16 45 F7 27 76 A2 73 FA 3C 3F 2E 06 19 C9 20 [o>X[TNQ[E'vs<?. ]
RADIUS: 87 C2 A4 14 6D 02 03 01 00 01 A3 82 02 D3 30 82 02 CF 30 0B 06 03 55 1D 0F 04 04 03 02 05 A0 30 1D 06 03 55 1D 0E 04 16 04 14 DA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95
60 18 90 AF D8 07 09 30 13 06 03 55 1D 25 [m00U0U9^kK2U`0U?]
RADIUS: 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 1F 06 03 55 1D 23 04 18 30 16 80 14 4E 48 F2 B6 65 69 28 34 9F F9 7D D1 62 B0 58 34 [0+0U#0NHei(4}bX4]
RADIUS: B3 86 31 44 30 82 01 [ 1D0]
RADIUS: EAP-Message [79] 255
RADIUS: 0E 06 03 55 1D 1F 04 82 01 05 30 82 01 01 30 81 FE A0 81 FB A0 81 F8 86 81 B8 6C 64 61 70 3A 2F 2F 2F 43 4E 3D 63 61 [U00ldap:///CN=ca]
RADIUS: 2E 6D 69 63 72 6F 6E 69 63 73 2E 6C 6F 63 61 6C [.micronics.local]
RADIUS: 2C 43 4E 3D 64 63 2C 43 4E 3D 43 44 50 2C 43 4E [,CN=dc,CN=CDP,CN]
RADIUS: 3D 50 75 62 6C 69 63 25 32 30 4B 65 79 25 32 30 [=Public?20Key?20]
RADIUS: 53 65 72 76 69 63 65 73 2C 43 4E 3D 53 65 72 76 [Services,CN=Serv]
RADIUS: 69 63 65 73 2C 43 4E 3D 43 6F 6E 66 69 67 75 72 [ices,CN=Configur]
RADIUS: 61 74 69 6F 6E 2C 44 43 3D 6D 69 63 72 6F 6E 69 [ation,DC=microni]
RADIUS: 63 73 2C 44 43 3D 6C 6F 63 61 6C 3F 63 65 72 74 [cs,DC=local?cert]
RADIUS: 69 66 69 63 61 74 65 52 65 76 6F 63 61 74 69 6F [ificateRevocatio]
RADIUS: 6E 4C 69 73 74 3F 62 61 73 65 3F 6F 62 6A 65 63 [nList?base?objec]
RADIUS: 74 43 6C 61 73 73 3D 63 52 4C 44 69 73 74 72 69 [tClass=cRLDistri]
RADIUS: 62 75 74 69 6F 6E 50 6F 69 6E 74 86 3B 68 74 74 70 [butionPoint;http]
RADIUS: 3A 2F 2F 64 63 2E 6D 69 63 72 6F 6E 69 63 73 2E [://dc.micronics.]
RADIUS: 6C 6F 63 61 6C 2F 43 65 72 74 45 6E 72 6F 6C 6C [local/CertEnroll]
RADIUS: 2F 63 61 2E 6D [ /ca.m]
RADIUS: Message-Authenticato[80] 18
RADIUS: A1 DC DF 16 43 95 CA 9C B4 3C 55 31 71 31 41 01 [ C<U1q1A]
RADIUS(00000036): Received from id 1645/163
RADIUS/DECODE: EAP-Message fragments, 253+253+253+253, total 1012 bytes
<snip>
Page 96 of 100
CCIE SECURTY v4 Lab Workbook
Page 97 of 100
CCIE SECURTY v4 Lab Workbook
// Note that there is no ACL download in this case. This is because the ACL of
the same name has been already downloaded in the previous steps (IP Phone
authorization).
Page 98 of 100
CCIE SECURTY v4 Lab Workbook
// check out authentication sessions on the port. You should see two separate
domains (VOICE and DATA) each authenticated separately.
----------------------------------------
Interface: GigabitEthernet0/7
MAC Address: 0021.a084.6ff4
IP Address: Unknown
User-Name: 00-21-A0-84-6F-F4
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Page 99 of 100
CCIE SECURTY v4 Lab Workbook